Caddy Server AI Crawler Config: Monetizing Training Data with Modern Web Server Architecture
Quick Summary
- What this covers: Caddy's automatic HTTPS, native JSON handling, and modular middleware enable sophisticated AI crawler management and conditional access licensing without Nginx complexity.
- Who it's for: publishers and site owners managing AI bot traffic
- Key takeaway: Read the first section for the core framework, then use the specific tactics that match your situation.
Caddy represents next-generation web server design—automatic HTTPS, zero-config TLS, human-readable configuration, and native JSON APIs. These characteristics make it ideal infrastructure for AI crawler monetization strategies that require conditional access, usage metering, and license validation. Where Nginx demands complex regex and location blocks, Caddy achieves equivalent functionality through declarative configuration.
Publishers implementing AI training data licensing need technical infrastructure that distinguishes crawler types, validates API keys, meters usage, and serves appropriate content versions. Caddy's architecture handles these requirements without external dependencies. This guide demonstrates Caddy server AI crawler config for publishers
monetizing access to GPTBot, ClaudeBot, ByteSpider, and other training data harvesters.
Caddy Architecture Advantages
Traditional web servers (Apache, Nginx) evolved from 1990s design patterns. Caddy began in 2015 with modern requirements:
Automatic HTTPS: TLS certificates via Let's Encrypt with zero configuration. Traditional servers require separate certificate management infrastructure.
Native Reverse Proxy: Built-in load balancing, health checks, and upstream failover without third-party modules.
JSON Configuration: Machine-readable config enables dynamic updates without parser ambiguity.
Middleware Pipeline: Request handling flows through modular middleware (authentication, logging, rewriting) with clear ordering.
Single Binary: No separate processes or daemons. Single executable handles all functionality.
For AI crawler monetization, these features enable:
- Secure API key transmission over HTTPS (automatic certificates)
- Dynamic licensing logic without config file reloads (JSON API)
- Usage logging with structured data (native JSON logging)
- Request middleware for crawler detection and validation (modular pipeline)
Nginx achieves similar outcomes but requires Lua, OpenResty, or external auth services. Caddy handles it natively.
Basic Crawler Detection Configuration
Start with identifying AI training crawlers and routing them differently than search engines or human visitors.
Caddyfile syntax (human-readable):
example.com {
@ai_crawlers {
header User-Agent *GPTBot*
header User-Agent *ClaudeBot*
header User-Agent *cohere-ai*
header User-Agent *Bytespider*
header User-Agent *CCBot*
}
@search_engines {
header User-Agent *Googlebot*
header User-Agent *Bingbot*
header User-Agent *Slurp*
}
# Search engines get full access
handle @search_engines {
file_server
root * /var/www/html
}
# AI crawlers get special handling
handle @ai_crawlers {
respond "AI crawler detected. Licensing required." 403
}
# Regular traffic
handle {
file_server
root * /var/www/html
}
}
This configuration creates matchers for crawler types. The @ai_crawlers matcher triggers on user agents associated with training data collection. The @search_engines matcher permits legitimate search indexing. Each handle block defines different behavior.
Currently AI crawlers receive 403 responses. Next step: replace with licensing logic.
API Key Validation Middleware
Monetizing crawler access requires authentication. Implement API key validation:
Enhanced Caddyfile:
example.com {
@ai_crawlers {
header User-Agent *GPTBot*
header User-Agent *ClaudeBot*
header User-Agent *cohere-ai*
header User-Agent *Bytespider*
}
@licensed_crawler {
header User-Agent *GPTBot*
header User-Agent *ClaudeBot*
header User-Agent *cohere-ai*
header User-Agent *Bytespider*
header X-API-Key *
}
# Licensed crawlers with valid keys
handle @licensed_crawler {
reverse_proxy localhost:8080 {
header_up X-Crawler-Type {http.request.header.User-Agent}
header_up X-API-Key {http.request.header.X-API-Key}
}
}
# Unlicensed AI crawlers get preview
handle @ai_crawlers {
rewrite * /preview{path}
file_server
root * /var/www/preview
}
# Regular traffic
handle {
file_server
root * /var/www/html
}
}
This setup:
- @licensed_crawler matcher requires both AI user agent AND X-API-Key header
- Licensed requests reverse proxy to backend application (port 8080) that validates key against database
- Unlicensed crawler requests serve from
/var/www/preview(truncated content) - Human traffic serves from
/var/www/html(full content)
The backend application receives crawler type and API key via headers, validates license status, logs usage, and returns appropriate content.
