Configure rate limiting rules
This page provides an example of creating a rate limiting rule in a zone using Terraform.
For more information on rate limiting rules, refer to Rate limiting rules in the Cloudflare WAF documentation.
Create a rate limiting rule
This example creates a rate limiting rule in zone with ID <ZONE_ID> blocking traffic that exceeds the configured rate:
resource "cloudflare_ruleset" "zone_rl" { zone_id = "<ZONE_ID>" name = "Rate limiting for my zone" description = "" kind = "zone" phase = "http_ratelimit"
rules { action = "block" ratelimit { characteristics = ["cf.colo.id", "ip.src"] period = 60 requests_per_period = 100 mitigation_timeout = 600 } expression = "(http.request.uri.path matches \"^/api/\")" description = "My rate limiting rule" enabled = true }
}
Create an advanced rate limiting rule
This example creates a rate limiting rule in zone with ID <ZONE_ID> with:
- A custom counting expression that includes a response field (
http.response.code). - A custom JSON response for rate limited requests.resource "cloudflare_ruleset" "zone_rl_custom_response" {zone_id = "<ZONE_ID>"name = "Advanced rate limiting rule for my zone"description = ""kind = "zone"phase = "http_ratelimit"rules {action = "block"action_parameters {response {status_code = 429content = "{\"response\": \"block\"}"content_type = "application/json"}}ratelimit {characteristics = ["ip.src", "cf.colo.id"]period = 10requests_per_period = 5mitigation_timeout = 30counting_expression = "(http.host eq \"www.example.com\") and (http.request.uri.path matches \"^/status/\") and (http.response.code eq 404)"}expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"enabled = true}}