reCAPTCHA Not Triggered When User-Agent Header Is Missing

#1
Hello,

I'm running OpenLiteSpeed and have reCAPTCHA enabled in the security settings.
CAPTCHA is working as expected for browser requests and for headless clients like curl or wget when a User-Agent header is present (even if it's blank).
However, if I do a raw curl with no User-Agent header at all (e.g. a raw curl with no -A), the full page loads without showing the CAPTCHA challenge page. That's not ideal.

Is this an OpenLiteSpeed limitation, or is there a way to trigger the reCAPTCHA even when the User-Agent header is missing entirely?
Ideally, I'd like to serve the lightweight CAPTCHA challenge before any of my main website's backend logic runs, especially during high traffic or abuse.


Thanks
 

Cold-Egg

Administrator
#2
curl should work too. I just used curl to trigger the reCAPTCHA feature.
Log:
Code:
[RECAPTCHA] tries: 3, concurrent conns: 1
bot detected for vhost [Example], reason: FailedCaptchaVerify, close connection!
You could use parameters like --parallel --parallel-max 10 and send it multiple times to trigger it.
 
#3
curl should work too. I just used curl to trigger the reCAPTCHA feature.

You could use parameters like --parallel --parallel-max 10 and send it multiple times to trigger it.
Thanks, that worked.

Settings:
Code:
OpenLiteSpeed 1.8.2
[RECAPTCHA] type: checkbox, tries: 3, concurrent conns: 1
I had overlooked that a curl would only match the Concurrent Request Limit and not exceed it. Once I started using curl --parallel, I began seeing the CAPTCHA challenge in some of the requests. I assume passing in the user-agent in the curl triggered the CAPTCHA due to how OpenLiteSpeed handles the connection in the background (it doesn't trigger if the concurrent conns is set to 2 with a single curl).

One follow-up question:
If I apply the Concurrent Request Limit to a VHost Template, does that limit apply per individual virtual host member, or is it shared across all vhosts that use the same template?

Thanks in advance.
 