Traefik Middleware for AI Crawler Routing: Reverse Proxy Access Control
Quick Summary
- What this covers: Implement Traefik reverse proxy middleware to route, throttle, and block AI training crawlers at the edge with dynamic configuration and metrics.
- Who it's for: publishers and site owners managing AI bot traffic
- Key takeaway: Read the first section for the core framework, then use the specific tactics that match your situation.
Traefik reverse proxy offers publishers a powerful platform for implementing sophisticated AI crawler access control through middleware components that intercept requests before they reach backend services. Unlike firewall rules or CDN-level blocks, Traefik middleware operates at the application layer with full access to HTTP headers, request paths, and dynamic configuration that adapts to changing crawler behaviors without redeploying applications.
For publishers managing multiple services and applications, centralized AI crawler routing through Traefik provides consistent policy enforcement across the entire infrastructure. A single middleware configuration can protect WordPress blogs, headless CMS APIs, static documentation sites, and custom applications through unified rules that evolve as new training crawlers emerge or licensing agreements modify access requirements.
The middleware approach particularly benefits organizations running containerized workloads where Traefik already serves as the ingress controller. Rather than implementing crawler blocking independently in each microservice, centralized middleware applies protection uniformly while allowing per-service customization when needed. Integration with Traefik's metrics and logging infrastructure provides visibility into crawler activity patterns that inform both technical enforcement and licensing negotiation strategies.
Traefik Architecture for Crawler Management
Understanding Traefik's request processing pipeline establishes how middleware intercepts and controls AI crawler traffic before it consumes backend resources.
Request flow architecture in Traefik follows this sequence:
- Client request arrives at Traefik entry point (port 80/443)
- Router matches request to backend service based on Host header or path
- Middleware chain executes sequentially before forwarding to backend
- Backend service processes request (if middleware permits)
- Response flows back through middleware chain to client
AI crawler control middleware inserts into step 3, evaluating User-Agent, IP address, request rate, and other characteristics to decide whether requests proceed to backends or receive rejection responses. This positioning means crawler traffic never reaches application servers when blocked—infrastructure costs stay minimal even under heavy crawler load.
Middleware chaining enables composition of multiple protective layers. A comprehensive crawler management chain might include:
- IP allowlist middleware: Permits verified crawler IPs, blocks spoofed requests
- User-Agent filtering middleware: Identifies crawler types from User-Agent strings
- Rate limiting middleware: Enforces request quotas per crawler type
- Content routing middleware: Directs crawlers to specific content tiers based on licensing
- Logging middleware: Records crawler activity for compliance monitoring
Each middleware component focuses on a single concern, with composition creating defense-in-depth. If IP verification middleware is bypassed through a novel technique, User-Agent filtering provides backup protection.
Dynamic configuration distinguishes Traefik from static reverse proxies. Configuration changes deploy without restarting Traefik—new crawler user agents, updated IP ranges, or modified rate limits take effect immediately. This agility proves critical as AI companies launch new crawlers or existing crawlers change behaviors. Publishers can respond to test verification discoveries within minutes rather than hours required for traditional web server configuration deployment.
Provider integrations enable Traefik to source configuration from various backends:
- File provider: YAML/TOML configuration files for simple deployments
- Docker provider: Auto-discovers services from container labels
- Kubernetes provider: Integrates with Ingress resources and CRDs
- Consul/etcd providers: Centralized configuration for distributed deployments
Publishers running Kubernetes might define crawler policies in CustomResourceDefinitions that Traefik watches, automatically updating middleware as policies change. Docker-based deployments might tag containers with labels specifying crawler access rules that Traefik enforces without separate configuration files.
Observability integration surfaces crawler activity through Traefik's metrics and tracing systems. Publishers can:
- Export crawler request metrics to Prometheus for alerting and dashboards
- Integrate with Datadog or New Relic for commercial observability platforms
- Enable OpenTelemetry tracing to follow crawler requests through microservice chains
- Stream access logs to centralized logging systems with crawler-specific fields
This observability enables data-driven decision making about whether throttling versus blocking serves publisher interests and provides evidence for licensing negotiations.
User-Agent Detection Middleware
The foundation of crawler identification relies on User-Agent strings that crawlers include in HTTP headers. Well-behaved AI training crawlers identify themselves with distinctive user agents like GPTBot or ClaudeBot, enabling straightforward detection.
