
Make ad blocking dns using Cloudflare Gateway Zero Trust

Block ads only for a specific location #44

Closed agneevX closed 1 month ago

agneevX commented 1 month ago

Hello,

Can the functionality of limiting this to specific locations be added?

This is already possible to some extent with firewall policies, but the firewall logic would need to be modified:

Screenshot
luxysiv commented 1 month ago

You can look at this to see for yourself:

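# Example "create Gateway rule" request against the Cloudflare API v4, as
# quoted from the API reference.  Values in ${...} are placeholders to be
# supplied from the environment; nothing here is a real credential or ID.
#
# Authentication: the original snippet sent an empty 'X-Auth-Email' header and
# no key at all, so the request could not have authenticated.  Prefer a scoped
# API token passed as a Bearer token (read from an environment variable) over
# the account-wide Global API Key (X-Auth-Email + X-Auth-Key), and keep the
# token out of committed files and shell history.
#
# Rule scoping: the only per-user selectors in this payload are
# "device_posture" and "identity"; neither restricts the rule to a Gateway
# location.  NOTE(review): a location selector for DNS policies is not shown
# here -- confirm against the current Gateway API documentation.
#
# Consistency: the sample sets "action" to "allow" while "description" and
# "block_reason" describe a block; use "block" for an ad-blocking rule.
# "time_zone" is an IANA zone name, which uses underscores ("America/New_York");
# the reference sample's "America/New York" is corrected below.
curl --request POST \
  --url "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/gateway/rules" \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer ${CF_API_TOKEN}" \
  --data '{
  "action": "allow",
  "description": "Block bad websites based on their host name.",
  "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
  "enabled": true,
  "filters": [
    "http"
  ],
  "identity": "any(identity.groups.name[*] in {\"finance\"})",
  "name": "block bad websites",
  "precedence": 0,
  "rule_settings": {
    "add_headers": {
      "My-Next-Header": [
        "foo",
        "bar"
      ],
      "X-Custom-Header-Name": [
        "somecustomvalue"
      ]
    },
    "allow_child_bypass": false,
    "audit_ssh": {
      "command_logging": false
    },
    "biso_admin_controls": {
      "dcp": false,
      "dd": false,
      "dk": false,
      "dp": false,
      "du": false
    },
    "block_page_enabled": true,
    "block_reason": "This website is a security risk",
    "bypass_parent_rule": false,
    "check_session": {
      "duration": "300s",
      "enforce": true
    },
    "dns_resolvers": {
      "ipv4": [
        {
          "ip": "2.2.2.2",
          "port": 5053,
          "route_through_private_network": true,
          "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
        }
      ],
      "ipv6": [
        {
          "ip": "2001:DB8::",
          "port": 5053,
          "route_through_private_network": true,
          "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
        }
      ]
    },
    "egress": {
      "ipv4": "192.0.2.2",
      "ipv4_fallback": "192.0.2.3",
      "ipv6": "2001:DB8::/64"
    },
    "ignore_cname_category_matches": true,
    "insecure_disable_dnssec_validation": false,
    "ip_categories": true,
    "ip_indicator_feeds": true,
    "l4override": {
      "ip": "1.1.1.1",
      "port": 0
    },
    "notification_settings": {
      "enabled": true,
      "msg": "string",
      "support_url": "string"
    },
    "override_host": "example.com",
    "override_ips": [
      "1.1.1.1",
      "2.2.2.2"
    ],
    "payload_log": {
      "enabled": true
    },
    "resolve_dns_through_cloudflare": true,
    "untrusted_cert": {
      "action": "error"
    }
  },
  "schedule": {
    "fri": "08:00-12:30,13:30-17:00",
    "mon": "08:00-12:30,13:30-17:00",
    "sat": "08:00-12:30,13:30-17:00",
    "sun": "08:00-12:30,13:30-17:00",
    "thu": "08:00-12:30,13:30-17:00",
    "time_zone": "America/New_York",
    "tue": "08:00-12:30,13:30-17:00",
    "wed": "08:00-12:30,13:30-17:00"
  },
  "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
}'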
luxysiv commented 1 month ago

I couldn't find any documentation on setting rules for specific locations. And even if it exists, users can do it themselves, because each person will name their locations differently.