Use category overrides to enable Joomla rules
Use the Rulesets API to configure the execution of a managed ruleset and override its behavior. By default, enabled rules perform the actions defined by the managed ruleset issuer. This example uses overrides to ensure that only rules with a specific tag are enabled.
Follow the steps below to configure the execution of a managed ruleset with two overrides for enabling only the rules tagged with joomla
.
- Add a rule to a phase entry point ruleset that executes a managed ruleset.
- Configure a ruleset override that disables all rules in the managed ruleset.
- Configure a tag override that enables only the rules with a given tag.
Tag overrides take precedence over ruleset overrides. Only the rules with the specified tag are enabled, and all other rules are disabled.
Example 1
This example uses the Update ruleset operation to deploy the Cloudflare Managed Ruleset to a phase with only Joomla rules enabled. The name
, kind
, and phase
fields are omitted from the request because they are immutable.
Example: Enable only Joomla rules using category overrides at the zone level
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"rules": [{"action": "execute","expression": "true","action_parameters": {"id": "<MANAGED_RULESET_ID>","overrides": {"enabled": false,"categories": [{"category": "joomla","action": "block","enabled": true}]}}}]}'
"id": "<MANAGED_RULESET_ID>"
adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for the specified zone ({zone_id}
)."enabled": false
defines an override at the ruleset level that disables all rules in the managed ruleset."categories": [{"category": "joomla", "action": "block", "enabled": true}]
defines an override at the tag level that enables the Joomla rules and sets their action toblock
.
Example: Enable only Joomla rules using category overrides at the account level
curl --request PUT \https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"rules": [{"action": "execute","expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"","action_parameters": {"id": "<MANAGED_RULESET_ID>","overrides": {"enabled": false,"categories": [{"category": "joomla","action": "block","enabled": true}]}}}]}'
"id": "<MANAGED_RULESET_ID>"
adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests forexample.com
."enabled": false
defines an override at the ruleset level that disables all rules in the managed ruleset."categories": [{"category": "joomla", "action": "block", "enabled": true}]
defines an override at the tag level that enables the Joomla rules and sets their action toblock
.
You can add more than one category override to a rule.
Example 2
This example uses a PUT
request to add two overrides to the rule that executes a managed ruleset (<MANAGED_RULESET_ID>
) in the http_request_firewall_managed
phase. Note that the name
, kind
, and phase
fields are omitted from the request because they are immutable.
Example: Add more than one category override at the zone level
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"rules": [{"action": "execute","expression": "true","action_parameters": {"id": "<MANAGED_RULESET_ID>","overrides": {"enabled": false,"categories": [{"category": "joomla","action": "log","enabled": true},{"category": "wordpress","enabled": false}]}}}]}'
Example: Add more than one category override at the account level
curl --request PUT \https://api.cloudflare.com/client/v4/account/{account_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"rules": [{"action": "execute","expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"","action_parameters": {"id": "<MANAGED_RULESET_ID>","overrides": {"enabled": false,"categories": [{"category": "joomla","action": "log","enabled": true},{"category": "wordpress","enabled": false}]}}}]}'
The order of the overrides in the root ruleset affects whether rules in the deployed managed ruleset are enabled or disabled. Overrides placed later in the list take precedence over earlier overrides. Consider four rules from the managed ruleset in the code above that have different combinations of category
tags.
The following table shows the status of the rules after the overrides.
Rule in managed ruleset | Tags | Rule status after overrides |
---|---|---|
ManagedRule1 | drupal, dos | disabled |
ManagedRule2 | drupal, dos, joomla | enabled |
ManagedRule3 | dos, joomla, wordpress | disabled |
ManagedRule4 | drupal, wordpress | disabled |
ManagedRule5 | (no tags) | disabled |