Amazon CloudFront
Developer Guide (API Version 2012-07-01)
AWS Documentation » Amazon CloudFront » Developer Guide » CloudFront Tutorials » Restricting Access to Files in a CloudFront Distribution Based on Geographic Location (Geoblocking) » Sample Code for Digital Element » PHP Sample Code for Digital Element
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.Did this page help you?  Yes | No |  Tell us about it...

PHP Sample Code for Digital Element

The following sample application gets the IP address of the end user and sends the IP address to Digital Element. Digital Element returns the country code (in XML format) that corresponds to the end user's IP address. The application then parses the XML, displays the country code that is blocked, and evaluates whether the value returned by Digital Element matches the blocked country code. If the end user's country is not blocked, the application displays a "You are not blocked" message, uses a canned policy to create a signed URL that expires in five minutes, performs the substitutions necessary to ensure that the URL doesn't include any invalid characters, and redirects the user's browser to the signed URL. If the end user's country is blocked, the application displays a "You are blocked" message and a graphic.

<!DOCTYPE html>
<html>
<head>
   <title>Geoblocking Test</title>
</head>
<body>
   <h1>Geoblocking Test</h1>

<?php
// Configure the private key (make sure this information is secure).
$private_key_filename = 'path to private key';
$key_pair_id          = 'CloudFront key pair ID';

/*
 * Configure the geoblocking parameters. The following variables 
 * describe the two-letter country to be blocked, the 
 * CloudFront URL for the file that you want to secure, 
 * and the expiry time of the URL. Change these values as needed.
 */
$blocked_geo = 'uk';
$asset_path  = 'CloudFront URL for the object';
$expires     = time() + 300; // (5 minutes from now)

// Configure the URL to the geoblocking service.
$token       = 'Digital Element user token';
$address     = 'Digital Element URL';
$remote_ip   = get_remote_ip_address();
$service_url = $address . '?u=' . $token . '&ip=' . $remote_ip;

// Call the web service using the configured URL.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $service_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$ws_response = curl_exec($ch);

// Parse the response with SimpleXML and get the geoblocking value.
$xml      = new SimpleXMLElement($ws_response);
$edge_geo = $xml->response->attributes()->{'edge-two-letter-country'};

echo '<p>The country being blocked is: ' . strtoupper($blocked_geo) . '</p>';

if ($edge_geo != $blocked_geo)
{
   echo '<p>Your country is: ' . strtoupper($edge_geo) . '</p>';
   echo '<p>You are not blocked.</p>';
   $signed_url = create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires);
   echo '<img src="' . $signed_url . '" width="600" height="401" ' ;
}
else
{
   echo '<p>Your country is: ' . strtoupper($edge_geo) . '</p>';
   echo '<p>You are blocked.</p>';
   $blocked_url = 'http://s3.amazonaws.com/<Amazon S3 bucket>/blocked-image.jpg';
   echo '<img src="' . $blocked_url . '" alt="Access blocked" width="600" height="401" ';
}

// Function definitions


function get_remote_ip_address()
{
   // Check to see if an HTTP_X_FORWARDED_FOR header is present.

   if($_SERVER["HTTP_X_FORWARDED_FOR"])

   {

      // If the header is present, use the last IP address.
      $temp_array      = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
      $temp_ip_address = $temp_array[count($temp_array) - 1];
   }
   else
   {
      // If the header is not present, use the 
      // default server variable for remote address.
      $temp_ip_address = $_SERVER['REMOTE_ADDR'];
   }
   
   return $temp_ip_address;
}

function create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires)
{
   // Build the policy.
   $canned_policy = '{"Statement":[{"Resource":"' . $asset_path
      . '","Condition":{"DateLessThan":{"AWS:EpochTime":'. $expires . '}}}]}';

   // Sign the policy.
   $signature = rsa_sha1_sign($canned_policy, $private_key_filename);

   // Make the signature is safe to be included in a URL.
   $encoded_signature = url_safe_base64_encode($signature);

   // Combine the above into a properly formed URL name.
   $temp_signed_url = $asset_path . '?Expires=' . $expires . '&Signature='
      . $encoded_signature . '&Key-Pair-Id=' . $key_pair_id;

   return $temp_signed_url;
}

function rsa_sha1_sign($policy, $private_key_filename)
{
   $signature = '';

   // Load the private key.
   $fp = fopen($private_key_filename, 'r');
   $private_key = fread($fp, 8192);
   fclose($fp);

   $private_key_id = openssl_get_privatekey($private_key);

   // Compute the signature.
   openssl_sign($policy, $signature, $private_key_id);

   // Free the key from memory.
   openssl_free_key($private_key_id);

   return $signature;
}

function url_safe_base64_encode($value)
{
   $encoded = base64_encode($value);

   // Replace the characters that cannot be used in a URL.
   return str_replace(array('+', '=', '/'), array('-', '_', '~'), $encoded);
}
?>

</body>
</html>
Document Conventions« PreviousNext »
Terms of UseDid this page help you?  Yes | No |  Tell us about it...