Apache HTTP Proxy installation - Linux

Choose the installation steps for Apache HTTP Proxy according to the Linux distribution you use on your server. If you also want Apache to cache results from ESET Dynamic Threat Defense, see the related documentation.

Linux installation (distribution generic) for Apache HTTP Proxy

1. Install Apache HTTP Server (version 2.4.10 or later).

2. Verify that the following modules are loaded:

access_compat, auth_basic, authn_core, authn_file, authz_core, authz_groupfile,
authz_host, proxy, proxy_http, proxy_connect, cache, cache_disk

3. Add the caching configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 500000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4. If the directory /var/cache/apache2/mod_cache_disk does not exist, create it and grant the Apache user read, write and execute permissions on it.

5. Add the proxy configuration:

AllowCONNECT 443 2222 8883 53535

ProxyRequests On
ProxyVia On

CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900

SetEnv proxy-initial-not-pooled 1

<VirtualHost *:3128>
    ProxyRequests On
</VirtualHost>

<VirtualHost *:3128>
        ServerName r.edtd.eset.com

        <If "%{REQUEST_METHOD} == 'CONNECT'">
            Require all denied
        </If>

        ProxyRequests Off
        CacheEnable disk /
        SSLProxyEngine On

        RequestHeader set Front-End-Https "On"
        ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
        ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6. By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number: replace 2222 in the line AllowCONNECT 443 2222 8883 53535 with your port number.

7. Enable the caching and proxy configuration you added (if the configuration is in the main Apache configuration file, you can skip this step).

8. If necessary, change the listening port to the one you want (port 3128 is used by default).

9. Optional basic authentication:

o Add the authentication configuration to the proxy directive:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

o Create the password file with htpasswd -c (for example htpasswd -c /etc/httpd/.htpasswd user); the path must match the AuthUserFile directive.

o Manually create the group file named in AuthGroupFile (group.file) containing the line usergroup:username

10. Restart the Apache HTTP Server.

Apache HTTP Proxy installation on Ubuntu Server and other Debian-based Linux distributions

1. Install the latest version of Apache HTTP Server from the apt repository:

sudo apt-get install apache2

2. Run the following command to load the required Apache modules:

sudo a2enmod access_compat auth_basic authn_core authn_file authz_core \
authz_groupfile authz_host proxy proxy_http proxy_connect cache cache_disk

3. Edit the Apache caching configuration file:

sudo vim /etc/apache2/conf-available/cache_disk.conf

and copy/paste the following configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 500000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4. This step should not be required, but if the caching directory is missing, run the following commands:

sudo mkdir /var/cache/apache2/mod_cache_disk
sudo chown www-data /var/cache/apache2/mod_cache_disk
sudo chgrp www-data /var/cache/apache2/mod_cache_disk

5. Edit the Apache proxy configuration file:

sudo vim /etc/apache2/conf-available/proxy.conf

and copy/paste the following configuration:

AllowCONNECT 443 2222 8883 53535

ProxyRequests On
ProxyVia On

CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900

SetEnv proxy-initial-not-pooled 1

<VirtualHost *:3128>
    ProxyRequests On
</VirtualHost>

<VirtualHost *:3128>
        ServerName r.edtd.eset.com

        <If "%{REQUEST_METHOD} == 'CONNECT'">
            Require all denied
        </If>

        ProxyRequests Off
        CacheEnable disk /
        SSLProxyEngine On

        RequestHeader set Front-End-Https "On"
        ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
        ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6. By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number: replace 2222 in the line AllowCONNECT 443 2222 8883 53535 with your port number.

7. Enable the configuration files you edited in the earlier steps:

sudo a2enconf cache_disk.conf proxy.conf

8. Switch the listening port of Apache HTTP Server to 3128. Edit the file /etc/apache2/ports.conf and replace Listen 80 with Listen 3128.

9. Optional basic authentication. Edit the proxy configuration:

sudo vim /etc/apache2/mods-enabled/proxy.conf

o Copy/paste the authentication configuration before </Proxy>:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

o Install apache2-utils and create a new password file (for example username: user, group: usergroup):

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/apache2/password.file user

o Create the group file:

sudo vim /etc/apache2/group.file

and copy/paste the following line:

usergroup:user

10. Restart the Apache HTTP Server using the following command:

sudo service apache2 restart

Forwarding for ESET communication only

To allow forwarding of ESET communication only, remove the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

And add the following:

<Proxy *>
Deny from all
</Proxy>

#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#AV Cloud over port 53535
<ProxyMatch ^.*e5.sk.*$>
Allow from all
</ProxyMatch>
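The allowlist above is a Deny from all on <Proxy *> followed by per-pattern Allow rules, so a request is forwarded only if one of the ProxyMatch regular expressions matches the URL the client asked the proxy for (for CONNECT requests that is just host:port, which is why the scheme group in each pattern is optional). The Python check below is added here and is not part of the ESET documentation; it applies the same patterns to constructed sample requests so you can confirm what the allowlist admits and refuses before enabling it, including the last pattern, which admits anything containing e5.sk.

```python
import re

# The ProxyMatch patterns from the configuration above, verbatim. Apache tests
# them against the requested proxy URL: "scheme://host[:port]/path" for plain
# requests, bare "host:port" for CONNECT (hence the optional scheme group).
ALLOW_PATTERNS = [
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$",
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$",
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$",
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$",
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$",
    r"^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$",
    r"^.*e5.sk.*$",
]
COMPILED = [re.compile(p) for p in ALLOW_PATTERNS]


def proxy_allowed(request_url: str) -> bool:
    """True if the request would be forwarded under 'Deny from all' plus the
    Allow-from-all ProxyMatch blocks: denied unless some pattern matches."""
    return any(rx.match(request_url) for rx in COMPILED)


def matching_rules(request_url: str) -> list:
    """Indexes (into ALLOW_PATTERNS) of every rule that admits the request;
    useful for seeing which rule let an unexpected destination through."""
    return [i for i, rx in enumerate(COMPILED) if rx.match(request_url)]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "update.eset.com:443",                  # CONNECT from an agent: allowed
    "http://repository.eset.com/v1/index",  # plain HTTP fetch: allowed
    "91.228.165.10:443",                    # ESET server by IP: allowed
    "c.e5.sk:53535",                        # AV cloud: allowed
    "http://x.eset.com.evil.example/",      # eset.com as a prefix only: denied
    "http://example.org/",                  # unrelated site: denied
    "http://some5.skate.example/",          # admitted only by the loose e5.sk rule
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        verdict = "ALLOW" if proxy_allowed(url) else "DENY"
        print(f"{verdict:5} {url}  rules={matching_rules(url)}")
```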

Forwarding for all communication

To allow forwarding of all communication (the proxy then forwards requests to any destination), add the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

and remove the following:

<Proxy *>
Deny from all
</Proxy>

#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#AV Cloud over port 53535
<ProxyMatch ^.*e5.sk.*$>
Allow from all
</ProxyMatch>

 

Proxy chaining (all traffic)

ESMC does not support proxy chaining when the proxies require authentication. You can use your own transparent web proxy solution; however, additional configuration beyond what is described here may be required. Add the following to the proxy configuration (a password can be configured only on the child proxy):

ProxyRemote * http://IP_ADDRESS:3128

When using Proxy chaining on the ESMC Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESMC VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1

Configure the HTTP Proxy for a high number of clients

If you use 64-bit Apache HTTP Proxy, you can increase the thread limit for your Apache HTTP Proxy. Edit the configuration file httpd.conf, inside your Apache HTTP Proxy folder. Find the following settings in the file and update the values to match your number of clients.

Substitute the example value of 5000 with your number. The maximum value is 32000.

ThreadLimit 5000
ThreadsPerChild 5000

Do not change the rest of the file.