Trying to limit access to MOST subdomains to a single country. Is this config ok?

What is the name of the domain?

mydomain.com

What is the issue you’re encountering

I’m unable to restrict access to a specific country

What steps have you taken to resolve the issue?

So I’m trying to set up WAF rules to limit access to all but two of my subdomains to a specific country. In other words, I only want two subdomains to be accessible globally. Everything else should be limited to my country of residence (Japan). I set it up like this:

(http.host ne "subdomain1.mydomain.com") or (http.host ne "subdomain2.mydomain.com" and ip.geoip.country ne "JP")

But my friends in the States and Europe are still able to access mydomain dot com, as well as my subdomains. How would I go about restricting access to everything besides those two specific subdomains? I’d appreciate any advice/help/suggestions.

Screenshot of the error

Change the “or” to an “and”.

2 Likes

Thank you for trying to help!

I changed the OR to AND, but it still doesn’t work. My friend in the US was still able to access subdomain3.mydomain.com

Did you try running their request through Rule Tracer with Geolocation set to US?

2 Likes

Thank you for that link! The tracer worked fine with geo set to US or other countries besides Japan (403 Access Denied) … maybe my friend’s device had DNS cached for my domain and some of my subdomains.

Anyway, it seems to be working, so thank you for your help. Now I just have to figure out how to send people to google.com instead of getting a generic 403 …

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

You can use the same filter to deploy a redirect rule to any target destination of your choice, including google.com. :wink:

1 Like

Wow, that’s perfect - thank you!!! Would you mind testing this for me? I think it’s set up correctly, but I’d just like to make sure.

Does https://hammcloud.com redirect to Google?
And does https://link.hammcloud.com/cloudfare still work, directing to this page?

You need to orange-cloud the DNS record for Cloudflare products to work. :wink:

Once this is done, you will see the redirect:

% curl -svo /dev/null https://hammcloud.com/ --connect-to ::104.21.48.164
...
< HTTP/2 301 
< date: Mon, 02 Sep 2024 11:16:27 GMT
< content-type: text/html
< content-length: 167
< location: http://www.google.com
< cache-control: max-age=3600
< expires: Mon, 02 Sep 2024 12:16:27 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SCZ3yTjYGI1%2FS1qkUMCp%2F%2FTyfyho7xaLwHlJQvNeZH9jV1ED7LkBhU14Xgbn7i%2Bu7dvUNIiaq%2FU%2BMYt4iE1lTdViaTV8BQ9%2BJHTWP9jRNgc5Otlq8%2FEw95wMIM%2B7p%2BBG"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8bcd1687bf3963bf-LHR
< 
{ [167 bytes data]
* Connection #0 to host 104.21.48.164 left intact

2 Likes

Thank you! I never "orange-clouded" any DNS records because I got redirect errors; after Googling I found that I just had to change the SSL/TLS settings on all of my domains from Flexible to Full (Strict). After doing that, I’m able to use proxied DNS and, in turn, my routing rules. Thank you so much for your help!

2 Likes
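The two points raised in this thread (the `or`/`and` mix-up in the WAF expression, and the rule having no effect on DNS records that are not proxied) can be checked offline with a small model of the rule. This is an added example, not code from the thread or from Cloudflare; the hostnames, the `proxied` flag and the `intended_policy` function are assumptions that stand in for the real dashboard settings.

```python
# Model of the custom WAF rule discussed above. A rule returning True means
# "the expression matched, so the configured action (block) fires".
HOME_COUNTRY = "JP"
GLOBAL_HOSTS = {"subdomain1.mydomain.com", "subdomain2.mydomain.com"}

def original_rule(host: str, country: str) -> bool:
    """Expression as first posted: the two clauses are joined with 'or'."""
    return (host != "subdomain1.mydomain.com") or (
        host != "subdomain2.mydomain.com" and country != HOME_COUNTRY
    )

def corrected_rule(host: str, country: str) -> bool:
    """Same expression with 'or' replaced by 'and', as suggested in the reply."""
    return (host != "subdomain1.mydomain.com") and (
        host != "subdomain2.mydomain.com" and country != HOME_COUNTRY
    )

def intended_policy(host: str, country: str) -> bool:
    """What the poster wants: block everything that is neither a global
    subdomain nor a request from the home country (assumed reading)."""
    return host not in GLOBAL_HOSTS and country != HOME_COUNTRY

def waf_decision(rule, host: str, country: str, proxied: bool) -> str:
    """Cloudflare only evaluates WAF rules on traffic that passes through its
    proxy. A grey-clouded (unproxied) record bypasses the rule entirely."""
    if not proxied:
        return "pass"
    return "block" if rule(host, country) else "pass"

def mismatches(rule):
    """Return every (host, country) pair where the rule disagrees with the
    intended policy. Sample hosts are constructed for this example."""
    hosts = ("subdomain1.mydomain.com", "subdomain2.mydomain.com",
             "subdomain3.mydomain.com", "mydomain.com")
    return [(h, c) for h in hosts for c in ("JP", "US")
            if rule(h, c) != intended_policy(h, c)]

if __name__ == "__main__":
    print("original rule disagrees on:", mismatches(original_rule))
    print("corrected rule disagrees on:", mismatches(corrected_rule))
    # The unproxied case reproduces what the poster saw: a US visitor to
    # subdomain3 was never blocked, because the WAF never saw the request.
    print(waf_decision(corrected_rule, "subdomain3.mydomain.com", "US", proxied=False))
    print(waf_decision(corrected_rule, "subdomain3.mydomain.com", "US", proxied=True))
```

Running it shows that the `or` form disagrees with the intended policy on five of the eight sample cases, the `and` form on none, and that a correct rule still passes everything while the record is unproxied.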

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.