No way to rate limit requests from Vercel without enterprise?!
I was planning on using Cloudflare rate limiting to protect my API, but since most of our requests come from a frontend hosted on Vercel, I was planning on using the x-forwarded-for header to increment buckets on real user IPs instead of Vercel's address.
It looks like request header filtering is an enterprise only feature, we're stuck on business.
Is there any workaround or do we need to roll this ourselves?
11 Replies
Yeah unfortunately the WAF rate limiting rules are extremely basic and only support counting by IP unless you upgrade to enterprise with the advanced rate limiting addon. So for anything more advanced or using other fields than the connecting IP you will need to roll your own.
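For the "roll your own" path, here is an added example (not code from the thread or from Cloudflare or Vercel) of the counter the original poster describes: a sliding-window limiter whose bucket key is the real client address taken from X-Forwarded-For. The one detail that matters for security is that the header is only honoured when the TCP peer is a known proxy; a client hitting the API directly can set any X-Forwarded-For it likes, so without that check it could escape its own bucket or exhaust someone else's. The `TRUSTED_PROXIES` range below is a constructed placeholder standing in for the frontend host's real egress addresses, which are not given in the thread.

```python
import ipaddress
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed placeholder: the address range the trusted frontend proxy
# (Vercel in the thread) connects from. Replace with the real egress list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the address to bucket on.

    X-Forwarded-For is only consulted when the TCP peer is a trusted proxy.
    The header is an appended list ("client, proxy1, proxy2"), so the
    rightmost hop is the one the trusted proxy actually saw; walk from the
    right and take the first hop that is not itself a trusted proxy.
    Anything unparsable falls back to the peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff and _is_trusted(peer):
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                continue  # garbage hop: skip it rather than trust it
            if not _is_trusted(addr):
                return str(addr)
    # Direct client, or header missing/unusable: the peer is the client.
    return peer_ip


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window_s` seconds."""

    limit: int
    window_s: float
    buckets: Dict[str, Deque[float]] = field(default_factory=dict)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.buckets.setdefault(key, deque())
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def demo() -> Dict[str, int]:
    """Replay constructed traffic and return allowed-request counts per key."""
    limiter = SlidingWindowLimiter(limit=3, window_s=60.0)
    # Constructed requests: (tcp_peer, x_forwarded_for, timestamp_seconds).
    # Two real users behind the trusted proxy, plus one direct client that
    # forges X-Forwarded-For to impersonate the first user.
    requests: List[Tuple[str, str, float]] = [
        ("203.0.113.10", "198.51.100.1", 0.0),
        ("203.0.113.10", "198.51.100.1", 1.0),
        ("203.0.113.10", "198.51.100.2", 1.5),
        ("203.0.113.10", "198.51.100.1", 2.0),
        ("203.0.113.10", "198.51.100.1", 3.0),   # 4th in window: denied
        ("192.0.2.7", "198.51.100.1", 4.0),      # spoofed XFF: keyed as 192.0.2.7
        ("203.0.113.10", "198.51.100.1", 61.0),  # t=0.0 has expired: allowed
    ]
    allowed: Dict[str, int] = {}
    for peer, xff, t in requests:
        key = client_ip(peer, xff)
        allowed[key] = allowed.get(key, 0) + (1 if limiter.allow(key, t) else 0)
    return allowed


if __name__ == "__main__":
    print(demo())
```

The in-memory deque is enough to show the bucketing logic; a real deployment behind several API instances would keep the same per-key counters in a shared store, and the trusted-proxy list has to be kept in step with the frontend host's published egress addresses or the fallback to the peer address will silently collapse every user into one bucket.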
Indeed, stacking the CDN behind an external service like this is not fully recommended or supported outside of an Enterprise plan as you're missing the control needed to implement proper protections
We were able to get enterprise rolling
I'm a bit lost on how to structure this counter: how can I "bucket" requests by x-forwarded-for?
Looks like default is just to match on it
How do I specify I want to use x-forwarded-for to group requests?
The "With the same characteristics" field is defining what properties go into your rate limiting bucket
Oh I see the screenshot now... "Header value of" isn't appearing. I wonder if we need something special enabled on the account. For me it just has IP and IP with NAT
I didn't request it specifically yet, let me try 🙂
We just upgraded today through the startup program
makes sense-- there's docs in the startup plan for how to get extra features enabled, I'm reaching out per those guidelines now
appreciate you taking a look too
@Matt if you reached out to support for that feel free to let me know the ticket number and I can enable it for you or request the needed approvals
Ticket #3081925! No major rush! Thank you so much
Thanks
Yeah this is one that's going to need approval but I'll take care of that and hopefully it won't take too long
totally makes sense, ty