Bot traffic control

Hi there.

I’m trying to secure a PHP based website from a security and performance perspective.

  1. WAF, Custom firewall rules, bot traffic identification / control and rate limiting tools are available but the sequence in which these execute is not clear.

  2. Additionally, there should be a possibility to configure exclusions / exceptions to exclude permitted bots / automated traffic, e.g. webhooks and apps. For example, a user agent like “okhttp” or an app name is caught as definitely automated traffic. There should be an option to exclude user agents / IPs / endpoints / paths from such classification.

  3. There should be some option to identify AJAX requests in custom firewall rules, since putting up a captcha / JS “challenge” is not suitable in such cases. Rather, a custom response + some error HTTP status code would make more sense to use in such cases.

Okay, it seems I misunderstood your question and read it as you wanting to make your PHP website less secure?

Or, to have a better-secured PHP website, you want to know more about how and which options to use and configure at Cloudflare, for better security and protection, and also better performance as well?

Just to make sure, could you rephrase what you mean and want to achieve?

The 1st, 2nd and 3rd bullet points can be achieved by using the Cloudflare service for your domain / website.

But regarding PHP performance, that has to be done at your origin host / server first (like PHP OPcache, etc.).

Hopefully, your PHP website has been developed with some security design in the process, or actually not?

May I suggest looking into the posts below to find more useful and helpful information regarding the Security options available at Cloudflare, also regarding DDoS protection at Cloudflare, and some more #tutorials and #tips in terms of better manual protection measures (like effective usage of Firewall Rules, WAF, blocking bad bots, Rate Limiting, limiting access by IP or country restrictions, etc.):

For even better protection, I would recommend going with the Pro Plan, as it offers advanced features like the Managed Web Application Firewall (especially for your PHP website in terms of OWASP rules, SQL injection detection and protection, and other) and Bot Mitigation - what you are actually looking for (1st and 2nd bullet; the 3rd can be achieved with custom Firewall Rules too).

See here:


@fritex Yes, I want to optimize the site from a performance and security perspective + limit bad bot traffic so that the site performs well for the real end users. Or in your words:

to have a better-secured PHP website, you want to know more about how and which options to use and configure at Cloudflare, for better security and protection, and also better performance as well?

The origin server practices like OPcache, an appropriate PHP version, DB query and webpage-level optimizations are in place.

My current concern is better management on the Cloudflare side to limit the impact of bad bots and automated tools firing up limited or full-fledged DDoS attacks, while still allowing frequent webhook hits from 2-3 third-party tools. I’m using the Cloudflare WAF and looking into optimizing this through the various tools available in the Firewall section: Firewall Rules, Bot Fight Mode and Rate Limiting.

My questions for the community and the Cloudflare team are:

  1. WAF, Custom firewall rules, bot traffic identification / control and rate limiting tools are available, but the sequence in which these execute is not clear.
  2. Additionally, there should be a possibility to configure exclusions / exceptions to exclude permitted bots / automated traffic, e.g. webhooks and apps. For example, a user agent like “okhttp” or an app name is caught as definitely automated traffic. There should be an option to exclude user agents / IPs / endpoints / paths from such classification.
  3. There should be some option to identify AJAX requests in custom firewall rules, since putting up a captcha / JS “challenge” is not suitable in such cases. Rather, a custom response + some error HTTP status code would make more sense to use in such cases.
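Editor's added example for the 2nd and 3rd questions above (not posted by either participant and not Cloudflare's own documentation): three legacy Cloudflare Firewall Rules in priority order, written in Cloudflare's rule expression language. The host, the `/webhooks/` path prefix, the RFC 5737 documentation IP ranges, the user agent strings and the threat-score threshold are placeholders standing in for the poster's own values; the fields used (`http.host`, `http.request.uri.path`, `ip.src`, `http.user_agent`, `http.request.headers`, `cf.client.bot`, `cf.threat_score`) and the `any(...)` / `starts_with(...)` functions are Cloudflare's documented ones.

```text
# Rule 1 (highest priority): exempt the 2-3 known webhook senders.
# Match on path + source IP + method, never on user agent alone,
# because "okhttp" or an app name is trivially spoofed by an attacker.
Action: Allow
Expression:
  http.host eq "example.com"
  and http.request.method eq "POST"
  and starts_with(http.request.uri.path, "/webhooks/")
  and ip.src in {203.0.113.10 203.0.113.11 198.51.100.0/24}

# Rule 2: AJAX calls that look hostile. A Captcha or JS challenge cannot be
# completed by XMLHttpRequest/fetch, so return a plain 403 (Block) instead.
# "Hostile" here = self-identified AJAX, not a Cloudflare-verified bot,
# and an IP reputation score above the placeholder threshold of 10.
Action: Block
Expression:
  any(http.request.headers["x-requested-with"][*] == "XMLHttpRequest")
  and not cf.client.bot
  and cf.threat_score gt 10

# Rule 3: everything else with an automation user agent, outside the webhook
# path, gets the interactive challenge (a real browser can solve it).
Action: Challenge (Captcha)
Expression:
  (http.user_agent contains "okhttp" or http.user_agent contains "python-requests")
  and not starts_with(http.request.uri.path, "/webhooks/")
```

Two caveats a practitioner should check before copying this. First, Allow only short-circuits the remaining firewall rules for that request; whether it also exempts the request from Bot Fight Mode and Rate Limiting depends on Cloudflare's product evaluation order, which is exactly the 1st question and is not settled on this page, so confirm it in the current Cloudflare docs. Second, `X-Requested-With: XMLHttpRequest` is set by jQuery-style XHR calls but not by `fetch()` unless the site's own JavaScript adds it, so a site that controls its front end is better off sending a custom request header on its AJAX calls and matching that (an assumption about the poster's site, not something the thread states). Block returns a 403 by default; a custom response body or status on Block is plan-dependent.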
