We recently experienced a DDoS attack on our site which Cloudflare handled.
However, going through the logs, I see that Cloudflare also blocked a bunch of IPs that had the user agent “nginx-ssl early hints”. At first I thought it was a spoofed User Agent or something, but upon further investigation I saw that some legitimate IPs were being blocked as well.
I proceeded to turn off Early Hints (Speed/Optimization).
Can anyone tell me why these were being blocked? Is there something I need to add into my WAF to prevent this from happening? There were a lot of legitimate DDoS attacks being blocked with the Nginx-ssl early hints user agent, but there were also a lot of false positives for that user agent.
How can I prevent legit IPs from being blocked because of early hints?
Thanks