Under “Rules”, “Settings” we have “Normalize URLs to origin”
I have no idea what this sentence is saying:
“In addition to URL normalization at Cloudflare’s edge, normalize URLs for traffic to the origin.”
Specifically what does “edge” mean? And what does “origin” mean?
Basically, ‘edge’ is where requests come into Cloudflare and origin is ‘where your requests are going to AFTER Cloudflare’.
To answer your question directly. If you received a request to your zone for ‘www.example.com/%cogin’, with ‘to origin’ enabled your server logs will see ‘/login’. Without, they will see ‘/%6cogin’. Make sense?
Thanks, More questions - The other setting is “Normalize incoming URLs”
If this setting is ON, does this mean that normalized URLs are used for the Couldflare firewall rules, but that the un-normalized URL is then sent to the host server?
But that if “Normalize URLs to origin” is set, then the normalized URL is also sent to the host server?
If only “Normalize incoming URLs” is on then instead of ‘/%6cogin’, Firewall Rules/Page Rules/Workers/Transform Rules/et al will see ‘/login’ instead, but ‘/%6cogin’ will be sent to the host server still.
If you enable ‘Normalize URLs to origin’, then the host server will see ‘/login’ also.
I think that email is one of those things where if you don’t know what it means, you probably don’t need it.
I knew right away what to do, because I manage multiple websites on a server, and I have a firewall set up … and my firewall has a list of “allowed” IPs that should not be blocked. So this was just telling me that I need to update that particular list.
Now if someone could only explain to me what the Cloudflare email I got today about “normalizing URL’s” means…
Hi @dyslexia,
There have been a couple of topics about this today, and a couple of different messages that you could have received, I believe.
If those don’t help, I would recommend opening a new topic with your questions.
Is there any reason NOT to normalize URL’s to origin? For example, could that break normal queries?
I notice that the Normalize at edge seems to be ON by default for all my domains, but for origin it is OFF by default.
I received an email saying normalization had not been activated on three of my domains because of conflicts with firewall rules, but when I went to check the Normalize at edge had been activated – and none of these domains had any unusual firewall rules that I could see.
The vast majority of setups are fine to normalize to origin; its only if you have applications or origin-side configurations that expect percent encoding (like certain legacy applications and some API gateways).
Thats why we took the decision to not do this globally for everyone, and instead have it only on for ‘what Cloudflare products see’ so that Firewall Rules, Page Rules, Workers, Transform Rules, et al all see a consistent input - regardless of the tricks malicious actors may use such as path traversal, encoding, etc.
If your origin doesnt need to receive encoded traffic then your fine to turn this on in both directions.
Same
When I look at the Normalization page it is On for the domain I had an email from CF saying it was NOT on.
Confused still.
If I could make a suggestion to Cloudflare, perhaps but “help” links under each option on the “Rules”, “Settings” page, as is done on the other pages. Please include clear examples, to include what happens if neither option is on, if one or the other option is on, and if both options are on.
Do not use the words “origin” or “edge” in the examples.
Thank you.
The blog post had examples that helped me understand potential ways to use this feature:
While I can see the urge to want Cloudflare to use layman’s terms, it does users of a technical service a disservice to use non-technical terms. It makes it much easier for future communication, and elevates the technical skills of Cloudflare users. “Origin” and “Edge” are also helpful for visual learners, which most people tend to be.
Agreed. I did notice the absence of these. Hopefully they’re coming soon.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.
