On Wed, 07 Apr 2010 19:12:53 -0700, "Mellem, Dan" <Dan.Mellem@xxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> We're running Squid version 2.6. In our configuration, some URLs require
> proxy authentication so we use the squid_ldap_auth helper with basic
> auth. Everything works fine.
>
> We would like to log any password failures, including the source IP
> address, to track down password guessers. The failure could be logged to
> access.log or to another log. Only successful requests are logged
> currently. Is there any way to log authentication failures?

They _are_ logged by default.

Reply status codes 401 and 407 in access.log are failed www-server and proxy authentication attempts respectively which were re-challenged. Other denials will be logged with other 4xx codes.

>
> I've been digging through acl.c, authenticate.c, and client_side.c to
> see if there's something in there, but I'm not familiar with the source.
> I could log from the helper but only the username and password are
> available to it.
>
> Just in case any of this is helpful, here are a few lines from the
> config:
>
> emulate_httpd_log on
> auth_param basic program /usr/local/squid/libexec/multi_auth
> access_log /usr/local/squid/var/logs/access.log
> acl authenticated proxy_auth REQUIRED
> (other ACLs)
> http_access allow no_auth
> http_access allow no_auth_dst
> http_access allow no_auth_regex
> http_access deny wireless
> http_access allow authenticated
> http_access deny all
>

Problem: None of your ACLs involve denial based on auth credentials. Therefore bad auth credentials will never be challenged, only the general access denied will ever happen.

So ... non-working credentials may show up in the access.log as a 404/403 status with NONE/- for the source information.

Amos
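
One way to pull the 401/407 replies mentioned above out of access.log and group them by source IP (an added example, not part of the original thread). It assumes the httpd-style common log layout that `emulate_httpd_log on` produces; the function name, the threshold and the sample lines are constructed for illustration. A client's first request without credentials also draws a 407, which is why a threshold is applied.

```python
import re
from collections import Counter

# Assumed httpd-style line layout:
# client ident user [time] "request" status bytes squid_status:hierarchy
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# 401 = origin-server auth challenge, 407 = proxy auth challenge
AUTH_FAILURE_CODES = {"401", "407"}


def auth_failures_by_ip(lines, threshold=3):
    """Return {client_ip: count} for IPs with at least `threshold` 401/407 replies."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip malformed or truncated lines
        if m.group("status") in AUTH_FAILURE_CODES:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2010:19:01:02 -0700] "GET http://example.com/ HTTP/1.1" 407 1790 TCP_DENIED:NONE
192.0.2.10 - alice [07/Apr/2010:19:01:03 -0700] "GET http://example.com/ HTTP/1.1" 200 5120 TCP_MISS:DIRECT
198.51.100.7 - - [07/Apr/2010:19:02:10 -0700] "GET http://example.com/ HTTP/1.1" 407 1790 TCP_DENIED:NONE
198.51.100.7 - - [07/Apr/2010:19:02:11 -0700] "GET http://example.com/ HTTP/1.1" 407 1790 TCP_DENIED:NONE
198.51.100.7 - - [07/Apr/2010:19:02:12 -0700] "GET http://example.com/ HTTP/1.1" 407 1790 TCP_DENIED:NONE
198.51.100.7 - - [07/Apr/2010:19:02:13 -0700] "GET http://example.com/ HTTP/1.1" 407 1790 TCP_DENIED:NONE
203.0.113.5 - - [07/Apr/2010:19:03:00 -0700] "GET http://example.org/ HTTP/1.1" 403 1420 TCP_DENIED:NONE
truncated line without the expected fields
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(auth_failures_by_ip(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} auth challenges")
```
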