Bot Protection & Access Control
Block malicious bots and indiscriminate crawling while applying fine-grained access control.
Bot Detection System
Malicious Bot Blocking (80+ signatures)
Automatically detect and block malicious bots such as SEO scrapers, content crawlers, and security scanners.
| Category | Examples |
|---|---|
| SEO scrapers | AhrefsBot, MJ12bot, SemrushBot, DotBot |
| Content crawlers | MegaIndex, BLEXBot, Sogou, YandexBot |
| Security scanners | Nmap, Nikto, sqlmap, Masscan |
| Spambots | spambot, emailharvest, WebZIP |
AI Bot Detection (50+ signatures)
Detect and block the latest AI crawlers. (Updated December 2025)
| AI Bot | Operator |
|---|---|
| GPTBot | OpenAI |
| ClaudeBot | Anthropic |
| Bytespider | ByteDance |
| PerplexityBot | Perplexity AI |
| Applebot-Extended | Apple |
| Google-Extended | |
| CCBot | Common Crawl |
| FacebookBot | Meta |
| cohere-ai | Cohere |
Search Engine Whitelist (40+)
Legitimate search engine bots are automatically allowed.
| Region | Search Engine |
|---|---|
| Global | Googlebot, Bingbot, DuckDuckBot |
| Russia | YandexBot |
| China | Baiduspider, Sogou |
| Korea | Yeti (Naver), Daumoa |
| Japan | Y!J-ASR |
SNS Link Preview Bots
Allow bots that generate previews when links are shared on social media.
- Facebook: facebookexternalhit
- Twitter: Twitterbot
- Discord: Discordbot
- Slack: Slackbot
- Telegram: TelegramBot
- LinkedIn: LinkedInBot
- WhatsApp: WhatsApp
- KakaoTalk: Kakaotalk-Scrap
Suspicious Client Blocking
Block clients suspected of being automated tools or scripts.
curl,wget,HTTPiepython-requests,python-urlliblibwww-perl,Go-http-clientJava/,okhttp
Bot Filter Configuration
Per-Host Settings
You can configure an independent bot filter policy for each proxy host.
| Option | Description |
|---|---|
| Block malicious bots | Block 80+ malicious bot signatures |
| Block AI bots | Block 50+ AI crawlers |
| Allow search engines | 40+ search engine whitelist (includes SNS link-preview bots) |
| Block suspicious clients | Block automation tools |
SNS link-preview bots (facebookexternalhit, Twitterbot, Kakaotalk-Scrap, etc.) are part of the Allow search engines list, so enabling search-engine allow also allows them. There is no separate toggle.
Custom Rules
- Custom block: Block specific User-Agent patterns
- Custom allow: Allow specific User-Agent patterns
- Regex support: Match complex patterns
Challenge Mode
Instead of blocking, display a CAPTCHA challenge so that real users can still pass through.
Security Headers
HSTS (HTTP Strict Transport Security)
- Enforce HTTPS
- max-age setting
- includeSubDomains option
- preload support
Clickjacking Prevention
- X-Frame-Options: DENY, SAMEORIGIN
- Content-Security-Policy: frame-ancestors directive
Other Security Headers
| Header | Description |
|---|---|
| X-Content-Type-Options | Prevent MIME type sniffing |
| X-XSS-Protection | Enable browser XSS filter |
| Referrer-Policy | Control referrer information |
| Permissions-Policy | Restrict browser features |
Header Presets
From the proxy host's security settings tab, apply headers in bulk according to predefined security levels.
| Preset | Security Level | Description |
|---|---|---|
| Strict | Highest | Includes HSTS preload, restrictive CSP, X-Frame-Options DENY |
| Moderate | Balanced | HSTS includeSubdomains, SAMEORIGIN, appropriate CSP |
| Relaxed | Compatibility | Basic security headers only, compatibility first |
After applying a preset you can still customize individual headers (HSTS, X-Frame-Options, Referrer-Policy, CSP, etc.) directly.
IP Access Control (ACL)
Whitelist/Blacklist
- Specify IP addresses or CIDR ranges
- IPv4 and IPv6 support
- Priority-based rule application
Configuration Example
# Whitelist
192.168.1.0/24 # Internal network
10.0.0.0/8 # Private IP range
# Blacklist
203.0.113.0/24 # Known malicious IP range
GeoIP Access Control
Integrate the MaxMind GeoIP2 database to provide country-based access control.
Operating Modes
| Mode | Description |
|---|---|
| Whitelist | Allow only the specified countries |
| Blacklist | Block only the specified countries |
Additional Options
- Priority allow IPs: List of IPs that bypass regional restrictions
- Allow private IPs: Automatically allow internal networks
- Allow search bots: Automatically allow search engine bots
- Challenge mode: Display a CAPTCHA instead of blocking
Continent/Region Presets
Quickly configure by continent instead of individual countries.
- Asia (AS)
- Europe (EU)
- North America (NA)
- South America (SA)
- Africa (AF)
- Oceania (OC)
GeoIP Auto-Update
Automatically update the MaxMind database.
| Option | Value |
|---|---|
| Update interval | Daily, weekly, monthly |
| Auto apply | Automatically apply after update |
| Update history | Record of all updates |
Challenge System (CAPTCHA)
Provides a challenge system that requests user verification instead of blocking.
Supported Providers
| Provider | Characteristics |
|---|---|
| reCAPTCHA v2 | Checkbox-based, high compatibility |
| reCAPTCHA v3 | Score-based, seamless verification |
| hCaptcha | Privacy-focused |
| Cloudflare Turnstile | Lightweight and fast |
Challenge Settings
- Token validity period: How long verification is retained after authentication
- reCAPTCHA v3 score threshold: 0.0 ~ 1.0
- Scope: Bot filter, regional restrictions, or both
- Page customization: Title, message, theme (light/dark)
Cloud Provider Blocking
Block automated traffic originating from cloud infrastructure.
Supported Providers
Providers are grouped by region.
| Region | Providers |
|---|---|
| US πΊπΈ | AWS, Google Cloud, Microsoft Azure, DigitalOcean, Linode (Akamai), Oracle Cloud, Vultr |
| EU πͺπΊ | Contabo, Hetzner, OVH, Scaleway |
| CN π¨π³ | Alibaba Cloud, Tencent Cloud, Huawei Cloud |
| KR π°π· | Smileserv (CloudV/iwinv), Naver Cloud, KT Cloud |
Quick Presets
Presets let you select multiple providers at once.
- Major clouds: AWS, GCP, Azure, Oracle, Alibaba
- Budget VPS: DigitalOcean, Linode, Vultr, Hetzner, Contabo, OVH
- Asia providers: Alibaba, Tencent, Huawei, Naver, KT, Smileserv
Configuration
- Select blocked providers per host
- Apply a challenge (CAPTCHA) mode instead of blocking
- Option to allow search bots through
- Automatic IP range updates (based on ASNs or official IP-range feeds)