Add rate limits to the firewall UI #187

Merged

acoshift merged 4 commits into main from waf-ratelimit Jun 11, 2026

@acoshift acoshift commented Jun 11, 2026

Member

Summary

The WAF zone API now carries a rate-limit set next to the rules (deploys-app/api#39). This adds the console UI:

  • Manage page: new "Rate limits" section — key / rate-per-window / mode (Enforce / muted Shadow badge) table with edit + delete, "Add Limit" footer.
  • New /waf/limit page (add/edit): bucket-key builder (IP / Host / Country / ASN / Header / Cookie rows with name inputs), rate + window presets (1s..1h, non-preset loaded windows preserved), fixed/sliding algorithm, enforce/shadow mode, rejection response (429/503 + message, hidden in shadow mode).
  • Index page: Limits count column.
  • waf.set replaces the whole zone, so every call site (manage, rule edit, limit edit, create) now echoes both rules and limits — saving a rule can't wipe limits and vice versa.
  • Mock fixtures gain two seed limits for offline dev/screenshots.

bun lint + bun check: 0 errors. Verified visually against bun dev:mock (manage, limit add/edit, index).

🤖 Generated with Claude Code

The WAF zone API now carries a rate-limit set next to the rules. Add a
Rate limits section to the manage page (key / rate-per-window / mode
table with edit + delete), a /waf/limit add-edit page (bucket key
builder with header/cookie names, rate + window presets, fixed/sliding
algorithm, enforce/shadow mode, 429/503 rejection response, CIDR
exclusions), and a Limits count column on the index.

waf.set replaces the whole zone, so every call site now echoes both
rules and limits — saving a rule no longer risks wiping limits and vice
versa. Mock fixtures gain two seed limits for offline dev.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

cloudflare-workers-and-pages Bot commented Jun 11, 2026

Deploying deploys-app--console with Cloudflare Pages

Latest commit: 917b502
Status: ✅  Deploy successful!
Preview URL: https://58b4d69d.deploys-app--console.pages.dev
Branch Preview URL: https://waf-ratelimit.deploys-app--console.pages.dev

acoshift and others added 3 commits June 11, 2026 11:54

Exclude was dropped from the WAFLimit API.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The Requests/Window row sized both controls to their content, so the
row reflowed whenever the selected window label changed length. Give
both fields fixed widths (w-40 / w-44).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

New "Rate limit activity" section: a limited-share trend — one line per
limit charting limited / (allowed + limited) percent per bucket from
the new waf.limitMetrics RPC — plus a per-limit summary table (key,
mode, allowed, limited, range share). Shadow limits render dashed with
a "· shadow" legend suffix and their limited totals read "would be
limited": this page is how a shadow limit gets sized before enforcing.

Hidden when the zone has no limits; mock fixture generates drifting
shares for the two seed limits so the chart renders offline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@acoshift

Member Author

Added the rate-limit chart (design: limited-share trend): "Rate limit activity" on the metrics page charts limited / (allowed + limited) % per limit over time via the new waf.limitMetrics RPC (apiserver ratelimit-usage branch, PR #95 stack), with a per-limit summary table (allowed / limited / range share). Shadow limits draw dashed with "would be limited" totals — the sizing workflow before flipping a limit to enforce. Section is hidden for zones without limits.
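
The shadow-then-enforce sizing workflow from the comment above, as an added example that is not part of this PR or the deploys-app code base: a fixed-window limiter that tallies allowed and limited requests and reports limited / (allowed + limited) as a percentage. The names `makeLimiter`, `check`, `share` and `replay`, the key-part syntax and the sample traffic are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the console's or the API's code.
function makeLimiter({ key, rate, windowMs, mode, status = 429 }) {
  const buckets = new Map(); // bucket key -> { start, count }
  const stats = { allowed: 0, limited: 0 };

  // Build the bucket key from request attributes, e.g. ["ip", "header:x-api-key"]
  // (the "kind:name" syntax is an assumption of this sketch).
  const bucketKey = (req) =>
    key.map((part) => {
      const [kind, name] = part.split(":");
      if (kind === "header") return req.headers?.[name] ?? "";
      return req[kind] ?? "";
    }).join("|");

  function check(req, now) {
    const k = bucketKey(req);
    const start = now - (now % windowMs); // fixed window aligned to windowMs
    let b = buckets.get(k);
    if (!b || b.start !== start) {
      b = { start, count: 0 };
      buckets.set(k, b);
    }
    b.count += 1;
    const over = b.count > rate;
    if (over) stats.limited += 1; else stats.allowed += 1;
    // Shadow mode records the decision but never rejects the request.
    if (over && mode === "enforce") return { pass: false, status };
    return { pass: true, wouldLimit: over };
  }

  // limited / (allowed + limited), as a percentage.
  const share = () => {
    const total = stats.allowed + stats.limited;
    return total === 0 ? 0 : (100 * stats.limited) / total;
  };
  return { check, share, stats };
}

// Constructed traffic: one client sends 8 requests within one second, another sends 2.
function replay(mode) {
  const lim = makeLimiter({ key: ["ip"], rate: 5, windowMs: 1000, mode });
  let rejected = 0;
  for (let i = 0; i < 8; i++) if (!lim.check({ ip: "203.0.113.7" }, 1000 + i * 100).pass) rejected++;
  for (let i = 0; i < 2; i++) if (!lim.check({ ip: "198.51.100.9" }, 1000 + i * 100).pass) rejected++;
  return { rejected, share: lim.share(), ...lim.stats };
}
```

Replaying the same traffic in both modes gives the same limited share; only the number of rejected requests differs, which is what makes the shadow figure usable for sizing a limit before enforcing it.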

@acoshift

Member Author

Backend note: the chart calls waf.limitMetrics, which is not yet on any merged backend — api#41/apiserver#95 merged before that handler was added. It's been re-landed as deploys-app/api#42 + deploys-app/apiserver#96; both need to merge before the chart works against the real API (the mock fixture already covers offline dev, so this PR renders fine in bun dev:mock).

@acoshift acoshift merged commit f316eff into main Jun 11, 2026
5 checks passed
@acoshift acoshift deleted the waf-ratelimit branch June 11, 2026 10:36