James Cohen wrote:
> Hi,
>
> I think I've found a bug but first wanted to double-check I wasn't
> doing anything dumb.
>
> In our reverse proxy setup we want to block people from "leeching" the
> images using Wget or similar applications. To do this we want to block
> user agents that match "Wget" and because lots of people use CURL or
> their own home-brew clients anything with an empty user agent string.
>
> I added the following acl rule:
>
> # Block automated processes from requesting our images
> acl image_leechers browser ^$
> acl image_leechers browser Wget
>
> and later on...
>
> http_access deny image_leechers
>
> Requests that contain Wget are being blocked exactly as expected by
> the proxy. Empty requests are still going through to the parent
> server:
It's not so much an empty string. As a completely missing header.
Squid can only test what it has against what it checks. If you get my
meaning.
I haven't tested it, but you might have better luck if you invert the
test to allow access to okay agents and deny the rest.
All they have to do is send -U "fu" and they get past the wget blocker.
Not to mention the real browser UA are commonly known and often
recommended for script kiddies to spoof the IE agent to get past site
barriers and brokenness in one action.
Amos
>
> Request with Wget in the user agent request headers (correct behaviour)
>
> $ wget -S http://images.xxx.com/preview/1134/35121981.jpg
> --11:29:45-- http://images.xxx.com/preview/1134/35121981.jpg
> => `35121981.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Server: squid/3.0.STABLE9
> Mime-Version: 1.0
> Date: Mon, 20 Oct 2008 10:29:45 GMT
> Content-Type: text/html
> Content-Length: 1653
> Expires: Mon, 20 Oct 2008 10:29:45 GMT
> X-Squid-Error: ERR_ACCESS_DENIED 0
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:29:45 ERROR 403: Forbidden.
>
> And a similar request with an empty user agent string (incorrect - the
> request is being passed back to the parent where it returns a 403)
>
> $ wget -U "" -S http://images.xxx.com/preview/1134/james.jpg
> --11:30:09-- http://images.xxx.com/preview/1134/james.jpg
> => `james.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Content-Type: text/html
> Content-Length: 345
> Date: Mon, 20 Oct 2008 10:30:09 GMT
> Server: lighttpd/1.4.20
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:30:09 ERROR 403: Forbidden.
>
>
> Thanks,
>
> James
-- Please use Squid 2.7.STABLE4 or 3.0.STABLE9Received on Mon Oct 20 2008 - 11:53:40 MDT
This archive was generated by hypermail 2.2.0 : Mon Oct 20 2008 - 12:00:04 MDT