MCPcopy Index your code
hub / github.com/JasonLovesDoggo/caddy-defender

github.com/JasonLovesDoggo/caddy-defender @v0.10.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.10.1 ↗ · + Follow
223 symbols 623 edges 53 files 87 documented · 39%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Caddy Defender Plugin

The Caddy Defender plugin is a middleware for Caddy that allows you to block or manipulate requests based on the client's IP address. It is particularly useful for preventing unwanted traffic or polluting AI training data by returning garbage responses.


Features

  • IP Range Filtering: Block or manipulate requests from specific IP ranges.
  • Embedded IP Ranges: Predefined IP ranges for popular AI services (e.g., OpenAI, DeepSeek, GitHub Copilot).
  • Custom IP Ranges: Add your own IP ranges via Caddyfile configuration.
  • Multiple Responder Backends:
  • Block: Return a 403 Forbidden response.
  • Custom: Return a custom message.
  • Drop: Drops the connection.
  • Garbage: Return garbage data to pollute AI training.
  • Redirect: Return a 308 Permanent Redirect response with a custom URL.
  • Ratelimit: Ratelimit requests, configurable via caddy-ratelimit.
  • Tarpit: Stream data at a slow, but configurable rate to stall bots and pollute AI training.

Installation

Using Docker

The easiest way to use the Caddy Defender plugin is by using the pre-built Docker image.

  1. Pull the Docker Image:

bash docker pull ghcr.io/jasonlovesdoggo/caddy-defender:latest

  1. Run the Container: Use the following command to run the container with your Caddyfile:

bash docker run -d \ --name caddy \ -v /path/to/Caddyfile:/etc/caddy/Caddyfile \ -p 80:80 -p 443:443 \ ghcr.io/jasonlovesdoggo/caddy-defender:latest

Replace /path/to/Caddyfile with the path to your Caddyfile.

Please see the online documentation for other methods of installation.


Configuration

Caddyfile Syntax

The defender directive is used to configure the Caddy Defender plugin. It has the following syntax:

defender <responder> {
    message <custom message>
    ranges <ip_ranges...>
    url <url>
}
  • <responder>: The responder backend to use. Supported values are:
  • block: Returns a 403 Forbidden response.
  • custom: Returns a custom message (requires message).
  • drop: Drops the connection.
  • garbage: Returns garbage data to pollute AI training.
  • redirect: Returns a 308 Permanent Redirect response (requires url).
  • ratelimit: Marks requests for rate limiting (requires Caddy-Ratelimit to be installed as well ).
  • tarpit: Stream data at a slow, but configurable rate to stall bots and pollute AI training.
  • <ip_ranges...>: An optional list of CIDR ranges or predefined range keys to match against the client's IP. Defaults to aws azurepubliccloud deepseek gcloud githubcopilot openai.
  • <custom message>: A custom message to return when using the custom responder.
  • <url>: The URI that the redirect responder would redirect to.

For more information about the configuration, refer to the configuration page on the website.


Quick Start

The documentation website has info that includes the configurations of the plugin, code examples, and more.

For a quick start, follow the Getting Started guide to protect your server using the Caddy Defender Plugin.


For examples, check out docs/examples.md


Embedded IP Ranges

The plugin includes predefined IP ranges for popular AI services. These ranges are embedded in the binary and can be used without additional configuration.

Service Key IP Ranges
Alibaba Cloud aliyun aliyun.go
VPNs vpn vpn.go
AWS aws aws.go
AWS Region aws-us-east-1, aws-us-west-1, aws-eu-west-1 aws_region.go
DeepSeek deepseek deepseek.go
GitHub Copilot githubcopilot github.go
Google Cloud Platform gcloud gcloud.go
Oracle Cloud Infrastructure oci oracle.go
Microsoft Azure azurepubliccloud azure.go
OpenAI openai openai.go
Mistral mistral mistral.go
Vultr vultr vultr.go
Cloudflare cloudflare cloudflare.go
Digital Ocean digitalocean digitalocean.go
Linode linode linode.go
Private private private.go
All IP addresses all all.go

Disabled by default (require manual inclusion at build time)

Service Key IP Ranges
Tor Exit Nodes tor tor.go
ASN (Autonomous System Numbers) asn asn.go

More are welcome! for a precompiled list, see the embedded results

Contributing

We welcome contributions! To get started, see CONTRIBUTING.md.


License

This project is licensed under the MIT License. See the LICENSE file for details.


Acknowledgments

Star History

Star History Chart

Extension points exported contracts — how you extend this code

Responder (Interface)
Responder defines the interface for handling responses. [9 implementers]
responders/responder.go
IPRangeFetcher (Interface)
IPRangeFetcher defines the interface for fetching IP ranges. [20 implementers]
ranges/fetchers/fetcher.go
ContentReader (Interface)
ContentReader is an interface for fetching data from different data Contents to supply data to the tarpit. [5 implementers]
responders/tarpit/tarpit.go

Core symbols most depended-on inside this repo

Close
called by 32
responders/tarpit/timeout_reader.go
Get
called by 23
cache/cache.go
Set
called by 10
cache/cache.go
Read
called by 10
responders/tarpit/tarpit.go
Name
called by 10
ranges/fetchers/fetcher.go
IPInRanges
called by 9
matchers/ip/ip.go
NewIPChecker
called by 7
matchers/ip/ip.go
ipToAddr
called by 7
matchers/ip/ip.go

Shape

Method 106
Function 67
Struct 46
Interface 3
TypeAlias 1

Languages

Go100%

Modules by API surface

responders/tarpit/tarpit_test.go16 symbols
responders/tarpit/tarpit.go9 symbols
benchmarks/random/ip_test.go9 symbols
matchers/ip/ip.go7 symbols
responders/tarpit/timeout_reader.go6 symbols
responders/tarpit/http_reader_test.go6 symbols
ranges/fetchers/openai.go6 symbols
ranges/fetchers/gcloud.go6 symbols
middleware_test.go6 symbols
matchers/ip/ip_test.go6 symbols
cache/cache.go6 symbols
responders/garbage.go5 symbols

For agents

$ claude mcp add caddy-defender \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact