Thanks for the suggestions, but unfortunately neither will work. Both would (presumably) work for a forward proxy, but not for a reverse proxy.
A forward proxy is used for traffic FROM a private network TO the public Internet. "Do not proxy" means that certain sites are internal and should stay within the private network.
A reverse proxy is basically the reverse; it is used for traffic FROM the public Internet TO the private network - very similar to how you would punch holes into a firewall, except quite a bit more elaborate. In addition, a reverse proxy can analyze the URL and, based on the directory part of the URL, send the request to one of several internal servers. So "Do not proxy" is meaningless here; it would just mean "don't let traffic reach the open-audit server at all".
Similarly, a separate DNS A record breaks because there is not ONE server behind the proxy (it also breaks for various other reasons).
In my setup, I have several servers behind an external front-end server (the reverse proxy). The reverse proxy is facing the Internet.
If you visit
http://myreverseproxy.mysite.com/openaudit, the reverse proxy will figure out (based on the directory /openaudit) that it needs to send the HTTP request on to
http://openauditserver.mysite.local/openaudit.
If you visit
http://myreverseproxy.mysite.com/webmail, the reverse proxy will figure out that it needs to send the HTTP request on to
http://mailserver.mysite.local/webmail . And so on.
Theoretically, one could also create a similar reverse proxy to make
http://www.mysite.com send all traffic to, say,
http://www.cnn.com. That would obviously be pretty nefarious
Reverse proxying is used frequently in larger sites for load balancing, to organize the sites, for better security (the actual Web servers don't have to be exposed on the Internet at all), but it is also notoriously tricky. The reverse proxy needs to rewrite every single occurrence of a URL, all links, etc. Sites, conversely, should be written reverse-proxy-friendly. That is, URLs need to be structured in a way that the reverse proxy can actually find and replace it. That's where the %host_url% apparently breaks down; I'm not sure (yet) why the reverse proxy doesn't find it.
I'm not sure if the issue *can* be solved automatically by open-audit alone, but it would be nice if the URL could be made "visible" to the reverse proxy. I'll have to do further research before I can say what it would take to do that.