Basic User-Agent matching implements simple string comparison. Traefik middleware configuration might include:
http:
middlewares:
block-ai-crawlers:
plugin:
userAgentBlocker:
blockedUserAgents:
- "GPTBot"
- "ClaudeBot"
- "Bingbot.*"
- ".*ChatGPT.*"
blockResponse:
status: 403
body: "AI training crawlers are not permitted"
This approach blocks requests where User-Agent headers match the specified patterns. Regular expression support enables flexible matching—Bingbot.* catches various Bingbot version strings, while .*ChatGPT.* blocks any user agent containing that substring.
Allowlist-based filtering inverts the logic for publishers who prefer denying by default. Rather than enumerating crawlers to block, middleware permits only recognized legitimate user agents:
http:
middlewares:
allowlist-crawlers:
plugin:
userAgentAllowlist:
allowedUserAgents:
- "Googlebot"
- "Bingbot"
defaultDeny: true
denyStatus: 403
This approach improves security by preventing novel unlisted crawlers from accessing content. However, it requires maintenance as new legitimate crawlers emerge and risks blocking beneficial traffic if allowlists become stale.
Categorized matching creates user agent groups with different handling policies. Publishers might define:
- Search crawlers: Googlebot, Bingbot, DuckDuckBot (allowed)
- AI training crawlers: GPTBot, ClaudeBot, Google-Extended (blocked)
- Research crawlers: University-affiliated user agents (throttled)
- Unknown crawlers: Unrecognized user agents (challenged)
Middleware routes each category to appropriate handling logic—search crawlers proceed unrestricted, training crawlers face blocks, research crawlers encounter rate limits, and unknown crawlers must complete JavaScript challenges.
User-Agent normalization addresses variation and case sensitivity. Crawlers might report user agents as GPTBot/1.0, gptbot, or GPTBot-experimental. Middleware normalization converts all variations to canonical forms before comparison:
func normalizeUserAgent(ua string) string {
ua = strings.ToLower(ua)
ua = regexp.MustCompile(`[/-]\d+\.\d+.*`).ReplaceAllString(ua, "")
return strings.TrimSpace(ua)
}
This function converts to lowercase, removes version numbers, and trims whitespace, ensuring GPTBot/1.0 and gptbot both match gptbot in configuration.
Spoofing detection catches malicious crawlers that falsely claim to be legitimate bots. A crawler might set User-Agent to Googlebot to evade blocks targeting training crawlers. Detection combines User-Agent inspection with IP verification—if User-Agent claims Googlebot but IP doesn't belong to Google's published ranges, the request is spoofed. Middleware implementation:
http:
middlewares:
verify-crawler-identity:
plugin:
crawlerVerifier:
verificationRules:
- userAgent: "Googlebot"
ipRanges:
- "66.249.64.0/19"
- "2001:4860:4000::/36"
onFailure: block
- userAgent: "ClaudeBot"
dnsVerification:
pattern: "*.anthropic.com"
onFailure: block
This configuration blocks requests claiming to be Googlebot unless originating from Google IP ranges, and verifies ClaudeBot through DNS reverse lookup.
IP-Based Access Control
User-Agent headers are easily forged, making IP-based verification essential for robust crawler management. Publishers can verify crawler identity and implement geographic restrictions through IP middleware.
Published IP range verification leverages crawler IP documentation from AI companies. OpenAI publishes GPTBot IP ranges; Anthropic documents ClaudeBot infrastructure. Middleware can enforce that requests match claimed identities:
http:
middlewares:
verify-crawler-ips:
ipWhiteList:
sourceRange:
- "23.98.142.0/24" # OpenAI GPTBot
- "3.144.0.0/16" # Anthropic ClaudeBot
strategy:
depth: 1 # Trust X-Forwarded-For header depth
The depth parameter accounts for CDNs and proxies that add X-Forwarded-For headers. Setting depth to 1 examines the client IP immediately before Traefik; deeper values look further through the proxy chain.
Dynamic IP list updates accommodate changes as AI companies expand infrastructure. Rather than static configuration files, middleware might fetch IP ranges from external sources:
http:
middlewares:
dynamic-ip-allowlist:
plugin:
dynamicIPList:
sources:
- url: "https://openai.com/gptbot-ranges.json"
refreshInterval: "24h"
format: "json"
path: "$.ipv4Ranges"
- url: "https://anthropic.com/claudebot-ips.txt"
refreshInterval: "24h"
format: "cidrs"
cacheFile: "/etc/traefik/dynamic-ips.json"
Middleware refreshes IP lists daily, caching them locally to continue operating if external sources become unavailable. This automation eliminates manual configuration updates as crawler infrastructure evolves.
