Nginx Proxy GuardNginx Proxy Guard

Bot Protection & Access Control

Block malicious bots and indiscriminate crawling while applying fine-grained access control.

Bot Detection System

Malicious Bot Blocking (80+ signatures)

Automatically detect and block malicious bots such as SEO scrapers, content crawlers, and security scanners.

CategoryExamples
SEO scrapersAhrefsBot, MJ12bot, SemrushBot, DotBot
Content crawlersMegaIndex, BLEXBot, Sogou, YandexBot
Security scannersNmap, Nikto, sqlmap, Masscan
Spambotsspambot, emailharvest, WebZIP

AI Bot Detection (50+ signatures)

Detect and block the latest AI crawlers. (Updated December 2025)

AI BotOperator
GPTBotOpenAI
ClaudeBotAnthropic
BytespiderByteDance
PerplexityBotPerplexity AI
Applebot-ExtendedApple
Google-ExtendedGoogle
CCBotCommon Crawl
FacebookBotMeta
cohere-aiCohere

Search Engine Whitelist (40+)

Legitimate search engine bots are automatically allowed.

RegionSearch Engine
GlobalGooglebot, Bingbot, DuckDuckBot
RussiaYandexBot
ChinaBaiduspider, Sogou
KoreaYeti (Naver), Daumoa
JapanY!J-ASR

Allow bots that generate previews when links are shared on social media.

  • Facebook: facebookexternalhit
  • Twitter: Twitterbot
  • Discord: Discordbot
  • Slack: Slackbot
  • Telegram: TelegramBot
  • LinkedIn: LinkedInBot
  • WhatsApp: WhatsApp
  • KakaoTalk: Kakaotalk-Scrap

Suspicious Client Blocking

Block clients suspected of being automated tools or scripts.

  • curl, wget, HTTPie
  • python-requests, python-urllib
  • libwww-perl, Go-http-client
  • Java/, okhttp

Bot Filter Configuration

Per-Host Settings

You can configure an independent bot filter policy for each proxy host.

OptionDescription
Block malicious botsBlock 80+ malicious bot signatures
Block AI botsBlock 50+ AI crawlers
Allow search engines40+ search engine whitelist (includes SNS link-preview bots)
Block suspicious clientsBlock automation tools

SNS link-preview bots (facebookexternalhit, Twitterbot, Kakaotalk-Scrap, etc.) are part of the Allow search engines list, so enabling search-engine allow also allows them. There is no separate toggle.

Custom Rules

  • Custom block: Block specific User-Agent patterns
  • Custom allow: Allow specific User-Agent patterns
  • Regex support: Match complex patterns

Challenge Mode

Instead of blocking, display a CAPTCHA challenge so that real users can still pass through.

Security Headers

HSTS (HTTP Strict Transport Security)

  • Enforce HTTPS
  • max-age setting
  • includeSubDomains option
  • preload support

Clickjacking Prevention

  • X-Frame-Options: DENY, SAMEORIGIN
  • Content-Security-Policy: frame-ancestors directive

Other Security Headers

HeaderDescription
X-Content-Type-OptionsPrevent MIME type sniffing
X-XSS-ProtectionEnable browser XSS filter
Referrer-PolicyControl referrer information
Permissions-PolicyRestrict browser features

Header Presets

From the proxy host's security settings tab, apply headers in bulk according to predefined security levels.

PresetSecurity LevelDescription
StrictHighestIncludes HSTS preload, restrictive CSP, X-Frame-Options DENY
ModerateBalancedHSTS includeSubdomains, SAMEORIGIN, appropriate CSP
RelaxedCompatibilityBasic security headers only, compatibility first

After applying a preset you can still customize individual headers (HSTS, X-Frame-Options, Referrer-Policy, CSP, etc.) directly.

IP Access Control (ACL)

Whitelist/Blacklist

  • Specify IP addresses or CIDR ranges
  • IPv4 and IPv6 support
  • Priority-based rule application

Configuration Example

# Whitelist
192.168.1.0/24    # Internal network
10.0.0.0/8        # Private IP range

# Blacklist
203.0.113.0/24    # Known malicious IP range

GeoIP Access Control

Integrate the MaxMind GeoIP2 database to provide country-based access control.

Operating Modes

ModeDescription
WhitelistAllow only the specified countries
BlacklistBlock only the specified countries

Additional Options

  • Priority allow IPs: List of IPs that bypass regional restrictions
  • Allow private IPs: Automatically allow internal networks
  • Allow search bots: Automatically allow search engine bots
  • Challenge mode: Display a CAPTCHA instead of blocking

Continent/Region Presets

Quickly configure by continent instead of individual countries.

  • Asia (AS)
  • Europe (EU)
  • North America (NA)
  • South America (SA)
  • Africa (AF)
  • Oceania (OC)

GeoIP Auto-Update

Automatically update the MaxMind database.

OptionValue
Update intervalDaily, weekly, monthly
Auto applyAutomatically apply after update
Update historyRecord of all updates

Challenge System (CAPTCHA)

Provides a challenge system that requests user verification instead of blocking.

Supported Providers

ProviderCharacteristics
reCAPTCHA v2Checkbox-based, high compatibility
reCAPTCHA v3Score-based, seamless verification
hCaptchaPrivacy-focused
Cloudflare TurnstileLightweight and fast

Challenge Settings

  • Token validity period: How long verification is retained after authentication
  • reCAPTCHA v3 score threshold: 0.0 ~ 1.0
  • Scope: Bot filter, regional restrictions, or both
  • Page customization: Title, message, theme (light/dark)

Cloud Provider Blocking

Block automated traffic originating from cloud infrastructure.

Supported Providers

Providers are grouped by region.

RegionProviders
US πŸ‡ΊπŸ‡ΈAWS, Google Cloud, Microsoft Azure, DigitalOcean, Linode (Akamai), Oracle Cloud, Vultr
EU πŸ‡ͺπŸ‡ΊContabo, Hetzner, OVH, Scaleway
CN πŸ‡¨πŸ‡³Alibaba Cloud, Tencent Cloud, Huawei Cloud
KR πŸ‡°πŸ‡·Smileserv (CloudV/iwinv), Naver Cloud, KT Cloud

Quick Presets

Presets let you select multiple providers at once.

  • Major clouds: AWS, GCP, Azure, Oracle, Alibaba
  • Budget VPS: DigitalOcean, Linode, Vultr, Hetzner, Contabo, OVH
  • Asia providers: Alibaba, Tencent, Huawei, Naver, KT, Smileserv

Configuration

  • Select blocked providers per host
  • Apply a challenge (CAPTCHA) mode instead of blocking
  • Option to allow search bots through
  • Automatic IP range updates (based on ASNs or official IP-range feeds)