Creating a rate limit rule
Creating a rate limit rule allows you to customize Bunny Shield’s protections to manage traffic effectively and defend against abuse. Whether you're safeguarding against malicious bots or preventing traffic spikes from overwhelming your services, rate limit rules give you precise control over request volumes. With Bunny Shield’s advanced capabilities, you can ensure optimal performance and security while maintaining a seamless experience for legitimate users.
What you'll need
Before you dive in, make sure you have the following prerequisites in place:
- A bunny.net account (Log in or sign up for a free trial).
- An existing Shield Zone.
- Advanced Plan or above on the existing Shield Zone (if creating more than 2 rate limit rules*).
Creating a Rate Limit Rule
To create an effective rate limit rule, it's important to understand the fundamentals of how to build a Custom WAF Rule on Bunny Shield. Familiarize yourself with our Understanding Rule Engine documentation to gain insights into how rules are structured and processed within the system.
This rule processes each HTTP request by extracting only the REQUEST_URI (Variable), converting it to lowercase, and removing whitespace (Transformations). It then checks whether the transformed REQUEST_URI matches exactly (Operator) with '/blockedpath' (Operator Value). If a match is found, the global rate limit counter is incremented. If the RequestCount (10 requests) is exceeded within the defined 1-second Timeframe, the WAF Engine blocks (Response Action) the request for the defined 30-second BlockTime, halting further rule processing and intercepting the request.
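To check how a rule like this behaves before deploying it, the added example below (not Bunny Shield's code or API) models the described evaluation locally and replays constructed traffic through it. The class and field names are hypothetical, and the fixed-window counter and the reading of "exceeded" as the 11th request are assumptions, since the page does not specify the windowing algorithm.

```python
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    """Local model of the rule described above; names are illustrative."""
    operator_value: str = "/blockedpath"
    request_count: int = 10       # RequestCount
    timeframe: float = 1.0        # Timeframe, seconds
    block_time: float = 30.0      # BlockTime, seconds
    window_start: float = 0.0
    hits: int = 0
    blocked_until: float = float("-inf")

    def matches(self, request_uri: str) -> bool:
        # Transformations: lowercase, then remove all whitespace.
        transformed = "".join(request_uri.lower().split())
        # Operator: exact string match against the operator value.
        return transformed == self.operator_value

    def evaluate(self, request_uri: str, now: float) -> str:
        if not self.matches(request_uri):
            return "pass"             # rule does not apply, counter untouched
        if now < self.blocked_until:
            return "block"            # still inside BlockTime
        # Assumption: fixed window that restarts once Timeframe has elapsed.
        if now - self.window_start >= self.timeframe:
            self.window_start, self.hits = now, 0
        self.hits += 1                # one counter for the rule ("global")
        if self.hits > self.request_count:
            self.blocked_until = now + self.block_time
            self.hits = 0
            return "block"
        return "pass"


def replay(rule, requests):
    """requests: iterable of (timestamp_seconds, uri); returns the actions."""
    return [rule.evaluate(uri, ts) for ts, uri in requests]


# Constructed traffic: 12 matching requests in 0.55 s, an unrelated path,
# one matching request during the block, and one after the block expires.
SAMPLE = [(i * 0.05, "/BlockedPath") for i in range(12)]
SAMPLE += [(0.7, "/other"), (15.0, "/blocked path"), (31.0, "/blockedpath")]

if __name__ == "__main__":
    for (ts, uri), action in zip(SAMPLE, replay(RateLimitRule(), SAMPLE)):
        print(f"{ts:6.2f}s {uri!r:16} -> {action}")
```

Because the counter is global rather than per client, the replay shows that once the limit trips, every matching request is blocked for the full BlockTime regardless of who sent it.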
With the basics covered, you can now create highly effective rate limit rules tailored to protect your site with customized mitigation strategies.
Examples
Rate limit request if a cookie is set with a specific value and exceeds a defined limit
If you want to rate limit requests when a specific cookie is set to a certain value and the request rate exceeds a defined limit, you can use the following configuration:
Rate limit request if User-Agent is a known crawler and exceeds a defined limit
If you need to rate limit requests where the User-Agent header contains a known crawler identifier and the request rate exceeds a defined limit, use the following rule configuration:

Need help or encountering issues?
If you encounter any difficulties or have questions, our support team is here to assist you. Please don't hesitate to contact us via the support request form for prompt assistance.
Our dedicated support team is ready to help you resolve any issues you might face during the deployment process, provide additional guidance, or answer your questions.