Cloudflare is a fantastic tool for improving the performance and reliability of your websites by protecting them from attacks, such as DDoS attacks. Rate limiting is an easy way of preventing your server from being overloaded. In this article we look at an easy way of enabling a rate limiting rule in Cloudflare.
We've been tightening things up on the hosting side recently at Made Simple Media. We've noticed some sites regularly get a lot of requests from certain IPs and have put rate limiting in place to mitigate the impact of this.
Imagine a bot tries to load a web page on your site hundreds of times in a few seconds. That potentially puts a huge, totally unnecessary load on your server. If it keeps doing this, it can cause a particular site, or even the entire server, to be overloaded and go offline.
So for the sake of serving that one IP address over and over again in a totally unnecessary way, you have lost all your other visitors because the site has gone down. It's not fair and it's bad for business, so how do we combat this?
Rate limiting says that if a user tries to load a page on our site so many times that it is "unreasonable", then we should stop that user from doing it.
Do we ban that user for life? Some might, but with IP addresses being shared it's a nicer solution to block them temporarily. That disrupts the flood of requests, which is most likely coming from a bot or bad actor we wouldn't want to give access to our site anyway.
Cloudflare is one of the biggest networks on the Internet. People use Cloudflare for web application security and performance. Cloudflare helps connect and protect millions of customers globally.
Cloudflare can be used for free, or you can opt for a paid plan with more features. It's very easy to get started and the benefits are instantaneous once set up.
I have dabbled with other CDNs in the past that were harder to use, requiring much more configuration, so I prefer Cloudflare for protecting our clients' websites.
To use Cloudflare you need to create a new account and add your site. You do this by adding your site in Cloudflare, making sure Cloudflare has added all your DNS records and then by changing your nameservers to the ones Cloudflare specifies.
Here is the guide in Cloudflare's Docs
Enable the Cloudflare proxy on your A records. When enabled they turn orange (when disabled they are grey):
Important: Do not enable this on MX records. This can cause other issues because Cloudflare uses its own IP addresses, which means your email client will not be able to find your email server.
Next, click "Security" in the left hand menu:
Next, click "Rate limiting rules" and "Create rule":
Next we name our rule with something that makes sense at a glance. In this case we'll simply call it "Limit Requests".
We also need to specify which requests match our rule. For example, it could be requests to a certain URL, but in this case we want to match any request to our website's pages:
The right threshold will vary depending on your site and what elements are on the page. For example, a page with a lot of traffic and lots of page elements will need to allow more requests per second from a single IP address.
For our example site, we will allow 200 requests, over a 10 second period, per IP address:
This is where we choose what we want to do with that potentially malicious user or bot.
In our example we will block the IP address for 10 seconds so that it cannot continue to make this huge number of requests to our website/server:
Cloudflare keeps a nice log of "Events" when rules are triggered. There are already built-in rules that the Cloudflare Firewall uses, but the log will also show our new rule being used if an IP address triggers it.
To view these Events, go to "Events" under "Security":
You then see a list of Events involving firewall rules.
Below, we can see an IP address from France triggering our new rate limiting rule:
By the way, we notice certain locations triggering these rules on a daily basis for some sites!
Cloudflare's rate limiting rules are very easy to set up and powerful. Although we already have various security measures with our hosting company to mitigate attacks, moving some of our defence measures into Cloudflare nips the problem at the source. Cloudflare's CDN is incredibly powerful and resilient, and since rolling out these rules we see far less load on our servers and better uptime.
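Before enabling a rule like the one above, it helps to see how the three numbers (200 requests, a 10 second counting period, a 10 second block) interact. The following is an added example written for this article, not Cloudflare's code or the agency's own: it simulates the "Limit Requests" rule offline over constructed traffic from a normal visitor and a bursty client, and then summarises the resulting block events per IP the way you would read the Events log. The rule is written as a dictionary using the field names of Cloudflare's Ruleset Engine rate limiting rules as an assumption (check the API docs for your plan), the hostname is a placeholder, and the sliding window counter is a simplification of whatever Cloudflare does internally.

```python
from collections import defaultdict, deque

# The article's rule expressed as a Rulesets API style object.
# Field names are an assumption based on Cloudflare's ruleset engine docs;
# "example.com" is a placeholder for your own zone.
LIMIT_REQUESTS_RULE = {
    "description": "Limit Requests",
    "expression": '(http.host eq "example.com")',
    "action": "block",
    "ratelimit": {
        "characteristics": ["ip.src", "cf.colo.id"],
        "period": 10,                # seconds the counter covers
        "requests_per_period": 200,  # threshold within that period
        "mitigation_timeout": 10,    # seconds the IP stays blocked
    },
}


class RateLimiter:
    """Per-IP sliding window counter with a block timeout (simplified model)."""

    def __init__(self, rule):
        rl = rule["ratelimit"]
        self.period = rl["period"]
        self.limit = rl["requests_per_period"]
        self.timeout = rl["mitigation_timeout"]
        self.window = defaultdict(deque)  # ip -> timestamps of recent requests
        self.blocked_until = {}           # ip -> time the block expires
        self.events = []                  # (time, ip, action), like the Events log

    def handle(self, ip, t):
        """Return 'allow' or 'block' for one request from ip at time t (seconds)."""
        if self.blocked_until.get(ip, -1.0) > t:
            return "block"  # still inside the mitigation timeout
        q = self.window[ip]
        q.append(t)
        while q and q[0] <= t - self.period:  # drop requests older than the period
            q.popleft()
        if len(q) > self.limit:  # the threshold has been exceeded
            self.blocked_until[ip] = t + self.timeout
            self.events.append((t, ip, "block"))
            q.clear()  # counting starts again once the block expires
            return "block"
        return "allow"


def constructed_traffic():
    """Constructed sample traffic (not real logs): (timestamp, ip) pairs."""
    normal = [(0.5 + i * 0.3, "203.0.113.10") for i in range(30)]     # one page load
    burst = [(i * 0.01, "198.51.100.7") for i in range(500)]          # 500 hits in 5 s
    after = [(13.0 + i * 0.1, "198.51.100.7") for i in range(10)]     # returns after block
    return sorted(normal + burst + after)


def run_simulation(rule=LIMIT_REQUESTS_RULE):
    """Apply the rule to the constructed traffic; return per-IP counts and events."""
    limiter = RateLimiter(rule)
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for t, ip in constructed_traffic():
        counts[ip][limiter.handle(ip, t)] += 1
    return dict(counts), limiter.events


def events_per_ip(events):
    """Summarise block events per IP, as you would when reading the Events log."""
    summary = defaultdict(int)
    for _, ip, action in events:
        if action == "block":
            summary[ip] += 1
    return dict(summary)


if __name__ == "__main__":
    counts, events = run_simulation()
    for ip, c in counts.items():
        print(f"{ip}: allowed={c['allow']} blocked={c['block']}")
    print("block events per IP:", events_per_ip(events))
```

Running it shows the normal visitor is never touched, while the bursty client gets its first 200 requests through, is blocked for the rest of the burst, and is served again once the 10 second timeout has passed. Raising requests_per_period or lowering the period is how you tune the rule for pages that legitimately load many elements.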
08 October 2024
01 October 2024