RE: [squid-users] Logging only authentications

From: Korell, Doug <DKorell@dont-contact.us>
Date: Thu, 29 Mar 2007 09:18:38 -0700

This gets me close but I do need to somehow log the IP. I tried to
figure out a pattern in the access.log that would allow me to grab only
407 status codes and then the next log entry for the IP address if
successful (most have been 200) but as this thing gets hit, not sure how
well that would work since all entries will be mixed up. I'm sure some
creative programming can overcome this.

I was trying to find detailed information on helpers and wrappers and I
can't find a thing. Is there a tutorial for this that explains, for
example, what you did below?
 

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Monday, March 26, 2007 2:10 AM
To: Korell, Doug
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Logging only authentications

Wed 2007-03-21 at 16:31 -0700, Korell, Doug wrote:
> I am using Squid for one purpose only, to force PC's with generic
> Windows logins to authenticate using AD credentials when accessing the
> Internet. I have Squid configured and it's working fine, except the
> access.log of course logs all website hits (which we also have
> Websense doing). At first I didn't think this would be a big deal but
> in testing, if I hit just the mainpage for a site like cnn.com, it
> logs 150 entries.

Hmm.. thinking. HTTP is stateless so there is not really a "login" only
"this request was authorized". But I suppose it should be possible to
rate-limit the access log somehow.

At first I thought maybe this can be done with the session helper, which
can be used in many other such situations. However, the access.log acls
are "fast" and do not support external lookups such as helpers, so I
guess something needs to be coded to support this.
 
> So, is there some way I can log only LDAP authentications and if they
> were successful or unsuccessful?

You can do this in the auth helper interface, but unfortunately it will
only tell you the login name and timestamp, not from which station or
any other details.

Most easily done as a wrapper around the actual auth helper.

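#!/usr/bin/perl
# Wrapper around a Squid basic auth helper: relays each request to the
# real helper and logs "<epoch> <login> <answer>". Passwords are not logged.
use strict;
use IPC::Open2;
use IO::Handle;
$| = 1;                          # unbuffered STDOUT, Squid waits for each answer
my ($in, $out, $logfile);
my $logfilename = shift @ARGV;
open($logfile, '>>', $logfilename) || die "cannot open $logfilename: $!";
$logfile->autoflush(1);          # STDOUT stays the default output handle
open2($out, $in, @ARGV);         # start the real helper; open2 dies on failure
while (<STDIN>) {
  my ($login, $password) = split;
  print $in $_;
  my $ans = <$out>;
  last unless defined $ans;      # real helper exited
  print $logfile time() . " $login $ans";   # $ans already ends in a newline
  print STDOUT $ans;             # hand the helper's answer back to Squid
}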

Used in front of the auth helper in squid.conf together with a log file
name.

auth_param basic program /usr/local/squid/libexec/logauth.pl /usr/local/squid/var/logs/auth.log /usr/local/squid/libexec/squid_ldap_auth -b ...

Regards
Henrik

Received on Thu Mar 29 2007 - 10:18:45 MDT
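
Added example, not part of the original thread: one way to do the access.log correlation Doug describes, reducing the log to one line per client IP, user and result instead of one per request. It assumes Squid's native access.log format with the user name in the eighth field, and that a 407 carrying a user name means rejected credentials; the function name, the one-hour window and the sample lines are constructed for illustration.

```python
import re

# Native format: time elapsed client action/status bytes method URL user hier/peer type
LINE = re.compile(
    r'^(\d+)(?:\.\d+)?\s+-?\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+\S+\s+\S+\s+(\S+)\s')

def auth_events(lines, window=3600):
    """Return (epoch, client_ip, user, 'OK'|'FAIL') tuples, at most one per
    (ip, user, result) within `window` seconds of the last one reported."""
    last_emit = {}          # (ip, user, result) -> epoch of last reported event
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue        # not a native-format line
        ts, ip, _action, status, user = m.groups()
        ts = int(ts)
        if user == '-':
            continue        # no credentials sent, e.g. the initial 407 challenge
        result = 'FAIL' if status == '407' else 'OK'
        key = (ip, user, result)
        if key in last_emit and ts - last_emit[key] < window:
            continue        # same station and user already reported recently
        last_emit[key] = ts
        events.append((ts, ip, user, result))
    return events

# Constructed sample: challenge, bad password, success, page objects,
# a second station, then the first station again more than an hour later.
SAMPLE = """\
1175185118.120      3 192.0.2.10 TCP_DENIED/407 1790 GET http://www.example.com/ - NONE/- text/html
1175185121.480      5 192.0.2.10 TCP_DENIED/407 1802 GET http://www.example.com/ jdoe NONE/- text/html
1175185125.900    212 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/ jdoe DIRECT/192.0.2.80 text/html
1175185126.010     40 192.0.2.10 TCP_MISS/200 812 GET http://www.example.com/a.gif jdoe DIRECT/192.0.2.80 image/gif
1175185130.300    150 192.0.2.11 TCP_MISS/200 900 GET http://www.example.com/ asmith DIRECT/192.0.2.80 text/html
1175188800.000     90 192.0.2.10 TCP_MISS/200 700 GET http://www.example.com/ jdoe DIRECT/192.0.2.80 text/html
"""

if __name__ == "__main__":
    for ts, ip, user, result in auth_events(SAMPLE.splitlines()):
        print(ts, ip, user, result)
```

Because entries are keyed by client IP and user, interleaved requests from other stations do not disturb the result.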

This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:02 MDT