Nerd blog.

01 Sep 2020

nginx ISP fence

Sometimes the easiest way to geo fence an application is to just whitelist certain ISP’s networks only. Nginx has a handy way to map IPs into subnets using the geo module.


  • job/aggregate6 to aggregate/unique-ify the prefix lists that are generated
  • OpenBSD Looking Glass to get a list of prefixes by source-as


geo $geolimit {
  default 1;
  include /etc/nginx/prefixlists/allowlist.txt;
  include /etc/nginx/prefixlists/manitoba-and-canadians.txt;

map $geolimit $out_of_area {
  0 "";
  1 $binary_remote_addr;

server {
    if ($out_of_area) {
      return 403;

Generating Lists

You’ll notice I’m feeding in 2 lists in this case, an explict allow list, and then a larger list of Manitoban and Canadian networks. The format for the lists of allowed IP addresses in this case is:

subnet/mask 0;

To generate a list for an ASN:

for ASN in 1 2 3; do
  curl -s \
  ''$ASN |\
  grep '\*>' | awk '{print $3}' | aggregate6 | awk '{print $1,0,";"}' \
  > /etc/nginx/prefixlists/${ASN}.txt


This is based heavily on the nginx-mb-prefixes script which Adam Thompson wrote to maintain a list of Manitoban networks for the Manitoba Unix Users Group Mirror.

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.