12-16-04 11:49 PM
I think what I've got is an Apache configuration issue, but I'm not
positive. I'm hoping someone else has seen something like this before.
We provide a proxy service to some specific academic journal sites for
which we have a site license. The way that proxy service works is that we
use a custom Apache authentication module in conjunction with mod_proxy,
and provide the users a .pac file for automatic proxy configuration. A
typical entry in the .pac file is:

    if (shExpMatch(url, "http://www.example.com/*"))
        { return "PROXY proxy.stanford.edu:80"; }

and the corresponding Apache configuration fragment is:

    <Proxy http://www.example.com/*>
        AuthType WebAuth
        WebAuthExtraRedirect on
        require valid-user
        allow from all
    </Proxy>

This works fine.
We now need to also proxy to some hosts that are only accessible via SSL.
Ideally I'd like both SSL to the proxy server and SSL to the remote site,
but right now I'm trying to get anything at all working. When I do
something directly equivalent, such as putting:

    if (shExpMatch(url, "https://www.example.org/*"))
        { return "PROXY proxy.stanford.edu:80"; }

in the .pac file and then add a corresponding configuration fragment like:

    <Proxy https://www.example.org/*>
        AuthType WebAuth
        WebAuthExtraRedirect on
        require valid-user
        allow from all
    </Proxy>

I get the following error message in the Apache logs:

    [Tue Dec 14 16:40:13 2004] [error] [client 171.64.19.147] client denied by server configuration: proxy:www.example.org:443

Notice the weird format of this site. What I'm used to seeing are error
messages like:

    [Thu Dec 09 14:20:51 2004] [error] [client 171.64.136.43] client denied by server configuration: proxy:http://www.example.com:80/

which I can then fix by adding the appropriate <Proxy> block. But this
doesn't seem to keep the https:// prefix inside Apache.
I can make this error go away by instead adding a configuration block
like:

    <Proxy proxy:www.example.org:443>
        AuthType WebAuth
        WebAuthExtraRedirect on
        require valid-user
        allow from all
    </Proxy>

but then of course our authentication module gets upset since it has no
idea what to do with that sort of a URL. So two questions: first, are
forward proxies to SSL sites really handled differently and have to be
configured using a different <Proxy> syntax in the Apache configuration?
And second, do we have to handle these sorts of proxy:www.example.org:443
URLs in the Apache authentication module, without all the normal trappings
of a real URL?
Any help would be greatly appreciated.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
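
The two log formats quoted above, parsed side by side, as an added example that is not part of the original post. It groups "client denied" proxy errors by the form of the target so that entries arriving as a bare host:port stand out. The function names and the third sample line are constructed for illustration, and the example assumes the host:port form is the target of a browser CONNECT request, which is how clients reach https:// sites through a forward proxy; the post itself does not say this.

```python
import re
from collections import Counter

# Constructed sample: the two error lines quoted in the post (unwrapped),
# plus one unrelated error line that must be ignored.
SAMPLE_LOG = """\
[Tue Dec 14 16:40:13 2004] [error] [client 171.64.19.147] client denied by server configuration: proxy:www.example.org:443
[Thu Dec 09 14:20:51 2004] [error] [client 171.64.136.43] client denied by server configuration: proxy:http://www.example.com:80/
[Thu Dec 09 14:21:02 2004] [error] [client 171.64.136.43] File does not exist: /var/www/favicon.ico
"""

DENIED = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: proxy:(?P<target>\S+)$")
HOST = r"(?P<host>\[[^\]]+\]|[^/:\[\]]+)"   # name, IPv4, or bracketed IPv6
URL_FORM = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://" + HOST
                      + r"(?::(?P<port>\d+))?(?:/.*)?$", re.I)
AUTHORITY_FORM = re.compile(r"^" + HOST + r":(?P<port>\d+)$")

def classify(target):
    """Split a mod_proxy target into form, scheme, host and port."""
    m = URL_FORM.match(target)
    if m:
        port = int(m["port"]) if m["port"] else None
        return {"form": "url", "scheme": m["scheme"].lower(),
                "host": m["host"], "port": port}
    m = AUTHORITY_FORM.match(target)
    if m:  # no scheme and no path: this is all the auth phase gets to see
        return {"form": "host:port", "scheme": None,
                "host": m["host"], "port": int(m["port"])}
    return {"form": "unknown", "scheme": None, "host": target, "port": None}

def parse_denials(log_text):
    """Return one record per 'client denied' proxy line, in log order."""
    records = []
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            records.append({"when": m["when"], "client": m["client"],
                            "target": m["target"], **classify(m["target"])})
    return records

def summarize(records):
    """Count denials per (form, host, port) so scheme-less targets stand out."""
    return Counter((r["form"], r["host"], r["port"]) for r in records)

if __name__ == "__main__":
    counts = summarize(parse_denials(SAMPLE_LOG))
    for (form, host, port), n in sorted(counts.items(), key=str):
        print(f"{n:3d}  {form:9s}  {host}:{port}")
```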