AWAFAWAF

FAQ

Short answers about installation, modes, logs, CMS integration, and AWAF limits.

What AWAF does

AWAF protects PHP sites by checking visitor IP, URL, User-Agent, Referer, ASN, fingerprint, protocol, FPS, and other signals. Suspicious traffic can be blocked or challenged with captcha.

Install path

AWAF is usually placed in /antibot/ and included before HTML output.

require_once $_SERVER['DOCUMENT_ROOT'].'/antibot/index.php';

CAPTCHA vs BLOCK

Use BLOCK for confident rules and CAPTCHA for uncertain signals, first rollout days, mobile browsers, RDP users, and FPS checks.

Lists and proxy

Rules live in lists/. Configure header_proxy when the site is behind nginx, CDN, Cloudflare, or a load balancer so AWAF sees the real visitor IP.

Logs and false positives

Use RayID from the block page to find the event in logs/antibot.log, then remove the IP from blacklist_ip or add a narrow whitelist_* exception.

Why the cache directory grows

On sites with a lot of bot traffic, the cache directory can grow quickly because AWAF performs many checks and handles repeated requests.

cache/dns stores PTR/DNS lookup cache. It is used to identify legitimate search bots. You can clean this directory regularly, for example once per hour or less often. Avoid cleaning it too frequently: without this cache, AWAF will query DNS servers more often, and the host may limit those requests.

cache/sessid stores AWSESSION user sessions, similar to PHPSESSID. You can remove files older than expire_days and all empty files. If the [cookie] section uses storage_type = cookie, cache/sessid can be cleaned completely because the visitor marker is stored in the browser cookie.

[cookie]
cookie_name = 9d59347 ; changing the value resets the marker for all users
expire_days = 3       ; marker lifetime in days
storage_type = cookie ; marker storage type: cookie or awsession

Updates and limits

Updates are published at https://github.com/githubniko/antibot. AWAF reduces application-level bot load, but it does not replace network DDoS protection or CDN/nginx rate limiting.