Deploxa Documentation

Firewall & WAF

Block, challenge, or log traffic at the edge before it reaches your site. Rules are enforced by the Deploxa proxy on every request, so no code changes are needed in your app.

In the dashboardProject → Firewall

Each rule has a type (what to match), a value, and an action (what to do on a match). Rules can be toggled on and off individually and each tracks a hit count.

Rule types

Type	Matches	Example value
`IP`	A single client IP	`203.0.113.5`
`CIDR`	An IP range	`203.0.113.0/24`
`COUNTRY`	Requests from a country (ISO code)	`RU`
`PATH`	A request path	`/wp-admin`
`USER_AGENT`	A User-Agent substring	`curl`

Actions

Action	Effect
`BLOCK`	Reject the request with a 403 error page
`CHALLENGE`	Serve an interstitial challenge before allowing through
`LOG`	Allow the request but record it in the firewall log

Use LOG first to see what a rule would catch, then switch it to BLOCK once you're confident it isn't catching legitimate traffic.

Built-in protections

Beyond manual rules, the firewall page has several managed protections you can toggle:

Protection	What it does
Bot protection	Detects and blocks (or challenges) automated/bot traffic
DDoS protection	Throttles abusive request floods from single sources
Challenge mode	Requires a JS/interstitial challenge for suspicious visitors
IP intelligence	Scores requests using known-bad IP reputation data

How rules evaluate

On every CRUD change, rules are pushed to a fast edge cache that the proxy reads on each request. A request is checked against your enabled rules; the first matching rule's action applies.

Fail-open by design

If the rule cache is briefly unreachable, the proxy fails open — it serves your site rather than blocking everyone. The firewall protects availability; it never takes your site down on its own error.

Cron Jobs Observability