AWS CloudFront blacklist, access via VPN

I am setting up AWS CloudFront Management. I am blacklisting several countries in the world (for example: China). If someone from China uses a VPN through another country, can they still get access? Does the blacklist prevent access via VPN?

From the AWS documentation:

CloudFront determines the location of your users by using a third-party GeoIP database. The accuracy of the mapping between IP addresses and countries varies by Region. Based on recent tests, the overall accuracy is 99.8%. If CloudFront can't determine a user's location, CloudFront serves the content that the user has requested.

When a user accesses your service through a VPN, their real IP is hidden and what you see is the VPN server's IP. Therefore, the geographic restriction will be essentially ineffective.

You can reduce VPN usage to some extent by limiting the number of discrete sessions that share a single IP. This can be done, for example, with Lambda@Edge and DynamoDB.

To complement @aymericbeaumet's answer: you can also set up a WAF in front of CloudFront.

In WAF, you can use the AWS Managed Rules rule group called AWSManagedRulesAnonymousIpList:

This rule group contains rules to block requests from services that allow the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.