When npm clients send requests to the remote server ( ie. the registry URL ) it needlessly encodes slashs as %2f. Sonatype has filed an npm issue about this because it seems improper that npm client url encodes forward slashes: https://github.com/npm/npm/issues/16380
Other clients ( not npm ) may also send URLs with encoded slashes.
Unfortunately this encoding of slashes conflicts with the default settings of Apache httpd which by default DOES NOT ALLOW THEM and WILL RETURN a 404 response.
With the default value, Off, such URLs are refused with a 404 (Not found) error.
However, if you are running Apache httpd 2.0.52 to 2.2.8 and you set:
Then you will trigger a bug that incorrectly decodes encoded slashes when they should not be:
The workaround to allow encoded slashes through Apache httpd involves 2 settings:
The ProxyPass directive may also need nocanon option. From https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass :
Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this and passes the URL path "raw" to the backend. Note that this keyword may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.
Basically Sonatype server products do not rely on Apache httpd to filter out suspect URLs containing path info with encoded values, so it is OK and sometimes required to let these through to the backend servers.
Additional Reference: http://stackoverflow.com/a/9933890/235000