Backend Validation Service
Caddy handles routing; backend service validates keys and enforces quotas. Example Python/Flask implementation:
from flask import Flask, request, jsonify, send_from_directory
import sqlite3
from datetime import datetime
app = Flask(__name__)
def validate_api_key(key):
"""Check if API key is valid and active"""
conn = sqlite3.connect('/var/data/licenses.db')
cursor = conn.cursor()
cursor.execute('''
SELECT license_id, status, quota_limit, quota_used, expires_at
FROM licenses
WHERE api_key = ?
''', (key,))
result = cursor.fetchone()
conn.close()
if not result:
return None
license_id, status, quota_limit, quota_used, expires_at = result
if status != 'active':
return None
if datetime.fromisoformat(expires_at) < datetime.now():
return None
if quota_limit and quota_used >= quota_limit:
return None
return {
'license_id': license_id,
'quota_remaining': quota_limit - quota_used if quota_limit else None
}
def log_access(license_id, user_agent, url, bytes_served):
"""Record crawler access for billing"""
conn = sqlite3.connect('/var/data/licenses.db')
cursor = conn.cursor()
cursor.execute('''
INSERT INTO access_logs (license_id, user_agent, url, bytes_served, timestamp)
VALUES (?, ?, ?, ?, ?)
''', (license_id, user_agent, url, bytes_served, datetime.now().isoformat()))
# Update quota usage
cursor.execute('''
UPDATE licenses
SET quota_used = quota_used + ?
WHERE license_id = ?
''', (bytes_served, license_id))
conn.commit()
conn.close()
@app.route('/<path:filepath>')
def serve_content(filepath):
api_key = request.headers.get('X-API-Key')
user_agent = request.headers.get('X-Crawler-Type')
license_info = validate_api_key(api_key)
if not license_info:
return jsonify({'error': 'Invalid or expired API key'}), 403
# Serve full content
try:
response = send_from_directory('/var/www/html', filepath)
bytes_served = len(response.get_data())
log_access(license_info['license_id'], user_agent, filepath, bytes_served)
return response
except FileNotFoundError:
return jsonify({'error': 'Not found'}), 404
if __name__ == '__main__':
app.run(host='127.0.0.1', port=8080)
Database schema:
CREATE TABLE licenses (
license_id TEXT PRIMARY KEY,
api_key TEXT UNIQUE NOT NULL,
customer_name TEXT,
status TEXT DEFAULT 'active',
quota_limit INTEGER, -- bytes, NULL for unlimited
quota_used INTEGER DEFAULT 0,
expires_at TEXT, -- ISO datetime
created_at TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE access_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
license_id TEXT,
user_agent TEXT,
url TEXT,
bytes_served INTEGER,
timestamp TEXT,
FOREIGN KEY (license_id) REFERENCES licenses(license_id)
);
This architecture:
- Caddy handles TLS, routing, and request classification
- Python service validates keys, enforces quotas, logs usage
- SQLite stores license data (use PostgreSQL for production scale)
Separation of concerns: web server does web serving, application logic stays in application layer.
Rate Limiting Configuration
Even licensed crawlers need rate limits to prevent abuse:
example.com {
@ai_crawlers header User-Agent *GPTBot* *ClaudeBot* *cohere-ai*
# Rate limit: 10 requests per second per crawler
rate_limit @ai_crawlers {
zone ai_crawlers 10m
rate 10
burst 20
key {http.request.header.X-API-Key}
}
handle @ai_crawlers {
reverse_proxy localhost:8080 {
header_up X-Crawler-Type {http.request.header.User-Agent}
header_up X-API-Key {http.request.header.X-API-Key}
}
}
}
Note: Rate limiting requires Caddy plugin. Install via:
xcaddy build --with github.com/mholt/caddy-ratelimit
Rate limit parameters:
- zone: Memory allocation for tracking (10MB)
- rate: Requests per second
- burst: Temporary excess allowed
- key: What to track (API key means per-license limiting)
Licensed crawlers can request 10/second sustained, up to 20/second briefly. Exceeding triggers 429 (Too Many Requests) response.
