
Documentation Index

Fetch the complete documentation index at: https://mintlify.com/proteo5/waf-autoblock/llms.txt

Use this file to discover all available pages before exploring further.

WAF Auto-Block bridges the gap between Cloudflare’s WAF analytics and its account-level IP lists. It continuously polls your zone’s firewall events, matches hits against your configured rules, adds offending IPs to a Cloudflare blocklist, and removes them automatically when their TTL expires — all without manual intervention.

Introduction

Understand what WAF Auto-Block does, why it exists, and how it fits into your Cloudflare setup.

Quickstart

Get the service running locally or in Docker in under 10 minutes.

Cloudflare Setup

Create the IP list, WAF rule, and scoped API token required before running the service.

Configuration

Explore all configuration options for polling, rules, HTTP detection, and storage.

How It Works

WAF Auto-Block runs as a containerized .NET background service. On every polling cycle it:
1. Queries Cloudflare GraphQL Analytics
   Fetches recent firewall events and HTTP status signals for your zone using the Cloudflare Analytics GraphQL API.

2. Matches Configured Rules
   Filters results against your explicitly configured WAF rule IDs and HTTP status code thresholds. Unknown rule IDs are ignored by design.

3. Blocks Qualifying IPs
   Adds offending IPs to your Cloudflare account-level IP list and records the block in a local SQLite store with an expiration timestamp.

4. Expires and Removes Blocks
   Removes IPs from the Cloudflare list and the local store when their configured TTL elapses — no manual cleanup needed.
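The four-step cycle above, written out as an added Python illustration. This is not the project's .NET code: the rule IDs, thresholds, TTLs and event records are constructed for the example, the `BlockStore` class stands in for both the SQLite store and the Cloudflare IP list, and the real service reads events from the Analytics GraphQL API rather than from an in-memory list.

```python
"""Simulated WAF Auto-Block polling cycle (added illustration, not project code).

Assumed event shape: a dict with 'clientIP' and 'ruleId' keys, constructed here.
Rule IDs, thresholds and TTLs below are placeholder configuration values.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed configuration: rule id -> hit threshold per cycle and block TTL
RULES = {
    "rule-sqli-0001": {"threshold": 3, "ttl": timedelta(hours=1)},
    "rule-bot-0002": {"threshold": 5, "ttl": timedelta(minutes=30)},
}


class BlockStore:
    """In-memory stand-in for the local SQLite store plus the account-level IP list."""

    def __init__(self):
        self.blocks = {}      # ip -> expiry timestamp (step 3's local record)
        self.ip_list = set()  # mirrors the Cloudflare IP list contents

    def block(self, ip, now, ttl):
        expires = now + ttl
        # Re-blocking an already listed IP only ever extends its expiry.
        if ip not in self.blocks or self.blocks[ip] < expires:
            self.blocks[ip] = expires
        self.ip_list.add(ip)

    def expire(self, now):
        """Step 4: drop every entry whose TTL has elapsed; return what was removed."""
        removed = sorted(ip for ip, exp in self.blocks.items() if exp <= now)
        for ip in removed:
            del self.blocks[ip]
            self.ip_list.discard(ip)
        return removed


def match_rules(events, rules):
    """Step 2: count hits per (ip, rule); rule ids absent from config are ignored."""
    hits = Counter()
    for ev in events:
        rule = ev.get("ruleId")
        if rule not in rules:  # unknown rule ids are ignored by design
            continue
        hits[(ev["clientIP"], rule)] += 1
    return hits


def select_blocks(hits, rules):
    """Return {ip: ttl} for IPs that reached a rule's threshold; longest TTL wins."""
    chosen = {}
    for (ip, rule), count in hits.items():
        cfg = rules[rule]
        if count >= cfg["threshold"]:
            if ip not in chosen or chosen[ip] < cfg["ttl"]:
                chosen[ip] = cfg["ttl"]
    return chosen


def run_cycle(events, store, rules, now):
    """One polling cycle: match (2), block (3), then expire (4)."""
    to_block = select_blocks(match_rules(events, rules), rules)
    for ip, ttl in to_block.items():
        store.block(ip, now, ttl)
    expired = store.expire(now)
    return sorted(to_block), expired


# Constructed sample: one IP trips a configured rule three times, another IP
# produces one configured hit plus several hits on an unconfigured rule.
SAMPLE_EVENTS = [
    {"clientIP": "198.51.100.7", "ruleId": "rule-sqli-0001"},
    {"clientIP": "198.51.100.7", "ruleId": "rule-sqli-0001"},
    {"clientIP": "198.51.100.7", "ruleId": "rule-sqli-0001"},
    {"clientIP": "203.0.113.9", "ruleId": "rule-sqli-0001"},
    {"clientIP": "203.0.113.9", "ruleId": "rule-unknown-9999"},
    {"clientIP": "203.0.113.9", "ruleId": "rule-unknown-9999"},
    {"clientIP": "203.0.113.9", "ruleId": "rule-unknown-9999"},
]


def demo():
    """Two cycles: the first blocks, the second (one TTL later) expires the block."""
    store = BlockStore()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    blocked, _ = run_cycle(SAMPLE_EVENTS, store, RULES, t0)
    _, expired = run_cycle([], store, RULES, t0 + timedelta(hours=1))
    return blocked, expired, sorted(store.ip_list)


if __name__ == "__main__":
    print(demo())
```

Note that 203.0.113.9 is never blocked: its three hits on the unconfigured rule do not count, and its single hit on the configured rule is below that rule's threshold. The expiry pass runs on every cycle, so an IP is removed on the first poll after its TTL elapses rather than at the exact instant.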

Key Features

WAF Rule Blocking

Block IPs that exceed hit thresholds for specific Cloudflare WAF rule IDs, with per-rule TTL settings.

HTTP Status Detection

Detect scanning and abuse patterns by analyzing HTTP error rates, distinct paths, and per-code ratios per IP.

Distributed Path Detection

Identify coordinated scans across multiple IPs by grouping error signals at the path level.

TTL-Based Expiry

All blocks expire automatically — the service manages the full lifecycle without Cloudflare-native TTLs.

Docker Deployment

Run with a single Docker command or Docker Compose, with environment-variable configuration and persistent SQLite storage.

Status Endpoint

Monitor the service health and last poll time via the built-in GET /status endpoint.
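The HTTP Status Detection and Distributed Path Detection features above describe per-IP and per-path heuristics without specifying their thresholds. The following is an added Python illustration of how such signals can be computed; it is not the service's code, and every threshold, function name and log record in it is an assumption constructed for the example.

```python
"""Per-IP HTTP status heuristics and path-level grouping (added illustration,
not the project's code). All thresholds are assumed values, not service defaults."""
from collections import defaultdict

# Assumed thresholds (the real service takes these from its configuration)
MIN_REQUESTS = 10        # too little traffic to judge below this
ERROR_RATE = 0.8         # share of responses that were 4xx/5xx
MIN_DISTINCT_PATHS = 5   # scanners touch many distinct error paths
CODE_RATIO = {404: 0.6}  # per-code share that alone indicates probing
MIN_IPS_PER_PATH = 3     # distinct IPs erroring on one path => coordinated probe


def per_ip_stats(records):
    """Aggregate (ip, path, status) records per client IP."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set(), "codes": defaultdict(int)})
    for ip, path, status in records:
        s = stats[ip]
        s["total"] += 1
        s["codes"][status] += 1
        if status >= 400:
            s["errors"] += 1
            s["paths"].add(path)
    return stats


def flag_ips(stats):
    """Return {ip: [reasons]} for IPs whose error rate, path spread or per-code ratio is suspicious."""
    flagged = {}
    for ip, s in stats.items():
        if s["total"] < MIN_REQUESTS:
            continue
        reasons = []
        rate = s["errors"] / s["total"]
        if rate >= ERROR_RATE and len(s["paths"]) >= MIN_DISTINCT_PATHS:
            reasons.append(f"error_rate={rate:.2f} distinct_error_paths={len(s['paths'])}")
        for code, limit in CODE_RATIO.items():
            share = s["codes"].get(code, 0) / s["total"]
            if share >= limit:
                reasons.append(f"status_{code}_ratio={share:.2f}")
        if reasons:
            flagged[ip] = reasons
    return flagged


def distributed_paths(records):
    """Group error signals by path; return paths hit with errors by many distinct IPs."""
    ips_by_path = defaultdict(set)
    for ip, path, status in records:
        if status >= 400:
            ips_by_path[path].add(ip)
    return {p: sorted(ips) for p, ips in ips_by_path.items() if len(ips) >= MIN_IPS_PER_PATH}


def build_sample():
    """Constructed log records: one noisy scanner, one normal client, three low-volume probers."""
    recs = []
    for i in range(12):                       # single IP, twelve distinct 404s
        recs.append(("198.51.100.7", f"/page{i}.php", 404))
    for _ in range(14):                       # normal client, one stray 404
        recs.append(("192.0.2.20", "/index.html", 200))
    recs.append(("192.0.2.20", "/missing.css", 404))
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
        recs.append((ip, "/config.bak", 404))  # same path, three different IPs
        recs.append((ip, "/", 200))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print(flag_ips(per_ip_stats(sample)))
    print(distributed_paths(sample))
```

The two views catch different things: the per-IP pass flags the single scanner with a high error rate across many paths, while the three low-volume probers fall under the request minimum individually and only surface when their errors are grouped by path. Keeping a minimum request count avoids blocking a client that hit one broken link.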
