Prevent access from internet router IP (not source IP)

Percentage · January 3, 2026, 9:03pm

Please use this template for troubleshooting questions.

My issue: I have an internal network of 192.168.2.x, my nginx is on .2.2. I have some websites that I do NOT want to be accessed from the internet. My internet router is on .2.1. How do I deny traffic coming through the router since the router address is not the source address?

How I encountered the problem:

Solutions I’ve tried: various allow / deny configurations.

Deployment environment: Latest nginx on debian 13.

liam · January 5, 2026, 2:26pm

You’re on the right track with the access module (allow/deny directives). This sort of thing should do it.

server {
    listen …;
    server_name private.example.org;

    allow 192.168.2.0/24;
    deny all;

    root …;
}

route443 · January 8, 2026, 2:13am

I’d additionally make sure that your inbound wan->lan port forwarding applies DNAT only and that SNAT/masquerade is not applied, otherwise, nginx will see your router’s IP as the source => allow rule will incorrectly match

system · February 7, 2026, 2:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to restrict access to /jri (JasperReports) without relying on proxy IP (dynamic reverse proxy environment)? NGINX security , reverse-proxy , nginx , access , real-ip	0	19	March 26, 2026
Is it possible to use set_real_ip_from n a dynamic fashion based on request parameters? NGINX config , nginx-open-source , reverse-proxy	1	57	April 2, 2026
Can't Reach Allowed File when My User Agent is Blocked NGINX access , error-page , if	5	128	July 11, 2025
How to define/create a public IP and use it in NGINX? NGINX networking , ip	4	185	December 15, 2025
NGINX stream real IP client NGINX reverse-proxy , stream	2	147	October 1, 2025

Prevent access from internet router IP (not source IP)

Related topics