
The guide details adding Mitchell Krogza’s “NGINX Ultimate Bad Bot Blocker” to an existing NGINX installation on Ubuntu 20.04 by cloning the GitHub repository into /opt, copying its *.conf files into /etc/nginx/conf.d, and including those configs in each site’s server block. After inserting the includes you verify syntax with nginx -t and reload the service so that requests from known bad user‑agents or IPs receive a 403 response. An optional cron job pulls updates from the repository twice daily, copies any new rule files, and silently reloads NGINX to keep the blocklist current. Finally, you can fine‑tune protection by adding trusted crawlers or internal tools to whitelist-ips.conf and reloading NGINX whenever changes are made.



Install NGINX Ultimate Bad Bot Blocker on Ubuntu 20.04 LTS

You’ll get the blocker downloaded, hooked into your existing NGINX install, and tuned so it actually stops the crawlers that waste bandwidth. By the end of this guide you’ll have a working bad_bot.blocklist.conf file and know how to keep it updated without breaking your site.

Prerequisites

  • Ubuntu 20.04 LTS with a functional NGINX installation (the default package works fine).
  • Root or sudo access – you’ll be editing files in /etc/nginx.

I’ve seen sites go from “steady traffic” to “CPU at 100 % for minutes” after a single bad bot started hammering /wp-login.php. The blocker saves that headache.

1. Grab the latest blocklist repository

sudo apt update
sudo apt install git -y # if you don’t already have it
sudo git clone https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker.git /opt/nginx-badbots

Cloning into /opt keeps the list out of your web root, so a stray request can’t download it.

2. Copy the core config into NGINX’s conf.d directory

sudo cp /opt/nginx-badbots/conf/*.conf /etc/nginx/conf.d/

NGINX reads every *.conf file in that folder automatically, so you don’t have to touch the main nginx.conf. This step also makes future updates a one‑liner.

3. Include the blocklist in your site configuration

Open the server block for the site you want to protect (e.g., /etc/nginx/sites-available/example.com) and add:

include /etc/nginx/conf.d/badbots.conf;
include /etc/nginx/conf.d/blacklist-user-agents.conf;
include /etc/nginx/conf.d/whitelist-ips.conf;

Placing the includes near the top ensures the rules run before any location blocks that might otherwise serve the request.

4. Test the syntax and reload NGINX

sudo nginx -t

If you see “syntax is ok” and “test is successful”, apply the changes:

sudo systemctl reload nginx

Testing now with curl -A "badbot" against your site should return a 403. If it doesn’t, double‑check that the includes are in the right server block.

5. Set up automatic updates (optional but recommended)

The blocker’s authors push new entries daily. You can pull them automatically with a cron job:

sudo crontab -e

Add the line:

0 */12 * * * cd /opt/nginx-badbots && git pull && sudo cp conf/*.conf /etc/nginx/conf.d/ && sudo nginx -s reload > /dev/null 2>&1

This runs twice a day, copies any new rules, and silently reloads NGINX. If you ever notice a legitimate crawler getting blocked, just comment out the offending line in /etc/nginx/conf.d/whitelist-ips.conf.
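A more defensive form of the cron updater above, as an added example that is not part of the original guide or the blocker project: it backs up the files it replaces, runs the config test before reloading, restores the backup if the test fails, and leaves an existing whitelist-ips.conf untouched so local edits survive the copy. The script path in the cron comment and the NGINX_TEST_CMD, NGINX_RELOAD_CMD and KEEP_LOCAL variables are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the guide or the blocker project.
# Layout assumed from the guide: rules in /opt/nginx-badbots/conf/*.conf,
# live copies in /etc/nginx/conf.d, local edits in whitelist-ips.conf.
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t -q}"      # overridable for dry runs
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"
KEEP_LOCAL="${KEEP_LOCAL:-whitelist-ips.conf}"

# safe_update SRC_DIR DEST_DIR
# Returns 0 after a successful reload, 1 after a rollback, 2 on bad arguments.
safe_update() {
    local src="$1" dest="$2" backup f name rc
    [ -d "$src" ] && [ -d "$dest" ] || return 2
    backup="$(mktemp -d)" || return 2
    for f in "$src"/*.conf; do
        [ -e "$f" ] || continue
        name="$(basename "$f")"
        # Never overwrite the operator's own whitelist once it exists.
        if [ "$name" = "$KEEP_LOCAL" ] && [ -e "$dest/$name" ]; then continue; fi
        # Save the current version, or mark the file as newly introduced.
        if [ -e "$dest/$name" ]; then cp -p "$dest/$name" "$backup/$name"
        else : > "$backup/$name.new"; fi
        cp "$f" "$dest/$name"
    done
    if $NGINX_TEST_CMD; then
        $NGINX_RELOAD_CMD; rc=$?
        rm -rf "$backup"
        return "$rc"
    fi
    # Config test failed: restore every touched file and send no reload.
    for f in "$backup"/*; do
        [ -e "$f" ] || continue
        name="$(basename "$f")"
        case "$name" in
            *.new) rm -f "$dest/${name%.new}" ;;
            *)     cp -p "$f" "$dest/$name" ;;
        esac
    done
    rm -rf "$backup"
    return 1
}

# Cron entry point (hypothetical path):
#   0 */12 * * * /usr/local/sbin/badbots-update.sh --run
if [ "${1:-}" = "--run" ]; then
    git -C /opt/nginx-badbots pull -q --ff-only &&
        safe_update /opt/nginx-badbots/conf /etc/nginx/conf.d
fi
```

Run it from root's crontab in place of the one-liner; a non-zero exit status means the update was rolled back or the reload failed.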

6. Tweak the whitelist for your own bots

If you run internal monitoring tools that get flagged, add their IPs or user‑agents to whitelist-ips.conf. The file is plain text; each entry lives on its own line.

sudo nano /etc/nginx/conf.d/whitelist-ips.conf

Save and reload NGINX again. This tiny step saves you from mysterious 403s in your logs later.

That’s it – the blocker is live, updating, and you’ve got a quick way to roll back if something goes sideways.