ENH/DOC: more realm mismatch errors. Documented filter design criteria

pull/287/head
Daniel Black 2013-07-12 07:39:18 +10:00
parent bf54db7ce7
commit 975999591f
1 changed files with 21 additions and 11 deletions

View File

@ -12,27 +12,37 @@ before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (1st 3)
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c (2nd 3)
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_digest.c (next 4)
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# As an unauthorized response is the first step for a browser to instigate authentication
# so don't set max retry too low.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
failregex = ^%(_apache_error_client)s user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s user .* not found: \S*\s*$
^%(_apache_error_client)s client used wrong authentication scheme: \S*\s*$
^%(_apache_error_client)s authorization failure \(no authenticated user\): \S*\s*$
^%(_apache_error_client)s client denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s user .* authorization failure for "\S*": \S*\s*$
^%(_apache_error_client)s user .* authorization failure: \S*\s*$
^%(_apache_error_client)s user .* authorization failure for "\S*": \s*$
^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
^%(_apache_error_client)s user `.*' in realm `.+' (not found|denied by provider): \S*\s*"$
^%(_apache_error_client)s user .* password mismatch: \S*\s*"$
^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
# Option: ignoreregex