https://briansnelson.com/index.php?action=history&feed=atom&title=Bash_Script_to_Enable_Under-Attack_in_Cloudflare
Bash Script to Enable Under-Attack in Cloudflare - Revision history
2026-06-04T02:40:59Z
Revision history for this page on the wiki
MediaWiki 1.24.1
https://briansnelson.com/index.php?title=Bash_Script_to_Enable_Under-Attack_in_Cloudflare&diff=1077&oldid=prev
Brian: Created page with "==Bash Script to Monitor PHP Process and Enable Under Attack Mode in Cloudflare== Does your domain hit max_children often due to high attacks from bots/scrapers? Did you kno..."
2026-03-20T01:36:21Z
<p>Created page with "==Bash Script to Monitor PHP Process and Enable Under Attack Mode in Cloudflare== Does your domain hit max_children often due to high attacks from bots/scrapers? Did you kno..."</p>
<p><b>New page</b></p><div>==Bash Script to Monitor PHP Process and Enable Under Attack Mode in Cloudflare==<br />
<br />
Does your domain hit max_children often due to high attacks from bots/scrapers?<br />
<br />
Did you know you can enable under-attack via the api?<br />
<br />
===API Enable Under-Attack Mode via Cloudflare===<br />
<br />
#!/usr/bin/env bash<br />
#<br />
# cf-phpfpm-attack-toggle.sh<br />
# Toggle Cloudflare Under Attack mode based on PHP-FPM max_children usage.<br />
<br />
### CONFIG #########################################################<br />
<br />
# Cloudflare<br />
CF_API_TOKEN="[Input your API Token]"<br />
CF_DOMAIN="[Input your Domain]" # your domain<br />
CF_NORMAL_LEVEL="medium" # normal security level<br />
CF_ATTACK_LEVEL="under_attack" # attack mode level <br />
<br />
# PHP-FPM<br />
PHP_FPM_POOL_CONF="[Input Pool Config Location]" # adjust for your distro<br />
PHP_FPM_PROCESS_NAME="php-fpm" # e.g. php-fpm, php-fpm82, php-fpm8.2<br />
PHP_USER="[Input your user]"<br />
<br />
# Thresholds<br />
HIGH_USAGE_PCT=90 # enable Under Attack if >= this % of max_children in use<br />
LOW_USAGE_PCT=50 # disable Under Attack if <= this % of max_children in use<br />
<br />
# State file to avoid flapping<br />
STATE_FILE="/var/run/cf_under_attack.state"<br />
<br />
#################################################################### <br />
<br />
set -euo pipefail<br />
<br />
log() {<br />
echo "[$(date -Is)] $*"<br />
}<br />
<br />
get_zone_id() {<br />
curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=${CF_DOMAIN}" \<br />
-H "Authorization: Bearer ${CF_API_TOKEN}" \<br />
-H "Content-Type: application/json" \<br />
| jq -r '.result[0].id'<br />
}<br />
<br />
get_cf_security_level() {<br />
local zone_id="$1"<br />
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${zone_id}/settings/security_level" \<br />
-H "Authorization: Bearer ${CF_API_TOKEN}" \<br />
-H "Content-Type: application/json" \<br />
| jq -r '.result.value'<br />
}<br />
<br />
set_cf_security_level() {<br />
local zone_id="$1"<br />
local level="$2"<br />
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zone_id}/settings/security_level" \<br />
-H "Authorization: Bearer ${CF_API_TOKEN}" \<br />
-H "Content-Type: application/json" \<br />
--data "{\"value\":\"${level}\"}" \<br />
| jq -r '.success'<br />
}<br />
<br />
get_max_children() {<br />
# reads first pm.max_children in pool conf<br />
awk -F'=' '/^[[:space:]]*pm\.max_children[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' \<br />
"${PHP_FPM_POOL_CONF}"<br />
}<br />
<br />
get_current_children_count() {<br />
# count running php-fpm workers (exclude master)<br />
# ps -o cmd= -C "${PHP_FPM_PROCESS_NAME}" 2>/dev/null | grep "sitesent" | wc -l<br />
local count<br />
