Hi guys, my website is getting spammed with http requests making my server overload and crash.
I had found a solution previously and that was enabling Security Level - High and whenever someone spammed too much, it gave them 403, but for normal users the requests were working normally and nothing was happening. Basically when you first enter the page, it's SSR on the first page, so automatically you make a GET request, so someone is just spamming a fetch request on a loop and keeps crashing my server. Cloudflare blocked it before with High mode security but now it passes through after trying to overload the website myself.
34 Replies
which waf rule was getting triggered? we have a similar issue where waf is blocking all traffic. 949110: Inbound Anomaly Score Exceeded
to be honest with you my issue is cloudflare security level high NOT blocking spam http requests
@vinegarstrokes
so mine is the opposite of yours
I want to block traffic and give 403 for people who spam http requests
@Wideneck#5505 ah.. got it, thanks!
do you have any clue 😅
@Wideneck#5505 you should set up a rate limit instead of using a blanket policy like security level - you're using a hammer and need a screwdriver. check out https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/
It doesn't help really. Because it still makes the "attack" pass through after 10 seconds or something and still momentarily break the site
Before, it just didn't even let through a single http request when it came in a burst
Now it's making it pass through so if someone makes a fetch loop with 10000 fetches at least 500-600 go through
and that's enough to cause an overload unfortunately cause of bad vps
I don't follow. try setting the request limit to a lower value eg. 3
its gonna make the normal user not be able to use the website
lol
which tier cloudflare license are you on
free dawg
im broke
do you get custom waf rules on free?
yes
you tried something like this?
make sure it's first in the rule order
10 second rate limit period might be an enterprise feature. do you have it or is it 1min
FYI, custom waf doesn't have rate limiting features
well nut up the $20 bucks a month bru
Imma crack cloudflare
ofc
so you didn't actually try setting up a rate limit then. well there's your problem
I did set up a rate limit
I have the brokie version
do it at the server
nginx/apache have functionality
change the block duration to longer than 10 seconds dingus
As I said
Brokie version
xDD
and don't match on verified bot. well you can if you set up the bot tagger. match on ip
im gonna check the
nginx /apache trik
trick
path
go download lmstudio and deepseek r1. ask that dude how to do it
freeee
hmmm
you really can't block longer than 10 seconds on free plan?
cloudflare are dicks
ikrr
idk what happened but after their dookie maintenance
security level broke down
OR they downgraded it
its been fubar the last 2 days
enterprise support is a joke
@Wideneck#5505 have you used any waf custom rules ? I think there is about 5 free 😊
i have used them for my backend access for only whitelisted ips, and in general protection but i haven't done anything for the frontend cause my ass dont wanna break sheet
i tried rate limitation in nginx and it doesn't even work, i followed 5000 documentation and 5000 videos. I just want to block too many requests at once so they can't overload my sheet
So yeah i want to block too frequent requests from python fetching / ddos etc. like all it takes is like 150 requests within a few seconds and my server goes down.
Oh I see, I had this as a base for my site. Blocks a lot of stupid calls. But I needed to tweak it a bit (this was for some wp features).
But overall it blocked 1.7K requests for me. And they were doing 2 requests/sec.
https://webagencyhero.com/cloudflare-waf-rules-v3/#elementor-toc__heading-anchor-4
❤️
Helped a lot. Now it's blocking a lot of malicious methods I'm using