Geographic filtering blocks or throttles crawlers from specific regions. Publishers might allow North American crawler access while blocking Asian or European traffic based on licensing agreements or data sovereignty concerns:
http:
middlewares:
geo-restrict-crawlers:
plugin:
geoIP:
allowedCountries:
- "US"
- "CA"
denyStatus: 451 # Unavailable For Legal Reasons
geoDatabase: "/etc/traefik/GeoLite2-Country.mmdb"
Implementation requires MaxMind GeoLite2 or similar geolocation databases that map IPs to countries. The middleware looks up request source IPs and compares against allowed countries before permitting backend access.
Reputation-based blocking integrates with threat intelligence feeds identifying malicious IPs. While not specifically targeting AI crawlers, reputation blocking catches residential proxies and compromised infrastructure that adversarial crawlers might use for circumvention:
http:
middlewares:
ip-reputation:
plugin:
threatIntel:
feeds:
- "https://reputation-service.example/api/v1/check"
blockThreshold: 0.7 # Block IPs with reputation score < 0.7
cacheTimeout: "1h"
The middleware queries reputation services, blocking IPs that score below threshold. Caching prevents excessive reputation lookups that could add latency to every request.
Rate Limiting Implementation
Even when publishers permit crawler access, rate limiting prevents infrastructure overload. Traefik middleware offers sophisticated rate limiting that adapts to crawler behavior patterns.
Per-crawler rate limits apply different quotas to different user agents. Search crawlers might receive generous limits while training crawlers face tight restrictions:
http:
middlewares:
adaptive-rate-limit:
rateLimit:
rateSets:
search-crawlers:
average: 100
period: "1m"
burst: 200
ai-crawlers:
average: 10
period: "1m"
burst: 20
The average parameter specifies sustained request rate, period defines the time window, and burst permits short spikes. These settings throttle AI crawlers to 10 requests per minute sustained with 20 request bursts, while search crawlers enjoy 10x higher limits.
Token bucket algorithm implementation provides smooth traffic shaping. Rather than hard cutoffs at window boundaries, token buckets refill continuously:
- Bucket holds tokens representing request permission
- Each request consumes a token
- Tokens regenerate at the specified average rate
- Burst parameter determines maximum tokens the bucket can hold
- Requests arriving when the bucket is empty face delay or rejection
This algorithm prevents exploitation where crawlers time requests to window boundaries, spreading load more evenly across time.
Distributed rate limiting synchronizes quotas across multiple Traefik instances. Clustered deployments must prevent individual instances from independently applying quotas, which would effectively multiply limits by instance count. Solutions include:
http:
middlewares:
clustered-rate-limit:
plugin:
distributedRateLimit:
storage: "redis://redis-cluster:6379/0"
keyPrefix: "traefik-ratelimit:"
average: 10
period: "1m"
Middleware stores quota state in Redis, ensuring all Traefik instances consult centralized counters. This prevents crawlers from exploiting distributed architectures by spreading requests across backend instances.
Adaptive throttling adjusts limits based on observed behavior. Crawlers respecting initial limits might earn quota increases, while aggressive crawlers face progressive restrictions:
http:
middlewares:
adaptive-crawler-throttle:
plugin:
behaviorBasedThrottle:
initialRate: 10
goodBehaviorIncrease: 1.5 # Multiply limit by 1.5 after 1 hour compliance
violationDecrease: 0.5 # Halve limit upon violations
evaluationInterval: "1h"
This creates incentive structures rewarding polite crawler behavior while punishing aggressive scraping, automatically optimizing resource allocation without manual intervention.
Cost-based rate limiting varies quotas by resource consumption. Requests for large media files, expensive search queries, or dynamic personalized content might count more heavily against quotas than static text pages:
http:
middlewares:
cost-based-limit:
plugin:
costRateLimit:
budget: 1000 # Total cost units per period
period: "1m"
costs:
- pathPattern: "/api/search"
cost: 10
- pathPattern: "/images/.*\\.jpg"
cost: 5
- pathPattern: ".*"
cost: 1 # Default cost for unmatched paths
A crawler requesting 10 search queries and 100 images would consume 150 cost units (10 × 10 + 100 × 5), leaving 850 units for additional requests that minute. This approach aligns throttling with actual infrastructure impact rather than raw request counts.
Content Routing and Access Tiers
Publishers implementing tiered licensing need middleware that routes authenticated crawlers to appropriate content based on their tier, while blocking unlicensed access entirely.
