☁️ Cloudflare Ruleset Engine — Phase Architecture

Hubungan ke Vault

Ruleset Engine adalah blueprint processing pipeline yang menginspirasi arsitektur jarsWAF. Konsep phase-based evaluation di sini terkait dengan ids-ips-waf-nsm-comparison dan network-security. Untuk logging & SIEM integration, lihat blueteam-detection-matrix dan cgnat-attribution-deepdive.

Daftar Isi

  1. Overview
  2. Core Concepts
  3. Arsitektur Ruleset Engine
  4. Phase Category: Network Layer
  5. Phase Category: Application Request
  6. Phase Category: Application Response
  7. Complete Phase Order Diagram
  8. Phase Entry Point Ruleset
  9. Actions
  10. Expression Language
  11. Deployment Model
  12. Relevansi untuk jarsWAF
  13. Bottom Line

Overview

Cloudflare Ruleset Engine — adalah sistem pemrosesan terstruktur yang mengevaluasi request dan response HTTP melalui 28 phase berurutan. Setiap phase adalah titik di pipeline di mana ruleset bisa di-deploy dan dieksekusi.

Data dari Cloudflare Docs (sumber utama note ini):

LayerJumlah Phase
Network Layer5
Application: Request17 (termasuk 3 internal/N/A)
Application: Response6 (termasuk 2 internal/N/A)
Total28

Setiap phase punya phase entry point ruleset — root ruleset yang nge-hold aturan untuk phase itu. Custom rulesets bisa di-execute dari entry point ini.


Core Concepts

Phase

Phase = stage dalam lifecycle request/response di mana rules bisa dieksekusi. Urutan eksekusi fixed — nggak bisa diubah.

Request masuk → [Phase 1] → [Phase 2] → ... → [Phase N] → ke Origin
Response dari Origin → [Phase R1] → [Phase R2] → ... → [Phase RN] → ke Client

Ruleset

Ruleset = versioned set of rules. Ada dua jenis:

TypeKindDeployable?Deskripsi
Phase Entry PointrootYa, ke satu phaseRuleset utama di setiap phase. Defines rules yang execute custom/managed rulesets
Custom RulesetcustomDi-execute dari entry pointRuleset reusable yang bisa dipasang di banyak phase entry points
Managed Ruleset(managed)Dari CloudflareRuleset pre-built dari Cloudflare (WAF, DDoS, Bot Mgmt)

Rule

Rule = filter + action. Setiap rule punya:

expression: "(http.request.uri.path eq \"/login\")"
action: "block" | "execute" | "skip" | "rewrite" | ...
  • Expression — menentukan request mana yang kena aturan (Cloudflare Wirefilter syntax)
  • Action — apa yang dilakukan kalau match (block, challenge, allow, execute ruleset, skip, rewrite, log, dll)

Arsitektur Ruleset Engine

Phase Evaluation Flow

┌─────────────────────────────────────────────────────────────────┐
│                    REQUEST PHASES (↓)                            │
│                                                                  │
│  http_request_dynamic_redirect ──→ URL redirect check            │
│         ↓                                                        │
│  http_request_sanitize ──→ URL normalization                     │
│         ↓                                                        │
│  http_request_transform ──→ Rewrite request URL/params           │
│         ↓                                                        │
│  http_request_api_gateway_early ──→ API Shield early check       │
│         ↓                                                        │
│  http_config_settings ──→ Zone configuration rules               │
│         ↓                                                        │
│  http_request_origin ──→ Override origin server                  │
│         ↓                                                        │
│  ddos_l7 ──→ HTTP DDoS Attack Protection                         │
│         ↓                                                        │
│  http_request_firewall_custom ──→ WAF Custom Rules               │
│         ↓                                                        │
│  http_ratelimit ──→ Rate Limiting                                │
│         ↓                                                        │
│  http_request_api_gateway_late ──→ API Shield late check         │
│         ↓                                                        │
│  http_request_firewall_managed ──→ WAF Managed Rules             │
│         ↓                                                        │
│  http_request_sbfm ──→ Super Bot Fight Mode                      │
│         ↓                                                        │
│  (Cloudflare Access check — internal)                            │
│         ↓                                                        │
│  http_request_redirect ──→ Bulk Redirects                        │
│         ↓                                                        │
│  (Managed Transforms — internal)                                 │
│         ↓                                                        │
│  http_request_late_transform ──→ Response Headers transform      │
│         ↓                                                        │
│  http_request_cache_settings ──→ Cache rules override            │
│         ↓                                                        │
│  http_request_snippets ──→ Snippets (Cloudflare Workers-lite)    │
│         ↓                                                        │
│  http_request_cloud_connector ──→ Cloud Connector rules          │
│         ↓                                                        │
│  ┌─────────────────────────────────────────────────────────────────
│  │  (koneksi ke origin server)
│  └─────────────────────────────────────────────────────────────────
│                                                                  │
│                    RESPONSE PHASES (↑)                            │
│                                                                  │
│  http_custom_errors ──→ Custom error pages                       │
│         ↓                                                        │
│  (Managed Transforms — internal)                                 │
│         ↓                                                        │
│  http_response_headers_transform ──→ Response headers modify     │
│         ↓                                                        │
│  http_ratelimit ──→ Rate Limiting (response-based info)          │
│         ↓                                                        │
│  http_response_compression ──→ Compression rules (Brotli/gzip)   │
│         ↓                                                        │
│  http_response_firewall_managed ──→ Sensitive Data Detection(DLP)│
│         ↓                                                        │
│  http_log_custom_fields ──→ Custom logpush fields                │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Phase Category: Network Layer

