Geo and tor restrictions

If you want to restrict access to your application from tor and whitelist/blacklist users from specific countries, follow the configuration steps given below. This section is divided into two parts:

  1. Deploy CloudFormation stack and integrate with Cloudfront distribution (which you created in Custom Domain section) to block access from tor.

  2. Configuring WAF ACL Rules to whitelist/blacklist specific countries as per your requirement.

Blocking Application access from tor browser:

The AWS WAF (Web Application Firewall) service can be integrated with AWS CloudFront to block access requests from unintended sources. You can use the following CloudFormation solution template offered in AWS solutions



This template creates:

  • Multiple AWS Lambda functions
  • an AWS WAFv2 Web ACL
  • an Amazon S3 bucket
  • and Amazon CloudWatch custom metric You will be billed for the AWS resources used, if you create a stack from this template.

This template provides multiple parameters for preventing web-based attacks, of which we will be only using the IP reputation lists option to block access from tor. Since the rest is beyond the scope of this document, you can refer to AWS documentation for further information.

Given below are the steps to implement this solution:

  1. To deploy this solution, you can download the cloudformation template from here

  2. This solution includes an option to send anonymous operational metrics to AWS which is by default enabled. To disable this option, make the following changes to the downloaded template: under Mappings section - disable the SendAnonymousUsageData flag

  3. Navigate to CloudFormation service dashboard from your AWS Management console (N. Virginia region), and click on Create stack -> With new resources (standard)

  4. Click Template is ready -> Upload a template file -> and choose the template file you downloaded in step 1 -> click Next

  5. Specify a stack name

  6. Under Parameters -> Protection List, choose no for all the parameters except for Activate Reputation List Protection since we want to use only this feature to block tor access. Choose yes for Activate Reputation List Protection parameter.

  7. Under Log Monitoring Settings section, select the Endpoint Type as CloudFront

  8. Keep everything else as default and click Next

  9. Add tags if required -> click Next

  10. Review the configuration, check acknowledgements and then click Create stack

  11. View the status of the stack in the AWS CloudFormation console in the Status column. You should receive a status of CREATE_COMPLETE in approximately 15 minutes. This is a nested stack that will deploy 2 stacks - one parent and a child stack. Check the Resources tab to view all the deployed resources.

  12. Navigate to your CloudFront distribution. Under the general tab of your distribution, click Edit under the Settings section

  13. Under AWS WAF web ACL parameter, select the WAF ACL created by the cloudformation stack you deployed above

  14. Click Save changes
    This will block access from tor browsers on your cloudfront distribution/s.

Geo restrictions using AWS WAF Service

  1. Navigate to AWS WAF service dashboard and click on Web ACLs. Select Global(CloudFront) option to view it

  2. Click on the ACL Name which you have integrated with cloudfront in the above steps -> go to the Rules tab -> Add Rules -> Add my own rules and rule groups

  3. Select Rule builder as Rule type. Give a rule name

  4. In front of If a request option, select: matches all the statements (AND)

  5. If you want to blacklist specific countries: in Statement 1 section, select Originates from countries in from the Inspect drop down. Then select the required countries, to be blacklisted as per your requirement, from the Country codes option.

  6. If you want to whitelist specific countries: in Statement 1 section, enable the Negate statement (NOT) checkbox and select Originates from countries in from the Inspect drop down. Then select the required countries, to be whitelisted, from the Country codes option.

  7. In Statement 2 section, select Single header from the Inspect drop down. Type host in Header field name text-box. For Match type, use Contains string. In String to match text-box type your custom domain name. For example: if your custom-domain name is, then type foo.xooa.

  8. Under the then section, choose Action as Block

  9. (Optional) Further, you can also configure response body and response code, by enabling the custom response checkbox and related configuration

  10. Click Save Rule