Proxy Interaction with Websec

Problem Statement

Many ISPs run inline web proxy servers which are invisible to the user. They intercept any HTTP or HTTPS requests from the user's web browser, go and retrieve the page themselves, and then hand it back to the user.

The implementation of some of these inline proxies can cause problems with Penn's Websec module for web authentication. In particular, we are aware that AOL users are unable to view HTTP pages authenticated by Websec or HTPAS. For a technical description of the problem, see

Other ISPs may have inline proxy implementations which would also break with Websec and HTPAS, even if they do not implement the separate HTTP and HTTPS proxies as AOL does. In particular, any implementation where the IP address of the requesting host varies may trigger the problem.

Statement of Direction

It is clear that the different technical approaches have caused significant problems for users who have chosen these ISPs and need to see authenticated content on Penn web servers.

ISC Networking & Telecommunications already has plans to replace the Websec package in the future. The new implementation should address these problems.

Interim Solutions

  • AOL users have reported that using another browser, such as Internet Explorer, rather than the AOL-supplied browser has allowed them to authenticate successfully.
  • Providers of authenticated content can eliminate the problem for AOL users specifically by offering the content from an HTTPS server instead of an HTTP server or by not enforcing IP address checking. More information on turning off IP address checking while using the Apache/Websec module is available.
  • A user having this problem can consider connecting via another ISP, one that does not implement inline proxies in a manner incompatible with Websec.
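
The failure described under Problem Statement, and the effect of turning off IP address checking, can be seen in a small model of an IP-bound authentication token. This is an added example, not Websec or HTPAS code: the token format, the key, the function names and the addresses are all constructed for illustration, and it assumes the login request and later page requests reach the server from different proxy addresses.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed key, illustration only


def issue_token(user: str, client_ip: str, bind_ip: bool = True) -> str:
    """Sign user plus the address seen at login ("*" when binding is off)."""
    bound = client_ip if bind_ip else "*"
    payload = f"{user}|{bound}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, request_ip: str) -> bool:
    """Valid only if the signature checks out and the bound address matches."""
    try:
        user, bound, mac = token.split("|")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{user}|{bound}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    # With binding off, the token is accepted from any address, so a copied
    # token is no longer tied to the host that logged in.
    return bound == "*" or bound == request_ip


def simulate(login_ip: str, request_ips: list, bind_ip: bool = True) -> list:
    """Log in from login_ip, then present the token from each request_ip."""
    token = issue_token("alice", login_ip, bind_ip)
    return [verify_token(token, ip) for ip in request_ips]


# Constructed addresses from the documentation ranges.
DIRECT = ["198.51.100.7", "198.51.100.7", "198.51.100.7"]
PROXY_FARM = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

if __name__ == "__main__":
    print("direct user      :", simulate(DIRECT[0], DIRECT))
    print("proxied, IP check:", simulate(PROXY_FARM[0], PROXY_FARM))
    print("proxied, no check:", simulate(PROXY_FARM[0], PROXY_FARM, bind_ip=False))
```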

