AWS Lambda@Edge
Intercepting traffic at the CDN level using AWS Lambda@Edge is the most secure and cost-effective way to use ProxyTracer. By dropping malicious requests at the AWS edge, you completely shield your origin servers from botnet traffic and save on compute costs.
The Implementation
This function hooks into the CloudFront Viewer Request event. It reads the client IP directly from the event object, makes a fast asynchronous fetch to ProxyTracer, and returns a constructed 403 Forbidden response directly to the user if a proxy is detected.
```javascript
// Lambda@Edge does not support environment variables, so process.env cannot
// supply the key here. Inject it at build time or load it from a secret store.
const PROXYTRACER_API_KEY = 'REPLACE_WITH_API_KEY'; // placeholder

export const handler = async (event) => {
  const request = event.Records[0].cf.request;

  // 1. Safely extract the client IP directly from CloudFront
  const clientIp = request.clientIp;

  // Pass through if local testing or no IP found
  if (!clientIp) {
    return request;
  }

  try {
    // 2. Query ProxyTracer API (Lambda Node 18+ supports native fetch)
    const ptResponse = await fetch(`https://api.proxytracer.com/v1/check/${clientIp}`, {
      method: 'GET',
      headers: {
        'Authorization': `Bearer ${PROXYTRACER_API_KEY}`
      },
      // AbortSignal.timeout enforces a strict 500ms timeout
      signal: AbortSignal.timeout(500)
    });

    if (ptResponse.ok) {
      const data = await ptResponse.json();

      // 3. Drop the connection immediately if a proxy is detected
      if (data.proxy === true) {
        // Returning a custom response short-circuits the CloudFront request
        return {
          status: '403',
          statusDescription: 'Forbidden',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'application/json' }]
          },
          body: JSON.stringify({ error: "Access Denied: VPN or Proxy detected." })
        };
      }
    }
  } catch (error) {
    // Fail open: if the API call times out or errors, allow traffic to ensure uptime
    console.error('ProxyTracer API Error:', error);
  }

  // 4. Traffic is clean, return the request object to continue routing to origin
  return request;
};
```

Deployment Note: Ensure this Lambda function is deployed to the us-east-1 region, as CloudFront requires all Lambda@Edge functions to be created there before it replicates them globally.
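The handler above calls the API on every viewer request and always fails open. The following added example (not ProxyTracer code) shows one way to reuse verdicts across warm invocations and make the failure policy an explicit choice; `TTL_MS`, `MAX_ENTRIES`, the function names and the injected `lookup` callback are assumptions for illustration.

```javascript
// Added example, not ProxyTracer code. TTL_MS, MAX_ENTRIES and all function
// names are assumptions chosen for illustration.
const TTL_MS = 5 * 60 * 1000;  // how long a verdict is reused
const MAX_ENTRIES = 5000;      // bound memory in the edge execution environment
const cache = new Map();       // ip -> { proxy, expires }; survives warm invocations

function getCached(ip, now = Date.now()) {
  const hit = cache.get(ip);
  if (!hit) return undefined;
  if (hit.expires <= now) { cache.delete(ip); return undefined; }
  return hit.proxy;
}

function setCached(ip, proxy, now = Date.now()) {
  // Map iterates in insertion order, so the first key is the oldest entry.
  if (cache.size >= MAX_ENTRIES) cache.delete(cache.keys().next().value);
  cache.set(ip, { proxy, expires: now + TTL_MS });
}

// verdict: true = proxy, false = clean, undefined = lookup failed or timed out.
function decide(verdict, failClosed) {
  if (verdict === true) return 'block';
  if (verdict === undefined && failClosed) return 'block';
  return 'allow';
}

function forbidden() {
  return {
    status: '403',
    statusDescription: 'Forbidden',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'application/json' }] },
    body: JSON.stringify({ error: 'Access Denied: VPN or Proxy detected.' })
  };
}

// lookup is injected: async (ip) => boolean, throwing on timeout or API error.
async function screen(request, lookup, { failClosed = false, now = Date.now() } = {}) {
  const ip = request.clientIp;
  let verdict = getCached(ip, now);
  if (verdict === undefined) {
    try {
      verdict = Boolean(await lookup(ip));
      setCached(ip, verdict, now);   // only successful lookups are cached
    } catch (err) {
      console.error('lookup failed:', err.message);
      verdict = undefined;
    }
  }
  return decide(verdict, failClosed) === 'block' ? forbidden() : request;
}
```

Failed lookups are never cached, so an API outage affects only the requests made while it lasts. With `failClosed` left at `false` the behaviour matches the handler's fail-open path.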