ASN-Based Blocking
Some crawlers ignore user agent restrictions. Block by autonomous system number (ASN):
example.com {
@bytedance_asn {
remote_ip 110.249.200.0/21 118.184.176.0/20 161.117.0.0/16
}
@bytedance_crawler {
header User-Agent *Bytespider*
}
# Block ByteDance ASN unless licensed
handle @bytedance_asn {
@has_license header X-API-Key *
handle @has_license {
reverse_proxy localhost:8080
}
handle {
respond "Access denied. Licensing required for ByteDance crawlers." 403
}
}
# Also catch ByteSpider user agent from other IPs
handle @bytedance_crawler {
respond "ByteSpider must license access." 403
}
}
This configuration:
- Identifies ByteDance IP ranges
- Blocks unless valid API key present
- Also catches ByteSpider user agent from non-ByteDance IPs (spoofed)
Maintain IP range list from ByteDance ASN data (AS138997, AS209243, AS134705, AS396986).
Geographic Restrictions
Some publishers want to restrict AI training to specific regions:
example.com {
@ai_crawlers header User-Agent *GPTBot* *ClaudeBot*
@us_requests {
maxmind_geolite2 {
database_path /usr/share/GeoIP/GeoLite2-Country.mmdb
lookup_field country_code
}
expression {maxmind_geolite2.country_code} == "US"
}
@eu_requests {
maxmind_geolite2 {
database_path /usr/share/GeoIP/GeoLite2-Country.mmdb
lookup_field country_code
}
expression {maxmind_geolite2.country_code} in ["DE", "FR", "GB", "IT", "ES"]
}
# US crawlers allowed
handle @ai_crawlers @us_requests {
reverse_proxy localhost:8080
}
# EU crawlers require premium license
handle @ai_crawlers @eu_requests {
@premium_license header X-License-Tier "premium"
handle @premium_license {
reverse_proxy localhost:8080
}
handle {
respond "EU crawling requires premium license tier." 402
}
}
# Other regions blocked
handle @ai_crawlers {
respond "AI crawling not available in your region." 451
}
}
MaxMind GeoLite2 integration enables country-level restrictions. Use cases:
- GDPR compliance (different terms for EU entities)
- Market prioritization (license to domestic companies first)
- Data sovereignty (exclude certain jurisdictions)
Structured Logging for Billing
Usage-based billing requires detailed access logs:
example.com {
log {
output file /var/log/caddy/crawler_access.log {
roll_size 100mb
roll_keep 10
}
format json {
time_format iso8601
message_key msg
}
level INFO
}
handle @ai_crawlers {
reverse_proxy localhost:8080 {
header_up X-Crawler-Type {http.request.header.User-Agent}
header_up X-API-Key {http.request.header.X-API-Key}
# Log upstream response details
@success status 200
handle_response @success {
header X-Bytes-Served {http.response.header.Content-Length}
}
}
}
}
Log format includes:
- Timestamp (ISO8601)
- Client IP
- User agent (crawler type)
- API key
- Requested URL
- Response status
- Bytes served
- Processing time
Parse logs monthly for billing:
import json
from collections import defaultdict
def calculate_usage(log_file):
usage_by_license = defaultdict(lambda: {'requests': 0, 'bytes': 0})
with open(log_file) as f:
for line in f:
log_entry = json.loads(line)
api_key = log_entry.get('request', {}).get('headers', {}).get('X-Api-Key', [''])[0]
bytes_served = int(log_entry.get('size', 0))
if api_key:
usage_by_license[api_key]['requests'] += 1
usage_by_license[api_key]['bytes'] += bytes_served
return usage_by_license
usage = calculate_usage('/var/log/caddy/crawler_access.log')
for api_key, metrics in usage.items():
print(f"License {api_key}: {metrics['requests']} requests, {metrics['bytes']/1024/1024:.2f} MB")
This generates billing data from access logs without separate database queries.
