Rate Limiting Rules

We have a few different Rate Limiting Rules.
When a page request comes into Cloudflare, and it matches two or more of our Rate Limiting rules, do both Rate Limiting Rules count the event?

For example, we have one rule that protects our login page so that brute force password attempts are thwarted after a handful of attempts within 1 minute. This rule is very specific. It blocks this specific login page.

We also have a more general rule that protects our web servers from IP Addresses that make many high speed requests. This rule is very general. The match is for “/” with only a few Bypass entries so that images and such are not counted. This very general rule blocks an IP address that requests more than about 60 pages within a minute.

We have a few other rate limiting rules that are very specific and will prevent a robot from using the print page function repetitively, or the contact us page repetitively.

How does the Rate Limiting rule engine process page requests that match two or more of our Rate Limiting rules?

If it depends upon the sequence of these Rate Limiting rules, how does one control the sequence? That is possible with Firewall Rules. But how does one control the sequence of Rate Limiting Rules? Or does it not matter?

That’s a great question. Most filters here work their way down a priority list. As soon as it gets a match, it doesn’t go through any more rules. Workers works this way, seemingly regardless of their order on the screen. Page Rules and Firewall Rules need to be manually ordered for priority.

I’d expect Rate Limiting to work the same way, but only Cloudflare knows for sure. Maybe @cloonan can answer this.

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.