I want to shield my website

I recently suffered a DDos attack, which caused my domain to be blocked due to abusive traffic. I followed the recommendations that were advanced to me in this community but in one way or another they knew the source IP address of the server. At the moment acquired another domain and a new IP address of the VPS server. I want to know how I can protect my website as much as possible so that DDos attacks are automatically mitigated and they cannot find the source IP address. Please help me, I’m in trouble.

Some attackers are very resourceful. That’s somewhat unavoidable and Cloudflare can’t help when that happens.

If you have a fair amount of configuration control over your server, the standard recommendation is to block any traffic not from Cloudflare’s IP address list at cloudflare.com/ips

from what I understand, I can do this from the .htaccess right?

something like this?

SetEnvIf remote_addr ^ $ allowedip = 1
SetEnvIf remote_addr ^ $ allowedip = 1
SetEnvIf remote_addr ^ $ allowedip = 1
SetEnvIf remote_addr ^ $ allowedip = 1

Order deny, allow
Deny everything
allow from env = allowedip


That’s not the best solution.

  1. It’s still a load on the server

  2. You server should be configured to restore Visitor IP addresses:

  3. If you do want to take the htaccess approach, it’s easier to check for a secret request header your set with a Transform Rule:
    Prevent visitors bypassing cloudflare - #3 by sdayman


excuse the ignorance, this is done through SSH or it can also be through Cpanel

Which? #2 has to be done via SSH by an admin of the server.
#3 is a combination of Transform Rules in the Cloudflare Dashboard (Rules tab) and your htaccess file.

I have already followed the steps in the guide for point two. Also, it created a list with the ip addresses and created the rule in the firewall. Exactly what should I put in the .htaccess now?

What exactly? It’s up to you. The thread linked to in Point 3 starts off with the syntax. If that CF Country header doesn’t exist, then block. Change that header to whatever secret request header you added in your transform rule. It doesn’t even matter what the value of that header is.

The question is: if I already did step number 2, don’t I need number 3?

You’d still need Step 3.

The problem with Step 2 is that your htaccess is trying to block Cloudflare IP addresses. This indicates that your analytics will be wrong because your site isn’t logging actual visitor IP addresses. Or maybe your server is restoring visitor IP addresses and that approach will end up blocking all your legitimate visitors.

My earlier comment about blocking non-Cloudflare addresses has to be done at the server lever (inbound network traffic), not the website level.

1 Like

I understand, so I just add this code in the .htaccess without modifying anything?

RewriteEngine is
RewriteCond% {HTTP: CF-IPCountry} ^ $
RewriteRule ^ - [F, L]

Make that you have IP Geolocation enabled in the Network section for your domain at dash.cloudflare.com

But if your attacker is attentive enough, they may suspect what you’ve done and insert that cf-ipcountry header in their attack requests. That’s why the tip I suggested was to add a secret header they won’t guess.

do you mean this one? starts_with (http.request.uri.path, “/ en /”)

I’m sorry I’m a very beginner at this and I thank you for the help.

Should I substitute any value?

Try something like below. So instead of checking for cf-ipcountry, you’ll check for top-secret-WHATEVER (use your own numerical code). The content (“allow”) is irrelevant and can be whatever you want. The hostname check is just looking to see if “example” is part of your domain name. Please use the actual core of your domain name. This will apply to requests sent to ‘www’ as well as the naked domain.

Ok, I have already created that rule with my domain, I have already specified step 2, should I do something in the .htaccess?

Yes, this:

Where do I get that numeric code?

Let’s see if I understand, excuse me, I’m using a translator.

If I put something like “top-secret-101010” as the header name

Would something like this remain in my .htaccess?

RewriteEngine is
RewriteCond% {HTTP: top-secret-101010} ^ $
RewriteRule ^ - [F, L]

Yes, like that. And the header secret number has to match your transform rule secret number.

Sorry to hear about that! You should consult the articles bellow

Non-embeded article

This text will be hidden