Listen to this Post

Introduction
Geo-restrictions are a common frustration for global platforms—when a content delivery network (CDN) or storage provider blocks entire countries’ IP ranges, legitimate users are locked out. The typical advice (“use a VPN”) destroys user experience. Instead, a smarter approach uses a reverse proxy layer: route traffic through Cloudflare to mask the origin, allowing unrestricted access without requiring clients to change their network configuration.
Learning Objectives
- Understand how CDN-level geo-blocking works and why ISPs are often not the root cause.
- Implement a Cloudflare reverse proxy to bypass upstream IP-based restrictions.
- Apply critical configuration tweaks (cache disabling, bot protection off) for video streaming workloads.
You Should Know
- Diagnosing the Real Block: ISP vs. CDN-Level Restrictions
When users in a specific country cannot load content but a VPN fixes the issue, the block may be upstream. In this case, Bunny.net was restricting Sudanese IP addresses directly. To confirm, run the following diagnostic commands from an affected network (or simulate using a geolocation-aware tool).
Linux/macOS – Check direct CDN access:
curl -v https://your-bunny-storage.b-cdn.net/test.mp4 --connect-timeout 10 Look for HTTP 403, 404, or connection resets
Windows (PowerShell):
Invoke-WebRequest -Uri "https://your-bunny-storage.b-cdn.net/test.mp4" -Method Head Inspect StatusCode and StatusDescription
Test from multiple regions using online tools (e.g., `curl` via GeoPeek or a cloud instance):
Using a free CDN checker for region in us eu asia africa; do curl -s "https://api.geopeek.com/v1/check?url=https://your-bunny-storage.b-cdn.net/test.mp4®ion=$region" done
If the request times out or returns a 403 only from specific regions (e.g., Africa), the block is at the CDN level. The solution is to insert a reverse proxy that fetches content on behalf of the user.
2. Building the Cloudflare Reverse Proxy Layer
The architecture: User → Cloudflare (proxy) → Bunny.net → Cloudflare → User. Cloudflare’s global network will request the video from Bunny using its own IP (which is not blocked), then serve it back. Here’s how to set it up step by step.
Step 1: Create a subdomain for media (e.g., media.yourdomain.com) via your DNS provider (Namecheap, GoDaddy, etc.). Do not point it directly to Bunny.
Step 2: Add the subdomain to Cloudflare (free plan works). Change your domain’s nameservers to Cloudflare’s (provided after signup). On Namecheap, replace custom nameservers:
– Cloudflare NS1 and NS2 addresses.
Step 3: In Cloudflare DNS, create an `A` record for `media` pointing to any dummy IP (e.g., 192.0.2.1) and enable the orange cloud (proxied). This forces traffic through Cloudflare.
Step 4: Configure Cloudflare Workers or Page Rules to rewrite requests to Bunny.net. Using a Cloudflare Worker (simpler for streaming):
// Cloudflare Worker script
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
const url = new URL(request.url)
// Rewrite to Bunny.net storage zone
const bunnyHost = 'your-bunny-storage.b-cdn.net'
const newUrl = `https://${bunnyHost}${url.pathname}${url.search}`
// Pass through most headers, but modify Host
const newRequest = new Request(newUrl, {
method: request.method,
headers: request.headers,
body: request.body
})
newRequest.headers.set('Host', bunnyHost)
// Fetch from Bunny
let response = await fetch(newRequest)
// Optional: add CORS headers for web players
const modifiedResponse = new Response(response.body, response)
modifiedResponse.headers.set('Access-Control-Allow-Origin', '')
return modifiedResponse
}
Deploy the worker and route `media.yourdomain.com/` to it via Cloudflare’s Workers Routes.
Step 5: Critical tweaks for video files (as mentioned in the original post):
– Disable caching on Cloudflare for video paths: Go to Caching → Cache Rules → Create rule: If URL path contains .mp4 or .m3u8, then Bypass cache. Otherwise, large videos on free plan will exhaust bandwidth or cause partial downloads.
– Disable Bot Fight Mode (under Security → Bots): This can block API requests from your own backend or video player. Set to “Allow” or create a skip rule for your media subdomain.
– Disable Rocket Loader (under Speed → Optimization) – it can break video streaming.
