caddy: caddy not logging basic authentication failures

Relates to #2402, which was implemented Feb 2019 pre-v2.

When using basicauth to authenticate, it would be nice to use fail2ban to detect multiple failed login attempts and ban IP addresses. This is difficult with the current logging since every basic authentication attempt starts with a 401, and thus banning on this results in many false positives.

See #2402 for further details and reasoning.
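
The false-positive problem described in this issue, as an added example that is not part of the issue or of Caddy's code: a filter that counts a 401 as a failed login only when the request actually carried an Authorization header, so the initial challenge is ignored. The JSON field names (`ts`, `status`, `request.remote_ip`, `request.headers`), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

def _line(ts, ip, status, with_auth):
    # Builds one constructed log line; the field names are assumptions.
    headers = {"Authorization": ["REDACTED"]} if with_auth else {}
    return json.dumps({"ts": ts, "status": status,
                       "request": {"remote_ip": ip, "headers": headers}})

# Constructed sample: .20 is a normal user (challenge, then success, three times);
# .7 sends three wrong passwords in a minute; .9 fails three times over an hour.
SAMPLE = (
    [_line(t, "198.51.100.20", s, a) for t in (0, 100, 200)
     for s, a in ((401, False), (200, True))]
    + [_line(t, "203.0.113.7", 401, True) for t in (10, 30, 50)]
    + [_line(t, "192.0.2.9", 401, True) for t in (0, 1800, 3600)]
)

def failed_auth_events(lines, require_credentials=True):
    """Yield (ts, ip) for each 401; by default only if credentials were sent."""
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if not isinstance(entry, dict) or entry.get("status") != 401:
            continue
        req = entry.get("request", {})
        names = {name.lower() for name in req.get("headers", {})}
        if require_credentials and "authorization" not in names:
            continue  # bare challenge: the client has not tried a password yet
        yield float(entry.get("ts", 0)), req.get("remote_ip", "unknown")

def ips_to_ban(lines, max_retry=3, find_time=600, require_credentials=True):
    """Return IPs with max_retry failures inside any find_time-second window."""
    by_ip = defaultdict(list)
    for ts, ip in failed_auth_events(lines, require_credentials):
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - max_retry + 1):
            if stamps[i + max_retry - 1] - stamps[i] <= find_time:
                banned.add(ip)
                break
    return banned
```

Calling `ips_to_ban(SAMPLE, require_credentials=False)` reproduces the behaviour the issue complains about: the normal user at 198.51.100.20 is banned purely for receiving challenges.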

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 26 (13 by maintainers)

Most upvoted comments

Technically you don’t know the identity, because they haven’t successfully authenticated. You have a username, but that’s not enough to say that you know who it is. 401 is definitely the correct status code to return on a failed authentication.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

This status is similar to 403, but in this case, authentication is possible.