License tier authentication validates crawler credentials against entitlements databases. API keys or JWT tokens in Authorization headers identify the crawler and their tier:
http:
middlewares:
tier-authentication:
plugin:
licenseAuth:
authEndpoint: "https://licensing-api.publisher.com/validate"
headerName: "X-API-Key"
cacheDuration: "5m"
onAuthFailure: 403
Middleware extracts API keys from request headers, queries the licensing API to determine tier, caches results to minimize auth overhead, and attaches tier information to requests forwarded to backends.
Tier-based content filtering restricts access to content appropriate for each license tier. A crawler with Historical Archive tier access should only reach content older than defined thresholds:
http:
middlewares:
tier-content-filter:
plugin:
tierFilter:
rules:
- tier: "historical"
allowPaths:
- "/archive/.*"
denyPaths:
- "/recent/.*"
- "/premium/.*"
- tier: "commercial"
allowPaths:
- "/.*" # Full access
defaultDeny: true
Middleware checks authenticated tier against path patterns, permitting historical tier crawlers to access /archive/* while blocking /recent/* and /premium/*. Commercial tier receives unrestricted access.
Dynamic content watermarking embeds tier-specific identifiers enabling violation detection. Middleware injects markers that vary by license tier, enabling publishers to trace content redistribution:
http:
middlewares:
tier-watermarking:
plugin:
watermark:
headerInjection:
- name: "X-Content-Tier"
value: "${tier}"
htmlModification:
insertBeforeTag: "</body>"
content: "<!-- Licensed to ${licenseeID} tier ${tier} -->"
When content accessed by Historical tier crawlers appears in contexts suggesting higher-tier usage, HTML comments reveal the source license. This passive monitoring complements active compliance auditing.
Usage tracking and quota enforcement monitors tier consumption for volume-based licenses. Middleware counts accessed content against tier limits:
http:
middlewares:
usage-metering:
plugin:
usageTracker:
meteringEndpoint: "https://licensing-api.publisher.com/meter"
batchSize: 100 # Send usage batches of 100 requests
flushInterval: "60s" # Force flush every minute
onQuotaExceeded:
action: "throttle"
rate: 1 # 1 request per minute when over quota
Every successful content delivery triggers usage recording sent to the metering endpoint. When crawlers exceed tier quotas, middleware automatically throttles future requests until quota resets or tier upgrades occur.
robots.txt Integration
While robots.txt provides standard crawler guidance, Traefik middleware can enforce robots.txt directives for non-compliant crawlers and enhance the protocol with dynamic rules.
robots.txt parsing and enforcement translates standard directives into Traefik access control. Rather than trusting crawlers to honor robots.txt, middleware actively blocks disallowed paths:
http:
middlewares:
robotstxt-enforcer:
plugin:
robotsTxt:
robotsFile: "/var/www/robots.txt"
reloadInterval: "5m"
enforceMode: "block" # Or "log" for monitoring without blocking
defaultAllow: true # Allow if no matching directive
Middleware parses robots.txt, identifying User-Agent-specific disallow directives, and blocks requests violating those rules before they reach backends. This mandatory enforcement prevents the most common circumvention vector—crawlers simply ignoring robots.txt.
Per-crawler robots.txt generation serves customized robots.txt files based on requesting user agent. Publishers might want different crawlers to see different restrictions:
http:
middlewares:
dynamic-robots:
plugin:
dynamicRobots:
templates:
- userAgent: "GPTBot"
template: "/etc/traefik/robots-ai-crawlers.txt"
- userAgent: "Googlebot"
template: "/etc/traefik/robots-search.txt"
- userAgent: "*"
template: "/etc/traefik/robots-default.txt"
When GPTBot requests /robots.txt, middleware serves restrictive AI crawler rules. Googlebot receives permissive search crawler rules. This segmentation communicates different expectations to different crawler classes.
Compliance monitoring and honeypots detect crawlers violating robots.txt. Middleware serves honeypot content in robots.txt-disallowed paths, triggering alerts when accessed:
http:
middlewares:
robots-honeypot:
plugin:
honeypot:
disallowedPaths:
- "/admin"
- "/api/internal"
honeypotResponse:
status: 200
body: "Honeypot content with unique identifier ${requestID}"
alertWebhook: "https://monitoring.publisher.com/alert"
Compliant crawlers never request disallowed paths. Access attempts indicate violations, triggering webhooks that notify security teams and potentially auto-escalate restrictions against violating crawler IPs.
