# Nepenthes Tarpit Deployment Guide (Docker, nginx, Apache)

The Church of Malware (CoM) does not condone the use or introduction of carnivorous plants onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence.

This focused installation and configuration tutorial provides complete, production-ready steps for deploying Nepenthes as a tarpit behind `Disallow` rules. It covers Docker deployment and full integration with standard nginx and Apache, including conditional serving based on the aggressive-bot UA list.

## 1. Docker Deployment (Recommended)

```bash
# Run Nepenthes on an internal port (bound to loopback only)
docker run -d \
  --name nepenthes \
  --restart unless-stopped \
  -p 127.0.0.1:8081:8080 \
  -v "$(pwd)/robots.txt:/app/robots.txt:ro" \
  zadzmo/nepenthes:latest
```

Verify it is running:

```bash
docker logs nepenthes
```

## 2. nginx Full Configuration (with Aggressive-Bot Map)

```nginx
# /etc/nginx/snippets/aggressive-bots.conf (from known-aggressive-bot-user-agents.md)
# A map block is only valid in the http context; include the snippet there.
map $http_user_agent $aggressive_bot {
    default 0;
    ~*GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot 1;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Matching user agents are written to their own log as well as the main one.
    access_log /var/log/nginx/ai_violators.log combined if=$aggressive_bot;
    access_log /var/log/nginx/access.log combined;

    location / {
        # Optional: serve tarpit instead of normal content for violators.
        # Left commented out, because an empty `if` block in this location
        # would disable try_files for every matching request.
        # if ($aggressive_bot) { rewrite ^ /tarpit/ last; }
        try_files $uri $uri/ =404;
    }

    # Tarpit endpoint - only aggressive bots should reach here
    location /tarpit/ {
        # User agents outside the map get a 404 instead of the tarpit.
        if ($aggressive_bot = 0) { return 404; }
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Enable and reload:

```bash
sudo nginx -t && sudo systemctl reload nginx
```

## 3. Apache Full Configuration (with SetEnvIf + Proxy)

```apache
# /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Case-insensitive match, consistent with the nginx map (~*) above
    SetEnvIfNoCase User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot" aggressive_bot

    CustomLog /var/log/apache2/ai_violators.log combined env=aggressive_bot
    CustomLog /var/log/apache2/access.log combined

    <Directory /var/www/html>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>

    # Tarpit endpoint
    ProxyPass /tarpit/ http://127.0.0.1:8081/
    ProxyPassReverse /tarpit/ http://127.0.0.1:8081/

    # Label only tarpit responses
    <Location "/tarpit/">
        Header set X-Tarpit "nepenthes"
    </Location>
</VirtualHost>
```

Enable modules and restart:

```bash
sudo a2enmod proxy proxy_http headers setenvif
sudo systemctl restart apache2
```

## 4. robots.txt (Critical)

```txt
User-agent: *
Disallow: /tarpit/

# Allow major engines
# A crawler that matches a named group ignores the "*" group,
# so the tarpit Disallow is repeated in each named group.
User-agent: Googlebot
Disallow: /tarpit/
Allow: /

User-agent: Bingbot
Disallow: /tarpit/
Allow: /
```

## 5. Testing

```bash
# The server blocks above listen on port 80
# Normal visitor
curl -I -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" http://example.com/tarpit/

# Aggressive bot (should receive tarpit garbage)
curl -I -A "GPTBot/1.0" http://example.com/tarpit/
```

Check logs:

```bash
sudo tail -f /var/log/nginx/ai_violators.log
```

## 6. Maintenance

- Monitor Nepenthes container logs for errors.
- Update the aggressive-bot map when new patterns are published in `known_aggressive_bot_user_agents.md`.
- Rotate `ai_violators.log` weekly.

*Companion to `howto_anubis_deployment.md` and `howto-rate-limiting-fail2ban-deployment.md`.*
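
The tarpit only separates violators from compliant crawlers if robots.txt actually tells the compliant ones to stay out: a crawler that matches a named `User-agent` group ignores the `*` group entirely. The following pre-deployment audit is an added example, not part of the original guide or of Nepenthes; both robots.txt texts and the crawler token list are constructed samples, and the UA pattern is the one from sections 2 and 3.

```python
import re
from urllib.robotparser import RobotFileParser

# UA pattern copied from this guide's nginx map / Apache SetEnvIf rule.
AGGRESSIVE = re.compile(
    r"GPTBot|ClaudeBot|Bytespider|Perplexity|headless|anthropic-ai|OAI-SearchBot",
    re.IGNORECASE,
)

# Constructed robots.txt in which only the "*" group disallows the tarpit.
ROBOTS_STAR_ONLY = """\
User-agent: *
Disallow: /tarpit/

User-agent: Googlebot
Allow: /

User-agent: Bingbot
Allow: /
"""

# Constructed variant: every named group repeats the Disallow. It is placed
# before Allow because urllib.robotparser applies the first matching rule.
ROBOTS_PER_GROUP = ROBOTS_STAR_ONLY.replace("Allow: /", "Disallow: /tarpit/\nAllow: /")

# Constructed sample of crawler product tokens to audit.
TOKENS = ["Googlebot", "Bingbot", "DuckDuckBot", "GPTBot", "ClaudeBot"]


def audit(robots_txt, tokens=TOKENS, path="/tarpit/"):
    """Map each crawler token to how robots.txt and the UA filter treat it."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    verdicts = {}
    for token in tokens:
        permitted = rp.can_fetch(token, path)      # does robots.txt let it in?
        flagged = bool(AGGRESSIVE.search(token))   # does the UA list match it?
        if permitted:
            # A crawler obeying robots.txt may still request the tarpit path.
            verdicts[token] = "permitted-and-flagged" if flagged else "exposed"
        else:
            # Told to stay out: any hit on the path is a robots.txt violation.
            verdicts[token] = "trap" if flagged else "excluded"
    return verdicts


if __name__ == "__main__":
    for name, text in (("star-only", ROBOTS_STAR_ONLY), ("per-group", ROBOTS_PER_GROUP)):
        print(name, audit(text))
```

Any token reported as `exposed` is a rule-following crawler that robots.txt permits into `/tarpit/`; resolve those before pointing real traffic at the proxy.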