Rule operators and grouping symbols
The Cloudflare Rules language supports comparison and logical operators:
- Comparison operators specify how values defined in an expression must relate to the actual HTTP request value for the expression to return
true
. - Logical operators combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.
Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.
Comparison operators
Comparison operators return true
when a value from an HTTP request matches a value defined in an expression.
This is the general pattern for using comparison operators:
<field> <comparison_operator> <value>
The Rules language supports these comparison operators:
Name | Operator Notation | Supported Data Types | ||||
---|---|---|---|---|---|---|
English | C-like | String | IP | Number | Example (operator in bold) | |
Equal | eq | == | ✅ | ✅ | ✅ | http.request.uri.path eq "/articles/2008/" |
Not equal | ne | != | ✅ | ✅ | ✅ | ip.src ne 203.0.113.0 |
Less than | lt | < | ✅ | ❌ | ✅ | cf.threat_score lt 10 |
Less than or equal | le | <= | ✅ | ❌ | ✅ | cf.threat_score le 20 |
Greater than | gt | > | ✅ | ❌ | ✅ | cf.threat_score gt 25 |
Greater than or equal | ge | >= | ✅ | ❌ | ✅ | cf.threat_score ge 60 |
Exactly contains | contains | ✅ | ❌ | ❌ | http.request.uri.path contains "/articles/" | |
Matches regex* | matches | ~ | ✅ | ❌ | ❌ | http.request.uri.path matches "^/articles/200[7-8]/$" |
Value is in a set of values | in | ✅ | ✅ | ✅ | ip.src in { 203.0.113.0 203.0.113.1 } |
* Access to the matches
operator requires a Cloudflare Business or Enterprise plan.
Additional operators in the Cloudflare dashboard
The Cloudflare dashboard shows the following functions as operators:
- starts with (corresponding to the
starts_with
function): Returnstrue
when a string starts with a given substring, andfalse
otherwise. - ends with (corresponding to the
ends_with
function): Returnstrue
when a string ends with a given substring, andfalse
otherwise.
However, when writing your own custom expressions, you must use these functions in function calls, not as operators. For example:
# Valid function callends_with(http.request.uri.path, ".html")
# Invalid use of ends_with functionhttp.request.uri.path ends_with ".html"
Comparing string values
String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the lower()
function and compare the result with a lowercased string, like in the following example:
lower(http.request.uri.path) contains "/wp-login.php"
Regular expression matching
Customers on Business and Enterprise plans have access to the matches
operator. Regular expression matching is performed using the Rust regular expression engine.
If you are using a regular expression, you can test it using a tool like Regular Expressions 101 or Rustexp.
For more information on regular expressions, refer to String values and regular expressions.
Logical operators
Logical operators combine two or more expressions into a single compound expression. A compound expression has this general syntax:
<expression> <logical_operator> <expression>
Supported logical operators
Each logical operator has an order of precedence. The order of precedence (along with grouping symbols) determines the order in which Cloudflare evaluates logical operators in an expression. The not
operator ranks first in order of precedence.
Name | English Notation | C-like Notation | Example | Order of Precedence |
---|---|---|---|---|
Logical NOT | not | ! | not ( http.host eq "www.cloudflare.com" and ip.src in {203.0.113.0/24} ) | 1 |
Logical AND | and | && | http.host eq "www.cloudflare.com" and ip.src in {203.0.113.0/24} | 2 |
Logical XOR (exclusive OR) | xor | ^^ | http.host eq "www.cloudflare.com" xor ip.src in {203.0.113.0/24} | 3 |
Logical OR | or | || | http.host eq "www.cloudflare.com" or ip.src in 203.0.113.0/24 | 4 |
Order of precedence
When writing compound expressions, it is important to be aware of the precedence of logical operators so that your expression is evaluated the way you expect.
For example, consider the following generic expression, which uses and
and or
operators:
Expression1 and Expression2 or Expression3
If these operators had no order of precedence, it would not be clear which of two interpretations is correct:
- Match when Expression 1 and Expression 2 are both true or when Expression 3 is true.
- Match when Expression 1 is true and either Expression 2 or Expression 3 is true.
Since the logical and
operator has precedence over logical or
, the and
operator must be evaluated first. Interpretation 1 is correct.
To avoid ambiguity when working with logical operators, use grouping symbols so that the order of evaluation is explicit.
Grouping symbols
The Rules language supports parentheses ((
,)
) as grouping symbols. Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.
Only the Expression Editor and the Cloudflare API support grouping symbols. The Expression Builder does not.
Group expressions
Use parentheses to explicitly group expressions that should be evaluated together. In this example, the parentheses do not alter the evaluation of the expression, but they unambiguously call out which logical operators to evaluate first.
(Expression1 and Expression2) or Expression3
Because grouping symbols are so explicit, you are less likely to make errors when you use them to write compound expressions.
Enforce precedence
Grouping symbols are a powerful tool to enforce precedence for grouped elements of a compound expression. In this example, parentheses force the logical or
operator to be evaluated before the logical and
:
Expression1 and (Expression2 or Expression3)
Without parentheses, the logical and
operator would take precedence.
Nest expressions
You can nest expressions grouped by parentheses inside other groups to create very precise, sophisticated expressions, such as this example for a rule designed to block access to a domain:
( (http.host eq "api.example.com" and http.request.uri.path eq "/api/v2/auth") or (http.host matches "^(www|store|blog)\.example.com" and http.request.uri.path contains "wp-login.php") or ip.geoip.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.geoip.asnum in {12345 54321 11111}) and not ip.src in {11.22.33.0/24}
Note that when evaluating the precedence of logical operators, parentheses inside strings delimited by quotes are ignored, such as those in the following regular expression, drawn from the example above:
"^(www|store|blog)\.example\.com"