Custom Middleware Development
Publishers with unique requirements beyond standard middleware capabilities can develop custom Traefik plugins in Go that implement specialized crawler management logic.
Plugin architecture provides a framework for extending Traefik. Plugins implement the Handler interface, receiving HTTP requests, performing custom logic, and either forwarding to the next middleware or terminating with responses:
package main
import (
"context"
"net/http"
)
type CrawlerManager struct {
next http.Handler
config *Config
}
func (cm *CrawlerManager) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
// Custom crawler detection and handling logic
if cm.isBannedCrawler(req) {
http.Error(rw, "Crawler blocked", http.StatusForbidden)
return
}
cm.next.ServeHTTP(rw, req)
}
This skeleton shows the plugin structure—ServeHTTP intercepts requests, applies custom logic (here checking if the crawler is banned), and either blocks requests or forwards them to next.ServeHTTP.
Advanced fingerprinting combines multiple signals beyond User-Agent and IP. Custom plugins might analyze:
- TLS fingerprints (cipher suites, extensions, curves)
- HTTP/2 settings frames and stream prioritization
- Header ordering and capitalization patterns
- JavaScript execution capabilities through challenge-response
- Browser automation artifact detection
These sophisticated techniques identify headless browsers and automation frameworks that AI training operations use, even when they rotate IPs and user agents:
func (cm *CrawlerManager) fingerprintClient(req *http.Request) CrawlerType {
tlsFingerprint := cm.extractTLSFingerprint(req.TLS)
headerFingerprint := cm.extractHeaderFingerprint(req.Header)
if cm.matchesHeadlessBrowser(tlsFingerprint, headerFingerprint) {
return CrawlerTypeAutomated
}
return CrawlerTypeHuman
}
Machine learning-based detection trains models on historical crawler behavior to identify novel crawlers not yet catalogued. Plugins can integrate ML inference:
func (cm *CrawlerManager) classifyCrawler(req *http.Request) (CrawlerCategory, float64) {
features := cm.extractFeatures(req)
prediction := cm.mlModel.Predict(features)
return prediction.Category, prediction.Confidence
}
The model ingests request features (timing patterns, path sequences, referrer chains) and outputs classifications with confidence scores. Low-confidence predictions might trigger human review while high-confidence results automate blocking decisions.
Real-time licensing API integration queries publisher licensing systems to determine crawler permissions dynamically. Rather than caching credentials, plugins make real-time decisions:
func (cm *CrawlerManager) checkLicense(ctx context.Context, crawlerID string) (*LicenseStatus, error) {
resp, err := cm.licenseAPI.Query(ctx, crawlerID)
if err != nil {
return nil, err
}
return &LicenseStatus{
Tier: resp.Tier,
QuotaRemaining: resp.QuotaRemaining,
ExpirationDate: resp.ExpirationDate,
}, nil
}
This integration ensures middleware reflects current licensing state, automatically revoking access for expired licenses or enforcing tier downgrades without configuration changes.
Observability and Monitoring
Effective crawler management requires visibility into who's accessing content, how enforcement policies perform, and where circumvention attempts occur.
Structured logging emits crawler activity in machine-parsable formats enabling analysis:
http:
middlewares:
crawler-logging:
plugin:
structuredLog:
format: "json"
fields:
- "timestamp"
- "sourceIP"
- "userAgent"
- "requestPath"
- "crawlerCategory"
- "actionTaken"
- "tier"
destination: "stdout"
sampling:
rate: 0.1 # Log 10% of requests to reduce volume
JSON-formatted logs feed into centralized logging systems (Elasticsearch, Loki) where queries aggregate patterns: which crawlers access most frequently, which paths they target, how often rate limits trigger, and compliance with licensing terms.
Prometheus metrics expose time-series data about crawler activity:
# Example metrics exported by middleware
traefik_crawler_requests_total{user_agent="GPTBot",action="blocked"} 1523
traefik_crawler_requests_total{user_agent="ClaudeBot",action="throttled"} 842
traefik_crawler_requests_total{user_agent="Googlebot",action="allowed"} 15420
traefik_ratelimit_dropped_total{middleware="ai-crawlers"} 234
traefik_license_quota_remaining{licensee="OpenAI",tier="commercial"} 450000
Publishers create Grafana dashboards visualizing crawler trends, alert on anomalous activity (sudden traffic spikes, new unknown crawlers), and measure enforcement effectiveness.
