When trying to allow sites in policy layers after a policy layer containing a deny based on supplier.country or supplier.allowed_countries policy results in a deny decision.

Users may see the exception "EXCEPTION(geoip_denied): Request could not be handled" in their browsers and proxy administrators will see the exception in a policy trace.

For example, if you had the following rules:

  <Proxy>
 supplier.allowed_countries[SK](deny)

<Proxy>
allow url.domain=um15.domain.ltd

a user going to the Slovakian website http://um15.domain.ltd/ would still be denied.

A denial from supplier.allowed_countries or supplier.country is absolute because it occurs when DNS is resolved. With the geolocation policies, addresses with restricted locations are skipped before the connection is attempted - servers in restricted locations are treated as if they down. 

There is no fix for this issue since the exception is working as designed. To allow a site or URL then a rule on the same layer as the geolocation policy must be placed before the geolocation rule that forms the deny.

For example, using the same URLs and rules above:

<Proxy>
allow url.domain=um15.domain.ltd
supplier.allowed_countries[SK](deny)

would allow the end-user to access http://um15.domain.ltd/  and all URLs in that domain.

NOTE: Since geolocation policy (supplier.allowed_countries or supplier.country) is applied before the URL is fetched, they must be applied with rules that are evaluated on the inbound client request like url.domain but not on the inbound server response to the proxy (such as http.response.apparent_data_type).