5 phase untuk packet-level filtering — berlaku di Cloudflare Network Firewall / Magic Transit.

#Phase NameProduct/FeatureFungsi
1ddos_l4L4 DDoS Attack ProtectionFilter serangan DDoS di layer 4 (SYN flood, UDP flood, dll)
2magic_transitCloudflare Network FirewallPacket filtering — allow/block berdasarkan IP/port/protocol
3magic_transit_managedManaged Rulesets (Network)Ruleset pre-built untuk traffic network
4magic_transit_ratelimitRate Limiting (Network)Rate limit per source IP di layer jaringan
5magic_transit_ids_managedIntrusion Detection SystemIDS signature-based detection di layer network

Karakteristik Network Layer:

  • Operates on raw packets, bukan HTTP
  • Tidak punya konsep URI, headers, cookies
  • Fields: ip.src, ip.dst, ip.proto, tcp.srcport, tcp.dstport, udp.srcport, udp.dstport
  • Actions: block, allow, log

Phase Category: Application Request

17 phase untuk HTTP request processing — dari redirect hingga cache.

#Phase NameProduct/FeatureEvaluates
1http_request_dynamic_redirectSingle RedirectsURL, query string — redirect decision
2http_request_sanitizeURL NormalizationURL encoding, path normalization
3http_request_transformURL Rewrite RulesURL path, query params — rewrite
(internal)Waiting Room RulesQueue management
4http_request_api_gateway_earlyAPI Shield (early)Schema validation, mTLS API tokens
5http_config_settingsConfiguration RulesZone config overrides (per-URL)
6http_request_originOrigin RulesOrigin server, SNI, DNS resolution
7ddos_l7HTTP DDoS ProtectionL7 DDoS — rate, pattern, fingerprint
8http_request_firewall_customWAF Custom RulesUser-defined WAF rules
9http_ratelimitRate Limiting RulesRequest rate per threshold
10http_request_api_gateway_lateAPI Shield (late)Schema + token validation (after rate limit)
11http_request_firewall_managedWAF Managed RulesCloudflare-managed WAF rulesets
12http_request_sbfmSuper Bot Fight ModeBot detection — verified vs suspicious
(internal)Cloudflare AccessZero Trust auth check (Access policies)
13http_request_redirectBulk RedirectsMany-to-many URL redirects
(internal)Managed TransformsAutomatic header transforms
14http_request_late_transformResponse Header TransformModify response headers before cache
15http_request_cache_settingsCache RulesCache key, TTL, bypass rules
16http_request_snippetsSnippetsCloudflare Workers-lite scripts
17http_request_cloud_connectorCloud ConnectorThird-party cloud integration

Urutan Logis Request Phase

URL in → Normalize → Rewrite → API Shield → Config → Origin → DDoS
  → Custom WAF → Rate Limit → API Shield 2 → Managed WAF → Bot Mode
  → Access → Bulk Redirect → Transforms → Cache → Snippets → Cloud
    ↓
  [OUTBOUND TO ORIGIN]

Ketersediaan Fields per Phase

Fields tertentu hanya available di phase-phase tertentu:

PhaseHTTP HeadersURI PathQuery StringRequest BodyResponse FieldsGeolocation
Early (redirect, sanitize, transform)
Mid (firewall, ratelimit, managed)✅ (some)
Late (cache, snippets, cloud connector)
Response phases

Request body fields (http.request.body.*) tersedia mulai phase http_request_firewall_custom.


Phase Category: Application Response

6 phase untuk HTTP response processing — dari error page hingga logging.

