Firewall rule that whitelists certain countries not working as expected

I have one firewall rule:

(not ip.geoip.country in {"US" "CA" "GB" "IE" "FR" "ES" "PT" "BE" "NL" "LU" "DE" "DK" "NO" "SE" "FI" "CH" "IT" "AT" "AU" "NZ"})

As I’m currently located in Australia, I would expect requests to get through. However, it seems that requests from here are getting blocked (error code 1020 - not the standard Cloudflare page though. The entire response is “error code: 1020”). If I disable the rule and wait for a bit then these errors go away.

The RayID below ends in “SIN”, which I assume is Singapore. Singapore is not in my whitelist of countries, so I wonder if that is related? But I would think that shouldn’t matter, since the request originates in a whitelisted country. It shouldn’t matter where it gets routed through.

Any ideas why this would continue to be blocked?

Curl requests:

$ curl https://cdn.mydomain.com/assets/application-c2c6a2247bc2fe1d004b688504007337326ed1818f6edb3fe2ae04e8848dfc87.css
error code: 1020

$ curl -I https://cdn.mydomain.com/assets/application-c2c6a2247bc2fe1d004b688504007337326ed1818f6edb3fe2ae04e8848dfc87.css
HTTP/2 403
date: Tue, 21 Jan 2020 23:51:41 GMT
content-type: text/plain; charset=UTF-8
set-cookie: __cfduid=dd511db5adb6b2a732b52aac079f20dd11579650701; expires=Thu, 20-Feb-20 23:51:41 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax; Secure
cache-control: max-age=14400
expires: Tue, 21 Jan 2020 23:48:16 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-cache: Error from cloudfront
via: 1.1 dcb42c70bda10759ea456b517bba08fb.cloudfront.net (CloudFront)
x-amz-cf-pop: SIN5-C1
x-amz-cf-id: hDUCbQRQOy4zDoFLvLbPx2OjvLxfBpu7Axkzz4SNI6TVcN3BD9ccYw==
cf-cache-status: EXPIRED
server: cloudflare
cf-ray: 558d32942d39dcbe-SIN

I increased your trust level so you won’t hit that permissions issue again. Sorry about that.

Cheers, thanks. Cleaned up the post.

So, I do not see the issue when requesting a resource over the ‘www’ subdomain (the original post is about my ‘cdn’ subdomain). Both are proxied CNAMEs, but point to different locations: www points to Heroku; cdn points to Amazon CloudFront (I know, a bit redundant; it is what it is for now).

I think it’s odd because both www and cdn should be subject to the same firewall rules, and “error code 1020” is a Cloudflare firewall error code. So, if one has an error and the other does not, that would seem to point to the origin location.

Additionally, if I request the resource directly from CloudFront, I don’t get an error. So… maybe it has something to do with the Cloudflare data center in Singapore (see the CF Ray ID above) requesting the resource from Amazon CloudFront. But I can find no information regarding an Amazon CloudFront error 1020. It just doesn’t seem to be a thing.
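One way to settle the “which hop produced the 403” question raised by the `curl -I` output in the first post and by the CloudFront hypothesis in the last one is to look at which headers the response carries. A firewall rule that matches at the Cloudflare edge is answered by Cloudflare itself and never contacts the origin, so such a response has Cloudflare's own headers (`server`, `cf-ray`) but nothing from the origin; a 403 that also carries CloudFront's `via` / `x-amz-cf-*` headers has travelled through CloudFront, so the origin side of the chain was involved. The script below is an added example for this thread, not code from Cloudflare, AWS or the poster. Its first sample is built from the headers posted above (cookie dropped); the second, an edge-decided block with a hypothetical ray ID, is constructed for contrast.

```python
"""Classify a 403 from a Cloudflare-proxied host by the headers it carries.

Added example for this thread; not code from Cloudflare, AWS or the poster.
The samples are constructed: CDN_RESPONSE copies the `curl -I` output from
the first post (cookie dropped), EDGE_BLOCK_RESPONSE is a hypothetical
response for a block decided at the Cloudflare edge.
"""
from typing import Dict, Optional, Tuple

# Constructed sample 1: the thread's `curl -I` headers, cookie omitted.
CDN_RESPONSE = """\
HTTP/2 403
date: Tue, 21 Jan 2020 23:51:41 GMT
content-type: text/plain; charset=UTF-8
cache-control: max-age=14400
x-cache: Error from cloudfront
via: 1.1 dcb42c70bda10759ea456b517bba08fb.cloudfront.net (CloudFront)
x-amz-cf-pop: SIN5-C1
cf-cache-status: EXPIRED
server: cloudflare
cf-ray: 558d32942d39dcbe-SIN
"""

# Constructed sample 2: a block decided at the Cloudflare edge (hypothetical
# ray ID). No origin headers, because the origin was never asked.
EDGE_BLOCK_RESPONSE = """\
HTTP/2 403
date: Tue, 21 Jan 2020 23:51:41 GMT
content-type: text/plain; charset=UTF-8
server: cloudflare
cf-ray: 0000000000000000-SIN
"""

# Headers CloudFront adds to responses it serves.
CLOUDFRONT_HEADERS = ("x-amz-cf-pop", "x-amz-cf-id")


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse `curl -I` style output into (status code, lower-cased header map)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/2 403" -> 403
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def ray_colo(headers: Dict[str, str]) -> Optional[str]:
    """The data-center code is the suffix after the dash in cf-ray."""
    ray = headers.get("cf-ray", "")
    return ray.rsplit("-", 1)[1] if "-" in ray else None


def classify(raw: str) -> Dict[str, object]:
    """Decide whether a 403 was produced at the Cloudflare edge or behind it."""
    status, headers = parse_head(raw)
    via = headers.get("via", "").lower()
    through_cloudfront = "cloudfront" in via or any(h in headers for h in CLOUDFRONT_HEADERS)
    cloudfront_error = headers.get("x-cache", "").lower().startswith("error from cloudfront")

    if status != 403:
        verdict = "not-a-403"
    elif not through_cloudfront:
        verdict = "blocked-at-cloudflare-edge"     # origin never contacted
    elif cloudfront_error:
        verdict = "error-produced-by-cloudfront"   # CloudFront itself answered 403
    else:
        verdict = "origin-403-relayed-by-cloudflare"

    return {
        "status": status,
        "colo": ray_colo(headers),
        "through_cloudfront": through_cloudfront,
        "cloudfront_error": cloudfront_error,
        "cf_cache_status": headers.get("cf-cache-status"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("cdn", CDN_RESPONSE), ("edge-block", EDGE_BLOCK_RESPONSE)):
        print(label, classify(sample))
```

Run it on a real `curl -I` capture (paste the output in place of `CDN_RESPONSE`) and the verdict tells you which side of the proxy chain to investigate: an edge block points at the firewall rule, while a response that carries `x-cache`, `via` and `x-amz-cf-pop` from CloudFront was produced on the origin side, which is the reading the posted headers support. The `cf_cache_status` field is reported as-is so you can see whether a cached copy was involved.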