Dynamic Configuration Updates
Caddy supports zero-downtime configuration updates via JSON API:
# Add new licensed crawler
curl -X POST http://localhost:2019/config/apps/http/servers/srv0/routes \
-H "Content-Type: application/json" \
-d '{
"match": [{
"header": {"X-API-Key": ["new_license_key_abc123"]}
}],
"handle": [{
"handler": "reverse_proxy",
"upstreams": [{"dial": "localhost:8080"}]
}]
}'
# Remove expired license
curl -X DELETE http://localhost:2019/config/apps/http/servers/srv0/routes/3
This enables automated license provisioning:
- Customer signs up via web form
- Payment processed via Stripe
- Backend generates API key
- Script calls Caddy API to add routing rule
- Customer receives API key via email
No manual Caddyfile editing or server reloads required.
Content Versioning for Crawlers
Serve different content versions to human visitors versus crawlers:
example.com {
@ai_crawlers header User-Agent *GPTBot* *ClaudeBot*
# Crawlers get Markdown
handle @ai_crawlers {
@licensed header X-API-Key *
handle @licensed {
rewrite * /content/markdown{path}.md
file_server
root * /var/www/
}
handle {
rewrite * /content/preview{path}.md
file_server
root * /var/www/
}
}
# Humans get HTML
handle {
file_server
root * /var/www/content/html
try_files {path}.html {path}
}
}
Directory structure:
/var/www/
├── content/
│ ├── html/ # Styled web pages for humans
│ ├── markdown/ # Full content for licensed crawlers
│ └── preview/ # Truncated samples for unlicensed crawlers
This allows:
- Humans see designed website
- Licensed AI crawlers download clean Markdown
- Unlicensed crawlers sample truncated previews
Markdown format is optimal for training—no HTML noise, pure structured text. Serving native Markdown reduces crawler bandwidth consumption and improves training data quality.
API Endpoint for Bulk Access
Some AI companies prefer bulk downloads over incremental crawling:
example.com {
# Regular website traffic
handle / {
file_server
root * /var/www/html
}
# Bulk API for licensed crawlers
handle /api/v1/content* {
@authenticated {
header Authorization "Bearer *"
}
handle @authenticated {
reverse_proxy localhost:8080 {
header_up X-API-Key {http.request.header.Authorization}
}
}
handle {
respond "Authentication required" 401
}
}
}
Backend API implementation:
@app.route('/api/v1/content')
def list_content():
"""Return catalog of available content"""
api_key = request.headers.get('Authorization', '').replace('Bearer ', '')
if not validate_api_key(api_key):
return jsonify({'error': 'Invalid API key'}), 401
# Return JSON listing all articles
articles = get_article_catalog()
return jsonify({'articles': articles, 'total': len(articles)})
@app.route('/api/v1/content/<article_id>')
def get_article(article_id):
"""Return specific article content"""
api_key = request.headers.get('Authorization', '').replace('Bearer ', '')
license_info = validate_api_key(api_key)
if not license_info:
return jsonify({'error': 'Invalid API key'}), 401
article_data = get_article_by_id(article_id)
log_api_access(license_info['license_id'], article_id)
return jsonify(article_data)
API provides cleaner integration than HTML scraping. Customers make standard HTTP requests, receive structured JSON responses.
Monitoring and Alerts
Track crawler behavior and license usage:
example.com {
handle /metrics {
@internal {
remote_ip 127.0.0.1
}
handle @internal {
metrics
}
handle {
respond "Access denied" 403
}
}
}
Caddy exposes Prometheus-compatible metrics at /metrics endpoint (restricted to localhost). Metrics include:
- Request counts by user agent
- Response times
- Bytes transferred
- Error rates
Integrate with monitoring:
# prometheus.yml
scrape_configs:
- job_name: 'caddy'
static_configs:
- targets: ['localhost:2019']
Set alerts:
# alertmanager.yml
groups:
- name: crawler_alerts
rules:
- alert: ExcessiveCrawlerTraffic
expr: rate(caddy_http_requests_total{user_agent=~".*GPTBot.*"}[5m]) > 100
annotations:
summary: "GPTBot exceeding rate limits"
- alert: UnlicensedCrawlingSpike
expr: rate(caddy_http_response_status{status="403",user_agent=~".*Bot.*"}[1h]) > 500
annotations:
summary: "High volume of unlicensed crawler attempts"
This provides visibility into crawler activity and automated alerting for anomalies.
