Hi Matthias,
On Sat, Sep 10, 2011 at 10:19:28PM +0200, [email protected] wrote:
> Hi,
>
> I have been using haproxy for my lab servers for a while and I like it.
> But I have seen in my web server logs (IIS) that I get empty User-Agent
> strings on most attempts to access files that do not exist.
> Some examples:
>
> #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
> cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie)
> cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
> time-taken
> 2011-09-09 00:42:30 W3SVC143517500 WEB2 192.168.20.31 GET /muieblackcat - 80
> - 219.94.198.229 HTTP/1.1 - - - www.ifj.se 404 0 1236 0 136 18031
> 2011-09-09 00:42:34 W3SVC143517500 WEB2 192.168.20.31 GET
> /phpMyAdmin-2.6.4-pl3/libraries/dbg/setup.php - 80 - 219.94.198.229 HTTP/1.1
> - - - www.ifj.se 404 0 1236 0 169 21437
> 2011-09-09 00:42:34 W3SVC143517500 WEB2 192.168.20.31 GET
> /old/padmin/libraries/dbg/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 159 20500
> 2011-09-09 00:42:34 W3SVC143517500 WEB2 192.168.20.31 GET
> /xampp/phpmyadmin/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 160 18140
> 2011-09-09 00:42:40 W3SVC143517500 WEB2 192.168.20.31 GET
> /php-my-admin/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 156 19046
> 2011-09-09 00:42:40 W3SVC143517500 WEB2 192.168.20.31 GET
> /typo3/phpmyadmin/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 160 18031
> 2011-09-09 00:42:44 W3SVC143517500 WEB2 192.168.20.31 GET
> /admin/pma/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - - www.ifj.se
> 404 0 1236 0 153 21796
> 2011-09-09 00:42:44 W3SVC143517500 WEB2 192.168.20.31 GET
> /admin/phpmyadmin/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 160 20843
> 2011-09-09 00:42:44 W3SVC143517500 WEB2 192.168.20.31 GET
> /sql/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - - www.ifj.se 404 0
> 1236 0 146 19953
> 2011-09-09 00:42:44 W3SVC143517500 WEB2 192.168.20.31 GET
> /php/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - - www.ifj.se 404 0
> 1236 0 146 19015
> 2011-09-09 00:42:44 W3SVC143517500 WEB2 192.168.20.31 GET
> /PHPMYADMIN/+/scripts/setup.php - 80 - 219.94.198.229 HTTP/1.1 - - -
> www.ifj.se 404 0 1236 0 158 18187
>
> How do I block empty User-Agent strings in haproxy.cfg?
>
> I have tried with the example in the documentation for haproxy:
> # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
> # block all others.
> reqipass ^User-Agent:\.*(Mozilla|MSIE)
> reqitarpit ^User-Agent:
I think it does not work because in fact you don't have an empty User-Agent
but you have no user-agent at all.
Please try this instead:

    reqtarpit ^ if { hdr_cnt(user-agent) eq 0 }

Which means tarpit anything if the number of user-agent headers is null.
Regards,
Willy
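
Added example, not part of the original thread: a small Python check that finds the pattern discussed above (404 responses to requests logged with "-" in cs(User-Agent)) in an IIS W3C log and groups the hits by client. The function names, the `min_hits` threshold and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the IIS W3C layout quoted in the thread
# (host name and addresses are documentation placeholders).
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-09-09 00:42:30 W3SVC1 WEB2 192.0.2.31 GET /muieblackcat - 80 - 203.0.113.9 HTTP/1.1 - - - www.example.test 404 0 1236 0 136 18031
2011-09-09 00:42:34 W3SVC1 WEB2 192.0.2.31 GET /admin/pma/scripts/setup.php - 80 - 203.0.113.9 HTTP/1.1 - - - www.example.test 404 0 1236 0 153 21796
2011-09-09 00:42:44 W3SVC1 WEB2 192.0.2.31 GET /sql/scripts/setup.php - 80 - 203.0.113.9 HTTP/1.1 - - - www.example.test 404 0 1236 0 146 19953
2011-09-09 00:43:01 W3SVC1 WEB2 192.0.2.31 GET /missing.html - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - www.example.test 404 0 2 0 210 15
2011-09-09 00:43:05 W3SVC1 WEB2 192.0.2.31 GET /index.html - 80 - 198.51.100.20 HTTP/1.1 - - - www.example.test 200 0 0 5120 140 31
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the layout can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or wrapped lines
                yield dict(zip(fields, values))


def missing_ua_probes(text, min_hits=3):
    """Return {client_ip: [uri, ...]} for clients with >= min_hits 404s and no User-Agent."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        # "-" is how the W3C format records a field that has no value.
        if rec.get("cs(User-Agent)") == "-" and rec.get("sc-status") == "404":
            hits[rec["c-ip"]].append(rec["cs-uri-stem"])
    return {ip: uris for ip, uris in hits.items() if len(uris) >= min_hits}


if __name__ == "__main__":
    for ip, uris in missing_ua_probes(SAMPLE_LOG).items():
        print(ip, len(uris), uris)
```

Log lines must be unwrapped (one request per line) before parsing; lines folded by a mail client fail the field-count check and are skipped.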