nginx module to use linux netfilter ipsets as blacklists
.gitignore Initial commit Oct 22, 2010
README.rdoc Initial commit Oct 22, 2010
config Initial commit Oct 22, 2010
ip_set.h Initial commit Oct 22, 2010
ipset_read.c Initial commit Oct 22, 2010
ngx_http_ipset_blacklist.c disable keepalive and use a 444 status when banning, remove debug print Oct 22, 2010



An nginx module for using netfilter ipsets as a black/white list. In comparison to the standard nginx access module, this allows the list to be updated dynamically, without an nginx reload/restart.


  • Get yourself a linux server with root access

  • Install ipset 4.4 (see

  • Get nginx source code, unpack etc.

  • Install libssl-dev, pcre and other nginx requirements

  • Configure nginx with this module:

    ./configure --add-module=/path/to/nginx_ipset_blacklist
  • Compile, install

  • Configure nginx to run workers as root (this is needed to allow access to ipsets)

  • Create your ipset and add some 'offending' ips to it (replace <offending-ip> with the address to ban):

    sudo ipset -N myblacklist iphash
    sudo ipset -A myblacklist <offending-ip>
  • Start nginx

  • Profit!


Sample nginx config:

user root;
worker_processes  1;

events {
  worker_connections  1024;
}

http {
  blacklist "myblacklist";
  include       mime.types;
  default_type  application/octet-stream;

  server {
    # your server configuration goes here
  }

  server {
    whitelist "my_whitelist"; # this server will not use the global blacklist, but instead the local whitelist
  }
}

For blocked ips the server will respond with a 403 error to any request.
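Because the module reads the set live, anything added to it with ipset takes effect without touching nginx. The script below is an added example, not part of nginx_ipset_blacklist: it scans nginx access-log lines (the "combined" format) for clients with repeated 4xx responses and produces the ipset 4.x `-A myblacklist` commands that would put them into the set the module checks. The log lines are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SET_NAME = "myblacklist"        # the set created with: ipset -N myblacklist iphash
THRESHOLD = 5                   # assumption: 5 client errors ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes marks a client as offending

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample log lines (TEST-NET addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - [22/Oct/2010:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.4 - - [22/Oct/2010:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "-"',
    '203.0.113.9 - - [22/Oct/2010:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.9 - - [22/Oct/2010:10:00:04 +0000] "GET /admin/ HTTP/1.1" 403 162 "-" "-"',
    '198.51.100.4 - - [22/Oct/2010:10:00:05 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.9 - - [22/Oct/2010:10:00:06 +0000] "GET /.env HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.9 - - [22/Oct/2010:10:00:07 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "-"',
]

def offending_ips(lines, threshold=THRESHOLD, window=WINDOW):
    """Return IPs with at least `threshold` 4xx responses inside one `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of crashing
        ip, ts, status = m.group(1), m.group(2), int(m.group(3))
        if 400 <= status < 500:
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        # sliding window: compare the i-th hit with the one (threshold-1) before it
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)

def ban_commands(ips, set_name=SET_NAME):
    """ipset 4.x add commands, the same form the README runs by hand."""
    # Pass each list to subprocess.run as root to apply it; nginx needs no reload.
    return [["ipset", "-A", set_name, ip] for ip in ips]
```

Review the commands before applying them: an entry in the set blocks every request from that address with a 403 until it is removed with `ipset -D`.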


nginx_ipset_blacklist was written by Vasily Fedoseyev aka Vasfed
