WAF custom rules are more flexible, of course, and from a business perspective, I can understand why they would recommend that option instead.
I currently filter on an nginx access log file among other filters (sshd, bot-search, bad-requests) and let fail2ban execute the ban/unban action itself.
From a quick search, it should be possible to handle bans/unbans externally, if that’s what you’re after.
FYI, IP access rules don’t count towards the 5 custom rules limit, but the more generous 50k limit.
With fail2ban, you can setup IP access rules via the cftoken-action quite easily.
Security --> WAF --> Tools to access the IP rules in the dashboard. https://developers.cloudflare.com/waf/tools/ip-access-rules/
Hijacking: With the above solution, it’s also super easy to install modpacks and I would recommend Modrinth as both the modded Minecraft launcher and mod-shareplace.
https://docker-minecraft-server.readthedocs.io/en/latest/mods-and-plugins/
Went the same route last year and had no issues.
Perfect! My shitty code qualifies as a cognitohazard, so nobody should be seeing it anyways.