Cache Everything & Ignore Query String enabled simultaneously

Hi,

I have a website hosted from a cloud service storage provider - which charges me based on both bandwidth and GET requests. I want to avoid the potential for a malicious actor to exhaust my budget by issuing a large number of requests. My content is static, nothing is dynamic, so caching literally everything is not a problem.

I would want to enable the “Cache Everything” option through page rules, but this overrides “Ignore Query String”. This makes it so that an attacker can just request mypage.html?123 and keep replacing 123 with any random number, and each request will go to my origin server.

How do I work around this? My website is relatively small, and as such options restricted to business & enterprise plans are sadly not an option for me.

Thanks in advance for any ideas :)

Which kind of content are we talking about? Why would you want to use page rules instead of the default caching?

  1. Has this actually happened?
  2. You can turn on Rate Limiting. Yes, it accepts a wildcard for mypage.html*
    https://support.cloudflare.com/hc/en-us/articles/115001635128-Configuring-Rate-Limiting-from-the-Cloudflare-Dashboard

@sandro It is just static HTML, and default caching does not cache static HTML - I have to use a page rule for that (at least, that was my understanding?)

@sdayman

  1. No, this is just a precaution to prevent excess billing from my origin host provider (I am also looking at cutting off access programmatically if I detect a surge in traffic on the origin server, but I’d like to explore what other options I have first).
  2. Rate limiting is definitely an option I considered - however I don’t really want to impede on legit users’ ability to refresh the page as much as they want while waiting for an update. Is it possible to enable rate limiting only for content that is not cached? So that a user can refresh the cached mypage.html as much as they want.

Thank you both for your replies, hope you have a great weekend!
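The origin-side surge detection mentioned in the post above could take the following shape. This is an added example, not code from anyone in this thread; the log format, the thresholds and the function name are assumptions, and the client IP is assumed to be logged from Cloudflare's CF-Connecting-IP header.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of origin access-log lines (not real traffic).
# Assumed format: "<epoch seconds> <client ip> <method> <request target>"
SAMPLE_LOG = """\
1700000001 203.0.113.10 GET /mypage.html
1700000002 198.51.100.7 GET /mypage.html?123
1700000003 198.51.100.7 GET /mypage.html?124
1700000004 198.51.100.7 GET /mypage.html?125
1700000005 198.51.100.7 GET /mypage.html?126
1700000006 198.51.100.8 GET /mypage.html?127
1700000030 203.0.113.11 GET /index.html
1700000075 203.0.113.12 GET /mypage.html?utm_source=newsletter
"""

def find_cache_busting(lines, window=60, max_variants=3):
    """Return {(window_start, path): {"variants": n, "clients": {ip: hits}}}
    for each path whose distinct query strings in one window exceed max_variants."""
    variants = defaultdict(set)                      # (bucket, path) -> query strings
    clients = defaultdict(lambda: defaultdict(int))  # (bucket, path) -> ip -> hits
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines rather than abort the scan
        ts, ip, method, target = parts
        if method not in ("GET", "HEAD"):
            continue
        url = urlsplit(target)
        if not url.query:
            continue  # the bare URL is the normal cache fill for a static page
        key = (int(ts) // window * window, url.path)
        variants[key].add(url.query)
        clients[key][ip] += 1
    return {
        key: {"variants": len(qs), "clients": dict(clients[key])}
        for key, qs in variants.items()
        if len(qs) > max_variants
    }

if __name__ == "__main__":
    for (start, path), info in find_cache_busting(SAMPLE_LOG.splitlines()).items():
        print(f"{start} {path}: {info['variants']} query variants from {info['clients']}")
```

Counting distinct query strings per path, rather than hits per IP, keeps ordinary refreshes of the cached page out of the result, since those never reach the origin.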

With your setup, there aren’t many options. Due to legitimate traffic, you’ll need to decide on your limits.

Rate Limiting can allow you to cap usage by hits per second or per minute. And then block that IP address for a minute, or an hour.

If you use the API, you can use almost any value for hits per time period and how long the IP address is blocked.


I understand, thank you for the replies!
