# general-discussions
- d
dave
05/27/2023, 8:57 PMis that correct? - e
Erisa | Support Engineer
05/27/2023, 8:57 PMyeah - e
Erisa | Support Engineer
05/27/2023, 8:57 PMthats the one - c
Chaika
05/27/2023, 8:57 PMI believe there's some weird fun edge case where if a worker fetches from a same-zone origin with rate limiting on it, it bypasses rate limiting - e
Erisa | Support Engineer
05/27/2023, 8:57 PMyou cant vary counting based on which worker zone but you sure can exclude the rule entirely for certain worker zones - d
dave
05/27/2023, 8:58 PMpage rule makes the most sense here right? - d
dave
05/27/2023, 8:58 PMwait no - e
Erisa | Support Engineer
05/27/2023, 8:58 PMnot at all - d
dave
05/27/2023, 8:58 PMsorry lol I realized that's wrong after hitting enter - e
Erisa | Support Engineer
05/27/2023, 8:58 PMeither custom rule with skip action or just put an "if not" in the RL rule itself - d
dave
05/27/2023, 9:01 PMSane?https://cdn.discordapp.com/attachments/909458221419356210/1112123369039605852/image.png▾
- e
Erisa | Support Engineer
05/27/2023, 9:01 PMif you trust your workers, sure - d
dave
05/27/2023, 9:02 PMhmm - d
dave
05/27/2023, 9:02 PMmore sane?https://cdn.discordapp.com/attachments/909458221419356210/1112123798964150303/image.png▾
- e
Erisa | Support Engineer
05/27/2023, 9:03 PMid be cautious about the workers.dev since it cant have WAF on itself so if a worker on it was exposed that made a request to another zone bypassing rules then it would create a doorway through which someone could send unblocked requests to the zone - d
dave
05/27/2023, 9:04 PMgood point. - d
dave
05/27/2023, 9:04 PMoverlooked that - d
dave
05/27/2023, 9:04 PMcf.worker.upstream_zone eq "ai.moda" - a
AA
05/27/2023, 9:04 PMoh, y'all are talking about the exact subject I'm looking for. cloudflareD. I have a tunnel running, how can I expose postgresql (TCP) only to cloudflare workers, and not the internet in general? - e
Erisa | Support Engineer
05/27/2023, 9:05 PMyou can protect it with Cloudflare Access & Service Tokens, then make the worker send those service tokens in the headers - d
dave
05/27/2023, 9:05 PMdoes this have the @Erisa | Support Engineer TM Official Seal of Quality Approval?https://cdn.discordapp.com/attachments/909458221419356210/1112124407083716668/image.png▾
- e
Erisa | Support Engineer
05/27/2023, 9:05 PMsure 😛 it will depend on your overall setup, but that makes some sense - c
Chaika
05/27/2023, 9:06 PMyou might want to turn off log matching requests lol - a
AA
05/27/2023, 9:06 PMwait.. the headers? for postgresql? - e
Erisa | Support Engineer
05/27/2023, 9:06 PMHaha - d
dave
05/27/2023, 9:06 PMI think I want that at first to see how often it's happening - e
Erisa | Support Engineer
05/27/2023, 9:06 PMYeah so cloudflared can only expose things as HTTPS, the Worker will have to connect through a websocket - a
AA
05/27/2023, 9:06 PMhmm, but workers now supports postgresql natively.. but cloudflared doesnt? - e
Erisa | Support Engineer
05/27/2023, 9:07 PMyeah - e
Erisa | Support Engineer
05/27/2023, 9:07 PMcloudflared cant expose plain TCP ports