CGI-ACL

 view release on metacpan or  search on metacpan

README.md  view on Meta::CPAN

#### Output

    # Compatible with Return::Set:
    { type => 'object', isa => 'CGI::ACL' }

### MESSAGES

- `Usage: allow_country($country)`

    **Severity:** carp (warning).
    **Cause:** Called with no argument, with a non-hash/non-array reference, or
    without supplying the `country` key.
    **Action:** Pass a scalar ISO code or arrayref:
    `allow_country('US')` or `allow_country(country => ['GB','US'])`.

## deny\_cloud

Enables blocking of requests that originate from major cloud-hosting
providers.  Detection is performed via verified reverse DNS: the client
IP is looked up, the resulting hostname is forward-confirmed to prevent
spoofing, and the confirmed hostname is matched against a list of
provider-specific patterns.

Covered providers (as of this release): AWS EC2, Google Cloud Compute,
Microsoft Azure, DigitalOcean, Linode/Akamai, Hetzner, OVH.

**Important:** `deny_cloud` takes precedence over `allow_ip`.  An IP
that is explicitly permitted via `allow_ip()` is still denied if its
reverse DNS resolves to a cloud provider hostname.

### USAGE

    use CGI::ACL;

    my $acl = CGI::ACL->new()->deny_cloud();

    if ($acl->all_denied()) {
        print "Cloud-hosted clients are not permitted.\n";
        exit;
    }

### ARGUMENTS

None.

### RETURNS

The object itself, to allow method chaining.

### SIDE EFFECTS

Sets `$self->{deny_cloud}` to `1`.

### NOTES

IPv4 and IPv6 clients are both subject to the cloud check.  A client with
no reverse DNS record, or whose forward confirmation fails, is treated as
a non-cloud host and allowed through the cloud check (though it may still
be denied by other rules).

DNS lookups are performed synchronously.  On non-Windows platforms a
`$DNS_TIMEOUT`-second alarm is used to prevent indefinite blocking.

### API SPECIFICATION

#### Input

    # No parameters accepted.
    {}

#### Output

    # Compatible with Return::Set:
    { type => 'object', isa => 'CGI::ACL' }

### MESSAGES

This method emits no messages.

## all\_denied

Evaluates every active restriction against the current client and returns
`1` (deny) or `0` (allow).

The evaluation order is:

1. If **no** restrictions are configured at all, return `0` (allow).
2. Validate `REMOTE_ADDR` as a syntactically correct IPv4 or IPv6 address.
If it is missing or malformed, return `1` (deny).
3. If `deny_cloud` is set, perform a verified reverse-DNS lookup.  If the
hostname matches a cloud provider, return `1` (deny) immediately,
regardless of `allowed_ips`.  If the IP is not a cloud host and no
other restrictions are active, return `0` (allow).
4. If `allowed_ips` is set, check the client address against the exact-match
hash and then the CIDR list.  Return `0` (allow) on a match.
5. If country restrictions are set, resolve the client's country via the
`lingua` argument.  Apply default-deny or default-allow country logic.
If no lingua is provided, emit a warning and return `1` (deny).

Note that localhost (`127.0.0.1`) is **not** automatically allowed once
any restriction is configured; call `allow_ip('127.0.0.1')` explicitly.

### USAGE

    use CGI::Lingua;
    use CGI::ACL;

    my $acl = CGI::ACL->new()->allow_ip('8.35.80.39');

    if ($acl->all_denied()) {
        print "You are not allowed to view this site.\n";
        exit;
    }

    # Country check
    my $acl2 = CGI::ACL->new()
        ->deny_country('*')
        ->allow_country('US');

    if ($acl2->all_denied(lingua => CGI::Lingua->new(supported => ['en']))) {
        print "US-only site.\n";



( run in 1.080 second using v1.01-cache-2.11-cpan-9581c071862 )