usestrict;useApache2::Connection ();useApache2::Module ();useApache2::ServerRec ();useApache::Test;=head1 NAMEMail::SpamAssassin::Spamd::Apache2::AclIP - host-based spamd access control=head1 SYNOPSIS##### in httpd.conf:PerlLoadModule Mail::SpamAssassin::Spamd::Apache2::ConfigSAallow from 127.0.0.1 192.168.0.0/24=head1 DESCRIPTIONAllows / denies access to spamd basing on client's network address.This is a simple version of C<mod_authz_host> (which, unfortunately,is too HTTP-centric to use here).Should be before C<Mail::SpamAssassin::Spamd::Apache2::AclRFC1413>in the handler chain.=head1 NOTEThis module doesn't prevent Apache from accepting a connection; child(and therefore we) get control after client actually sends something.It's possible to open C<$toomany> connections to the parent server andDoS this way.=head1 BUGS=head1 SEE ALSOC<Mail::SpamAssassin::Spamd::Apache2::Config(3)>=cutuseAPR::IpSubnet ();subhandler {my($c) =@_;my$srv_cfg=Apache2::Module::get_config('Mail::SpamAssassin::Spamd::Apache2::Config',$c->base_server);# TODO: log it somewhere (or not?) -- means all deniedreturnApache2::Const::SERVER_ERRORunless$srv_cfg&&exists$srv_cfg->{allowed_ips};# use NetAddr::IP::Lite ();# my $ip = NetAddr::IP::Lite->new($c->remote_ip)# or return Apache2::Const::SERVER_ERROR; # log it, shouldn't happen#use Apache::Test have_min_apache_version to support MP under Apache 2.2 and 2.4my$remote= APACHE24 ?$c->client_addr :$c->remote_addr;formy$allowed(@{$srv_cfg->{allowed_networks} }) {# depends on allowed_ips format; TODO; if NetAddr::IP::Lite:# return Apache2::Const::OK if $allowed->contains($ip);returnApache2::Const::OKif$allowed->test($remote);}info(sprintf"access denied for '%s'", APACHE24 ?$c->client_ip :$c->remote_ip);returnApache2::Const::FORBIDDEN;}1;# vim: ts=8 sw=2 et