RE: [squid-users] Logging failed authentication requests

From: Mellem, Dan <Dan.Mellem_at_pomona.k12.ca.us>
Date: Wed, 07 Apr 2010 22:48:52 -0700

Hi,

Thanks for your response. Please see below.

>From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>Sent: Wednesday, April 07, 2010 7:33 PM
>On Wed, 07 Apr 2010 19:12:53 -0700, "Mellem, Dan"
>> access.log or to another log. Only successful requests are logged
>> currently. Is there any way to log authentication failures?
>
>They _are_ logged by default.
>Reply status codes 401 and 407 in access.log are failed www-server and
>proxy authentication attempts respectively which were re-challenged.
>Other denials will be logged with other 4xx codes.

I do a:
tail -f access.log | fgrep '<my IP address>'

and only get responses for allowed traffic. I also don't have any 407s
at all in the log.
You said the logging is on by default. Is there a way to turn it off or to
turn on debugging that would show where it's getting dropped?

>> Just in case any of this is helpful, here are a few lines from the
>> config:
>>
>> emulate_httpd_log on
>> auth_param basic program /usr/local/squid/libexec/multi_auth
>> access_log /usr/local/squid/var/logs/access.log
>> acl authenticated proxy_auth REQUIRED
>> (other ACLs)
>> http_access allow no_auth
>> http_access allow no_auth_dst
>> http_access allow no_auth_regex
>> http_access deny wireless
>> http_access allow authenticated
>> http_access deny all
>
>Problem: None of your ACLs involve denial based on auth credentials.
>Therefore bad auth credentials will never be challenged, only the general
>access denied will ever happen.
>So ... non-working credentials may show up in the access.log as a 404/403
>status with NONE/- for the source information.

If I type the wrong password, I get re-prompted for authentication
again. I get the normal:

GET
   407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (wrong password)
   407 Proxy Authentication Required
GET w/Proxy-Authorization: Basic (right password)
   200 OK

I'm not sure what I'd need to specifically deny if authentication fails.
Do you have an example? The Squid faq
http://wiki.squid-cache.org/Features/Authentication suggests something
like:

auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
acl foo proxy_auth REQUIRED
http_access allow foo
http_access deny all

and that's what I have. It also talks about adding a deny with a negated
group if there's some point where they need to change authentication,
but, the way I'm reading the FAQ, it doesn't look like the deny is
usually needed.

Thanks again,
-Dan
Received on Thu Apr 08 2010 - 05:48:49 MDT
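
An added example, not part of the original thread: a Python filter that reads access.log lines in the httpd-style layout that `emulate_httpd_log on` produces and reports clients that receive consecutive 407 replies, the pattern in the wrong-password exchange shown in the message. The regular expression, the `threshold` heuristic, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout (httpd-style): client ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def repeated_407(lines, threshold=2):
    """Return {client: [(time, request), ...]} for each 407 that is at least
    the threshold-th in an unbroken run of 407 replies to that client.

    The first 407 is the normal challenge to a request sent without
    credentials, so only later ones in the run are reported (a heuristic).
    """
    streak = defaultdict(int)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed layout
        client = m.group("client")
        if m.group("status") == "407":
            streak[client] += 1
            if streak[client] >= threshold:
                hits[client].append((m.group("time"), m.group("request")))
        else:
            streak[client] = 0  # any other reply ends the run
    return dict(hits)


# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [07/Apr/2010:22:40:01 -0700] "GET http://example.com/ HTTP/1.1" 407 1820 TCP_DENIED:NONE',
    '192.0.2.10 - - [07/Apr/2010:22:40:05 -0700] "GET http://example.com/ HTTP/1.1" 407 1820 TCP_DENIED:NONE',
    '192.0.2.10 - dan [07/Apr/2010:22:40:11 -0700] "GET http://example.com/ HTTP/1.1" 200 5120 TCP_MISS:DIRECT',
    '192.0.2.20 - - [07/Apr/2010:22:41:00 -0700] "GET http://example.org/ HTTP/1.1" 407 1820 TCP_DENIED:NONE',
    '192.0.2.20 - alice [07/Apr/2010:22:41:02 -0700] "GET http://example.org/ HTTP/1.1" 200 901 TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for client, events in repeated_407(SAMPLE).items():
        for when, request in events:
            print(f"{client} repeated 407 at {when}: {request}")
```

A client that opens several connections before credentials are entered can also produce consecutive 407s, so raise `threshold` if the output is noisy.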
