Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
If you need to control access from IP addresses in a specific region, you can configure a geolocation access control rule. WAF blocks or allows access from IP addresses in a specific region. A geolocation access control rule allows you to allow or block requests from IP addresses from specified countries or regions.
To allow only the IP addresses in a certain region to access the protected website, configure a rule by referring to Configuration Example: Allowing Only IP Addresses from a Specified Location.
Prerequisites
- You have connected a website to WAF.
- You have created a policy and added the domain name to it. For details, see Creating a Protection Policy and Adding a Domain Name to a Policy.
- If you use a dedicated WAF instance, make sure it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.
Constraints
- This function is not supported in the standard edition.
- If you are using dedicated WAF instances, upgrade them to the latest version and add IPv6 addresses for IP Address Range, or the settings cannot work.
- When you add a website through Cloud Mode - Load balancer and set Frontend Protocol of the listener of your ELB load balancer to TCP, UDP, or QUIC, this type of rule does not take effect.
- One region can be configured in only one geolocation access control rule. For example, if you have blocked requests from Shanghai with a geolocation access control rule, then Shanghai cannot be added to other geolocation access control rules.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
Configuring a Geolocation Access Control Rule
- Log in to the WAF console.
- Click
in the upper left corner and select a region or project. - (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
- In the navigation pane on the left, click Policies.
- Click the name of the target policy to go to the protection rule configuration page.
Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.
- Click the Geolocation Access Control configuration area and ensure that the geolocation access control protection is enabled.
: enabled. - In the upper left corner above the Geolocation Access Control list, click Add Rule.
- In the dialog box displayed, add a geolocation access control rule.
Table 1 Rule parameters Parameter
Description
Example Value
Rule Name
Name of the geolocation control rule.
-
Rule Description (Optional)
A brief description of the rule.
waf
Geolocation
Geographical location of IP addresses that can access your website. Locations are classified into China and Outside China.
A geographical location cannot be added to multiple protection policies.
China: Shanghai
IP Address Range
IP address range for the rule. You can select IPv4, IPv6, or Any (IPv4 and IPv6).
NOTE:If you are using dedicated WAF instances, upgrade them to the latest version and add IPv6 addresses for IP Address Range, or the settings cannot work.
IPv4
Protective Action
Protective action for the rule when a request matches the rule.- Block: The IP addresses from the specified geographical locations will be blocked, and a block response page will be returned to the client that initiates the request.
By default, WAF uses a unified block response page. You can also customize this page.
- Allow: The IP addresses from the specified geographical locations will be allowed to access the website domain name.
- Log: The IP addresses from the specified geographical locations will not be blocked, but their accesses will be logged.
Block
- Block: The IP addresses from the specified geographical locations will be blocked, and a block response page will be returned to the client that initiates the request.
- Click OK. You can then view the added rule in the list of the geolocation access control rules.
After completing the preceding configurations, you can:
- Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
- Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
- Verify the protection effect:
- Clear the browser cache. Then, use an IP address from Shanghai to access the http://www.example.com page. If WAF blocks the access request from the IP address and returns the block page, the rule works.
- On the Events page, check the protection logs.
Configuration Example: Allowing Only IP Addresses from a Specified Location
If you want to allow only IP addresses from Shanghai to access the domain name, configure a rule as follows:
If IP addresses from Shanghai are allowed to access the domain name, requests from these IP addresses will bypass all access control rules with priorities lower than geolocation access control rules and be forwarded to the origin server. To prevent this issue, you are advised to block all requests from regions other than Shanghai. For the check sequence of protection rules, see Table 1.
- Add a geolocation access control rule, select all geographical locations except Shanghai, and set Protective Action to Block.
- Enable geolocation access control.
Figure 1 Geolocation Access Control configuration area
- Configure a precise protection rule to block all requests.
Figure 2 Blocking all access requests
For details, see Configuring Custom Precise Protection Rules.
- Clear the browser cache and access http://www.example.com.
When an access request from IP addresses outside Shanghai accesses the page, WAF blocks the access request.
Figure 3 Block page
- Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page. You will see that all requests not from Shanghai have been blocked.
Configuration Example: Blocking IP Addresses from a Specified Location
If you want to block all IP addresses from Beijing, configure a rule as follows:
- Add a geolocation access control rule: Select Beijing for Geolocation and Block for Protective Action.
- Enable geolocation access control.
Figure 4 Geolocation Access Control configuration area
- Clear the browser cache and access http://www.example.com.
When an access request from IP addresses inside Beijing accesses the page, WAF blocks the access request.
Figure 5 Block page
- Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.
Figure 6 Viewing events - blocking access requests from IP addresses in a region
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
