diff --git a/auth.go b/auth.go
index d9cb6fc..b88721d 100644
--- a/auth.go
+++ b/auth.go
@@ -23,7 +23,7 @@ const AUTH_TRIGGERED_MSG = "Browser auth triggered!\n"
 const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
 
 type Auth interface {
- Validate(wr http.ResponseWriter, req *http.Request) bool
+ Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
 Stop()
 }
 
@@ -191,29 +191,29 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
 }
 }
 
-func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
+func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
 hdr := req.Header.Get("Proxy-Authorization")
 if hdr == "" {
 requireBasicAuth(wr, req, auth.hiddenDomain)
- return false
+ return "", false
 }
 hdr_parts := strings.SplitN(hdr, " ", 2)
 if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
 requireBasicAuth(wr, req, auth.hiddenDomain)
- return false
+ return "", false
 }
 
 token := hdr_parts[1]
 data, err := base64.StdEncoding.DecodeString(token)
 if err != nil {
 requireBasicAuth(wr, req, auth.hiddenDomain)
- return false
+ return "", false
 }
 
 pair := strings.SplitN(string(data), ":", 2)
 if len(pair) != 2 {
 requireBasicAuth(wr, req, auth.hiddenDomain)
- return false
+ return "", false
 }
 
 login := pair[0]
@@ -233,13 +233,13 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
 wr.Header()["Date"] = nil
 wr.WriteHeader(http.StatusOK)
 wr.Write([]byte(AUTH_TRIGGERED_MSG))
- return false
+ return "", false
 } else {
- return true
+ return login, true
 }
 }
 requireBasicAuth(wr, req, auth.hiddenDomain)
- return false
+ return "", false
 }
 
 func (auth *BasicAuth) Stop() {
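Review bot: The new string result of `Validate` is undocumented on the interface, so an implementer cannot tell what to return or whether a caller may rely on it beyond logging. The other hunks show it is the authenticated identity: `BasicAuth` returns the login, `CertAuth` the leaf certificate subject, and `NoAuth` an empty string. I would add above the method: `// Validate reports whether req is authorized, writing the rejection response itself when it is not. The string is the authenticated identity (login or certificate subject) intended for logging; it is empty on rejection and for NoAuth.`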
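Review bot: Every rejection path in this hunk repeats `requireBasicAuth(wr, req, auth.hiddenDomain)` followed by `return "", false`, and the commit touches each of them just to widen the return, which is how the pattern keeps spreading. A small helper, `func (auth *BasicAuth) reject(wr http.ResponseWriter, req *http.Request) (string, bool) { requireBasicAuth(wr, req, auth.hiddenDomain); return "", false }`, would reduce each site to `return auth.reject(wr, req)` and keep the challenge and the denial in one place. The same applies to the two rejection returns in the next hunk. Validate's body continues past the end of this hunk.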
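Review bot: On the final rejection path here (`requireBasicAuth` followed by `return "", false` after the credential comparison) the attempted login is dropped, so the handler's new per-request log records failed Basic-auth attempts with an empty username and cannot attribute them to an account, which is the signal a brute-force or credential-stuffing detection would want. If that attribution is desired, `return login, false` on that one path keeps the identity while still denying the request; since the value is client-supplied, the caller's `%q` formatting is what keeps it log-safe, and the trade-off is that a password mistakenly typed into the username field would then reach the log. Separately, the `} else {` after `return "", false` can be flattened now that both branches return. The enclosing comparison `if` starts before this hunk.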
@@ -250,20 +250,20 @@ func (auth *BasicAuth) Stop() {
 
 type NoAuth struct{}
 
-func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
- return true
+func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+ return "", true
 }
 
 func (_ NoAuth) Stop() {}
 
 type CertAuth struct{}
 
-func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
- if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {
+func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+ if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
 http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
- return false
+ return "", false
 } else {
- return true
+ return req.TLS.VerifiedChains[0][0].Subject.String(), true
 }
 }
 
diff --git a/handler.go b/handler.go
index eb3fcaf..62ab0c5 100644
--- a/handler.go
+++ b/handler.go
@@ -106,8 +106,6 @@ func (s *ProxyHandler) isLoopback(req *http.Request) (string, bool) {
 }
 
 func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
- s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL)
-
 if originator, isLoopback := s.isLoopback(req); isLoopback {
 s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
 "address for another request from %s", req.RemoteAddr, originator)
@@ -121,7 +119,11 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 return
 }
- if !s.auth.Validate(wr, req) {
+
+ username, ok := s.auth.Validate(wr, req)
+ s.logger.Info("Request: %v %q %v %v %v", req.RemoteAddr, username, req.Proto, req.Method, req.URL)
+
+ if !ok {
 return
 }
 delHopHeaders(req.Header)
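Review bot: `CertAuth.Validate` now reports the client as `Subject.String()`, a rendering of the whole subject DN rather than a single stable attribute; that is adequate for the log line it feeds, but if the value is ever consulted for authorization, DN string formatting is not a canonical comparison key, and a field such as `Subject.CommonName` would be less ambiguous. A comment at the return, `// identity for logging: full subject DN of the leaf certificate`, would make the intended use explicit. The added `len(req.TLS.VerifiedChains[0]) < 1` guard is what makes the `[0][0]` index safe, which is worth keeping in mind if the condition is later restructured. The `else` after the `http.Error` return could be dropped in favor of a plain guard clause.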
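Review bot: The relocated `s.logger.Info` call runs after `Validate` but before `ok` is examined, so a request rejected by the authenticator and a request accepted under `NoAuth` produce the same entry with username `""`, and nothing in the log says the request was denied. Including the outcome in the same line, e.g. `s.logger.Info("Request: %v %q %v %v %v authorized=%v", req.RemoteAddr, username, req.Proto, req.Method, req.URL, ok)`, keeps one entry per request while making rejections visible. Moving the log also means the `http.Error(wr, BAD_REQ_MSG, ...)` return immediately above it no longer emits a `Request:` entry for the requests it rejects, since the log line removed in the previous hunk used to cover that path (the loopback branch there still has its own Critical log). ServeHTTP continues past the end of this hunk.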