Master Nginx Firewall: IP Whitelisting, Blacklisting, and GeoIP Restrictions
This guide explains how to configure Nginx access control using allow/deny directives, external whitelist files, the ngx_http_geo_module for IP range rules, and the ngx_http_geoip_module for country and city based restrictions, including installation steps and example configurations.
In Nginx, the ngx_http_access_module provides the allow and deny directives for IP-based access control in the http, server, location and limit_except contexts. Rules are checked in the order they appear and the first match wins, so a list of allow lines must end with deny all or everyone else is still admitted. Both directives compare against $remote_addr, the address of the TCP peer, so behind a reverse proxy or CDN every request appears to come from the proxy unless ngx_http_realip_module is configured with set_real_ip_from limited to the proxy's own addresses. Edit /etc/nginx/nginx.conf or /etc/nginx/sites-available/default to whitelist specific IPs and deny all others:
server {
    listen 80;
    server_name your_domain_or_ip;

    # White-list
    location / {
        allow 192.168.1.1; # specific IPs
        allow 192.168.1.2;
        allow 192.168.1.3;
        allow 192.168.1.4;
        allow 192.168.1.5;
        allow 192.168.1.6;
        deny all; # block the rest
    }

    # High-privilege admin IP
    location /admin {
        allow 192.168.1.7;
        deny all;
    }

    # Limited-privilege maintenance IPs
    location /limited {
        allow 192.168.1.8;
        allow 192.168.1.9;
        deny all;
    }
}

For larger lists, store IPs in an external file (e.g., /home/whitelist.conf) and include it:
location / {
    include /home/whitelist.conf;
    deny all;
}

Everything in the included file is parsed as configuration, so keep it owned by root and not writable by the nginx worker user. Example whitelist.conf:
allow 10.1.1.10;
allow 10.1.1.11;

The ngx_http_geo_module enables IP-range based variables: it matches $remote_addr (the address left after any realip processing) against CIDR prefixes and sets a variable that can be tested later in the configuration. Define a variable $ip_list with default 0 and set matching CIDR blocks to 1:
geo $ip_list {
    default 0;
    192.168.1.0/24 1;
    10.1.0.0/16 1;
}

server {
    listen 8081;
    server_name 192.168.152.100;
    location / {
        root /var/www/test;
        index index.html index.htm index.php;
        # Reject clients outside the listed ranges. A return inside if is
        # safe; proxying unmatched requests back to this same listener
        # would only loop.
        if ($ip_list = 0) {
            return 403;
        }
    }
}

To block by country or city, install the ngx_http_geoip_module. On Ubuntu, install nginx-extras, which loads the module through /etc/nginx/modules-enabled/; on CentOS, install nginx-module-geoip from the nginx.org repository and add load_module modules/ngx_http_geoip_module.so; at the top of nginx.conf, since there it is a dynamic module. The module reads the legacy MaxMind .dat format, which MaxMind stopped distributing in 2019; the files below come from a third-party mirror (dl.miyuru.lk), so treat them as unverified data you are importing into your access policy, or use ngx_http_geoip2_module with MaxMind's current .mmdb databases instead. Download the country and city databases and place them under /etc/nginx/:
sudo wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCountry.dat
sudo wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCity.dat

Configure Nginx to use these databases (the geoip_country and geoip_city directives belong in the http context):
geoip_country /etc/nginx/GeoCountry.dat;
geoip_city /etc/nginx/GeoCity.dat;

server {
    listen 80;
    server_name 144.11.11.33;
    location / {
        root /var/www/html/;
        index index.html index.htm;
        if ($geoip_country_code = CN) {
            return 403; # block China
        }
    }
}

Relevant GeoIP variables include:
$geoip_country_code – two-letter country code (e.g., CN, US)
$geoip_country_code3 – three-letter country code
$geoip_country_name – full country name
$geoip_city_country_code, $geoip_city_country_name, $geoip_city, $geoip_region, $geoip_postal_code, $geoip_latitude, $geoip_longitude – city-level details
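As an added example that is not part of the original article or the Liangxu Linux material, the fragment below combines the three mechanisms described on this page (allow/deny with an included list, an ngx_http_geo_module range variable, and an ngx_http_geoip_module country check) into one http block, with the realip caveat handled and a default-deny country policy in place of a single blocked country. Assumed values, none of which come from the page: the trusted reverse proxy lives in 203.0.113.0/24 (a documentation range), the internal ranges are 192.168.1.0/24 and 10.1.0.0/16, the allowed countries are US and DE, the site is example.com, and the admin allowlist file is /etc/nginx/admin_allowlist.conf. The database path is the one used earlier on the page.

```nginx
# Added example (assumptions: proxy range 203.0.113.0/24, internal ranges
# 192.168.1.0/24 and 10.1.0.0/16, allowed countries US/DE, host example.com).

# CentOS / nginx.org packages only: the module is dynamic and must be loaded first.
# load_module modules/ngx_http_geoip_module.so;

http {
    # 1. Recover the real client address behind the reverse proxy.
    #    Only the proxy's own range is trusted to set X-Forwarded-For; a client
    #    connecting directly keeps its TCP source address no matter what header
    #    it sends. The weak form to avoid is "set_real_ip_from 0.0.0.0/0;",
    #    which lets every client choose the address all rules below see.
    set_real_ip_from  203.0.113.0/24;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # 2. Internal-range flag via ngx_http_geo_module. geo reads $remote_addr,
    #    which realip has already rewritten by this point.
    geo $internal_ip {
        default        0;
        192.168.1.0/24 1;
        10.1.0.0/16    1;
    }

    # 3. Country allowlist via ngx_http_geoip_module (http context).
    #    A default-deny map is safer than enumerating countries to block:
    #    an address the database cannot resolve yields an empty code and
    #    therefore falls into "default 0".
    geoip_country /etc/nginx/GeoCountry.dat;

    map $geoip_country_code $country_allowed {
        default 0;
        US      1;
        DE      1;
    }

    # Admit a client if it is internal OR from an allowed country.
    # The two flags are concatenated into a two-character key.
    map "$internal_ip$country_allowed" $access_ok {
        default 0;
        "10"    1;
        "01"    1;
        "11"    1;
    }

    server {
        listen      80;
        server_name example.com;

        # Load-balancer health check: reachable only from the proxy range.
        location = /healthz {
            allow 203.0.113.0/24;
            deny  all;
            return 200 "ok\n";
        }

        # Admin panel: explicit IP allowlist only. GeoIP is too coarse for
        # privileged paths, so the country map is deliberately not consulted.
        location /admin {
            include /etc/nginx/admin_allowlist.conf;   # one "allow <ip/cidr>;" per line
            deny all;
            root  /var/www/html;
            index index.html;
        }

        # Everything else: internal ranges or allowed countries.
        # "return" is the safe action to take inside an if block.
        location / {
            if ($access_ok = 0) {
                return 403;
            }
            root  /var/www/html;
            index index.html;
        }
    }
}
```

If realip is not in use, ngx_http_geoip_module has its own equivalent for trusted proxies, geoip_proxy and geoip_proxy_recursive, which make the country lookup use the forwarded address for connections from the listed proxy range only; the same rule applies as for set_real_ip_from, never list a range wider than the proxies you control. Validate the result with nginx -t before reloading, and test from an address outside every listed range to confirm the 403 path is actually taken.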
These configurations allow fine-grained control over who can access your web services, whether by individual IP, IP range, or geographic location, and are useful for security hardening and compliance requirements. Treat them as a coarse outer layer rather than as authentication: a source address tells you where a connection arrived from, not who is behind it, VPNs and proxies relocate clients freely, and GeoIP data is approximate and ages quickly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)