Estimated Reading time: 7 minutes | Last modified: 2026-02-24, 4:40:21 pm

Condition Variables

Condition variables are the left operands used in page rules to match request attributes. Each condition consists of three parts: “variable + operator + value”. Variables are organized into the following groups:

  • URI (uri): The full URI path of the current request, excluding the query string. For example, in the request https://example.com/api/users?id=1, the URI is /api/users. Supports string operators.

  • URI argument (uri-arg): The value of a specified query parameter in the URI. Requires filling in the argument name. For example, when the argument name is id, the value 123 can be obtained from the request ?id=123. Supports string, numeric, and empty operators.

  • URI segment (uri-seg): A segment at a specified index position in the URI path, split by /. Requires filling in the segment index as a number. For example, in the URI /api/v2/users, index 1 corresponds to api, index 2 corresponds to v2, and index 3 corresponds to users. Supports string, numeric, and empty operators.

  • Query string (query-string): The full query string of the current request (the part after ?). For example, in the request ?a=1&b=2, the query string is a=1&b=2. Supports string operators.

  • Sorted URI arguments (sorted-query-string): The query string with parameters sorted by name. This is useful when you need to match regardless of parameter order. Supports string operators.

  • Duplicate URI arguments (duplicate-uri-arg): Detects whether there are duplicate URI query parameter names in the request. Supports boolean operators (Is True / Is False).

  • Host (host): The hostname in the request (Host header), such as www.example.com. Supports string operators.

  • Request method (req-method): The HTTP request method. Available values include CONNECT, DELETE, GET, HEAD, POST, PUT, TRACE, OPTIONS, and PATCH. Only supports String = (eq) and String ≠ (ne) operators.

  • Request header (req-header): The value of a specified request header. Requires filling in the header name, such as Accept-Language, Authorization, etc. Supports string, numeric, and empty operators.

  • Request cookie (req-cookie): The value of a specified request cookie. Requires filling in the cookie name. Supports string, numeric, and empty operators.

  • Scheme (scheme): The protocol scheme used by the request. Available values are http or https. Only supports String = (eq) and String ≠ (ne) operators.

  • Server Port (server-port): The port number of the server that accepted the current request. Supports numeric operators.

  • Server address (server-addr): The IP address of the server that accepted the current request. Supports IP address matching and string operators.

  • Request body (req-body): The content of the request body. Supports string and empty operators.

  • HTTP Version (http-version): The HTTP protocol version number. Available values are 2.0, 1.1, 1.0, and 0.9. Only supports String = (eq) and String ≠ (ne) operators.

  • First address in X-Forwarded-For (first-x-forwarded-addr): The first IP address in the X-Forwarded-For request header, typically representing the original client address. Supports IP address matching and string operators.

  • Last address in X-Forwarded-For (last-x-forwarded-addr): The last IP address in the X-Forwarded-For request header, typically representing the most recent proxy address. Supports IP address matching and string operators.

  • The length of the longest request header name (max-req-header-name-len): The character length of the longest name among all request headers. Supports numeric operators. Can be used for security protection to detect abnormally long request header names.

  • The length of the longest request header value (max-req-header-value-len): The character length of the longest value among all request headers. Supports numeric operators.

  • Number of cookie key-value pairs (req-cookie-count): The number of cookie key-value pairs in the request. Supports numeric operators.

  • Duplicate request headers (duplicate-req-header): Detects whether there are duplicate request header names in the request. Supports boolean operators (Is True / Is False).

  • Request was marked as rejected (req-rejected): Whether the request has been marked as rejected. Supports boolean operators (Is True / Is False).

  • Request was verified (req-verified): Whether the request has passed verification (such as CAPTCHA verification). Supports boolean operators (Is True / Is False).

  • Request header has underscore (req-header-has-underscore): Whether any request header name contains an underscore character. Supports boolean operators (Is True / Is False).

  • SNI Server Name (sni-server-name): The server name carried in the SNI (Server Name Indication) extension during the TLS handshake. Supports string operators.

  • Client address (client-addr): The client’s IP address. Supports IP address/CIDR matching and string operators. For IP matching, values should be in formats such as 192.168.0.1/24 or ::1/24; for exact string matching, formats such as 192.168.0.1 or ::1.

  • User agent (user-agent): The value of the User-Agent request header, identifying the client browser or application. Supports string and empty operators.

  • User agent is mobile (ua-is-mobile): Determines whether the client is a mobile device based on the User-Agent. Supports boolean operators (Is True / Is False).

  • Client continent (client-continent): The continent resolved from the client’s IP address. Only supports String = (eq) and String ≠ (ne) operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • Client country/region (client-country): The country or region resolved from the client’s IP address, represented as a country/region code (such as CN, US, UK, etc.). Only supports String = (eq) and String ≠ (ne) operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • Client provinces (client-province): The province resolved from the client’s IP address. Only supports String = (eq) and String ≠ (ne) operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • Client city (client-city): The city name resolved from the client’s IP address. Only supports String = (eq) and String ≠ (ne) operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • Client ISPs (client-isp): The Internet Service Provider resolved from the client’s IP address. Only supports String = (eq) and String ≠ (ne) operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • Client organization (client-org): The organization resolved from the client’s IP address. Only supports String = (eq) and String ≠ (ne) operators.

  • Client autonomous system number (client-asn): The Autonomous System Number (ASN) resolved from the client’s IP address. Supports numeric operators. Can optionally be based on the client address or the first address in X-Forwarded-For.

  • SSL Client Subject DN (ssl-client-s-dn): The Subject Distinguished Name of the client certificate. Supports string, numeric, and empty operators.

  • SSL Client Issuer DN (ssl-client-i-dn): The Issuer Distinguished Name of the client certificate. Supports string, numeric, and empty operators.

  • SSL Client Serial (ssl-client-serial): The serial number of the client certificate. Supports string, numeric, and empty operators.

  • SSL Client Verification Result (ssl-client-verify-result): The verification result of the client certificate. Supports string, numeric, and empty operators.

  • Uploaded file extensions (uploaded-file-extensions): The file extensions of uploaded files. Supports String = (eq), String ≠ (ne), Contains, Not contains, Prefix matches, and Suffix matches operators.

  • Uploaded file contents (uploaded-file-contents): The content of uploaded files. Supports string operators.

  • The uploaded file extension matches the file content (uploaded-file-contents-matched): Detects whether the uploaded file’s extension matches its actual content type. Supports boolean operators (Is True / Is False). Used to prevent file extension spoofing.

  • Time (date): The current time. Supports time interval operators (Within the time interval / Not within the time interval / Within the time period / Not within the time period).

Other

  • Gateway cluster (gateway-cluster): The identifier of the gateway cluster handling the current request. Only supports String = (eq) and String ≠ (ne) operators.

  • Custom (custom): A custom variable value. Requires filling in a custom value. Can be used for flexible matching in advanced scenarios.

User Variables and Global Variables

In addition to the built-in variables listed above, conditions also support referencing:

  • Application user variables: Custom variables defined at the application level, referenced by variable ID.

  • Global user variables: Custom variables defined at the global level, referenced by variable ID.