Rate limiting full site on free plan

Which expression would cover all pages on a website?
For example, this (http.request.uri.path contains "/") will not cover https://www.example.com or Example Domain
So which expression will cover the most:
(http.request.uri.path contains ""), (http.request.uri.path contains "*") or (http.request.uri.path contains "/")?

Second question: is such a rule needed, or would Cloudflare already block high-hit IPs?

Match all requests? Use true as the expression. In this case, make sure to set the limit quite high. All resources such as JavaScript, CSS and images also count towards the limit.

Cloudflare automatically blocks DDoS attacks. However, the mitigation may only kick in when there are several thousand requests per second.

You mean each hit on a page will count as more than 1 request?
If yes, then every page refresh will count as many hits. Then would you recommend some limit per minute?

Could you help with writing an example of the true expression?
I can't find such in rate limiting rules?

Yes, each request to each resource on the page (CSS, images, etc.) hosted on the same domain counts. You can open up Dev Tools (Ctrl+Shift+I), and look at the network tab while navigating around the site, and get a rough idea of how many requests it takes to load the pages on your site, and depending on the rate-limiting period, try to pick a reasonable limit. You can always start way higher and lower the limit over time if you need to.

Just as simple as that, Edit Expression → true

@albert @Chaika

I don't think the rate limiting is counting the HTTP requests a page generates. My understanding is that each IP visit is 1 request. Am I correct?
Determining the rate · Cloudflare Web Application Firewall (WAF) docs

No. If you have 1 HTML document, 10 images and 2 JavaScript files on a page, 1 visit to that page will count as 13 requests.

I just read this: Determining the rate · Cloudflare Web Application Firewall (WAF) docs
and set rate limiting on wp-login to 3 per minute and never noticed any issue!

How does rate limiting count and reach the max rate?
Does it count each page visit per IP as one hit?
Or does it count the total number of HTTP requests generated by the page, so each page visit results in many hits?

I tested the limit of 3 only on the wp-login page and did not see the max rate reached yet.

It is basically “total number of http requests generated by the page”, but with one extra catch, it’s a total amount of requests that go to your website/zone and match your rate limiting rule. For example, if you have a rate limiting rule that only matches wp-admin.php, then all of the other requests won’t match that url. You can use Dev Tools (ctrl+shift+i or right click → inspect) and look at the network tab to see all the requests your browser makes.

If you have a generic rate limiting rule that matches all requests, all of the requests you see there to your own domain/site will count. If you have it set up to “Path equals wp-admin.php”, then only wp-admin.php matching requests will count.
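
The counting described in this thread, as an added example that is not part of the original posts and is not Cloudflare's code: a simplified fixed-window, per-IP counter run over constructed traffic, comparing a match-all rule with a path-equals rule. The path `/wp-login.php`, the sample IP address and the headroom factor are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: one visit to a page = 1 HTML + 10 images + 2 JS (13 requests).
PAGE_ASSETS = (["/wp-login.php"]
               + [f"/img/{i}.png" for i in range(10)]
               + ["/js/a.js", "/js/b.js"])

def page_view(ip, t):
    """Requests (ip, timestamp_seconds, path) a browser sends for one page view."""
    return [(ip, t, path) for path in PAGE_ASSETS]

def match_all(path):
    """Models the rule expression: true"""
    return True

def match_login(path):
    """Models a rule such as: http.request.uri.path eq "/wp-login.php" (assumed path)."""
    return path == "/wp-login.php"

def count_matching(requests, matches, period=60):
    """Count matching requests per (ip, window index). Simplified fixed-window model."""
    counts = defaultdict(int)
    for ip, t, path in requests:
        if matches(path):
            counts[(ip, t // period)] += 1
    return dict(counts)

def over_limit(requests, matches, limit, period=60):
    """IPs whose matching-request count exceeds `limit` in any window."""
    counts = count_matching(requests, matches, period)
    return sorted({ip for (ip, _), n in counts.items() if n > limit})

def suggested_limit(requests_per_view, views_per_period, headroom=2.0):
    """Starting limit: expected requests per period times an assumed safety factor."""
    return int(requests_per_view * views_per_period * headroom)

# Constructed traffic: one IP loads the page 3 times within one minute.
traffic = [r for t in (0, 20, 40) for r in page_view("198.51.100.7", t)]

if __name__ == "__main__":
    print("match-all counts:  ", count_matching(traffic, match_all))
    print("path-equals counts:", count_matching(traffic, match_login))
    print("over 3/min, match-all:  ", over_limit(traffic, match_all, limit=3))
    print("over 3/min, path-equals:", over_limit(traffic, match_login, limit=3))
    print("starting limit for 10 views/min:", suggested_limit(len(PAGE_ASSETS), 10))
```
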

Thank you. Now I know why I didn't see any limit exceeded. It is because I was using the full path /wp-admin.php

That explains it. Thank you again.
