On 8 May 2026, Erik-Jan de Kruijf details how to detect web server probing and fuzzing in Traefik using an out-of-the-box Elastic Security ES|QL detection rule that spots repeated 403/404 errors from a single source IP, a pattern that signals directory fuzzing or vulnerability scanning.
The approach ingests Traefik access logs via the official integration into the `logs-traefik.access-default` data stream and uses a custom ingest pipeline to populate the `host.name` field by copying `agent.name`, ensuring the detection rule functions correctly. When suspicious activity is detected, an automated Cloudflare workflow blocks the offending IP at the edge by appending it to the existing blocklist, then acknowledges the Elastic alert, creating a closed, end-to-end defensive loop.
The default threshold triggers if a source IP generates more than 500 errors across 250 distinct URI paths, but the author describes tuning to event_count > 100 and url_original_count_distinct > 50 for smaller environments, and notes the importance of excluding authorised tools. The workflow relies on a Cloudflare API token with Zone WAF edit privileges and a Zone ID, and cautions that Cloudflare’s custom WAF expression character limit can be reached in highly targeted setups.
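The per-source-IP counting the rule performs, as an added example that is not code from the post, from Elastic or from Traefik: a stand-alone Python re-implementation over constructed Traefik JSON access-log lines (using Traefik's `ClientHost`, `RequestPath` and `DownstreamStatus` fields), with the tuned thresholds from the post (more than 100 errors across more than 50 distinct paths) and an allowlist for authorised scanners.

```python
import json
from collections import defaultdict

# Tuned thresholds from the post; the shipped rule defaults are 500 errors / 250 paths.
EVENT_COUNT_THRESHOLD = 100
DISTINCT_PATH_THRESHOLD = 50
ERROR_STATUSES = {403, 404}


def detect_probing(log_lines, event_count_threshold=EVENT_COUNT_THRESHOLD,
                   distinct_path_threshold=DISTINCT_PATH_THRESHOLD, allowlist=frozenset()):
    """Return {source_ip: (error_count, distinct_paths)} for every IP that exceeds
    BOTH thresholds, mirroring the rule's event_count and url_original_count_distinct."""
    errors = defaultdict(int)
    paths = defaultdict(set)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole batch
        if rec.get("DownstreamStatus") not in ERROR_STATUSES:
            continue
        ip = rec.get("ClientHost")
        if not ip or ip in allowlist:  # authorised tools are excluded, as the post advises
            continue
        errors[ip] += 1
        paths[ip].add(rec.get("RequestPath", ""))
    return {ip: (n, len(paths[ip])) for ip, n in errors.items()
            if n > event_count_threshold and len(paths[ip]) > distinct_path_threshold}


def constructed_logs():
    """Constructed sample (not real traffic, TEST-NET addresses):
    - 203.0.113.10 fuzzes 120 distinct paths -> trips both thresholds
    - 192.0.2.5 gets 150 errors on 3 paths only -> not fuzzing, stays below the path threshold
    - 198.51.100.7 is a normal client with a handful of 404s."""
    lines = []
    for i in range(120):
        lines.append(json.dumps({"ClientHost": "203.0.113.10", "RequestMethod": "GET",
                                 "RequestPath": f"/backup-{i}.zip", "DownstreamStatus": 404}))
    for i in range(150):
        lines.append(json.dumps({"ClientHost": "192.0.2.5", "RequestMethod": "POST",
                                 "RequestPath": f"/login/{i % 3}", "DownstreamStatus": 403}))
    for _ in range(5):
        lines.append(json.dumps({"ClientHost": "198.51.100.7", "RequestMethod": "GET",
                                 "RequestPath": "/favicon.ico", "DownstreamStatus": 404}))
    lines.append("not json")  # a garbled line, to show the parser tolerates it
    return lines


if __name__ == "__main__":
    for ip, (count, distinct) in detect_probing(constructed_logs()).items():
        print(f"probing from {ip}: {count} errors over {distinct} distinct paths")
```

The flagged IP is what the Cloudflare workflow in the post would append to the blocklist; the 192.0.2.5 case shows why the rule requires both counts rather than the error total alone.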
Finally, the author demonstrates validating the setup with fuzzing tools like ffuf or gobuster and highlights the benefit of blocking attackers at the edge to reduce alert fatigue.