Create a custom ruleset using the API

To deploy custom rules at the account level, you must create a custom ruleset with one or more rules. Use the Rulesets API to work with custom rulesets using the API.

Procedure

To deploy a custom ruleset in your account, follow these general steps:

Create a custom ruleset in the http_request_firewall_custom phase with one or more rules.
Deploy the ruleset to the entry point ruleset of the http_request_firewall_custom phase at the account level.

Currently, you can only deploy WAF custom rulesets at the account level.

1. Create a custom ruleset

The following example creates a custom ruleset with a single rule in the rules array.

curl "https://api.cloudflare.com/api/v4/accounts/{account_id}/rulesets" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "",
  "kind": "custom",
  "name": "My custom ruleset",
  "rules": [
    {
      "description": "Challenge web traffic (not /api)",
      "expression": "not starts_with(http.request.uri.path, \"/api/\")",
      "action": "managed_challenge"
    }
  ],
  "phase": "http_request_firewall_custom"
}'

Save the ruleset ID in the response for the next step.

2. Deploy the custom ruleset

To deploy the custom ruleset, add a rule with "action": "execute" to the http_request_firewall_custom phase entry point ruleset at the account level.

Invoke the Get an account entry point ruleset operation to obtain the definition of the entry point ruleset for the http_request_firewall_custom phase. You will need the account ID for this task.
Terminal window
```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/http_request_firewall_custom/entrypoint" \
--header "Authorization: Bearer <API_TOKEN>"
```
```
{
  "result": {
    "description": "Account-level phase entry point",
    "id": "<RULESET_ID>",
    "kind": "root",
    "last_updated": "2024-03-16T15:40:08.202335Z",
    "name": "root",
    "phase": "http_request_firewall_custom",
    "rules": [
      // ...
    ],
    "version": "9"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create an account ruleset rule operation to add an execute rule to the existing ruleset deploying the custom ruleset. By default, the rule will be added at the end of the list of rules already in the ruleset.

The following request creates a rule that executes the custom ruleset with ID <CUSTOM_RULESET_ID> for all Enterprise zones in the account:
Terminal window
```
curl "https://dash.cloudflare.com/api/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "Execute custom ruleset",
  "expression": "(cf.zone.plan eq \"ENT\")",
  "action": "execute",
  "action_parameters": {
    "id": "<CUSTOM_RULESET_ID>"
  },
  "enabled": true
}'
```
You can only apply custom rulesets to incoming traffic of zones on an Enterprise plan. To enforce this requirement, you must include cf.zone.plan eq "ENT" in the expression of the execute rule deploying the custom ruleset.

If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create an account ruleset operation. Include a single rule in the rules array that executes the custom ruleset for all incoming requests of Enterprise zones in your account.

curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "",
  "kind": "root",
  "name": "Account-level phase entry point",
  "rules": [
    {
      "action": "execute",
      "expression": "(cf.zone.plan eq \"ENT\")",
      "action_parameters": {
        "id": "<CUSTOM_RULESET_ID>"
      }
    }
  ],
  "phase": "http_request_firewall_custom"
}'

Next steps

Use the different operations in the Rulesets API to work with the custom ruleset you just created and deployed. The following table has a list of common tasks for working with custom rulesets at the account level:

Task	Procedure
Get list of custom rulesets	Use the List account rulesets operation and search for rulesets with `"kind": "custom"` and `"phase": "http_request_firewall_custom"`. The response will include the ruleset IDs. For more information, refer to List existing rulesets.
List all rules in a custom ruleset	Use the Get an account ruleset operation with the custom ruleset ID to obtain the list of configured rules and their IDs. For more information, refer to View a specific ruleset.
Update a custom rule	Use the Update an account ruleset rule operation. You will need to provide the custom ruleset ID and the rule ID. For more information, refer to Update a rule in a ruleset.
Delete a custom rule	Use the Delete an account ruleset rule operation. You will need to provide the custom ruleset ID and the rule ID. For more information, refer to Delete a rule in a ruleset.

More resources

For more information on working with custom rulesets, refer to Work with custom rulesets in the Ruleset Engine documentation.

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings