Using RE2 Regular Expressions

Using RE2 Regular Expressions

Using RE2 Regular Expressions

Introduction

VergeCloud firewall rules support advanced filtering using RE2 regular expressions. These patterns help you match specific text — such as parts of URLs, headers, or query strings — to allow, block, or log specific traffic. RE2 is designed for speed and safety, avoiding crashes or slowdowns caused by complex regex patterns.

How It Works

Use the matches operator in your firewall expressions to apply a regex pattern to a field. For example, you can filter traffic based on the request path like this:

http.request.uri matches "^/admin"

This pattern means the request path must start with /admin.

RE2 Syntax Made Simple

1. Anchors

  • ^ – Start of the string
  • $ – End of the string

2. Wildcards

  • . – Matches any one character (except newline)

3. Character Sets

  • [abc] – Matches any one character: a, b, or c
  • [^abc] – Matches any character except a, b, or c

4. Predefined Character Sets

  • \d – Matches any digit (0–9)
  • \w – Matches a “word” character: letters, digits, or underscore
  • \s – Matches any whitespace (space, tab, newline)

Important: Use a single backslash when writing these patterns. Do not double escape like \\d. VergeCloud uses raw RE2 syntax — patterns should match exactly as described in the official RE2 syntax.

5. Escaping Special Characters

Some characters in RE2 have special meanings. If you want to match them literally, you must add a backslash (\) before the character.

For example, to match a literal dot like in file.jpg, use \. — not just ., which means “any character”.

  • \. – Dot
  • \= – Equals sign
  • \? – Question mark (useful in query strings)
  • \- – Hyphen inside character sets (e.g. [A\-Z])
  • \\ – Backslash
  • \*, \+, \|, \^, \$, \() – Escape these if you want them as literal characters

6. Repetition

  • * – Zero or more times
  • + – One or more times
  • ? – Zero or one time
  • {n} – Exactly n times
  • {n,} – n or more times
  • {n,m} – Between n and m times

7. Groups and Alternatives

  • (abc) – Groups patterns together
  • a|b – Matches either a or b

8. Inline Flags (Modifiers)

RE2 supports inline flags that change how patterns behave. The most common is (?i), which makes the expression case-insensitive.

  • (?i) – Case-insensitive match
  • (?-i) – Disable case-insensitive matching (back to default)

You can apply the flag to the entire pattern or just part of it using scoped syntax.

Examples
  • (?i)^/admin – Matches /admin, /Admin, /ADMIN
  • ^(?i)curl – Matches curl, CURL, CuRL
  • ^/(?-i)Static – Matches only lowercase Static
  • /(?i:api)/v1 – Makes only the api part case-insensitive

Note: Inline flags must appear at the start of the expression or inside a specific group.

Limitations

  • Lookaheads and lookbehinds (e.g., (?=...), (?<=...)) are not supported
  • Backreferences (e.g., \1) are not supported
  • Extremely long or complex patterns may be rejected to ensure performance

Examples with Explanations

GoalExpressionWhat It Does
Block admin paths^/admin(/|$)Matches /admin, /admin/, /admin/settings
Allow .jpg files\.jpg$Matches photo.jpg, banner.jpg
Find debug queries[?&]debug=trueMatches query strings with debug=true
Numeric user ID^/user/\d+$Matches /user/123, not /user/admin
Case-insensitive user-agent match(?i)^curlMatches curl, CURL, CuRL
Block executable extensions\.(exe|bat|cmd)$Matches file.exe, script.bat

Troubleshooting

  • Unexpected behavior? Make sure you're not using double backslashes. Use \d not \\d.
  • Match too broad or imprecise? Use anchors ^ and $ to narrow the match.
  • Expression rejected? Simplify the pattern to avoid performance limits.
  • Trying to match symbols? Remember to escape special characters like ., =, and ?.

Advanced Reference

If you’re comfortable with regex and want the full syntax guide, refer to the official RE2 documentation:

RE2 Official Syntax

Note: VergeCloud only supports valid RE2 syntax. Unsupported features such as lookarounds and backreferences will not work.

    • Related Articles

    • Browser Caching and HTTP Headers with VergeCloud

      Understanding Browser Caching and HTTP Headers with VergeCloud Browser caching involves storing certain website resources on a user's browser, so they don't need to be downloaded every time they visit. Resources are stored in the browser's local ...

    • How to Change Nameservers (NS)

      If you're switching to VergeCloud DNS provider, you’ll need to update the name servers (NS records) for your domain with your registrar (Godaddy, Namecheap, etc,.). This guide explains how to update your domain’s name servers quickly and safely. ...

    • Cross-Origin Resource Sharing (CORS)

      Cross-Origin Resource Sharing (CORS) Header Cross-Origin Resource Sharing (CORS) is a critical web security feature that allows servers to specify who can access their resources and how those resources can be accessed. By defining CORS policies, you ...

    • Content Security Policy (CSP)

      Content Security Policy (CSP) Header The Content Security Policy (CSP) header is a robust web security feature designed to prevent a variety of attacks, including Cross-Site Scripting (XSS), clickjacking, and other code injection threats. By defining ...

    • IP Address Classes and CIDR Notation

      IP Address Classes IP address classes are part of the classful network architecture that was used before the introduction of CIDR (Classless Inter-Domain Routing). They categorize IP addresses into different classes based on their range and intended ...