pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-08 05:56:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
26ec1555d1ed173f4fe2a863d8a055b8455de0b3
docs-v2/manage/geoblocking.mdx
miloschwartz b7c3f45901 clean up for 1.11
2025-10-14 17:07:58 -07:00

92 lines
3.5 KiB
Plaintext
Raw Blame History

---
title: "Geo-blocking"
description: "Configure geo blocking to restrict access based on geographic location"
---
<Note>
Geoblocking is available in Pangolin community! Make sure to follow this guide for how to enable: [Enabling Geo Blocking](/self-host/advanced/enable-geoblocking)
</Note>
<iframe
className="w-full aspect-video rounded-xl"
src="https://www.youtube.com/embed/_2EheKVUYxI"
title="YouTube video player"
frameBorder="0"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowFullScreen
></iframe>
## Benefits of Geo Blocking
Geo blocking provides several important security and compliance advantages:
### Security Benefits
- **Reduce Attack Surface**: Block access from regions with high levels of malicious activity or where you don't expect legitimate users
- **Prevent Unauthorized Access**: Limit exposure to threat actors operating from specific geographic locations
- **Compliance Requirements**: Meet regulatory requirements that restrict data access based on geographic location
- **Resource Protection**: Prevent unnecessary load on your services from regions where you don't operate
## Implementing Geo Blocking with Bypass Rules
Geo blocking in Pangolin is implemented using [bypass rules](/manage/access-control/rules) with country-based matching. You can create rules that either allow or deny access based on the visitor's country.
<Frame caption="Screenshot of resources rules from the Pangolin Dashboard.">
<img src="/images/country_rules.png" alt="Pangolin Dashboard"/>
</Frame>
### Setting Up Geo Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **Country** as the match type
3. Choose your rule action:
- **Allow**: Bypass authentication for users from specific countries
- **Deny**: Block all access from specific countries
- **Pass to Auth**: Let users from specific countries proceed to authentication
### Common Geo Blocking Patterns
#### Allow Only Specific Countries
Create a "Deny" rule that blocks all countries except those you want to allow:
1. Create a **Deny** rule
2. Select **Country** match type
3. Choose "ALL" to match all countries
4. Add priority: 100 (lower priority)
Then create specific allow rules for your approved countries:
1. Create **Allow** rules for each approved country
2. Set higher priority (e.g., 10, 20, 30) so they process first
#### Block Specific High-Risk Countries
Create targeted deny rules for specific countries while allowing all others:
1. Create **Deny** rules for each country you want to block
2. Select the specific countries from the dropdown
3. Set appropriate priorities
#### Regional Access Control
Combine geo blocking with other rule types for sophisticated access control:
1. **Path + Country**: Block admin paths (`/admin/*`) from all countries except your headquarters
2. **IP + Country**: Allow specific IPs from restricted countries (for VPN users or partners)
3. **CIDR + Country**: Combine network-based and geography-based restrictions
### Best Practices
<Warning>
IP geolocation is not always 100% accurate. Users with VPNs, proxies, or mobile networks may appear to be from different countries than expected.
</Warning>
### Rule Priority Example
```
Priority 1: Allow - Country: United States
Priority 2: Allow - Country: Canada
Priority 3: Allow - Country: United Kingdom
Priority 4: Deny - Country: ALL
```
This configuration allows access only from the US, Canada, and UK while blocking all other countries.
Reference in New Issue View Git Blame Copy Permalink