BotLimiter is a high-performance firewall designed specifically to stop "Faceted Search Scrapers" and aggressive bots that overload PrestaShop servers by iterating through filter combinations (e.g., ?q=Category-Food or ?order=price.asc).

Unlike standard CAPTCHAs that annoy users, BotLimiter uses a "Cookie Trap" mechanism. It detects heavy requests (filters/sorting) and seamlessly verifies the visitor using a lightweight JavaScript redirection flow. Real users pass instantly; dumb bots get stuck; aggressive scrapers are logged for Fail2Ban.

Features

Request Interception: Hooks into actionFrontControllerInitBefore to stop processing before the heavy Database/Theme loading starts.
HEAD Request Block: Instantly drops HEAD requests on filtered pages (a common bot tactic to check for 200 OK without downloading content).
The "Trap" logic:
- Redirects visitors without a valid session to a lightweight HTML/JS verification page.
- Generates an encrypted token based on the user's IP.
- Validates the token upon auto-submission.
Extensible Rules: Built on a generic RuleInterface architecture.
Fail2Ban Integration: Writes offending IPs to a dedicated log file compatible with server-side banning tools.

Installation

Upload the botlimiter folder to your /modules/ directory.
Go to Back Office > Modules > Module Manager.
Find Bot Limiter and click Install.
Clear your PrestaShop cache (Advanced Parameters > Performance).

Architecture

The module uses the following flow:

Hook: actionFrontControllerInitBefore
Rule Engine: Checks if the request is "Heavy" (contains q= or order= parameters).
Allowlist: Passes Googlebot, Bingbot, and legitimate users with a verified session cookie.
Verification:
- If unverified, redirects to module-botlimiter-verify.
- This controller renders a minimal template (no heavy footer/header).
- Javascript automatically appends an encrypted token and redirects back to the original URL.
Validation: The module decrypts the token. If it matches the IP, a session cookie is set, and the user can browse freely.

Fail2Ban Configuration (Virtualmin / Universal)

The module writes logs to:
/your_shop_root/var/logs/botlimiter_ban.log

The format is:
[YYYY-MM-DD HH:MM:SS] [IP:192.168.1.1] [REASON:HEAD_REQUEST_SPAM]

1. Create the Filter

Create a new file /etc/fail2ban/filter.d/prestashop-bot.conf:

[Definition]
# Regex to match the custom log format from BotLimiter
failregex = ^\[.*\] \[IP:<HOST>\] \[REASON:.*\]$

# Ignore nothing
ignoreregex =

2. Create the Jail (Virtualmin Universal Rule)

We need a rule that scans all virtual servers on your machine. Virtualmin typically stores web roots in /home/USERNAME/public_html or /home/USERNAME/domains/DOMAIN/public_html.

Add this to your /etc/fail2ban/jail.local (or jail.conf):

[prestashop-bot]
enabled  = true
port     = http,https
filter   = prestashop-bot
# Multi-path configuration to scan all Virtualmin domains
logpath  = /home/*/public_html/var/logs/botlimiter_ban.log
           /home/*/domains/*/public_html/var/logs/botlimiter_ban.log

# OPTIONS:
# maxretry: Number of times a bot can hit the trap before ban
maxretry = 5

# findtime: Time window (seconds) to count the retries (10 minutes)
findtime = 600

# bantime: How long to ban them (1 hour)
bantime  = 3600

# Backend: standard "auto" or "pyinotify" works best for wildcards
backend  = auto

3. Restart Fail2Ban

service fail2ban restart
# OR
systemctl restart fail2ban

4. Verify It Works

To check if Fail2Ban is correctly monitoring the files across your Virtualmin domains:

fail2ban-client status prestashop-bot

You should see a list of "File list" showing the log paths it found across your home directories.

Troubleshooting

Users complain about loops: Ensure JavaScript is enabled. The verification controller relies on JS to append the token.
Whitelisting: If you have a specific monitoring service (like UptimeRobot), ensure you add their User-Agent to classes/rules/FilterTrapRule.php.