#Phase NameProduct/FeatureFungsi
1http_custom_errorsCustom ErrorsGanti error page (500, 502, 1xxx errors) dengan konten kustom
(internal)Managed TransformsTransform response headers otomatis
2http_response_headers_transformResponse Header TransformSet/add/remove response headers
3http_ratelimitRate Limiting (response)Rate limit berdasarkan response attributes (status code)
4http_response_compressionCompression RulesKontrol kompresi Brotli/gzip per content type
5http_response_firewall_managedSensitive Data DetectionDLP — deteksi credit card, SSN, API key di response body
6http_log_custom_fieldsLogpush Custom FieldsAdd custom fields ke logpush

Response Phase Flow

[ORIGIN RESPONSE IN]
    ↓
Custom Errors → Managed Transforms → Response Headers
    → Rate Limit → Compression → DLP/Database → Logpush
    ↓
[RESPONSE BACK TO CLIENT]

Complete Phase Order Diagram

[CLIENT REQUEST]
    │
    ├─ Network Layer ──────────────────────────────────────
    │  ├─ ddos_l4                          (DDoS L4)
    │  ├─ magic_transit                    (Pkt Filter)
    │  ├─ magic_transit_managed            (Managed Rules)
    │  ├─ magic_transit_ratelimit          (Rate Limit)
    │  └─ magic_transit_ids_managed        (IDS)
    │
    ├─ Application Request ───────────────────────────────
    │  ├─ http_request_dynamic_redirect    (Single Redirect)
    │  ├─ http_request_sanitize            (URL Normalize)
    │  ├─ http_request_transform           (URL Rewrite)
    │  ├─ [internal] Waiting Room
    │  ├─ http_request_api_gateway_early   (API Shield)
    │  ├─ http_config_settings             (Config Rules)
    │  ├─ http_request_origin              (Origin Rules)
    │  ├─ ddos_l7                          (DDoS L7)
    │  ├─ http_request_firewall_custom     (WAF Custom)
    │  ├─ http_ratelimit                   (Rate Limit)
    │  ├─ http_request_api_gateway_late    (API Shield)
    │  ├─ http_request_firewall_managed    (WAF Managed)
    │  ├─ http_request_sbfm                (Bot Mode)
    │  ├─ [internal] Cloudflare Access
    │  ├─ http_request_redirect            (Bulk Redirect)
    │  ├─ [internal] Managed Transforms
    │  ├─ http_request_late_transform      (Late Transform)
    │  ├─ http_request_cache_settings      (Cache Rules)
    │  ├─ http_request_snippets            (Snippets)
    │  └─ http_request_cloud_connector     (Cloud Connector)
    │
    ├─ [TO ORIGIN SERVER] ─────────────────
    │
    ├─ Application Response ──────────────────────────────
    │  ├─ http_custom_errors               (Custom Errors)
    │  ├─ [internal] Managed Transforms
    │  ├─ http_response_headers_transform  (Resp Headers)
    │  ├─ http_ratelimit                   (Rate Limit)
    │  ├─ http_response_compression        (Compression)
    │  └─ http_response_firewall_managed   (DLP/Data)
    │  └─ http_log_custom_fields           (Logpush)
    │
    └─ [RESPONSE TO CLIENT]

Phase Entry Point Ruleset

Setiap phase punya entry point ruleset — ruleset root yang dideploy ke phase itu.

Struktur Entry Point

{
  "result": {
    "id": "<ZONE_PHASE_RULESET_ID>",
    "name": "http_request_firewall_custom phase entry point ruleset for my zone",
    "description": "",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "<PHASE_RULE_ID>",
        "version": "1",
        "action": "execute",
        "description": "Execute custom ruleset (zone)",
        "action_parameters": {
          "id": "<CUSTOM_RULESET_ID>",
          "version": "latest"
        },
        "expression": "(http.request.uri.path eq \"/login\")",
        "last_updated": "2025-08-18T18:35:14.135697Z",
        "ref": "<PHASE_RULE_REF>",
        "enabled": true
      }
    ],
    "phase": "http_request_firewall_custom"
  }
}

Cara Kerja Entry Point

Zone-level:
  [http_request_firewall_custom entry point] ← root ruleset, attached to zone
    Rule 1: if expression → execute custom_ruleset_A
    Rule 2: if expression → execute custom_ruleset_B
    Rule 3: if expression → block

Account-level:
  [http_request_firewall_custom entry point] ← root ruleset, attached to account
    Rule 1: if (cf.zone.plan eq "ENT") → execute enterprise_custom_ruleset

Key point: Entry point ruleset bisa punya multiple rules. Setiap rule bisa execute custom ruleset, block, challenge, skip, dll. Urutan rules dalam satu entry point penting — rules di atas dievaluasi dulu.


