Blocking or Allowing entire countries in Cloudflare
Blocking Entire Countries with Cloudflare Geoblocking
Yes—Cloudflare can block (or challenge) all traffic from a selected country. Here’s how to do it safely, with alternatives and automation tips.
What Is Geoblocking?
Geoblocking uses the visitor’s IP geolocation (Cloudflare’s CF-IPCountry) to take an action—such as Block, Challenge (CAPTCHA), or JS Challenge—for traffic coming from one or more countries.
| Action | Typical Use Case |
|---|---|
| Block | Fully deny traffic from specified countries. |
| Challenge | Allow only human traffic to pass via CAPTCHA. |
| JS Challenge | Mitigate bots with a background browser check. |
Heads-up: Country blocks affect all users in those regions, including legitimate ones. If possible, scope rules to admin areas or risky endpoints rather than your entire site.
Option A: Set It Up in the Cloudflare Dashboard
- Open your zone in the Cloudflare dashboard.
- Navigate to Security → WAF → Firewall Rules.
- Click Create rule.
- Add a descriptive name (e.g., Block CN & RU (Global)).
- In the expression builder, choose:
  - Field: ip.geoip.country
  - Operator: in
  - Value: pick countries (e.g., CN, RU)
- Set the Action to Block (or Challenge/JS Challenge).
- Save and deploy.
Example Firewall Expression
(ip.geoip.country in {"CN" "RU" "KP"})
Scope to critical paths: To protect sign-in or admin areas without blocking the full site, combine conditions:
(ip.geoip.country in {"CN" "RU"}) and starts_with(http.request.uri.path, "/admin")
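A dry run of the two expressions above over a request sample shows how much signed-in traffic each one would block before the rule is deployed. This is an added example, not part of the original article; the sample log, the signed_in flag (used as a stand-in for legitimate users) and the function names are assumptions.

```python
# Added example: dry run of the page's two geoblock expressions.
# SAMPLE_LOG and the signed_in flag are constructed for illustration.
BLOCKED = {"CN", "RU"}     # countries from the page's example rule
ADMIN_PREFIX = "/admin"    # path prefix from the page's scoped rule
SPECIAL = {"XX", "T1"}     # Cloudflare codes: XX = unknown country, T1 = Tor

# (country code, request path, signed_in) -- constructed sample requests
SAMPLE_LOG = [
    ("CN", "/", False),
    ("CN", "/products/42", True),
    ("RU", "/admin/login", False),
    ("RU", "/administrator", False),  # also matches the "/admin" prefix
    ("US", "/admin/login", True),
    ("DE", "/", True),
    ("XX", "/admin/login", False),
    ("T1", "/admin/login", False),
]

def global_rule(country, path):
    # (ip.geoip.country in {"CN" "RU"})
    return country in BLOCKED

def scoped_rule(country, path):
    # same country test, limited to paths beginning with /admin
    return country in BLOCKED and path.startswith(ADMIN_PREFIX)

def dry_run(rule, log):
    """Count what `rule` would block without enforcing anything."""
    stats = {"total": len(log), "blocked": 0, "blocked_signed_in": 0,
             "special_unmatched": 0, "blocked_paths": []}
    for country, path, signed_in in log:
        if rule(country, path):
            stats["blocked"] += 1
            stats["blocked_signed_in"] += int(signed_in)
            stats["blocked_paths"].append(path)
        elif country in SPECIAL:
            # not matched by a list of ISO country codes; review separately
            stats["special_unmatched"] += 1
    return stats

if __name__ == "__main__":
    for name, rule in (("global", global_rule), ("scoped", scoped_rule)):
        print(name, dry_run(rule, SAMPLE_LOG))
```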
Account-Wide vs. Single Zone
If you administer multiple sites, you can either:
- Repeat the same Firewall Rule per zone, or
- Use IP Access Rules or Account-level WAF (available on certain plans) to apply country-based actions across all zones.
Option B: Automate with the Cloudflare API
Create a firewall rule via API for repeatable deployments or CI/CD.
1) Create a Filter