ESET Online Help

Search English
Select the category
Select the topic

Apache HTTP Proxy installation - Linux

ESET Management Agents can connect to the the ESET PROTECT Server via Apache HTTP Proxy. Read more about how the proxy for ESET Management Agents works.

The Apache HTTP Proxy is commonly distributed as a apache2 or httpd package.

Choose the installation steps for Apache HTTP Proxy according to the Linux distribution you use on your server. If you want to use the Apache to cache also results from ESET LiveGuard Advanced, see also the related documentation.

Linux installation (distribution generic) for Apache HTTP Proxy

1.Install Apache HTTP Server (at least version 2.4.10).

2.Verify that the following modules are loaded:

access_compat, auth_basic, authn_core, authn_file, authz_core, authz_groupfile,
authz_host, proxy, proxy_http, proxy_connect, cache, cache_disk

3.Add the caching configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 500000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4.If the directory /var/cache/apache2/mod_cache_disk does not exist, create it and assign Apache privileges (r,w,x).

5.Add Proxy configuration:

AllowCONNECT 443 563 2222 8883 53535

 

ProxyRequests On
ProxyVia On

 

CacheLock on

CacheLockMaxAge 10

ProxyTimeOut 900

 

SetEnv proxy-initial-not-pooled 1

 

<VirtualHost *:3128>

ProxyRequests On

</VirtualHost>

 

<VirtualHost *:3128>

ServerName r.edtd.eset.com

 

<If "%{REQUEST_METHOD} == 'CONNECT'">

Require all denied

</If>

 

ProxyRequests Off

CacheEnable disk /

SSLProxyEngine On

 

RequestHeader set Front-End-Https "On"

ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10

ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On

</VirtualHost>

 
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6.By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number. Change 2222 in the line: AllowCONNECT 443 563 2222 8883 53535 to your port number.

7.Enable the added caching proxy and configuration (if configuration is in the main Apache configuration file, you can skip this step).

8.If necessary, change listening to your desired port (port 3128 is set by default).

9.Optional basic authentication:

oAdd authentication configuration to the proxy directive:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

oCreate a password file using /etc/httpd/.htpasswd -c

oManually create a file named group.file with usergroup:username

10. Restart the Apache HTTP Server.

Ubuntu Server and other Debian-based Linux distributions installation of Apache HTTP Proxy

1.Install the latest version of Apache HTTP Server from apt repository:

sudo apt-get install apache2

2.Execute the following command to load the required Apache modules:

sudo a2enmod access_compat auth_basic authn_core authn_file authz_core\

authz_groupfile authz_host proxy proxy_http proxy_connect cache cache_disk

3.Edit the Apache caching configuration file:

sudo vim /etc/apache2/conf-available/cache_disk.conf

and copy/paste the following configuration:

CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 500000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/apache2/mod_cache_disk

4. This step should not be required, but if the caching directory is missing, run following commands:

sudo mkdir /var/cache/apache2/mod_cache_disk
sudo chown www-data /var/cache/apache2/mod_cache_disk
sudo chgrp www-data /var/cache/apache2/mod_cache_disk

5.Edit the Apache proxy configuration file:

sudo vim /etc/apache2/conf-available/proxy.conf

and copy/paste the following configuration:

AllowCONNECT 443 563 2222 8883 53535

 

ProxyRequests On
ProxyVia On

 

CacheLock on

CacheLockMaxAge 10

ProxyTimeOut 900

 

SetEnv proxy-initial-not-pooled 1

 

<VirtualHost *:3128>

ProxyRequests On

</VirtualHost>

 

<VirtualHost *:3128>

        ServerName r.edtd.eset.com

 

<If "%{REQUEST_METHOD} == 'CONNECT'">

Require all denied

</If>

 

ProxyRequests Off

CacheEnable disk /

SSLProxyEngine On

 

RequestHeader set Front-End-Https "On"

ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10

ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On

</VirtualHost>

 
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

6.By default, port 2222 is used for communication with the ESET Management Agent. If you changed the port during installation, use the changed port number. Change 2222 in the line: AllowCONNECT 443 563 2222 8883 53535 to your port number.

7.Enable the configuration files you edited in earlier steps:

sudo a2enconf cache_disk.conf proxy.conf

8.Switch the listening port of Apache HTTP Server to 3128. Edit the file /etc/apache2/ports.conf and replace Listen 80 with Listen 3128.

