I have 3 API endpoints which need the same rate-limiting on Cloudflare. So, I have clubbed them together.
The rule goes like this:
If incoming requests match:
Host = "https://www.x.com" AND URI Path = "/a"
OR
Host = "https://www.x.com" AND URI Path = "/b"
OR
Host = "https://www.x.com" AND URI Path = "/c"
(Notice the usage of AND and OR operators above)
with the same characteristics:
Header value of identifier
When rate exceeds:
10 requests in 1 minute
Then take action:
Block requests for 1 day
What happens out of the following:
Are individual counter buckets created for paths a, b & c?
So, only when a user makes 10 requests for path a (or 10 requests for path b or 10 requests for path c) within a minute, the user gets blocked for a day.
Is a common counter bucket created for all paths a, b & c combined together?
So, if a user makes 7 requests for path a and 3 requests for path c within a minute, the user gets blocked for a day.
Are individual counter buckets created for paths a, b & c?
So, only when a user makes 10 requests for path a (or 10 requests for path b or 10 requests for path c) within a minute, the user gets blocked for a day.
No, the bucket only counts on the Header value of identifier in this case.
You need to set the AND Path condition additionally.
Is a common counter bucket created for all paths a, b & c combined together?
So, if a user makes 7 requests for path a and 3 requests for path c within a minute, the user gets blocked for a day.
Yes. If you want a separate bucket for each path, you will have to do the thing above.
See this documentation in detail
https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/
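The counting behaviour described in the answer, as an added example that is not part of the thread and is not Cloudflare's code: a simplified sliding-window model in which the counter key is built from the rule's characteristics, run once with the identifier header alone and once with the path added. The field names, the sample traffic and the choice to treat reaching 10 as tripping the rule (the thread's wording) are assumptions; the 1-day block itself is not modelled.

```python
from collections import defaultdict, deque

PERIOD = 60                       # seconds: "10 requests in 1 minute"
LIMIT = 10
MATCH_PATHS = {"/a", "/b", "/c"}  # the three OR-ed paths in the rule expression


def peak_counts(requests, characteristics):
    """Return {bucket_key: highest count seen in any PERIOD-second window}.

    requests: (timestamp_seconds, identifier_header, path) tuples, sorted by time.
    characteristics: field names ("identifier", "path") that form the counter key.
    """
    windows = defaultdict(deque)
    peaks = {}
    for ts, ident, path in requests:
        if path not in MATCH_PATHS:
            continue  # does not match the rule expression, so it is never counted
        fields = {"identifier": ident, "path": path}
        key = tuple(fields[name] for name in characteristics)
        window = windows[key]
        window.append(ts)
        while window[0] <= ts - PERIOD:  # drop hits older than the period
            window.popleft()
        peaks[key] = max(peaks.get(key, 0), len(window))
    return peaks


def tripped(peaks, limit=LIMIT):
    # Assumption: a bucket that reaches the limit trips the rule, as the thread words it.
    return sorted(key for key, count in peaks.items() if count >= limit)


# Constructed sample traffic: user-1 sends 7 requests to /a and 3 to /c inside
# one minute, user-2 sends one request to /b, and one request misses the rule.
SAMPLE = (
    [(i * 5, "user-1", "/a") for i in range(7)]
    + [(35 + i * 5, "user-1", "/c") for i in range(3)]
    + [(50, "user-2", "/b"), (52, "user-1", "/other")]
)

if __name__ == "__main__":
    for chars in (("identifier",), ("identifier", "path")):
        peaks = peak_counts(SAMPLE, chars)
        print(chars, peaks, "tripped:", tripped(peaks))
```

With the header as the only characteristic, user-1's requests to /a and /c land in one bucket; adding the path to the key splits them into separate buckets that stay under the limit.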