Basic IP Whitelist Configuration
To restrict access to specific IP addresses while allowing local connections:
allow 100.110.15.16;
allow 100.110.15.17;
allow 100.110.15.18;
allow 127.0.0.1;
deny all;
IP-Based Access Redirection
Method 1: Direct IP Comparison
Redirect specific client IP addresses using the $remote_addr variable:
if ($remote_addr = 192.168.1.123) {
    return 301 https://blog.whsir.com;
}
Method 2: Lua Module Implementation
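With the Nginx Lua module, the redirect list can be looked up dynamically on each request. IP addresses are stored in the file /tmp/ip, which may contain both individual IPs and network ranges (CIDR). Because io.popen starts a shell and blocks the worker while it runs, and /tmp is writable by any local user, this method is best kept to low-traffic hosts where local users are trusted: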
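set_by_lua $allowed_ip '
    -- remote_addr is the peer address as seen by nginx
    local client_ip = ngx.var.remote_addr
    -- Exact line match first (-x whole line, -F fixed string, so dots are literal), then test each CIDR entry with ipcalc
    local cmd_result = io.popen("ip=" .. client_ip .. "; if grep -qxF $ip /tmp/ip; then echo $ip; exit 0; fi; for network in $(grep / /tmp/ip); do [ $(ipcalc -n $ip/${network#*/}) = $(ipcalc -n $network) ] && echo $ip && break; done")
    local output = cmd_result:read("*l")
    cmd_result:close()
    return output
';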
if ($allowed_ip = $remote_addr) {
    return 301 https://blog.whsir.com;
}
Comprehensive IP Whitelist Setup
Analyze Access Logs
Identify the IP addresses accessing your Nginx server, sorted by request count:
awk '{print $1}' logs/access.log | sort | uniq -c | sort -nr -k1
Sample output:
1053 192.168.3.15
893 192.168.3.10
818 192.168.0.8
Create IP Whitelist File
Create ip.conf in the Nginx conf directory:
192.168.3.11 1;
192.168.3.10 1;
192.168.0.112 1;
Configure nginx.conf
Add the geo mapping in the http block:
http {
    # ...
    geo $remote_addr $ip_whitelist {
        default 0;
        include ip.conf;
    }
    # ...
}
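Server block configuration with whitelist validation. $access_allowed starts as "1" and gets a "0" appended for each condition that holds, so it equals "100" only when the client is not whitelisted and the request is not already for /access_denied (which prevents a redirect loop):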
server {
    listen 80;
    # ...
    set $access_allowed 1;
    if ($ip_whitelist != 1) {
        set $access_allowed "${access_allowed}0";
    }
    if ($request_uri !~* '/access_denied') {
        set $access_allowed "${access_allowed}0";
    }
    if ($access_allowed = "100") {
        rewrite ^(.*)$ $scheme://$host:$server_port/access_denied break;
    }
    # ...
}
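A dry run of the whitelist described above, as an added example that is not part of the original page: it replays an access log against the ip.conf entries the way the geo block resolves them (most specific match wins) and reports which clients would be sent to /access_denied. The sample log lines are constructed and the function names are this example's own; it assumes ip.conf holds only address or CIDR entries and that the first log field is the client address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input; in practice read conf/ip.conf and logs/access.log.
SAMPLE_IP_CONF = "192.168.3.11 1;\n192.168.3.10 1;\n192.168.0.112 1;\n"
SAMPLE_ACCESS_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:0{i} +0000] "GET / HTTP/1.1" 200 612'
    for i, ip in enumerate(["192.168.3.15", "192.168.3.10", "192.168.3.15",
                            "192.168.0.8", "192.168.3.10", "192.168.3.15"]))

ENTRY = re.compile(r"^\s*(\S+)\s+([^\s;]+)\s*;")


def parse_geo_entries(conf_text):
    """Parse 'address-or-CIDR value;' lines; a malformed address raises ValueError."""
    entries = []
    for line in conf_text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            # strict=False: host bits set in a CIDR entry are masked off
            entries.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return entries


def geo_value(ip, entries, default="0"):
    """Value of the most specific entry containing ip (geo semantics), else default."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, val) for net, val in entries
            if net.version == addr.version and addr in net]
    return max(hits)[1] if hits else default


def dry_run(log_text, conf_text):
    """Count requests per client IP that the whitelist would allow or deny."""
    entries = parse_geo_entries(conf_text)
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        try:
            value = geo_value(fields[0], entries)
        except (IndexError, ValueError):
            continue  # blank line, or first field is not an IP address
        (allowed if value == "1" else denied)[fields[0]] += 1
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = dry_run(SAMPLE_ACCESS_LOG, SAMPLE_IP_CONF)
    for ip, count in denied.most_common():
        print(f"{count:6d} {ip}  would be sent to /access_denied")
```

Running it before reloading Nginx shows which currently active clients are missing from ip.conf, so the whitelist can be corrected before it locks anyone out.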
Location-Specific Whitelist
Apply the whitelist to specific locations:
location /test {
    proxy_pass http://backend_server/test;
    set $location_access 1;
    if ($ip_whitelist != 1) {
        set $location_access "${location_access}0";
    }
    if ($request_uri !~* '/access_denied') {
        set $location_access "${location_access}0";
    }
    if ($location_access = "100") {
        rewrite ^(.*)$ $scheme://$host:$server_port/access_denied break;
    }
}
Access Denied Page Configuration
server {
    listen 80;
    # ...
    location /access_denied {
        root /opt/nginx/access_pages;
        index access_denied.html;
        rewrite ^(.*)$ /access_denied.html break;
    }
}
Access Denied Page Template
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Access Restricted</title>
    <style>
        body {
            background: #f5f5f5;
            font-family: Arial, sans-serif;
        }
        .container {
            margin: 50px auto;
            max-width: 600px;
            padding: 20px;
            background: white;
            border-radius: 5px;
            box-shadow: 0 2px 5px rgba(0,0,0,0.1);
        }
    </style>
</head>
<body>
    <div class="container">
        <h2>Access Notification</h2>
        <p>Your IP address is not authorized to access this system directly.</p>
        <p>Please contact the administrator to add your IP to the whitelist.</p>
        <p>Domain access: <a href="https://www.example.com">https://www.example.com</a></p>
    </div>
</body>
</html>