robj

Geo locking app - which methods are best

Hi all, I have a gambling app in the UK - part of our regulatory obligations is to ensure the app is only accessible within the UK.

I’ve checked a few different ways to do it:

  1. Middleware that calls a geolocation IP API
  2. Middleware that checks a local geolocation IP DB
  3. CloudFront (we’re hosted on Vapor)
  4. CloudFlare (we don’t use it but it’s on my list to assess should we need serious bot protection so if I needed it for this then that’s no major hardship)

I think 1 & 2 are going to be poor UX, I’m inclined to go for 3 now and hold 4 in reserve.

None of these will be perfect, I think 4 is probably the most advanced but may be overkill at this point.

Anyway, any I’ve missed? Any thoughts?

Thanks, RobJ.

0 likes
7 replies
LaryAI

Hi RobJ,

Geo-locking your app to ensure it's only accessible within the UK is indeed an important regulatory requirement for a gambling app. Here are my thoughts on the methods you've listed and a potential solution:

  1. Middleware that calls a geolocation IP API: This method can be effective but may introduce latency as each request will require a call to an external API. This could impact user experience if the API is slow or has rate limits.

  2. Middleware that checks a local geolocation IP DB: This method is faster than calling an external API since the database is local. However, the downside is that you need to keep the database up-to-date to maintain accuracy.

  3. CloudFront (AWS service, assuming you're using Laravel Vapor): CloudFront can be configured to serve content only to specific geographic locations. This is a robust solution as it's managed at the CDN level, reducing the load on your application servers.

  4. CloudFlare: Similar to CloudFront, CloudFlare offers geo-blocking features at the edge, which can be very effective. It also provides additional benefits like DDoS protection and bot management.

Considering performance and user experience, I would recommend starting with CloudFront since you're already hosted on Vapor, which integrates well with AWS services. CloudFront's geo-restriction feature can prevent users outside the UK from accessing your app content without adding latency to your application.

Here's a basic example of how you might set up a geo-restriction in CloudFront:

  1. Go to your CloudFront distribution in the AWS Management Console.
  2. Navigate to the 'Restrictions' tab.
  3. Click on 'Edit' in the Geo-Restriction section.
  4. Select 'Yes' for 'Enable Geo-Restriction'.
  5. Choose 'Whitelist' and add the UK to the list of countries.
  6. Save the changes.

CloudFlare can be kept in reserve as you mentioned, and it could be a good addition if you need more advanced security features in the future.

Remember to test any geo-restriction implementation thoroughly to ensure legitimate users are not inadvertently blocked and to confirm that the system is effective against users trying to access the app from outside the UK.

I hope this helps, and best of luck with your app!

Please note that the above steps are a general guide and the actual implementation details may vary based on your specific setup and requirements.
Snapey

You only need to check the location once. After that you could hold a flag in session. Then a simple gate middleware would have no impact on user experience.

Unfortunately though, I doubt you can do anything to prevent geographic proxies.

1 like
robj

@Snapey thanks 🙏

One of the advantages of going the middleware route is bypasses can be arranged for non-UK devs if they need it. The risk team of our merchant provider is also abroad and they require periodic access.

Agreed, nothing will stop someone who is motivated using a proxy/VPN. I did read there was some offering anti-VPN technology but at this point it’s less of a concern than, say, DOS. We also have gates on who can register (UK verified name & address) and pay (UK based debit account) - again nothing insurmountable but you have to be pretty keen to overcome all of those things.

MohamedTammam

I would go with options 3 & 4, not just because they handle it better than just geolocation IP middleware, but because they have more options.

If it comes to legal terms, it's better to rely on another company that takes this responsibility if you aren't able to build a full solution yourself.

1 like
martinbean

@robj If the app is put behind a Cloudflare proxy, then Cloudflare tell you the country of the connecting IP in a header.

1 like
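
Added example (not part of any post in this thread): a Laravel middleware that combines Snapey's check-once session flag, robj's bypass for named non-UK parties, and the Cloudflare country header martinbean mentions (`CF-IPCountry`). The class name, the `geo.bypass_cidrs` config key and the `geo_check` session key are hypothetical; it assumes the origin accepts traffic only from Cloudflare and that trusted proxies are configured so `$request->ip()` returns the real client address.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\IpUtils;

// Added example, not from the thread. Assumes the origin only accepts traffic
// from the Cloudflare proxy; otherwise a client can send CF-IPCountry itself.
class RestrictToUk
{
    // The ISO 3166-1 alpha-2 code for the United Kingdom is GB, not UK.
    private const ALLOWED_COUNTRIES = ['GB'];

    public function handle(Request $request, Closure $next)
    {
        $ip = (string) $request->ip();

        // Bypass for named non-UK addresses (developers, the merchant's risk team).
        // 'geo.bypass_cidrs' is a hypothetical config key holding CIDR strings.
        $bypass = (array) config('geo.bypass_cidrs', []);
        if ($bypass !== [] && IpUtils::checkIp($ip, $bypass)) {
            return $next($request);
        }

        // Check once per session and client IP, then reuse the stored decision.
        // Must run after StartSession (the "web" group) so a session exists.
        $session = $request->session();
        $cached = $session->get('geo_check');
        if (!is_array($cached) || ($cached['ip'] ?? null) !== $ip) {
            $country = strtoupper((string) $request->header('CF-IPCountry', ''));
            $cached = [
                'ip' => $ip,
                // A missing header, XX (unknown) and T1 (Tor) all fail closed.
                'allowed' => in_array($country, self::ALLOWED_COUNTRIES, true),
            ];
            $session->put('geo_check', $cached);
        }

        abort_unless($cached['allowed'], 403, 'This service is only available in the United Kingdom.');

        return $next($request);
    }
}
```

Binding the cached decision to the client IP forces a fresh check when a session moves to a different address, so a flag set from a UK connection does not carry over unchanged.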
robj

@martinbean that’s an interesting thought - I wonder if CloudFront has something similar, I’ll check.
