Bobcares

Configure Cloudflare Rate Limiting

Mar 19, 2022

Wondering how to configure Cloudflare Rate Limiting? We can help you.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team configures rate limiting.

How to configure Cloudflare Rate Limiting?

Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain.

The most common uses for Rate Limiting are DDoS protection, brute-force attack protection, and limiting access to forum searches, API calls or resources that involve database-intensive operations at the origin.

Configure a basic Cloudflare Rate Limiting rule

There are two common types of Cloudflare Rate Limiting rule.

1. To enable ‘Protect your login’:

Rate Limiting features a one-click Protect your login tool that creates a rule to block a client for 15 minutes when it sends more than 5 POST requests within 5 minutes.

This is sufficient to block most brute-force attempts.

  • Firstly, log in to the Cloudflare account.
  • Then, select the domain to protect.
  • Next, click the Firewall app and then the Tools tab.
  • Click Protect your login under Rate Limiting.
  • In the Protect your login dialog that appears, enter a Rule Name and the login URL.
  • Click Save.
  • Finally, the Rule Name appears in the Rate Limiting rules list.

2. To create a custom rule:
  • Firstly, log in to the Cloudflare dashboard.
  • Then, select the appropriate domain.
  • Next, click the Firewall app and select the Tools tab.
  • Click Create a custom rule. A dialog opens where we can specify the details of the new rule.
  • Then, enter a descriptive Rule Name.
  • For If Traffic Matching the URL, select an HTTP scheme from the dropdown as well as a URL.
  • In from the same IP address exceeds, enter an integer greater than 1 to represent the number of requests in a sampling period.
  • For requests per, select the sampling period.
  • Domains on Enterprise plans can enter manually any duration between 10 seconds and 3600 seconds (1 hour).
  • For the Then dropdown, pick one of the available actions based on the plan.
  • If we select Block or Log, for matching traffic from that visitor for, select how long to apply the option once a threshold has been triggered.
  • Domains on Enterprise plans can enter any value between 10 seconds and 86400 seconds (24 hours).
  • To activate the new rule, click Save and Deploy.
  • Finally, the Rule Name appears in your Rate Limiting rules list.

Any change to a Rate Limiting rule clears that rule’s currently triggered actions.

Exercise care when editing Rate Limiting rules for mitigation of an ongoing attack.

In general, when setting a lower threshold:

  • Leave existing rules in place and add a new rule with the lower threshold.
  • Once the new rule is in place, wait for the action duration of the old rule to pass before deleting the old rule.

When setting a higher threshold (because legitimate clients are being blocked), increase the threshold within the existing rule.
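To make the three knobs of a rule concrete (the request threshold, the sampling period and the action duration) and to show why the guidance above prefers adding a new rule over editing one, here is a small model of a single Rate Limiting rule. This is an added example, not Cloudflare's code: the class and method names, the sliding-window counting, the "first non-allow decision wins" evaluation and the sample IP addresses are all assumptions made for illustration.

```python
# Added example (not Cloudflare's code): a model of one Rate Limiting rule with
# the request threshold, the sampling period and the action duration, plus the
# "editing a rule clears its triggered actions" behaviour described above.
# Names, the sliding-window counting and the sample IPs are assumptions.
from collections import defaultdict, deque


class RateLimitRule:
    def __init__(self, name, threshold, period, timeout, action="block"):
        self.name = name
        self.threshold = threshold  # "from the same IP address exceeds N"
        self.period = period        # sampling period in seconds ("requests per")
        self.timeout = timeout      # seconds the action applies once triggered
        self.action = action        # e.g. "block" or "log"
        self._hits = defaultdict(deque)  # ip -> request timestamps inside the window
        self._blocked_until = {}         # ip -> time at which the action expires

    def check(self, ip, now):
        """Decide one request from `ip` at time `now` (seconds): 'allow' or the action."""
        expires = self._blocked_until.get(ip)
        if expires is not None:
            if now < expires:
                return self.action       # action still in force
            del self._blocked_until[ip]  # action duration has passed
        window = self._hits[ip]
        while window and now - window[0] >= self.period:
            window.popleft()             # drop requests older than the sampling period
        window.append(now)
        if len(window) > self.threshold:
            # Threshold exceeded: apply the action for `timeout` seconds.
            self._blocked_until[ip] = now + self.timeout
            window.clear()
            return self.action
        return "allow"

    def edit(self, **changes):
        """Any change to a rule clears its currently triggered actions."""
        for key, value in changes.items():
            setattr(self, key, value)
        self._blocked_until.clear()
        self._hits.clear()


def evaluate(rules, ip, now):
    """Run one request through several rules; the first non-allow decision wins."""
    for rule in rules:
        decision = rule.check(ip, now)
        if decision != "allow":
            return rule.name, decision
    return None, "allow"


def simulate(rules, requests):
    """requests: iterable of (timestamp, ip) in time order; returns the decisions."""
    return [evaluate(rules, ip, t)[1] for t, ip in requests]


if __name__ == "__main__":
    # "Protect your login": more than 5 requests in 5 minutes -> block for 15 minutes.
    login = RateLimitRule("protect-login", threshold=5, period=300, timeout=900)
    # Constructed traffic: one client sends a request every 10 seconds.
    burst = [(i * 10, "203.0.113.7") for i in range(8)]
    print(simulate([login], burst))  # five allows, then blocks
```

Running the constructed burst gives five allows and then blocks, and the block stays in force until the 15-minute timeout expires. Calling `edit()` on the rule releases every client the rule is currently blocking, which is exactly why, when lowering a threshold during an attack, a second stricter rule is added alongside the old one and the old one is deleted only after its action duration has passed.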

Configure Advanced Criteria

The Advanced Criteria option configures which HTTP methods, header responses and origin response codes to match for our Rate Limiting rule.

To configure our advanced criteria for a new or existing rule, follow these steps:

  • Firstly, click Advanced Criteria.
  • Then, select a value from the Method(s) dropdown. ANY is the default and matches all HTTP methods.
  • Filter by HTTP Response Header(s). The CF-Cache-Status header appears by default so that Cloudflare serves cached resources rather than rate limiting them. Click Add header response field to include headers returned by the origin web server. If there is more than one header under HTTP Response Header(s), AND logic applies. To exclude a header, use the Not Equals option. Each header is case insensitive.
  • Under Origin Response code(s), enter the numerical value of each HTTP response code to match. Separate two or more HTTP codes with a comma; for example: 401, 403
  • Then, click Save and Deploy or configure additional Rate Limiting features allowed for the plan.

Configure Advanced Response

The Advanced Response option configures the information format returned by Cloudflare when a rule’s threshold is exceeded. Use Advanced Response when we wish to return static plain text or JSON content.

To configure a plain text or JSON response:

  • Firstly, click Advanced Response.
  • Then, select a Response type format (plain text or JSON).
  • Enter the plain text or JSON response we wish to return. The maximum response size is 32kB.
  • Finally, click Save and Deploy or configure additional features based on the plan.

Using a custom HTML page or a redirect

If we wish to display a custom HTML page, configure a custom page for HTTP 429 errors (“Too many requests”) in the dashboard.

Cloudflare will display this page when we select “Default Cloudflare Rate Limiting Page” in Response type (the default value for the field).

We can use this method to redirect a rate-limited client to a specific URL:

  • Create an HTML page on the server that will redirect to the final URL of the page we wish to display.
  • Include a meta refresh tag in the page content.

Configure the Bypass option

Bypass creates an allowlist or exception so that no actions apply to a specific set of URLs even if the rate limit is matched.

Configure a Bypass via the following steps:

  1. Firstly, click Bypass.
  2. In the Bypass rule for these URLs text box, enter the URL(s) to exempt from the rate limiting rule.
  3. Enter each URL on its own line. An http:// or https:// scheme specified in the URL is removed automatically when the rule is saved, and the entry then applies to both HTTP and HTTPS.
  4. Click Save and Deploy, or configure additional features based on the plan.

Order of rule execution

1: If a request matches both rules below,

rule1: matching with test.example.com
rule2: matching with *.example.com

or

rule1: matching with *.example.com
rule2: matching with test.example.com

then rule 2 will always trigger first because it was created last.

2: By removing the asterisk (*) at the end of the domain, rule execution will depend on which rule was created last.

rule1: matching with test.example.com
rule2: matching with *.example.com

rule2 above triggers first if a request matches both rules.

rule1: matching with *.example.com
rule2: matching with test.example.com

rule2 above triggers first if a request matches both rules.
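The Advanced Criteria, Bypass and order-of-execution sections above each describe one part of how a request is matched against a rule. The evaluator below puts them together: URL patterns with a "*" wildcard, Method(s) with ANY as the default, HTTP Response Header(s) combined with AND and compared case-insensitively with a Not Equals option, Origin Response code(s), Bypass URLs whose scheme is ignored, and "the rule created last triggers first" when several rules match. This is an added example, not Cloudflare's code: the class names, the split of a URL pattern into host and path, the reading of the CF-Cache-Status default as "Not Equals HIT", and the sample rules and traffic are all assumptions made for illustration.

```python
# Added example (not Cloudflare's code): an evaluator for the matching semantics
# described above -- URL patterns with "*", Method(s) with ANY as default, ANDed
# case-insensitive HTTP Response Header(s) with a Not Equals option, Origin
# Response code(s), Bypass URLs whose scheme is ignored, and "created last
# triggers first".  Class names, the host/path split of a URL pattern and the
# sample rules and traffic are assumptions for illustration.
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class HeaderCriterion:
    name: str
    value: str
    equals: bool = True  # False models the "Not Equals" option


@dataclass(frozen=True)
class Rule:
    name: str
    created: int                    # creation order; a higher value was created later
    url: str                        # e.g. "*.example.com" or "test.example.com/login*"
    methods: tuple = ("ANY",)
    headers: tuple = ()             # HeaderCriterion entries, combined with AND
    codes: frozenset = frozenset()  # origin response codes; empty = any code
    bypass: tuple = ()              # URLs exempt from this rule


@dataclass(frozen=True)
class Exchange:
    """One request seen by the edge together with the origin's response."""
    method: str
    host: str
    path: str
    status: int
    response_headers: dict


def strip_scheme(url):
    # A leading http:// or https:// is dropped; the pattern then covers both.
    return url.split("://", 1)[1] if "://" in url else url


def url_matches(pattern, host, path):
    """Assumption: a pattern without a path component matches every path."""
    pattern = strip_scheme(pattern)
    if "/" in pattern:
        host_pat, path_pat = pattern.split("/", 1)
        path_pat = "/" + path_pat
    else:
        host_pat, path_pat = pattern, "*"
    return fnmatchcase(host.lower(), host_pat.lower()) and fnmatchcase(path, path_pat)


def rule_matches(rule, ex):
    if not url_matches(rule.url, ex.host, ex.path):
        return False
    if "ANY" not in rule.methods and ex.method.upper() not in {m.upper() for m in rule.methods}:
        return False
    headers = {k.lower(): v for k, v in ex.response_headers.items()}
    for crit in rule.headers:  # every header criterion must hold (AND)
        actual = headers.get(crit.name.lower())
        is_equal = actual is not None and actual.lower() == crit.value.lower()
        if is_equal != crit.equals:
            return False
    if rule.codes and ex.status not in rule.codes:
        return False
    return True


def is_bypassed(rule, ex):
    return any(url_matches(u, ex.host, ex.path) for u in rule.bypass)


def select_rule(rules, ex):
    """Name of the rule that triggers, or None: the most recently created match wins."""
    candidates = [r for r in rules if rule_matches(r, ex) and not is_bypassed(r, ex)]
    return max(candidates, key=lambda r: r.created).name if candidates else None


# Constructed rules.  The CF-Cache-Status criterion is one reading of the default
# described above: do not rate limit responses Cloudflare served from cache.
RULES = (
    Rule("site-wide", created=1, url="*.example.com",
         headers=(HeaderCriterion("CF-Cache-Status", "HIT", equals=False),)),
    Rule("login-failures", created=2, url="test.example.com/login*",
         methods=("POST",), codes=frozenset({401, 403}),
         bypass=("https://test.example.com/login/health",)),
)

if __name__ == "__main__":
    failed_login = Exchange("POST", "test.example.com", "/login", 401,
                            {"cf-cache-status": "DYNAMIC"})
    print(select_rule(RULES, failed_login))  # login-failures (created last)
```

A failed POST to test.example.com/login matches both constructed rules, and "login-failures" wins only because it was created last; recreating "site-wide" later (a higher `created` value) flips the outcome, which is the behaviour the ordering section describes. A request to the bypassed health URL still matches "login-failures" but is exempt from it, so the older site-wide rule triggers instead, and a response carrying CF-Cache-Status: HIT is left alone by the Not Equals criterion regardless of header-name casing.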


Conclusion

To sum up, our skilled Support Engineers at Bobcares demonstrated how to configure Cloudflare Rate Limiting.
