Can I ensure my traffic and data stay within Canada?

Is there a way to ensure this or does this happen by default?

No. Anybody with a VPN endpoint in Canada would be able to view your site.

The best I can suggest would be to create a Firewall Rule that blocks anybody who’s not in Canada:

2 Likes

Thank you, that is helpful.

Is there a way to ensure data flows through a specific Cloudflare data center? For instance, if I live in Canada on the border beside Detroit, will my data route to a Canadian server or go to the closest one (Detroit)? (POST request to a website)

No, that would be up to the ISP to control your routing. They might even route visitors through the US even if you’re not using Cloudflare. @thedaveCA probably has more info on this.

1 Like

Hmm, thanks for the insight. The traffic will be encrypted so this might be a non-issue.

You can use firewall rules as @sdayman suggested, but if you’re looking for strict PIPEDA or OFSI compliance, you may want to look at Azure: https://azure.microsoft.com/en-ca/global-infrastructure/services/?regions=canada-central,canada-east

2 Likes

What exactly do you mean by your question?

Do you only want to use the Canadian datacentres or only allow Canadian visitors?

@sandro the answer would be both, only Canadian visitors and only Canadian datacentres. I understand the firewall, I guess I am curious if there is an option somewhere to select preferred datacentres. If I post data and it routes through a server located in the United States this might look bad from a political standpoint. If static content is served from a CDN server in the United States this might also look bad from a political standpoint. Even though my servers and data are stored in Canada and traffic is firewalled to Canada only, uneducated people might see American IPs and cause trouble. :slight_smile:

Only Canadian visitors can be achieved via the firewall as already mentioned.

Only Canadian datacentres might be trickier but should also be doable via the following configuration (for Apache):

```apache
# Return 403 Forbidden unless the CF-Ray header ends in a Canadian data centre code
RewriteCond %{HTTP:CF-Ray} !-(?:YUL|YVR|YWG|YXE|YYC|YYZ)$
RewriteRule .* - [F]
```

Of course, should Cloudflare add or remove Canadian datacentres you’d also need to update that list. Also, this won’t route everything via Canada but will simply reject requests from non-Canadian datacentres.

2 Likes
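
An added example, not part of the original posts: a dry run of the CF-Ray rule above over existing access logs, counting how many visitors Cloudflare geolocates to Canada would be rejected because they were served from a non-Canadian data centre. The log layout (client IP, `CF-IPCountry`, `CF-Ray`, request) is an assumption about how the origin logs these headers, and the sample lines are constructed.

```python
import re
from collections import Counter

# Data centre codes taken from the Apache rule in the post above.
CANADIAN_COLOS = {"YUL", "YVR", "YWG", "YXE", "YYC", "YYZ"}

# CF-Ray ends in "-<three-letter data centre code>", as the rule assumes.
COLO_RE = re.compile(r"-([A-Z]{3})$")

# Assumed log layout (hypothetical): client IP, CF-IPCountry, CF-Ray, request,
# e.g. Apache LogFormat "%a %{CF-IPCountry}i %{CF-Ray}i \"%r\"".
# Constructed sample lines: documentation IPs and made-up ray IDs.
SAMPLE_LOG = """\
203.0.113.10 CA 7d1f0a2b3c4d5e6f-YVR "GET / HTTP/1.1"
203.0.113.11 CA 7d1f0a2b3c4d5e70-SEA "POST /form HTTP/1.1"
203.0.113.12 CA 7d1f0a2b3c4d5e71-YYZ "GET /about HTTP/1.1"
198.51.100.7 US 7d1f0a2b3c4d5e72-SEA "GET / HTTP/1.1"
203.0.113.13 CA 7d1f0a2b3c4d5e73-SEA "GET / HTTP/1.1"
198.51.100.8 US - "GET / HTTP/1.1"
"""

def colo_of(cf_ray):
    """Return the data centre code from a CF-Ray value, or None if absent."""
    m = COLO_RE.search(cf_ray)
    return m.group(1) if m else None

def rule_impact(log_text):
    """Replay the data centre rule over log lines without blocking anything."""
    stats = Counter()
    foreign_colos = Counter()
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # not a line in the assumed layout
        _ip, country, cf_ray = parts[:3]
        colo = colo_of(cf_ray)
        # A missing or malformed CF-Ray fails the match, so the rule rejects it.
        allowed = colo in CANADIAN_COLOS
        stats["allowed" if allowed else "rejected"] += 1
        if country == "CA" and not allowed:
            stats["canadian_visitors_rejected"] += 1
            foreign_colos[colo] += 1
    return dict(stats), dict(foreign_colos)

if __name__ == "__main__":
    print(rule_impact(SAMPLE_LOG))
```
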

So in the event a Canadian citizen is, for whatever reason, routed through the US, their request would also be blocked? I’m not nuts about the idea of blocking actual people out of any website. This sounds like a big issue if it’ll also block the target audience at random.

1 Like

I came to the same conclusion. Seeing that ISPs control routing, it seems it’s impossible to ensure the traffic stays in the country. This would only really affect border towns I think; I would be curious to test this. Seeing that all traffic is encrypted this should not matter from a technical standpoint (unless the NSA have cracked TLS :slightly_smiling_face:)

Can I ask why it matters? Blocking traffic from legit human users seems (in my uninformed opinion) like a bad idea.

I would not block traffic from non-Canadian Cloudflare datacenters because that doesn’t accomplish my goal, as users using my system would still get their data routed through the States, which I want to avoid. I would be able to tell my superiors that no traffic comes to our server from out-of-country, but user data would still be routing through other countries as well as being blocked from our application, which would create user complaints.

Canadian laws require personal information to be kept within country in certain industries, and the US Patriot Act, which allows the government access to any data stored in their country, causes lots of concern over here. I’m trying to avoid foreign governments or actors collecting data that travels en route to my server :slight_smile:

2 Likes

Sure, of course. If you block non-Canadian datacentres you block all traffic from them, regardless of where it originated from.

1 Like

I live in Brazil, and when I access one of my websites (hosted in the US and proxied by Cloudflare), my ISP routes me to the US, then Spain (ISP is controlled by Telefónica, a Spanish company), then back to the US, then to Cloudflare.

If your site is visited by a Canadian citizen living in Canada their traffic may be routed to who-knows-where before it is sent to the open internet, at which point it will find the nearest Cloudflare datacenter. Unless all Canadian ISPs are forced by some law to not route their users abroad, using Firewall Rules or a server configuration as suggested by @sandro may prevent many Canadians in Canada from accessing your website.

Please see:

3 Likes

A firewall rule should be actually fine, as that takes the actual user location into account. The Apache directives I posted might be a problem but hence my disclaimer and it was specifically meant for when someone really wants to block datacentres.

1 Like

@cbrandt that’s insane, why would they route you over the Atlantic, look at your latency piling up… who designed this thing!

1 Like

For reference, I’m a Canadian standing in Canada, but I’m being served from SEA right now on Rogers (Mobile) network. I hopped on Shaw’s public wifi which usually routes me via YVR, or sometimes YEG, but today? SEA as well. In fact I’ve only been routed to Cloudflare’s YYC site when I’m physically in a City of Calgary facility (hospital, library, etc).

4 Likes

Geo-restrictions are valid concerns for personal data and good points by all. Since this is for political purposes, I personally know of several Riding Associations and at least one major Party actively using Cloudflare. Most have their own internal election database and create the candidates site during the election. I’d contact the Party Headquarters for clarification.

3 Likes

The :angel: in me agrees that this was poorly designed.
The :smiling_imp: in me thinks this is a way to bypass another jurisdiction’s privacy laws.

1 Like