I had found a solution previously and that was enabling Security Level - High and whenever someone spammed too much, it gave them 403, but for normal users the requests were working normally and nothing was happening. Basically when you first enter the page, it's SSR on first page so automatically you make a get request, so someone is just spamming a fetch request on a loop and keeps crashing my server. Cloudflare blocked it before with High mode security but now it passes through after trying to overload the website myself.
# Hi guys, my website is getting spammed with http requests making my server overload and crash.
which waf rule was getting triggered? we have a similar issue where waf is blocking all traffic. 949110: Inbound Anomaly Score Exceeded
to be honest with you my issue is cloudflare security level high NOT blocking spam http requests
@dim jewel
so mine is the opposite of yours
I want to block traffic and give 403 for people who spam http requests
@feral ginkgo ah.. got it, thanks!
do you have any clue 😅
@feral ginkgo you should setup a rate limit instead of using a blanket policy like security level - you're using a hammer and need a screwdriver. check out https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/
It doesn't help really. Because it still makes the "attack" pass through after 10 seconds or something and still momentarily break the site
Before, it just didn't even let through a single http request when it came in a burst
Now it's making it pass through so if someone makes a fetch loop with 10000 fetch at least 500-600 goes through
and that's enough to cause an overload unfortunately cause of bad vps
I don't follow. try setting the request limit to a lower value eg. 3
which tier cloudflare license are you on
do you get custom waf rules on free?
yes
you tried something like this?
make sure it's first in the rule order
10 second rate limit period might be an enterprise feature. do you have it or is it 1min
Fyi custom waf doesn't have rate limiting features
well nut up the $20 bucks a month bru
so you didn't actually try setting up a rate limit then. well there's your problem
change the block duration to longer than 10 seconds dingus
and don't match on verified bot. well you can if you setup the bot tagger. match on ip
hmmm
ikrr
idk what happened but after their dookie maintenance
security level broke down
OR they downgraded it
@feral ginkgo have you used any waf custom rules ? I think there is about 5 free 😊
i have used for my backend access for only whitelisted ips, and in general protection but i haven't done anything for the frontend cause my ass don't wanna break sheet
i tried rate limitation nginx and it doesn't even work i followed 5000 documentation and 5000 videos. I just want to block too many requests at once so they can't overload my sheet
So yeah i want to block too frequent requests from python fetching / ddos etc. like all it takes is like 150 requests within a few seconds and my server goes down.
Oh I see, I had this as a base for my site. Blocks a lot of stupid calls. But I needed to tweak it a bit (this was for some wp features).
But overall it blocked 1.7K requests for me. And they were doing 2 requests/sec.
https://webagencyhero.com/cloudflare-waf-rules-v3/#elementor-toc__heading-anchor-4
❤️