Skip to content

Commit 0f47a48

Browse files
pedrosousaOxyjun
pedrosousa
and
Oxyjun
authored
[WAF] RL: Add note about subrequests (#25351)
--------- Co-authored-by: Jun Lee <[email protected]>
1 parent 305e9b5 commit 0f47a48

File tree

2 files changed

+21
-0
lines changed

2 files changed

+21
-0
lines changed

src/content/docs/waf/rate-limiting-rules/request-rate.mdx

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,8 @@ The counting model of this rate limiting rule is based on the number of incoming
3030

3131
- The available characteristics depend on your Cloudflare plan. Refer to [Availability](/waf/rate-limiting-rules/#availability) for more information.
3232

33+
- In some situations, Workers subrequests made to the same zone will be counted as separate requests, which will cause the rate limiting rule to trigger sooner than expected. Refer to [Troubleshooting](/waf/rate-limiting-rules/troubleshooting/#some-workers-subrequests-are-counted-as-separate-requests) for details.
34+
3335
:::
3436

3537
## Example A

src/content/docs/waf/rate-limiting-rules/troubleshooting.mdx

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Troubleshoot rate limiting rules
3+
pcx_content_type: troubleshooting
4+
sidebar:
5+
order: 30
6+
label: Troubleshooting
7+
---
8+
9+
## Some Workers subrequests are counted as separate requests
10+
11+
Cloudflare may count Workers subrequests on the same zone as separate requests, which will cause a rate limiting rule to trigger sooner than expected. This behavior happens when the rate limiting rule is configured with [**Also apply rate limiting to cached assets**](/waf/rate-limiting-rules/parameters/#also-apply-rate-limiting-to-cached-assets) set to false.
12+
13+
To prevent this behavior, you must exclude any Workers subrequests coming from the same zone from your rate limiting rule using the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field. For example, you could add the following sub-expression to your [rate limiting rule expression](/waf/rate-limiting-rules/parameters/#if-incoming-requests-match):
14+
15+
```txt
16+
and (cf.worker.upstream_zone == "" or cf.worker.upstream_zone != "<YOUR_ZONE>")
17+
```
18+
19+
The first condition (testing for an empty string) will match direct visitor requests, while the second condition will match subrequests not originating from your zone, effectively excluding subrequests from the same zone from the rate limiting rule.

0 commit comments

Comments
 (0)