Hi, Thanks for your response. Please see below. >From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] >Sent: Wednesday, April 07, 2010 7:33 PM >On Wed, 07 Apr 2010 19:12:53 -0700, "Mellem, Dan" >> access.log or to another log. Only successful requests are logged >> currently. Is there any way to log authentication failures? > >They _are_ logged by default. >Reply status codes 401 and 407 in access.log are failed www-server and >proxy authentication attempts respectively which were >re-challenged. Other >denials will be logged with other 4xx codes. I do a: tail -f access.log | fgrep '<my IP address>' and only get responses for allowed traffic. I also don't have any 407s at all in the log. You said the logging is on by default. Is there a way to it off or to turn on debugging that would show where it's getting dropped? >> Just in case any of this is helpful, here are a few lines from the >> config: >> >> emulate_httpd_log on >> auth_param basic program /usr/local/squid/libexec/multi_auth >> access_log /usr/local/squid/var/logs/access.log >> acl authenticated proxy_auth REQUIRED >> (other ACLs) >> http_access allow no_auth >> http_access allow no_auth_dst >> http_access allow no_auth_regex >> http_access deny wireless >> http_access allow authenticated >> http_access deny all > >Problem: None of your ACL involve denial based on auth credentials. >Therefore bad auth credentials will never be challenged, only >the general >access denied will ever happen. >So ... non-working credentials may show up in the access.log >as a 404/403 >status with NONE/- for the source information. If I type the wrong password, I get re-prompted for authentication again. I get the normal: GET 407 Proxy Authentication Required GET w/Proxy-Authorization: Basic (wrong password) 407 Proxy Authentication Required GET w/Proxy-Authorization: Basic (right password) 200 OK I'm not sure what I'd need to specifically deny if authentication fails. Do you have an example? The Squid faq http://wiki.squid-cache.org/Features/Authentication suggests something like: auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd acl foo proxy_auth REQUIRED http_access allow foo http_access deny all and that's what I have. It also talks about adding a deny with a negated group if there's some point where they need to change authentication, but, the way I'm reading the FAQ, it doesn't look like the deny is usually needed. Thanks again, -Dan
