Quick start
Install AWAF into /antibot/, verify write permissions, and include protection before the PHP application starts.
Installation steps
- Copy AWAF files into /antibot/ at the site root.
- Allow the web server to write to lists/, logs/, and cache/.
- Open /antibot/ in a browser and create config.ini through the first-run check.
- Include AWAF as the first line in index.php or another early shared site entry point.
- Open the site in a normal browser and inspect logs/antibot.log for errors.
require_once $_SERVER["DOCUMENT_ROOT"]."/antibot/index.php";Post-launch checks
- /antibot/ opens without 500/403.
- config.ini exists and is not publicly downloadable.
- logs/antibot.log contains RayID, IP, and check result entries.
- Legitimate users pass while suspicious traffic receives CAPTCHA or BLOCK according to config.ini.
If the site is behind nginx proxy, a CDN, or Cloudflare, configure header_proxy before enabling strict blocking.
Next steps
- Confirm real visitor IPs in logs before enabling BLOCK.
- Add whitelist_url entries for API, XML, callback, and health-check paths.
- Review source code and updates in the AWAF GitHub repository.