Note: This article assumes that you have installed Nginx on your server.
Prerequisites
- An Nginx server.
- Access to a Linux privileged user such as root.
Procedure
1. Log in to your server via SSH and switch to the root user.
su
2. Go to your Nginx site configuration.
cd /etc/nginx/sites-available
3. Open the configuration file where your site is located.
Note: This and the following steps may change depending on your configuration. We will assume that you are using the default one.
nano default
or
vim default
4. Whitelist IP in NGINX
There are multiple ways to whitelist an IP in NGINX. We will look at each of them. Let’s say you want to whitelist IP 87.65.43.21 for your entire website. You can add the following lines to your configuration file.
allow 87.65.43.21;
deny all;
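The above lines will make NGINX deny all except IP 87.65.43.21. The first line, allow 87.65.43.21, will allow access from that IP. The second line, deny all, will block all other IPs. NGINX checks these rules in order and applies the first one that matches, so the allow lines must come before deny all.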
Whitelist IP in NGINX for domain
Add these lines in any of the http, server or location blocks as shown here:
http{
...
allow 87.65.43.21;
deny all;
...
}
server{
...
allow 87.65.43.21;
deny all;
...
}
location / {
allow 87.65.43.21;
deny all;
}
Whitelist IP in NGINX for subdomain
Let’s say you have two subdomains (blog.example.com and articles.example.com) with their NGINX config files at /etc/nginx/sites-enabled/blog.conf and /etc/nginx/sites-enabled/articles.conf.
If you want to whitelist an IP in NGINX for only one subdomain (e.g. blog.example.com), place the above-mentioned two lines in the blog.conf file of that subdomain:
$ sudo vim /etc/nginx/sites-enabled/blog.conf
server {
server_name blog.example.com;
allow 87.65.43.21;
deny all;
}
If you want to whitelist IP in both subdomains, then add the 2 lines in both blog.conf and articles.conf files.
Whitelist IP range in NGINX
If you want to allow an IP range such as 45.43.23.0 – 45.43.23.255, then use the CIDR format for your IP range, since NGINX accepts only IP addresses and CIDR formats. You can get the CIDR for your IP address range using IP to CIDR tools.
location / {
allow 45.43.23.0/24;
deny all;
}
Whitelist IP in NGINX for URL
If you want to whitelist an IP for just one URL (e.g. /accounts/login), add the above allow and deny directives in the location block of that URL.
location /accounts/login {
allow 87.65.43.21;
deny all;
}
Whitelist Multiple IP in NGINX
If you want to whitelist multiple IPs in NGINX, add multiple allow directives as shown below, one for each IP:
allow 87.65.43.21;
allow 44.23.13.10;
deny all;
You can also combine IP and CIDR ranges together, as shown below
allow 44.23.13.10;
allow 45.43.23.0/24;
deny all;
5. Restart Nginx
Note: This step can change depending on your OS.
Run the following command to check syntax of your updated config file.
sudo nginx -t
If there were no errors, run the following command to restart NGINX server.
systemctl restart nginx
That’s it! Now NGINX will allow access to only those IP addresses and ranges mentioned in your configuration file.
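Before reloading, you can check offline what a rule set from step 4 will do. The Python script below is an added example, not part of the original article: it converts an IP range into the CIDR allow lines NGINX needs and evaluates allow/deny rules the way NGINX does (first match wins). The function names and the sample rule text are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the combined IP + CIDR rule set shown in step 4.
PAGE_RULES = """
allow 44.23.13.10;
allow 45.43.23.0/24;
deny all;
"""

def range_to_allow_lines(first, last):
    """Turn an inclusive IP range into the minimal set of allow directives."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"allow {net};" for net in nets]

def parse_rules(config_text):
    """Collect (action, network) pairs from allow/deny lines, in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            # "all" is stored as None; a bare IP becomes a /32 (or /128) network.
            net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
            rules.append((parts[0], net))
    return rules

def is_allowed(rules, client_ip):
    """First matching rule decides; with no match, NGINX lets the request through."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True

if __name__ == "__main__":
    # A range that is not a single CIDR block needs more than one allow line.
    print(range_to_allow_lines("45.43.23.0", "45.43.24.127"))
    rules = parse_rules(PAGE_RULES)
    for ip in ("44.23.13.10", "45.43.23.200", "45.43.24.1"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
    # Putting deny all first locks out even the whitelisted IP.
    bad = parse_rules("deny all;\nallow 87.65.43.21;")
    print("87.65.43.21", "allowed" if is_allowed(bad, "87.65.43.21") else "denied")
```

The script only models allow and deny lines within a single block; sudo nginx -t remains the check for the real configuration file.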