Advanced Rate Limiting Rules - Response Headers

I find conflicting information in the docs on this one.

  1. Here - https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-response-fields - Cloudflare indicates that response fields are legal in Rate Limiting Rules.
  2. But HERE - https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/#configuration-restrictions - it seems to say this is not allowed.

I want to use this expression:
(http.request.uri.path matches "^*" and all(http.response.headers["Cf-Cache-Status"][*] ne "HIT") and http.request.method eq "GET")

I am converting an old rate limiting rule to a rule in a ruleset. Will this work?

Hi,

No contradiction there. Rule 1 says it’s allowed, rule 2 says it cannot be used along with IP Lists.

No, but not because of using a response header.

First, your regex isn’t valid. Did you mean "^.*", with a dot before the wildcard, to match all requests? If so the regex isn’t even needed here, as by default a rule will apply to everything except for the exclusions you set.

Second, you shouldn’t need to use the function all(), as there’d be only one header with the intended value. So you’d only need in principle http.response.headers["cf-cache-status"][*] ne "HIT" (header name must be lowercase). But the headers returned by Cloudflare aren’t available to modification, to the best of my knowledge. But even if they were, matching the CF-Cache-Status header is unnecessary, as there’s a checkbox specifically designed to include/exclude cached results.

Which brings us to a much simpler rule, if your intention is to rate limit all GET requests to all hostnames in the zone that are not cached:

http.request.method eq "GET"

2 Likes
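
The simplified rule from the reply above, written as a rule object for a zone's http_ratelimit phase ruleset in the Rulesets API (an added example, not part of the original thread). The period, threshold, timeout and characteristics are constructed sample values; requests_to_origin is the API counterpart of the dashboard checkbox for cached assets, with the opposite meaning (true counts only requests that reach the origin).

```json
{
  "description": "Example (constructed values): rate limit uncached GET requests",
  "expression": "http.request.method eq \"GET\"",
  "action": "block",
  "ratelimit": {
    "characteristics": ["cf.colo.id", "ip.src"],
    "period": 60,
    "requests_per_period": 100,
    "mitigation_timeout": 600,
    "requests_to_origin": true
  }
}
```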