James Cohen wrote:
> Hi,
> I think I've found a bug but first wanted to double-check I wasn't
> doing anything dumb.
> In our reverse proxy setup we want to block people from "leeching" the
> images using Wget or similar applications. To do this we want to block
> user agents that match "Wget" and because lots of people use CURL or
> their own home-brew clients anything with an empty user agent string.
> I added the following acl rule:
> # Block automated processes from requesting our images
> acl image_leechers browser ^$
> acl image_leechers browser Wget
> and later on...
> http_access deny image_leechers
> Requests that contain Wget are being blocked exactly as expected by
> the proxy. Empty requests are still going through to the parent
> server:

It's not so much an empty string as a completely missing header.
Squid can only test what it has against what it checks. If you get my
meaning.
I haven't tested it, but you might have better luck if you invert the
test to allow access to okay agents and deny the rest.
All they have to do is send -U "fu" and they get past the wget blocker.
Not to mention the real browser UAs are commonly known and often
recommended for script kiddies to spoof the IE agent to get past site
barriers and brokenness in one action.
Amos

> Request with Wget in the user agent request headers (correct behaviour)
> $ wget -S http://images.xxx.com/preview/1134/35121981.jpg
> --11:29:45-- http://images.xxx.com/preview/1134/35121981.jpg
> => `35121981.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Server: squid/3.0.STABLE9
> Mime-Version: 1.0
> Date: Mon, 20 Oct 2008 10:29:45 GMT
> Content-Type: text/html
> Content-Length: 1653
> Expires: Mon, 20 Oct 2008 10:29:45 GMT
> X-Squid-Error: ERR_ACCESS_DENIED 0
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:29:45 ERROR 403: Forbidden.
> And a similar request with an empty user agent string (incorrect - the
> request is being passed back to the parent where it returns a 403)
> $ wget -U "" -S http://images.xxx.com/preview/1134/james.jpg
> --11:30:09-- http://images.xxx.com/preview/1134/james.jpg
> => `james.jpg'
> Resolving images.xxx.com... 62.216.237.30
> Connecting to images.xxx.com|62.216.237.30|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.0 403 Forbidden
> Content-Type: text/html
> Content-Length: 345
> Date: Mon, 20 Oct 2008 10:30:09 GMT
> Server: lighttpd/1.4.20
> X-Cache: MISS from ws2
> Via: 1.0 ws2 (squid/3.0.STABLE9)
> Connection: close
> 11:30:09 ERROR 403: Forbidden.
> Thanks,
> James

--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
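
One form of the inverted test suggested in the reply above, sketched as a squid.conf fragment. This is an added example, not part of the original thread and not tested against the poster's setup; it treats "any request that carries a User-Agent" as the okay set. It assumes a `browser` ACL never matches when the User-Agent header is absent, and the ACL name `has_user_agent` is hypothetical.

```conf
# Added example, not from the thread. has_user_agent is a hypothetical name.

# Attempt quoted in the thread. "^$" can only match a User-Agent header
# that is present and empty. When the header is missing there is nothing
# for the regex to test, so the request never matches and is not denied.
#   acl image_leechers browser ^$

# Inverted presence test: matches only when a User-Agent header exists
# and contains at least one character.
# Assumption: with no User-Agent header, a browser ACL does not match.
acl has_user_agent browser .

# Named automated client, unchanged from the thread.
acl image_leechers browser Wget

# Place both deny lines before any http_access allow rule that would
# otherwise admit the request.
# "!has_user_agent" is true for a missing header as well as an empty one.
http_access deny !has_user_agent
http_access deny image_leechers

# As the reply points out, any non-empty value (for example -U "fu")
# still passes both rules. This filters default client configurations,
# not a client that sets its own User-Agent.
```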