Actions

Setiap rule bisa punya action berikut:

ActionDeskripsiUse Case
blockReturn error response (403/4xx/5xx)Block malicious requests
challengeShow CAPTCHASuspicious traffic
managed_challengeAdaptive challenge (CAPTCHA/JS/No-op)Bot detection
allowSkip semua phase selanjutnyaWhitelist legitimate traffic
executeExecute another ruleset (custom/managed)Run rule collection
skipSkip specified phases/rulesetsBypass certain checks
rewriteModify URI/headersURL normalization
redirectURL redirectURL forwarding
logLog only, no actionMonitoring
set_configOverride zone settingsPer-request config
force_connection_closeClose TCP connectionMitigation
compress_responseSet compression typeResponse optimization

Action: Allow vs Skip

AspekAllowSkip
EffectSkip ALL remaining phasesSkip specific phases/rulesets
Origin requestAlways passes to originRequest continues processing
Use caseTrusted traffic bypassSkip certain checks but not others

Action: Execute

Rule yang mengeksekusi custom/managed ruleset:

{
  "action": "execute",
  "expression": "(http.request.uri.path eq \"/login\")",
  "action_parameters": {
    "id": "<CUSTOM_RULESET_ID>",
    "version": "latest"
  }
}

Multiple rulesets bisa di-execute dalam satu phase entry point:

Entry Point: http_request_firewall_managed
  Rule 1: if true → execute cloudflare_managed_ruleset_owasp
  Rule 2: if true → execute cloudflare_managed_ruleset_cloudflare_php

Expression Language

Cloudflare pakai Wirefilter syntax — mirip Wireshark display filter.

Field Categories

CategoryContoh Fields
HTTPhttp.request.uri, http.request.method, http.request.headers.*, http.cookie, http.user_agent
IPip.src, ip.dst, ip.geoip.country
TCPtcp.srcport, tcp.dstport
SSL/TLSssl, ssl.protocol, ssl.certificate
Cloudflare-specificcf.bot_management.score, cf.waf.score, cf.threat_score, cf.zone.plan
Rate Limitingcf.ratelimit.remaining, cf.rl.action

Operators

OperatorContoh
eqhttp.request.uri.path eq "/login"
neip.src ne 1.1.1.1
containshttp.request.uri.path contains "/wp-admin"
starts_withstarts_with(http.request.uri.path, "/api")
ends_withends_with(http.request.uri.path, ".php")
inip.src in { 10.0.0.0/8 192.168.0.0/16 }
matcheshttp.request.uri.path matches "^/admin" (regex)
andip.src eq 1.1.1.1 and http.request.method eq "POST"
orhttp.request.uri.path eq "/admin" or http.request.uri.path eq "/login"
notnot ip.geoip.country in { "RU" "CN" }

Example Complex Expression

(http.request.method eq "POST" and
 http.request.uri.path eq "/graphql" and
 not cf.bot_management.score gt 30 and
 ip.geoip.country ne "ID")

Deployment Model

Zone-level vs Account-level

LevelScopeUse Case
Zone-levelPer domainZone-specific WAF rules, page rules
Account-levelAll zonesEnterprise-wide policy, shared rulesets

Phase Entry Point Deployment

POST /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint
{
  "description": "Phase entry point for custom rules",
  "kind": "root",
  "name": "Default",
  "rules": [ ... ],
  "phase": "http_request_firewall_custom"
}

Custom Ruleset Creation

POST /zones/{zone_id}/rulesets
{
  "description": "Block login path brute force",
  "kind": "custom",
  "name": "Brute force protection",
  "rules": [ ... ],
  "phase": "http_request_firewall_custom"
}

Kemudian deploy ke entry point:

PUT /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint

Relevansi untuk jarsWAF

Apa yang bisa diadopsi

Konsep CloudflareImplementasi di jarsWAF
Phase pipelinePipeline processing dengan urutan fixed — setiap phase punya tanggung jawab spesifik (parsing → sanitasi → WAF → rate limit → cache → response)
Entry point rulesetRoot ruleset per phase yang mengeksekusi filter chain — memisahkan “what to check” dari “what to do when match”
Multiple actionsActions: block, challenge, allow, log, rewrite — nggak cuma allow/deny
Expression languageDSL untuk aturan firewall — field-based, composable (eq, contains, starts_with, regex, CIDR)
Skip actionBypass phase tertentu — berguna buat trust list tanpa harus disable WAF entirely
Score-based bot detectionMachine learning score instead of binary block — prinsip risk-based decision
Phase field visibilityFields tertentu hanya available di phase tertentu — desain yang mencegah misuse
Account-level vs zone-levelMulti-tenant policy separation — each tenant punya ruleset sendiri

