I have website with lot of visitors but since few weeks, some days, i’m facing some Http request flood attacks. I have subscribe the pro plan from Cloudflare for try to prevent that but it’s useless. I have checked here : https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ then it say we can prevent that by enabling the cloudflare WAF in the pro plan. So I did and the result is the same. Here too they made ads for prevent that : https://www.cloudflare.com/ddos/ . So I dont understand, it’s useful to subscribe a Pro plan for prevent that ? Or maybe there’s some rules to configure that I ignore. Can you help me for that ?
I have also tried to put a rate limit on my HTTP server (apache2) but It’s totally useless because the IP is replaced by Cloudflare IPs and I’m afraid of the performance issue to block directly on Apache or on a reverse proxy instead of iptables or fail2ban. And because I cant rate limit on iptables too because it’s the real IP of the client (it’s the client) IP. So I’m a bit lost… Have you some advices ?
Thanks by advance.