From b596a3118c8abbdf9da05478f21dcbb16e5daa52 Mon Sep 17 00:00:00 2001 From: Johnathon Mihalop Date: Mon, 1 Jun 2026 10:57:06 +0100 Subject: [PATCH 1/4] update websocket billing docs --- cdn/websockets.mdx | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/cdn/websockets.mdx b/cdn/websockets.mdx index 564c954b..28dca129 100644 --- a/cdn/websockets.mdx +++ b/cdn/websockets.mdx @@ -20,19 +20,27 @@ You can enable WebSockets directly in the dashboard: ![](/images/docs/b56e5572907a8ff3d515a117590bfddc143fc244de41e30ac7057809d6954309-image.png) -# Pricing & Limits +# Connection Limits -WebSockets are included with bunny.net and scale with your needs. You get 500 concurrent connections free on every zone. Higher limits are available via simple monthly upgrades: +Each Pull Zone has a maximum number of simultaneous WebSocket connections it will accept. New zones default to 500 concurrent connections, and you can raise or lower this limit at any time from the dashboard or API. -| Concurrent Connections | Monthly Price | -| ---------------------- | ------------- | -| 500 (Free) | $0 | -| 1,000 | $10 | -| 2,500 | $25 | -| 5,000 | $40 | -| 10,000 | $70 | -| 25,000 | $150 | - -You can upgrade and downgrade your maximum allowed concurrent connections at any time, we will bill in second increments. We charge WebSocket bandwidth at the same rate as CDN bandwidth, and this will be included in your monthly CDN bill. +- The minimum limit is 100 connections. +- You can self-serve up to 25,000 concurrent connections. +- Limits are rounded up to the nearest 100. Need more than 25,000 concurrent connections? Our team can help tailor a plan to fit your needs. Simply contact sales via support to discuss higher limits. + +# Pricing + +WebSockets are billed pay-as-you-go based on how long connections stay open. There is no monthly subscription and no separate plan to choose. Your maximum-connection limit only caps how many simultaneous connections a zone will accept; it does not affect how you are billed. + +| Metric | Price | +| --------------- | ----------------------------------------- | +| Connection time | $0.235 per million connection-minutes | +| Bandwidth | Same rate as standard CDN bandwidth | + +Usage is metered on the total time your connections remain open. One connection-minute is a single open connection for one minute, so 1,000 connections held open for one minute equals 1,000 connection-minutes. Charges are calculated continuously and added to your account throughout the month. + +For example, holding 1,000 concurrent connections open continuously for a 30-day month is roughly 43.2 million connection-minutes, or about $10.15 for the month. + +WebSocket bandwidth is charged at the same rate as regular CDN bandwidth and is included in your monthly CDN bill. From 26158bf6ba325b02b11a1829a588ffab330fba5d Mon Sep 17 00:00:00 2001 From: Johnathon Mihalop Date: Tue, 9 Jun 2026 14:20:56 +0100 Subject: [PATCH 2/4] update verified bots based on new process --- shield/verified-bots.mdx | 84 +++++++++++++++------------------------- 1 file changed, 32 insertions(+), 52 deletions(-) diff --git a/shield/verified-bots.mdx b/shield/verified-bots.mdx index a50af286..2905b9a3 100644 --- a/shield/verified-bots.mdx +++ b/shield/verified-bots.mdx @@ -1,73 +1,53 @@ --- -title: "Verified SEO Bots" -description: "Bunny Shield automatically recognizes and allows legitimate SEO and social media crawlers to pass through all mitigation layers and challenges. These crawlers are critical for search indexing, link previews, and content sharing, and ensuring their uninterrupted access helps your site remain discoverable and accessible." +title: "Verified Bots" +description: "Bunny Shield recognizes well-known good bots - search crawlers, social and link-preview fetchers, AI agents, and other utility bots - verifies that they are genuine, and lets you decide per category or per bot whether they are allowed through, blocked, or treated as ordinary traffic." --- -To prevent abuse, Bunny Shield verifies the authenticity of every bot request before allowing it through. +Bunny Shield identifies a large set of well-known bots and verifies that each request claiming to be one is genuine. Recognizing a bot doesn't grant it any special treatment on its own, you stay in control of what happens to it. ## Verification Process -Not all traffic claiming to be a search engine bot is genuine. Many malicious actors spoof user