to proxy the content of my website content on their domain, insert ads. They rewrite the domain name, so all links to my domain get changed to their domain. Also, when they send a request to my server, they change the Host, so it looks like the request is coming to my domain directly.
If I enable “I am Under Attack” or block their nginx backend IP (found via HTTP_CF_CONNECTING_IP when accessing my site through their domain), their site goes down. Keeping “I am Under Attack” will make it difficult for legit users to access it. Blocking by IP is not practical as they can change IP; also, finding all their domains is not possible.
I have seen some sites use Cloudflare browser integrity checking.
Are you sure they’re not coming directly to your origin (much easier to solve with firewall rules, tunnels or authenticated origin pull)?
If you’re confident you have the right flow there whereby there’s an additional proxy (nginx) before the request comes back into Cloudflare - it depends on what request headers are left behind that indicate the original domain or original Cloudflare customer. You could then build a firewall rule that blocks or challenges based on the presence of those headers:
If they are cleaning up all headers, then bot management would probably work well here as essentially it’s a proxy pretending to be a visitor:
It is not coming directly to my origin, they are inserting advertisements, and rewriting URLs so visitors stay on their domain, making them advertisement income. I checked the headers, they are rewriting all.
Thanks for the link to bot management, I will check it.
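An added example, not part of the original thread, of the header check suggested in the reply above: it scans request headers logged at the origin for hostnames that are not the site's own and groups them by CF-Connecting-IP. The hostnames, IP addresses, header list and function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's real hostnames
# Assumed list of request headers that can carry a hostname the proxy forgot to rewrite.
HOST_BEARING = ("referer", "origin", "x-forwarded-host", "forwarded")

def hosts_in(name, value):
    """Extract lowercase hostnames from one host-bearing header value."""
    if name in ("referer", "origin"):
        host = urlsplit(value).hostname  # None for "Origin: null"
        return {host} if host else set()
    if name == "forwarded":  # RFC 7239 syntax: for=...;host=...;proto=...
        parts = [p.strip() for p in value.replace(",", ";").split(";")]
        return {p[5:].strip('"').split(":")[0].lower()
                for p in parts if p.lower().startswith("host=")}
    return {h.strip().split(":")[0].lower() for h in value.split(",") if h.strip()}

def suspect_sources(requests, min_hits=2):
    """Map CF-Connecting-IP -> foreign hostnames it leaked in >= min_hits requests.

    One external Referer is normal for a visitor following a link, so a source
    is flagged only when it repeats the same foreign hostname.
    """
    counts = Counter()
    for headers in requests:
        lower = {k.lower(): v for k, v in headers.items()}
        ip = lower.get("cf-connecting-ip", "unknown")
        seen = set()
        for name in HOST_BEARING:
            if name in lower:
                seen |= hosts_in(name, lower[name]) - OWN_HOSTS
        counts.update((ip, host) for host in seen)
    flagged = defaultdict(set)
    for (ip, host), hits in counts.items():
        if hits >= min_hits:
            flagged[ip].add(host)
    return dict(flagged)

# Constructed sample: request headers as the origin would log them.
SAMPLE = [
    {"Host": "example.com", "CF-Connecting-IP": "203.0.113.10", "Referer": "https://www.example.com/a"},
    {"Host": "example.com", "CF-Connecting-IP": "203.0.113.11", "Referer": "https://search.invalid/?q=x"},
    {"Host": "example.com", "CF-Connecting-IP": "198.51.100.7", "Referer": "https://mirror.invalid/a"},
    {"Host": "example.com", "CF-Connecting-IP": "198.51.100.7", "X-Forwarded-Host": "mirror.invalid:443"},
    {"Host": "example.com", "CF-Connecting-IP": "198.51.100.7", "Forwarded": 'for=192.0.2.1;host="mirror.invalid"'},
]

if __name__ == "__main__":
    for ip, hosts in suspect_sources(SAMPLE).items():
        print(ip, sorted(hosts))
```

An empty result for traffic known to come through the mirror means the proxy is cleaning every one of these headers, which is the case where the reply points to bot management instead.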