Common rate limiting use cases
The examples below include sample rate limiting rule configurations that address common rate limiting use cases.
Example 1
The following rule performs rate limiting on incoming requests from the US addressed to the login page, except for requests from one allowed IP address.
Expression:
(http.request.uri.path eq "/login" and ip.geoip.country eq "US" and ip.src ne 192.0.0.1)
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
Example 2
The following rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.
Expression:
(http.request.uri.path contains "/product" and http.request.method eq "POST")
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
- HTTP Header > x-api-key
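A simplified model of how Example 2's characteristics partition the request counters. This is an added illustration, not Cloudflare's implementation: the threshold (3 requests per 10 seconds), the fixed-window counting, the helper names, and the sample traffic are all assumptions.

```python
from collections import defaultdict

# Assumed thresholds (the page gives none): 3 requests per 10-second window.
LIMIT, PERIOD = 3, 10

def matches(r):
    """Example 2's filter: literal substring match on the path, POST only."""
    return "/product" in r["path"] and r["method"] == "POST"

def counter_key(r):
    """One counter per combination of the rule's characteristics."""
    # A missing header maps to None in this model.
    return (r["colo"], r["ip"], r["headers"].get("x-api-key"))

def evaluate(requests):
    """Return one verdict per request: 'skip', 'allow' or 'block'."""
    counts = defaultdict(int)
    verdicts = []
    for r in requests:
        if not matches(r):
            verdicts.append("skip")  # rule does not apply, nothing is counted
            continue
        bucket = (counter_key(r), r["ts"] // PERIOD)  # fixed window index
        counts[bucket] += 1
        verdicts.append("block" if counts[bucket] > LIMIT else "allow")
    return verdicts

def req(ts, ip, key, method="POST", path="/product/42", colo="LHR"):
    """Build a constructed sample request."""
    return {"ts": ts, "ip": ip, "colo": colo, "method": method,
            "path": path, "headers": {"x-api-key": key}}

# Constructed sample traffic (documentation IP range, made-up keys and colos).
SAMPLE = [
    req(0, "203.0.113.7", "key-A"),
    req(1, "203.0.113.7", "key-A"),
    req(2, "203.0.113.7", "key-A"),
    req(3, "203.0.113.7", "key-A"),                # 4th hit on same counter
    req(4, "203.0.113.7", "key-B"),                # same IP, different API key
    req(5, "203.0.113.7", "key-A", method="GET"),  # filter does not match
    req(6, "203.0.113.7", "key-A", colo="CDG"),    # different data center
    req(12, "203.0.113.7", "key-A"),               # next window
]

if __name__ == "__main__":
    for r, v in zip(SAMPLE, evaluate(SAMPLE)):
        print(r["ts"], counter_key(r), r["method"], v)
```

Only the fourth request is blocked: changing the API key or the data center selects a different counter, so a client that rotates keys from one IP address is counted separately per key.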
Example 3
The following rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and User-Agent values.
Expression:
(http.request.uri.path eq "/store" or http.request.uri.path eq "/prices") and (http.host eq "mystore1.com" or http.host eq "mystore2.com") and not cf.client.bot
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
- HTTP Header > user-agent