Step 6: Update your application to serve video URLs from the new subdomain instead of directly from Bunny. Example embed:
<video src="https://media.yourdomain.com/path/to/video.mp4" controls></video>
Step 7: Test without VPN from a restricted region using `curl` or a browser:
curl -I https://media.yourdomain.com/test.mp4 Expect HTTP 200 OK instead of 403/timeout
3. Security and Hardening Considerations
While a reverse proxy solves access, it introduces new risks. Harden your setup:
Prevent direct Bunny access – keep the storage zone private. Set Bunny.net’s access rules to allow only Cloudflare’s IP ranges. Obtain Cloudflare’s IP list:
curl https://www.cloudflare.com/ips-v4 > cloudflare_ips.txt curl https://www.cloudflare.com/ips-v6 >> cloudflare_ips.txt
In Bunny.net’s pull zone or storage zone settings, add an IP whitelist rule referencing these ranges.
Add authentication tokens for sensitive videos: Use signed URLs. Cloudflare Workers can validate a query parameter before fetching from Bunny. Example:
// In Worker, check for a valid token
const expectedToken = 'your-secret'
if (url.searchParams.get('token') !== expectedToken) {
return new Response('Unauthorized', { status: 401 })
}
Monitor for abuse – Because Cloudflare hides the origin, malicious users could hammer your proxy. Implement rate limiting:
// Cloudflare Rate Limiting rule: 100 requests per minute per IP // Or add inside Worker with durable objects (simpler to use Cloudflare's built-in rate limiting)
API security – If your platform uses APIs to fetch video manifests, ensure the Cloudflare proxy doesn’t expose Bunny’s internal headers. Use response header filtering:
const allowedHeaders = ['Content-Type', 'Content-Length', 'Accept-Ranges']
for (let header of response.headers.keys()) {
if (!allowedHeaders.includes(header)) {
modifiedResponse.headers.delete(header)
}
}
4. Alternative Approaches and Mitigation
If Cloudflare is not an option, consider these workarounds:
- Deploy a tiny VPS in a non-blocked region (e.g., DigitalOcean Frankfurt) and run Nginx as a reverse proxy:
location /videos/ { proxy_pass https://your-bunny-storage.b-cdn.net/; proxy_set_header Host your-bunny-storage.b-cdn.net; proxy_cache off; for large files proxy_buffering off; } - Use a dedicated CDN with per-country allowlisting (e.g., AWS CloudFront with geo-restriction override via Lambda@Edge).
- Contact the CDN provider – Bunny.net support may whitelist specific ASNs if you provide valid use cases (education, non-commercial).
For vulnerability exploitation: If you discover a CDN blocking your country, do not attempt to abuse it (e.g., using open proxies). The ethical mitigation is exactly what was described: adding your own proxy layer with permission from the content owner.
What Undercode Say
- Key Takeaway 1: Geo-blocks are often implemented at the CDN or cloud storage level, not by ISPs. Always test with `curl` from multiple regions before blaming local connectivity.
- Key Takeaway 2: A reverse proxy (Cloudflare, Nginx, or HAProxy) is a powerful tool to bypass upstream restrictions without degrading user experience—no VPN required.
- Analysis: The solution elegantly decouples the access layer from the storage layer. However, it adds a potential single point of failure (Cloudflare) and latency. For production, one must also consider legal implications: circumventing a CDN’s terms of service may violate acceptable use policies. Yet, for legitimate educational platforms serving sanctioned regions, this approach is often the only way to deliver content. The post highlights a growing need for CDNs to offer per-customer allowlisting instead of blunt country blocks.
Prediction
As geo-restrictions become more aggressive (driven by licensing, sanctions, or DDoS mitigation), reverse proxy patterns will become standard in developer toolkits. We will see rise of “proxy-as-a-service” offerings that specifically target CDN bypass, leading to a cat-and-mouse game where CDNs start detecting and blocking Cloudflare IP ranges. The long-term solution is a shift toward zero-trust edge delivery where authentication happens at the application layer, not based on source IP. Until then, engineers must master multi-layer routing, worker scripting, and cache tuning to keep global users connected.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mohamed Abdelgadr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


