Geo-blocking at my firewall


#1

I know Cloudflare has rules for geo-blocking or geo-challenging. I’m looking at the option of geo-blocking at my own firewall in my datacenter. With the plan we’re on, the best we can do is geo-challenge. Looking at my firewall’s rules that allow traffic to our sites that are behind Cloudflare, if I also set up geo-blocking on those rules, would that mess anything up? My question comes because I know that it’s a large scope, a global network. If I’m looking to only allow visitors in the US to certain sites, will that mess up caching for US visitors because multiple countries come in and cache my site? I guess my bottom-line question is if I can only allow US visitors using my own firewall and not mess anything up for the US visitors to my site. Does the anycasting that Cloudflare does mess up being able to accurately tell which country the traffic is coming from?


#2

No replies, so I’ll throw in my assumption.

Cloudflare will always determine the visitor’s country to the best of CF’s ability. Considering that you have the option to add a CF header with the visitor’s originating country, they’re trying hard to provide data you can depend on:

Are you thinking that Cloudflare’s IP addresses that proxy requests to your server might muddle things up? You really need to be making decisions based upon Visitor IP.


#3

I am not confident that I won’t mess something up by blocking Cloudflare IPs that may be flagged in a different country. I don’t even know if they would, due to the anycasting they do, but if it did show up as a different country to my firewall, I’m not confident that I wouldn’t break access to the site for people in my own country. I am aware of their geolocation header, but the problem is that I can’t block HTTPS traffic at my firewall since that would be an encrypted header.
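
Added example, not part of the thread and not Cloudflare's code: for a proxied site, the origin firewall sees a Cloudflare proxy address as the source of every request, so the country decision has to be made where TLS is terminated (the web server or application), and the country header should only be trusted when the peer really is a Cloudflare proxy. The sketch below assumes the header name `CF-IPCountry`, embeds a small subset of Cloudflare's published IPv4 ranges, and uses constructed sample requests; `decide` and the other names are hypothetical.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, embedded so the example runs offline.
# Assumption: a real deployment loads the full current list from https://www.cloudflare.com/ips/
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "162.158.0.0/15",
)]

ALLOWED_COUNTRIES = {"US"}  # policy from the thread: US visitors only


def peer_is_cloudflare(peer_ip):
    """True if the TCP peer address falls inside a known Cloudflare range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)


def decide(peer_ip, headers):
    """Return (verdict, reason) for one request, evaluated after TLS termination."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not peer_is_cloudflare(peer_ip):
        # Direct-to-origin request: any CF-IPCountry value here was set by the client.
        return ("deny", "peer is not a Cloudflare proxy")
    country = hdrs.get("cf-ipcountry", "").strip().upper()
    if not country:
        return ("deny", "country header missing")
    if country in ALLOWED_COUNTRIES:
        return ("allow", "visitor country " + country)
    return ("deny", "visitor country " + country + " not allowed")


# Constructed sample requests: (peer address seen by the origin, request headers).
SAMPLES = [
    ("172.68.10.5", {"CF-IPCountry": "US"}),    # via Cloudflare, US visitor
    ("162.158.90.1", {"cf-ipcountry": "DE"}),   # via Cloudflare, non-US visitor
    ("203.0.113.7", {"CF-IPCountry": "US"}),    # bypasses Cloudflare, spoofed header
    ("104.18.2.9", {}),                         # via Cloudflare, header not enabled
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", decide(peer, hdrs))
```

At the network firewall, the matching rule is an allow-list of Cloudflare's ranges on the HTTPS port rather than a country filter, which keeps direct-to-origin requests from reaching the check at all.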