WAF Doesn't Work To Bypass Rate Limiting Rules (And Many Problems With Rate Limit)

I’ve created a rule under Rate Limiting Rules. If the requests exceed 30 in 10 seconds, the client will be blocked automatically (all requests to my domain are affected, not just one URL).

I know that will cause many problems. I’m OK with that, because there is a Security Overview option to monitor what’s going on with the rule.

The first problem is that Googlebot, Bing (and other bots) are blocked by the limit rules. So I created WAF rules to Bypass All Known Bots from Hotlink Protection, Security Level, and Rate Limiting.

But there is a weird thing after the rules have been running for half a day. There are some Google bots that are still blocked even though they have been bypassed in the WAF rules, and even though those rules have the first priority.

So I changed the rules from Bypass to Allow. And so far no problems have come up.

The second problem is myself (who gets blocked by the limit rules). So I created a second WAF rule to bypass myself from rate limiting with the same User Agent and ASN.

In short, a similar incident happened when I changed the IP address, even though it’s clear that the ASNum and User Agent are exactly the same (not a single letter is different). But finally, I needed to change the rule from BYPASS to ALLOW.

The third problem is really weird! My origin server IP is blocked too by the rate limit rule. I have no idea about that, because Cloudflare is connected to that IP address. Why does it still get blocked?

Well, someone please tell the Cloudflare team to resolve this.

The fifth problem comes from another website that I manage (actually not yet a problem, because I don’t know what’s going on there). When I check in the dashboard, there are too many visitors getting blocked by the rate limit rules (I’m still using the same limit rule configuration, which is 30 requests max in 10 seconds).

So I checked them all (one by one). I found that some people get blocked when requesting the favicon logo, the logo banner and file downloads.

Note: I have one post that contains 100 download links.

I don’t know how requests are calculated. And these are my questions:

  1. Is one click action (let’s say someone downloads a file) considered as 1x request?
  2. Then why does someone get blocked when requesting the favicon? Like, who wants to visit the favicon over and over again?
  3. Does that mean that if someone does 1x page load it contains more than 1 request? I wonder about it a lot, because the theme I use is pretty complex (contains many elements and flows), see Anton JR.
  4. I think even the fastest finger won’t be able to download 30 files in 10 seconds. So, how many requests are there when someone clicks the download button? Why do they still get blocked? Is that an indication that the one who downloaded my file is not a human?
  5. I tried to clear the cache in the WordPress dashboard, but later on I got limited. Is the cache cleared or not?
  6. UPDATE: I was just editing a post, but suddenly got limited. After I checked in the Overview, there is no block history for the rate limit rule, even after waiting 2-3 minutes and refreshing. So, are Cloudflare’s limit rules worth it? Because there are many bugs and sometimes things are out of our sight.

Thanks so much if someone answers my bunch of questions.

It depends™. If the transfer is done in chunks, it will count as many requests.


:thinking:


Loading one site can add up to a few hundred requests in some cases; it depends completely on how your site is structured and how many assets the page loads.


Honestly, most of your points seem like user error; rate limiting isn’t meant to be used the way you are currently using it.
Rate limiting entire websites is a bad idea because there are no general rules that work for all pages (generally; exceptions may apply in some cases).

My tip: Don’t use rate limit unless you know well where to use it and why you need it.

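To make the two points above concrete (one page load is many requests, and a site-wide threshold behaves very differently from a path-scoped one), here is an added worked example that is not code from the original thread or from Cloudflare: a toy sliding-window rate limiter run over a constructed access log. The IP address, the theme folder `/wp-content/themes/anton/`, the asset names and the 30-requests-per-10-seconds threshold are assumptions chosen to mirror the thread; real products may count, key and time out differently.

```python
"""Toy sliding-window rate limiter over a constructed access log.

Shows why a site-wide "30 requests / 10 s" rule trips on a single page load
(the HTML plus every CSS/JS/image the theme pulls in, and finally the
favicon), while the same limit scoped to a few paths does not.
"""
from collections import defaultdict, deque

LIMIT = 30      # max counted requests per client ...
WINDOW = 10.0   # ... per sliding window of this many seconds (assumption from the thread)


def parse_line(line):
    """Constructed log format: '<unix_ts> <client_ip> <method> <path>'."""
    ts, ip, method, path = line.split()
    return float(ts), ip, method, path


def page_load(ip, t0, page, n_assets):
    """Constructed traffic: one browser page load = HTML, n_assets sub-resources
    fetched ~40 ms apart, and the favicon requested last (browsers fetch it late)."""
    lines = [f"{t0:.2f} {ip} GET {page}"]
    for i in range(n_assets):
        kind = ("css", "js", "png")[i % 3]
        folder = "/wp-content/uploads/" if kind == "png" else "/wp-content/themes/anton/"
        lines.append(f"{t0 + 0.04 * (i + 1):.2f} {ip} GET {folder}asset-{i}.{kind}")
    lines.append(f"{t0 + 0.04 * (n_assets + 1) + 0.5:.2f} {ip} GET /favicon.ico")
    return lines


class SlidingWindowLimiter:
    """Counts requests per client IP inside a sliding window.

    scope(path) decides whether a request is counted at all; the default
    counts everything, which is the "whole domain" configuration from the thread.
    """

    def __init__(self, limit=LIMIT, window=WINDOW, scope=lambda path: True):
        self.limit, self.window, self.scope = limit, window, scope
        self.hits = defaultdict(deque)  # ip -> timestamps of counted requests

    def check(self, ts, ip, path):
        if not self.scope(path):
            return "skipped"            # outside the rule's scope: never counted
        q = self.hits[ip]
        while q and q[0] <= ts - self.window:
            q.popleft()                 # drop hits that fell out of the window
        q.append(ts)                    # blocked hits still count, so retrying does not reset
        return "blocked" if len(q) > self.limit else "allowed"


def run(lines, limiter):
    """Replay log lines through the limiter; return a verdict summary and the blocked paths."""
    summary = {"allowed": 0, "blocked": 0, "skipped": 0}
    blocked_paths = []
    for line in lines:
        ts, ip, _, path = parse_line(line)
        verdict = limiter.check(ts, ip, path)
        summary[verdict] += 1
        if verdict == "blocked":
            blocked_paths.append(path)
    return summary, blocked_paths


# Scope used by the narrower rule: only the homepage and uploaded images are counted.
def homepage_and_images(path):
    return path == "/" or path.startswith("/wp-content/uploads/")


if __name__ == "__main__":
    # One visitor (constructed IP) loads one blog post whose theme pulls 33 assets.
    visit = page_load("203.0.113.7", 1_700_000_000.0, "/blog/post-with-downloads/", 33)
    print(f"{len(visit)} requests for a single page load")
    print("site-wide rule :", run(visit, SlidingWindowLimiter()))
    print("scoped rule    :", run(visit, SlidingWindowLimiter(scope=homepage_and_images)))
```

With the site-wide rule the 35-request page load has its last five requests blocked, and the final one is `/favicon.ico`: the visitor never "visited the favicon over and over", it was simply the request that happened to arrive after the 30th. Scoping the rule to the homepage and uploaded images counts only 11 of those requests and blocks none. A real download of one file is one request unless the client fetches it in ranges, in which case each range is its own request.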

OK, thanks for answering.

I just found out that 1x load doesn’t mean the visitor asks for only 1 request. I realize that the problem is that I didn’t know how the requests are made.

I got a new idea. I think I’ll not limit the entire website, just the homepage and images. Thanks Mr. @jnperamo, hope your days are going well.

