Configuring Rate Limiting from the Cloudflare Dashboard

Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer. You have a great deal of control when configuring Rate Limiting in the Cloudflare dashboard.

Rate Limiting is an add-on service (available in all user plans) that when enabled, appears in the Firewall app of the Cloudflare dashboard. For subscription information, visit Cloudflare Pricing.

Overview

You can use the following image of the Create a Rate Limiting Rule dialog as a reference for the instructions outlined below. Note that certain advanced features are available exclusively for Pro, Business and Enterprise customers (labeled with P, B, and E, respectively).

[Image: the Create a Rate Limiting Rule dialog, annotated with the plan labels P, B, and E]

You can see a list of existing rules under the Rate Limiting section of the Firewall app in the Cloudflare dashboard. This is where you can edit or remove existing rules.

Configure a basic Rate Limiting rule

Rate Limiting features a one-click Protect Your Login tool that creates a rule to block a client for 15 minutes when it sends more than 5 POST requests within 5 minutes. This is sufficient to block most brute-force attempts.

To configure a basic rate limiting rule:

1. Log in to the Cloudflare dashboard.

2. Ensure the website you want to update is selected.

3. Click the Firewall app.

4. Click Create a custom rule. A dialog opens with a UI similar to the one depicted above, based on your current Cloudflare plan.

5. Enter a descriptive Rule Name.

6. For If Traffic Matching URL, select an HTTP scheme from the dropdown and a URL.

7. In from the same IP address exceeds, enter an integer greater than 1 to represent the number of requests in a sampling period.

8. For requests per, select the sampling period (the period during which requests are counted).

Enterprise customers can also type a value between 1 and 3600 seconds. 

9. In Then block matching traffic from that visitor, enter the duration of the block once a threshold has been triggered.

Enterprise customers can also type a value between 10 and 86400 seconds.

10. To activate your new rule, click Deploy.

Pro, Business, and Enterprise customers see a Deploy (Live) or Deploy (Simulate) button depending on the Mode selected under Advanced Response.

Once deployed, your new rule is listed under the Rate Limiting section of the Firewall app. 

At this point, you can edit the rule to add Advanced Criteria, Advanced Response, and Bypass details.

Configure Advanced Criteria for a Rate Limiting rule

The Advanced Criteria option allows you to specify which HTTP methods and origin response codes to match for your Rate Limiting rule.

Advanced Criteria is only available to Business and Enterprise customers.

To configure your advanced criteria, while creating a new rule or editing an existing one:

1. In the dialog, click to expand Advanced Criteria.

2. Select a value from the Method(s) dropdown. The value of ANY is selected by default to match all HTTP methods.

3. Under Origin Response code(s), type the valid numerical value of each HTTP response code to match. To include 2 or more response codes, separate each value with a comma.

At this point you can deploy your changes or configure additional features. 

Configure Advanced Response for a Rate Limiting rule

The Advanced Response option allows you to specify the format of the information returned by Cloudflare when a rule's threshold has been exceeded and requests are being blocked. You can also set the mode in which matched requests are handled.

Advanced Response is only available to Pro, Business, and Enterprise customers.

About the Mode option

It is important to understand how the Mode option works. When actions are triggered due to a matched rule, you can choose from the following modes:

  • Simulate - logs requests that would otherwise be blocked.
  • Live - blocks traffic and clients matched against the rule.

Enterprise customers are the only ones who can view the log entries generated by a Rate Limiting rule through the Enterprise Log Share (ELS) feature. To learn more, see ELS and Rate Limiting. Non-Enterprise customers can get a sense of logged entries by looking at the Rate Limiting Analytics graph.

Configure your advanced response

While creating a new rule or editing an existing one:

1. In the dialog, click to expand Advanced Response.

2. Select an available format from the Response type dropdown. The top limit for response size is 32kb.

3. Select the Mode.

At this point you can deploy your changes or configure additional features.

Configure the Bypass option for a Rate Limiting rule

Bypass lets you create the equivalent of a whitelist or exception for a set of URLs.  That is, no actions trigger for those URLs even if the Rate Limiting rule is matched.

To create a bypass:

1. In the dialog, click to expand Advanced Criteria.

2. In the Bypass rule for these URLs text box, enter the URL(s) to apply the exception to. Each URL must be on its own line.

At this point you can deploy your changes or configure additional options.
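The following Python model is an added illustration, not Cloudflare's code, of how the settings from the sections above (threshold and sampling period, block duration, Advanced Criteria, the Live/Simulate Mode, and Bypass URLs) combine when a rule is evaluated. The `/login/healthcheck` bypass URL and the client IPs are constructed sample values; the sliding-window counting is an assumption made to keep the model simple.

```python
from collections import defaultdict, deque


class RateLimitRule:
    """Model of one dashboard Rate Limiting rule (added illustration, not Cloudflare code)."""

    def __init__(self, url_prefix, threshold, period, block_duration,
                 methods=("ANY",), response_codes=(), mode="Live", bypass=()):
        self.url_prefix = url_prefix                # "If Traffic Matching URL"
        self.threshold = threshold                  # "exceeds N requests"
        self.period = period                        # "per P seconds" (sampling period)
        self.block_duration = block_duration        # "block ... for D seconds"
        self.methods = set(methods)                 # Advanced Criteria: Method(s)
        self.response_codes = set(response_codes)   # Advanced Criteria: Origin Response code(s)
        self.mode = mode                            # Advanced Response: "Live" or "Simulate"
        self.bypass = set(bypass)                   # Bypass: URLs exempt from the action
        self._hits = defaultdict(deque)             # client IP -> timestamps of counted requests
        self._blocked_until = {}                    # client IP -> time the block expires
        self.log = []                               # (time, ip, action), as Simulate would log

    def handle(self, now, ip, method, url, origin_status):
        """Return 'allow', 'block' (Live mode) or 'simulate' (Simulate mode) for one request."""
        if url in self.bypass or not url.startswith(self.url_prefix):
            return "allow"                          # bypassed or outside the rule's URL
        if "ANY" not in self.methods and method not in self.methods:
            return "allow"                          # method not covered by the rule
        action = "block" if self.mode == "Live" else "simulate"
        if self._blocked_until.get(ip, 0) > now:
            return action                           # still inside the block window
        # The request is forwarded; only count it if the origin's status matches
        # the configured response codes (an empty set matches any status).
        if self.response_codes and origin_status not in self.response_codes:
            return "allow"
        hits = self._hits[ip]
        hits.append(now)
        while hits and hits[0] <= now - self.period:
            hits.popleft()                          # drop requests outside the sampling period
        if len(hits) > self.threshold:              # "exceeds" means strictly more than N
            self._blocked_until[ip] = now + self.block_duration
            self.log.append((now, ip, action))
            return action
        return "allow"


def protect_your_login(mode="Live"):
    """The one-click rule from the page: more than 5 POSTs in 5 minutes -> 15-minute block."""
    return RateLimitRule("/login", threshold=5, period=300, block_duration=900,
                         methods=("POST",), mode=mode, bypass=("/login/healthcheck",))
```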
