CGI-ACL
view release on metacpan or search on metacpan
#### Output
# Compatible with Return::Set:
{ type => 'object', isa => 'CGI::ACL' }
### MESSAGES
- `Usage: allow_country($country)`
**Severity:** carp (warning).
**Cause:** Called with no argument, with a non-hash/non-array reference, or
without supplying the `country` key.
**Action:** Pass a scalar ISO code or arrayref:
`allow_country('US')` or `allow_country(country => ['GB','US'])`.
## deny\_cloud
Enables blocking of requests that originate from major cloud-hosting
providers. Detection is performed via verified reverse DNS: the client
IP is looked up, the resulting hostname is forward-confirmed to prevent
spoofing, and the confirmed hostname is matched against a list of
provider-specific patterns.
Covered providers (as of this release): AWS EC2, Google Cloud Compute,
Microsoft Azure, DigitalOcean, Linode/Akamai, Hetzner, OVH.
**Important:** `deny_cloud` takes precedence over `allow_ip`. An IP
that is explicitly permitted via `allow_ip()` is still denied if its
reverse DNS resolves to a cloud provider hostname.
### USAGE
use CGI::ACL;
my $acl = CGI::ACL->new()->deny_cloud();
if ($acl->all_denied()) {
print "Cloud-hosted clients are not permitted.\n";
exit;
}
### ARGUMENTS
None.
### RETURNS
The object itself, to allow method chaining.
### SIDE EFFECTS
Sets `$self->{deny_cloud}` to `1`.
### NOTES
IPv4 and IPv6 clients are both subject to the cloud check. A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).
DNS lookups are performed synchronously. On non-Windows platforms a
`$DNS_TIMEOUT`-second alarm is used to prevent indefinite blocking.
### API SPECIFICATION
#### Input
# No parameters accepted.
{}
#### Output
# Compatible with Return::Set:
{ type => 'object', isa => 'CGI::ACL' }
### MESSAGES
This method emits no messages.
## all\_denied
Evaluates every active restriction against the current client and returns
`1` (deny) or `0` (allow).
The evaluation order is:
1. If **no** restrictions are configured at all, return `0` (allow).
2. Validate `REMOTE_ADDR` as a syntactically correct IPv4 or IPv6 address.
If it is missing or malformed, return `1` (deny).
3. If `deny_cloud` is set, perform a verified reverse-DNS lookup. If the
hostname matches a cloud provider, return `1` (deny) immediately,
regardless of `allowed_ips`. If the IP is not a cloud host and no
other restrictions are active, return `0` (allow).
4. If `allowed_ips` is set, check the client address against the exact-match
hash and then the CIDR list. Return `0` (allow) on a match.
5. If country restrictions are set, resolve the client's country via the
`lingua` argument. Apply default-deny or default-allow country logic.
If no lingua is provided, emit a warning and return `1` (deny).
Note that localhost (`127.0.0.1`) is **not** automatically allowed once
any restriction is configured; call `allow_ip('127.0.0.1')` explicitly.
### USAGE
use CGI::Lingua;
use CGI::ACL;
my $acl = CGI::ACL->new()->allow_ip('8.35.80.39');
if ($acl->all_denied()) {
print "You are not allowed to view this site.\n";
exit;
}
# Country check
my $acl2 = CGI::ACL->new()
->deny_country('*')
->allow_country('US');
if ($acl2->all_denied(lingua => CGI::Lingua->new(supported => ['en']))) {
print "US-only site.\n";
( run in 1.080 second using v1.01-cache-2.11-cpan-9581c071862 )