Question About Stacking WAF rules

I have some rate limit configuration on my public API for specific endpoints (see tf block below).

resource "cloudflare_ruleset" "api_rate_limiting" {
  zone_id     = local.cloudflare_zone_id
  name        = "API Rate Limiting"
  description = "Rate limiting rules for API endpoints"
  kind        = "zone"
  phase       = "http_ratelimit"

  rules {
    action      = "block"
    description = "Rate limit for create cardholder"
    expression  = "(http.request.uri.path eq \"/api/v1/some-entity\" and http.request.method eq \"POST\")"

    ratelimit {
      characteristics     = ["ip.src", "cf.colo.id"]
      period              = 60
      requests_per_period = 10
      mitigation_timeout  = 60
    }
  }
}

resource "cloudflare_ruleset" "api_rate_limiting" {
  zone_id     = local.cloudflare_zone_id
  name        = "API Rate Limiting"
  description = "Rate limiting rules for API endpoints"
  kind        = "zone"
  phase       = "http_ratelimit"

  rules {
    action      = "block"
    description = "Rate limit for create cardholder"
    expression  = "(http.request.uri.path eq \"/api/v1/some-entity\" and http.request.method eq \"POST\")"

    ratelimit {
      characteristics     = ["ip.src", "cf.colo.id"]
      period              = 60
      requests_per_period = 10
      mitigation_timeout  = 60
    }
  }
}

resource "cloudflare_ruleset" "api_rate_limiting" {
  zone_id     = local.cloudflare_zone_id
  name        = "API Rate Limiting"
  description = "Rate limiting rules for API endpoints"
  kind        = "zone"
  phase       = "http_ratelimit"

  rules {
    action      = "block"
    description = "Rate limit for create cardholder"
    expression  = "(http.request.uri.path eq \"/api/v1/some-entity\" and http.request.method eq \"POST\")"

    ratelimit {
      characteristics     = ["ip.src", "cf.colo.id"]
      period              = 60
      requests_per_period = 10
      mitigation_timeout  = 60
    }
  }
}

resource "cloudflare_ruleset" "api_rate_limiting" {
  zone_id     = local.cloudflare_zone_id
  name        = "API Rate Limiting"
  description = "Rate limiting rules for API endpoints"
  kind        = "zone"
  phase       = "http_ratelimit"

  rules {
    action      = "block"
    description = "Rate limit for create cardholder"
    expression  = "(http.request.uri.path eq \"/api/v1/some-entity\" and http.request.method eq \"POST\")"

    ratelimit {
      characteristics     = ["ip.src", "cf.colo.id"]
      period              = 60
      requests_per_period = 10
      mitigation_timeout  = 60
    }
  }
}

Can I also add a "fallback" rate limit config that matches

"^/api/\"

"^/api/\"

"^/api/\"

"^/api/\"? Or would this general rule conflict with the endpoint-specific ones? I found this doc that says:

Rules that match identical criteria can be stacked together. For example... you can create multiple rules that match the same path but have different counting characteristics or request limits.

But this doc says:

Rate limiting rules are evaluated in order, and some actions like Block will stop the evaluation of other rules

I'd love to have our specific tight limits, but also add a broader rule for /api/* with a higher limit (like 100) to cover us if a dev forgets to add a rule for a new endpoint, and also block bots scanning for fake endpoints.

Question About Stacking WAF rules

Similar Threads

Similar Threads

Similar Threads