Using RE2 Regular Expressions

Introduction

VergeCloud firewall rules support advanced filtering using RE2 regular expressions. These patterns help you match specific text — such as parts of URLs, headers, or query strings — to allow, block, or log specific traffic. RE2 is designed for speed and safety, avoiding crashes or slowdowns caused by complex regex patterns.

How It Works

Use the matches operator in your firewall expressions to apply a regex pattern to a field. For example, you can filter traffic based on the request path like this:

http.request.uri matches "^/admin"

This pattern means the request path must start with /admin.

RE2 Syntax Made Simple

1. Anchors

• ^ – Start of the string
• $ – End of the string

2. Wildcards

• . – Matches any one character (except newline)

3. Character Sets

• [abc] – Matches any one character: a, b, or c
• [^abc] – Matches any character except a, b, or c

4. Predefined Character Sets

• \d – Matches any digit (0–9)
• \w – Matches a “word” character: letters, digits, or underscore
• \s – Matches any whitespace (space, tab, newline)

Important: Use a single backslash when writing these patterns. Do not double escape like \\d. VergeCloud uses raw RE2 syntax — patterns should match exactly as described in the official RE2 syntax.

5. Escaping Special Characters

Some characters in RE2 have special meanings. If you want to match them literally, you must add a backslash (\) before the character.

For example, to match a literal dot like in file.jpg, use \. — not just ., which means “any character”.

• \. – Dot
• \= – Equals sign
• \? – Question mark (useful in query strings)
• \- – Hyphen inside character sets (e.g. [A\-Z])
• \\ – Backslash
• \*, \+, \|, \^, \$, \() – Escape these if you want them as literal characters

6. Repetition

• * – Zero or more times
• + – One or more times
• ? – Zero or one time
• {n} – Exactly n times
• {n,} – n or more times
• {n,m} – Between n and m times

7. Groups and Alternatives

• (abc) – Groups patterns together
• a|b – Matches either a or b

8. Inline Flags (Modifiers)

RE2 supports inline flags that change how patterns behave. The most common is (?i), which makes the expression case-insensitive.

• (?i) – Case-insensitive match
• (?-i) – Disable case-insensitive matching (back to default)

You can apply the flag to the entire pattern or just part of it using scoped syntax.

Examples

• (?i)^/admin – Matches /admin, /Admin, /ADMIN
• ^(?i)curl – Matches curl, CURL, CuRL
• ^/(?-i)Static – Matches only lowercase Static
• /(?i:api)/v1 – Makes only the api part case-insensitive

Note: Inline flags must appear at the start of the expression or inside a specific group.

Limitations

• Lookaheads and lookbehinds (e.g., (?=...), (?<=...)) are not supported
• Backreferences (e.g., \1) are not supported
• Extremely long or complex patterns may be rejected to ensure performance

Examples with Explanations

Troubleshooting

• Unexpected behavior? Make sure you're not using double backslashes. Use \d not \\d.
• Match too broad or imprecise? Use anchors ^ and $ to narrow the match.
• Expression rejected? Simplify the pattern to avoid performance limits.
• Trying to match symbols? Remember to escape special characters like ., =, and ?.

Advanced Reference

If you’re comfortable with regex and want the full syntax guide, refer to the official RE2 documentation:

RE2 Official Syntax

Note: VergeCloud only supports valid RE2 syntax. Unsupported features such as lookarounds and backreferences will not work.