
Cloudflare Rate Limiting

Discussion in 'Domains, DNS, Email & SSL Certificates' started by BamaStangGuy, Aug 22, 2018.

  1. BamaStangGuy

    BamaStangGuy Active Member

    I'd like to implement this on a site-wide level but don't want to go too low. What should be a reasonable number of requests per second to limit at?

     
  2. eva2000

    eva2000 Administrator Staff Member

    Any particular reason you want to use rate limiting? Depending on your plan, you get to rate limit based on GET or POST types etc. too, so that will vary depending on your site usage and theme/style layout, i.e. CSS, JS, images etc.
    You might want to set up a test URL/directory for rate limiting and do some testing for both static and dynamic (PHP) request rates and see what is best.
     
  3. eva2000

  4. deltahf

    deltahf Premium Member

    Here are my Rate Limiting rules:

    [Attachment: Screen Shot 2018-08-27 at 3.47.32 PM.png]

    I can't seem to find the graph now (seriously, am I going crazy or does Cloudflare change around their control panel frequently?), but I did see where it blocked over 1,200 WordPress login attempts over the course of one minute.
     
  5. deltahf

    I found the Rate Limiting graph again... Check this out: it blocked over 108,000 login attempts to my WordPress over the span of one day!

    [Attachment: Screen Shot 2018-08-31 at 9.42.15 PM.png]

    Definitely enable this, guys!
     
  6. eva2000

    Wow, that's a lot... How much is this costing you for Cloudflare rate limiting?
     
  7. deltahf

    15 cents. :D

    You pay $0.05 for 10k "good" requests, and your first 10k requests are free. My site had ~45k good requests to WP/XF last month, so my bill this month will be an extra $0.15. Well worth it, in my opinion. :)
     
  8. eva2000

    Nice, I thought you had rate limiting elsewhere, but just for the login page makes sense :)
     
  9. rdan

    rdan Well-Known Member

    Nginx Auth/Password wp-login?
    Will easily reject all those login attempts.
     
  10. deltahf

    Sure, but why not let Cloudflare take care of it before it even reaches your server?
     
  11. rdan

    Cost.
     
  12. eva2000

    Yeah, depends on your rate limited traffic and cost. Some folks can get attacked with 100000s of requests per second. That would add up eventually!
     
  13. deltahf

    You only pay for "good" requests, so getting attacked with millions of requests would not cost anything. :)

    I would much rather let Cloudflare handle that than my own Nginx box.
     
  14. eva2000

    Yeah keep forgetting how that works.
     
  15. BamaStangGuy

    Can you share your exact settings for the WordPress login? The URL used? Are there any other points of login?
     
  16. deltahf

    Yeah, you can see it in my post above, but there's not much to see. It's just Cloudflare's default WP protection settings. There are no other points of login.
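
Added example, not part of the thread or any poster's configuration: one way to act on the suggestion earlier in the thread to measure static, dynamic and login request rates before picking a limit is to compute each client's peak requests per window from an nginx access log. The log lines are constructed, and the 60-second window and the threshold of 5 are assumptions for illustration, not settings taken from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Parses the start of an nginx "combined" access-log line.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
STATIC_RE = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?)(\?|$)', re.I)

def classify(path):
    """Bucket a request path the way the thread splits traffic."""
    if path.startswith("/wp-login.php"):
        return "login"
    return "static" if STATIC_RE.search(path) else "dynamic"

def peak_rates(log_text, window_seconds=60):
    """Return {class: {ip: highest request count seen in any one window}}."""
    hits = Counter()  # (class, ip, window index) -> requests
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = int(ts.timestamp()) // window_seconds
        hits[(classify(m["path"]), m["ip"], window)] += 1
    peaks = {}
    for (cls, ip, _), n in hits.items():
        per_ip = peaks.setdefault(cls, {})
        per_ip[ip] = max(n, per_ip.get(ip, 0))
    return peaks

def over_threshold(peaks, cls, threshold):
    """IPs whose peak for this class exceeds a candidate threshold."""
    return sorted(ip for ip, n in peaks.get(cls, {}).items() if n > threshold)

def make_line(ip, sec, method, path):
    return (f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample log: one visitor browsing and logging in, one client
# hammering the login page. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.5", s, "GET", p) for s, p in
     enumerate(["/", "/style.css", "/app.js", "/logo.png", "/wp-login.php"])]
    + [make_line("203.0.113.5", 20, "POST", "/wp-login.php")]
    + [make_line("198.51.100.7", s, "POST", "/wp-login.php") for s in range(40)])

if __name__ == "__main__":
    peaks = peak_rates(SAMPLE_LOG)
    print(peaks)
    print("login > 5/min (assumed threshold):", over_threshold(peaks, "login", 5))
```

Run over a real log, the per-class peaks of ordinary visitors show how low a limit can go before it starts blocking them; in the constructed sample the visitor peaks at 2 login requests per minute against 40 for the other client.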