AWAFAWAF

Configuration

AWAF stores core settings in config.ini, while rules and exceptions live in files under lists/.

Base mode

Start with logging and CAPTCHA; enable BLOCK only after real-user and proxy-header checks.

[main]
enabled = On
debug = On
header404 = Off

Proxy and real IP

If nginx, a load balancer, or a CDN stands before PHP, enable header_proxy so AWAF sees the visitor IP instead of the proxy address.

[header_proxy]
enabled = On
header_ip = X-Real-IP
header_http_version = X-Forwarded-Http-Version
header_protocol = X-Forwarded-Proto

Filter actions

Use CAPTCHA for risky heuristics and BLOCK for confirmed attack sources to reduce false positives.

[fps_checker]
enabled = On
action = CAPTCHA
fps = 50

[http_checker]
enabled = On
protocols = "HTTP/1.0"
action = BLOCK

Rule lists

Keep permanent exceptions in whitelist_*, temporary blocks in blacklist_*, and uncertain sources in captcha_*.

  • whitelist_ip, blacklist_ip, captcha_ip
  • whitelist_url, blacklist_uri, captcha_uri
  • whitelist_useragent, captcha_useragent
  • whitelist_asn, blacklist_asn, captcha_asn

Logs and updates

Use debug during rollout, then reduce verbosity and configure rotation. AWAF updates should preserve config.ini, lists/, and logs/.

[logs]
max_size = 10
rotate = 7

[sysupdate]
enabled = Off
branch = dev