pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-08 05:56:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a2ff2a118a3b3cb516b00a9c14c08edafc832947
docs-v2/manage/geoblocking.mdx
Owen d9b8d03512 Add youtube videos!
2025-08-28 15:39:17 -07:00

94 lines
3.6 KiB
Plaintext
Raw Blame History

---
title: "Geo Blocking"
description: "Configure geo blocking to restrict access based on geographic location"
---
<Note>
Geo blocking is only available for targets created with managed nodes or in the cloud because we need to host services to resolve IP addresses and evolve it quickly as network change.
Fully self hosted users can install a [Traefik plugin](/self-host/community-guides/geoblock) for geo blocking support.
</Note>
<iframe
className="w-full aspect-video rounded-xl"
src="https://www.youtube.com/embed/_2EheKVUYxI"
title="YouTube video player"
frameBorder="0"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowFullScreen
></iframe>
## Benefits of Geo Blocking
Geo blocking provides several important security and compliance advantages:
### Security Benefits
- **Reduce Attack Surface**: Block access from regions with high levels of malicious activity or where you don't expect legitimate users
- **Prevent Unauthorized Access**: Limit exposure to threat actors operating from specific geographic locations
- **Compliance Requirements**: Meet regulatory requirements that restrict data access based on geographic location
- **Resource Protection**: Prevent unnecessary load on your services from regions where you don't operate
## Implementing Geo Blocking with Bypass Rules
Geo blocking in Pangolin is implemented using [bypass rules](/manage/access-control/rules) with country-based matching. You can create rules that either allow or deny access based on the visitor's country.
<Frame caption="Screenshot of resources rules from the Pangolin Dashboard.">
<img src="/images/country_rules.png" alt="Pangolin Dashboard"/>
</Frame>
### Setting Up Geo Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **Country** as the match type
3. Choose your rule action:
- **Allow**: Bypass authentication for users from specific countries
- **Deny**: Block all access from specific countries
- **Pass to Auth**: Let users from specific countries proceed to authentication
### Common Geo Blocking Patterns
#### Allow Only Specific Countries
Create a "Deny" rule that blocks all countries except those you want to allow:
1. Create a **Deny** rule
2. Select **Country** match type
3. Choose "ALL" to match all countries
4. Add priority: 100 (lower priority)
Then create specific allow rules for your approved countries:
1. Create **Allow** rules for each approved country
2. Set higher priority (e.g., 10, 20, 30) so they process first
#### Block Specific High-Risk Countries
Create targeted deny rules for specific countries while allowing all others:
1. Create **Deny** rules for each country you want to block
2. Select the specific countries from the dropdown
3. Set appropriate priorities
#### Regional Access Control
Combine geo blocking with other rule types for sophisticated access control:
1. **Path + Country**: Block admin paths (`/admin/*`) from all countries except your headquarters
2. **IP + Country**: Allow specific IPs from restricted countries (for VPN users or partners)
3. **CIDR + Country**: Combine network-based and geography-based restrictions
### Best Practices
<Warning>
IP geolocation is not always 100% accurate. Users with VPNs, proxies, or mobile networks may appear to be from different countries than expected.
</Warning>
### Rule Priority Example
```
Priority 1: Allow - Country: United States
Priority 2: Allow - Country: Canada
Priority 3: Allow - Country: United Kingdom
Priority 4: Deny - Country: ALL
```
This configuration allows access only from the US, Canada, and UK while blocking all other countries.
Reference in New Issue View Git Blame Copy Permalink