I am trying to create a rate limit role but not working

Hi there, I am using

(http.request.uri.path eq "/*" and not http.request.uri contains "api")

(http.request.uri.path eq "/*" and not http.request.uri contains "api")

(http.request.uri.path eq "/*" and not http.request.uri contains "api")

(http.request.uri.path eq "/*" and not http.request.uri contains "api") so that I can rate limit all the path except if it contains api inside the path. We want to apply rate limit to all path except api. we have different rate limit for api slightly higher. But it's not blocking even after sending more request

SSadek Hi there, I am using `(http.request.uri.path eq "/*" and not http.request.uri co...

Chaika•12/2/23, 9:36 PM

Wildcards like that would only work in Page Rules, not Ruleset Engine, which is the parser behind Rate Limit and all of the new rule type expressions

Chaika•12/2/23, 9:37 PM

So it's looking for literally paths equal to /*/*

SadekOP•12/2/23, 9:37 PM

ah got it, so how can we add all path

Chaika•12/2/23, 9:38 PM

If you just want to match all paths except that contain api, remove that first part. I would also be a bit more careful in your match. http.request.uri contains the path and the query string, so someone could get around your rate limit by doing example.com/expensive_path?api. Use http.request.uri.path instead.

If your website is setup like example.com/api/ contains all API routes, you could use starts_with
(not starts_with(http.request.uri.path, "/api/"))(not starts_with(http.request.uri.path, "/api/"))

SadekOP•12/2/23, 9:41 PM

thank you so much and yes, example.com/api like this

SadekOP•12/2/23, 9:41 PM

only (not starts_with(http.request.uri.path, "/api/")) is enought?

SadekOP•12/2/23, 9:43 PM

used (not starts_with(http.request.uri.path, "/api/")) but didn't block..

Chaika•12/2/23, 9:44 PM

It would match all requests that don't start with /api/ in the path

Chaika•12/2/23, 9:44 PM

It may take a minute to update or so. The Trace tool is helpful in debugging this stuff, you can find it Account level

Chaika•12/2/23, 9:45 PM

https://dash.cloudflare.com/?to=/:account/trace/search

Chaika•12/2/23, 9:45 PM

You can input your url there, and it would tell you if it hit the Rate Limit Rule or not

Chaika•12/2/23, 9:45 PM

SSadek thank you so much and yes, example.com/api like this

Chaika•12/2/23, 9:48 PM

Are they requests to example.com/api, or requests to example.com/api/v1/example? Or rather, what's an example of an API Endpoint you use?
The expression I gave you would only match example.com/api/<anything>, not example.com/api. You could remove the trailing slash if you want it to match

/api

/api

ex: (not starts_with(http.request.uri.path, "/api"))(not starts_with(http.request.uri.path, "/api"))

SadekOP•12/2/23, 9:49 PM

thanks

SadekOP•12/2/23, 9:49 PM

got it, seems working

SadekOP•12/2/23, 9:51 PM

the tracer give me id of the matched rate limit, like 0ca9ffe39fcf4f158e089afbb58... how to see which one matched with this id?

Chaika•12/2/23, 9:56 PM

I believe that's the ID of the Ruleset rather then the specific rule, which is to say it's not useful for figuring that out

SadekOP•12/2/23, 9:57 PM

this role seems blocking cdn request from bunny,,...

Chaika•12/2/23, 9:57 PM

Are you layering CDNs like Bunny -> Cloudflare -> origin?

SadekOP•12/2/23, 10:03 PM

yes

Chaika•12/2/23, 10:04 PM

That just won't work with IP Rate Limiting then. It's just going to see the IP of Bunny and Rate limit on that. Only Enterprise could rate-limit on a specific header so that you could pass the Real User IP through

SadekOP•12/2/23, 10:06 PM

also now noticed that we use nextjs and serverside get intial props call. they send server ips instead of users' ip so rate limiting the server itself I see..

Chaika•12/2/23, 10:08 PM

If that was the only issue you could just exclude that from your rule, if you're using CF Pages they should all be from 2a06:98c0:3600::1032a06:98c0:3600::103

SadekOP•12/2/23, 10:10 PM

but we want to block user sending automated request. when you load a page, it calls from getInitialProps and this user server ip instead of users. we want to block that user sending automated request

Chaika•12/2/23, 10:13 PM

Right, and so you'd have a rate limit in the initial page load instead of on the Server-side Requests

Chaika•12/2/23, 10:14 PM

example.com (rate limited)
-> Server Side Requests to /api/ (Excluded)
example.com/api/ (rate limited)

Chaika•12/2/23, 10:15 PM

But you can't really do that with Bunny in front of Cloudflare because it'd just be rate limiting Bunny IPs anyway, at least with Rate Limiting Rules

SadekOP•12/2/23, 10:17 PM

it gives bunny path so we can exclude that path

SadekOP•12/2/23, 10:18 PM

or add user's ip somehow in the call replacing server ip

Chaika•12/2/23, 10:58 PM

hmm what do you mean by "bunny path"? only some requests go through bunny? If so then then yea you could exclude those.
You can't do the latter though, only Enterprise with Rate Limiting addon could use something other then the requested IP to Rate limit on (like a header value)

I am trying to create a rate limit role but not working

Similar Threads

Similar Threads

Similar Threads