Configure Country Access Control in CloudFront Using PHP

The following sample application gets the IP address of the end user and sends the IP address to IP2Location. IP2Location returns the country code that corresponds to the end user’s IP address. The application then will show the country code that is blocked and evaluates whether the value returned by IP2Location matches the blocked country code. If the end user’s country is not blocked, the application displays a graphic image, uses a canned policy to create a signed URL that expires in five minutes, performs the substitutions necessary to ensure that the URL doesn’t include any invalid characters, and redirects the user’s browser to the signed URL. If the end user’s country is blocked, the application displays a “You are not allowed to view the image” message.

 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
<!DOCTYPE html>
   <title>Example of Country Access Control</title>
   <h1>Example of Country Access Control</h1>
// Configure the private key
$private_key_filename = 'path to private key';
$key_pair_id          = 'CloudFront key pair ID';
//Configure the URL of the image file
$asset_path  = 'CloudFront URL for the image';
$expires     = time() + 300; // (5 minutes from now)
//Retrieving country code from web service call
$visitor_ip   = get_visitor_ip_address();
$service_url = "$visitor_ip&key=<your_api_key>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $service_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
$visitor_country = $result;
echo '<p>The visitor is from : ' . $visitor_country . '</p>';
//In this sample code, we restrict the access of VN country
if (strtoupper($visitor_country) != 'VN')
   echo '<p>You are allowed to view the image.</p>';
   //create the signed image url for display
   $signed_url = create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires);
   echo '<img src="' . $signed_url . '" />' ;
   echo '<p>You are not allowed to view the image.</p>';
//Get visitor ip address
function get_visitor_ip_address()
      $temp_array      = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
      return $temp_array[count($temp_array) - 1];
      return $_SERVER['REMOTE_ADDR'];
//Create the cloudfront signed URL
function create_signed_url($asset_path, $private_key_filename, $key_pair_id, $expires)
   // Build the policy.
   $canned_policy = '{"Statement":[{"Resource":"' . $asset_path
      . '","Condition":{"DateLessThan":{"AWS:EpochTime":'. $expires . '}}}]}';
   // Sign the policy.
   $signature = rsa_sha1_sign($canned_policy, $private_key_filename);
   // Make the signature contains only characters that
   // can be included in a URL.
   $encoded_signature = url_safe_base64_encode($signature);
   // Combine the above into a properly formed URL name
   $temp_signed_url = $asset_path . '?Expires=' . $expires . '&Signature='
      . $encoded_signature . '&Key-Pair-Id=' . $key_pair_id;
   return $temp_signed_url;
function rsa_sha1_sign($policy, $private_key_filename)
   $signature = '';
   // Load the private key.
   $fp = fopen($private_key_filename, 'r');
   $private_key = fread($fp, 8192);
   $private_key_id = openssl_get_privatekey($private_key);
   // Compute the signature.
   openssl_sign($policy, $signature, $private_key_id);
   // Free the key from memory.
   return $signature;
function url_safe_base64_encode($value)
   $encoded = base64_encode($value);
   // Replace characters that cannot be included in a URL.
   return str_replace(array('+', '=', '/'), array('-', '_', '~'), $encoded);


Was this article helpful?

Related Articles