Rate limiting after SKIP rule in custom rules WAF

Hello,

I’m trying to understand if custom rules are processed after all the custom rules have been processed in the Cloudflare WAF.

My current situation is this: for a certain host, let’s say the subdomain ‘res’ for ‘example dot com’ (the forum doesn’t allow me to add links…), I have a rule in custom rules that says “SKIP”. I’m doing this because the WAF is causing trouble for that specific host. But I’d like to have a rate limiting rule nonetheless before this SKIP-rule that applies only to a certain uri.

Adding such a rule in the ‘rate limiting rules’ doesn’t seem to have any effect, because the SKIP rule (from the custom rules) is matched first.

So first of all, can anyone confirm that the rate limiting rules are processed only after all the custom rules are processed?
And secondly, is there any way I can use a rate limiting rule while having this SKIP custom rule applied to ‘res dot example dot com’?

This is the order of execution:

You can also see this ordering alongside the rules UI in the dashboard (on wider screens):

In any case, rate limit rules run after custom firewall rules as shown on the docs. But you can add filtering logic to the rule itself, to include or exclude the traffic you care about:


Is there any way I can solve the issue I’ve described? That would be even more important.

And another question: I see that http_ratelimit is after http_request_firewall_custom (which I take it to be the custom rules) and before http_request_firewall_managed. But http_ratelimit is not considered part of WAF in the phases list. Any reason why that is? Is there any intention in that?


I think in your case you could try removing your “skip” rule and adding a WAF exception instead (assuming you’re using the new WAF):

    • You cannot bypass the new WAF managed rules using this action, only the previous version of WAF managed rules. To skip one or more managed rules in the new WAF for specific requests, create a WAF exception.