The Caddy Defender plugin is a middleware for Caddy that allows you to block or manipulate requests based on the client's IP address. It is particularly useful for preventing unwanted traffic or polluting AI training data by returning garbage responses.
403 Forbidden response.308 Permanent Redirect response with a custom URL.The easiest way to use the Caddy Defender plugin is by using the pre-built Docker image.
bash
docker pull ghcr.io/jasonlovesdoggo/caddy-defender:latest
Caddyfile:bash
docker run -d \
--name caddy \
-v /path/to/Caddyfile:/etc/caddy/Caddyfile \
-p 80:80 -p 443:443 \
ghcr.io/jasonlovesdoggo/caddy-defender:latest
Replace /path/to/Caddyfile with the path to your Caddyfile.
Please see the online documentation for other methods of installation.
The defender directive is used to configure the Caddy Defender plugin. It has the following syntax:
defender <responder> {
message <custom message>
ranges <ip_ranges...>
url <url>
}
<responder>: The responder backend to use. Supported values are:block: Returns a 403 Forbidden response.custom: Returns a custom message (requires message).drop: Drops the connection.garbage: Returns garbage data to pollute AI training.redirect: Returns a 308 Permanent Redirect response (requires url).ratelimit: Marks requests for rate limiting (requires Caddy-Ratelimit to be installed as well ).tarpit: Stream data at a slow, but configurable rate to stall bots and pollute AI training.<ip_ranges...>: An optional list of CIDR ranges or predefined range keys to match against the client's IP. Defaults to aws azurepubliccloud deepseek gcloud githubcopilot openai.<custom message>: A custom message to return when using the custom responder.<url>: The URI that the redirect responder would redirect to.For more information about the configuration, refer to the configuration page on the website.
The documentation website has info that includes the configurations of the plugin, code examples, and more.
For a quick start, follow the Getting Started guide to protect your server using the Caddy Defender Plugin.
The plugin includes predefined IP ranges for popular AI services. These ranges are embedded in the binary and can be used without additional configuration.
| Service | Key | IP Ranges |
|---|---|---|
| Alibaba Cloud | aliyun | aliyun.go |
| VPNs | vpn | vpn.go |
| AWS | aws | aws.go |
| AWS Region | aws-us-east-1, aws-us-west-1, aws-eu-west-1 | aws_region.go |
| DeepSeek | deepseek | deepseek.go |
| GitHub Copilot | githubcopilot | github.go |
| Google Cloud Platform | gcloud | gcloud.go |
| Oracle Cloud Infrastructure | oci | oracle.go |
| Microsoft Azure | azurepubliccloud | azure.go |
| OpenAI | openai | openai.go |
| Mistral | mistral | mistral.go |
| Vultr | vultr | vultr.go |
| Cloudflare | cloudflare | cloudflare.go |
| Digital Ocean | digitalocean | digitalocean.go |
| Linode | linode | linode.go |
| Private | private | private.go |
| All IP addresses | all | all.go |
| Service | Key | IP Ranges |
|---|---|---|
| Tor Exit Nodes | tor | tor.go |
| ASN (Autonomous System Numbers) | asn | asn.go |
More are welcome! for a precompiled list, see the embedded results
We welcome contributions! To get started, see CONTRIBUTING.md.
This project is licensed under the MIT License. See the LICENSE file for details.
$ claude mcp add caddy-defender \
-- python -m otcore.mcp_server <graph>