[squid-users] Re: Unable to match empty user-agent strings? from James Cohen on 2008-10-20 (squid-users)

From: James Cohen <james_at_hotwhale.com>
Date: Mon, 20 Oct 2008 12:19:08 +0100

After some further testing and looking closely at the request headers
it turns out that this is failing because the User-Agent header field
isn't present (rather than it being present but empty).

Here's my workaround/solution which seems to work nicely.

acl image_leechers browser ^$
acl image_leechers browser Wget

acl has_user_agent browser ^.+$

http_access deny !has_user_agent
http_access deny image_leechers

I promise not to make a habit of just conversing with myself on this list...

2008/10/20 James Cohen <james_at_hotwhale.com>:
> Hi,
>
> I think I've found a bug but first wanted to double-check I wasn't
> doing anything dumb.
>
> In our reverse proxy setup we want to block people from "leeching" the
> images using Wget or similar applications. To do this we want to block
> user agents that match "Wget" and because lots of people use CURL or
> their own home-brew clients anything with an empty user agent string.
>
> I added the following acl rule:
>
> # Block automated processes from requesting our images
> acl image_leechers browser ^$
> acl image_leechers browser Wget
>
> and later on...
>
> http_access deny image_leechers
>
> Requests that contain Wget are being blocked exactly as expected by
> the proxy. Empty requests are still going through to the parent
> server:
>
>
> Request with Wget in the user agent request headers (correct behaviour)
>
> $ wget -S http://images.xxx.com/preview/1134/35121981.jpg
> --11:29:45-- http://images.xxx.com/preview/1134/35121981.jpg
> => `35121981.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Server: squid/3.0.STABLE9
> Mime-Version: 1.0
> Date: Mon, 20 Oct 2008 10:29:45 GMT
> Content-Type: text/html
> Content-Length: 1653
> Expires: Mon, 20 Oct 2008 10:29:45 GMT
> X-Squid-Error: ERR_ACCESS_DENIED 0
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:29:45 ERROR 403: Forbidden.
>
> And a similar request with an empty user agent string (incorrect - the
> request is being passed back to the parent where it returns a 403)
>
> $ wget -U "" -S http://images.xxx.com/preview/1134/james.jpg
> --11:30:09-- http://images.xxx.com/preview/1134/james.jpg
> => `james.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Content-Type: text/html
> Content-Length: 345
> Date: Mon, 20 Oct 2008 10:30:09 GMT
> Server: lighttpd/1.4.20
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:30:09 ERROR 403: Forbidden.
>
>
> Thanks,
>
> James
>
Received on Mon Oct 20 2008 - 11:19:15 MDT

This archive was generated by hypermail 2.2.0 : Mon Oct 20 2008 - 12:00:04 MDT