All configuration values accepted by WAF Auto-Block can be supplied as environment variables. The .NET configuration system maps environment variables to nested JSON properties using the double-underscore (__) convention — each __ represents one level of nesting. For example, Cloudflare__ApiToken maps to Cloudflare.ApiToken in the JSON shape. Environment variables always take priority over any file-based configuration, making them the recommended approach for Docker deployments, CI pipelines, and secrets managers.

Complete Variable Reference

| Setting | Environment Variable | Default / Example |
| --- | --- | --- |
| Cloudflare API token | Cloudflare__ApiToken | (required) |
| Cloudflare zone tag | Cloudflare__ZoneTag | (required) |
| Cloudflare account ID | Cloudflare__AccountId | (required) |
| Cloudflare blocklist ID or name | Cloudflare__BlocklistId | $$auto_blocked_ips |
| Poll interval (seconds) | Polling__IntervalSeconds | 15 |
| Poll window (seconds) | Polling__WindowSeconds | 300 |
| Poll jitter (milliseconds) | Polling__JitterMilliseconds | 2000 |
| SQLite database path | Storage__DatabasePath | ./data/state.db |
| First rule name | Rules__0__Name | php_scan |
| First rule ID | Rules__0__RuleId | (required per rule) |
| First rule threshold | Rules__0__Threshold | 1 |
| First rule TTL (minutes) | Rules__0__TtlMinutes | 1440 |
| First rule enabled | Rules__0__Enabled | true |
| HTTP status detection enabled | HttpStatusDetection__Enabled | false |
| HTTP status window (seconds) | HttpStatusDetection__WindowSeconds | 300 |
| Distributed path detection enabled | HttpStatusDetection__DistributedPathDetection__Enabled | false |
| Distributed status codes (first) | HttpStatusDetection__DistributedPathDetection__StatusCodes__0 | 404 |
| Distributed min path errors | HttpStatusDetection__DistributedPathDetection__MinPathTotalErrors | 12 |
| Distributed min distinct IPs | HttpStatusDetection__DistributedPathDetection__MinDistinctIpsPerPath | 3 |
| Distributed min IP hits | HttpStatusDetection__DistributedPathDetection__MinIpHitsOnSuspiciousPaths | 2 |
| Distributed min distinct suspicious paths | HttpStatusDetection__DistributedPathDetection__MinDistinctSuspiciousPathsPerIp | 1 |
| Distributed TTL (minutes) | HttpStatusDetection__DistributedPathDetection__TtlMinutes | 120 |
| Distributed block name | HttpStatusDetection__DistributedPathDetection__Name | http_404_distributed_scan |
| Distributed excluded paths (first) | HttpStatusDetection__DistributedPathDetection__ExcludedPaths__0 | / |
| First code status | HttpStatusDetection__Codes__0__StatusCode | 404 |
| First code enabled | HttpStatusDetection__Codes__0__Enabled | true |
| First code min total errors | HttpStatusDetection__Codes__0__MinTotalErrors | 20 |
| First code min distinct paths | HttpStatusDetection__Codes__0__MinDistinctPaths | 8 |
| First code min ratio | HttpStatusDetection__Codes__0__MinCodeRatio | 0.7 |
| First code TTL (minutes) | HttpStatusDetection__Codes__0__TtlMinutes | 240 |
| First code name | HttpStatusDetection__Codes__0__Name | http_404_scan |
| Default log level | Logging__LogLevel__Default | Information |
| Service log level | Logging__LogLevel__WafAutoblock | Information |

Array Index Notation

Configuration arrays such as Rules and HttpStatusDetection.Codes use zero-based integer indexes in environment variable names. The index is its own segment, placed immediately after the array property name and before the name of the element's property:

Rules__0__Name=php_scan
Rules__0__RuleId=abc123def456abc123def456abc12301
Rules__0__Threshold=1
Rules__0__TtlMinutes=1440
Rules__0__Enabled=true

Rules__1__Name=geo_block
Rules__1__RuleId=abc123def456abc123def456abc12302
Rules__1__Threshold=3
Rules__1__TtlMinutes=240
Rules__1__Enabled=true

The same pattern applies to HttpStatusDetection.Codes (HttpStatusDetection__Codes__0__StatusCode, HttpStatusDetection__Codes__1__StatusCode, etc.) and to HttpStatusDetection.DistributedPathDetection.StatusCodes (HttpStatusDetection__DistributedPathDetection__StatusCodes__0, HttpStatusDetection__DistributedPathDetection__StatusCodes__1, etc.).

The .NET configuration system requires that array indexes be contiguous and zero-based. If you define Rules__0__Name and Rules__2__Name but omit Rules__1__Name, the second entry may not be loaded correctly. Always number entries sequentially starting from 0.
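
A pre-deployment check for the numbering rule above, as an added example that is not part of the WAF Auto-Block project: it scans the variable names in a .env file, treats every all-digit segment as an array index, and reports arrays whose indexes do not run 0..n-1. The function names and the sample lines are constructed for illustration.

```python
from collections import defaultdict


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def array_indexes(env):
    """Map each array path (e.g. 'Rules') to the set of indexes used under it."""
    seen = defaultdict(set)
    for key in env:
        segments = key.split("__")  # each __ is one level of nesting
        for pos, seg in enumerate(segments):
            if pos > 0 and seg.isascii() and seg.isdigit():
                seen[".".join(segments[:pos])].add(int(seg))
    return seen


def find_index_gaps(env):
    """Return {array path: missing indexes} for arrays that are not 0..n-1."""
    gaps = {}
    for path, used in array_indexes(env).items():
        missing = sorted(set(range(max(used) + 1)) - used)
        if missing:
            gaps[path] = missing
    return gaps


# Constructed sample: Rules skips index 1, StatusCodes starts at 1 instead of 0.
SAMPLE = """\
Rules__0__Name=php_scan
Rules__2__Name=geo_block
HttpStatusDetection__Codes__0__StatusCode=404
HttpStatusDetection__Codes__1__StatusCode=400
HttpStatusDetection__DistributedPathDetection__StatusCodes__1=404
"""

if __name__ == "__main__":
    for path, missing in find_index_gaps(parse_env(SAMPLE)).items():
        print(f"{path}: missing index(es) {missing}")
```

A gap in Rules or Codes silently changes which detections are active, so failing the deployment on a non-empty result is safer than discovering it from missing blocks.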

Symbolic Blocklist Name

Cloudflare__BlocklistId accepts two formats:
  • UUID — the raw list identifier from the Cloudflare API (e.g. a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4)
  • Symbolic name — a human-readable name prefixed with a single $ character (e.g. $auto_blocked_ips). The service resolves this to the matching list by name at startup.

When placing the symbolic form in a Docker Compose .env file, escape the leading $ as $$ so that Docker Compose does not attempt to expand it as a shell variable:

# Correct — Docker Compose .env file
Cloudflare__BlocklistId=$$auto_blocked_ips

# Incorrect — Compose will try to expand $auto_blocked_ips as a variable
Cloudflare__BlocklistId=$auto_blocked_ips

When passing the value directly as an environment variable in a shell (not through a Compose .env file), use a single $:

export Cloudflare__BlocklistId='$auto_blocked_ips'

Docker Compose .env File Example

The following .env file covers a typical deployment with one WAF rule and HTTP status detection enabled:

# Cloudflare credentials
Cloudflare__ApiToken=your_api_token_here
Cloudflare__ZoneTag=your_zone_id_here
Cloudflare__AccountId=your_account_id_here
Cloudflare__BlocklistId=$$auto_blocked_ips

# Polling
Polling__IntervalSeconds=15
Polling__WindowSeconds=300
Polling__JitterMilliseconds=2000

# Storage
Storage__DatabasePath=./data/state.db

# WAF rule monitoring
Rules__0__Name=php_scan
Rules__0__RuleId=your_cloudflare_rule_id_here
Rules__0__Threshold=1
Rules__0__TtlMinutes=1440
Rules__0__Enabled=true

# HTTP status detection
HttpStatusDetection__Enabled=true
HttpStatusDetection__WindowSeconds=300

HttpStatusDetection__Codes__0__StatusCode=404
HttpStatusDetection__Codes__0__Enabled=true
HttpStatusDetection__Codes__0__MinTotalErrors=20
HttpStatusDetection__Codes__0__MinDistinctPaths=8
HttpStatusDetection__Codes__0__MinCodeRatio=0.7
HttpStatusDetection__Codes__0__TtlMinutes=240
HttpStatusDetection__Codes__0__Name=http_404_scan

HttpStatusDetection__Codes__1__StatusCode=400
HttpStatusDetection__Codes__1__Enabled=true
HttpStatusDetection__Codes__1__MinTotalErrors=15
HttpStatusDetection__Codes__1__MinDistinctPaths=6
HttpStatusDetection__Codes__1__MinCodeRatio=0.6
HttpStatusDetection__Codes__1__TtlMinutes=120
HttpStatusDetection__Codes__1__Name=http_400_abuse

# Distributed path detection
HttpStatusDetection__DistributedPathDetection__Enabled=true
HttpStatusDetection__DistributedPathDetection__StatusCodes__0=404
HttpStatusDetection__DistributedPathDetection__StatusCodes__1=400
HttpStatusDetection__DistributedPathDetection__StatusCodes__2=500
HttpStatusDetection__DistributedPathDetection__StatusCodes__3=403
HttpStatusDetection__DistributedPathDetection__MinPathTotalErrors=12
HttpStatusDetection__DistributedPathDetection__MinDistinctIpsPerPath=3
HttpStatusDetection__DistributedPathDetection__MinIpHitsOnSuspiciousPaths=2
HttpStatusDetection__DistributedPathDetection__MinDistinctSuspiciousPathsPerIp=1
HttpStatusDetection__DistributedPathDetection__TtlMinutes=120
HttpStatusDetection__DistributedPathDetection__Name=http_status_distributed_scan
HttpStatusDetection__DistributedPathDetection__ExcludedPaths__0=/
HttpStatusDetection__DistributedPathDetection__ExcludedPaths__1=/favicon.ico

# Logging
Logging__LogLevel__Default=Information
Logging__LogLevel__WafAutoblock=Information

Do not commit .env files containing real API tokens to source control. Add .env to your .gitignore and use .env.example (with blank credential fields) as a safe template for other developers.
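
One way to produce that .env.example and to catch a populated credential before it is committed, as an added example that is not part of the WAF Auto-Block project. It assumes the three Cloudflare fields listed under "Cloudflare credentials" are the ones to blank and that placeholders follow the your_..._here style used above; the function names and sample values are constructed.

```python
import re

# Assumption: these are the fields to blank (matched case-insensitively,
# as .NET configuration keys are case-insensitive).
SECRET_KEYS = {"cloudflare__apitoken", "cloudflare__zonetag", "cloudflare__accountid"}
# Empty, or a placeholder in the style of the example file (your_api_token_here).
PLACEHOLDER = re.compile(r"(your_\w+_here)?")


def split_assignment(line):
    """Return (key, value) for a KEY=VALUE line, or None for comments and blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, value = stripped.split("=", 1)
    return key.strip(), value.strip()


def make_env_example(text):
    """Copy a .env file, blanking credential values and leaving every other line intact."""
    out = []
    for line in text.splitlines():
        pair = split_assignment(line)
        if pair and pair[0].lower() in SECRET_KEYS:
            out.append(f"{pair[0]}=")
        else:
            out.append(line)  # comments, $$-escaped values and thresholds pass through
    return "\n".join(out) + "\n"


def populated_secrets(text):
    """List credential keys that hold a non-placeholder value."""
    found = []
    for line in text.splitlines():
        pair = split_assignment(line)
        if pair and pair[0].lower() in SECRET_KEYS and not PLACEHOLDER.fullmatch(pair[1]):
            found.append(pair[0])
    return found


# Constructed sample; the token value is made up and not a real credential.
SAMPLE_ENV = """\
# Cloudflare credentials
Cloudflare__ApiToken=constructed-token-value-not-real
Cloudflare__ZoneTag=your_zone_id_here
Cloudflare__BlocklistId=$$auto_blocked_ips
"""

if __name__ == "__main__":
    print(populated_secrets(SAMPLE_ENV))
    print(make_env_example(SAMPLE_ENV), end="")
```

Run populated_secrets over any staged .env-style file in a pre-commit hook and reject the commit when the list is non-empty.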