9.Optional basic authentication:

sudo vim /etc/apache2/mods-enabled/proxy.conf

oCopy/paste authentication configuration before </Proxy>:

AuthType Basic
AuthName "Password Required"
AuthUserFile /etc/apache2/password.file
AuthGroupFile /etc/apache2/group.file
Require group usergroup

oInstall apache2-utils and create a new password file (for example username: user, group: usergroup):

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/apache2/password.file user

oCreate a file called group:

sudo vim /etc/apache2/group.file

and copy/paste the following line:

usergroup:user

10. Restart the Apache HTTP Server using the following command:

sudo systemctl restart apache2

 

Forwarding for ESET communication onlyTo allow forwarding of ESET communication only, remove the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

And add the following:

<Proxy *>

Deny from all

</Proxy>

 

#*.eset.com:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#*.eset.eu:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#*.eset.systems:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#Antispam module (ESET Mail Security only):

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#Services (activation)

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#ESET servers accessed directly via IP address:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#AV Cloud over port 53535

<ProxyMatch ^.*e5.sk.*$>

Allow from all

</ProxyMatch>

Forwarding for all communication

To allow forwarding of all communication, add the following:

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

and remove the following:

<Proxy *>

Deny from all

</Proxy>

 

#*.eset.com:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#*.eset.eu:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#*.eset.systems:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#Antispam module (ESET Mail Security only):

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#Services (activation)

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#ESET servers accessed directly via IP address:

<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91.228.165.|91.228.166.|91.228.167.|38.90.226.)([0-9]+)(:[0-9]+)?(/.*)?$>

Allow from all

</ProxyMatch>

 

#AV Cloud over port 53535

<ProxyMatch ^.*e5.sk.*$>

Allow from all

</ProxyMatch>

Proxy chaining (all traffic)

ESET PROTECT does not support proxy chaining when proxies require authentication. You can use your own transparent web proxy solution, however there may be additional configuration required beyond what is mentioned here. Add the following to the proxy configuration (password is working only on child proxy):

<VirtualHost *:3128>

ProxyRequests On

ProxyRemote * http://IP_ADDRESS:3128

</VirtualHost>

When using Proxy chaining on the ESET PROTECT Virtual Appliance, the SELinux policy must be modified. Open the terminal on the ESET PROTECT VA and run the following command:

/usr/sbin/setsebool -P httpd_can_network_connect 1

Configure the HTTP Proxy for a high number of clients

If you use 64-bit Apache HTTP Proxy, you can increase the thread limit for your Apache HTTP Proxy. Edit the configuration file httpd.conf, inside your Apache HTTP Proxy folder. Find the following settings in the file and update the values to match your number of clients.

Substitute the example value of 5000 with your number. The maximum value is 32000.

ThreadLimit 5000

ThreadsPerChild 5000

 
Do not change the rest of the file.

Configure the Apache HTTP Proxy to forward Agent-Server connections

1.On the proxy machine open the file

i.Debian distributions
/etc/apache2/mods-available/proxy.conf

ii.Red Hat distributions
/etc/httpd/conf/httpd.conf

2.Add the following line to the end of the file:
AllowCONNECT 443 563 2222 8883 53535

3.On the proxy machine open the file

i.Debian distributions
/etc/apache2/apache2.conf

ii.Red Hat distributions
/etc/httpd/conf/httpd.conf

4.Find the line:
Listen 80
and change it to
Listen 3128

5.If you have added restrictions for IP addresses in your proxy configuration (step 1), you have to allow access to your ESET PROTECT Server:

Add a separate ProxyMatch segment:

I.The address which your Agents use to connect to the ESET PROTECT Server.

II.All other possible addresses of your ESET PROTECT Server (IP, FQDN)
(add the whole below code; IP address 10.1.1.10 and hostname hostname.example are only examples to be substituted by your addresses. You can also generate the ProxyMatch expression in this Knowledgebase article.)
 

<ProxyMatch ^(hostname\.example(:[0-9]+)?(\/.*)?|10\.1\.1\.10(:[0-9]+)?(\/.*)?)$>

Allow from all

</ProxyMatch>

6.Restart the Apache HTTP Proxy service.

Configure caching

You can use htcachceclean to configure Apache HTTP Proxy cache size and cache cleaning. See the cache configuration instructions for ESET PROTECT VA.

SELinux setting

When using Proxy on the ESET PROTECT Virtual Appliance, the SELinux policy must be modified (some other Linux distributions may have the same requirement). Open the terminal on the ESET PROTECT VA and run the following commands:

/usr/sbin/setsebool -P httpd_can_network_connect 1

sudo semanage port -a -t http_port_t -p tcp 2222