agents to bypass protections. To solve this, Bunny Shield verifies the authenticity of SEO bots using reverse DNS lookups (PTR records): +Not all traffic claiming to be a search engine or social crawler is genuine. Many malicious actors spoof user agents to bypass protections. Before trusting a bot, Bunny Shield verifies its authenticity: -1. The bot’s IP address is resolved to its PTR hostname. -2. The hostname is checked against our whitelist of trusted domains. -3. If the hostname matches, Bunny Shield confirms the authenticity by performing a forward DNS lookup to ensure the hostname resolves back to the same IP range. +1. The request's user agent is matched against the catalog of known bots, identifying a candidate bot and its category. +2. For bots that publish a verifiable identity, the client IP is confirmed: + - **Reverse DNS (PTR)** - the IP is resolved to its hostname, which is checked against the bot operator's trusted domains, and then a **forward DNS** lookup confirms the hostname resolves back to the same IP. + - **Published IP ranges** - some bots are instead verified against the operator's officially published IP ranges. +3. Only when these checks pass is the request marked as a **verified** bot. -Only when these checks pass is the bot classified as legitimate and allowed through. +Some bots are recognized by user agent but publish no verifiable identity (no reverse-DNS domain or IP range). These are identified but cannot be verified, and can be allowed or blocked at your own discretion. -## Supported Verified Bots +## Controlling Bot Access -The following crawlers are verified and allowed across all Bunny Shield mitigation methods and challenges: +Being recognized as a known bot does not automatically allow a request through. On a new Shield Zone nothing is configured: a recognized bot is identified, and its category is made available to your rules, but is otherwise subject to your normal protections. You decide how each bot is handled at two levels: -- **Google** `.googlebot.com, .google.com` - - **Googlebot** - - **Google-InspectionTool** - - **Google-Site-Verification** - - **FeedFetcher-Google** - - **GoogleProducer** - - **Mediapartners-Google** - - **AdsBot-Google** - - **APIs-Google** - - **Storebot-Google** - - **Googlebot-Image** - - **Googlebot-Video** +- **Per category** - apply an action to every bot in a category at once. +- **Per bot** - override a single bot. A per-bot setting always takes precedence over its category. -- **Yahoo! Slurp**: `.crawl.yahoo.net` +The available actions are: -- **Bingbot (Microsoft)**: `.search.msn.com` +- **Allow** - the bot bypasses most of Shield's mitigations (DDoS challenges, Bot Detection and Access Lists). This only takes effect once the bot's identity is verified. A bot that cannot be verified is allowed only if you explicitly allow it, choosing to trust the user-agent match alone. +- **Block** - the request is rejected at the edge (before cache) with a `403`. +- **Ignore** *(default)* - the bot is recognized but receives no special treatment; it is subject to your WAF rules, rate limits, and challenges like any other request. -- **Yandex**: `.yandex.ru`, `.yndx.net` +## Bot Categories -- **Baiduspider**: `.crawl.baidu.com` +Bots are grouped into categories so you can manage them together: -- **Facebookexternalhit**: `.facebook.com, .fbsv.net` +- **Search engine crawlers (SEO)** - indexing bots such as search engine spiders. +- **Social media** - social network crawlers that fetch shared links. +- **Link previews** - bots that generate link preview cards and unfurls. +- **AI scrapers** - crawlers that gather content for AI training and datasets. +- **AI tools** - AI assistants and agents that fetch pages on a user's behalf. +- **Advertising** - ad verification and ad-serving bots. +- **Tools** - monitoring, uptime, and other utility bots. -- **Twitterbot**: `.twitter.com` +## Using Verified Bots in Rules -- **LinkedInBot**: `.linkedin.com` - -- **Pinterest**: `.pinterest.com` - -- **Applebot**: `.apple.com` - -- **WhatsApp**: `.whatsapp.net` - -- **Tumblr**: `.tumblr.com` - -- **SkypeUriPreview**: `.skype.com` - -- **Discordbot**: `.discordapp.com` - -- **TelegramBot**: `.telegram.org` - -- **MojeekBot**: `.mojeek.com` - -- **QwantBot**: `.qwant.com` +When a bot is verified, its category is exposed to the Shield rule engine through the `VERIFIED_BOT_CATEGORY` variable. You can use this in custom rules to