Blocking entire countries


I’m considering blocking a number of countries.
How much of an adverse affect will this have on performance, if any?
Rather than block countries, is it possible via a page rule to limit access to only specific countries?


You need to be on an enterprise plan to block them


Unfortunately not. There’s no closing deny rule like a usual firewall has. You can just block them.

Hope this helps :slight_smile:


To add to this, you can “Challenge” visitors from other countries, which is good for stopping bots, but humans can pass the browser challenge and get to your site.

You can use .htaccess to watch the headers for Country code and the block/allow accordingly:


As @sdayman mentioned, you can (and probalby should) use .htaccess or equivalent at your web host to restrict access to your site. To enable this, Cloudflare passes you a param called ‘CF-IPCountry’ which holds the viewers country code in ISO 3166-1 Alpha 2 format (e.g. US, AU, GB etc). You can use the usual ‘allow from’, ‘deny from’ in conjunction with that to easily block countries or use a rewrite rule to send them to a generic blocked page.

They even include a code for Tor traffic (country code = T1) so you can block access from that too should you so desire.

Remember to set up some rules in htaccess (or better in your firewall) to make also sure all your access is only via Cloudflare if you want to guarantee access isn’t possible without Cloudflare giving you a valid country of origin.


Although .htaccess works, it can negatively affect performance under load if the block target encompasses a massive amount of IPs. Hence, blocking via the firewall in conjunction with ipset, may be a better alternative. Careful monitoring required in either case.
Thus the attraction of CFs solution. An allow only or deny all except would be better yet. And available through PRO or higher better still.


You may want to try CloudFlare Access. Currently it’s an email based login to protect the whole page, sub-domain and sub-folders. But give it some time. I guess there are cool features coming soon :slight_smile:


Access is more of a silo solution vs the whole server. Unless you’re in corporate team environment, nothing an authenticator can’t handle, cheaper and better. Email? that’s so 90s.


Just following up after applying the Cloudflare country block for Russia. Although, this was applied for a non-enterprise account, the results are still impressive, as various domains on the server are being targeted by Russian bots. This was confirmed by checking the firewall logs on the server where we’ve implemented an additional country block for Russia. Those logs show NO blocked attempts and no successful access from Russia. Thus Cloudflare is doing a bang up job of blocking bots. After checking the logs, I plan on implementing the same for other countries.


Yes it does it’s job. :slight_smile:

Don’t rely on it! Blocking countries is not intended to be usable on other plans than enterprise. It’s still filed as a bug.

After solving this issue the block may fall back to “challenge” or the entries will be completely removed.

I’ve no new status on this. I hope @ryan has :wink:


I’ve already implemented multiple country blocks via our own firewall but I like the belt and suspenders approach.
Do you have a link about this being a bug?


We don’t have it posted as a bug, but I confirmed that in an earlier thread. Any block by country rules created on self-serve plans will be automatically be converted to “challenge” instead. It seems that the massive overhaul that came with the dashboard update and shared account access has complicated the resolution. But as far as I know the block option is going away.