How does Rate Limiting work?


#14

Maybe allow Cloudflare users to set a custom header on their origin backends, which they can set up in Cloudflare rate limiting to detect that custom header on their origin backends and exclude or include them in rate limiting at the Cloudflare level?


#15

Not a bad idea. We are currently testing a bypass feature with our ENT customers which allows you to exclude paths/patterns, but the option for origin to educate us about what resources are OK to be pulled at any rate would be interesting.

Since rate limiting is such a new feature I anticipate we’ll see a number of iterations to tweak and improve the feature over time. We have some other cool items on the roadmap this year which I think will also help with the larger problem trying to be solved.

From a personal standpoint my worry/concern is that we roll out these kind of features in a way that a non-expert user can take advantage of them without having to be an expert (while still allowing power users to tweak the settings to get even more out of them).


#16

Well, headers can be added by .htaccess for Apache or via nginx directives, which isn’t any more difficult than the requirements for setting up real IP detection and/or Cloudflare IP whitelisting within Apache or nginx, i.e. https://support.cloudflare.com/hc/en-us/sections/200805497 :slight_smile:


#17

I was actually a beta tester of the Cloudflare Rate Limiting Product, it’s nice in that Cloudflare does the rate limits at their edge rather than the user’s origin server. Because of this the already overwhelmed origin doesn’t receive additional tasks and become unable to keep up with the tasks. It’s very well implemented.


#18

I guess I am a bit late to this party, but I am looking at enabling rate limiting as well and have some of the same questions. I just want to make sure that my assumptions are correct (as I’m a bit of a noob at this).

I have a page that makes 94 requests upon page load (it’s a list that contains quite a lot of images). Of those requests 68 are images, 9 are js, 5 are css, and 4 are fonts. The remaining 8 are XHR / Other requests.

Now, anything that is cached within Cloudflare will not count as a request if it is successfully retrieved from said cache. Would this statement be true?

So, in theory, since those 68 images are static, they should be cached in Cloudflare. So those shouldn’t count. Same would go for the JS / CSS / Fonts I would assume (which some of those are served from a cdn anyway).

So, in theory, this page load would tally 8 requests against the rate limiter in the two to four seconds it takes this page to load.

Am I following along the correct path, or am I completely helpless? Somewhere in between? Haha. Thanks in advance.


#19

Yes.

Yes, in theory. In practice it depends on whether they are cached. Maybe the cache will be flushed and you will have a new request again.
A new request from a different geo position will hit a different CF DC, on which, if it is not cached already (and if not using Argo), it will hit the origin again.

You will have to set the limits yourself, as you can see what rates are OK for you.
Take a look at the bot rates, at the visitor rates at the site/hosting acceptable rate.
Keep in mind that in one second a bot and a human, can make the same number of requests.
In 1, 5 or 10 minutes, not so much. :smile:

Take a look at the “How we built rate limiting capable of scaling to millions of domains” blog post and the help center.





#22

I have read the article “How we built rate limiting capable of scaling to millions of domains”.
Well, I think the sliding window algorithm is great! Yet I’m confused: when the increment job runs asynchronously, the request rate in the current minute (in the article, e.g. 18), what does this “rate” mean? I guess it is the total requests in a PoP, but how can we get these numbers efficiently? You know the latency will be high if it spawns a query to the data center per request.
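The two questions above (#18/#19: which of a page’s requests count, and #22: what the “rate” in the blog post’s sliding window means) can be made concrete with a small simulation. This is an added example written for this thread, not Cloudflare’s code. It implements the two-fixed-counter sliding-window estimate the blog post describes (previous minute weighted by the fraction still inside the trailing 60 seconds, plus the current minute) and runs it over a constructed trace of the 94-request page from post #18. The assumptions are mine and not stated on the page: the rule keys on client IP, a request served from the edge cache (cf-cache-status HIT) is not counted at all, each counted request is added before the threshold check, and requests that get blocked still count.

```python
"""Sliding-window rate estimate as described in the Cloudflare blog post
"How we built rate limiting capable of scaling to millions of domains":
two fixed one-minute counters per client key (previous and current minute),
with the previous minute weighted by how much of it still lies inside the
trailing 60 seconds. Added example for this thread, not Cloudflare's code.
Assumptions (not stated on the page): the rule keys on client IP, a request
served from the edge cache (cf-cache-status HIT) is not counted, a request is
counted before the threshold check, and blocked requests still count."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 60.0  # seconds per fixed counting window


@dataclass(frozen=True)
class Request:
    t: float            # arrival time in seconds
    client: str         # key the rule counts on (here: client IP)
    cache_status: str   # "HIT" = served from edge; anything else reached origin


def estimated_rate(prev_count, curr_count, elapsed, window=WINDOW):
    """Requests in the trailing `window` seconds, estimated from two fixed counters.

    `elapsed` is how far into the current window we are. The previous window
    contributes only the fraction of it that overlaps the trailing window.
    Blog example: 42 requests last minute, 18 so far this minute, 15 s in:
    42 * (45/60) + 18 = 49.5
    """
    weight = (window - elapsed) / window
    return prev_count * weight + curr_count


class SlidingWindowLimiter:
    def __init__(self, threshold, window=WINDOW):
        self.threshold = threshold
        self.window = window
        # client -> {window_index: count}; only the two newest windows are read
        self.counts = defaultdict(lambda: defaultdict(int))

    def record(self, req):
        """Count an origin-bound request; return True if it exceeds the threshold."""
        if req.cache_status.upper() == "HIT":
            return False  # never forwarded to origin, so never counted
        idx = int(req.t // self.window)
        elapsed = req.t - idx * self.window
        c = self.counts[req.client]
        c[idx] += 1  # assumption: counted before the check, blocked or not
        rate = estimated_rate(c[idx - 1], c[idx], elapsed, self.window)
        return rate > self.threshold


def page_load(t0, client, cached=86, origin=8):
    """Constructed trace of the page in post #18: 94 requests, of which 86 static
    assets are cache HITs and 8 XHR/other requests reach the origin."""
    reqs = [Request(t0 + 0.01 * i, client, "HIT") for i in range(cached)]
    reqs += [Request(t0 + 0.01 * (cached + i), client, "DYNAMIC")
             for i in range(origin)]
    return reqs


def simulate(threshold, loads):
    """loads: list of (t0, client) page loads. Returns (counted, blocked)."""
    limiter = SlidingWindowLimiter(threshold)
    counted = blocked = 0
    for t0, client in loads:
        for req in page_load(t0, client):
            if req.cache_status.upper() != "HIT":
                counted += 1
            if limiter.record(req):
                blocked += 1
    return counted, blocked


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed client address
    print(estimated_rate(42, 18, 15))          # 49.5
    print(simulate(10, [(5, ip)]))             # (8, 0): one load fits under 10/min
    print(simulate(10, [(5, ip), (20, ip)]))   # (16, 6): second load trips the rule
    print(simulate(10, [(5, ip), (70, ip)]))   # (16, 5): last minute partly decayed
```

The third scenario is the part the sliding window buys you: the second page load falls in a new fixed minute, but the 8 requests from the previous minute still contribute about 82% of their weight, so the rule trips on the fourth origin-bound request rather than resetting to zero at the minute boundary. Only the 8 non-cached requests per load are ever counted, which matches the reasoning in post #18 as long as the assets really are HITs at the data center the visitor lands on.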


#24

Hi,

I’m trying to set up rate limiting for one of my sites but it doesn’t seem to be working for me.
I’m testing with very simple rules like: www.mydomain.com/foo/* in order to protect some API resources I have under that URI, however even after making sure the rule is set as “Live” and that I’m sending more requests than defined in the threshold, I don’t see any change in behavior, i.e. I can keep sending requests without any restriction.

I’ve also checked and my current IP is not among any whitelist.

Any ideas of what could be happening?

Thanks in advance.


#25

With your current threshold, the total number of requests in the last 24 hours (cumulative) hasn’t exceeded the single-minute threshold set for the rule, according to the rate limiting analytics in the control panel.


#26

@cscharff not sure if I understood you correctly, I have even tried setting a threshold of 10 requests per minute and then tried to access more than 10 times per minute and didn’t see any change.


#27

The current threshold is 750. Are you curling the actual API endpoint or a valid URL in your testing? Rate limiting only applies if the request is to origin. A response such as a 404 would be cached by our edge so subsequent requests wouldn’t go to the origin until the cache timed out on the 404 response.
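The point in the reply above is the usual reason a rate limiting test “does nothing”: only requests that are actually forwarded to the origin count, and a 404 (or any cacheable response) is answered from the edge on repeat hits. The quickest way to see which of your test requests counted is to look at the cf-cache-status header on each response. The following is an added example written for this thread, not Cloudflare tooling: it sends N requests to a URL and reports, per request, the HTTP status and cf-cache-status, classifying HIT responses and Cloudflare’s own 429 block as not reaching the origin. The classification rule (absent header or anything other than HIT means the origin was hit) is my assumption for the purpose of this check.

```python
"""Probe a rate-limited URL and report, per request, the HTTP status and the
cf-cache-status header, so you can tell which test requests actually reached
the origin (and so count toward the rule) and which were answered from the
edge. Added example for this thread, not Cloudflare's tooling.

Assumption (mine): cf-cache-status HIT means served from cache and not
counted; 429 is the rate-limit block itself; any other value, or no header,
means the request was forwarded to the origin.

Usage: python probe.py https://www.mydomain.com/foo/bar 15
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    status: int         # HTTP status code
    cache_status: str   # value of cf-cache-status, "" if the header is absent


def reached_origin(obs):
    """True if this response implies the request was forwarded to the origin."""
    if obs.status == 429:
        return False  # Cloudflare's own rate-limit response, served at the edge
    return obs.cache_status.upper() != "HIT"


def fetch_once(url, timeout=10):
    """Issue one GET and capture status plus cf-cache-status (errors included)."""
    req = urllib.request.Request(url, headers={"User-Agent": "rl-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Observation(resp.status, resp.headers.get("cf-cache-status", ""))
    except urllib.error.HTTPError as e:
        # 4xx/5xx responses still carry the edge headers we care about
        return Observation(e.code, e.headers.get("cf-cache-status", ""))


def summarize(observations):
    """Tally origin-bound requests, edge-served requests and rate-limit blocks."""
    blocked = sum(1 for o in observations if o.status == 429)
    origin = sum(1 for o in observations if reached_origin(o))
    edge = len(observations) - origin - blocked
    return {"origin": origin, "edge": edge, "blocked": blocked}


def probe(url, n):
    """Hit `url` n times in a row and print one line per response."""
    observations = [fetch_once(url) for _ in range(n)]
    for i, o in enumerate(observations, 1):
        where = "origin" if reached_origin(o) else "edge"
        print(f"{i:3d} {o.status} cf-cache-status={o.cache_status or '-'} {where}")
    return summarize(observations)


if __name__ == "__main__":
    target = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 12
    print(probe(target, count))
```

If the summary shows one origin request followed by a run of HITs, the edge cached your test response (a 404 from a made-up path, for example) and the rule never saw more than one request; test against a URL that returns a non-cacheable (DYNAMIC) response instead.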


#28

@cscharff At this moment it’s 750, but as said before I’ve tried with very small values like 10 per minute hitting one endpoint below the current matching URL and even though I see the requests in logs in my origin server, I don’t see it being blocked. I even tried setting the matching URL to ‘*’, and still no luck.

After I tried this, I set it back to 750.


#29

It shows there were matching requests in the UI so at some point it was logging requests. But I can’t speak to any specifics around them. You might open a support ticket to see if you can reproduce with them using your URL/ data.


#30

Hello, I am on free website plan but have entered my CC details to get further rate limiting quota (beyond the free 10k for all websites).

I just want to know exactly how many requests a server sends to visit or access a page on my website. Is it 1 request to visit a page on my website? It is because I have set a rate limit rule for each IP address of 10 requests per 1 minute, beyond which to block for 1 hour.

The reason for this is I think each page visit results in 1 request, and since I don’t get much traffic (I think no one visits ten pages on my site, if 10 page visits = 10 requests) I have decided to block any IP that uses more than 10 visits (if that equals 10 requests) in one minute. Is that alright if 1 page visit is 1 request and if I don’t get more than 10 visits in one minute? Thank you for your assistance.


#31

In reference to the latest UI for configuring Rate Limiting, could you please tell me if the list of URLs in the Rate Limiting Bypass field are meant to be comma-separated or separated by carriage returns?
Example: .example.com/api/,.example.com/admin/,.example.com/users/
Or
.example.com/api/
.example.com/admin/
.example.com/users/


#32

Is this still the case with the recent new features of rate limiting?

