Nginx IP Whitelist

There are two ways I know you could solve this problem.

  1. Allow-list in a separate config: Works on all common NginX installs

    You can place all of the allow statements in a simple text file, per site, that contains nothing but allow statements. Include that under the client’s server block. Use scripts as needed to alter the list. Finally reload (not restart) the nginx config every time you update the allow list. This might look as follows:

    cat /var/www-allow/client1-allow.conf
    allow 192.168.1.1;
    allow 10.0.0.1;
    
    cat /etc/nginx/sites/client1.conf
    ...
    server {
        include /var/www-allow/client1-allow.conf;
        deny all;
    }
    
    echo "Test NginX configuration"
    nginx -t
    
    echo "Reload NginX configuration (adjust for your setup)"
    service nginx reload
    
  2. Use embedded Lua: Requires a custom compile of NginX

    Recompile NginX from source with the 3rd party embedded Lua add-on module. Use a Lua script to actively deny unsupported IP addresses. See the second example under access_by_lua. There are a variety of ways you could use the add-on. I suggest using access_by_lua_file to put the Lua script in an external location.

Both of these approaches will still require some effort on your part. I don’t believe a drop-in solution is already available for your specific objectives.
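For option 1, the script that alters the list is where mistakes get into the config. The following is an added example, not part of the original answer: it validates every entry before writing the include file, replaces the file atomically, and reloads only after `nginx -t` passes. The function names are hypothetical; the commands are the ones shown above.

```python
import ipaddress
import os
import re
import subprocess
import tempfile

# Only characters that can occur in an IPv4/IPv6 address or CIDR prefix.
_SAFE = re.compile(r"[0-9A-Fa-f:./]+")


def render_allow_conf(entries):
    """Return include-file text ("allow X;" lines); raise ValueError on bad input."""
    lines, seen = [], set()
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments in the input list are skipped
        # Check the character set first: text such as "10.0.0.1; allow all"
        # or an IPv6 zone id ("%...") must never reach the nginx config.
        if not _SAFE.fullmatch(entry):
            raise ValueError(f"not an address or CIDR: {entry!r}")
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"catch-all network would defeat 'deny all': {entry}")
        if net in seen:
            continue
        seen.add(net)
        single = net.prefixlen == net.max_prefixlen
        lines.append(f"allow {net.network_address if single else net};\n")
    return "".join(lines)


def write_allow_conf(path, entries):
    """Validate, then atomically replace the file so nginx never sees a partial list."""
    text = render_allow_conf(entries)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return text


def reload_nginx(run=subprocess.run):
    """Reload only if the complete configuration passes `nginx -t`."""
    run(["nginx", "-t"], check=True)
    run(["service", "nginx", "reload"], check=True)
```

Call `write_allow_conf("/var/www-allow/client1-allow.conf", entries)` followed by `reload_nginx()`; a rejected entry raises before the existing file is touched.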
