Andreas Jung wrote:
> Hi there,
>
> I have a repoze.bfg app listening on 0.0.0.0 (started using paster serve).
>
> What is the best practice for restricting access to the server to a
> number of IP addresses other than through a firewall? Is there
> some WSGI middleware doing the filtering? I think writing a WSGI filter
> would not be too hard but how to configure this with the server.ini?
> Just looking for the missing link.

I guess it depends on what granularity of access you want different kinds of people to have. If you just want anyone from any network other than X.X.X.X/255 to be rejected by the system when they attempt to access port XXX, this is probably best done at the system level (firewall).

If you want to be able to identify two or more sets of people based on their IP address, and give the sets different system access levels, I might write a BFG authentication policy based on the repoze.who plugin that lives at http://svn.repoze.org/whoplugins/repoze.whoplugins.ipauth/trunk ... or just use repoze.who and the BFG repoze.who authentication policy.

See http://docs.repoze.org/bfg/1.0/narr/security.html#creating-your-own-authentication-policy or http://docs.repoze.org/bfg/1.0/narr/security.html#repozewho1authenticationpolicy .

- C
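
The WSGI-filter route the question asks about, as an added example that is not part of the original thread and is not repoze code: an allowlist middleware with a PasteDeploy `paste.filter_app_factory` so it can be wired in from the .ini file. The names `IPAllowFilter`, `make_ip_filter`, the `allow` option and the `egg:myapp#ipallow` entry point are assumptions made for illustration.

```python
# PasteDeploy wiring (assumed names; "myapp" and "ipallow" are hypothetical,
# with "ipallow" registered in the paste.filter_app_factory entry point group):
#   [filter:ipallow]
#   use = egg:myapp#ipallow
#   allow = 10.0.0.0/8 192.168.1.0/24
#
#   [pipeline:main]
#   pipeline = ipallow myapp
import ipaddress


class IPAllowFilter:
    """WSGI middleware that answers 403 unless the peer is in an allowed network."""

    def __init__(self, app, allow):
        self.app = app
        # strict=False tolerates entries with host bits set, e.g. 192.168.1.5/24
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allow]

    def allowed(self, remote_addr):
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # missing or malformed address: fail closed
        # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        return any(addr in net for net in self.networks)

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy,
        # so this check only means something when clients connect directly.
        if self.allowed(environ.get("REMOTE_ADDR", "")):
            return self.app(environ, start_response)
        body = b"403 Forbidden\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def make_ip_filter(app, global_conf, allow=""):
    """paste.filter_app_factory: 'allow' is a whitespace-separated CIDR list."""
    return IPAllowFilter(app, allow.split())
```

An empty `allow` value denies every request, so a missing option fails closed rather than open.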