WAF: Block all requests except 1 country and some IP addresses

What is the domain name?

I would prefer to keep it private.

Have you searched for an answer?

Yes, but no query specifically matches mine of a single WAF rule to block all requests except for 1 country and some IP addresses (not in the same country).

The closest answer I got was:

But this isn’t what I want.

Please share your search results url:

https://community.cloudflare.com/search?q=block+all+requests+except+geo+and+IP

Describe the issue you are having:

Here is the WAF rule in text:

(http.request.full_uri contains "https://app.mysite.org/login/" 
and not ip.src in {IP1 IP2}) 
or (http.request.full_uri contains "https://app.mysite.org/login/" 
and not ip.geoip.country in {"US"})

Then: Block

The 2 whitelisted IPs allow me access to the URI but the geoIP blocking does not allow me (the firewall restriction pops up) when testing from a local IP address. The alternatives I tried were:

(http.request.full_uri contains "https://app.mysite.org/login/" 
and not ip.src in {IP1 IP2}) or (ip.geoip.country ne "US")

I also tested “is not in” too.

But this has the same firewall issue mentioned above.

What error message or number are you receiving?

Access denied Error code 1020

What steps have you taken to resolve the issue?

  1. Tested a few alternatives to the firewall rule, but I have no idea what the correct logic is for the firewall to:
     - BLOCK everything
     - EXCEPT
     - 2 IP addresses
     - AND 1 geoIP (which is not in the same country as the 2 IP addresses)

Was the site working with SSL prior to adding it to Cloudflare?

Not an SSL issue.

What are the steps to reproduce the error:

Use my WAF rule above via the dash.Cloudflare dashboard

Have you tried from another browser and/or incognito mode?

Yes. I also tried to purge the cache. No access from the geoIP.

This should do it:

(http.request.full_uri contains "https://app.mysite.org/login/" and ip.geoip.country ne "US" and not ip.src in {123.123.123.123 12.12.12.12})

If you’re getting blocked, take a look at the Firewall Events Activity Log to check which country and IP address show up in that request.

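To make the difference between the two expressions concrete, here is an added example (not part of the thread, and not Cloudflare's rule engine) that evaluates the OR form from the question and the AND form from the reply against a few constructed requests. It uses the two placeholder IPs from the reply as the allowlist and a minimal stand-in evaluator that only knows the three fields the thread relies on (request URI, source IP, country); the request records and their country values are made up for the demonstration.

```python
"""Added example, not from the original thread: compare how the OR-style rule
from the question and the AND-style rule from the reply decide the same
requests. The evaluator is a deliberately minimal stand-in for the real WAF
engine and covers only the three fields used in the thread."""
import ipaddress

# Allowlisted IPs: the placeholder addresses used in the reply.
ALLOWED_IPS = {
    ipaddress.ip_address("123.123.123.123"),
    ipaddress.ip_address("12.12.12.12"),
}
PROTECTED_URI = "https://app.mysite.org/login/"


def original_rule(req):
    """Rule as posted in the question: block when EITHER disjunct matches."""
    on_login = PROTECTED_URI in req["uri"]
    not_allowed_ip = ipaddress.ip_address(req["ip"]) not in ALLOWED_IPS
    not_us = req["country"] not in {"US"}
    return (on_login and not_allowed_ip) or (on_login and not_us)


def corrected_rule(req):
    """Rule from the reply: block only when ALL three conditions hold, so a
    request is let through if it is from the US OR from an allowlisted IP."""
    on_login = PROTECTED_URI in req["uri"]
    return (
        on_login
        and req["country"] != "US"
        and ipaddress.ip_address(req["ip"]) not in ALLOWED_IPS
    )


def decision(rule, req):
    """Map the boolean rule result to the WAF action the thread configures."""
    return "block" if rule(req) else "allow"


# Constructed sample requests (documentation-range IPs, invented countries).
SAMPLE_REQUESTS = [
    {"name": "US visitor, not allowlisted", "uri": PROTECTED_URI,
     "ip": "198.51.100.7", "country": "US"},
    {"name": "allowlisted IP outside US", "uri": PROTECTED_URI,
     "ip": "123.123.123.123", "country": "DE"},
    {"name": "non-US, non-allowlisted", "uri": PROTECTED_URI,
     "ip": "203.0.113.9", "country": "FR"},
    {"name": "non-US on a different path", "uri": "https://app.mysite.org/",
     "ip": "203.0.113.9", "country": "FR"},
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {request name: (original decision, corrected decision)}."""
    return {
        r["name"]: (decision(original_rule, r), decision(corrected_rule, r))
        for r in requests
    }


if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:30} original={orig:5} corrected={fixed}")
```

Running it shows why the OR form produces the 1020 the question describes: "block if not allowlisted OR not US" is only satisfied by a visitor who is both allowlisted and in the US, so everyone else on the login path is blocked. The AND form blocks only requests that fail both checks, which is the "everything except these IPs and this country" intent. When a rule still blocks unexpectedly, the Firewall Events log the reply points to is the place to confirm which country and source IP the engine actually saw for that request.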
