Cloudflare is a fantastic tool for improving performance and reliability of your websites by protecting them from attacks, such as DDoS attacks. Rate limiting is an easy way of preventing your server from being overloaded. In this article we look at an easy way of enabling a rate limiting rule in Cloudflare.

Introduction

We've been tightening things up on the hosting side recently at Made Simple Media. We've noticed that some sites regularly get a lot of requests from certain IPs, and we put rate limiting in place to mitigate the impact of this.

What is rate limiting?

Imagine a bot tries to load a web page on your site hundreds of times in a few seconds. That potentially puts a huge, totally unnecessary load on your server. If it keeps doing this, it can cause a particular site, or even the entire server, to be overloaded and go offline.

So for the sake of serving one IP address over and over again in a totally unnecessary way, you have lost all your other visitors because the site has gone down. It's not fair and it's bad for business, so how do we combat this?

Enter the solution: Rate limiting

Rate limiting says that if a user tries to load a page on our site so many times that it is "unreasonable", then we should stop that user from doing it.

Do we ban that user for life? Some might, but with IP addresses being shared it's a nicer solution just to block them temporarily. That disrupts the huge number of requests, which are most likely from a bot or bad actor that we don't want to give access to our site anyway.
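To make the mechanism concrete, here is a small model of a per-IP rate limiter in Python. It is an added example, not code from the article or from Cloudflare: it counts requests per IP over a fixed 10-second window and blocks the IP for 10 seconds once it passes 200 requests (the values the article configures below), and the fixed window is an assumption made to keep the model simple, not Cloudflare's actual counting algorithm.

```python
from collections import defaultdict

# The article's values: 200 requests per 10-second window, block for 10 seconds
LIMIT, PERIOD, BLOCK_FOR = 200, 10, 10


class RateLimiter:
    """Simplified per-IP limiter: a fixed counting window plus a block timeout.
    Assumption: a simple model of the behaviour, not Cloudflare's algorithm."""

    def __init__(self, limit=LIMIT, period=PERIOD, block_for=BLOCK_FOR):
        self.limit, self.period, self.block_for = limit, period, block_for
        self.window_start = {}    # ip -> when the current counting window began
        self.count = defaultdict(int)
        self.blocked_until = {}   # ip -> when the temporary block expires

    def check(self, ip, t):
        """Return 'allow' or 'block' for one request from `ip` at time `t` (s)."""
        if t < self.blocked_until.get(ip, -1.0):
            return "block"                       # inside the mitigation timeout
        if t - self.window_start.get(ip, float("-inf")) >= self.period:
            self.window_start[ip] = t            # window expired: count afresh
            self.count[ip] = 0
        self.count[ip] += 1
        if self.count[ip] > self.limit:
            self.blocked_until[ip] = t + self.block_for   # temporary block, not a ban
            return "block"
        return "allow"


def replay(requests):
    """Replay (ip, time) pairs in time order; return {ip: (allowed, blocked)}."""
    limiter, summary = RateLimiter(), defaultdict(lambda: [0, 0])
    for ip, t in sorted(requests, key=lambda r: r[1]):
        summary[ip][0 if limiter.check(ip, t) == "allow" else 1] += 1
    return {ip: tuple(v) for ip, v in summary.items()}


# Constructed traffic: a bot fires 300 requests in 3 seconds, while a normal
# visitor loads 20 pages at 1.5-second intervals from another address.
BOT = [("203.0.113.7", i * 0.01) for i in range(300)]
VISITOR = [("198.51.100.9", i * 1.5) for i in range(20)]

if __name__ == "__main__":
    for ip, (allowed, blocked) in replay(BOT + VISITOR).items():
        print(f"{ip}: {allowed} allowed, {blocked} blocked")
```

The bot gets its first 200 requests served and the remaining 100 blocked, while the ordinary visitor is never touched; once the 10-second block lapses the bot's address is counted afresh rather than banned.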

Why Cloudflare?

Cloudflare is one of the biggest networks on the Internet.  People use Cloudflare for web application security and performance.  Cloudflare helps connect and protect millions of customers globally. 

Cloudflare can be used for free, or you can opt for a paid plan with more features. It's very easy to get started and the benefits are instantaneous once set up.

I have dabbled with other CDNs in the past that were harder to use, requiring much more configuration, so I prefer Cloudflare for protecting our clients' websites.

Add your site to Cloudflare

To use Cloudflare you need to create a new account and add your site.  You do this by adding your site in Cloudflare, making sure Cloudflare has added all your DNS records and then by changing your nameservers to the ones Cloudflare specifies.

Here is the guide in Cloudflare's Docs

Ensure you have enabled the Cloudflare proxy

Enable the Cloudflare proxy on your A records. When enabled they turn orange (when disabled they are grey):

[Screenshot: cloudflare-proxys.jpg]

Important: Do not enable the proxy on MX records. This can cause other issues, because Cloudflare uses its own IP addresses, which means your email client will not be able to find your email server.


Configure the rate limiting rule

Next, click "Security" in the left-hand menu:

[Screenshot: security-waf.jpg]

Next, click "Rate limiting rules" and then "Create rule":

[Screenshot: rate-limiting-rules.jpg]

Name our rule

Next we name our rule with something that makes sense at a glance. In this case we'll simply call it "Limit Requests".

[Screenshot: name-rule.jpg]

Specify which requests match our rule

We also need to specify which requests match our rule. For example, it could be requests to a certain URL, but in this case we want to match any request to our website's pages:

[Screenshot: match-all-pages.jpg]

How many requests is too many?

This will vary depending on your site and what elements are on the page. For example, a page with a lot of traffic and lots of page elements will need to allow more requests per second from a single IP address.

For our example site, we will allow 200 requests, over a 10 second period, per IP address:

[Screenshot: requests-per-10-seconds.jpg]

So what happens if a user/bot on a specific IP address exceeds the number of requests?

This is where we choose what we want to do with that potentially malicious user or bot.

In our example we will block the IP address for 10 seconds so that it cannot continue to make this huge number of requests to our website/server:

[Screenshot: rate-limiting-action.jpg]
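The same rule as the dashboard steps above, built as a Cloudflare Rulesets API payload in Python. This is an added example, not the article's own code: it assumes an API token and zone ID in the CF_API_TOKEN and CF_ZONE_ID environment variables, and that the http_ratelimit phase entrypoint, the "true" match-all expression and the ratelimit field names follow Cloudflare's public API reference.

```python
"""The article's rate limiting rule, expressed for the Cloudflare Rulesets API.
Assumes CF_API_TOKEN / CF_ZONE_ID env vars and the http_ratelimit phase field names."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def build_rate_limit_rule(name="Limit Requests", requests=200, period=10,
                          timeout=10, expression="true"):
    """One rule mirroring the dashboard choices: match every request
    (expression "true"), count per client IP, and block for `timeout`
    seconds once an IP exceeds `requests` within `period` seconds."""
    return {
        "description": name,
        "expression": expression,
        "action": "block",
        "ratelimit": {
            # cf.colo.id is required alongside ip.src, so the count is
            # kept per client IP per Cloudflare data centre
            "characteristics": ["cf.colo.id", "ip.src"],
            "period": period,                 # counting window in seconds
            "requests_per_period": requests,  # threshold within that window
            "mitigation_timeout": timeout,    # seconds the IP stays blocked
        },
    }


def build_ruleset(rules):
    """Payload for PUT .../rulesets/phases/http_ratelimit/entrypoint; it
    replaces the zone's whole rate limiting ruleset, so pass every rule."""
    return {"rules": rules}


def deploy(zone_id, token, payload):
    """PUT the ruleset to the zone and return the parsed API response."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint",
        data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_ruleset([build_rate_limit_rule()])
    print(json.dumps(payload, indent=2))  # review the payload before deploying
    if os.environ.get("CF_API_TOKEN") and os.environ.get("CF_ZONE_ID"):
        print(deploy(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], payload))
```

Because the entrypoint PUT replaces the whole rate limiting ruleset for the zone, include any existing rules in the list or they will be dropped.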

Seeing our Rate limit rule in action

Cloudflare keeps a nice log of "Events" when rules are triggered. There are already built-in rules that the Cloudflare Firewall uses, but it will also show our new rule being applied when an IP address triggers it.

To view these Events, go to "Events" under "Security":

[Screenshot: security-events.jpg]

You then see a list of Events involving firewall rules.

Below, we can see an IP address from France triggering our new rate limiting rule:

[Screenshot: events.jpg]

BTW, we notice certain locations triggering these rules on a daily basis for some sites!

Conclusion

Cloudflare's rate limiting rules are very easy to set up and powerful. Although we already have various security measures with our hosting company to mitigate attacks, moving some of our defence measures into Cloudflare nips the problem at the source. Cloudflare's CDN is incredibly powerful and resilient, and since rolling out these rules we see far less load on our servers and better uptime.
