Add exceptions with Page Rules
In the Configure HTTPS settings tutorial, you configured zone settings that apply to all of example.com
. In this tutorial, you will add an exception to these settings using Page Rules.
Specifically, you will increase the security level for a URL known to be expensive to render and cannot be cached: https://www.example.com/expensive-db-call
. Additionally, you will add a redirect from the previous URL used to host this page.
1. Create a new branch and append the page rule
Create a new branch and append the configuration.
$ git checkout -b step6-pageruleSwitched to a new branch 'step6-pagerule'
$ cat >> cloudflare.tf <<'EOF'resource "cloudflare_page_rule" "increase-security-on-expensive-page" { zone_id = var.zone_id target = "www.${var.domain}/expensive-db-call" priority = 1
actions { security_level = "under_attack", }}
resource "cloudflare_page_rule" "redirect-to-new-db-page" { zone_id = var.zone_id target = "www.${var.domain}/old-location.php" priority = 2
actions { forwarding_url { url = "https://www.${var.domain}/expensive-db-call" status_code = 301 } }}EOF
2. Preview and merge the changes
Preview the changes Terraform will make and then merge them into the master
branch.
$ terraform planRefreshing Terraform state in-memory prior to plan...The refreshed state will be used to calculate this plan, but will not bepersisted to local or remote state storage.
cloudflare_record.www-asia: Refreshing state... (ID: fda39d8c9bf909132e82a36bab992864)cloudflare_record.www: Refreshing state... (ID: c38d3103767284e7cd14d5dad3ab8669)cloudflare_zone_settings_override.example-com-settings: Refreshing state... (ID: e2e6491340be87a3726f91fc4148b126)cloudflare_load_balancer_monitor.get-root-https: Refreshing state... (ID: 4238142473fcd48e89ef1964be72e3e0)cloudflare_load_balancer_pool.www-servers: Refreshing state... (ID: 906d2a7521634783f4a96c062eeecc6d)cloudflare_load_balancer.www-lb: Refreshing state... (ID: cb94f53f150e5c1a65a07e43c5d4cac4)
------------------------------------------------------------------------
An execution plan has been generated and is shown below.Resource actions are indicated with the following symbols: + create
Terraform will perform the following actions:
+ cloudflare_page_rule.increase-security-on-expensive-page id: <computed> actions.#: "1" actions.0.always_use_https: "false" actions.0.disable_apps: "false" actions.0.disable_performance: "false" actions.0.disable_security: "false" actions.0.security_level: "under_attack" priority: "1" status: "active" target: "www.example.com/expensive-db-call" zone: "example.com" zone_id: <computed>
+ cloudflare_page_rule.redirect-to-new-db-page id: <computed> actions.#: "1" actions.0.always_use_https: "false" actions.0.disable_apps: "false" actions.0.disable_performance: "false" actions.0.disable_security: "false" actions.0.forwarding_url.#: "1" actions.0.forwarding_url.0.status_code: "301" actions.0.forwarding_url.0.url: "https://www.example.com/expensive-db-call" priority: "2" status: "active" target: "www.example.com/old-location.php" zone: "example.com" zone_id: <computed>
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraformcan't guarantee that exactly these actions will be performed if"terraform apply" is subsequently run.
$ git add cloudflare.tf
$ git commit -m "Step 6 - Add two Page Rules."[step6-pagerule d4fec16] Step 6 - Add two Page Rules. 1 file changed, 23 insertions(+)
$ git checkout masterSwitched to branch 'master'
$ git merge step6-pageruleUpdating 7a2ac34..d4fec16Fast-forward cloudflare.tf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
3. Apply and verify the changes
First, test request the (now missing) old location of the expensive-to-render page.
$ curl -vso /dev/null https://www.example.com/old-location.php 2>&1 | grep "< HTTP\|Location"< HTTP/1.1 404 Not Found
As expected, the location cannot be found. Apply the Page Rules, including the redirect that should fix this error.
$ terraform apply --auto-approvecloudflare_record.www-asia: Refreshing state... (ID: fda39d8c9bf909132e82a36bab992864)cloudflare_load_balancer_monitor.get-root-https: Refreshing state... (ID: 4238142473fcd48e89ef1964be72e3e0)cloudflare_zone_settings_override.example-com-settings: Refreshing state... (ID: e2e6491340be87a3726f91fc4148b126)cloudflare_record.www: Refreshing state... (ID: c38d3103767284e7cd14d5dad3ab8669)cloudflare_load_balancer_pool.www-servers: Refreshing state... (ID: 906d2a7521634783f4a96c062eeecc6d)cloudflare_load_balancer.www-lb: Refreshing state... (ID: cb94f53f150e5c1a65a07e43c5d4cac4)cloudflare_page_rule.redirect-to-new-db-page: Creating... actions.#: "0" => "1" actions.0.always_use_https: "" => "false" actions.0.disable_apps: "" => "false" actions.0.disable_performance: "" => "false" actions.0.disable_security: "" => "false" actions.0.forwarding_url.#: "0" => "1" actions.0.forwarding_url.0.status_code: "" => "301" actions.0.forwarding_url.0.url: "" => "https://www.example.com/expensive-db-call" priority: "" => "2" status: "" => "active" target: "" => "www.example.com/old-location.php" zone: "" => "example.com" zone_id: "" => "<computed>"cloudflare_page_rule.increase-security-on-expensive-page: Creating... actions.#: "0" => "1" actions.0.always_use_https: "" => "false" actions.0.disable_apps: "" => "false" actions.0.disable_performance: "" => "false" actions.0.disable_security: "" => "false" actions.0.security_level: "" => "under_attack" priority: "" => "1" status: "" => "active" target: "" => "www.example.com/expensive-db-call" zone: "" => "example.com" zone_id: "" => "<computed>"cloudflare_page_rule.redirect-to-new-db-page: Creation complete after 3s (ID: c5c40ff2dc12416b5fe4d0541980c591)cloudflare_page_rule.increase-security-on-expensive-page: Creation complete after 6s (ID: 1c13fdb84710c4cc8b11daf7ffcca449)
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
With the Page Rules in place, try that call again, along with a test for the “I Am Under Attack” mode:
$ curl -vso /dev/null https://www.example.com/old-location.php 2>&1 | grep "< HTTP\|Location"< HTTP/1.1 301 Moved Permanently< Location: https://www.example.com/expensive-db-call
$ curl -vso /dev/null https://www.example.com/expensive-db-call 2>&1 | grep "< HTTP"< HTTP/1.1 503 Service Temporarily Unavailable
The call works as expected. In the first case, the Cloudflare edge responds with a 301
redirecting the browser to the new location. In the second case, the Cloudflare edge initially responds with a 503
, which is consistent with the “I Am Under Attack” mode.