Apache HTTP Proxy installation - Linux
ESET Management Agents can connect to the ESET PROTECT Server via Apache HTTP Proxy. Read more about how the proxy for ESET Management Agents works.
The Apache HTTP Proxy is commonly distributed as an apache2 or httpd package.
Choose the installation steps for Apache HTTP Proxy according to the Linux distribution you use on your server. If you also want Apache to cache results from ESET LiveGuard Advanced, see the related documentation.
Linux installation (distribution generic) for Apache HTTP Proxy
1.Install Apache HTTP Server (at least version 2.4.10).
2.Verify that the following modules are loaded:
access_compat, auth_basic, authn_core, authn_file, authz_core, authz_groupfile,
authz_host, proxy, proxy_http, proxy_connect, cache, cache_disk
3.Add the caching configuration:
CacheEnable disk http://
mod_cache_disk stores the cache under CacheRoot, which must be the directory created in the next step. Debian's module configuration (mods-available/cache_disk.conf) already sets CacheRoot /var/cache/apache2/mod_cache_disk; on other distributions add the directive yourself.
4.If the directory /var/cache/apache2/mod_cache_disk does not exist, create it and make the user Apache runs as its owner, with read, write and execute permission.
5.Add the proxy configuration:
AllowCONNECT 443 563 2222 8883 53535
ProxyRequests On
CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900
SetEnv proxy-initial-not-pooled 1
<VirtualHost *:3128>
ProxyRequests On
</VirtualHost>
<VirtualHost *:3128>
ServerName r.edtd.eset.com
<If "%{REQUEST_METHOD} == 'CONNECT'">
Require all denied
</If>
ProxyRequests Off
CacheEnable disk /
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>
ProxyRequests On turns this Apache into a forward proxy for every client that can reach port 3128, and AllowCONNECT is the only thing limiting which ports a CONNECT tunnel may reach. Keep the port reachable from your managed network only (firewall, or a Listen directive bound to the internal address) and restrict the destinations with the Forwarding for ESET communication only configuration below; otherwise you are running an open proxy.
6.By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number. Change 2222 in the line: AllowCONNECT 443 563 2222 8883 53535 to your port number.
7.Enable the caching and proxy configuration you added (if it is in the main Apache configuration file, you can skip this step).
8.If necessary, change the listening port to the one you want (3128 is set by default).
9.Optional basic authentication:
oAdd the authentication configuration to the proxy directive:
AuthType Basic
oCreate the password file with htpasswd -c /etc/httpd/.htpasswd username (htpasswd is in the httpd-tools package; run it without -c to add further users, because -c overwrites an existing file).
oManually create a file named group.file containing the line usergroup:username
The Agent sends these credentials to the proxy in a Proxy-Authorization header in cleartext, so basic authentication limits who can use the proxy but does not protect the credentials on the network between client and proxy.
10. Restart the Apache HTTP Server.
Ubuntu Server and other Debian-based Linux distributions installation of Apache HTTP Proxy
1.Install the latest version of Apache HTTP Server from apt repository:
sudo apt-get install apache2
2.Execute the following command to load the required Apache modules:
sudo a2enmod access_compat auth_basic authn_core authn_file authz_core\
authz_groupfile authz_host proxy proxy_http proxy_connect cache cache_disk
3.Edit the Apache caching configuration file:
sudo vim /etc/apache2/conf-available/cache_disk.conf
and copy/paste the following configuration:
CacheEnable disk http://
4.This step should not be required, but if the caching directory is missing, create it with the following command and then make www-data (the user Apache runs as on Debian) its owner with read, write and execute permission, as in step 4 of the generic procedure:
sudo mkdir /var/cache/apache2/mod_cache_disk
5.Edit the Apache proxy configuration file:
sudo vim /etc/apache2/conf-available/proxy.conf
and copy/paste the following configuration:
AllowCONNECT 443 563 2222 8883 53535
ProxyRequests On
CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900
SetEnv proxy-initial-not-pooled 1
<VirtualHost *:3128>
ProxyRequests On
</VirtualHost>
<VirtualHost *:3128>
ServerName r.edtd.eset.com
<If "%{REQUEST_METHOD} == 'CONNECT'">
Require all denied
</If>
ProxyRequests Off
CacheEnable disk /
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>
6.By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number. Change 2222 in the line: AllowCONNECT 443 563 2222 8883 53535 to your port number.
7.Enable the configuration files you edited in earlier steps:
sudo a2enconf cache_disk.conf proxy.conf
8.Switch the listening port of Apache HTTP Server to 3128. Edit the file /etc/apache2/ports.conf and replace Listen 80 with Listen 3128. With ProxyRequests On, every client that can reach this port can use the proxy: on a host that also has an interface towards untrusted networks, bind it to the internal address instead (for example Listen 10.0.0.5:3128, with your own address) and firewall the port.
9.Optional basic authentication:
sudo vim /etc/apache2/mods-enabled/proxy.conf
(this is a symlink to /etc/apache2/mods-available/proxy.conf; the edit goes into the <Proxy *> block there)
oCopy/paste the authentication configuration before the closing </Proxy>:
AuthType Basic
oInstall apache2-utils and create a new password file (in this example the username is user and the group is usergroup):
sudo apt-get install apache2-utils
sudo htpasswd -c /etc/apache2/password.file user
(-c creates the file and overwrites an existing one; run htpasswd without -c to add further users)
oCreate a file called group:
sudo vim /etc/apache2/group.file
and copy/paste the following line:
usergroup:user
10. Restart the Apache HTTP Server using the following command:
sudo systemctl restart apache2
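The Debian procedure above (steps 1 to 10, the same directives as the distribution-generic procedure) as one script, added here as an example and not taken from the ESET page. It writes the two configuration files and edits ports.conf; the install subcommand, the CacheRoot line, the www-data ownership, the configtest before the restart and the LISTEN_ADDR and AGENT_PORT variables are my choices, not the page's:

```shell
#!/usr/bin/env bash
# Added example, not part of the ESET page: the Debian procedure as a script.
# The generated files carry the directives the page lists; CacheRoot, the
# www-data owner, the "install" subcommand and the LISTEN_ADDR / AGENT_PORT
# knobs are my additions.
set -eu

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"
CACHE_DIR="${CACHE_DIR:-/var/cache/apache2/mod_cache_disk}"
AGENT_PORT="${AGENT_PORT:-2222}"   # step 6: the port the Agents were installed with
PROXY_PORT="${PROXY_PORT:-3128}"
LISTEN_ADDR="${LISTEN_ADDR:-}"     # e.g. 10.0.0.5 to bind only the internal interface

# Step 3: caching configuration. CacheRoot is the directory from step 4.
write_cache_conf() {
    cat > "$APACHE_ROOT/conf-available/cache_disk.conf" <<EOF
CacheEnable disk http://
CacheRoot $CACHE_DIR
EOF
}

# Step 5: proxy configuration. ProxyRequests On makes this a forward proxy, so
# AllowCONNECT stays limited to the ports ESET needs and the Listen address matters.
write_proxy_conf() {
    cat > "$APACHE_ROOT/conf-available/proxy.conf" <<EOF
AllowCONNECT 443 563 $AGENT_PORT 8883 53535
ProxyRequests On
CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900
SetEnv proxy-initial-not-pooled 1

<VirtualHost *:$PROXY_PORT>
    ProxyRequests On
</VirtualHost>

<VirtualHost *:$PROXY_PORT>
    ServerName r.edtd.eset.com
    <If "%{REQUEST_METHOD} == 'CONNECT'">
        Require all denied
    </If>
    ProxyRequests Off
    CacheEnable disk /
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
    ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>
EOF
}

# Step 8: turn "Listen 80" into the proxy port, optionally bound to one address.
# Returns non-zero if ports.conf did not contain the line the page expects.
set_listen_port() {
    local bind
    bind="${LISTEN_ADDR:+$LISTEN_ADDR:}$PROXY_PORT"
    sed -i "s/^Listen 80\$/Listen $bind/" "$APACHE_ROOT/ports.conf"
    grep -qxF "Listen $bind" "$APACHE_ROOT/ports.conf"
}

# Steps 1, 2, 4, 7 and 10. Run as root: sudo ./proxy-setup.sh install
install_proxy() {
    apt-get install -y apache2
    a2enmod access_compat auth_basic authn_core authn_file authz_core \
        authz_groupfile authz_host proxy proxy_http proxy_connect cache cache_disk
    write_cache_conf
    write_proxy_conf
    set_listen_port
    mkdir -p "$CACHE_DIR"
    chown www-data:www-data "$CACHE_DIR"
    chmod 750 "$CACHE_DIR"
    a2enconf cache_disk.conf proxy.conf
    apache2ctl configtest   # refuse to restart on a syntax error
    systemctl restart apache2
}

if [ "${1:-}" = "install" ]; then
    install_proxy
fi
```

Run it as root with the install argument on the proxy host. To inspect the generated files first, point APACHE_ROOT at a scratch directory containing a conf-available directory and a ports.conf with Listen 80, and call write_cache_conf, write_proxy_conf and set_listen_port from an interactive shell that has sourced the script; set_listen_port fails on purpose if the Listen 80 line is not where the page expects it.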
Forwarding for ESET communication only
To allow forwarding of ESET communication only, remove the following:
<Proxy *>
And add the following (each # comment must stay on its own line: in an Apache configuration file a # comments out the whole line, so a comment and a <ProxyMatch> on one line would disable that entry and leave an unmatched </ProxyMatch>):
<Proxy *>
Deny from all
</Proxy>
#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Services (activation):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#AV Cloud over port 53535:
<ProxyMatch ^.*e5.sk.*$>
Allow from all
</ProxyMatch>
Deny from all and Allow from all are the 2.2-style access directives provided by mod_access_compat, which is why that module is in the list in step 2 (the 2.4 equivalents are Require all denied and Require all granted). The ProxyMatch regular expression is applied to the request target; for the Agent's CONNECT request that is host:port without a scheme, which the optional scheme and port groups account for. Note that the last entry, ^.*e5.sk.*$, is not anchored to a hostname: it admits any request whose target contains e5, one arbitrary character and sk anywhere, including in the path, so it is considerably looser than the other entries.
Forwarding for all communication
To allow forwarding of all communication, add the following:
<Proxy *>
and remove the <Proxy *> Deny from all </Proxy> block and all of the ProxyMatch blocks listed under Forwarding for ESET communication only. The proxy then forwards to any destination that any client able to reach port 3128 asks for, so only do this where that port is reachable solely from your managed network.
Proxy chaining (all traffic)
ESET PROTECT does not support proxy chaining when proxies require authentication. You can use your own transparent web proxy solution, but it may need configuration beyond what is described here. Add the following to the proxy configuration, with IP_ADDRESS replaced by the address of the parent proxy (if basic authentication is enabled, it is enforced only on this child proxy; the parent must accept the traffic without credentials):
<VirtualHost *:3128>
ProxyRequests On
ProxyRemote * http://IP_ADDRESS:3128
</VirtualHost>
When using Proxy chaining on the ESET PROTECT Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESET PROTECT VA and run the following command:
/usr/sbin/setsebool -P httpd_can_network_connect 1
Configure the HTTP Proxy for a high number of clients
If you use the 64-bit Apache HTTP Proxy, you can raise the thread limit of your Apache HTTP Proxy. The two directives belong to the threaded MPM (event or worker) the proxy runs with; on a distribution package they live in the MPM configuration rather than in a single httpd.conf (Debian: /etc/apache2/mods-available/mpm_event.conf or mpm_worker.conf, Red Hat: /etc/httpd/conf/httpd.conf). Find the following settings in the file and update the values to match your number of clients.
Substitute the example value of 5000 with your number. The maximum value is 32000.
ThreadLimit 5000
ThreadsPerChild 5000
Do not change the rest of the file. ThreadsPerChild cannot exceed ThreadLimit, and ThreadLimit is read only at a full stop and start of the service, not on a graceful restart. After restarting, check the Apache error log for a warning that ThreadLimit was lowered: it means the compiled-in hard limit of your build is below the value you set.
Configure the Apache HTTP Proxy to forward Agent-Server connections
1.On the proxy machine open the file
i.Debian distributions
/etc/apache2/mods-available/proxy.conf
ii.Red Hat distributions
/etc/httpd/conf/httpd.conf
2.Add the following line to the end of the file:
AllowCONNECT 443 563 2222 8883 53535
3.On the proxy machine open the file
i.Debian distributions
/etc/apache2/apache2.conf
ii.Red Hat distributions
/etc/httpd/conf/httpd.conf
4.Find the line:
Listen 80
and change it to
Listen 3128
5.If you have restricted the destinations in your proxy configuration (the ProxyMatch allowlist from Forwarding for ESET communication only), you also have to allow access to your ESET PROTECT Server:
Add a separate ProxyMatch segment containing:
I.The address which your Agents use to connect to the ESET PROTECT Server.
II.All other possible addresses of your ESET PROTECT Server (IP, FQDN).
Add the whole block below; the IP address 10.1.1.10 and the hostname hostname.example are only examples to be substituted with your own addresses. Escape every dot as \. so that it matches a literal dot, and keep the optional (:[0-9]+) port group, because the Agent's CONNECT request is matched as hostname:port. You can also generate the ProxyMatch expression in this Knowledgebase article.
<ProxyMatch ^(hostname\.example(:[0-9]+)?(\/.*)?|10\.1\.1\.10(:[0-9]+)?(\/.*)?)$>
Allow from all
</ProxyMatch>
6.Restart the Apache HTTP Proxy service.
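An added example, not part of the ESET page, that exercises two of the allowlist entries from Forwarding for ESET communication only and the per-Server ProxyMatch from step 5 of this section against constructed request targets, using grep -E as a stand-in for Apache's regex engine (the patterns use only syntax shared by PCRE and POSIX ERE). It also builds the Server block from a list of addresses with the dots escaped, and includes a stricter alternative to the page's ^.*e5.sk.*$ entry; that alternative, and every host, IP and URL used in the checks, are my constructions, not ESET's:

```shell
#!/usr/bin/env bash
# Added example, not part of the ESET page. grep -E stands in for Apache's
# regex engine; the hosts, IPs and URLs below are constructed for the checks.
set -eu

# Two of the page's allowlist entries, verbatim.
ESET_COM='^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$'
E5SK_PAGE='^.*e5.sk.*$'
# My stricter replacement for the e5.sk entry, built the same way as the other
# entries: hosts under e5.sk only, optional port and path. Not ESET's pattern;
# confirm the hostnames your products really contact before adopting it.
E5SK_STRICT='^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)*[e,E]5\.[s,S][k,K](:[0-9]+)?(/.*)?$'

# matches PATTERN TARGET: exit 0 if the proxy would forward a request to TARGET.
# For CONNECT (what the Agent sends) the target is host:port without a scheme.
matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# Regex-escape a hostname or IP; for these inputs only the dots need it.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# The step 5 block for every address the Agents may use for the Server,
# e.g. server_proxymatch hostname.example 10.1.1.10
server_proxymatch() {
    local alt="" addr
    for addr in "$@"; do
        alt="${alt:+$alt|}$(escape_re "$addr")(:[0-9]+)?(/.*)?"
    done
    printf '<ProxyMatch ^(%s)$>\nAllow from all\n</ProxyMatch>\n' "$alt"
}

# Only the regex from that block, so it can be fed to matches().
server_regex() {
    server_proxymatch "$@" | sed -n '1s/^<ProxyMatch \(.*\)>$/\1/p'
}

check_allowlist() {
    matches "$ESET_COM" 'epns.eset.com:8883'                    || return 1  # Agent CONNECT
    matches "$ESET_COM" 'http://update.eset.com/eset_upd/'       || return 1
    ! matches "$ESET_COM" 'http://eset.com.attacker.example/'    || return 1  # suffix spoof
    ! matches "$ESET_COM" 'http://attacker.example/x.eset.com'   || return 1  # host in path
    # The page's e5.sk entry is unanchored and its dot is unescaped: any target
    # containing "e5", one character and "sk" gets through, so a client picks
    # the path and the proxy forwards to an arbitrary host.
    matches "$E5SK_PAGE" 'http://attacker.example/e5xsk'         || return 1
    ! matches "$E5SK_STRICT" 'http://attacker.example/e5xsk'     || return 1
    matches "$E5SK_STRICT" 'some-host.e5.sk:53535'               || return 1
}

check_server_match() {
    local re
    re=$(server_regex hostname.example 10.1.1.10)
    matches "$re" 'hostname.example:2222'                  || return 1  # Agent CONNECT
    matches "$re" '10.1.1.10:2222'                         || return 1
    ! matches "$re" '10x1x1x10:2222'                       || return 1  # dots are literal
    ! matches "$re" 'hostname.example.attacker.test:2222'  || return 1
}

# Usage: ./proxymatch-check.sh hostname.example 10.1.1.10   (prints the block)
if [ "$#" -gt 0 ]; then
    server_proxymatch "$@"
fi
```

Run it with your Server's addresses as arguments to print the ProxyMatch block ready to paste into the proxy configuration; the two check functions document what the patterns accept and reject. The hostname.example.attacker.test case is why the alternation ends in (:[0-9]+)?(/.*)?$ rather than an open-ended match: without the anchor, any name that merely starts with your Server's hostname would be forwarded.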
Configure caching
You can use htcacheclean to limit the Apache HTTP Proxy cache size and to clean the cache. See the cache configuration instructions for ESET PROTECT VA.
SELinux setting
When using the proxy on the ESET PROTECT Virtual Appliance, the SELinux policy must be modified (other Linux distributions with SELinux in enforcing mode have the same requirement: by default httpd is not allowed to open outbound network connections). Open the terminal on the ESET PROTECT VA and run the following commands:
/usr/sbin/setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 2222
The first command allows httpd to make outbound connections, which a forward proxy needs; the second labels the Agent port (use your own port if you changed it from 2222). semanage is provided by the policycoreutils-python-utils package on Red Hat-based systems (policycoreutils-python on older releases).