[squid-users] Log 407-transactions when username is known

Andrey K ankor2023 at gmail.com
Mon Feb 20 06:24:55 UTC 2023


Hello Amos,

Thank you for your recommendations.
I modified negotiate_wrapper_auth to parse NTLM tokens and to set the user
attribute in AV-pairs,
so now I can configure the desired logging using acl note-type.

But I also have BASIC authentication type users.
Usernames of those users are known to Squid even if they type wrong
passwords, but the user attribute is not set in the note list in such
transactions.
Should I write a new wrapper script for the BASIC authentication to set the
user attribute, or can I check whether the username is known without using a
wrapper?

The general idea is to log wrong authentication attempts to find the
sources if user accounts are blocked in AD.

> But I recommend
> just upgrading your systems to Kerberos which will avoid a lot of
> these complications entirely.
We have many linux-users whose software can't perform Kerberos proxy
authentication, they can just NTLM, or even BASIC (or they can't work
through http-proxy at all, but we configure them to use cntlm or
proxifier). So we cannot refuse NTLM and BASIC proxy-authentications.

Kind regards,
       Ankor.




Fri, 17 Feb 2023 at 23:20, Amos Jeffries <squid3 at treenet.co.nz>:

> On 18/02/2023 7:29 am, Amos Jeffries wrote:
> > On 17/02/2023 7:29 pm, Andrey K wrote:
> >> Hello,
> >>
> >> I would like to disable logging of 407-errors, except when the
> >> username is known.
> >> Is it possible to configure?
> >
> > Assuming that you have the wrapper script from your previous request
> > about always logging usernames you should be able to use a note type
> > ACL like so:
> >
> >  acl knownUser note user
> >  access_log ... on-error=drop http-407 !knownUser
> >
> >
> >>
> >> I have now the log configured:
> >> acl http-407 http_status 407
> >> access_log daemon:/var/log/squid/access.log logformat=extended-squid
> >> on-error=drop !http-407
> >>
> >> But I would also like to see authentication errors when a user types
> >> the wrong password (the username is known in these cases).
> >>
> >
> > With most HTTP authentication you could rely on all 407 meaning bad or
> > unknown credentials. But NTLM (ab)uses that code for its handshake
> > type-2 response, so you one distinguish a failed from an incomplete
> > authentication.
>
> That was meant to say "so one cannot distinguish a failed from an
> incomplete authentication."
>
>
> >
> > At this point you are already wrapping and re-writing most of the
> > NTLM->Squid helper traffic. You could adjust the challenge to also use
> > the current helper syntax with a custom note to log. But I recommend
> > just upgrading your systems to Kerberos which will avoid a lot of
> > these complications entirely.
> >
> > Cheers
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
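The logging rule discussed in the thread, written out as an added example; this is not Amos's or Andrey's configuration. It assumes the auth wrapper annotates every transaction in which it learned the username with a note named "user" (as Andrey describes doing for NTLM), and it reuses the thread's own ACL and logformat names (extended-squid is assumed to be defined elsewhere in squid.conf).

```conf
# Added example configuration, not from the original post.
acl http-407 http_status 407
# Matches any transaction that carries a "user" annotation, whatever its value.
acl knownUser note user

# The ACLs on a single access_log line are ANDed. The rule we want is an OR
# ("not a 407, or a 407 whose username is known"), so express it with any-of;
# member ACLs may be negated with "!" inside any-of/all-of.
acl logWanted any-of !http-407 knownUser

access_log daemon:/var/log/squid/access.log logformat=extended-squid on-error=drop logWanted
```

With this in place, an NTLM type-2 handshake 407 (no username yet) is dropped, while a 407 returned after a helper ERR for a known username is logged together with the client address, which is the data needed to trace the source of AD lockouts.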


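One answer to the question about BASIC users is a thin wrapper around the real Basic helper that appends a user=... kv-pair to every OK or ERR answer, so the same "acl knownUser note user" matches wrong-password attempts. This is an added example, not code from Squid or from anyone in the thread. It assumes (a) Squid stores kv-pairs returned by a Basic helper as transaction annotations on ERR answers as well as OK answers, as Andrey's NTLM wrapper relies on, (b) the helper runs with concurrency=1, so no channel-ID prefix is present, and (c) the real helper path passed on the command line (basic_ldap_auth in the usage note) is whatever the site already uses.

```python
#!/usr/bin/env python3
"""Added example: wrap a Squid Basic-auth helper so that the username is
re-emitted as a 'user=' annotation on OK and ERR replies.

Assumptions (not verified against the thread): Squid keeps helper kv-pairs
as notes for ERR answers too, and the helper runs with concurrency=1.
"""
import subprocess
import sys
from urllib.parse import quote, unquote


def parse_request(line):
    """Split a Basic helper request line 'username password' into decoded
    (username, password). Squid %-encodes both fields (rfc1738 style)."""
    parts = line.rstrip("\n").split(" ", 1)
    user = unquote(parts[0])
    password = unquote(parts[1]) if len(parts) > 1 else ""
    return user, password


def annotate_reply(request_line, helper_reply):
    """Return the real helper's reply, adding 'user=<name>' when the reply is
    OK or ERR and carries no user= pair already. BH (helper failure) is
    forwarded untouched so a broken backend is not logged as a known user."""
    user, _ = parse_request(request_line)
    reply = helper_reply.rstrip("\n")
    tokens = reply.split(" ")
    status = tokens[0] if tokens else ""
    if status not in ("OK", "ERR") or not user:
        return reply
    if any(t.startswith("user=") for t in tokens[1:]):
        return reply
    # %-encode the value so spaces or quotes in a username cannot break the
    # space-separated kv-pair list Squid parses.
    return "{} user={}".format(reply, quote(user, safe=""))


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: basic_note_wrapper.py <real_helper> [args...]\n")
        return 2
    # Line-buffered pipes: one request line in, one reply line out.
    helper = subprocess.Popen(argv[1:], stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for request in sys.stdin:
        helper.stdin.write(request)
        helper.stdin.flush()
        reply = helper.stdout.readline()
        if not reply:
            # Backend died: report a helper failure, never a credential result.
            sys.stdout.write("BH message=backend_helper_exited\n")
            sys.stdout.flush()
            return 1
        sys.stdout.write(annotate_reply(request, reply) + "\n")
        sys.stdout.flush()
    helper.stdin.close()
    return helper.wait()


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage in squid.conf (hypothetical paths): `auth_param basic program /usr/local/bin/basic_note_wrapper.py /usr/lib/squid/basic_ldap_auth -b "dc=example,dc=com" ...` with `auth_param basic children 5 startup=1 idle=1` and no concurrency option. Test it by hand first: feed `bob wrongpass` on stdin and confirm the wrapper prints the backend's `ERR ...` line with ` user=bob` appended.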