Using RE2 Regular Expressions

Using RE2 Regular Expressions

Using RE2 Regular Expressions

Introduction

VergeCloud firewall rules support advanced filtering using RE2 regular expressions. These patterns help you match specific text — such as parts of URLs, headers, or query strings — to allow, block, or log specific traffic. RE2 is designed for speed and safety, avoiding crashes or slowdowns caused by complex regex patterns.

How It Works

Use the matches operator in your firewall expressions to apply a regex pattern to a field. For example, you can filter traffic based on the request path like this:

http.request.uri matches "^/admin"

This pattern means the request path must start with /admin.

RE2 Syntax Made Simple

1. Anchors

  • ^ – Start of the string
  • $ – End of the string

2. Wildcards

  • . – Matches any one character (except newline)

3. Character Sets

  • [abc] – Matches any one character: a, b, or c
  • [^abc] – Matches any character except a, b, or c

4. Predefined Character Sets

  • \d – Matches any digit (0–9)
  • \w – Matches a “word” character: letters, digits, or underscore
  • \s – Matches any whitespace (space, tab, newline)

Important: Use a single backslash when writing these patterns. Do not double escape like \\d. VergeCloud uses raw RE2 syntax — patterns should match exactly as described in the official RE2 syntax.

5. Escaping Special Characters

Some characters in RE2 have special meanings. If you want to match them literally, you must add a backslash (\) before the character.

For example, to match a literal dot like in file.jpg, use \. — not just ., which means “any character”.

  • \. – Dot
  • \= – Equals sign
  • \? – Question mark (useful in query strings)
  • \- – Hyphen inside character sets (e.g. [A\-Z])
  • \\ – Backslash
  • \*, \+, \|, \^, \$, \() – Escape these if you want them as literal characters

6. Repetition

  • * – Zero or more times
  • + – One or more times
  • ? – Zero or one time
  • {n} – Exactly n times
  • {n,} – n or more times
  • {n,m} – Between n and m times

7. Groups and Alternatives

  • (abc) – Groups patterns together
  • a|b – Matches either a or b

8. Inline Flags (Modifiers)

RE2 supports inline flags that change how patterns behave. The most common is (?i), which makes the expression case-insensitive.

  • (?i) – Case-insensitive match
  • (?-i) – Disable case-insensitive matching (back to default)

You can apply the flag to the entire pattern or just part of it using scoped syntax.

Examples
  • (?i)^/admin – Matches /admin, /Admin, /ADMIN
  • ^(?i)curl – Matches curl, CURL, CuRL
  • ^/(?-i)Static – Matches only lowercase Static
  • /(?i:api)/v1 – Makes only the api part case-insensitive

Note: Inline flags must appear at the start of the expression or inside a specific group.

Limitations

  • Lookaheads and lookbehinds (e.g., (?=...), (?<=...)) are not supported
  • Backreferences (e.g., \1) are not supported
  • Extremely long or complex patterns may be rejected to ensure performance

Examples with Explanations

GoalExpressionWhat It Does
Block admin paths^/admin(/|$)Matches /admin, /admin/, /admin/settings
Allow .jpg files\.jpg$Matches photo.jpg, banner.jpg
Find debug queries[?&]debug=trueMatches query strings with debug=true
Numeric user ID^/user/\d+$Matches /user/123, not /user/admin
Case-insensitive user-agent match(?i)^curlMatches curl, CURL, CuRL
Block executable extensions\.(exe|bat|cmd)$Matches file.exe, script.bat

Troubleshooting

  • Unexpected behavior? Make sure you're not using double backslashes. Use \d not \\d.
  • Match too broad or imprecise? Use anchors ^ and $ to narrow the match.
  • Expression rejected? Simplify the pattern to avoid performance limits.
  • Trying to match symbols? Remember to escape special characters like ., =, and ?.

Advanced Reference

If you’re comfortable with regex and want the full syntax guide, refer to the official RE2 documentation:

RE2 Official Syntax

Note: VergeCloud only supports valid RE2 syntax. Unsupported features such as lookarounds and backreferences will not work.

    • Related Articles

    • Browser Caching and HTTP Headers with VergeCloud

      Understanding Browser Caching and HTTP Headers with VergeCloud Browser caching involves storing certain website resources on a user's browser, so they don't need to be downloaded every time they visit. Resources are stored in the browser's local ...

    • How to Change Nameservers (NS)

      If you're switching to VergeCloud DNS provider, you’ll need to update the name servers (NS records) for your domain with your registrar (Godaddy, Namecheap, etc,.). This guide explains how to update your domain’s name servers quickly and safely. ...

    • How To Check Website Speed?

      Understanding Website Speed Testing and Optimization The loading time of a website is crucial for attracting visitors and achieving success in an online business. Faster load times lead to better search engine rankings, higher conversion rates, lower ...

    • Understanding and Optimizing Time To First Byte (TTFB).

      What is Time To First Byte (TTFB)? TTFB stands for "Time To First Byte," referring to the time it takes from the moment a browser sends an HTTP request to a server until the first byte of data is received. This duration includes DNS lookup and ...

    • Cross-Origin Resource Sharing (CORS)

      Cross-Origin Resource Sharing (CORS) Header Cross-Origin Resource Sharing (CORS) is a critical web security feature that allows servers to specify who can access their resources and how those resources can be accessed. By defining CORS policies, you ...