Rule Precedence

A draft or policy may contain one or more rules. The use of multiple rules facilitates:

Sample Scenario

In this sample scenario, create the following rules:

Order Purpose Description

1

Assign a default cache policy for all requests.

Placing this rule at the top of the list ensures that this cache policy is assigned by default to all requests.

2

Define an alternative cache policy based on origin type.

The rule's position allows it to override the default behavior defined in the first rule for requests to a specific origin.

3

Deny access based on the requester's location.

This rule denies access for requests that originate from a specific location. Although this rule does not contradict the above two rules, segregating these instructions improves readability and facilitates rule management.

Rule order can drastically affect how requests are handled. In the above example, moving the default cache policy rule below the other rules will nullify the cache policy defined by origin type.

Rule Order

Rules are typically processed in the order that they are listed. If a client's request satisfies the criteria for more than one rule, then the corresponding features will be applied to the request. This could lead to a situation where conflicting actions will take place. In such a case, the last action to take place will take precedence over previous actions. Therefore, it is recommended to place rules that should take precedence as close to the bottom of the list as possible.

Rules within a draft may be reordered at any time.

This principle also applies for independent match conditions.
Learn more.

Sample Scenario

The following illustration contains four sample rules that provide different instructions based on the type of request being performed.

We will now examine how a request for an HTML asset from the "Secure" folder on "myorigin.com" will be handled. This request will satisfy the match criteria for all four rules. Therefore, the features associated with each of the rules will be applied to the request. If one or more rules contain conflicting instructions, then the rule closest to the bottom of the list will take precedence. In this sample scenario, the rule called "Apply to All HTML Requests for "myorigin.com" in "Secure" Folder" would take precedence over the other rules.

A good rule of thumb when determining where a rule should be placed is to order rules according to the level of detail in the criteria. Rules with general criteria should be placed closer to the top of the list, while more detailed criteria should be placed closer to the bottom. This type of configuration allows catch-all rules to assign default handling behavior for your assets without interfering with the manner in which specific types of assets are handled.

Exceptions

The following cases are exceptions to the order-based rule precedence stated above:

  1. Identical Top-Level Matching Criteria

    If the top-level matching criteria for a rule are the same as that of another rule, then the actions associated with those two rules will take place at the same time. Thus, a rule at the bottom could be combined with a rule at the top of the list. This type of situation would prevent the rule at the bottom from taking precedence over other rules.

  2. URL Rewrite Precedence

    The URL Rewrite feature takes precedence when multiple features will be applied to a request. This occurs regardless of rule order.

    Example

    In this sample scenario, a policy contains two rules. The first rule applies the URL Redirect feature, while the second one applies the URL Rewrite feature. If a request satisfies both rules, then the URL Rewrite feature will always be applied to a request before the URL Redirect feature.

  3. Token Auth Precedence

    The Token Auth feature takes precedence over most features with the exception of the URL Rewrite feature. This occurs regardless of rule order.

    Example

    In this sample scenario, a policy contains two rules. The first rule applies the URL Redirect feature, while the second one applies the Token Auth feature. If a request satisfies both rules, then the Token Auth feature will always be applied to a request before the URL Redirect feature.