Create ratelimit payload not working

Hello,
I want to create a WAF rate limiting rule. The documentation https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/ gave me the needed parameters, so my current payload looks like this:

{
    description: "<description>",
    name: "<name>",
    kind: "zone",
    phase: "http_ratelimit",
    rules: [{
        expression: "<expression>",
        //enabled: true,
        action: "block"
    }],
    characteristics: ["ip.src"],
    requests_per_period: 75,
    period: 10,
    mitigation_timeout: 10
}

the response I’m getting is:

{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "invalid JSON: unknown field \"characteristics\""
    }
  ],
  "messages": null
}

but when I remove the “characteristics” I get the same for “requests_per_period” and so on for “period” and “mitigation_timeout”.

Anyone know how I have to format the payload? The URL I’m requesting is https://api.cloudflare.com/client/v4/zones/, see here: https://developers.cloudflare.com/api/operations/createZoneRuleset.

Also, is “enabled” allowed in the rule? I couldn’t find whether it is or not; I only know that it is allowed for “http_request_firewall_custom”, so I assumed it is for rate limiting too.

Thanks for any help.

That just doesn’t look like the right payload. I suggest you start with this template:

https://developers.cloudflare.com/waf/rate-limiting-rules/create-api/#example-a—rate-limiting-based-on-request-properties

Or maybe mine just isn’t the right API call for what you’re trying. But it does look like the most direct approach.

But I first need to create a ruleset in order to get the ruleset id, or is there a rate limiting ruleset by default?

I’m trying to create a rule here

Security → WAF → Rate Limiting Rules

I was able to get this payload to work:

{
  "description": "Rate Limit Them Pests",
  "kind": "zone",
  "name": "Rate Limiter",
  "phase": "http_ratelimit",
  "rules": [
    {
      "description": "My rate limiting rule",
      "expression": "(http.request.uri.path matches \"^/api/\")",
      "action": "block",
      "action_parameters": {
        "response": {
          "status_code": 403,
          "content": "You have been rate limited.",
          "content_type": "text/plain"
        }
      },
      "ratelimit": {
        "characteristics": [
          "cf.colo.id",
          "ip.src",
          "http.request.headers[\"x-api-key\"]"
        ],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }
  ]
}

Alright, after some trial and error, I found out how to do it, by combining the invocation of a new rule in a ruleset with the creation of a new ruleset containing the rules for rate limiting.

For anyone having issues finding out how to achieve this:

This is the body with short description:

{
    description: "<ruleset description>",
    name: "<ruleset name>",
    kind: "<kind>",  //eg "zone"
    phase: "http_ratelimit",
    rules: [{
        expression: "<normal expression when to trigger>",
        action: "<action>", //eg "block"
        enabled: true,  //false for disabling
        description: "<rule description>",
        ratelimit: {
            characteristics: [<defining how cf tracks the request rate (string)>],  //cf forced me to add "cf.colo.id"
            requests_per_period: <how many requests until rule executes>,
            period: <seconds for each period (see plan for allowed values)>,
            mitigation_timeout: <seconds how long the rule will be applied on next requests>
        }
    }]
}

The endpoint you want to reach is:
https://api.cloudflare.com/client/v4/zones/<zoneId>/rulesets.

For more parameters and a more detailed description of each parameter, refer to their documentation:
https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/
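As an added example (not code from this thread or from Cloudflare), a small Python helper that builds the nested http_ratelimit ruleset body described in this reply and flags rate-limit parameters left at ruleset or rule level, which is what produced the "unknown field" errors in the question. The rule names, expression and numbers are constructed sample values; the field names and the /zones/<zoneId>/rulesets endpoint are the ones given above.

```python
import json

# Parameters that belong under rules[].ratelimit, never at ruleset level.
RATELIMIT_FIELDS = ("characteristics", "requests_per_period", "period",
                    "mitigation_timeout")
# Constructed sample expression, same shape as the working payload above.
API_PATH = '(http.request.uri.path matches "^/api/")'


def build_ratelimit_ruleset(name, description, expression, characteristics,
                            requests_per_period, period, mitigation_timeout,
                            action="block", enabled=True, rule_description=""):
    """Zone ruleset body for POST /zones/<zoneId>/rulesets, rate-limit nested."""
    return {
        "name": name, "description": description,
        "kind": "zone", "phase": "http_ratelimit",
        "rules": [{
            "description": rule_description,
            "expression": expression,
            "action": action,
            "enabled": enabled,
            "ratelimit": {
                "characteristics": list(characteristics),
                "requests_per_period": requests_per_period,
                "period": period,
                "mitigation_timeout": mitigation_timeout,
            },
        }],
    }


def misplaced_ratelimit_fields(payload):
    """Rate-limit fields at ruleset/rule level: the ones the API rejects."""
    found = [f for f in RATELIMIT_FIELDS if f in payload]
    for rule in payload.get("rules", []):
        found.extend(f for f in RATELIMIT_FIELDS if f in rule)
    return found


# Constructed copy of the flat (rejected) payload from the original question.
BROKEN_PAYLOAD = {
    "description": "example", "name": "example", "kind": "zone",
    "phase": "http_ratelimit",
    "rules": [{"expression": API_PATH, "action": "block"}],
    "characteristics": ["ip.src"], "requests_per_period": 75,
    "period": 10, "mitigation_timeout": 10,
}

if __name__ == "__main__":
    # "cf.colo.id" is listed because the reply above reports the API requiring it.
    fixed = build_ratelimit_ruleset("Rate Limiter", "Limit /api/", API_PATH,
                                    ["cf.colo.id", "ip.src"], 75, 10, 10)
    print(misplaced_ratelimit_fields(BROKEN_PAYLOAD), json.dumps(fixed, indent=2))
```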

Really appreciate your work. Actually, I just found it out myself and wrote my own reply in case someone else needs it in the future. But imo your example is better, so thanks.


Yours is clean and to the point. It looks like a better template for anybody who wants to give it a shot.
