Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Constraints

• One region can be configured in only one geolocation access control rule. For example, if you have blocked requests from Singapore with a geolocation access control rule, then Singapore cannot be added to other geolocation access control rules.
• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Precautions

If you configure a regional access control rule in both EdgeSec and CDN, the rule in CDN is executed first.

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > Edge Security.
3. In the navigation pane on the left, choose Dashboard under Security Protection.
4. In the navigation pane on the left, choose Website Settings.
5. In the Policy column of the row containing the domain name, click the number to go to the Policies page.
   Figure 1 Website list
   

6. In the Geolocation Access Control configuration area, change Status if needed and click Customize Rule.
   Figure 2 Geolocation Access Control configuration area
   

7. In the upper left corner of the Geolocation Access Control page, click Add Rule.
8. In the displayed dialog box, specify the parameters by referring to Table 1.
   Figure 3 Adding a geolocation access control rule
   

   Table 1 Rule parameters

   Parameter	Description	Example Value
   Rule Name	Rule name you configured	-
   Rule Description	A brief description of the rule. This parameter is optional.	-
   Geolocation	Geographical location from which an IP address is originated	-
   Protective Action	Action EdgeSec will take if the rule is hit. You can select Block, Allow, or Log only.	Block

9. Click Confirm. You can then view the added rule in the list of the geolocation access control rules.
   • To modify a rule, click Modify in the row containing the rule.
   • To delete a rule, click Delete in the row containing the rule.

Configuration Example - Allowing Access Requests from IP Addresses in a Specified Region

Assume that domain name www.example.com has been connected to EdgeSec and you want to allow only IP addresses in Singapore, to access the domain name. Perform the following steps:

1. Add a geolocation access control rule: Select Singapore for Geolocation and select Allow for Protective Action.
   Figure 4 Add Geolocation Access Control Rule
   

2. Enable geolocation access control.
   Figure 5 Geolocation Access Control configuration area
   

3. Configure a precise protection rule to block all requests.
   Figure 6 Blocking all access requests
   

   For details, see Configuring a Precise Protection Rule.

4. Clear the browser cache and access http://www.example.com.

   When an access request from IP addresses outside Singapore accesses the page, EdgeSec blocks the access request. Figure 7 shows an example block page.

   Figure 7 Block page
   

5. Go to the EdgeSec console. In the navigation pane on the left, choose Events. View the event on the Events page. You will see that all requests not from Shanghai have been blocked.

Protection Effect

To verify EdgeSec is protecting your website (www.example.com) against a rule:

1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
   • If the website is inaccessible, connect the website domain name to EdgeSec by following the instructions in Adding a Website to EdgeSec.
   • If the website is accessible, go to 2.

2. Add a geolocation access control rule by referring to Procedure.
3. Clear the browser cache and access http://www.example.com. Normally, EdgeSec blocks such requests and returns the block page.