Support

Admin Tools

#33709 Should I use Cloudflare WAF and Admin Tools WAF together?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 15 October 2020 01:17 CDT

indi0

Hi,

I have the doubt if should I enable the Cloudflare WAF in my hosting settings or just with the Admin Tools WAF is enough? They are complementary? or one excludes the other?

Thanks,

Jaime.

nicholas
Akeeba Staff
Manager

Yes, you should use both like we do.

CloudFlare's WAF is something that sits in front of your site and applies rules based solely on the content of the request, without any insight to the application's state or even knowing which application you are using. Conceptually it's the same as using mod_security2 in Apache. This is a great way to pre-filter what touches your site at all. It's like walking through the airport metal detection gate.

Admin Tools' WAF goes further since it runs inside Joomla. It's aware of the application state and how things will be used by Joomla and its extensions. As a result it can offer another layer of protection you can't have with an external WAF. It's basically giving each request a thorough pat-down.

I recommend using both at the same time. CloudFlare's  WAF will catch most attacks before they hit your server, minimizing the load your server experiences. Admin Tools' WAF will stop the few attacks that make it through which, without application context, would look like iffy but plausibly legitimate requests. Just remember that if you get blocked you need to first check your CloudFlare logs, especially if the error mentioned a Ray ID. If and only if you are absolutely positive the request wasn't blocked by CloudFlare should you check if it was blocked by Admin Tools. It's a bit more complicated but your site will be marginally safer and definitely faster. That's why we implemented the same solution I am suggesting on our own site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!