Which do I prefer, my Nginx or Cloudflare?

I use my Nginx and have Japan allowed, US allowed, and others blocked.

In Cloudflare’s WAF settings, I allow Japan, allow US bots, and block others.

In this case,

Which do I prefer, my Nginx or Cloudflare?

Cloudflare traffic is zero all the time.

Can I block countries other than Japan even if I remove my Nginx settings?

Yes, but keep in mind that anyone could try to establish a connection from a country you’ve blocked at Cloudflare with Firewall Rules by going directly to the origin IP address (aside from HTTPS at Cloudflare, where they’d get the 1020 blocked page, access denied) - if they know it, except you only.

However, using cloudflared tunnel and limiting to allow only Cloudflare IPs to connect to your origin server, you’d be in a better position, if so.

One thing coming to my mind is Imunify360. If you have it installed at your origin host/server and choose to block some XYZ countries, they can’t even establish a connection to your origin host. That is exactly the way to block countries in your iptables, for example, and not only on your websites via HTTP(S).

Not sure what you are using, but I’ve used the GeoIP database with Nginx, with which I limited access to some parts of my origin host for specific countries, as particular apps are in use (although those blocked countries could still establish a connection, as they weren’t blocked in iptables).

I use my Nginx configuration to allow Japan, allow America, and block others.

In Cloudflare’s WAF settings, I allow Japan, allow US bots, and block others.

Which setting takes precedence in this case?

Cloudflare traffic is zero all the time.

Is it okay to remove my Nginx configuration?

Are your DNS records :grey: or :orange:? If your records are all :orange: then you can remove nginx blocking provided you have secured your origin.

If your DNS records are :orange: then Cloudflare settings take precedence as the traffic is filtered by Cloudflare before it reaches your server. If they are :grey: then you are not using Cloudflare settings at all.

Is there a way to get the effect of both my Nginx and Cloudflare?

When your DNS records are :orange: you are getting both. The traffic is going through Cloudflare, requests will be filtered out then the allowed ones will be sent to your server where the nginx config will filter out some more.

My DNS records are :orange:
But in Cloudflare’s WAF settings, “Block other than Japan” is not used.
Why?

What do you mean? In the screenshot, your first rule has 6k hits in the last 24 hours.


①(ip.geoip.country ne “JP” and ip.geoip.country ne “US”)
②(ip.geoip.country eq “US” and not cf.client.bot)
③ (ip.geoip.country eq “JP”) ←Set to confirm the number
④ (cf.client.bot) ←Set to confirm numbers

Now only 4 is used.

Previously, when I had the same settings, ① was used a lot. (without Nginx)
Now only 4 is used.

>>>What do you mean? In the screenshot, your first rule has 6k hits in the last 24 hours.

That time was (without Nginx).

Once there is an Allow action, then Cloudflare is no longer checking other Firewall rules.

For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.
There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within firewall rules.

What are the actions set for the firewall rules? Open a firewall activity and see what rule allowed the request.


>>>>However, using cloudflared tunnel and limiting to allow only Cloudflare IPs to connect to your origin server, you’d be in a better position, if so.

How do I set it up?

I have the same setup.
But now only 4 applies.

Right now I’m using my Nginx and I have Japan allowed, US allowed and other blocked.

Is this the reason?

Cloudflare fires first. It is a proxy. If you want unique or more restrictive rules on your origin great. But if they are blocked by Cloudflare first your origin rules can’t apply.

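An added example, not posted by anyone in this thread, that models the three points the replies make: Cloudflare evaluates its firewall rules in order and the first Allow or Block terminates evaluation (Log does not), proxied requests only reach the origin after that decision, so the origin’s nginx country list cannot change Cloudflare’s hit counts, and a request sent straight to the origin IP skips Cloudflare entirely unless the origin only accepts connections from Cloudflare’s ranges. The four rule expressions are the ones listed above; the Allow/Block actions assigned to them, the sample requests, and the IP ranges (documentation prefixes standing in for Cloudflare’s published list) are all constructed assumptions.

```python
"""Simplified model: Cloudflare firewall rules in front of an nginx geo allow list.
Rule actions, IP ranges and sample requests are constructed assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# As the thread states: an Allow or Block ends evaluation, Log and Bypass do not.
TERMINATING = {"allow", "block"}


@dataclass
class Request:
    country: str
    is_bot: bool
    source_ip: str        # address the origin sees the TCP connection coming from
    via_cloudflare: bool  # True when the request arrived through the proxy


@dataclass
class Rule:
    name: str
    action: str
    matches: callable


# The four expressions from the thread, with ASSUMED actions (the thread never states them).
CF_RULES = [
    Rule("① non-JP/US", "block", lambda r: r.country not in ("JP", "US")),
    Rule("② US non-bot", "block", lambda r: r.country == "US" and not r.is_bot),
    Rule("③ JP", "allow", lambda r: r.country == "JP"),
    Rule("④ bot", "allow", lambda r: r.is_bot),
]


def evaluate_cloudflare(req, rules, hits):
    """Return 'allow' or 'block'; every matching rule up to the terminating one counts a hit."""
    for rule in rules:
        if rule.matches(req):
            hits[rule.name] += 1
            if rule.action in TERMINATING:
                return rule.action
    return "allow"  # nothing terminating matched: request goes through


# Constructed stand-in for Cloudflare's proxy ranges (the real list is published at
# https://www.cloudflare.com/ips-v4 and /ips-v6); these are documentation prefixes.
CF_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
ORIGIN_ALLOWED_COUNTRIES = {"JP", "US"}  # the nginx allow list described in the thread


def origin_accepts(req, restrict_to_cloudflare):
    """Origin-side decision: optional Cloudflare-IP-only gate, then the nginx geo list."""
    if restrict_to_cloudflare:
        src = ipaddress.ip_address(req.source_ip)
        if not any(src in net for net in CF_RANGES):
            return False  # direct-to-origin connection, dropped before nginx geo logic
    return req.country in ORIGIN_ALLOWED_COUNTRIES


def process(requests, restrict_to_cloudflare=False, rules=CF_RULES):
    """Run each request through Cloudflare first (if proxied), then through the origin.
    Returns (per-rule hit counts, outcome per request index)."""
    hits = Counter()
    outcome = {}
    for i, req in enumerate(requests):
        if req.via_cloudflare and evaluate_cloudflare(req, rules, hits) == "block":
            outcome[i] = "blocked at cloudflare"  # nginx never sees this request
            continue
        served = origin_accepts(req, restrict_to_cloudflare)
        outcome[i] = "served" if served else "blocked at origin"
    return hits, outcome


# Constructed sample traffic.
SAMPLE = [
    Request("JP", False, "192.0.2.10", True),       # proxied JP visitor: ③ allows
    Request("US", True, "192.0.2.11", True),        # proxied US bot: ④ allows
    Request("US", False, "192.0.2.12", True),       # proxied US non-bot: ② blocks
    Request("DE", False, "192.0.2.13", True),       # proxied DE visitor: ① blocks
    Request("DE", False, "198.51.100.7", False),    # straight to the origin IP
    Request("JP", False, "198.51.100.8", False),    # straight to the origin IP
]

if __name__ == "__main__":
    for restrict in (False, True):
        hits, outcome = process(SAMPLE, restrict_to_cloudflare=restrict)
        print(f"origin restricted to Cloudflare IPs: {restrict}")
        print("  rule hits:", dict(hits))
        print("  outcomes: ", outcome)
```

Running it shows the same per-rule hit counts whether or not the origin is locked down, because the nginx list only ever sees requests Cloudflare already allowed; the only request whose fate changes is the direct-to-origin JP one, which nginx’s country list would serve but a Cloudflare-IPs-only origin rejects.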
