
I am trying to use Amazon AWS CloudFront Geo restriction to whitelist a few specific countries and block access from anywhere else. So far I did this:

1) Enabled Geo restriction on the CloudFront distribution in whitelist mode and added (for a test) just Israel, to make sure it is available here. To be sure, I invalidated the whole website (the website is statically hosted on S3). [Attached config from AWS for sanity check]

2) To test, I tried accessing it from various EC2 instances around the world - looks good, always got a 403 error. Still seemed not 100% foolproof, so:

3) Tried accessing the website using Tor Browser with different exit points in the US/UK/Germany and ... I always get to the website, no block whatsoever. Tried from at least 20 different geo IPs [some of the tests are attached]. My ideas so far are:

  • either testing from AWS infrastructure is not relevant and AWS Geo does not restrict anything

  • or it does restrict as advertised EXCEPT for Tor traffic; then it is half the problem, but still, why not? After all, Tor is just web traffic from an IP...

  • or I am doing something wrong in the Geo configuration. For testing, should it be needed, I did all this on https://lifeinisrael.co.il, my hobby non-production site, so I can mess with it freely.

[Image: AWS CloudFront geo configs]

[Image: Accessing the site from the UK]

Yuri
    Configure your cache behavior to forward the `Cloudfront-Viewer-Country` header to your web server, and then configure your web server to log it. See where CloudFront thinks you are coming from. If the header says `A1` instead of an actual ISO country code, then it thinks you're using an anonymous proxy, like Tor. – Michael - sqlbot May 09 '17 at 23:23
  • Thanks, I will set up EC2 + apache to do so, as this one is on S3 bucket static hosting so no header logs are available, and update post here. – Yuri May 10 '17 at 04:37
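One way to carry out the check Michael suggests in the comment above, as an added example that is not code from the post: forward the `CloudFront-Viewer-Country` header to an Apache origin, log it, and tally what CloudFront reported for each request that reached the origin. The Apache `LogFormat`, the log lines and the whitelist `{"IL"}` are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Assumed Apache LogFormat on the origin (an assumption, not from the post):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{CloudFront-Viewer-Country}i\"" cfcountry
# The last quoted field is the header the cache behavior forwards;
# "-" means the request reached the origin without that header at all.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<country>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.1.5 - - [10/May/2017:05:01:12 +0000] "GET / HTTP/1.1" 200 5120 "IL"
10.0.1.5 - - [10/May/2017:05:02:40 +0000] "GET /about HTTP/1.1" 200 2048 "A1"
10.0.1.5 - - [10/May/2017:05:03:01 +0000] "GET / HTTP/1.1" 200 5120 "GB"
10.0.1.5 - - [10/May/2017:05:03:15 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
"""


def classify(country, whitelist):
    """Map the forwarded header value to what the geo whitelist should have done."""
    if country == "-":
        return "no-header"        # header not forwarded: cache behavior not set up
    if country == "A1":
        return "anonymous-proxy"  # CloudFront could not attribute the IP to a country
    # Any other value is an ISO code; a non-whitelisted one reaching the origin
    # is exactly the symptom the question describes.
    return "allowed" if country in whitelist else "leak"


def audit(log_text, whitelist):
    """Return counts per classification for every line of the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts[classify(m.group("country"), whitelist)] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, n in sorted(audit(SAMPLE_LOG, {"IL"}).items()):
        print(f"{kind:16} {n}")
```

Only requests that miss the CloudFront cache are logged at the origin, so test against uncached URLs or after an invalidation; a "leak" or "anonymous-proxy" entry shows what CloudFront decided for a request that got through.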

1 Answer

This is very late, and you may have already found the solution. I found that you cannot block Tor with only CloudFront. Add WAF to CloudFront and make your whitelist in WAF, and Tor will be blocked (I have not tested whether it blocks if the exit node is from that country).

eddy