1

Some guys created a CloudFront CDN to proxy my site, so people can access my website using a URL like `df03039lsls933.cloudfront.net` instead of `www.example.com`.

How can I block this using nginx?

The CloudFront documentation says:

> Host: CloudFront sets the value to the domain name of the origin that is associated with the requested object.

So I cannot block by using the Host header. What would be another approach?

(CloudFront is just an example; I want to block all CDNs with a similar approach.)

Ryan
  • It's not clear what it is precisely you are trying to prevent. Can you clarify precisely what problem you are trying to solve? – David Schwartz Apr 21 '14 at 05:04
  • I don't want users to view my content via `df03039lsls933.cloudfront.net`, for example. – Ryan Apr 21 '14 at 06:33
  • So someone set up DNS to resolve `df03039lsls933.cloudfront.net` to your server IP? Or proxying your content through his server? – Alexey Ten Apr 21 '14 at 07:22
  • Are you taking any steps to prevent [hotlinking](http://serverfault.com/questions/tagged/hotlinking+nginx)? – Tom Brossman Apr 21 '14 at 09:40
  • @alexeyten, someone set up an AWS CloudFront distribution to proxy and cache my site. – Ryan Apr 22 '14 at 13:51
  • @TomBrossman, the reverse: someone set up a CDN to cache and proxy my site, so users view my site without using my URL. – Ryan Apr 22 '14 at 14:05

3 Answers

5

CloudFront requests come from the documented IP ranges as well as with a User-Agent string that includes `Amazon CloudFront`. You can block either, but with AWS's IP ranges expanding fairly frequently I'd go with the User-Agent block.

ceejayoz
2

I would expect the CDN to add headers which can be used to identify them. These would typically indicate the real IP address of the user as well as some other information. They should also add or append an X-Forwarded-For header, which should also contain the IP address they are forwarding for.

You could use the presence of the header to trigger a redirect to your domain. I would not use the X-Forwarded-For header for this redirect as this may be added by proxies on network boundaries as well as CDNs. You will likely have to identify the CDN's header on a case by case basis.

You should also contact the CDN if someone has configured your domain without your permission.

BillThor
  • This will also block a valid forwarding proxy like Squid. I just don't want users to view my content if they are not viewing from www.example.com – Ryan Apr 21 '14 at 06:34
  • @Yoga The CDN should use their own header in addition to the X-Forwarded-For header. Base the header off their header, not the X-Forwarded-For header. – BillThor Apr 22 '14 at 03:19
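
The two server-side checks suggested in the answers above (the `Amazon CloudFront` User-Agent and a CDN-specific request header), written out as an nginx configuration. This is an added example, not code from either answer: the variable names, listen port and document root are assumptions, and the `Via` match relies on CloudFront's documented origin-request headers rather than anything stated on this page.

```nginx
# Added example. Place the map blocks in the http {} context.
# www.example.com is the placeholder hostname used in the question.

# Signal 1: origin fetches that announce themselves as CloudFront.
map $http_user_agent $ua_is_cdn {
    default               0;
    "~*Amazon CloudFront" 1;
}

# Signal 2: a CDN-specific header. CloudFront appends a Via value
# ending in "(CloudFront)". Other CDNs need their own pattern here,
# identified case by case. X-Forwarded-For is deliberately not used,
# because ordinary forward proxies such as Squid set it too.
map $http_via $via_is_cdn {
    default           0;
    ~*\(CloudFront\)  1;
}

# Combine: anything other than "00" means at least one signal fired.
map "$ua_is_cdn$via_is_cdn" $from_cdn {
    default 1;
    "00"    0;
}

server {
    listen 80;
    server_name www.example.com;

    # Refuse requests relayed by the CDN. To send visitors to the
    # real site instead, replace the 403 with:
    #   return 301 http://www.example.com$request_uri;
    if ($from_cdn) {
        return 403;
    }

    location / {
        root /var/www/html;   # assumed document root
    }
}
```

A distribution configured to forward the viewer's own User-Agent will not match the first map, which is why the header check is combined with it. Validate the file with `nginx -t` before reloading.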
1

I believe you can use JavaScript code to check what is in the location. This check will be done in the visitor's browser (so not server-side!). This approach is quite similar to protection against opening a webpage in an iframe.

If such a situation is detected, then you can redirect the user to the valid URL (or just don't show anything).

neutrinus
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – dawud Apr 21 '14 at 10:43
  • @dawud: hope EDIT made it a bit more like an answer.. :) – neutrinus Apr 21 '14 at 18:45