Blocking entire countries


#1

I’m considering blocking a number of countries.
How much of an adverse effect will this have on performance, if any?
Rather than block countries, is it possible via a page rule to limit access to only specific countries?


#2

You need to be on an enterprise plan to block them

None

Unfortunately not. There’s no closing deny rule like a usual firewall has. You can just block them.

Hope this helps :slight_smile:


#3

To add to this, you can “Challenge” visitors from other countries, which is good for stopping bots, but humans can pass the browser challenge and get to your site.

You can use .htaccess to watch the headers for Country code and then block/allow accordingly:


#4

As @sdayman mentioned, you can (and probably should) use .htaccess or equivalent at your web host to restrict access to your site. To enable this, Cloudflare passes you a param called ‘CF-IPCountry’ which holds the viewer’s country code in ISO 3166-1 Alpha 2 format (e.g. US, AU, GB etc). You can use the usual ‘allow from’, ‘deny from’ in conjunction with that to easily block countries or use a rewrite rule to send them to a generic blocked page.

They even include a code for Tor traffic (country code = T1) so you can block access from that too should you so desire.

Remember to set up some rules in htaccess (or better in your firewall) to also make sure all your access is only via Cloudflare if you want to guarantee access isn’t possible without Cloudflare giving you a valid country of origin.
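
The approach described in the post above, as an added example that is not part of the original thread: an .htaccess fragment that allows only listed countries based on CF-IPCountry and accepts the header only on connections from Cloudflare. It uses Apache 2.4 `Require` syntax rather than the older ‘allow from’/‘deny from’; the country lists are sample values and the IP ranges are placeholders.

```apache
# Added example, not from the thread. Apache 2.4 syntax (mod_setenvif,
# mod_authz_core); needs AllowOverride FileInfo AuthConfig for .htaccess use.
# Comments sit on their own lines because Apache has no inline comments.

# Mark requests whose Cloudflare-supplied country code is on the allow list.
# US, AU and GB are sample values; T1 (Tor) is never matched, so it is denied.
SetEnvIf CF-IPCountry "^(US|AU|GB)$" geo_allowed

# Allow-only policy: everything without geo_allowed gets 403, including
# requests that arrive with no CF-IPCountry header at all.
<RequireAll>
    # The header is only trustworthy when the connection comes from
    # Cloudflare. Replace these placeholder (documentation) ranges with
    # Cloudflare's published IP ranges.
    Require ip 192.0.2.0/24 2001:db8::/32
    Require env geo_allowed
</RequireAll>

# Deny-list alternative: use this instead of the block above.
# SetEnvIf CF-IPCountry "^(RU|T1)$" geo_blocked
# <RequireAll>
#     Require ip 192.0.2.0/24 2001:db8::/32
#     Require not env geo_blocked
# </RequireAll>
```

If mod_remoteip is configured to restore the visitor address, `Require ip` no longer sees the Cloudflare edge address, so enforce the Cloudflare-only restriction at the host firewall instead.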


#5

Although .htaccess works, it can negatively affect performance under load if the block target encompasses a massive amount of IPs. Hence, blocking via the firewall in conjunction with ipset, may be a better alternative. Careful monitoring required in either case.
Thus the attraction of CF’s solution. An allow only or deny all except would be better yet. And available through PRO or higher better still.


#6

You may want to try CloudFlare Access. Currently it’s an email based login to protect the whole page, sub-domain and sub-folders. But give it some time. I guess there are cool features coming soon :slight_smile:


#7

Access is more of a silo solution vs the whole server. Unless you’re in a corporate team environment, nothing an authenticator can’t handle, cheaper and better. Email? That’s so 90s.


#8

Just following up after applying the Cloudflare country block for Russia. Although this was applied for a non-enterprise account, the results are still impressive, as various domains on the server are being targeted by Russian bots. This was confirmed by checking the firewall logs on the server where we’ve implemented an additional country block for Russia. Those logs show NO blocked attempts and no successful access from Russia. Thus Cloudflare is doing a bang-up job of blocking bots. After checking the logs, I plan on implementing the same for other countries.



#9

Yes, it does its job. :slight_smile:

Don’t rely on it! Blocking countries is not intended to be usable on other plans than enterprise. It’s still filed as a bug.

After solving this issue the block may fall back to “challenge” or the entries will be completely removed.

I’ve no new status on this. I hope @ryan has :wink:


firewallaccessrules.api.not_entitled.country_block (Code: 10016)


#10

I’ve already implemented multiple country blocks via our own firewall but I like the belt and suspenders approach.
Do you have a link about this being a bug?


#11

We don’t have it posted as a bug, but I confirmed that in an earlier thread. Any block by country rules created on self-serve plans will automatically be converted to “challenge” instead. It seems that the massive overhaul that came with the dashboard update and shared account access has complicated the resolution. But as far as I know the block option is going away.


#12

Blocking countries has become more popular since the GDPR deadline. I wrote an article, “Will Companies ‘Brexit’ EU Over GDPR?”, about this on my website ahead of the deadline and, as anticipated, many are doing it. I have some archival sites that are not meant for the public. It may not be particularly confidential, but I want to discourage people from visiting there since another website has current info. CloudFlare is useful in blocking regions from access.

The feature is available under the Firewall tab. There, you can enter a country (no need for IP address) and choose to challenge or block.

Tech firms struggle with EU’s new privacy rules

As far as performance impact goes, those who are blocked will experience an obvious reduction in performance – zero in fact. This should have no effect on other visitors. You will experience a drop in the number of visitors and a corresponding increase in the number of averted “threats.”


#13

GDPR … that’s a good point and another great use of country blocking.


#14

Challenge only for non-enterprise, not sure why CF would remove that? It’s not like someone is going to upgrade to Enterprise or even Business to get that feature.


#15

Not the challenge. Country block will be removed for non enterprise. I think it has partially to do with Cloudflare’s philosophy. Blocking networks or even whole countries wasn’t planned and requested only by a few enterprise customers.

Now that the feature became available to all users they start to use it. I appreciate it as well but have full understanding if they deactivate or downgrade it to “Challenge”. Some customers paid a lot of money.

It seems to me that it is not a traffic or load thing for you, so you could use .htaccess or other things to block access to specific pages or sub folders from foreign countries.

Or even Cloudflare Access which will get some great features soon I guess. Let them run against a login page for sites that shouldn’t be public.


#16

It’s already challenge only with no full block for non-enterprise so what exactly is there to remove if it’s not challenge only? Makes no sense. And to repeat, blocking entire countries via .htaccess is not a good idea unless one doesn’t care about performance.

