Setting up Cloudflare WAF for 1C-Bitrix

Our company is engaged in the development, support and maintenance of Bitrix and Bitrix24 solutions of any complexity. From simple one-page sites to complex online stores, CRM systems with 1C and telephony integration. The experience of developers is confirmed by certificates from the vendor.

Configuring Cloudflare WAF for 1C-Bitrix

A Bitrix-powered online store receives thousands of requests to /bitrix/admin/ every day from bots attempting brute-force password attacks. Simultaneously, DDoS attacks target the search page, generating heavy database load. The built-in Bitrix WAF (the security module) handles some threats, but only after the request has already reached PHP. Cloudflare WAF filters traffic before it ever reaches your server.

Delegating the Domain to Cloudflare

The domain's DNS is delegated to Cloudflare's nameservers. After that, all traffic passes through Cloudflare before reaching the server. A/AAAA/CNAME DNS records must be set to "Proxied" mode (the orange cloud icon) — otherwise the WAF does not function. The filtering only holds if the origin cannot be reached directly: restrict inbound connections at the server firewall to Cloudflare's IP ranges, otherwise anyone who learns the origin IP bypasses the WAF entirely.

Cloudflare passes the visitor's real IP in the CF-Connecting-IP header; without further configuration the server only sees the IP of the Cloudflare edge. Bitrix must log the real client IP, not the Cloudflare IP. This can be handled on the Bitrix side (/bitrix/.settings.php) or at the web server; for nginx, in nginx.conf the realip module is configured so that the header is trusted only when the connection comes from a Cloudflare range:

# Set real IP from CF-Connecting-IP header
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
# ... remaining Cloudflare ranges
real_ip_header CF-Connecting-IP;

Current list of Cloudflare IP ranges: https://www.cloudflare.com/ips-v4/ (IPv6: https://www.cloudflare.com/ips-v6/). Every range in the list needs a set_real_ip_from line; a range that is missing means requests from that edge are logged with the edge IP, and a range that is too broad means a direct connection could spoof the header.
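The trust decision that set_real_ip_from encodes, written out in Python so it can be checked against sample addresses. This is an added example, not code from the page or from Bitrix; the range list is a constructed sample of the four prefixes shown above, and the nginx generator reproduces the snippet format used on this page.

```python
import ipaddress
from typing import List, Optional

# Constructed sample: the four ranges quoted on the page. In production load the
# full list from https://www.cloudflare.com/ips-v4/ (and ips-v6).
CLOUDFLARE_RANGES_TEXT = """\
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
"""


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def client_ip(remote_addr: str, cf_connecting_ip: Optional[str], trusted) -> str:
    """Mirror nginx realip: honour CF-Connecting-IP only when the TCP peer is a
    Cloudflare edge. On a direct connection the header is attacker-controlled,
    so the peer address itself is logged instead."""
    peer = ipaddress.ip_address(remote_addr)
    if cf_connecting_ip and any(peer in net for net in trusted):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:          # malformed header value: fall back to peer
            return remote_addr
    return remote_addr


def nginx_realip_config(trusted) -> str:
    """Render the set_real_ip_from block in the same form as the snippet above."""
    lines = ["# Trust CF-Connecting-IP only from Cloudflare edges"]
    lines += [f"set_real_ip_from {net};" for net in trusted]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)
```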

Managed Rules (Pre-built Rule Sets)

In the Cloudflare dashboard → Security → WAF → Managed Rules, enable:

  • Cloudflare Managed Ruleset — base ruleset against SQLi, XSS, Path Traversal
  • Cloudflare OWASP Core Ruleset — OWASP ModSecurity Core Rule Set

For 1C-Bitrix, exceptions must be configured — Bitrix generates requests that can trigger false positives on XSS and SQLi rules. Keep each exception as narrow as possible: skipping a whole ruleset for /bitrix/admin/ also removes its protection from the most attacked path, so where you can, skip only the rule IDs that the Security Events log shows firing on legitimate traffic:

Exception rule for the admin panel:

  • Expression: http.request.uri.path contains "/bitrix/admin/"
  • Action: Skip → Cloudflare Managed Ruleset

Exception rule for 1C data exchange API:

  • Expression: http.request.uri.path contains "/bitrix/1c_exchange.php"
  • Action: Skip or reduce sensitivity

Exception rule for file uploads:

  • Expression: http.request.uri.path contains "/bitrix/tools/upload.php"
  • Action: Skip

Custom Rules for Bitrix-Specific Threats

Blocking brute-force attacks on admin:

(http.request.uri.path eq "/bitrix/admin/index.php"
 and http.request.method eq "POST"
 and not ip.src in {151.101.0.0/16 104.16.0.0/13})

Action: Rate Limiting — no more than 5 POST requests per minute from a single IP. When exceeded — Challenge (JS challenge or CAPTCHA).

Blocking vulnerability scanners:

(http.request.uri.path contains "/bitrix/admin/"
 and cf.bot_management.score le 30
 and http.user_agent contains "sqlmap")
or
(http.request.uri.path contains "wp-admin")
or
(http.request.uri.path contains ".env")

Action: Block with HTTP 403.

Protecting the login page from bots:

(http.request.uri.path eq "/login/"
 and http.request.method eq "POST"
 and cf.threat_score gt 10)

Action: Managed Challenge.

Bot Management

In Cloudflare → Security → Bots:

  • Bot Fight Mode — basic protection, free
  • Super Bot Fight Mode (Pro plan) — blocks known malicious bots, allows search engine bots

For Bitrix stores: make sure YandexBot and Googlebot are allowed. Cloudflare does not block them by default, but it is worth checking Bot Analytics to confirm they are not being caught by false positives.

Page Rules and Cache Rules for Admin

The Bitrix admin panel must not be cached by Cloudflare:

URL: example.com/bitrix/admin/*
Cache Level: Bypass

The same applies to the user account, cart, and checkout pages — any pages containing personal data.

Rate Limiting for Search and Filter Pages

Search pages (/search/) and faceted filter pages (/catalog/?PAGEN_1=...) are frequent targets of application-layer DDoS attacks. Rate Limiting:

Expression: http.request.uri.path eq "/search/" and http.request.method eq "GET"
Rate: 30 requests per minute per IP
Action: Block for 1 hour

For the catalog filter: apply the limit based on the number of query-string parameters in the URL, so that a filter request carrying many parameters is counted while a plain catalog page view is not.
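The custom rules above and the rate limits on admin and search, simulated over constructed traffic so that the resulting action for each request can be checked before anything is switched out of Log mode. This is an added example, not the page's or Cloudflare's own code: the sample requests are invented, the bot-score clause is omitted, and the per-IP sliding window is an approximation of Cloudflare's counting period.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (seconds, client_ip, method, path, user_agent).
# Not real log data.
SAMPLE = [(t, "203.0.113.10", "POST", "/bitrix/admin/index.php", "Mozilla/5.0")
          for t in range(0, 30, 5)]                                     # six admin POSTs in 30 s
SAMPLE += [
    (31, "203.0.113.20", "GET", "/wp-admin/", "Mozilla/5.0"),          # WordPress probe on a Bitrix site
    (32, "203.0.113.30", "GET", "/bitrix/admin/", "sqlmap/1.7"),       # scanner user agent
    (33, "203.0.113.40", "GET", "/.env", "curl/8.0"),                  # secrets-file probe
    (34, "203.0.113.50", "GET", "/catalog/", "Mozilla/5.0"),           # legitimate shopper
    (90, "203.0.113.10", "POST", "/bitrix/admin/index.php", "Mozilla/5.0"),  # window expired
]


def is_scanner(path: str, user_agent: str) -> bool:
    """The page's 'vulnerability scanner' custom rule, minus the bot-score clause."""
    return (("/bitrix/admin/" in path and "sqlmap" in user_agent)
            or "wp-admin" in path
            or ".env" in path)


def evaluate(requests, rl_path="/bitrix/admin/index.php", rl_method="POST",
             limit=5, window=60, exceed_action="challenge"):
    """Return the action each request receives, in order: scanner rule first
    (block), then a per-IP sliding-window rate limit on rl_path/rl_method."""
    recent = defaultdict(deque)       # ip -> timestamps of counted requests
    actions = []
    for ts, ip, method, path, ua in requests:
        if is_scanner(path, ua):
            actions.append("block")
        elif path == rl_path and method == rl_method:
            q = recent[ip]
            while q and ts - q[0] >= window:   # drop requests older than the window
                q.popleft()
            q.append(ts)
            actions.append(exceed_action if len(q) > limit else "allow")
        else:
            actions.append("allow")
    return actions
```

Running evaluate with rl_path="/search/", rl_method="GET", limit=30 and exceed_action="block" gives the search-page rule from this section.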

Monitoring and Tuning

After enabling rules — 24–48 hours of monitoring in "Log" mode (no blocking). Cloudflare shows which rules are triggering and which legitimate requests are being flagged. Only after analysis should rules be switched to "Block" or "Challenge".

Scope of Work

  • DNS delegation to Cloudflare, configuring real IP on the server
  • Enabling Managed Rules with exceptions for Bitrix
  • Custom Rules: admin brute-force, scanners, login page
  • Rate Limiting for search and catalog filter
  • Bot Management, exceptions for search engine bots
  • Monitoring false positives, final tuning

Timeline: 3–5 days for basic configuration. 1–2 weeks including a monitoring period and final rule calibration.