From e84e47cb1867dc2e3e16af842a78759ff23d2893 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Sat, 21 Mar 2026 13:31:39 +0000
Subject: [PATCH] feat: nginx stream level ip blocking
---
 templates/nginx_stream_ssl_map.conf.j2 | 33 +++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/templates/nginx_stream_ssl_map.conf.j2 b/templates/nginx_stream_ssl_map.conf.j2
index 2caff4a..a0db9b2 100644
--- a/templates/nginx_stream_ssl_map.conf.j2
+++ b/templates/nginx_stream_ssl_map.conf.j2
@@ -5,14 +5,45 @@ map $ssl_preread_server_name $proxy_name {
 {% endfor %}
 }
+geo $priviledged_networks {
+ default 0;
+ 127.0.0.0/24 1;
+ 159.69.136.222 1; # atlantishq
+ 95.217.57.49 1; # atlantis-helsinki
+ 142.132.212.54 1; # katzencluster
+ 10.0.0.0/8 1; # wireguard & k3s
+ 192.168.122.0/24 1; # atlantishq-vms
+ 192.168.123.0/24 1; # katzencluster-vms
+ 192.168.124.0/24 1; # athq-helsinki-vms
+ 192.168.125.0/24 1; # reserved/vm test net
+ 135.181.80.154 1; # postgres master
+ 46.62.175.169 1; # postgres replica
+}
+
+map $block_connection $proxy_target {
+ 1 127.0.0.1:1; # blackhole (connection fails)
+ 0 $proxy_name;
+}
+
+map $ssl_preread_server_name $is_restricted {
+ default 0;
+ ~^immich-ml\.services\.atlantishq\.de$ 1;
+}
+
+map "$is_restricted:$priviledged_networks" $block_connection {
+ default 0;
+ "1:0" 1;
+}
+
 server {
 listen 443 ;
 listen [::]:443 ;
+ proxy_timeout 5m;
 proxy_responses 1;
 ssl_preread on;
- proxy_pass $proxy_name;
+ proxy_pass $proxy_target;
 }
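Review bot: The restriction entry `~^immich-ml\.services\.atlantishq\.de$` in the `$is_restricted` map is a case-sensitive regex, while nginx `map` literal entries (and DNS/SNI names generally) match case-insensitively, so a server name presented in different case would still be routed by the `$proxy_name` map — which lies outside this hunk — without being marked restricted; use `~*^immich-ml\.services\.atlantishq\.de$ 1;` or the plain literal `immich-ml.services.atlantishq.de 1;`. Two smaller points in the `geo` block: `127.0.0.0/24 1;` covers only part of the loopback range (the whole block is 127.0.0.0/8), and `geo` evaluates `$remote_addr`, so if this stream server sits behind another proxy or load balancer the trusted-network check would see that hop's address unless PROXY protocol is in use. The variable name `$priviledged_networks` is misspelled (`privileged`); harmless, but worth fixing before other templates reference it. A short comment above the final map, such as `# block only when the SNI is restricted AND the client is not on a privileged network`, would make the "1:0" key self-explanatory.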