How do I disable ratelimits for a domain on a Cloudflare Tunnel?
I have a Nextcloud instance that goes through Cloudflare Tunnel and I am consistently hitting the ratelimit. This has never happened before and I just want to get rid of it. I can't seem to figure it out, would appreciate any help, thanks!
37 Replies
No
I never changed any of the ratelimiting rules, this appears to be new default behavior
The rate limit with rule ID of worker can be removed upon request to support if you are on a paid Workers plan. Please create a support ticket.
?support
To contact Cloudflare Support about an issue, please visit the Support Portal and fill in the form on the portal. After submission, you will receive confirmation over email.
Some issues, such as Account or Billing related issues, cannot be solved by the community. Any plan level can open a ticket for these topics.
For more information on the methods by which you can contact Support for your plan level, see Contacting Cloudflare Support - Cloudflare Docs
The limit is documented here https://developers.cloudflare.com/workers/platform/limits/#request
Cloudflare’s abuse protection methods do not affect well-intentioned traffic. However, if you send many thousands of requests per second from a small number of client IP addresses, you can inadvertently trigger Cloudflare’s abuse protection.
wait, how did you access example.com?
it shouldn't be your domain.
They probably used inspect element to redact their domain
the same way it says ipv6-address
which is the high effort way to do it
Wait, so I cannot get rid of this if I'm on the free plan?
Are you on Workers Free?
Yeah
In fact, are you using Workers at all?
Can you explain more?
I never messed with that stuff
All I'm using are Cloudflare Tunnels to access nextcloud and other services
My guess is that Nextcloud is sending a bunch of individual requests when syncing, which causes it to constantly hit the ratelimit
That's odd then since the rate limit is specific for Workers.
Do you have other "Optimization" features enabled on the zone like Early Hints or Automatic Signed Exchanges?
I was setting up a new computer, which meant downloading all the files I want to be synced. I've done this many times before without any issues on the Cloudflare-end of things, so it's odd to see it ratelimit now
Where can I check that?
https://dash.cloudflare.com/?to=/:account/:zone/speed/optimization/recommendations and https://dash.cloudflare.com/?to=/:account/:zone/speed/optimization/other
Also the IPv6 address you redacted, is it
2a06:98c0:3600::103? That's the IP for requests coming from WorkersNo
It's my actual IPv6 address (just looked it up)
Okay
Can you check the optimization settings then?
Yeah doing that rn
I'm wondering if one of the ones which is implemented with Workers in the backend might be interfering
Its cropped too early for me to see Early Hints
My bad
It's enabled
Should I disable it?
Yes can you try disabling it
I appreciate this isn't something that's made immediately clear and actually shouldn't be happening in the first place, but hopefully it helps
I'll have to wait until tonight when I'm back at the computer with the issue (the big nextcloud sync). I'll let you know if it fails or succeeds, thank you for your help
The logic I'm followiig here is that Early Hints is implemented using a Worker in the backend of the feature, so its possible the system is mistakenly attributing these Worker requests to your zone and rate limiting them with the Worker rate limit
No problem, ping me whenever and I'll respond if/when I'm around
One extra thing to note:
The one thing I did change recently was adding a configurable "offline" page to show when a KVP is true, which is to be used when my server is under scheduled maintenance. I am using workers routes for these. I'm not too familiar with this, so perhaps that could have been the cause?
Is the route active all the time?
Actually I think so
It's only supposed to show a separate page when a KVP is set to true
But I think everything is always going through it, which could explain the ratelimit
The worker:
Can I disable it without deleting it? I don't see a button anywhere
You can remove the route but keep the worker
Then to re-enable just add the route back
I have like 8 routes though
That's quite tedious
Well
There isn't a disable button, sorry
Unfortunate
And yeah if your requests are going via a Worker and you dont have Workers Paid then seeing limits is expected and the first step to prevent that is to subscribe to Workers Paid.
Also if you check the settings for each route, there should be a "fail open"/"fail closed", make sure thats set to fail open
Alright
I don't use workers enough to justify paying for it, so I think I'll just remove it for now. This is probably resolved now, thanks again for your help
Sure no problem, let me know if it comes back