Configuring Rate Limiting in the Cloudflare Dashboard

Cloudflare Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer. 

Rate Limiting is an add-on service (available in all user plans) that, when enabled, appears in the Firewall app of the Cloudflare dashboard. For subscription information, visit Cloudflare Pricing.

Overview

Cloudflare Rate Limiting supports multiple levels of configuration control depending on the Cloudflare plan that your zone is subscribed to.

You can see a list of existing rules for your zone under the Rate Limiting section of the Firewall app in the Cloudflare dashboard. This is where you can add, edit, and remove existing rules.

The instructions on this page are tiered by customer plan. The table below maps out what you can do based on your plan.

#   Task                                     Available in
1   Configure a basic Rate Limiting rule     All plans
2   Configure Advanced Criteria              Business and Enterprise plans
3   Configure Advanced Response              Business and Enterprise plans
4   Configure the Bypass option              Enterprise plan

The tasks in this page are designed to help you get started.  For more in-depth information, consult Cloudflare Rate Limiting.


Task 1: Configure a basic Rate Limiting rule

Rate Limiting features a one-click Protect Your Login tool that creates a rule to block the client for 15 minutes when sending more than 5 POST requests within 5 minutes. This is sufficient to block most brute-force attempts.

To configure a basic rate limiting rule:

1. Log in to the Cloudflare dashboard.

2. Ensure the website you want to update is selected.

3. Click the Firewall app.

4. Click Create a custom rule. A dialog opens where you specify the details of your new rule.


5. Enter a descriptive Rule Name.

6. For If Traffic Matching the URL, select an HTTP scheme from the dropdown as well as a URL.

7. In from the same IP address exceeds, enter an integer greater than 1 to represent the number of requests in a sampling period.

8. For requests per, select the sampling period (the period during which requests are counted).

Enterprise customers can also type a value between 1 and 3600 seconds.

9. For the Then dropdown, pick one of the available actions based on your plan:

Block (All plans): Cloudflare issues a 429 error when the threshold is exceeded.

Challenge (Pro, Business, and Enterprise plans): User has to pass a Google reCAPTCHA challenge before proceeding. If successful, Cloudflare accepts the request. Otherwise, the request is blocked.

JS Challenge: User has to pass a Cloudflare JavaScript Challenge before proceeding. If successful, Cloudflare accepts the request. Otherwise, the request is blocked.

Simulate: Cloudflare does not block any requests but instead logs them in Enterprise Log Share (ELS) as simulate. You can use this option to test your rule before applying any of the other options in your live environment.

10. If you selected Block or Simulate, for matching traffic from that visitor for, select how long to apply the option once a threshold has been triggered.

Enterprise customers can also type a value between 10 and 86400 seconds.

11. To activate your new rule, click Save and Deploy.

Once deployed, your new rule is listed under the Rate Limiting section of the Firewall app. 

At this point and based on your plan, you can edit your rule to add Advanced Criteria, Advanced Response, and Bypass details.


Task 2: Configure Advanced Criteria

The Advanced Criteria option allows you to specify which HTTP methods, HTTP response headers, and origin response codes must match for your Rate Limiting rule to count a request.

Advanced Criteria is only available to Business and Enterprise customers.

To configure your advanced criteria while creating a new rule or editing an existing one, follow these steps:

1. In the dialog, click Advanced Criteria. That section of the dialog expands to display the options available.


2. Select a value from the Method(s) dropdown. The value of ANY is selected by default to match all HTTP methods.

3. Update HTTP Response Header(s) by editing the default header included. You can also click Add header response field to include further headers returned by your origin web server.

If you list more than one header under HTTP Response Header(s), all of them must match (AND logic). To exclude a header from being matched, use the Not Equals option. Each header value must match exactly, but the comparison is case-insensitive.

4. Under Origin Response code(s), type the valid numerical value of each HTTP response code to match. To include 2 or more response codes, separate each value with a comma; for example, you can enter 401, 403 if you only want those two error codes to count.

5. At this point, you can deploy your changes by clicking Save and Deploy or configure additional features based on your plan.


Task 3: Configure Advanced Response

The Advanced Response option allows you to specify the format of the information returned by Cloudflare when a rule's threshold has been exceeded and requests are being blocked. 

Advanced Response is only available to Business and Enterprise customers.

Enterprise customers are the only ones who can view the log entries generated by a Rate Limiting rule through the Enterprise Log Share (ELS) feature. To learn more, see ELS and Rate Limiting. Non-Enterprise customers can get a sense of logged entries by looking at the Rate Limiting Analytics graph.

Configure your advanced response

To configure your advanced response while creating a new rule or editing an existing one, follow these steps:

1. In the dialog, click Advanced Response. That section of the dialog expands to display a dropdown.


2. In the Response type dropdown, select an available format. The maximum response size is 32 KB.

3. At this point you can deploy your changes by clicking Save and Deploy, or configure additional features based on your plan.


Task 4: Configure the Bypass option

Bypass lets you create the equivalent of a whitelist or exception for a set of URLs.  That is, no actions trigger for those URLs even if the Rate Limiting rule is matched.

Bypass is only available to Enterprise customers.

To configure your bypass while creating a new rule or editing an existing one, follow these steps:

1. In the dialog, click Bypass. That section of the dialog expands to display a text box.


2. In the Bypass rule for these URLs text box, enter the URL(s) to apply the exception to. Each URL must be on its own line.

3. At this point you can deploy your changes by clicking Save and Deploy, or configure additional features based on your plan.
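As an added example (not Cloudflare's code or API) of how the fields from Tasks 1, 2 and 4 combine at evaluation time, here is a small Python model of one rule: a per-visitor request count over the sampling period, the Block timeout, the Method(s) and Origin Response code(s) filters, and the Bypass list. Prefix matching of the rule URL, the request dict layout and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict, deque

class RateLimitRule:
    # Constructed model of the dashboard rule fields on this page, not Cloudflare's API.
    def __init__(self, url, threshold, period, timeout, methods=(), status_codes=(), bypass_urls=()):
        self.url = url                          # Task 1: rule URL, matched here as a prefix (assumption)
        self.threshold = threshold              # requests "from the same IP address exceeds"
        self.period = period                    # sampling period ("requests per"), in seconds
        self.timeout = timeout                  # how long Block applies to that visitor, in seconds
        self.methods = set(methods)             # Task 2: empty behaves like ANY
        self.status_codes = set(status_codes)   # Task 2: origin codes that count; empty means all
        self.bypass_urls = set(bypass_urls)     # Task 4: exact-match exceptions

class RateLimiter:
    def __init__(self, rule):
        self.rule = rule
        self.hits = defaultdict(deque)   # ip -> timestamps of counted requests
        self.blocked_until = {}          # ip -> time at which the Block action expires

    def handle(self, req):
        """Return 'bypass', 'allow' or 'block' (the 429) for one request dict."""
        r, ip, now = self.rule, req["ip"], req["ts"]
        if req["url"] in r.bypass_urls:               # Task 4: no action triggers for bypassed URLs
            return "bypass"
        if not (req["url"].startswith(r.url) and (not r.methods or req["method"] in r.methods)
                and (not r.status_codes or req["status"] in r.status_codes)):
            return "allow"                            # request does not match the rule at all
        if self.blocked_until.get(ip, 0) > now:       # mitigation still active for this visitor
            return "block"
        window = self.hits[ip]
        while window and window[0] <= now - r.period: # drop hits outside the sampling period
            window.popleft()
        window.append(now)
        if len(window) > r.threshold:                 # "exceeds": strictly more than threshold
            self.blocked_until[ip] = now + r.timeout
            window.clear()
            return "block"
        return "allow"

def login_scenario():
    """Protect Your Login equivalent: more than 5 POSTs in 5 minutes blocks that IP for 15 minutes."""
    rl = RateLimiter(RateLimitRule("example.com/api", 5, 300, 900, methods=["POST"],
                                   status_codes=[401, 403], bypass_urls=["example.com/api/health"]))
    # Constructed traffic: (ip, ts, url, method, status the origin would return for it)
    traffic = [("203.0.113.5", t, "example.com/api/login", "POST", 401) for t in range(0, 60, 10)]
    traffic += [("203.0.113.5", 100, "example.com/api/login", "POST", 401),   # still inside timeout
                ("203.0.113.5", 100, "example.com/api/login", "GET", 200),    # method not matched
                ("203.0.113.5", 120, "example.com/api/health", "POST", 200),  # bypassed URL
                ("198.51.100.7", 130, "example.com/api/login", "POST", 401),  # different visitor
                ("203.0.113.5", 1000, "example.com/api/login", "POST", 401)]  # timeout expired
    return [rl.handle(dict(zip(("ip", "ts", "url", "method", "status"), t))) for t in traffic]
```

The sixth POST from the same address is the one that trips the rule, and that visitor's matching traffic stays blocked until the timeout elapses while non-matching methods, other visitors and bypassed URLs are unaffected.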


Next steps

Visit Cloudflare Rate Limiting for more in-depth information.
