Jump to content

Configuration of Apache HTTP Proxy as a reverse proxy for remote clients


Go to solution Solved by User 999,

Recommended Posts

Hello together,

I'm new to ESET Protect and I'm having problems to configure the Apache HTTP proxy from ESET for our remote client (without vpn access). We are using ESET Protect Management server v9 on premises. The ESET Endpoint Security client policy includes the external FQDN example.com port 3128 as proxy and has checked the "use direct connection if proxy is unavailable option".

We are using a Windows 2022 server in our DMZ and have installed the Apache HTTP proxy with the ESET installer program. The proxy should now forward the requests from the remote clients to the internal EPMS.

The standard config of the httpd.conf seems to be not for action as a reverse proxy and so we found this https://help.eset.com/protect_install/90/en-US/http_proxy_installation_linux.html, but which is just a beginning.

Our current httpd.conf looks like this, but the Apache log shows errors:


 

#Configuration

Listen 3128

LoadModule access_compat_module modules/mod_access_compat.dll
LoadModule auth_basic_module modules/mod_auth_basic.dll
LoadModule authn_core_module modules/mod_authn_core.dll
LoadModule authn_file_module modules/mod_authn_file.dll
LoadModule authz_core_module modules/mod_authz_core.dll
LoadModule authz_groupfile_module modules/mod_authz_groupfile.dll
LoadModule authz_host_module modules/mod_authz_host.dll
LoadModule env_module modules/mod_env.dll
LoadModule alias_module ..\modules\mod_alias.dll
LoadModule ssl_module ..\modules\mod_ssl.dll
LoadModule headers_module ..\modules\mod_headers.dll
LoadModule proxy_module ..\modules\mod_proxy.dll
LoadModule proxy_http_module  ..\modules\mod_proxy_http.dll
LoadModule proxy_connect_module ..\modules\mod_proxy_connect.dll
LoadModule cache_module ..\modules\mod_cache.dll
LoadModule cache_disk_module ..\modules\mod_cache_disk.dll


<Directory />
    AllowOverride none
    Require all denied
</Directory>


<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error.log"

LogLevel warn

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


CacheEnable disk hxxp://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 500000000
CacheMaxExpire 604800
CacheQuickHandler Off


ProxyRequests Off
ProxyVia On

ThreadLimit 1500
ThreadsPerChild 1500
CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900

MergeSlashes OFF

<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>


SetEnv proxy-initial-not-pooled 1


#Following 4 settings disable some performance optimizations, in order to avoid situation when service is running, but does not respond to any request on computers with specific configuration.
#Comment out lines in order to improve performance, but test it first in non production environment.

AcceptFilter https none
AcceptFilter http none
EnableSendfile Off
EnableMMAP off


<VirtualHost *:3128>
    ProxyRequests On
</VirtualHost>

<VirtualHost *:3128>
        ProxyRequests Off
        CacheEnable disk /
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        ProxyPreserveHost off
        
        ServerName example.com:3128

        ProxyPass / https://internalservername.domain:2222
        ProxyPassReverse / https://internalservername.domain:2222
</VirtualHost>
AllowCONNECT 2222 8883 53535


# # revalidation setting for update.ver
<FilesMatch "\.ver$">
    Header set Cache-Control "max-age=14400, no-cache, must-revalidate"
</FilesMatch>

#Configuration written

 

Apache errors:

[Fri May 27 07:10:43.545726 2022] [mpm_winnt:notice] [pid 1232:tid 468] AH00455: Apache/2.4.53 (Win64) OpenSSL/1.1.1n configured -- resuming normal operations
[Fri May 27 07:10:43.545726 2022] [mpm_winnt:notice] [pid 1232:tid 468] AH00456: Server built: Mar 21 2022 09:33:11
[Fri May 27 07:10:43.545726 2022] [core:notice] [pid 1232:tid 468] AH00094: Command line: 'C:\\Program Files\\Apache HTTP Proxy 2.4.53\\bin\\httpd.exe -d C:/Program Files/Apache HTTP Proxy 2.4.53'
[Fri May 27 07:10:44.061350 2022] [mpm_winnt:notice] [pid 1232:tid 468] AH00418: Parent: Created child process 2828
AH00558: httpd.exe: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
[Fri May 27 07:10:46.311350 2022] [ssl:warn] [pid 2828:tid 484] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri May 27 07:10:46.561350 2022] [mpm_winnt:notice] [pid 2828:tid 484] AH00354: Child: Starting 1500 worker threads.
[Fri May 27 07:15:02.103200 2022] [proxy_http:error] [pid 2828:tid 12804] (70014)End of file found: [client client-ip:57816] AH01102: error reading status line from remote server EPMSinternal.domain:2222
[Fri May 27 07:15:02.103385 2022] [proxy:error] [pid 2828:tid 12804] [client client-ip:57816] AH00898: Error reading from remote server returned by /
[Fri May 27 07:15:03.132224 2022] [proxy_http:error] [pid 2828:tid 12804] (70014)End of file found: [client client-ip:57818] AH01102: error reading status line from remote server EPMSinternal.domain:2222
[Fri May 27 07:15:03.132224 2022] [proxy:error] [pid 2828:tid 12804] [client client-ip:57818] AH00898: Error reading from remote server returned by /

 

Is there an offical guide for configurating the Apache HTTP proxy for this purpose?: https://support.eset.com/en/kb7916-advanced-scenarios-for-apache-http-proxy-with-eset-protect#dmz

 

 

Link to comment
Share on other sites

change 

ProxyPass / https://internalservername.domain:2222
ProxyPassReverse / https://internalservername.domain:2222

to 

ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
ProxyPassReverse / hxxp://r.edtd.eset.com/ keepalive=On

use proxy remote when you want to forward request from branch site to main site

change from

<VirtualHost *:3128>
    ProxyRequests On
</VirtualHost>

to

<VirtualHost *:3128>
    ProxyRequests On
    ProxyRemote * hxxp://YOUR_MAIN_IP_ESET_PROXY_OR_WEB_PROXY:3128
</VirtualHost>

 

Link to comment
Share on other sites

Many Thanks. The errors from this morning are gone for now.

By the way I changed your suggestion for

ProxyRemote * hxxp://YOUR_MAIN_IP_ESET_PROXY_OR_WEB_PROXY:3128

to

ProxyRemote * hxxp://internalESETProtectMgmtServer.domain:2222

because we don't have a second proxy or do I understand something wrong? So the current httpd.conf file looks like this:

#<VirtualHost *:3128>
	ProxyRequests On
	ProxyRemote * hxxp://internalESETProtectMgmtServer.domain:2222
#</VirtualHost>

<VirtualHost *:3128>
    	ProxyRequests On
	
	ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
	ProxyPassReverse / hxxp://r.edtd.eset.com/ keepalive=On

	LogLevel error
	

</VirtualHost>

 

However, the remote test client still cannot replicate to the internal EPMS. Any idea? Our concept looks like this:

KB7916FIg3-1.png

 

 

Link to comment
Share on other sites

remove this command

 

ProxyRemote * hxxp://internalESETProtectMgmtServer.domain:2222

since it's DMZ setup then you must forward port from you firewall network 

Link to comment
Share on other sites

  • Solution

Hello together,

I found a solution for the issue. I restored the orignal httpd.conf from installation archive and followed this help ESET help article: https://help.eset.com/protect_install/90/en-US/apache_configuration.html#s-configuration-of-apache-http-proxy-for-replication-agent-server

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...