If I set it up can you guys help me with

If I set it up can you guys help me with the WAF and Caching rules so it's configured in a way that will keep it free? I honestly don't use hosting for much, but since I'm using Cloudflare for everything else I might as well consolidate everything.
69 Replies
Chaika
Chaika13mo ago
Sure, a cache rule to do that is really simple though:
Chaika
Chaika13mo ago
WAF side, just enabling the defaults should be fine. You could perhaps set up a rate limiting rule on the subdomain (same hostname equals match), with some rate limit to try to ward off silly attacks, not sure how much that would be worth doing though. For what it's worth, the more requests you get, the more your assets are in cache, and you don't pay for cached requests, so just by the way the system works you have some defense there
Ryder Cragie
Ryder Cragie13mo ago
Thank you. What situations could cause a cost for using this service (based on what I previously said)? And are cache rules new?
Chaika
Chaika13mo ago
When you store over 10 GB of content, or have over 10 million Class B Requests (which include fetching files), or over 1 million Class A Operations (Listing Files, Putting Files, etc). You can read over all the pricing here: https://developers.cloudflare.com/r2/pricing/
Chaika
Chaika13mo ago
The Cloudflare Blog
Introducing Cache Rules: precision caching at your fingertips
We have spent the last ten years learning how customers use Page Rules to customize their cached content, and it’s clear the time is ripe for evolving rules-based caching on Cloudflare
Chaika
Chaika13mo ago
Since Sep 27th of last year
Ryder Cragie
Ryder Cragie13mo ago
Ah okay. Sounds like I won't hit it then. Is there a way to tell it to reject all requests if I'm about to hit that limit?
Chaika
Chaika13mo ago
best you can do is set up a notification for when you come close
Ryder Cragie
Ryder Cragie13mo ago
And then I can easily flick a switch to temporarily shut it off?
Chaika
Chaika13mo ago
You can just disable the custom domain yea
Ryder Cragie
Ryder Cragie13mo ago
For this could I just say if hostname is not literallymakesomethingup.rydercragie.com then apply the rule? No other way I can think of to get it to work everywhere.
Chaika
Chaika13mo ago
You want the cache rule to apply to everything on your zone, rydercragie.com?
Ryder Cragie
Ryder Cragie13mo ago
Or is that a bad idea? Should it only apply to subdomains I use for R2?
Chaika
Chaika13mo ago
Usually it would be undesired, depending on your setup. If you're fine with everything on your zone being affected by that rule though, you can just click "Edit Expression" and replace the expression in there with true
Ryder Cragie
Ryder Cragie13mo ago
I'll use the OR rule and set it to all of the R2 hostnames. Doesn't sound recommended to do what I said. That could come in handy for the future. I think I have a rule somewhere else that uses a similar thing. I should change it. Was the only way I could think of.
Chaika
Chaika13mo ago
Use "Is In"
Ryder Cragie
Ryder Cragie13mo ago
Is in?
Chaika
Chaika13mo ago
yea the is in operator
Chaika
Chaika13mo ago
then you can type out your domains
Ryder Cragie
Ryder Cragie13mo ago
And that will apply it to everything? In that zone?
Chaika
Chaika13mo ago
err I picked bad examples for that I suppose. No, it's just a way of checking a field against a list of values
Chaika
Chaika13mo ago
If you have a bunch of r2 hostnames, you can use that
Ryder Cragie
Ryder Cragie13mo ago
Ah okay. Got it. https://pub-e13ff2f9b2254734a99cbdd556313789.r2.dev doesn't show a page even though there's an index.html file there. What's the issue?
Chaika
Chaika13mo ago
Jotform
Upload Files
Please click the link to complete this form.
Chaika
Chaika13mo ago
there's no magical index.html detection/routing/etc. If you want that on your custom domain, you can use a transform rule redirect rule (and using that is transparent to the visitor as well, they wouldn't see the path change)
Ryder Cragie
Ryder Cragie13mo ago
I was about to get annoyed but I'll let it slide since it's possible. Would a Transform Rule apply to that r2.dev domain? Guessing not but that's fine as I'm gonna set it up on my custom domain soon anyway.
Chaika
Chaika13mo ago
no
Ryder Cragie
Ryder Cragie13mo ago
Would they all have to be separate rules for all of my subdomains/domains? Or can I just tell it to map index.html to the root? No matter what it is.
Ryder Cragie
Ryder Cragie13mo ago
Not working.
Chaika
Chaika13mo ago
you're backwards, checking for /index.html and rewriting to none
Ryder Cragie
Ryder Cragie13mo ago
(This is for custom domain btw) Oh
Chaika
Chaika13mo ago
Ryder Cragie
Ryder Cragie13mo ago
Awesome. That works. Thanks. What's a good WAF rule for it? I've migrated everything now.
