I wanted to add a little more security to a zope site that has no firewall in front of it but is mostly for internal users. To do this I put a check in the accept callback of http_server. Not sure how much security increase this really gives but I wonder if anyone would find it useful (or if anyone has a better solution)? Here is the patch. I only added the acl to the http server, it would be easy to do for the others as well (but I have these turned off). -EAD diff -C3 -r ./z2.py /home/edahl/zope/z2.py *** ./z2.py 2002-10-08 17:18:20.000000000 -0400 --- /home/edahl/zope/z2.py 2003-01-14 10:48:40.000000000 -0500 *************** *** 222,227 **** --- 222,234 ---- - The start of response output, and - The end of the request. + -A acl + Add an access control list to the HTTP server. List should be comma + delimited and can contain any part of the begining of an ip address. + For instnace 1.2.,3.4. would allow two class b networks 1.2.0.0/16 + and 3.4.0.0/16. + + Environment settings are of the form: NAME=VALUE. Note: you *must* use Python 2.1 or later! *************** *** 332,337 **** --- 339,350 ---- # Use a daemon process USE_DAEMON = 1 + # Access control list by IP + # each ip should be the begining of an ip + # ie 1.2. would allow the class b 1.2.0.0 + # mulitple ips should be comma delimited + ACL_LIST=() + # ######################################################################## *************** *** 386,392 **** opts, args = getopt.getopt(sys.argv[1:], ! 'hz:Z:t:i:a:d:u:w:W:f:p:m:Sl:2DP:rF:L:XM:C', ['icp=', 'force-http-connection-close' ]) --- 399,405 ---- opts, args = getopt.getopt(sys.argv[1:], ! 'hz:Z:t:i:a:d:u:w:W:f:p:m:Sl:2DP:rF:L:XM:CA:', ['icp=', 'force-http-connection-close' ]) *************** *** 470,475 **** --- 483,490 ---- if v=='-': v='' FCGI_PORT=v elif o=='-M': DETAILED_LOG_FILE=v + elif o=='-A': + ACL_LIST = v.split(',') except SystemExit: sys.exit(0) except: *************** *** 646,652 **** ip=address, port=port, resolver=rs, ! logger_object=lg) except socket.error, why: if why[0] == 98: # address in use raise port_err % {'port':port, --- 661,669 ---- ip=address, port=port, resolver=rs, ! logger_object=lg, ! acl_list=ACL_LIST) ! except socket.error, why: if why[0] == 98: # address in use raise port_err % {'port':port, diff -C3 -r ./ZServer/HTTPServer.py /home/edahl/zope/ZServer/HTTPServer.py *** ./ZServer/HTTPServer.py 2002-10-03 22:29:49.000000000 -0400 --- /home/edahl/zope/ZServer/HTTPServer.py 2003-01-14 09:28:44.000000000 -0500 *************** *** 357,365 **** channel_class = zhttp_channel shutup=0 ! def __init__ (self, ip, port, resolver=None, logger_object=None): self.shutup=1 ! http_server.__init__(self, ip, port, resolver, logger_object) self.shutup=0 self.log_info('HTTP server started at %s\n' '\tHostname: %s\n\tPort: %d' % ( --- 357,366 ---- channel_class = zhttp_channel shutup=0 ! def __init__ (self, ip, port, resolver=None, logger_object=None, ! acl_list=None): self.shutup=1 ! http_server.__init__(self, ip, port, resolver, logger_object, acl_list) self.shutup=0 self.log_info('HTTP server started at %s\n' '\tHostname: %s\n\tPort: %d' % ( diff -C3 -r ./ZServer/medusa/http_server.py /home/edahl/zope/ZServer/medusa/http_server.py *** ./ZServer/medusa/http_server.py 2002-06-20 10:39:34.000000000 -0400 --- /home/edahl/zope/ZServer/medusa/http_server.py 2003-01-14 10:31:21.000000000 -0500 *************** *** 558,569 **** channel_class = http_channel ! def __init__ (self, ip, port, resolver=None, logger_object=None): self.ip = ip self.port = port asyncore.dispatcher.__init__ (self) self.create_socket (socket.AF_INET, socket.SOCK_STREAM) ! self.handlers = [] if not logger_object: --- 558,571 ---- channel_class = http_channel ! def __init__ (self, ip, port, resolver=None, logger_object=None, ! acl_list=None): self.ip = ip self.port = port asyncore.dispatcher.__init__ (self) self.create_socket (socket.AF_INET, socket.SOCK_STREAM) ! self.acl_list = acl_list ! self.handlers = [] if not logger_object: *************** *** 652,657 **** --- 654,673 ---- self.total_clients.decrement() return + # check acl to see if we accept this connection + if self.acl_list: + ip = addr[0] + message = 'connection from client ' + ip + self.log_info(message) + for acl in self.acl_list: + if ip.find(acl) == 0: + break + else: + message += " blocked" + self.log_info(message, 'warning') + self.total_clients.decrement() + return + self.channel_class (self, conn, addr) def install_handler (self, handler, back=0):