alexroz 2 Posted April 27, 2017

Hi,

How can I verify that Endpoint clients and agents (configuration according to hxxp://support.eset.com/kb5950/#Policy2useHttpProxy) are using my new Apache HTTP Proxy? And how can I verify that Apache HTTP Proxy is functioning properly?

I have a Windows domain with ERA Server (based on CentOS virtual appliance) on one host, and the ERA Apache HTTP proxy based on Ubuntu 16.04 server (configuration according to hxxp://help.eset.com/era_install/65/en-US/index.html?http_proxy_installation_linux.htm).

ESET Staff MartinK 376 Posted April 27, 2017

My personal recommendation is to enable status logs (https://httpd.apache.org/docs/2.4/mod/mod_cache.html#status) that will log each cache hit or miss. This will enable you to check whether any requests are handled by the cache and whether they are actually served from cache.

It is also possible to use various Apache modules for monitoring status and load. For example, the module mod_status (blog) may help you to monitor at least server activity, number of connections and transferred bytes.

alexroz 2 Posted April 28, 2017 Author

12 hours ago, MartinK said: My personal recommendation is to enable status logs (https://httpd.apache.org/docs/2.4/mod/mod_cache.html#status) that will log each cache hit or miss. This will enable you to check whether any requests are handled by the cache and whether they are actually served from cache. It is also possible to use various Apache modules for monitoring status and load. For example, the module mod_status (blog) may help you to monitor at least server activity, number of connections and transferred bytes.

Thank you. It's quite a lot of material for me to digest... I'm not familiar enough with the Linux server side yet...

bbahes 29 Posted April 28, 2017

12 hours ago, MartinK said: My personal recommendation is to enable status logs (https://httpd.apache.org/docs/2.4/mod/mod_cache.html#status) that will log each cache hit or miss. This will enable you to check whether any requests are handled by the cache and whether they are actually served from cache. It is also possible to use various Apache modules for monitoring status and load. For example, the module mod_status (blog) may help you to monitor at least server activity, number of connections and transferred bytes.

Are there any considerations to make this easier, or maybe there is already some report that shows when clients have downloaded updates, sent Live Grid statistics, etc.?

ESET Staff MartinK 376 Posted April 28, 2017

11 hours ago, bbahes said: Are there any considerations to make this easier, or maybe there is already some report that shows when clients have downloaded updates, sent Live Grid statistics, etc.?

It is reported as an improvement, but I am not sure of its priority. Tighter integration with the HTTP proxy would definitely help diagnose at least basic problems with its functionality.

V2TW 3 Posted May 2, 2017

Quick and dirty way: hxxp://<proxy server>:3128/index.html. If something shows up (the default Apache index page showing "It Works") or you get a 404 error, then the Apache proxy is working.

bbahes 29 Posted May 2, 2017

6 hours ago, V2TW said: Quick and dirty way: hxxp://<proxy server>:3128/index.html. If something shows up (the default Apache index page showing "It Works") or you get a 404 error, then the Apache proxy is working.

This is just to verify that the proxy service is working. The original request was to check whether clients actually use the proxy. It's something that can be seen in logs, not in some nice admin interface. I would love to have info on whether clients download cached updates from the proxy or directly from ESET update servers.

alexroz 2 Posted May 3, 2017 Author

On 4/27/2017 at 10:42 PM, MartinK said: My personal recommendation is to enable status logs (https://httpd.apache.org/docs/2.4/mod/mod_cache.html#status) that will log each cache hit or miss. This will enable you to check whether any requests are handled by the cache and whether they are actually served from cache.

OK, I enabled Apache's status logging according to https://httpd.apache.org/docs/current/mod/mod_cache.html#status

I can see that cached-requests.log and revalidated-requests.log are empty, while uncached-requests.log contains:

Quote

usermane@proxy-era:/etc$ cat /etc/apache2/uncached-requests.log
192.168.0.68 - - [03/May/2017:15:27:47 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.68 - - [03/May/2017:15:28:03 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.68 - - [03/May/2017:15:28:20 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.68 - - [03/May/2017:15:28:35 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.68 - - [03/May/2017:15:28:51 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.183 - - [03/May/2017:15:29:04 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.68 - - [03/May/2017:15:29:06 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167
192.168.0.38 - - [03/May/2017:15:29:08 +0300] "GET hxxp://update.eset.com/eset_upd/era6/update.ver HTTP/1.1" 200 2524
192.168.0.100 - - [03/May/2017:15:29:12 +0300] "GET hxxp://update.eset.com/eset_upd/era6/update.ver HTTP/1.1" 200 2524
......

And invalidated-requests.log:

Quote

usermane@proxy-era:/etc$ cat /etc/apache2/invalidated-requests.log
192.168.0.97 - - [03/May/2017:15:28:00 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
192.168.0.32 - - [03/May/2017:15:28:25 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
192.168.0.116 - - [03/May/2017:15:29:01 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
192.168.0.40 - - [03/May/2017:15:29:03 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
192.168.0.183 - - [03/May/2017:15:29:04 +0300] "POST hxxp://ts.eset.com:80/query/chsquery.php HTTP/1.1" 200 213
192.168.0.183 - - [03/May/2017:15:29:04 +0300] "POST hxxp://ts.eset.com:80/query/chsquery.php HTTP/1.1" 200 310
192.168.0.183 - - [03/May/2017:15:29:04 +0300] "POST hxxp://ts.eset.com:80/query/chsquery.php HTTP/1.1" 200 213
192.168.0.183 - - [03/May/2017:15:29:04 +0300] "POST hxxp://ts.eset.com:80/query/chsquery.php HTTP/1.1" 200 310
192.168.0.95 - - [03/May/2017:15:29:09 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
192.168.0.35 - - [03/May/2017:15:29:21 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085
.....

The volume of /var/cache/apache2/mod_cache_disk is 103M:

Quote

usermane@proxy-era:/etc$ sudo du -shc /var/cache/apache2/mod_cache_disk
103M /var/cache/apache2/mod_cache_disk
103M total

What does it mean? Does caching work, or is it just a proxy without any caching?

ESET Staff MartinK 376 Posted May 3, 2017

Content of uncached-requests.log seems to be fine -> the metadata file update.ver is intentionally not cached. Invalidated requests are also as expected: those queries are not cached. Unfortunately there are no operations that are supposed to be cached (= download of updatable modules or installers). I would expect them to be listed as revalidated or missed. Maybe logging was not running long enough and there were no updates downloaded?

There is also another way to check whether caching works -> you can list the cache content using the command htcacheclean, which should be part of the Apache proxy installation. Not sure of the exact syntax, but something like:

htcacheclean -v -a -p <path to cache directory>

should list cached entries with details.

Edited May 3, 2017 by MartinK

alexroz 2 Posted May 3, 2017 Author

1 hour ago, MartinK said: Content of uncached-requests.log seems to be fine -> the metadata file update.ver is intentionally not cached. Invalidated requests are also as expected: those queries are not cached. Unfortunately there are no operations that are supposed to be cached (= download of updatable modules or installers). I would expect them to be listed as revalidated or missed. Maybe logging was not running long enough and there were no updates downloaded? There is also another way to check whether caching works -> you can list the cache content using the command htcacheclean, which should be part of the Apache proxy installation. Not sure of the exact syntax, but something like: htcacheclean -v -a -p <path to cache directory> should list cached entries with details.

Thank you, MartinK. Your assumption was correct. The logging wasn't running long enough... Now I can see some activity in revalidated-requests.log:

Quote

username@proxy-era:~$ cat /etc/apache2/revalidated-requests.log
192.168.0.68 - - [03/May/2017:16:15:45 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_042_netprot_1755/em042_32_n1.nup HTTP/1.1" 200 7201
192.168.0.56 - - [03/May/2017:16:18:43 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_002_engine_33258/em002_32_n1.nup HTTP/1.1" 200 49696
192.168.0.56 - - [03/May/2017:16:18:44 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_021_horus_10604/em021_32_n2.nup HTTP/1.1" 200 28521
192.168.0.56 - - [03/May/2017:16:18:44 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_023_pegasus_10135/em023_32_n3.nup HTTP/1.1" 200 44005
192.168.0.56 - - [03/May/2017:16:18:45 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_042_netprot_1755/em042_32_n1.nup HTTP/1.1" 200 7201

Edited May 3, 2017 by alexroz
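
Added example (not part of any post in this thread, and not ESET or Apache tooling): a Python summary of the four mod_cache status logs discussed above, answering both questions at once: which client IPs are going through the proxy, and what share of module downloads was answered from cache. The log file names follow the thread; the sample lines are constructed in the same format (URLs kept in the defanged form shown here), and treating .nup URLs as the cacheable module traffic is an assumption based on the excerpts.

```python
import re
from collections import Counter

# Common Log Format, as in the status log excerpts quoted in the thread.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} (?:\d+|-)$')

# Status log file name -> mod_cache outcome (file names as used in the thread).
OUTCOMES = {"cached-requests.log": "hit",
            "revalidated-requests.log": "revalidated",
            "uncached-requests.log": "miss",
            "invalidated-requests.log": "invalidated"}

def summarize(logs):
    """logs maps file name -> content. Returns (client IPs seen, request counts
    per outcome, counts per outcome for .nup module downloads only)."""
    clients, totals, modules = set(), Counter(), Counter()
    for name, text in logs.items():
        outcome = OUTCOMES[name]
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m is None:          # blank, truncated or foreign-format line
                continue
            clients.add(m["client"])
            totals[outcome] += 1
            if m["method"] == "GET" and m["url"].endswith(".nup"):
                modules[outcome] += 1
    return clients, totals, modules

def module_cache_ratio(modules):
    """Share of module downloads answered from cache, or None if none were seen."""
    served = modules["hit"] + modules["revalidated"]
    total = served + modules["miss"]
    return served / total if total else None

# Constructed sample, shaped like the excerpts in the thread (not real logs).
SAMPLE = {
    "cached-requests.log": "",
    "uncached-requests.log": '192.168.0.68 - - [03/May/2017:15:27:47 +0300] "GET hxxp://update.eset.com/eset_upd/ep6/update.ver HTTP/1.1" 200 11167\n'
        '192.168.0.56 - - [03/May/2017:16:10:02 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_002_engine_33258/em002_32_n1.nup HTTP/1.1" 200 49696\n',
    "revalidated-requests.log": '192.168.0.68 - - [03/May/2017:16:15:45 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_042_netprot_1755/em042_32_n1.nup HTTP/1.1" 200 7201\n'
        '192.168.0.56 - - [03/May/2017:16:18:45 +0300] "GET hxxp://update.eset.com/ep6-rel-bat/mod_042_netprot_1755/em042_32_n1.nup HTTP/1.1" 200 7201\n'
        'garbage line that does not parse\n',
    "invalidated-requests.log": '192.168.0.97 - - [03/May/2017:15:28:00 +0300] "POST hxxp://i4.c.eset.com:80/ HTTP/1.1" 200 11085\n',
}

if __name__ == "__main__":
    clients, totals, modules = summarize(SAMPLE)
    print(sorted(clients), dict(totals), module_cache_ratio(modules))
```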