Chaika
Chaika13mo ago
to protect your assets?
Ryder Cragie
Ryder Cragie13mo ago
So I don't end up getting charged if someone decides to reload the page 1,000 times. (figure of speech)
Chaika
Chaika13mo ago
You could slap on a simple rate limiting rule with sane limits. The WAF Rulesets themselves aren't going to help you with that too much, they're more targeted at vulnerabilities. Here's the thing though: You don't get charged for cache hits
Ryder Cragie
Ryder Cragie13mo ago
I just want something that says if someone refreshes too many times or requests too much, block them.
Chaika
Chaika13mo ago
The more your asset is requested, the more it's going to be in cache, the less requests you pay for. Sure, you can use rate limiting for that
Ryder Cragie
Ryder Cragie13mo ago
Surely there's a downside to that... Otherwise if there wasn't it wouldn't be possible.
Chaika
Chaika13mo ago
A downside? One might be that you're potentially serving stale content, it might have changed or been deleted since then. Otherwise not really, other than if you're serving tens of TBs of content per day, you'll probably get a nice sales email asking you to upgrade
Ryder Cragie
Ryder Cragie13mo ago
This?
Chaika
Chaika13mo ago
yea, same old hostname equals yourr2subdomain.com and you can set the limit to a sane amount of requests, maybe 100 per 5 minutes or so
Ryder Cragie
Ryder Cragie13mo ago
Or is in?
Chaika
Chaika13mo ago
If you have more than one r2 subdomain, you can use is in, sure
Ryder Cragie
Ryder Cragie13mo ago
Is one better than the other?
Chaika
Chaika13mo ago
Equals checks one value, Is in checks against a list. If you have one hostname to check, use equals. If you have more than one, use Is in
Ryder Cragie
Ryder Cragie13mo ago
Oh
Chaika
Chaika13mo ago
oh, you're on free
Ryder Cragie
Ryder Cragie13mo ago
hmmm
Chaika
Chaika13mo ago
I thought you were on Pro, oops. Free only gets path
Ryder Cragie
Ryder Cragie13mo ago
Nothing I can do then other than? Probably don't need to anyway with this in mind. I guess it would be good for protection. But all of the other stuff is enabled so should be good in that regards.
Chaika
Chaika13mo ago
you could either set a global sane rate limit (let's say, 200 requests/5 minutes or something, depends on your site), or put all of your assets under the same prefix in your bucket like /assets/, and then use URI Path starts with /assets/
Ryder Cragie
Ryder Cragie13mo ago
Should all of the default Cloudflare settings be enough? All of the bot protection stuff that’s built in.
Chaika
Chaika13mo ago
you mean without putting in a rate limiting rule?
Ryder Cragie
Ryder Cragie13mo ago
Yeah
Chaika
Chaika13mo ago
Do you have Bot Fight Mode or anything else enabled?
Ryder Cragie
Ryder Cragie13mo ago
Only was bothered because of cost. But now that’s out of the question I just want to make sure my assets are protected. Yes I have every security feature enabled I think. Just disabled the ones that were causing issues (ages ago)
Chaika
Chaika13mo ago
You probably don't have BFM on then, it's def one of the ones that can cause a lot of issues. Either way, CF does have standard DDoS Protection yea, but it can take a hot bit to kick in. Some of the protections like Gatebot only sample every 1,000 requests, so you need a few hundred requests per second or so before it can even begin to detect something. Is it something to be worried about? Meh, imo not really.. $100 USD would get you some 277 million object requests for example, and that's not including cached requests
Ryder Cragie
Ryder Cragie13mo ago
The Cache Rules still apply on the free plan, right?
Chaika
Chaika13mo ago
Indeed. On free your assets are more likely to be evicted, lower min edge cache ttl, and you have a lower max cache size (iirc 512mb?), but that's nothing specific to cache rules
Ryder Cragie
Ryder Cragie13mo ago
Can I ignore this? https://static.camp-fox.rydercragie.com does have an SSL provided by Cloudflare.
Ryder Cragie
Ryder Cragie13mo ago
Also says I need to allow public access when I go to a url of a nonexistent file. Maybe that needs rewording as I do have public access enabled for that custom domain?
Chaika
Chaika13mo ago
"This object does not exist or is not publicly accessible.." it is maybe a bit confusing, but meh. You can override those with Pro's Custom Error Responses I believe: https://developers.cloudflare.com/rules/custom-error-responses/
Ryder Cragie
Ryder Cragie13mo ago
Thanks. This is bugging me lol. How much can a cache rule store in the free plan?
Chaika
Chaika13mo ago
cache rules are not special, same rules as normal cache. Free just has a 100mb single file limit, no limit on actual files stored, although free is evicted first/likely to not have something in cache for a while
Ryder Cragie
Ryder Cragie13mo ago
Thanks