Rate limiting behind a proxy
Hi,
I have the following flow.
Client -> GCP App Engine Server -> Cloudflare -> GCP App Engine Backend Server.
My site keeps getting attacked by several malicious users. They do it via automation for an SMS attack. I have activated rate limiting rules; for my mobile apps they are fine, since those call the Cloudflare-protected domain directly, but for my web app it seems that Cloudflare always uses the App Engine server IP, and activating it would block real users, since they make this request non-stop.
Is there a way in the rate limit to change it to use the X-Forwarded-For IP? This attack has been going on for a few days, even though I have stopped the SMS sending for the numbers that this attacker is using.
2 Replies
Would need Enterprise with Advanced Rate Limiting as far as I know: https://developers.cloudflare.com/waf/rate-limiting-rules/#availability
Workers do have a rate limiting API as well: https://developers.cloudflare.com/workers/runtime-apis/bindings/rate-limit/, and you can make the key anything you want, but it is limited in the counting period and you would have to pay for all Worker requests, even the ones being rate limited.
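As an added example of the Worker approach mentioned in the reply above (this is not code from the reply's author, from the original poster, or from Cloudflare's docs), here is a Worker that keys the rate limit on the original client address carried in X-Forwarded-For rather than on the connecting IP, which in the poster's topology is always the App Engine front-end. The binding name MY_RATE_LIMITER, the endpoint path /api/send-sms, the assumption that exactly one trusted proxy (the App Engine server) appends to X-Forwarded-For, and the in-memory MemoryLimiter used for offline testing are all assumptions for the example. The security point is that X-Forwarded-For is attacker-controlled input: a client can send its own X-Forwarded-For header and the proxy will append to it, so the header must be read from the right, trusting only the hops your own proxies added, and anything that does not look like an IP must not become a key.

```javascript
// Added example (not the forum reply's or Cloudflare's code): rate-limit an
// SMS endpoint by the client IP found in X-Forwarded-For, in a Cloudflare Worker.
// Assumptions: binding MY_RATE_LIMITER (wrangler config, see note below), and
// exactly one trusted proxy (App Engine) between the end user and this Worker.

// Number of proxies we control that append to X-Forwarded-For before the
// request reaches this Worker. Assumed to be 1 for the OP's flow; verify it
// for your deployment, because a wrong count keys the limit on the wrong hop.
const TRUSTED_HOPS = 1;

// Walk X-Forwarded-For from the right. The rightmost TRUSTED_HOPS entries were
// appended by proxies we trust; everything further left was sent by the client
// and may be forged. Returns null when there are fewer entries than trusted hops.
function clientIpFromXff(xffHeader, trustedHops = TRUSTED_HOPS) {
  if (!xffHeader) return null;
  const hops = xffHeader.split(',').map((s) => s.trim()).filter(Boolean);
  if (hops.length < trustedHops) return null;
  // The entry added by the outermost trusted proxy is the real client address.
  return hops[hops.length - trustedHops];
}

// Reject junk before it becomes a rate-limit key, so a malformed header can
// neither collapse every attacker into one bucket nor exempt anyone.
const IPV4 = /^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const IPV6 = /^[0-9a-f:]+$/i; // loose check; enough to reject obvious garbage
function looksLikeIp(s) {
  return typeof s === 'string' && (IPV4.test(s) || (s.includes(':') && IPV6.test(s)));
}

// Decision logic kept separate from the Worker entry point so it can be run
// offline. `limiter.limit({ key })` mirrors the Workers rate-limit binding and
// resolves to { success: boolean }.
async function decide(request, limiter, fallbackIp) {
  let key = clientIpFromXff(request.headers.get('X-Forwarded-For'));
  if (!looksLikeIp(key)) {
    // No usable forwarded address: limit on the connecting IP instead of
    // waving the request through.
    key = fallbackIp;
  }
  const { success } = await limiter.limit({ key: `sms:${key}` });
  return { allowed: success, key };
}

// Worker entry point. In a real deployment this object is `export default`-ed.
const worker = {
  async fetch(request, env) {
    const url = new URL(request.url);
    if (url.pathname !== '/api/send-sms') return fetch(request); // pass-through

    const connectingIp = request.headers.get('CF-Connecting-IP') || 'unknown';
    const { allowed } = await decide(request, env.MY_RATE_LIMITER, connectingIp);
    if (!allowed) {
      return new Response('Too many requests', {
        status: 429,
        headers: { 'Retry-After': '60' },
      });
    }
    return fetch(request);
  },
};

// --- Offline stand-ins (constructed for this example, not part of Workers) ---

// Fixed-count limiter with the same call shape as the real binding.
class MemoryLimiter {
  constructor(limit) {
    this.max = limit;
    this.counts = new Map();
  }
  async limit({ key }) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return { success: n <= this.max };
  }
}

// Minimal request stand-in: only `headers.get()` is needed by decide().
function makeRequest(headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { headers: { get: (name) => lower[name.toLowerCase()] ?? null } };
}
```

The binding itself is declared in the Worker's wrangler configuration (an `unsafe.bindings` entry of type `ratelimit` with a `simple = { limit, period }` block); as the linked docs and the reply note, the counting period is restricted to short fixed windows, so a per-minute SMS quota fits but a per-day one does not. Note how a forged header such as `X-Forwarded-For: 1.2.3.4` from the attacker becomes `1.2.3.4, <real client>` after App Engine appends, and the code still keys on the real client because it reads from the right.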
I will have a look. No matter what I try, the attack is distributed, all IPs are different, and I can't seem to find a way to fix it. They even passed Google's reCAPTCHA v3 (not sure if I implemented it correctly).
I think I still have to find a different way, since I cannot do the rate limiting via IP anymore :/