Arsitektur jarsWAF yang Terinspirasi

[REQUEST IN]
    │
    ├─ L4 Processing ─────────────────────
    │  ├─ Connection Table (conntrack)
    │  ├─ SYN Flood Protection
    │  └─ IP Reputation Check
    │
    ├─ L7 Parsing ──────────────────────
    │  ├─ HTTP Parser (AST tokenizer)
    │  ├─ URL Normalization / Sanitization
    │  └─ Header Extraction
    │
    ├─ Security Phases ──────────────────
    │  ├─ Phase 1: Request Sanitization
    │  │    URL normalization, path traversal detection
    │  ├─ Phase 2: Input Validation
    │  │    Parameter validation, content type check
    │  ├─ Phase 3: WAF Rule Processing
    │  │    CRS rules, custom rules, regex matching
    │  ├─ Phase 4: Rate Limiting
    │  │    Per-IP, per-path, per-session counters
    │  └─ Phase 5: Bot Detection
    │       User-agent, JS challenge, fingerprint
    │
    ├─ Routing ────────────────────────
    │  ├─ Origin Selection
    │  ├─ Load Balancing (Pingora)
    │  └─ Connection Pooling
    │
    ├─ [TO ORIGIN]
    │
    ├─ Response Processing ──────────────
    │  ├─ Phase 6: Response Header Filter
    │  ├─ Phase 7: Response Body Scan (DLP)
    │  └─ Phase 8: Logging & Metrics
    │
    └─ [RESPONSE OUT]

Phase Design untuk jarsWAF

Setiap phase di jarsWAF punya struktur yang sama:

Phase struct {
    id: u8,                    // Phase order (0..N)
    name: String,
    rulesets: Vec<Ruleset>,    // Entry point ruleset + custom
    actions: Vec<Action>,      // Block/Allow/Log/Rewrite
    skip_conditions: Vec<Expr>, // Skip phase jika kondisi terpenuhi
}
// Pseudocode arsitektur jarsWAF
pub struct Phase {
    pub id: u8,
    pub name: &'static str,
    pub entry_ruleset: Ruleset,
    pub skip_expression: Option<Expression>,
}
 
pub enum PhaseId {
    L4DDoS = 0,
    HttpParse = 1,
    Sanitize = 2,
    WafCustom = 3,
    RateLimit = 4,
    BotDetection = 5,
    OriginRouting = 6,
    ResponseHeaders = 7,
    ResponseDLP = 8,
    Logging = 9,
}
 
impl Pipeline {
    pub fn process(&self, ctx: &mut RequestContext) -> PipelineResult {
        let phases = self.order();
        for phase in phases {
            if phase.should_skip(&ctx) { continue; }
            let result = phase.evaluate(&ctx)?;
            match result.action {
                Action::Block => return Err(PipelineError::Blocked(phase, result.reason)),
                Action::Allow => break, // skip remaining phases
                Action::Execute(ruleset) => ruleset.evaluate(&mut ctx)?,
                Action::Log => ctx.log_phase(phase.id, &result),
                Action::Rewrite => ctx.apply_rewrite(&result.rewrite)?,
            }
        }
        Ok(PipelineResult::Forward)
    }
}

Perbedaan Utama jarsWAF vs Cloudflare

AspekCloudflarejarsWAF
ArsitekturGlobal reverse proxy networkSingle Rust binary (Pingora)
ScalingMulti-region anycastHorizontal per-instance
Phase configAPI-driven (REST + JSON)Config file / YAML / TOML
Ruleset formatCloudflare Wirefilter DSLCustom DSL + CRS compatibility
Multi-tenancyAccount + Zone hierarchyTenant via config/namespace
DeploymentCloud-only (SaaS)On-prem / edge / cloud-agnostic
Network layerMagic Transit (proprietary)eBPF XDP + iptables/nftables

Bottom Line

Bottom Line

Ruleset Engine Cloudflare adalah referensi utama buat desain pipeline jarsWAF:

  1. 28 phase terbagi rapi — network (5), request (17), response (6)
  2. Setiap phase punya entry point ruleset → clean separation of concerns
  3. Actions: block, allow, skip, execute, rewrite, log — beyond binary allow/deny
  4. Expression language (Wirefilter) → composable, field-based
  5. Urutan phase FIXED — predictability & determinism

Untuk jarsWAF: cukup 8-10 phase yang relevan (L4 → Parse → Sanitize → WAF Custom → RateLimit → Bot → Routing → Response → Log). Jangan over-engineer — cukup yang diperlukan.


Referensi