reCAPTCHA Not Triggered When User-Agent Header Is Missing

[rsJesse]

Hello,

I'm running OpenLiteSpeed and have reCAPTCHA enabled in the security settings.
CAPTCHA is working as expected for browser requests and for headless clients like curl or wget when a User-Agent header is present (even if it's blank).
However, if I do a raw curl with no User-Agent header at all (e.g. a raw curl with no -A), the full page loads without showing the CAPTCHA challenge page. That's not ideal.

Is this an OpenLiteSpeed limitation, or is there a way to trigger the reCAPTCHA even when the User-Agent header is missing entirely?
Ideally, I'd like to serve the lightweight CAPTCHA challenge before any of my main website's backend logic runs, especially during high traffic or abuse.


Thanks

 

[Cold-Egg]

curl should work too. I just used curl to trigger the reCAPTCHA feature.
Log:

[RECAPTCHA] tries: 3, concurrent conns: 1
bot detected for vhost [Example], reason: FailedCaptchaVerify, close connection!

You could use parameters like --parallel --parallel-max 10 and send it multiple times to trigger it.

 

[rsJesse]

curl should work too. I just used curl to trigger the reCAPTCHA feature.[/CODE]

You could use parameters like --parallel --parallel-max 10 and send it multiple times to trigger it.

Thanks, that worked.

Settings:

OpenLiteSpeed 1.8.2
[RECAPTCHA] type: checkbox, tries: 3, concurrent conns: 1

I had overlooked that a curl would only match the Concurrent Request Limit and not exceed it. Once I started using curl --parallel, I began seeing the CAPTCHA challenge in some of the requests. I assume passing in the user-agent in the curl triggered the CAPTCHA due to how OpenLiteSpeed handles the connection in the background (it doesn't trigger if the concurrent conns is set to 2 with a single curl).

One follow-up question:
If I apply the Concurrent Request Limit to a VHost Template, does that limit apply per individual virtual host member, or is it shared across all vhosts that use the same template?

Thanks in advance.