Distributed tracing follows crawler requests through microservice architectures. When middleware permits a request, trace context propagates showing:
- Which middleware components processed the request
- Authentication lookups and license validation latency
- Backend service processing time
- Database queries triggered by crawler content access
Tracing identifies performance bottlenecks in crawler handling and reveals when crawler behavior (requesting expensive queries) degrades system performance.
Alerting rules notify publishers of significant events:
# Prometheus alerting rules
groups:
- name: crawler_alerts
rules:
- alert: NewCrawlerDetected
expr: rate(traefik_crawler_requests_total{user_agent!~"Googlebot|Bingbot|ClaudeBot|GPTBot"}[5m]) > 10
annotations:
summary: "Unknown crawler detected"
- alert: LicenseQuotaExhausted
expr: traefik_license_quota_remaining < 1000
annotations:
summary: "Licensee {{$labels.licensee}} approaching quota limit"
Alerts enable rapid response to circumvention attempts and proactive licensing discussions when quotas near exhaustion.
Frequently Asked Questions
How does Traefik middleware compare to CDN-based crawler blocking?
Traefik operates at the application layer with full HTTP context, enabling sophisticated logic like authentication integration, dynamic content routing, and license tier enforcement. CDNs typically offer simpler rules focusing on IP/user-agent blocking and rate limiting. Traefik provides more flexibility and customization for complex licensing scenarios, while CDNs deliver blocking closer to the network edge with lower latency overhead. Many publishers use both—CDN for coarse-grained protection and Traefik for fine-grained policy enforcement.
Can Traefik middleware prevent all AI crawler circumvention?
No technical solution stops determined adversaries. Middleware raises circumvention costs by requiring sophisticated evasion (residential proxies, browser automation, behavior mimicry) but sufficiently motivated crawlers can bypass protections. Effective strategies combine technical middleware enforcement with legal frameworks through Terms of Service, monitoring for circumvention indicators, and willingness to pursue legal action against violators. Middleware makes unauthorized access difficult enough that most AI companies choose licensing over circumvention.
What performance impact does crawler middleware add?
Well-optimized middleware adds minimal latency—typically single-digit milliseconds for simple user-agent checks, 10-20ms for IP verification with caching, and 50-100ms for authentication against external licensing APIs. Rate limiting state lookups add negligible overhead when using in-memory or Redis-backed storage. Custom plugins with complex logic (ML model inference, TLS fingerprinting) might add 100-200ms. Publishers should benchmark specific middleware configurations under realistic load to quantify impact and optimize critical paths.
How should publishers update middleware configuration as new AI crawlers emerge?
Dynamic configuration allows zero-downtime updates. Publishers monitoring for unknown user agents (via metrics or logs) can add them to middleware blocklists or throttling rules without restarting Traefik. Automated approaches might fetch crawler lists from threat intelligence feeds or industry consortia, refreshing configuration hourly or daily. Custom plugins can implement fallback policies for unknown user agents—aggressive blocking for zero-trust approaches, or temporary throttling with alerts for investigation.
Can Traefik enforce different policies per domain in multi-tenant deployments?
Yes. Traefik routers match requests to services based on Host headers, with each service having independent middleware chains. A multi-tenant publisher might configure:
- Domain A: Blocks all AI crawlers (subscriber content)
- Domain B: Throttles AI crawlers (ad-supported content)
- Domain C: Requires license authentication (premium API)
Each domain's router references appropriate middleware, enabling policy segmentation within a single Traefik instance.
How does middleware handle crawlers that respect robots.txt versus those that don't?
Compliant crawlers honor robots.txt without middleware enforcement—middleware allows their requests through unless other policies (rate limiting, licensing) apply. Non-compliant crawlers that ignore robots.txt trigger middleware enforcement that actively blocks access to disallowed paths. Middleware effectively makes robots.txt mandatory rather than advisory, creating consistent policy enforcement regardless of crawler cooperation. This ensures publishers maintain control even when crawlers don't voluntarily respect technical signals.
When Blocking AI Crawlers Isn't the Move
Skip this if:
- Your site has less than 1,000 monthly organic visits. AI crawlers aren't your problem — getting indexed by traditional search is. Focus on content quality and link acquisition before worrying about bot management.
- You're running a personal blog or portfolio site. AI citation of your content is free exposure at this scale. Blocking crawlers costs you visibility without protecting meaningful revenue.
- Your revenue comes entirely from direct sales, not content. If your content isn't the product (e-commerce, SaaS with no content moat), AI crawlers are neutral. Your competitive advantage lives in the product, not the pages.