After some further testing and looking closely at the request headers
it turns out that this is failing because the User-Agent header field
isn't present (rather than it being present but empty).

Here's my workaround/solution which seems to work nicely.

acl image_leechers browser ^$
acl image_leechers browser Wget
acl has_user_agent browser ^.+$

http_access deny !has_user_agent
http_access deny image_leechers

I promise not to make a habit of just conversing with myself on this list...

2008/10/20 James Cohen <james@xxxxxxxxxxxx>:
> Hi,
>
> I think I've found a bug but first wanted to double-check I wasn't
> doing anything dumb.
>
> In our reverse proxy setup we want to block people from "leeching" the
> images using Wget or similar applications. To do this we want to block
> user agents that match "Wget" and because lots of people use CURL or
> their own home-brew clients anything with an empty user agent string.
>
> I added the following acl rule:
>
> # Block automated processes from requesting our images
> acl image_leechers browser ^$
> acl image_leechers browser Wget
>
> and later on...
>
> http_access deny image_leechers
>
> Requests that contain Wget are being blocked exactly as expected by
> the proxy. Empty requests are still going through to the parent
> server:
>
>
> Request with Wget in the user agent request headers (correct behaviour)
>
> $ wget -S http://images.xxx.com/preview/1134/35121981.jpg
> --11:29:45-- http://images.xxx.com/preview/1134/35121981.jpg
> => `35121981.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Server: squid/3.0.STABLE9
> Mime-Version: 1.0
> Date: Mon, 20 Oct 2008 10:29:45 GMT
> Content-Type: text/html
> Content-Length: 1653
> Expires: Mon, 20 Oct 2008 10:29:45 GMT
> X-Squid-Error: ERR_ACCESS_DENIED 0
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:29:45 ERROR 403: Forbidden.
>
> And a similar request with an empty user agent string (incorrect - the
> request is being passed back to the parent where it returns a 403)
>
> $ wget -U "" -S http://images.xxx.com/preview/1134/james.jpg
> --11:30:09-- http://images.xxx.com/preview/1134/james.jpg
> => `james.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Content-Type: text/html
> Content-Length: 345
> Date: Mon, 20 Oct 2008 10:30:09 GMT
> Server: lighttpd/1.4.20
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:30:09 ERROR 403: Forbidden.
>
>
> Thanks,
>
> James
>
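
Added example, not part of the thread and not Squid's own code: a small Python model of the two rule sets above, evaluated against four constructed requests, showing why the original rules let a request with no User-Agent header through and why the workaround closes the gap. It assumes the behaviour reported in the post (a browser ACL cannot match when the header is absent) and that, when no http_access rule matches, the decision is the opposite of the last rule; the function names and the sample User-Agent strings are made up for illustration.

```python
import re

ORIGINAL = """
acl image_leechers browser ^$
acl image_leechers browser Wget
http_access deny image_leechers
"""
WORKAROUND = """
acl image_leechers browser ^$
acl image_leechers browser Wget
acl has_user_agent browser ^.+$
http_access deny !has_user_agent
http_access deny image_leechers
"""

def parse(conf):
    """Return (acls, rules): acl name -> regex list, ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if parts[:1] == ["acl"] and parts[2] == "browser":
            acls.setdefault(parts[1], []).append(re.compile(parts[3]))
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, headers):
    """Assumption from the post: no User-Agent header means no browser ACL match."""
    ua = headers.get("User-Agent")
    return ua is not None and any(rx.search(ua) for rx in acls[name])  # values ORed

def decide(conf, headers):
    """First http_access rule whose ACLs all match decides the request."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), headers) != n.startswith("!")
               for n in names):
            return action
    # Assumption: with no matching rule, the default is the opposite of the last rule.
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed requests: Wget default, header absent, header present but empty, a browser.
REQUESTS = {"wget": {"User-Agent": "Wget/1.11.4"}, "absent": {},
            "empty": {"User-Agent": ""}, "browser": {"User-Agent": "Mozilla/5.0"}}

def compare():
    # label -> (decision under ORIGINAL, decision under WORKAROUND)
    return {k: (decide(ORIGINAL, h), decide(WORKAROUND, h)) for k, h in REQUESTS.items()}
```

Only the "absent" case changes between the two rule sets: it is allowed by the original rules and denied by the workaround, while ordinary browser requests stay allowed.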