New user here.
I set up rate limiting for the first time yesterday with 20 per minute being the trigger. Within a couple of hours, I received a complaint from a reader who said they had not loaded multiple pages, just one, before being rate limited.
I raised the threshold to 40, then the following day at my office, I received a rate limit message myself. I had simply loaded one page, and then I got the rate limit message when I attempted to load a second page.
So, perhaps I’m not understanding how rate limiting works.
Does it count pages, or does it count up each “hit” on every element of a page? My site is a Wordpress blog with a few ads, but nothing excessive like some.
If your match is everything on the domain, then every single request triggers a rate limit count. This will then include all of the images on the site, css, js, etc.
It is very likely your site has more than 40 requests to your own domain for each page load because of how html/css/js files are structured on the server; so it makes sense that one or two would be the maximum before it’s triggered.
Rate limiting is more for rate limiting things like APIs; rate limiting full websites is generally more expensive since you pay for each request including css and js.
IIRC for non-ENT plans it will count all requests which are a cache MISS. For Enterprise customers there are additional options (including counting cache HIT or excluding specific URIs) in the mix. In general this makes sense as most customers don’t care if a given request was served from Cloudflare’s cache as that doesn’t impact their origin.
I have been getting occasional attacks over the past several months. I used htaccess initially, but they kept changing IPs. That led me to implement Cloudflare, where initially I used Firewire Rules to block most countries where English is not the first language.
This has been working nicely until yesterday when a US-based IP sent more than 15,000 requests in a single hour and caused my server load to surge. I blocked the offending IP, but I know they can just change to another one later, so I decided to give Rate Limiting a try.
This topic was automatically closed after 30 days. New replies are no longer allowed.