Mastering Nginx IP Whitelists and Blacklists: Step‑by‑Step Guide
This tutorial explains how to configure Nginx to control access by IP using allow/deny directives, include files, the ngx_http_geo_module for subnet and country restrictions, and the ngx_http_geoip_module for geographic blocking, with complete configuration examples and installation commands.
allow, deny
deny and allow directives belong to ngx_http_access_module, which is loaded by default in Nginx.
Define allowed IP addresses directly in the Nginx configuration file (e.g., /etc/nginx/nginx.conf or /etc/nginx/sites-available/default).
Direct configuration in the file
server {
listen 80;
server_name your_domain_or_ip;
# Set whitelist
location / {
allow 192.168.1.1;
allow 192.168.1.2;
allow 192.168.1.3;
allow 192.168.1.4;
allow 192.168.1.5;
allow 192.168.1.6;
deny all; # deny all other IPs
}
# Highest‑privilege maintenance IP
location /admin {
allow 192.168.1.7;
deny all;
}
# Limited‑privilege maintenance IPs
location /limited {
allow 192.168.1.8;
allow 192.168.1.9;
deny all;
}
}Include a whitelist file
location /{
include /home/whitelist.conf;
deny all;
}Create /home/whitelist.conf and list the IPs to allow, e.g.:
allow 10.1.1.10;
allow 10.1.1.11;ngx_http_geo_module
This module can set IP or country restrictions and is configured inside the http block, outside any server block.
Direct configuration
geo $ip_list {
default 0; # default value
192.168.1.0/24 1;
10.1.0.0/16 1;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ($ip_list = 0) {
proxy_pass http://192.168.152.100:8081;
}
}
}Read IP list from a file
geo $ip_list {
default 0;
include ip_white.conf;
}
server {
listen 8081;
server_name 192.168.152.100;
location / {
root /var/www/test;
index index.html index.htm index.php;
if ($ip_list = 0) {
return 403; # blocked IP returns 403 (or 503/504)
}
}
}Country/Region IP restriction
Install ngx_http_geoip_module (e.g., nginx-extras on Ubuntu or nginx-module-geoip on CentOS) and download the MaxMind IP databases.
sudo apt install nginx-extras
# or for CentOS
yum install nginx-module-geoip
# Download country database
sudo wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCountry.dat
# Download city database
sudo wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
gunzip maxmind.dat.gz
sudo mv maxmind.dat /etc/nginx/GeoCity.datConfigure Nginx to use the databases:
geoip_country /etc/nginx/GeoCountry.dat;
geoip_city /etc/nginx/GeoCity.dat;
server {
listen 80;
server_name 144.11.11.33;
location / {
root /var/www/html/;
index index.html index.htm;
if ($geoip_country_code = CN) {
return 403; # block access from China
}
}
}Useful variables: $geoip_country_code: two‑letter country code (e.g., CN, US) $geoip_country_code3: three‑letter country code (e.g., CHN, USA) $geoip_country_name: full country name $geoip_city_country_code, $geoip_city_country_name, $geoip_city, $geoip_region, $geoip_postal_code, $geoip_city_continent_code, $geoip_latitude, $geoip_longitude Original source: https://www.cnblogs.com/hahaha111122222/p/18702355
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.