Configuration
AWAF stores core settings in config.ini, while rules and exceptions live in files under lists/.
Base mode
Start with logging and CAPTCHA; enable BLOCK only after real-user and proxy-header checks.
[main]
enabled = On
debug = On
header404 = OffProxy and real IP
If nginx, a load balancer, or a CDN stands before PHP, enable header_proxy so AWAF sees the visitor IP instead of the proxy address.
[header_proxy]
enabled = On
header_ip = X-Real-IP
header_http_version = X-Forwarded-Http-Version
header_protocol = X-Forwarded-ProtoFilter actions
Use CAPTCHA for risky heuristics and BLOCK for confirmed attack sources to reduce false positives.
[fps_checker]
enabled = On
action = CAPTCHA
fps = 50
[http_checker]
enabled = On
protocols = "HTTP/1.0"
action = BLOCKRule lists
Keep permanent exceptions in whitelist_*, temporary blocks in blacklist_*, and uncertain sources in captcha_*.
- whitelist_ip, blacklist_ip, captcha_ip
- whitelist_url, blacklist_uri, captcha_uri
- whitelist_useragent, captcha_useragent
- whitelist_asn, blacklist_asn, captcha_asn
Logs and updates
Use debug during rollout, then reduce verbosity and configure rotation. AWAF updates should preserve config.ini, lists/, and logs/.
[logs]
max_size = 10
rotate = 7
[sysupdate]
enabled = Off
branch = dev