From 9ed5e78c45d3543215451ded9aa8416a55772434 Mon Sep 17 00:00:00 2001
From: kisfenyo <nagyfenyvesi.viktor@gmail.com>
Date: Wed, 25 Feb 2026 12:03:01 +0100
Subject: [PATCH] fix: remove custom block response from WAF rules (CF free
 plan)

Cloudflare Free plan doesn't support custom response body in block
rules. Use plain block action which returns CF's default 403 page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 CHANGELOG.md                          |  5 +++++
 controller/internal/cloudflare/waf.go | 12 +++---------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b876b2..67c3fcb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## Changelog
 
+### v0.30.1 — Geo-Restriction fix (2026-02-25)
+
+#### Fixed
+- **WAF rule creation** — Removed custom block response body from WAF rules (requires paid Cloudflare plan). Block action now uses Cloudflare's default 403 page.
+
 ### v0.30.0 — Geo-Restriction via Cloudflare WAF (2026-02-25)
 
 #### Added
diff --git a/controller/internal/cloudflare/waf.go b/controller/internal/cloudflare/waf.go
index fedc215..b73029b 100644
--- a/controller/internal/cloudflare/waf.go
+++ b/controller/internal/cloudflare/waf.go
@@ -253,20 +253,14 @@ func IsAppRule(desc string) (string, bool) {
 	return "", false
 }
 
-// newBlockRule creates a rule struct with the standard felhom block response.
+// newBlockRule creates a rule struct with a block action.
+// Custom response body requires a paid CF plan, so we use a plain block (403).
 func newBlockRule(description, expression string) rule {
 	enabled := true
 	return rule{
 		Description: description,
 		Expression:  expression,
 		Action:      "block",
-		ActionParameters: &actionParameters{
-			Response: &blockResponse{
-				StatusCode:  403,
-				Content:     "Hozzáférés megtagadva — az Ön országa nem engedélyezett.",
-				ContentType: "text/plain",
-			},
-		},
-		Enabled: &enabled,
+		Enabled:     &enabled,
 	}
 }