On 17/02/2023 7:29 pm, Andrey K wrote:
Hello,
I would like to disable logging of 407-errors, except when the
username is known.
Is it possible to configure?
Assuming that you have the wrapper script from your previous request
about always logging usernames you should be able to use a note type ACL
like so:
acl knownUser note user
access_log ... on-error=drop http-407 !knownUser
I have now the log configured:
acl http-407 http_status 407
access_log daemon:/var/log/squid/access.log logformat=extended-squid
on-error=drop !http-407
But I would also like to see authentication errors when a user types
the wrong password (the username is known in these cases).
With most HTTP authentication you could rely on all 407 meaning bad or
unknown credentials. But NTLM (ab)uses that code for its handshake
type-2 response, so you one distinguish a failed from an incomplete
authentication.
At this point you are already wrapping and re-writing most of the
NTLM->Squid helper traffic. You could adjust the challenge to also use
the current helper syntax with a custom note to log. But I recommend
just upgrading your systems to Kerberos which will avoid a lot of these
complications entirely.
Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
