I tried to ban the IP address, but I still see it in the logs.
Restarting the web server has no effect.
Cloudflare blocks 99% of all requests. But I encountered a situation where tens of thousands of requests were coming from one IP address at intervals of 1-2 seconds. All of them were going to the same link. It’s possible that some kind of bot malfunctioned. Cloudflare considered these requests to be legitimate. I decided to add the IP address to the block, but without results. That’s why I was surprised. The functionality seems to be there, but it seems to be completely useless.
But the IP you see in the logs is not the real client IP connecting to your server, Cloudflare is the one connecting to your server. The IP you see is the origin IP extracted from the CF-Connecting-IP header sent by Cloudflare. Therefore, you can’t block the IP shown in the logs at the server level, you must block it on Cloudflare’s end.
But when I blocked the IP at the nginx level (deny xxx.xxx.xxx.xxx;), I got a 403 error in the logs. That is, I potentially unloaded the web server from executing requests to the database.
In short, if you proxy through CF (orange cloud), HestiaCP cannot block that IP address. You’ve effectively handed security over to CF. For some reason, CF still forwards IPs with an abuse score of 100 to our servers. If you want to block the IP address on the HestiaCP side, you need to switch it to the gray cloud. So you need to decide which side will handle security.
