I am trying to create a rate limit rule but it's not working
Hi there, I am using
(http.request.uri.path eq "/*" and not http.request.uri contains "api")
so that I can rate limit all the paths except if it contains api inside the path. We want to apply rate limit to all paths except api. We have a different rate limit for api, slightly higher. But it's not blocking even after sending more requests
Wildcards like that would only work in Page Rules, not Ruleset Engine, which is the parser behind Rate Limit and all of the new rule type expressions
So it's looking for literally paths equal to
/*
ah got it, so how can we add all path
If you just want to match all paths except those that contain api, remove that first part. I would also be a bit more careful in your match. http.request.uri contains the path and the query string, so someone could get around your rate limit by doing example.com/expensive_path?api. Use http.request.uri.path instead.
If your website is set up like example.com/api/ contains all API routes, you could use starts_with
(not starts_with(http.request.uri.path, "/api/"))
thank you so much and yes, example.com/api like this
only (not starts_with(http.request.uri.path, "/api/")) is enough?
used (not starts_with(http.request.uri.path, "/api/")) but it didn't block..
It would match all requests that don't start with /api/ in the path
It may take a minute or so to update. The Trace tool is helpful in debugging this stuff, you can find it at the Account level
https://dash.cloudflare.com/?to=/:account/trace/search
You can input your url there, and it would tell you if it hit the Rate Limit Rule or not
Are they requests to example.com/api, or requests to example.com/api/v1/example? Or rather, what's an example of an API Endpoint you use?
The expression I gave you would only match example.com/api/<anything>, not example.com/api. You could remove the trailing slash if you want it to match
/api
ex: (not starts_with(http.request.uri.path, "/api"))
thanks
got it, seems working
the tracer gives me the id of the matched rate limit, like 0ca9ffe39fcf4f158e089afbb58... how to see which one matched with this id?
I believe that's the ID of the Ruleset rather than the specific rule, which is to say it's not useful for figuring that out
this rule seems to be blocking cdn requests from bunny...
Are you layering CDNs like Bunny -> Cloudflare -> origin?
yes
That just won't work with IP Rate Limiting then. It's just going to see the IP of Bunny and rate limit on that. Only Enterprise could rate-limit on a specific header so that you could pass the real user IP through
also now noticed that we use nextjs and a server-side getInitialProps call. They send server ips instead of users' ips, so it's rate limiting the server itself I see.. 😦
If that was the only issue you could just exclude that from your rule, if you're using CF Pages they should all be from
2a06:98c0:3600::103
but we want to block users sending automated requests. When you load a page, it calls from getInitialProps and this uses the server ip instead of the user's. We want to block that user sending automated requests
Right, and so you'd have a rate limit on the initial page load instead of on the server-side requests
example.com (rate limited)
-> Server Side Requests to /api/ (Excluded)
example.com/api/ (rate limited)
But you can't really do that with Bunny in front of Cloudflare because it'd just be rate limiting Bunny IPs anyway, at least with Rate Limiting Rules
it gives bunny path so we can exclude that path
or add user's ip somehow in the call replacing server ip
hmm what do you mean by "bunny path"? only some requests go through bunny? If so then yeah you could exclude those.
You can't do the latter though, only Enterprise with the Rate Limiting addon could use something other than the requesting IP to rate limit on (like a header value)