Date: 2024-03-16

Note: This feature requires an Enterprise plan with a paid add-on.

To deploy custom rules at the account level, you must create a custom ruleset with one or more rules. Use the Rulesets API to work with custom rulesets.

Procedure

To deploy a custom ruleset in your account, follow these general steps:

1. Create a custom ruleset in the http_request_firewall_custom phase with one or more rules.
2. Deploy the ruleset to the entry point ruleset of the http_request_firewall_custom phase at the account level.

Currently, you can only deploy WAF custom rulesets at the account level.

1. Create a custom ruleset

The following example creates a custom ruleset with a single rule in the rules array.

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "description": "",
      "kind": "custom",
      "name": "My custom ruleset",
      "rules": [
        {
          "description": "Challenge web traffic (not /api)",
          "expression": "not starts_with(http.request.uri.path, \"/api/\")",
          "action": "managed_challenge"
        }
      ],
      "phase": "http_request_firewall_custom"
    }'

Save the ruleset ID in the response for the next step.

2. Deploy the custom ruleset

To deploy the custom ruleset, add a rule with "action": "execute" to the http_request_firewall_custom phase entry point ruleset at the account level.

1. Invoke the Get an account entry point ruleset operation to obtain the definition of the entry point ruleset for the http_request_firewall_custom phase. You will need the account ID for this task.

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/http_request_firewall_custom/entrypoint" \
    --header "Authorization: Bearer <API_TOKEN>"

    {
      "result": {
        "description": "Account-level phase entry point",
        "id": "<RULESET_ID>",
        "kind": "root",
        "last_updated": "2024-03-16T15:40:08.202335Z",
        "name": "root",
        "phase": "http_request_firewall_custom",
        "rules": [
          // ...
        ],
        "version": "9"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create an account ruleset rule operation to add an execute rule to the existing ruleset deploying the custom ruleset. By default, the rule will be added at the end of the list of rules already in the ruleset.

The following request creates a rule that executes the custom ruleset with ID <CUSTOM_RULESET_ID> for all Enterprise zones in the account:

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "description": "Execute custom ruleset",
      "expression": "(cf.zone.plan eq \"ENT\")",
      "action": "execute",
      "action_parameters": {
        "id": "<CUSTOM_RULESET_ID>"
      },
      "enabled": true
    }'

Warning: You can only apply custom rulesets to incoming traffic of zones on an Enterprise plan. To enforce this requirement, you must include cf.zone.plan eq "ENT" in the expression of the execute rule deploying the custom ruleset.

3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create an account ruleset operation. Include a single rule in the rules array that executes the custom ruleset for all incoming requests of Enterprise zones in your account.

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "description": "",
      "kind": "root",
      "name": "Account-level phase entry point",
      "rules": [
        {
          "action": "execute",
          "expression": "(cf.zone.plan eq \"ENT\")",
          "action_parameters": {
            "id": "<CUSTOM_RULESET_ID>"
          }
        }
      ],
      "phase": "http_request_firewall_custom"
    }'
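The 200/404 branching of the deployment step, scripted as an added example (not code from the original documentation). The names deploy, http_call and the call hook are invented here, and the check that skips an execute rule already pointing at the same custom ruleset is an extra safeguard assumed for this example, not part of the documented procedure.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"
ENT_ONLY = '(cf.zone.plan eq "ENT")'  # required in the execute rule's expression


def http_call(method, url, token, body=None):
    """Send one API request and return (status_code, parsed_json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 404 and other error statuses
        return err.code, json.loads(err.read() or b"{}")


def deploy(account_id, custom_ruleset_id, token, call=http_call):
    """Deploy step: returns 'already-deployed', 'rule-added' or 'entrypoint-created'."""
    base = f"{API}/accounts/{account_id}/rulesets"
    rule = {"description": "Execute custom ruleset", "expression": ENT_ONLY,
            "action": "execute", "action_parameters": {"id": custom_ruleset_id},
            "enabled": True}
    status, body = call("GET", f"{base}/phases/{PHASE}/entrypoint", token)
    if status == 200:  # entry point exists: append an execute rule to it
        entry = body["result"]
        for existing in entry.get("rules", []):
            if (existing.get("action") == "execute" and
                    existing.get("action_parameters", {}).get("id") == custom_ruleset_id):
                return "already-deployed"  # assumed safeguard: no duplicate rule
        _, body = call("POST", f"{base}/{entry['id']}/rules", token, rule)
        outcome = "rule-added"
    elif status == 404:  # no entry point yet: create it with the execute rule
        payload = {"description": "", "kind": "root", "phase": PHASE,
                   "name": "Account-level phase entry point", "rules": [rule]}
        _, body = call("POST", base, token, payload)
        outcome = "entrypoint-created"
    else:
        raise RuntimeError(f"unexpected status {status} reading entry point")
    if not body.get("success"):
        raise RuntimeError(f"deployment failed: {body.get('errors')}")
    return outcome
```

Pass the ruleset ID saved from the create step as custom_ruleset_id; the default http_call performs real requests, while any callable with the same signature can be substituted for dry runs.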

Next steps

Use the different operations in the Rulesets API to work with the custom ruleset you just created and deployed. The following table has a list of common tasks for working with custom rulesets at the account level:

More resources

For more information on working with custom rulesets, refer to Work with custom rulesets in the Ruleset Engine documentation.