count=$(ps -o cmd= -C "${PHP_FPM_PROCESS_NAME}" 2>/dev/null | grep "${PHP_USER}" | wc -l)<br />
#Fix for math bug of if no process 0 are active<br />
echo $(( count + 1 ))<br />
}<br />
<br />
get_state() {<br />
if [[ -f "${STATE_FILE}" ]]; then<br />
cat "${STATE_FILE}"<br />
else<br />
echo "normal"<br />
fi<br />
}<br />
<br />
set_state() {<br />
echo "$1" > "${STATE_FILE}"<br />
}<br />
<br />
main() {<br />
# Get PHP-FPM usage<br />
local max_children<br />
max_children=$(get_max_children || echo 0)<br />
if [[ "${max_children}" -le 0 ]]; then<br />
log "ERROR: Could not determine pm.max_children from ${PHP_FPM_POOL_CONF}"<br />
exit 1<br />
fi<br />
<br />
local current_children<br />
current_children=$(get_current_children_count) <br />
<br />
local usage_pct<br />
usage_pct=$(( current_children * 100 / max_children )) <br />
<br />
log "PHP-FPM: ${current_children}/${max_children} children (${usage_pct}%)" <br />
<br />
# Get Cloudflare zone and current level<br />
local zone_id<br />
zone_id=$(get_zone_id)<br />
if [[ -z "${zone_id}" || "${zone_id}" == "null" ]]; then<br />
log "ERROR: Unable to determine Cloudflare zone ID for ${CF_DOMAIN}"<br />
exit 1<br />
fi<br />
<br />
local current_level<br />
current_level=$(get_cf_security_level "${zone_id}")<br />
log "Cloudflare security level: ${current_level}"<br />
<br />
local state<br />
state=$(get_state)<br />
log "Current state flag: ${state}"<br />
<br />
# Logic:<br />
# - If usage >= HIGH_USAGE_PCT and not already under attack -> enable<br />
# - If usage <= LOW_USAGE_PCT and currently under attack -> disable <br />
<br />
if (( usage_pct >= HIGH_USAGE_PCT )) && [[ "${state}" != "attack" ]]; then<br />
log "High PHP-FPM usage (>= ${HIGH_USAGE_PCT}%). Enabling Under Attack mode..."<br />
if [[ "${current_level}" != "${CF_ATTACK_LEVEL}" ]]; then<br />
local ok<br />
ok=$(set_cf_security_level "${zone_id}" "${CF_ATTACK_LEVEL}")<br />
if [[ "${ok}" == "true" ]]; then<br />
log "Cloudflare set to ${CF_ATTACK_LEVEL}"<br />
set_state "attack"<br />
else<br />
log "ERROR: Failed to enable Under Attack mode"<br />
fi<br />
else<br />
log "Cloudflare already in ${CF_ATTACK_LEVEL} level."<br />
set_state "attack"<br />
fi<br />
<br />
elif (( usage_pct <= LOW_USAGE_PCT )) && [[ "${state}" == "attack" ]]; then<br />
log "PHP-FPM usage low (<= ${LOW_USAGE_PCT}%). Disabling Under Attack mode..."<br />
if [[ "${current_level}" != "${CF_NORMAL_LEVEL}" ]]; then<br />
local ok<br />
ok=$(set_cf_security_level "${zone_id}" "${CF_NORMAL_LEVEL}")<br />
if [[ "${ok}" == "true" ]]; then<br />
log "Cloudflare set to ${CF_NORMAL_LEVEL}"<br />
set_state "normal"<br />
else<br />
log "ERROR: Failed to disable Under Attack mode"<br />
fi<br />
else<br />
log "Cloudflare already at normal level (${CF_NORMAL_LEVEL})."<br />
set_state "normal"<br />
fi <br />
<br />
else<br />
log "No change to Cloudflare mode (usage: ${usage_pct}%, state: ${state})."<br />
fi<br />
}<br />
<br />
main "$@"<br />
<br />
===Setup Cron to Auto Enable/Disable Under-Attack Mode in Cloudflare===<br />
<br />
Now set it up to run every minute <br />
<br />
* * * * * bash /path/to/script/cf-phpfpm-attack-toggle.sh >> /var/log/cf-under-attack.log<br />
<br />
Now when your site gets heavy traffic it will auto enable under-attack mode.<br />
<br />
===How to setup the API Key in Cloudflare===<br />
<br />
To generate the API key in cloudflare, you will need to go to<br />
<br />
'''Manage Account -> Account API Tokens -> Create Token<br />
'''<br />
<br />
Make sure to select '''Zone -> Zone Settings both (Edit/Read)<br />
'''<br />
<br />
Those are the only settings this API token needs</div>
Brian