FAQ
Q: Why use Caddy instead of Nginx for AI crawler management? Caddy offers automatic HTTPS, simpler configuration syntax, native JSON APIs for dynamic updates, and zero-dependency operation. Nginx requires Lua or OpenResty for equivalent functionality. For publishers without DevOps teams, Caddy reduces complexity significantly.
Q: How do I migrate existing Nginx crawler config to Caddy? Caddy translates Nginx location blocks to handle directives, rewrite rules stay similar, and upstream blocks become reverse_proxy. Most Nginx configs port directly. Complex Lua logic requires rewriting as separate backend service.
Q: Can Caddy handle high traffic volumes from aggressive crawlers? Yes. Caddy is production-ready, powering sites with millions of requests daily. For extreme scale (10K+ requests/second), consider load balancing across multiple Caddy instances or using Caddy as frontend with backend Golang services.
Q: Does Caddy support IP allowlisting for specific crawler IPs?
Yes via remote_ip matcher. Example: @openai_ips remote_ip 20.15.240.0/23 13.65.240.0/23 matches known OpenAI ranges. Combine with user agent checks for defense-in-depth.
Q: How do I serve different content to crawlers without duplicating files? Use templating at application layer. Backend service receives crawler type header, renders appropriate content version from single source. Alternatively, use Caddy templates with conditionals based on user agent.
Q: Can Caddy validate API keys against external services like Auth0?
Yes via forward_auth directive:
handle @ai_crawlers {
forward_auth localhost:9000 {
uri /validate
copy_headers X-API-Key
}
reverse_proxy localhost:8080
}
External auth service at port 9000 validates keys, returns 200 (authorized) or 403 (denied).
Q: What's the performance overhead of per-request API key validation? Minimal if validation is fast. SQLite lookups take <1ms, in-memory caches (Redis) take <0.1ms. For reference, TLS handshake overhead is 50-100ms. Key validation adds negligible latency compared to network transport.
Q: How do I prevent API key theft via crawler logs or man-in-the-middle attacks? Require HTTPS (automatic in Caddy), rotate keys quarterly, implement rate limiting per key (abnormal usage patterns suggest compromise), and hash keys in logs (log first 8 characters only). Never transmit keys in URLs—use headers exclusively.
Q: Can Caddy automatically provision API keys when customers sign up? Not directly, but integrate with payment processor webhooks. Stripe webhook triggers your script → generates key → stores in database → calls Caddy API to add routing rule. Entire flow automated.
When Blocking AI Crawlers Isn't the Move
Skip this if:
- Your site has less than 1,000 monthly organic visits. AI crawlers aren't your problem — getting indexed by traditional search is. Focus on content quality and link acquisition before worrying about bot management.
- You're running a personal blog or portfolio site. AI citation of your content is free exposure at this scale. Blocking crawlers costs you visibility without protecting meaningful revenue.
- Your revenue comes entirely from direct sales, not content. If your content isn't the product (e-commerce, SaaS with no content moat), AI crawlers are neutral. Your competitive advantage lives in the product, not the pages.
Frequently Asked Questions
Should I block all AI crawlers from my site?
Not necessarily. Blocking indiscriminately cuts you off from AI-powered search results and citation traffic. The better approach is selective access — allow crawlers from platforms that drive referral traffic or pay for content, block those that only scrape without attribution. Start with robots.txt analysis, then layer in more granular controls based on your traffic data.
How do I know which AI bots are crawling my site?
Check your server access logs for user-agent strings containing GPTBot, ClaudeBot, Googlebot (with AI-related query patterns), Bytespider, CCBot, and others. Most hosting platforms expose these in analytics. If you lack raw log access, tools like Cloudflare or server-side middleware can surface bot traffic patterns without custom infrastructure.
Can I monetize AI crawler access to my content?
Some publishers are negotiating licensing deals directly with AI companies. For smaller sites, the practical path is controlling access (robots.txt, rate limiting, paywalling API endpoints) and measuring whether AI-sourced citation traffic converts. The pay-per-crawl model is emerging but not standardized — position yourself by documenting your content value and traffic patterns now.