Hm, yeah, not sure. I would have thought their builtin rate-limiting stuff wouldn’t support looking at a custom header, and also might be hard to add that since this is all upstream of anything you control? I’d be a bit hesitant to try and get too bespoke with something like that anyway in terms of making things worse vs. better
If it still is an issue, I think it should be a relatively simple fix on their end (basically looking at a hard-coded offset vs. the last item), but could be wrong there
I think they’re saying that they don’t support it off of any custom header, but specifically the x-real-ip
Thank you and just a quick question: does enabling verbose logging allow us to see all fields, like "matchedFieldValue": ",\"id\","?
Also, if I already know the matched field and want to exclude it, do you have any recommendations?
I tried using Advanced Rule Tuning to exclude request fields, but it doesn’t seem to have any effect. Is there any proper guidance or best practice on how to use it effectively?
Thanks for helping clarify my doubts, I really appreciate the quick responses and support
we’re looking at third party alternates specifically because of it
Are there any managed rule sets we can use with Cloud Armor, similar to how Big-IP F5 is used with AWS WAF?
yes pretty much every third party provider has managed rules of some sort – cloud armor themselves are a service that cloudflare itself manages AFAIK