handle categories differently - for example, allowing search crawlers while challenging AI scrapers. ## Why Verification Matters -- **Prevents abuse**: Many malicious crawlers disguise themselves with fake user-agent strings. PTR verification ensures that only real search and social bots get access. -- **Preserves SEO**: Legitimate crawlers are never blocked by WAF rules, rate limits, or bot detection challenges. -- **Improves security**: Fake bots are denied, reducing the chance of scraping, spam, and credential stuffing attempts. - -Legitimate SEO bots are vital for site visibility and usability. With Bunny Shield, you can rest assured that authentic crawlers pass freely while fakes are stopped at the edge. +- **Prevents abuse** - many malicious crawlers disguise themselves with fake user-agent strings. Identity verification ensures only genuine bots are treated as such. +- **Keeps you in control** - you decide which bots to allow, block, or leave subject to your normal protections, per category or per individual bot. +- **Preserves access for the bots you trust** - bots you allow pass freely through challenges and rate limits, so search indexing, link previews, and other legitimate automation keep working. \ No newline at end of file From 70801cd5f08b6caa3545977cbf3b68d87af7e449 Mon Sep 17 00:00:00 2001 From: Johnathon Mihalop Date: Tue, 9 Jun 2026 14:27:03 +0100 Subject: [PATCH 3/4] trigger mintify? --- shield/verified-bots.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shield/verified-bots.mdx b/shield/verified-bots.mdx index 2905b9a3..34645ced 100644 --- a/shield/verified-bots.mdx +++ b/shield/verified-bots.mdx @@ -50,4 +50,4 @@ When a bot is verified, its category is exposed to the Shield rule engine throug - **Prevents abuse** - many malicious crawlers disguise themselves with fake user-agent strings. Identity verification ensures only genuine bots are treated as such. - **Keeps you in control** - you decide which bots to allow, block, or leave subject to your normal protections, per category or per individual bot. -- **Preserves access for the bots you trust** - bots you allow pass freely through challenges and rate limits, so search indexing, link previews, and other legitimate automation keep working. \ No newline at end of file +- **Preserves access for the bots you trust** - bots you allow pass freely through challenges and rate limits, so search indexing, link previews, and other legitimate automation keep working. From 7bc0e6901c96fe62d83780564a26ba375cf8bb3b Mon Sep 17 00:00:00 2001 From: Johnathon Mihalop Date: Tue, 9 Jun 2026 15:14:43 +0100 Subject: [PATCH 4/4] update ignore --- shield/verified-bots.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shield/verified-bots.mdx b/shield/verified-bots.mdx index 34645ced..51e26458 100644 --- a/shield/verified-bots.mdx +++ b/shield/verified-bots.mdx @@ -22,13 +22,13 @@ Some bots are recognized by user agent but publish no verifiable identity (no re Being recognized as a known bot does not automatically allow a request through. On a new Shield Zone nothing is configured: a recognized bot is identified, and its category is made available to your rules, but is otherwise subject to your normal protections. You decide how each bot is handled at two levels: - **Per category** - apply an action to every bot in a category at once. -- **Per bot** - override a single bot. A per-bot setting always takes precedence over its category. +- **Per bot** - override a single bot. A per-bot setting always takes precedence over its category, and clearing it (Ignore) returns the bot to following its category. The available actions are: - **Allow** - the bot bypasses most of Shield's mitigations (DDoS challenges, Bot Detection and Access Lists). This only takes effect once the bot's identity is verified. A bot that cannot be verified is allowed only if you explicitly allow it, choosing to trust the user-agent match alone. - **Block** - the request is rejected at the edge (before cache) with a `403`. -- **Ignore** *(default)* - the bot is recognized but receives no special treatment; it is subject to your WAF rules, rate limits, and challenges like any other request. +- **Ignore** *(default)* - the bot has no setting of its own and follows its category. Unless its category allows or blocks it, it gets no special treatment and is subject to your WAF rules, rate limits, and challenges like any other request. ## Bot Categories