diff --git a/src/content/docs/cache/how-to/cache-rules/terraform-example.mdx b/src/content/docs/cache/how-to/cache-rules/terraform-example.mdx
index 5d470d17cad6b4..354c8a68e5c331 100644
--- a/src/content/docs/cache/how-to/cache-rules/terraform-example.mdx
+++ b/src/content/docs/cache/how-to/cache-rules/terraform-example.mdx
@@ -6,14 +6,12 @@ sidebar:
head:
- tag: title
content: Cache Rules — Terraform example
-
---
-import { Details } from "~/components"
+import { Details } from "~/components";
The following example defines a single cache rule for a zone using Terraform. The rule configures several cache settings and sets a custom cache key for incoming requests addressed at `example.net`.
-
```tf
@@ -26,7 +24,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
phase = "http_request_cache_settings"
rules {
- action = "set_cache_settings"
+ ref = "cache_settings_custom_cache_key"
+ description = "Set cache settings and custom cache key for example.net"
+ expression = "(http.host eq \"example.net\")"
+ action = "set_cache_settings"
action_parameters {
edge_ttl {
mode = "override_origin"
@@ -77,14 +78,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
}
origin_error_page_passthru = false
}
- expression = "(http.host eq \"example.net\")"
- description = "Set cache settings and custom cache key for example.net"
- enabled = true
}
}
```
-
For additional guidance on using Terraform with Cloudflare, refer to [Terraform](/terraform/).
diff --git a/src/content/docs/rules/configuration-rules/examples/define-single-configuration-terraform.mdx b/src/content/docs/rules/configuration-rules/examples/define-single-configuration-terraform.mdx
index d57de6b2f873eb..1e34bd96f858e0 100644
--- a/src/content/docs/rules/configuration-rules/examples/define-single-configuration-terraform.mdx
+++ b/src/content/docs/rules/configuration-rules/examples/define-single-configuration-terraform.mdx
@@ -23,14 +23,14 @@ resource "cloudflare_ruleset" "http_config_rules_example" {
phase = "http_config_settings"
rules {
- action = "set_config"
+ ref = "disable_obfuscation_bic"
+ description = "Disable email obfuscation and BIC for API requests"
+ expression = "(http.request.uri.path matches \"^/api/\")"
+ action = "set_config"
action_parameters {
email_obfuscation = false
bic = false
}
- expression = "(http.request.uri.path matches \"^/api/\")"
- description = "Disable email obfuscation and BIC for API requests"
- enabled = true
}
}
```
diff --git a/src/content/docs/rules/origin-rules/examples/define-single-origin-terraform.mdx b/src/content/docs/rules/origin-rules/examples/define-single-origin-terraform.mdx
index 3f31f97c93c151..645d1e8be51ffb 100644
--- a/src/content/docs/rules/origin-rules/examples/define-single-origin-terraform.mdx
+++ b/src/content/docs/rules/origin-rules/examples/define-single-origin-terraform.mdx
@@ -23,7 +23,10 @@ resource "cloudflare_ruleset" "http_origin_example" {
phase = "http_request_origin"
rules {
- action = "route"
+ ref = "change_api_origin"
+ description = "Change origin of API requests"
+ expression = "(http.request.uri.path matches \"^/api/\")"
+ action = "route"
action_parameters {
host_header = "example.net"
origin {
@@ -31,9 +34,6 @@ resource "cloudflare_ruleset" "http_origin_example" {
port = 8000
}
}
- expression = "(http.request.uri.path matches \"^/api/\")"
- description = "Change origin of API requests"
- enabled = true
}
}
```
diff --git a/src/content/docs/rules/url-forwarding/single-redirects/terraform-example.mdx b/src/content/docs/rules/url-forwarding/single-redirects/terraform-example.mdx
index 98ab89f8114365..c2b054aa9d8d04 100644
--- a/src/content/docs/rules/url-forwarding/single-redirects/terraform-example.mdx
+++ b/src/content/docs/rules/url-forwarding/single-redirects/terraform-example.mdx
@@ -20,7 +20,10 @@ resource "cloudflare_ruleset" "single_redirects_example" {
phase = "http_request_dynamic_redirect"
rules {
- action = "redirect"
+ ref = "redirect_old_url"
+ description = "Redirect visitors still using old URL"
+ expression = "(http.request.uri.path matches \"^/contact-us/\")"
+ action = "redirect"
action_parameters {
from_value {
status_code = 301
@@ -30,9 +33,6 @@ resource "cloudflare_ruleset" "single_redirects_example" {
preserve_query_string = false
}
}
- expression = "(http.request.uri.path matches \"^/contact-us/\")"
- description = "Redirect visitors still using old URL"
- enabled = true
}
}
```
diff --git a/src/content/docs/speed/optimization/content/speed-brain.mdx b/src/content/docs/speed/optimization/content/speed-brain.mdx
index c87ccf1a9107ae..8fbe4573a7e35c 100644
--- a/src/content/docs/speed/optimization/content/speed-brain.mdx
+++ b/src/content/docs/speed/optimization/content/speed-brain.mdx
@@ -1,7 +1,7 @@
---
pcx_content_type: how-to
title: Speed Brain
-sidebar:
+sidebar:
order: 9
badge:
text: Beta
@@ -22,6 +22,7 @@ Speed Brain is a tool for improving web page performance by prefetching the most
## Requirements
Speed Brain works under the following conditions:
+
- The Speed Brain feature is enabled in Cloudflare.
- The browser of the web page visitor is using a Chromium-based browser version 121 or later.
- The web page requested by the prefetch is eligible for cache.
@@ -43,15 +44,15 @@ The configuration looks like this:
```json
{
- "prefetch": [{
- "source": "document",
- "where": {
- "and": [
- { "href_matches": "/*", "relative_to": "document" },
- ]
- },
- "eagerness": "conservative"
- }]
+ "prefetch": [
+ {
+ "source": "document",
+ "where": {
+ "and": [{ "href_matches": "/*", "relative_to": "document" }]
+ },
+ "eagerness": "conservative"
+ }
+ ]
}
```
@@ -99,13 +100,13 @@ To disable Speed Brain, set `value:` to `"off"`.
-You can also configure Speed Brain using Terraform. For more details, refer to the [`cloudflare_zone_settings_override`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.48.0/docs/resources/zone_settings_override) resource in the Terraform documentation.
+You can also configure Speed Brain using Terraform. For more details, refer to the `cloudflare_zone_settings_override` resource in the [Terraform documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
## Caveats
-- Since prefetch responses are not guaranteed to be rendered by the browser, Speed Brain includes two safeguards to minimize the risk of [unsafe prefetching](https://developer.mozilla.org/en-US/docs/Web/API/Speculation_Rules_API#unsafe_prefetching):
+- Since prefetch responses are not guaranteed to be rendered by the browser, Speed Brain includes two safeguards to minimize the risk of [unsafe prefetching](https://developer.mozilla.org/en-US/docs/Web/API/Speculation_Rules_API#unsafe_prefetching):
- Speed Brain will not prefetch on routes that run Workers. Without this safeguard, prefetch requests could inadvertently run Worker logic that assumes the incoming request is a normal (that is, not a prefetch) request. An example of this could be an incrementing page view counter running in a Worker. A page view counter should not increment if the page is not actually rendered in the browser.
@@ -115,4 +116,4 @@ You can also configure Speed Brain using Terraform. For more details, refer to t
- Speed Brain will not work with restrictive [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) configurations using `strict-dynamic` or `nonce-{hash}` attributes.
-- Currently, Speed Brain is not compatible with websites that use or rely on `pages.dev`.
+- Currently, Speed Brain is not compatible with websites that use or rely on `pages.dev`.
diff --git a/src/content/docs/terraform/additional-configurations/ddos-managed-rulesets.mdx b/src/content/docs/terraform/additional-configurations/ddos-managed-rulesets.mdx
index e052914febaa5f..c1b7cf3d437c5b 100644
--- a/src/content/docs/terraform/additional-configurations/ddos-managed-rulesets.mdx
+++ b/src/content/docs/terraform/additional-configurations/ddos-managed-rulesets.mdx
@@ -45,21 +45,21 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
phase = "ddos_l7"
rules {
- action = "execute"
+ ref = "override_l7_ddos_ruleset_all"
+ description = "Override the HTTP DDoS Attack Protection managed ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #11).
- id = "fdfdac75430c4c47a959592f0aa5e68a"
+ id = "fdfdac75430c4c47a959592f0aa5e68a"
sensitivity_level = "low"
}
}
}
- expression = "true"
- description = "Override the HTTP DDoS Attack Protection managed ruleset"
- enabled = true
}
}
```
@@ -86,21 +86,21 @@ resource "cloudflare_ruleset" "account_level_network_ddos_config" {
phase = "ddos_l4"
rules {
- action = "execute"
+ ref = "override_l7_ddos_ruleset_dst_ip"
+ description = "Override the HTTP DDoS Attack Protection managed ruleset"
+ expression = "ip.dst in { 192.0.2.0/24 }"
+ action = "execute"
action_parameters {
# Cloudflare L3/4 DDoS Attack Protection Ruleset
id = "3b64149bfa6e4220bbbc2bd6db589552"
overrides {
rules {
# Rule: Generic high-volume UDP traffic flows.
- id = "599dab0942ff4898ac1b7797e954e98b"
+ id = "599dab0942ff4898ac1b7797e954e98b"
sensitivity_level = "low"
}
}
}
- expression = "ip.dst in { 192.0.2.0/24 }"
- description = "Override the HTTP DDoS Attack Protection managed ruleset"
- enabled = true
}
}
```
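Review bot: The new `ref` on the account-level rule, `override_l7_ddos_ruleset_dst_ip`, names the L7 ruleset while the rule sits in phase `ddos_l4` and overrides the ruleset whose own comment reads "Cloudflare L3/4 DDoS Attack Protection Ruleset"; the moved description `Override the HTTP DDoS Attack Protection managed ruleset` carries the same mismatch, so a reader copying this block gets an L3/4 override labelled as HTTP. Suggest `ref = "override_l4_ddos_ruleset_dst_ip"` and `description = "Override the L3/4 DDoS Attack Protection managed ruleset"`, in line with the comment on the `id` line. The enclosing `account_level_network_ddos_config` resource starts before this hunk.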
@@ -159,53 +159,53 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
# level.
rules {
+ ref = "l7_ddos_block_traffic_low_threshold"
description = "At the low sensitivity threshold, block the traffic"
- action = "execute"
+ expression = "true"
+ action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests from known botnet (signature #4).
- id = "29d170ba2f004cc787b1ac272c9e04e7"
+ id = "29d170ba2f004cc787b1ac272c9e04e7"
sensitivity_level = "low"
- action = "block"
+ action = "block"
}
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
- id = "60a48054bbcf4014ac63c44f1712a123"
+ id = "60a48054bbcf4014ac63c44f1712a123"
sensitivity_level = "low"
- action = "block"
+ action = "block"
}
}
}
- expression = "true"
- enabled = true
}
rules {
+ ref = "l7_ddos_log_default_threshold"
description = "At the default sensitivity threshold, log to see if any legitimate traffic gets caught"
- action = "execute"
+ expression = "true"
+ action = "execute"
action_parameters {
# Cloudflare L7 DDoS Attack Protection Ruleset
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
rules {
# Rule: HTTP requests from known botnet (signature #4).
- id = "29d170ba2f004cc787b1ac272c9e04e7"
+ id = "29d170ba2f004cc787b1ac272c9e04e7"
sensitivity_level = "default"
- action = "log"
+ action = "log"
}
rules {
# Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
- id = "60a48054bbcf4014ac63c44f1712a123"
+ id = "60a48054bbcf4014ac63c44f1712a123"
sensitivity_level = "default"
- action = "log"
+ action = "log"
}
}
}
- expression = "true"
- enabled = true
}
}
```
diff --git a/src/content/docs/terraform/additional-configurations/rate-limiting-rules.mdx b/src/content/docs/terraform/additional-configurations/rate-limiting-rules.mdx
index 1c0580dfaf4160..8b016058c0e6ce 100644
--- a/src/content/docs/terraform/additional-configurations/rate-limiting-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/rate-limiting-rules.mdx
@@ -6,10 +6,9 @@ sidebar:
head:
- tag: title
content: Configure rate limiting rules with Terraform
-
---
-import { Details, Render } from "~/components"
+import { Details, Render } from "~/components";
This page provides an example of creating a rate limiting rule in a zone using Terraform.
@@ -17,7 +16,7 @@ For more information on rate limiting rules, refer to [Rate limiting rules](/waf
:::note
-For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation.
+For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation.
:::
## Before you start
@@ -30,7 +29,7 @@ For more information on configuring the previous version of rate limiting rules
-***
+---
## Create a rate limiting rule
@@ -45,31 +44,29 @@ resource "cloudflare_ruleset" "zone_rl" {
phase = "http_ratelimit"
rules {
- action = "block"
+ ref = "rate_limit_api_requests_ip"
+ description = "Rate limit API requests by IP"
+ expression = "(http.request.uri.path matches \"^/api/\")"
+ action = "block"
ratelimit {
characteristics = ["cf.colo.id", "ip.src"]
period = 60
requests_per_period = 100
mitigation_timeout = 600
}
- expression = "(http.request.uri.path matches \"^/api/\")"
- description = "My rate limiting rule"
- enabled = true
}
}
```
-
-
+
:::note[Before you start]
+- Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.
-* Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.
-
-* Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`.
+- Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`.
:::
This example defines a [custom ruleset](/ruleset-engine/custom-rulesets/) with a single rate limiting rule in account with ID `` that blocks traffic for the `/api/` path exceeding the configured rate. The second `cloudflare_ruleset` resource defines an `execute` rule that deploys the custom ruleset for traffic addressed at `example.com`.
@@ -83,16 +80,16 @@ resource "cloudflare_ruleset" "account_rl" {
phase = "http_ratelimit"
rules {
- action = "block"
+ ref = "rate_limit_api_ip"
+ description = "Rate limit API requests by IP"
+ expression = "http.request.uri.path contains \"/api/\""
+ action = "block"
ratelimit {
- characteristics = ["cf.colo.id", "ip.src"]
- period = 60
+ characteristics = ["cf.colo.id", "ip.src"]
+ period = 60
requests_per_period = 100
- mitigation_timeout = 600
+ mitigation_timeout = 600
}
- expression = "http.request.uri.path contains \"/api/\""
- description = "API rule"
- enabled = true
}
}
@@ -108,26 +105,25 @@ resource "cloudflare_ruleset" "account_rl_entrypoint" {
rules {
# Deploy the previously defined custom ruleset containing a rate limiting rule
- action = "execute"
+ ref = "deploy_rate_limit_example_com"
+ description = "Deploy custom ruleset with RL rule"
+ expression = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
+ action = "execute"
action_parameters {
id = cloudflare_ruleset.account_rl.id
}
- expression = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
- description = "Deploy custom ruleset with RL rule"
- enabled = true
}
}
```
-
## Create an advanced rate limiting rule
This example creates a rate limiting rule in zone with ID `` with:
-* A custom counting expression that includes a response field (`http.response.code`).
-* A custom JSON response for rate limited requests.
+- A custom counting expression that includes a response field (`http.response.code`).
+- A custom JSON response for rate limited requests.
```tf
resource "cloudflare_ruleset" "zone_rl_custom_response" {
@@ -138,26 +134,26 @@ resource "cloudflare_ruleset" "zone_rl_custom_response" {
phase = "http_ratelimit"
rules {
- action = "block"
+ ref = "rate_limit_example_com_status_404"
+ description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
+ expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
+ action = "block"
action_parameters {
response {
- status_code = 429
- content = "{\"response\": \"block\"}"
+ status_code = 429
+ content = "{\"response\": \"block\"}"
content_type = "application/json"
}
}
ratelimit {
- characteristics = ["ip.src", "cf.colo.id"]
- period = 10
+ characteristics = ["ip.src", "cf.colo.id"]
+ period = 10
requests_per_period = 5
- mitigation_timeout = 30
+ mitigation_timeout = 30
counting_expression = "(http.host eq \"www.example.com\") and (http.request.uri.path matches \"^/status/\") and (http.response.code eq 404)"
}
- expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
- description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
- enabled = true
}
}
```
-
+
diff --git a/src/content/docs/terraform/additional-configurations/transform-rules.mdx b/src/content/docs/terraform/additional-configurations/transform-rules.mdx
index 6c2c5d6791e7fa..9f01101b5cd2ce 100644
--- a/src/content/docs/terraform/additional-configurations/transform-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/transform-rules.mdx
@@ -6,15 +6,14 @@ sidebar:
head:
- tag: title
content: Configure Transform Rules with Terraform
-
---
-import { Render } from "~/components"
+import { Render } from "~/components";
This page provides examples of creating Transform Rules in a zone using Terraform. The examples cover the following scenarios:
-* [Create a Rewrite URL Rule](#create-a-rewrite-url-rule)
-* [Create an HTTP Request Header Modification Rule](#create-an-http-request-header-modification-rule)
+- [Create a Rewrite URL Rule](#create-a-rewrite-url-rule)
+- [Create an HTTP Request Header Modification Rule](#create-an-http-request-header-modification-rule)
For more information on Transform Rules, refer to [Transform Rules](/rules/transform/).
@@ -28,7 +27,7 @@ For more information on Transform Rules, refer to [Transform Rules](/rules/trans
-***
+---
## Create a Rewrite URL Rule
@@ -43,7 +42,10 @@ resource "cloudflare_ruleset" "transform_url_rewrite" {
phase = "http_request_transform"
rules {
- action = "rewrite"
+ ref = "url_rewrite_old_folder"
+ description = "Example Rewrite URL Rule"
+ expression = "(http.host eq \"example.com\" and http.request.uri.path eq \"/old-folder\")"
+ action = "rewrite"
action_parameters {
uri {
path {
@@ -51,14 +53,11 @@ resource "cloudflare_ruleset" "transform_url_rewrite" {
}
}
}
- expression = "(http.host eq \"example.com\" and http.request.uri.path eq \"/old-folder\")"
- description = "Example Rewrite URL Rule"
- enabled = true
}
}
```
-
+
For more information on rewriting URLs, refer to [Rewrite URL Rules](/rules/transform/url-rewrite/).
@@ -66,9 +65,9 @@ For more information on rewriting URLs, refer to [Rewrite URL Rules](/rules/tran
The following configuration example performs the following adjustments to HTTP request headers:
-* Adds a `my-header-1` header to the request with a static value.
-* Adds a `my-header-2` header to the request with a dynamic value defined by an expression.
-* Deletes the `existing-header` header from the request, if it exists.
+- Adds a `my-header-1` header to the request with a static value.
+- Adds a `my-header-2` header to the request with a dynamic value defined by an expression.
+- Deletes the `existing-header` header from the request, if it exists.
```tf
resource "cloudflare_ruleset" "transform_modify_request_headers" {
@@ -79,7 +78,10 @@ resource "cloudflare_ruleset" "transform_modify_request_headers" {
phase = "http_request_late_transform"
rules {
- action = "rewrite"
+ ref = "modify_request_headers"
+ description = "Example HTTP Request Header Modification Rule"
+ expression = "true"
+ action = "rewrite"
action_parameters {
headers {
name = "my-header-1"
@@ -96,14 +98,14 @@ resource "cloudflare_ruleset" "transform_modify_request_headers" {
operation = "remove"
}
}
- expression = "true"
- description = "Example HTTP Request Header Modification Rule"
- enabled = true
}
}
```
-
+
For more information on modifying request headers, refer to [HTTP Request Header Modification Rules](/rules/transform/request-header-modification/).
@@ -111,9 +113,9 @@ For more information on modifying request headers, refer to [HTTP Request Header
The following configuration example performs the following adjustments to HTTP response headers:
-* Adds a `my-header-1` header to the response with a static value.
-* Adds a `my-header-2` header to the response with a dynamic value defined by an expression.
-* Deletes the `existing-header` header from the response, if it exists.
+- Adds a `my-header-1` header to the response with a static value.
+- Adds a `my-header-2` header to the response with a dynamic value defined by an expression.
+- Deletes the `existing-header` header from the response, if it exists.
```tf
resource "cloudflare_ruleset" "transform_modify_response_headers" {
@@ -124,7 +126,10 @@ resource "cloudflare_ruleset" "transform_modify_response_headers" {
phase = "http_response_headers_transform"
rules {
- action = "rewrite"
+ ref = "modify_response_headers"
+ description = "Example HTTP Response Header Modification Rule"
+ expression = "true"
+ action = "rewrite"
action_parameters {
headers {
name = "my-header-1"
@@ -141,13 +146,13 @@ resource "cloudflare_ruleset" "transform_modify_response_headers" {
operation = "remove"
}
}
- expression = "true"
- description = "Example HTTP Response Header Modification Rule"
- enabled = true
}
}
```
-
+
For more information on modifying response headers, refer to [HTTP Response Header Modification Rules](/rules/transform/response-header-modification/).
diff --git a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
index 4d69248ddcffa5..8116cf52a5e3b6 100644
--- a/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-custom-rules.mdx
@@ -6,21 +6,20 @@ sidebar:
head:
- tag: title
content: Configure WAF custom rules with Terraform
-
---
-import { Render } from "~/components"
+import { Render } from "~/components";
This page provides examples of creating WAF custom rules in a zone or account using Terraform. The examples cover the following scenarios:
-* Zone-level configurations:
+- Zone-level configurations:
- * [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
+ - [Add a custom rule to a zone](#add-a-custom-rule-to-a-zone)
-* Account-level configurations:
+- Account-level configurations:
- * [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
- * [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
+ - [Create and deploy a custom ruleset](#create-and-deploy-a-custom-ruleset)
+ - [Add a custom rule checking for exposed credentials](#add-a-custom-rule-checking-for-exposed-credentials)
For more information on custom rules, refer to [Custom rules](/waf/custom-rules/) in the Cloudflare WAF documentation.
@@ -34,7 +33,7 @@ For more information on custom rules, refer to [Custom rules](/waf/custom-rules/
-***
+---
## Zone-level configurations
@@ -51,15 +50,15 @@ resource "cloudflare_ruleset" "zone_custom_firewall" {
phase = "http_request_firewall_custom"
rules {
- action = "block"
- expression = "(not cf.edge.server_port in {80 443})"
+ ref = "block_non_default_ports"
description = "Block ports other than 80 and 443"
- enabled = true
+ expression = "(not cf.edge.server_port in {80 443})"
+ action = "block"
}
}
```
-
+
## Account-level configurations
@@ -69,7 +68,7 @@ The following example creates a [custom ruleset](/ruleset-engine/custom-rulesets
:::caution
-You can only create and deploy custom rulesets at the account level.
+You can only create and deploy custom rulesets at the account level.
:::
The following configuration creates the custom ruleset with a single rule:
@@ -83,15 +82,18 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset" {
phase = "http_request_firewall_custom"
rules {
- action = "block"
- expression = "(not cf.edge.server_port in {80 443})"
+ ref = "block_non_default_ports"
description = "Block ports other than 80 and 443"
- enabled = true
+ expression = "(not cf.edge.server_port in {80 443})"
+ action = "block"
}
}
```
-
+
The following configuration deploys the custom ruleset at the account level. It defines a dependency on the `account_firewall_custom_ruleset` resource and uses the ID of the created custom ruleset in `action_parameters`:
@@ -106,13 +108,13 @@ resource "cloudflare_ruleset" "account_firewall_custom_entrypoint" {
depends_on = [cloudflare_ruleset.account_firewall_custom_ruleset]
rules {
- action = "execute"
+ ref = "deploy_custom_ruleset_example_com"
+ description = "Deploy custom ruleset for example.com"
+ expression = "(cf.zone.name eq \"example.com\")"
+ action = "execute"
action_parameters {
id = cloudflare_ruleset.account_firewall_custom_ruleset.id
}
- expression = "(cf.zone.name eq \"example.com\")"
- description = "Deploy custom ruleset for example.com"
- enabled = true
}
}
```
@@ -125,7 +127,7 @@ The following configuration creates a custom ruleset with a single rule that [ch
:::caution
-You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
+You can only add exposed credential checks to rules in a custom ruleset (that is, a ruleset with `kind = "custom"`).
:::
```tf
@@ -137,26 +139,26 @@ resource "cloudflare_ruleset" "account_firewall_custom_ruleset_exposed_creds" {
phase = "http_request_firewall_custom"
rules {
- action = "rewrite"
+ ref = "check_for_exposed_creds_add_header"
+ description = "Add header when there is a rule match and exposed credentials are detected"
+ expression = "http.request.method == \"POST\" && http.request.uri == \"/login.php\""
+ action = "rewrite"
action_parameters {
headers {
- name = "Exposed-Credential-Check"
+ name = "Exposed-Credential-Check"
operation = "set"
- value = "1"
+ value = "1"
}
}
exposed_credential_check {
username_expression = "url_decode(http.request.body.form[\"username\"][0])"
password_expression = "url_decode(http.request.body.form[\"password\"][0])"
}
- expression = "http.request.method == \"POST\" && http.request.uri == \"/login.php\""
- description = "Add header when there is a rule match and exposed credentials are detected"
- enabled = true
}
}
```
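Review bot: The moved match expression `http.request.uri == "/login.php"` compares the full request URI, which as far as I recall of the field semantics includes the query string, so a POST to `/login.php?next=/home` would not match, the exposed-credential check would not run for it, and the `Exposed-Credential-Check` header would never be set on that request. Matching on the path field closes that gap: `expression = "http.request.method == \"POST\" && http.request.uri.path == \"/login.php\""`, which is also the field the other examples on this page use. The `account_firewall_custom_ruleset_exposed_creds` resource starts before this hunk.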
-
+
The following configuration deploys the custom ruleset. It defines a dependency on the `account_firewall_custom_ruleset_exposed_creds` resource and obtains the ID of the created custom ruleset:
@@ -171,13 +173,13 @@ resource "cloudflare_ruleset" "account_firewall_custom_entrypoint" {
depends_on = [cloudflare_ruleset.account_firewall_custom_ruleset_exposed_creds]
rules {
- action = "execute"
+ ref = "deploy_custom_ruleset_example_com"
+ description = "Deploy custom ruleset for example.com"
+ expression = "(cf.zone.name eq \"example.com\")"
+ action = "execute"
action_parameters {
id = cloudflare_ruleset.account_firewall_custom_ruleset_exposed_creds.id
}
- expression = "(cf.zone.name eq \"example.com\")"
- description = "Deploy custom ruleset for example.com"
- enabled = true
}
}
```
diff --git a/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx b/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
index 0904f60c360abb..338ff132e2aa3c 100644
--- a/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
@@ -47,24 +47,24 @@ resource "cloudflare_ruleset" "zone_level_managed_waf" {
# Execute Cloudflare Managed Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_managed_ruleset"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
- expression = "true"
- description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
- enabled = true
}
# Execute Cloudflare OWASP Core Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_owasp_core_ruleset"
+ description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
- expression = "true"
- description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
- enabled = true
}
}
```
@@ -90,24 +90,24 @@ resource "cloudflare_ruleset" "account_level_managed_waf" {
# Execute Cloudflare Managed Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_managed_ruleset_api_store"
+ description = "Execute Cloudflare Managed Ruleset on my account-level phase entry point ruleset"
+ expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
+ action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
- expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
- description = "Execute Cloudflare Managed Ruleset on my account-level phase entry point ruleset"
- enabled = true
}
# Execute Cloudflare OWASP Core Ruleset
rules {
- action = "execute"
+ ref = "execute_owasp_core_ruleset_api_store"
+ description = "Execute Cloudflare OWASP Core Ruleset on my account-level phase entry point ruleset"
+ expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
+ action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
}
- expression = "http.host in {\"api.example.com\" \"store.example.com\"} and cf.zone.plan eq \"ENT\""
- description = "Execute Cloudflare OWASP Core Ruleset on my account-level phase entry point ruleset"
- enabled = true
}
}
```
@@ -124,43 +124,43 @@ The following example adds two [skip rules](/waf/managed-rules/waf-exceptions/)
Add the two skip rules to the `cloudflare_ruleset` resource before the rule that deploys the Cloudflare Managed Ruleset:
```tf null {4-13,15-27}
-resource "cloudflare_ruleset" "account_level_managed_waf" {
+resource "cloudflare_ruleset" "zone_level_managed_waf" {
# (...)
# Skip execution of the entire Cloudflare Managed Ruleset for specific URLs
rules {
- action = "skip"
+ ref = "skip_cloudflare_managed_ruleset_example_com"
+ description = "Skip Cloudflare Managed Ruleset"
+ expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rulesets\")"
+ action = "skip"
action_parameters {
rulesets = ["efb7b8c949ac4650a09736fc376e9aee"]
}
- expression = "(cf.zone.name eq \"example.com\" and http.request.uri.query contains \"skip=rulesets\")"
- description = "Skip Cloudflare Manage ruleset"
- enabled = true
}
# Skip execution of two rules in the Cloudflare Managed Ruleset for specific URLs
rules {
- action = "skip"
+ ref = "skip_wordpress_sqli_rules_example_com"
+ description = "Skip WordPress and SQLi rules"
+ expression = "(http.request.uri.path eq \"/status\" and http.request.uri.query contains \"skip=rules\")"
+ action = "skip"
action_parameters {
rules = {
# Format: "" = ",,..."
"efb7b8c949ac4650a09736fc376e9aee" = "5de7edfa648c4d6891dc3e7f84534ffa,e3a567afc347477d9702d9047e97d760"
}
}
- expression = "(cf.zone.name eq \"example.com\" and http.request.uri.query contains \"skip=rules\")"
- description = "Skip WordPress and SQLi rules"
- enabled = true
}
# Execute Cloudflare Managed Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_managed_ruleset"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
}
- expression = "true"
- description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
- enabled = true
}
# (...)
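Review bot: The two skip rules' new `ref` values keep an `_example_com` suffix (`skip_cloudflare_managed_ruleset_example_com`, `skip_wordpress_sqli_rules_example_com`) although this same hunk rewrites their expressions to match on `http.request.uri.path eq "/status"` and drops the `cf.zone.name` clause; `ref = "skip_cloudflare_managed_ruleset_status"` and `ref = "skip_wordpress_sqli_rules_status"` would describe what the rules now do. A short comment above the first skip rule would also help readers who copy the snippet, since both skips are gated only on values the requesting client controls: `# Illustrative only: a skip keyed solely on request-supplied values lets any client that sets them bypass the managed ruleset; scope production skips to trusted sources.` The `zone_level_managed_waf` resource continues past the `# (...)` line at the end of the hunk.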
@@ -189,29 +189,29 @@ The following configuration includes the three overrides in the rule that execut
# Execute Cloudflare Managed Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_managed_ruleset"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
overrides {
rules {
- id = "5de7edfa648c4d6891dc3e7f84534ffa"
- action = "log"
+ id = "5de7edfa648c4d6891dc3e7f84534ffa"
+ action = "log"
enabled = true
}
rules {
- id = "75a0060762034a6cb663fd51a02344cb"
+ id = "75a0060762034a6cb663fd51a02344cb"
enabled = false
}
categories {
category = "wordpress"
- action = "js_challenge"
- enabled = true
+ action = "js_challenge"
+ enabled = true
}
}
}
- expression = "true"
- description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
- enabled = true
}
# (...)
@@ -228,16 +228,16 @@ Building upon the rule that deploys the Cloudflare Managed Ruleset, the followin
# Execute Cloudflare Managed Ruleset
rules {
- action = "execute"
+ ref = "execute_cloudflare_managed_ruleset"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee"
matched_data {
public_key = "Ycig/Zr/pZmklmFUN99nr+taURlYItL91g+NcHGYpB8="
}
}
- expression = "true"
- description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
- enabled = true
}
# (...)
@@ -267,7 +267,10 @@ The following example rule of a `cloudflare_ruleset` Terraform resource performs
# Execute Cloudflare OWASP Core Ruleset
rules {
- action = "execute"
+ ref = "execute_owasp_core_ruleset"
+ description = "Execute Cloudflare OWASP Core Ruleset"
+ expression = "true"
+ action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f"
overrides {
@@ -276,22 +279,19 @@ The following example rule of a `cloudflare_ruleset` Terraform resource performs
# tags "paranoia-level-3" and "paranoia-level-4".
categories {
category = "paranoia-level-3"
- enabled = false
+ enabled = false
}
categories {
category = "paranoia-level-4"
- enabled = false
+ enabled = false
}
rules {
- id = "6179ae15870a4bb7b2d480d4843b323c"
- action = "log"
+ id = "6179ae15870a4bb7b2d480d4843b323c"
+ action = "log"
score_threshold = 60
}
}
}
- expression = "true"
- description = "zone"
- enabled = true
}
# (...)