Cloudflare Docs
Ruleset Engine
Visit Ruleset Engine on GitHub
Set theme to dark (⇧+D)

Use category overrides to enable Joomla rules

Use the Rulesets API to configure the execution of a managed ruleset and override its behavior. By default, enabled rules perform the actions defined by the managed ruleset issuer. This example uses overrides to ensure that only rules with a specific tag are enabled.

Follow the steps below to configure the execution of a managed ruleset with two overrides for enabling only the rules tagged with joomla.

  1. Add a rule to a phase entry point ruleset that executes a managed ruleset.
  2. Configure a ruleset override that disables all rules in the managed ruleset.
  3. Configure a tag override that enables only the rules with a given tag.

Tag overrides take precedence over ruleset overrides. Only the rules with the specified tag are enabled, and all other rules are disabled.

​​ Example 1

This example uses the Update ruleset operation to deploy the Cloudflare Managed Ruleset to a phase with only Joomla rules enabled. The name, kind, and phase fields are omitted from the request because they are immutable.

Example: Enable only Joomla rules using category overrides at the zone level

curl --request PUT \
https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"action": "execute",
"expression": "true",
"action_parameters": {
"id": "<MANAGED_RULESET_ID>",
"overrides": {
"enabled": false,
"categories": [
{
"category": "joomla",
"action": "block",
"enabled": true
}
]
}
}
}
]
}'
  • "id": "<MANAGED_RULESET_ID>" adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for the specified zone ({zone_id}).
  • "enabled": false defines an override at the ruleset level that disables all rules in the managed ruleset.
  • "categories": [{"category": "joomla", "action": "block", "enabled": true}] defines an override at the tag level that enables the Joomla rules and sets their action to block.
Example: Enable only Joomla rules using category overrides at the account level

curl --request PUT \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/http_request_firewall_managed/entrypoint \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"action": "execute",
"expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
"action_parameters": {
"id": "<MANAGED_RULESET_ID>",
"overrides": {
"enabled": false,
"categories": [
{
"category": "joomla",
"action": "block",
"enabled": true
}
]
}
}
}
]
}'
  • "id": "<MANAGED_RULESET_ID>" adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for example.com.
  • "enabled": false defines an override at the ruleset level that disables all rules in the managed ruleset.
  • "categories": [{"category": "joomla", "action": "block", "enabled": true}] defines an override at the tag level that enables the Joomla rules and sets their action to block.

You can add more than one category override to a rule.

​​ Example 2

This example uses a PUT request to add two overrides to the rule that executes a managed ruleset (<MANAGED_RULESET_ID>) in the http_request_firewall_managed phase. Note that the name, kind, and phase fields are omitted from the request because they are immutable.

Example: Add more than one category override at the zone level

curl --request PUT \
https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"action": "execute",
"expression": "true",
"action_parameters": {
"id": "<MANAGED_RULESET_ID>",
"overrides": {
"enabled": false,
"categories": [
{
"category": "joomla",
"action": "log",
"enabled": true
},
{
"category": "wordpress",
"enabled": false
}
]
}
}
}
]
}'
Example: Add more than one category override at the account level

curl --request PUT \
https://api.cloudflare.com/client/v4/account/{account_id}/rulesets/phases/http_request_firewall_managed/entrypoint \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"action": "execute",
"expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
"action_parameters": {
"id": "<MANAGED_RULESET_ID>",
"overrides": {
"enabled": false,
"categories": [
{
"category": "joomla",
"action": "log",
"enabled": true
},
{
"category": "wordpress",
"enabled": false
}
]
}
}
}
]
}'

The order of the overrides in the root ruleset affects whether rules in the deployed managed ruleset are enabled or disabled. Overrides placed later in the list take precedence over earlier overrides. Consider four rules from the managed ruleset in the code above that have different combinations of category tags.

The following table shows the status of the rules after the overrides.

Rule in managed ruleset Tags Rule status after overrides
ManagedRule1 drupal, dos disabled
ManagedRule2 drupal, dos, joomla enabled
ManagedRule3 dos, joomla, wordpress disabled
ManagedRule4 drupal, wordpress disabled
ManagedRule5 (no tags) disabled