NAT option - rate limiting

We are currently using rate limiting to ensure instances trying to access the site at an aggressive threshold are asked for a JS challenge, but we are hitting issues from users saying they are seeing the JS challenge when they are trying to access the site while sitting behind a common proxy.

The NAT option sounds good for allowing real users sitting behind the common proxy, but at the same time I am not sure if a bot can take benefit of it just by ignoring the special cookies transmitted (__cfruid, cf_clearance) when NAT mode is ON.
Is it possible to use the NAT option under rate limiting to filter the bot traffic?
The real benefit we saw after enabling rate limiting was that 90% of traffic was crawlers/bots and we are able to stop it with this rule in. But the remaining % of traffic is real user traffic from people who are trying to access the site from multiple devices/working in the same offices, and we would like to skip challenging them.

Can someone help please? Any strategies/workarounds for such cases?

Thanks.

I wonder if the Enterprise plan’s True-Client-IP header would help in this situation. Maybe @cs-cf knows.

https://support.cloudflare.com/hc/en-us/articles/206776727-Understanding-the-True-Client-IP-Header

Normal users/browsers will consume/use the cookie. A bot or poorly written script will not. NAT doesn’t replace IP-based rate limits (the default behavior); it just allows for the cookie to be used to uniquely identify users behind a NAT if it exists.

If the traffic was being filtered before enabling the cookie, it likely would continue to be.

That’s exactly the intended use case of the NAT option, so I think you’re on the right track.

3 Likes
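A simplified model of the counting behaviour described in the reply above, added here as an illustration; it is not Cloudflare's implementation and not code from the thread. The class name, threshold, window, cookie values and the rule that unrecognised cookies fall back to the IP counter are assumptions of this sketch.

```python
from collections import defaultdict

THRESHOLD = 5  # constructed: requests allowed per window per counting key
WINDOW = 60    # constructed: window length in seconds


class NatAwareLimiter:
    """Fixed-window counter keyed by cookie when present, else by client IP."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.issued = set()             # cookie values this limiter handed out
        self.counts = defaultdict(int)  # (window index, key) -> request count

    def issue_cookie(self):
        # Stand-in for the edge setting an identifying cookie on a response.
        token = f"tok-{len(self.issued)}"
        self.issued.add(token)
        return token

    def key_for(self, ip, cookie):
        # Assumption: only cookies the limiter issued are honoured; anything
        # else is treated like a missing cookie and counted against the IP.
        if cookie in self.issued:
            return ("cookie", ip, cookie)
        return ("ip", ip)

    def allow(self, ip, cookie, now):
        bucket = (int(now // self.window), self.key_for(ip, cookie))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.threshold


def simulate():
    """Two browsers and one cookie-less script share one office NAT address."""
    limiter = NatAwareLimiter()
    nat_ip = "203.0.113.10"  # constructed address (documentation range)
    alice, bob = limiter.issue_cookie(), limiter.issue_cookie()
    over = {"alice": 0, "bob": 0, "script": 0}
    for second in range(20):
        if second < 4:  # each browser sends 4 requests, below the threshold
            over["alice"] += not limiter.allow(nat_ip, alice, second)
            over["bob"] += not limiter.allow(nat_ip, bob, second)
        over["script"] += not limiter.allow(nat_ip, None, second)  # 20 requests
    return over  # requests per client that exceeded the threshold
```

The two browsers keep separate counters and stay under the threshold, while the client that never returns a cookie is still counted against the shared IP address.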

True client IP header gives details about who is hitting the site… I would want to take action on their over accessing.

1 Like

Thanks @cs-cf.
