Master Nginx IP Whitelisting & Blacklisting: Simple Configurations and Geo Restrictions
Learn how to control access in Nginx by configuring IP-based allow/deny rules, using external whitelist files, leveraging the ngx_http_geo_module for IP and country restrictions, and setting up GeoIP modules with sample configurations and commands for both Linux distributions.
Control Access in Nginx with Allow/Deny Rules
The allow and deny directives belong to ngx_http_access_module, which is loaded by default in Nginx.
Direct Configuration in nginx.conf
server {
listen 80;
server_name your_domain_or_ip;
# Whitelist example
location / {
allow 192.168.1.1;
allow 192.168.1.2;
allow 192.168.1.3;
allow 192.168.1.4;
allow 192.168.1.5;
allow 192.168.1.6;
deny all; # block all other IPs
}
# High‑privilege admin IP
location /admin {
allow 192.168.1.7;
deny all;
}
# Limited‑privilege maintenance IPs
location /limited {
allow 192.168.1.8;
allow 192.168.1.9;
deny all;
}
}Include an External Whitelist File
location / {
include /home/whitelist.conf;
deny all;
}Create /home/whitelist.conf and list the allowed IPs, e.g.:
# whitelist IPs
allow 10.1.1.10;
allow 10.1.1.11;Using ngx_http_geo_module for IP or Country Restrictions
This module is usually compiled into Nginx. It can be placed inside the http block (outside any server block).
Define IP Lists Directly
geo $ip_list {
default 0; # default value
192.168.1.0/24 1;
10.1.0.0/16 1;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ($ip_list = 0) {
# default (0) means blocked – treat as blacklist
proxy_pass http://192.168.152.100:8081;
}
}
}Load IP List from a File
geo $ip_list {
default 0;
include ip_white.conf;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ($ip_list = 0) {
return 403; # block the IP (could also use 503/504)
}
}
}Country/Region IP Restriction with GeoIP
Install the GeoIP module (e.g., nginx-extras on Ubuntu or nginx-module-geoip on CentOS) and download the MaxMind databases.
# Ubuntu
sudo apt install nginx-extras
# CentOS
yum install nginx-module-geoip
# Download country database
sudo wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCountry.dat
# Download city database
sudo wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCity.datConfigure Nginx to use the databases and block a specific country (e.g., China):
geoip_country /etc/nginx/GeoCountry.dat;
geoip_city /etc/nginx/GeoCity.dat;
server {
listen 80;
server_name 144.11.11.33;
location / {
root /var/www/html/;
index index.html index.htm;
if ($geoip_country_code = CN) {
return 403; # deny access from China
}
}
}GeoIP Variables
$geoip_country_code: two‑letter country code (e.g., CN, US) $geoip_country_code3: three‑letter country code (e.g., CHN, USA) $geoip_country_name: full country name in English $geoip_city_country_code, $geoip_city_country_name, $geoip_city, $geoip_region, $geoip_postal_code, $geoip_city_continent_code, $geoip_latitude, $geoip_longitude: various city‑level details
These configurations enable precise control over which IPs or geographic regions can access your web services.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.