
Apache HTTP proxy authentication does not work



Hello,

I'm trying to set up Apache HTTP proxy and it looks like it's not working in case of ESMC agents. When I tick off "Use direct connection if proxy is not available", I can't communicate with the agent and this is logged on the proxy server:

[Tue Apr 16 15:29:13.202849 2019] [core:debug] [pid 10956:tid 12484] vhost.c(1167): [client 172.16.1.46:50496] AH02417: Replacing host header 'proxy.server.cz:2222' with host 'proxy.server.cz:2222' given in the request uri
[Tue Apr 16 15:29:13.202849 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:50496] AH01626: authorization result of Require group usergroup: denied (no authenticated user yet)
[Tue Apr 16 15:29:13.202849 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:50496] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

It looks like it's working in case of Endpoint Antivirus, because when I tick off "Use direct connection if proxy is not available" in the Endpoint Antivirus policy, the product can be updated and I can see this in the HTTP proxy log. But it also looks strange, because authorization is failing two times until it's successful. What does it mean?

[Tue Apr 16 15:44:24.071494 2019] [core:debug] [pid 10956:tid 12484] vhost.c(1167): [client 172.16.1.46:49965] AH02417: Replacing host header 'i1.c.eset.com:80' with host 'i1.c.eset.com:80' given in the request uri
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of Require group usergroup: denied (no authenticated user yet)
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 16 15:44:24.071494 2019] [core:debug] [pid 10956:tid 12484] vhost.c(1167): [client 172.16.1.46:49965] AH02417: Replacing host header 'i1.c.eset.com:80' with host 'i1.c.eset.com:80' given in the request uri
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of Require group usergroup: denied (no authenticated user yet)
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of Require group usergroup: granted
[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): [client 172.16.1.46:49965] AH01626: authorization result of <RequireAny>: granted
[Tue Apr 16 15:44:24.071494 2019] [cache:debug] [pid 10956:tid 12484] mod_cache.c(443): [client 172.16.1.46:49965] AH02463: PUT/POST/DELETE: Adding CACHE_INVALIDATE filter for hxxp://i1.c.eset.com:80/
[Tue Apr 16 15:44:24.071494 2019] [proxy:debug] [pid 10956:tid 12484] mod_proxy.c(1237): [client 172.16.1.46:49965] AH01143: Running scheme http handler (attempt 0)
[Tue Apr 16 15:44:24.071494 2019] [proxy:debug] [pid 10956:tid 12484] proxy_util.c(2160): AH00942: HTTP: has acquired connection for (*)
[Tue Apr 16 15:44:24.071494 2019] [proxy:debug] [pid 10956:tid 12484] proxy_util.c(2214): [client 172.16.1.46:49965] AH00944: connecting hxxp://i1.c.eset.com/ to i1.c.eset.com:80
[Tue Apr 16 15:44:24.071494 2019] [proxy:debug] [pid 10956:tid 12484] proxy_util.c(2423): [client 172.16.1.46:49965] AH00947: connected / to i1.c.eset.com:80

What could be a problem?


  • ESET Staff

Not sure I understand correctly, but the chunk of logs seems to capture an attempt of AGENT to connect to ESMC via HTTP proxy. In this case authorization is not used even if configured -> this is a known issue of the underlying layer.

The second set of logs seems to cover some communication between the endpoint and ESET infrastructure. As I do not know this protocol, I can only guess, but mostly the first request is without authorization, and the second should be repeated with authorization credentials. In case of update servers (not covered here), the first request without credentials should even be of type HEAD, i.e. it is some kind of proxy. The whole purpose of this is to not send credentials until it is really required, and for some authentication mechanisms it is not even possible to send credentials with the first request, as a challenge from the remote peer might be required.

For further analysis I would recommend capturing traffic using Wireshark; it might show which kind of requests are actually sent, especially in case the underlying protocol is not encrypted (this is not the case for the first part, AGENT uses TLS to communicate with ESMC).

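The two log patterns discussed in this thread can be told apart mechanically. The following is an added example, not part of either post and not ESET or Apache code: it groups `AH01626` authorization results by client connection and reports whether each connection was challenged and then authenticated, or never sent credentials at all. The sample lines are constructed in the format of the log quoted above, and the function names and verdict strings are assumptions of this example.

```python
import re

# Constructed sample in the format of the proxy log quoted in the thread
# (the bracketed module prefix is simplified to one string for brevity).
PFX = "[Tue Apr 16 15:44:24.071494 2019] [authz_core:debug] [pid 10956:tid 12484] mod_authz_core.c(806): "
A, B = "[client 172.16.1.46:50496] ", "[client 172.16.1.46:49965] "
SAMPLE_LOG = "\n".join(PFX + s for s in [
    A + "AH02417: Replacing host header 'proxy.server.cz:2222' with host 'proxy.server.cz:2222' given in the request uri",
    A + "AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    B + "AH02417: Replacing host header 'i1.c.eset.com:80' with host 'i1.c.eset.com:80' given in the request uri",
    B + "AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    B + "AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    B + "AH01626: authorization result of <RequireAny>: granted",
])

LINE = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)")
TARGET = re.compile(r"with host '([^']+)'")
AUTHZ = re.compile(r"authorization result of (.+): (granted|denied)(?: \((.+)\))?$")

def verdict(c):
    """Turn per-connection counters into a readable conclusion."""
    if c["granted"]:
        return "challenged, then authenticated" if c["anonymous"] else "authenticated"
    if c["rejected"]:
        return "credentials rejected"
    return "no credentials sent" if c["anonymous"] else "no authz events"

def summarize(log_text):
    """Group authz results by client ip:port, which identifies one TCP connection."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        c = conns.setdefault(m["client"], {"target": None, "anonymous": 0, "rejected": 0, "granted": 0})
        if m["code"] == "AH02417" and (t := TARGET.search(m["msg"])):
            c["target"] = t.group(1)          # host:port the client asked the proxy for
        elif m["code"] == "AH01626" and (a := AUTHZ.search(m["msg"])):
            _, result, reason = a.groups()
            if result == "granted":
                c["granted"] += 1
            elif reason == "no authenticated user yet":
                c["anonymous"] += 1           # request carried no usable credentials
            else:
                c["rejected"] += 1            # credentials were present but not accepted
    for c in conns.values():
        c["verdict"] = verdict(c)
    return conns

if __name__ == "__main__":
    for client, c in summarize(SAMPLE_LOG).items():
        print(client, "->", c["target"], ":", c["verdict"])
```

A connection that stays at "no credentials sent" matches the agent behaviour described in the reply, while "challenged, then authenticated" matches the endpoint update traffic.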
