Traffic sequence - some queries & UI visibility

Current traffic sequence is -
DDoS > URL Rewrites > Page Rules > IP Access Rules > Bots > WAF > Header Modification > Workers > Origin

Query 1) Can you please provide details on where the following stages/blocks fit into the above traffic sequence ?

Normalize incoming URLs ??
Normalize URLs to origin ??
Rate Limiting Rules ??
Firewall Rules ?? == WAF ?
User Agent Blocking == WAF ?
Tiered Cache UPPER TIER (Colo/POP/DataCenter/Edge) ?
Tiered Cache LOWER TIER (Colo/POP/DataCenter/Edge) ?
Cache Reserve (storage bucket) ?
Argo Smart Routing (Colo/POP/DataCenter/Edge) ?

Query 2) There’s a UI visibility issue with the Traffic sequence UI block. On the Desktop website (latest Chrome browser on Windows), the traffic sequence UI block is only visible when I zoom out to 50% (reduce screen size). Otherwise its not even visible. I have seen in the community posts that this has been reported earlier. Is anyone else facing same issue in their web browsers ? Please review.

Query 3) The Traffic Sequence UI block should be a collapsible component and should be placed next line to the main H1 heading of the webpage, so that its easily visible near the top of page and being collapsible not takes up much space. Please review.

Please VOTE UP on the post if you agree on these feature requests.
Also can anyone share details on Query 1 above.

Thank you.

This post was flagged by the community and is temporarily hidden.

#1
Normalize incoming URLs ??
Before everything else at L7 (except DDoS).

Normalize URLs to origin ??
Prior to going to origin (i.e. leaving the Cloudflare zone).

Rate Limiting Rules ??
Firewall Rules ?? == WAF ?
User Agent Blocking == WAF ?

@mstremante can confirm but AFAIR the order shown in the WAF UI tab (Firewall Rules > Custom Rules > Rate limiting rules > Managed Rules > ‘Tools’) was designed to reflect the order of traffic flow within the WAF scope.

Cache will run typically after Workers/LB.

#2
We’re aware, we’ve got a ticket open with the UI team to see how how we can make Traffic Sequence visible on lower resolutions. The intention is to hide it when there is insufficient room on the browser window to render it; however since the move to side nav from top-nav we may need to rethink how we do that.

#3
We had this originally and removed it as no one used it. We wont be re-adding it.

3 Likes

Thanks for detailed response.

For CF-Status = Dynamic i.e. request goes to origin server, can you please confirm which one of the below sequence is correct ?

Client --> CF POP (nearest to client) --> Origin
or
Client --> CF POP (nearest to client) --> re-route to CF POP (nearest to Origin) --> Origin and same way back ?

As per my test results, it seems to be the second case.

If you use Argo Smart Routing or Cloudflare Tunnel, Cloudflare will route the request through a PoP close to your origin (second case). With Argo Smart Routing the CF-RAY header sent to your origin will signal the “exit PoP”. Not sure if this is also the case with Cloudflare Tunnel.

If you don’t use Argo Smart Routing or Cloudflare Tunnel, Cloudflare will directly contact your origin from the “entry PoP” (first case). Since there’s only one PoP in use, the CF-RAY header will surely contain that PoP.

1 Like

I am seeing strange results - CF_RAY colo (id-colo) sent to my origin server by CF as part of http request headers is DIFFERENT from the CF_RAY colo (id-colo) finally sent back to the client/browser.

See pic below -
On left side, AMS is the colo rcvd by the origin server (origin server in DE)
On right side, SIN is the colo rcvd in the client web browser http response header (client in IN)

What would this mean ? CF_RAY id is same, but the CF_RAY colo part varies.

The CF-RAY header in responses (Cloudflare → Client) will contain the colo that the client connected to. The CF-RAY header in requests (Cloudflare → Server) will contain the colo that Cloudflare uses to connect to your origin.

If you use Argo Smart Routing or Cloudflare Tunnel, the request will be routed through a colo close to your origin server. That is why the colo part of the CF-RAY header can vary.

1 Like