Cloudflare Docs
Load Balancing
Visit Load Balancing on GitHub
Set theme to dark (⇧+D)

Supported fields and operators

The fields available for load balancing rules depend on whether Cloudflare proxies the traffic going through your load balancer.

If you use the wrong set of fields, you might see unexpected behavior from load balancing rules. For best results, use the fields associated with your traffic’s proxy status.

Field Set Section in Expression Builder Description
Fields supported regardless of proxy BOTH The values that are always accessible regardless of whether the load balancer is proxied or not.
Proxied-only fields PROXIED ONLY The values accessible only when the load balancer’s traffic is proxied.
Unproxied-only fields NON-PROXIED ONLY The values accessible only when the load balancer’s traffic is not proxied (DNS-only traffic).

Choose load balancer fields based on the proxy status header

For a step-by-step guide for creating a rule using the UI’s Expression Builder, see Create a load balancing rule. Note that there are a few fields that are still API-only and not present in the UI.

​​ Fields supported regardless of proxy

Regardless of whether your traffic is proxied, you have access to the following fields:

Field Name in Expression Builder Description
cf.load_balancer.name
Bytes
Load Balancer Name

Represents the name of the load balancer executing these rules.

Example value:
lb.example.com

cf.load_balancer.region
Bytes
Load Balancer Region

Provides the region name of the data center processing the request.

Example value:
ENAM

ip.src
IP address
IP Source Address

If proxied, this field provides the client TCP IP address, which may be adjusted to reflect the actual address of the client by using HTTP headers such as X-Forwarded-For or X-Real-IP.

If unproxied (DNS-only), this field provides the ECS source address, if available. If not available, it provides the client resolver IP address.

Deprecation Warning: In the future, this field will always be set to the client resolver IP address for unproxied requests. To check for the presence of ECS and use the ECS IP, see the fields dns.rr.opt.client and dns.rr.opt.client.addr, respectively.

Example value:
1.2.3.4

​​ Proxied-only fields

If your traffic is proxied through Cloudflare, you have access to all the fields listed under Fields supported regardless of proxy in addition to the following fields:

Many of these fields are referenced from the Rules language documentation.

Field Name in Expression Builder Description
http.host
String
(API-only)

Represents the hostname used in the full request URI.

Example value:
www.example.org

http.referer
String
(API-only)

Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

Example value:
Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript

http.request.headers
Map<String><Array>
Header

Represents HTTP request headers as a Map (or associative array).

The keys of the associative array are the names of HTTP request headers converted to lowercase.

When there are repeating headers, the array includes them in the order they appear in the request.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.headers["content-type"][*] == "application/json")

Example value:
{"content-type": ["application/json"]}

http.request.method
String
Request Method

Represents the HTTP method, returned as a string of uppercase characters.

Example value:
GET

http.request.timestamp.sec
Integer
Timestamp

Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.

Example value:
1484063137

http.request.uri
String
URI

Represents the URI path and query string of the request.

Example value:
/articles/index?section=539061&expand=comments

http.request.uri.args
Map<String><Array>
(API-only)

Represents the HTTP URI arguments associated with a request as a Map (associative array).

When an argument repeats, then the array contains multiple items in the order they appear in the request.

The values are not pre-processed and retain the original case used in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args["search"][*] == "red+apples")

Example value:
{"search": ["red+apples"]}

http.request.uri.args.names
Array<String>
(API-only)

Represents the names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.

When a name repeats, the array contains multiple items in the order that they appear in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.names[*] == "search")

Example value:
["search"]

http.request.uri.args.values
Array<String>
(API-only)

Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.

Duplicated values are listed multiple times.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.values[*] == "red+apples")

Example value:
["red+apples"]

http.request.uri.path
String
URI Path

Represents the URI path of the request.

Example value:
/articles/index

http.request.uri.query
String
URI Query

Represents the entire query string, without the ? delimiter.

Example value:
section=539061&expand=comments

http.request.version
String
HTTP Version

Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.

Example Values:

  • HTTP/1.1
  • HTTP/3

​​ Unproxied-only fields

If your traffic is not proxied through Cloudflare, you have access to all the fields listed under Fields supported regardless of proxy in addition to the following fields:

Field Name in Expression Builder Description
dns.qry.name
Bytes
Query Name

Represents the query name asked.

Example value:
example.com.

dns.qry.name.len
Integer
Query Name Length

Represents the length in bytes of the query name.

Example value:
123

dns.qry.qu
Boolean
Question

When true, this field indicates that the received DNS message was a question.

dns.qry.type
Integer
Query Type

Represents the numeric value of the DNS query type.

Example Values:

  • 1 (A record)
  • 28 (AAAA record)
dns.rr.opt.client
Boolean
(API-only)

When true, this field indicates that the EDNS Client Subnet (ECS) address was sent with the DNS request.

dns.rr.opt.client.addr
String
(API-only)

If present, this field represents the ECS address sent with the DNS request.

Example value:
1.2.3.0

​​ Operators and grouping symbols

  • Comparison operators specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.

  • Logical operators combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.

  • Grouping symbols allow you to organize expressions, enforce operator precedence, and nest expressions.

For examples and usage, refer to Operators and grouping symbols in the Rules language documentation.