Limiting Cloudflare Geolocation

#1

We have a Geo-location filter in place to limit the access to our website, but after using the Cloudflare service our Geo-location filters are blocking legitimate requests to the website even though they are coming from allowed Geo-locations.
After investigation, we noticed that Cloudflare addresses (which are leading the client’s connection to our website) are coming from Geo-locations blocked by our filters.
How can we limit the usage of Cloudflare addresses to certain Geo-locations only and not use all Cloudflare base servers?

#2

First, you need to rewrite the IP address from the connection’s actual address (Cloudflare) to the client’s original address.

Second, you need to describe what you have in place and what you configured. What is that filter? Post screenshots and examples and be technically as detailed as possible.

#3

Your geolocation filter relies on the client IP, but as a website using Cloudflare all requests come from CF servers. CF adds some headers to requests which you can use to retrieve the actual client IP:

CF-Connecting-IP

To provide the client (visitor) IP address for every request to the origin, Cloudflare adds the CF-Connecting-IP header.

“CF-Connecting-IP: A.B.C.D”

Where A.B.C.D is the client’s IP address, also known as the original visitor IP address.

Also, on an Enterprise CF plan you can block by country code.

#4

Thank you Sandro for your prompt reply.
The Geo-location filter I am talking about is embedded within an F5 appliance, which is doing the blocking automatically for disallowed Geo-locations.
I am not able to change the way Geo-location is filtered, which is why I am asking about the possibility of limiting the IP addresses/locations from which Cloudflare is redirecting the client connection.

#5

Cloudflare is not redirecting but proxying. If the proxy addresses are an issue for you, your only option will be to unproxy your records by switching the record from :orange: to :grey:. But this will also reveal your IP address and you won’t be able to use most of Cloudflare’s security and performance features.

#6

Thank you Xaq, yes, we are receiving the client IP and the CF-Connecting-IP header, but the Geolocation Filter is considering only the CF header IP.

#7

You are right Sandro, I have already tested this option, but as you have mentioned, I will lose CF’s protection in this case.
Is there an option to limit the CF connecting IP addresses for a certain A record?

#8

Are you referring to the Cloudflare proxies?

#9

Yes, I mean Cloudflare proxies.

#10

There is no way to limit these I am afraid. Requests will be sent over the datacentre closest to your visitors.

#11

I am thinking about another solution. Will it be possible to have all proxies’ IP addresses used in my appliance whitelist?

#12

That is something you need to clarify with whomever supports your device. The full list of addresses is at https://www.cloudflare.com/ips/

#13

These are subnets. Is it confirmed that all the IPs within the subnets are Cloudflare’s?

#14

I would take this list pretty much as confirmation. If you need anything else you’d really have to contact support.

#15

Thank you Sandro for your time. But I cannot find any way to contact support other than through this community. Is there a phone number or email that I can use to contact them directly?

#16

https://support.cloudflare.com/requests/new

#17

After referring to support, they provided me with this link to restore the client’s original IP at the level of the web server to solve the issue:
https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

Many thanks

#18

That was what I mentioned in my very first response; however, that won’t solve your presumable issue of having certain Cloudflare addresses blocked.
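The two suggestions from posts #3 and #12 combined, as an added example that is not part of the original thread: evaluate the geolocation rule against CF-Connecting-IP only when the connection itself arrives from a listed proxy range, and against the TCP peer address otherwise. The function names, the proxy ranges (documentation address space standing in for the list at https://www.cloudflare.com/ips/) and the country table are constructed for illustration.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). In production,
# load the current list from https://www.cloudflare.com/ips/ instead.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Constructed stand-in for a GeoIP database: network -> country code.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "BB",  # where the proxy happens to sit
    ipaddress.ip_network("203.0.113.0/24"): "AA",   # visitors in an allowed location
    ipaddress.ip_network("192.0.2.0/24"): "BB",     # visitors in a blocked location
}
ALLOWED_COUNTRIES = {"AA"}


def is_trusted_proxy(peer_ip):
    """True when the TCP peer address is inside a listed proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in PROXY_RANGES)


def visitor_ip(peer_ip, headers):
    """Return the address the geolocation filter should evaluate."""
    if not is_trusted_proxy(peer_ip):
        # Direct connection: any CF-Connecting-IP header is client-supplied.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        return str(ipaddress.ip_address(lowered.get("cf-connecting-ip", "").strip()))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


def country_of(ip):
    """Look up the constructed country code for an address, or None."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), None)


def geo_allowed(peer_ip, headers):
    """Apply the allow-list to the restored visitor address."""
    return country_of(visitor_ip(peer_ip, headers)) in ALLOWED_COUNTRIES
```

A filter that looks only at the peer address sees the proxy's location ("BB" here) for every proxied visitor, which is the false blocking described in post #1.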
