Security & WAF

smoxy includes a built-in Web Application Firewall (WAF) and security layer that protects your sites from malicious traffic. The security module operates at the proxy layer and works independently of CDN — you do not need CDN enabled to use security features.


Overview

smoxy's security system provides multiple layers of protection:

| Layer | Description |
|---|---|
| WAF | Automatically detects and blocks malicious requests |
| Access Rules | Custom rules you define to allow, block, or challenge traffic based on conditions |
| Basic Auth | Password-protect your site or specific pages with HTTP Basic Authentication |
| Under Attack Mode | Emergency mode that adds additional protection during active attacks |


Enabling Security

Security is configured per site and requires the proxy feature to be active.

  1. Navigate to your Site in smoxy

  2. Open the Security settings

  3. Toggle Security on

  4. Save

Note: Security requires the proxy to be enabled on your site. If the proxy is disabled, security is automatically disabled as well.


WAF (Web Application Firewall)

When security is enabled, smoxy's WAF automatically inspects incoming requests and blocks those that match known malicious patterns.

The WAF is designed to be safe to activate for all sites. It targets clearly malicious traffic without impacting legitimate visitors. You do not need to configure or tune individual WAF rules — smoxy manages the ruleset automatically.

What the WAF Protects Against

The WAF provides protection against common web attacks and malicious request patterns. The specific rules are managed by smoxy and updated continuously to respond to evolving threats.

Custom Security Page

When the WAF blocks a request, the visitor sees a 403 Forbidden response. You can customize this page to match your branding. See Custom Pages for details on uploading a custom security page.


Access Rules

Access rules give you fine-grained control over which traffic is allowed, blocked, or challenged. You can create rules that match on request properties like IP address, country, user agent, URL path, and more — then choose to allow, block, challenge, or skip security checks for matching traffic.

Access rules are evaluated before any other processing, including WAF. This makes them ideal for whitelisting trusted traffic or blocking known bad actors.

For the complete guide on creating and managing access rules — including all available conditions, operators, and detailed examples — see Access Rules.


Basic Auth

Basic Auth adds HTTP Basic Authentication to your site, requiring visitors to enter a username and password before accessing content. This is useful for protecting staging environments, internal tools, or restricting access during development.

Managing Users

Basic Auth users are managed per site. Each user has a username, password, and optional comment.

Username rules: Must start with a letter, contain only alphanumeric characters, hyphens, and underscores, and not end with a hyphen or underscore.

Password rules: Minimum 5 characters.

Enabling Basic Auth

You can enable Basic Auth in three modes:

| Mode | Description |
|---|---|
| Off | No authentication required |
| All users | Any configured Basic Auth user can access the site |
| Selected users | Only specific Basic Auth users can access the site |
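
A model of the Basic Auth user rules and the three modes described above, added here as an illustration and not smoxy's own code: it validates users against the stated username and password rules, parses an `Authorization` header, and decides access per mode. The mode names, function names and sample users are assumptions constructed for the example.

```python
import base64
import hmac
import re

# Page rule: starts with a letter; only alphanumerics, hyphens, underscores;
# does not end with a hyphen or underscore. ASCII-only is an assumption.
USERNAME_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9])?")
MIN_PASSWORD_LEN = 5  # page rule: minimum 5 characters

# Constructed sample users; a real store would hold password hashes.
USERS = {"staging-qa": "s3cret-pass", "dev_lead": "hunter22"}


def valid_user(username, password):
    """Check a username/password pair against the rules stated on the page."""
    return bool(USERNAME_RE.fullmatch(username)) and len(password) >= MIN_PASSWORD_LEN


def header_for(username, password):
    """Build the Authorization header a browser would send (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None


def is_allowed(mode, users, selected, header):
    """mode is 'off', 'all' or 'selected' (hypothetical names for the three modes)."""
    if mode == "off":
        return True
    creds = parse_basic(header)
    if creds is None:
        return False  # standard HTTP response here: 401 with WWW-Authenticate
    username, password = creds
    expected = users.get(username)
    # compare_digest keeps the comparison time independent of where strings differ
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    return mode == "all" or username in selected
```

The header value is only base64-encoded, not encrypted, so Basic Auth credentials are readable by anyone who can observe the request unless the site is served over HTTPS.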

Per-Request Overrides

Basic Auth can be enabled or disabled for specific requests using Conditional Rules. This allows you to:

  • Protect only specific URL paths (e.g., /admin)

  • Require authentication only from certain IP ranges

  • Bypass authentication for trusted IPs while requiring it for everyone else


Under Attack Mode

Under Attack Mode is an emergency setting for when your site is experiencing an active DDoS attack or unusually high volumes of malicious traffic.

When enabled, smoxy applies more aggressive security checks to all incoming requests. This may cause a brief delay for legitimate visitors as they pass through additional verification, but it significantly reduces the impact of attack traffic.

When to Use

  • Your site is experiencing a DDoS attack

  • You see a sudden spike in blocked or challenged requests

  • Your origin server is under heavy load from malicious traffic

When to Disable

Turn off Under Attack Mode once the attack subsides. The additional verification adds slight latency for all visitors, so it should only be active during incidents.


Important Considerations

  • Safe to activate: The WAF is designed for broad activation. It targets malicious patterns without affecting legitimate traffic, making it safe to enable for all sites.

  • Proxy required: Security features require the proxy to be enabled. Without the proxy, security is automatically disabled.

  • CDN not required: Security operates at the proxy layer and works independently of CDN. You can use security features without enabling CDN on your hostnames.

  • Rule order matters: Access rules are processed in order. Place your most specific rules first and use the stop flag to prevent unnecessary rule evaluation.

  • Skip rules for APIs: If you have API endpoints that handle unusual payloads (code snippets, binary data), consider adding skip rules to prevent false positive WAF blocks.

  • Under Attack Mode is temporary: Only enable Under Attack Mode during active attacks. Disable it when the situation normalizes to avoid unnecessary latency for legitimate visitors.

  • Custom pages: You can customize the 403 (security block) page to match your branding. See Custom Pages.
