The following sample application gets the IP address of the end user and sends the IP address to MaxMind. MaxMind returns the country code that corresponds to the end user's IP address. The application then displays the country code that is blocked and evaluates whether the value returned by MaxMind matches the blocked country code. If the end user's country is not blocked, the application displays a "You are not blocked" message, uses a canned policy to create a signed URL that expires in five minutes, performs the substitutions necessary to ensure that the URL doesn't include any invalid characters, and redirects the user's browser to the signed URL. If the end user's country is blocked, the application displays a "You are blocked" message and a graphic.
```php
<!DOCTYPE html>
<html>
<head>
    <title>Geoblocking Test</title>
</head>
<body>
    <h1>Geoblocking Test</h1>
<?php
// Configure the private key (make sure this information is secure).
$private_key_filename = 'path to private key';
$key_pair_id = 'CloudFront key pair ID';

/*
 * Configure the geoblocking parameters. The following variables
 * describe the two-letter country to be blocked, the
 * CloudFront URL for the file that you want to secure,
 * and the expiry time of the URL. Change these values as needed.
 */
$blocked_geo = 'gb';
$asset_path = 'CloudFront URL for the object';
$expires = time() + 300; // (5 minutes from now)

// Configure the URL to the geolocation service.
$token = 'MaxMind user token';
$address = 'MaxMind URL';
$remote_ip = get_remote_ip_address();
// URL-encode the values so that they cannot alter the query string.
$service_url = $address . '?l=' . urlencode($token) . '&i=' . urlencode($remote_ip);

// Call the web service using the configured URL.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $service_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$ws_response = curl_exec($ch);

// curl_exec() returns false if the lookup fails. Treat a failed or empty
// lookup as blocked so that a lookup failure does not grant access.
$lookup_ok = is_string($ws_response) && trim($ws_response) !== '';
$edge_geo = $lookup_ok ? strtoupper(trim($ws_response)) : '';

echo '<p>The country being blocked is: ' . strtoupper($blocked_geo) . '</p>';

if ($lookup_ok && $edge_geo != strtoupper($blocked_geo)) {
    // Escape the service response before writing it into the page.
    echo '<p>Your country is: ' . htmlspecialchars($edge_geo) . '</p>';
    echo '<p>You are not blocked.</p>';
    $signed_url = create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires);
    echo '<img src="' . htmlspecialchars($signed_url) . '" width="600" height="401"/>';
} else {
    echo '<p>Your country is: ' . htmlspecialchars($edge_geo) . '</p>';
    echo '<p>You are blocked.</p>';
    $blocked_url = 'http://s3.amazonaws.com/<Amazon S3 bucket>/blocked-image.jpg';
    echo '<img src="' . $blocked_url . '" alt="Access blocked" width="600" height="401"/>';
}

// Function definitions
function get_remote_ip_address() {
    // Check to see if an HTTP_X_FORWARDED_FOR header is present.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // If the header is present, use the last IP address.
        // Entries are separated by ", ", so trim the surrounding whitespace.
        $temp_array = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $temp_ip_address = trim($temp_array[count($temp_array) - 1]);
    } else {
        // If the header is not present, use the
        // default server variable for remote address.
        $temp_ip_address = $_SERVER['REMOTE_ADDR'];
    }
    return $temp_ip_address;
}

function create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires) {
    // Build the policy.
    $canned_policy = '{"Statement":[{"Resource":"' . $asset_path
        . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $expires . '}}}]}';

    // Sign the policy.
    $signature = rsa_sha1_sign($canned_policy, $private_key_filename);

    // Make sure the signature contains only characters that
    // can be included in a URL.
    $encoded_signature = url_safe_base64_encode($signature);

    // Combine the above into a properly formed URL name
    $temp_signed_url = $asset_path . '?Expires=' . $expires
        . '&Signature=' . $encoded_signature . '&Key-Pair-Id=' . $key_pair_id;
    return $temp_signed_url;
}

function rsa_sha1_sign($policy, $private_key_filename) {
    $signature = '';

    // Load the private key.
    $fp = fopen($private_key_filename, 'r');
    $private_key = fread($fp, 8192);
    fclose($fp);
    $private_key_id = openssl_get_privatekey($private_key);

    // Compute the signature (SHA-1 is the openssl_sign() default).
    openssl_sign($policy, $signature, $private_key_id, OPENSSL_ALGO_SHA1);

    // Free the key from memory. openssl_free_key() is deprecated as of
    // PHP 8.0, where keys are freed automatically.
    if (PHP_VERSION_ID < 80000) {
        openssl_free_key($private_key_id);
    }
    return $signature;
}

function url_safe_base64_encode($value) {
    $encoded = base64_encode($value);
    // Replace characters that cannot be included in a URL.
    return str_replace(array('+', '=', '/'), array('-', '_', '~'), $encoded);
}
?>
</body>
</html>
```
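A local check for the signed URL that the sample builds, as an added example that is not part of the AWS sample code: it reverses the character substitutions, rebuilds the canned policy from the URL, and verifies the RSA-SHA1 signature against the public key. The `verify_signed_url` and `url_safe_base64_decode` functions, the throwaway key pair, the `example.cloudfront.net` URL and the `EXAMPLEKEYID` value are constructed for the demonstration, and the asset URL is assumed to have no query string of its own.

```php
<?php
// Added example, not AWS sample code. Assumes the asset URL has no query
// string of its own, as in the sample above.
function url_safe_base64_decode($value) {
    // Reverse the '+', '=', '/' substitutions made for the signed URL.
    $b64 = str_replace(array('-', '_', '~'), array('+', '=', '/'), $value);
    return base64_decode($b64, true);
}

// Returns true only if the URL is unexpired and its signature matches
// the canned policy rebuilt from the URL itself.
function verify_signed_url($signed_url, $public_key_pem, $now) {
    $parts = explode('?', $signed_url, 2);
    if (count($parts) !== 2) {
        return false;
    }
    parse_str($parts[1], $query);
    foreach (array('Expires', 'Signature', 'Key-Pair-Id') as $name) {
        if (!isset($query[$name]) || !is_string($query[$name])) {
            return false;
        }
    }
    if (!ctype_digit($query['Expires']) || (int) $query['Expires'] <= $now) {
        return false; // Malformed or already expired.
    }
    $signature = url_safe_base64_decode($query['Signature']);
    if ($signature === false) {
        return false;
    }
    $policy = '{"Statement":[{"Resource":"' . $parts[0]
        . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $query['Expires'] . '}}}]}';
    return openssl_verify($policy, $signature, $public_key_pem, OPENSSL_ALGO_SHA1) === 1;
}

// Demo with a throwaway key pair and constructed values.
$key = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$public_key_pem = openssl_pkey_get_details($key)['key'];
$url = 'https://example.cloudfront.net/image.jpg'; // constructed
$expires = time() + 300;
$policy = '{"Statement":[{"Resource":"' . $url
    . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $expires . '}}}]}';
openssl_sign($policy, $raw, $key, OPENSSL_ALGO_SHA1);
$sig = str_replace(array('+', '=', '/'), array('-', '_', '~'), base64_encode($raw));
$signed = $url . '?Expires=' . $expires . '&Signature=' . $sig . '&Key-Pair-Id=EXAMPLEKEYID';
var_dump(verify_signed_url($signed, $public_key_pem, time()));        // untouched URL
$later = str_replace('Expires=' . $expires, 'Expires=' . ($expires + 3600), $signed);
var_dump(verify_signed_url($later, $public_key_pem, time()));         // Expires altered
var_dump(verify_signed_url($signed, $public_key_pem, $expires + 1));  // checked after expiry
```

Of the three calls, only the untouched URL verifies: changing `Expires` after signing breaks the signature because the expiry time is part of the signed policy, and the third call fails the expiry check.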