Master Nginx IP Whitelisting & Blacklisting: Simple Allow/Deny Configurations
This tutorial explains how to use Nginx’s allow and deny directives, include external whitelist files, configure the ngx_http_geo_module for IP‑based access control, and set up country‑level restrictions with the geoip module, providing concrete configuration examples and command‑line steps for both black‑ and white‑listing.
Using allow and deny directives
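The allow and deny directives belong to ngx_http_access_module, which is built into Nginx by default. You can place them in the http, server, or location context to create a whitelist or blacklist for specific IP addresses or ranges. Rules are checked in order and the first match wins, so a whitelist must end with deny all.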

    server {
        listen 80;
        server_name your_domain_or_ip;

        # Whitelist example
        location / {
            allow 192.168.1.1;
            allow 192.168.1.2;
            allow 192.168.1.3;
            allow 192.168.1.4;
            allow 192.168.1.5;
            allow 192.168.1.6;
            deny all; # block everything else
        }

        # High-privilege admin IP
        location /admin {
            allow 192.168.1.7;
            deny all;
        }

        # Limited-privilege maintenance IPs
        location /limited {
            allow 192.168.1.8;
            allow 192.168.1.9;
            deny all;
        }
    }

Including an external whitelist file
For easier management, you can store allowed IPs in a separate file and include it with the include directive. The file is typically placed under /etc/nginx/ or any custom path you prefer.

    location / {
        include /home/whitelist.conf;
        deny all;
    }

    # /home/whitelist.conf example
    allow 10.1.1.10;
    allow 10.1.1.11;

Configuring the ngx_http_geo_module
The ngx_http_geo_module allows you to map IP addresses to variables, enabling both black‑ and white‑listing logic as well as country‑level restrictions. The configuration must be placed in the http context, outside any server block.

    # http context
    geo $ip_list {
        default 0;          # default: deny
        192.168.1.0/24 1;   # whitelist range
        10.1.0.0/16 1;      # another whitelist range
    }

    server {
        listen 8081;
        server_name 192.168.152.100;

        location / {
            root /var/www/test;
            index index.html index.htm index.php;

            if ($ip_list = 0) {
                # IP not in whitelist: treat as blacklisted and reject
                return 403;
            }
        }
    }

Country/region restrictions with the geoip module
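To block or allow traffic based on geographic location, install the ngx_http_geoip_module. On Ubuntu, the nginx-extras package includes this module; on CentOS, install nginx-module-geoip, which is packaged as a dynamic module and has to be loaded with the load_module directive in the main context of nginx.conf.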

    # Ubuntu
    sudo apt install nginx-extras

    # CentOS
    yum install nginx-module-geoip

Download the MaxMind IP databases (both country and city), unzip them, and place them in /etc/nginx/:

    sudo wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
    gunzip maxmind.dat.gz
    sudo mv maxmind.dat /etc/nginx/GeoCountry.dat

    sudo wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
    gunzip maxmind.dat.gz
    sudo mv maxmind.dat /etc/nginx/GeoCity.dat

Configure Nginx to use these databases and apply country-level rules:

    # http context: load the databases once for all servers
    geoip_country /etc/nginx/GeoCountry.dat;
    geoip_city /etc/nginx/GeoCity.dat;

    server {
        listen 80;
        server_name 144.11.11.33;

        location / {
            root /var/www/html/;
            index index.html index.htm;

            if ($geoip_country_code = CN) {
                return 403; # block requests from China
            }
        }
    }

Relevant geoip variables include $geoip_country_code, $geoip_country_name, $geoip_city, $geoip_region, $geoip_latitude, and $geoip_longitude, among others, allowing fine-grained access control based on geographic data.
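
A whitelist like the allow/deny lists above only holds if it ends in deny all, because Nginx checks these rules in order, stops at the first match, and admits a client that matches none. The following is an added example, not code from the original article: it lints such a rule list and reports the verdict for a given client address. The function names are hypothetical, and unix: targets are not handled.

```python
import ipaddress

# Constructed sample: the page's /home/whitelist.conf plus the location's "deny all;".
SAMPLE = """
allow 10.1.1.10;
allow 10.1.1.11;
deny all;   # block everything else
"""

def parse_rules(conf_text):
    """Return ordered (action, network) pairs; network is None for 'all'.
    Raises ValueError on any line that is not 'allow|deny <ip|cidr|all>;'."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"line {lineno}: missing ';'")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <addr>;'")
        action, target = parts
        # Lint choice (stricter than Nginx): reject CIDRs with host bits set.
        net = None if target == "all" else ipaddress.ip_network(target, strict=True)
        rules.append((action, net))
    return rules

def verdict(rules, client_ip):
    """First matching rule wins; a client that matches nothing is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"

def ends_with_deny_all(rules):
    """A whitelist is only closed if its last rule is the catch-all 'deny all'."""
    return bool(rules) and rules[-1] == ("deny", None)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for ip in ("10.1.1.10", "10.1.1.12"):
        print(ip, verdict(rules, ip))
    print("closed whitelist:", ends_with_deny_all(rules))
```

Running it against the include file alone, without the trailing deny all, shows the failure mode: every unlisted address comes back as allow.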
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
