diff --git a/root/defaults/nginx/internal.conf b/root/defaults/nginx/internal.conf
new file mode 100644
index 00000000..e1670a64
--- /dev/null
+++ b/root/defaults/nginx/internal.conf
@@ -0,0 +1,7 @@
+# List of private IP addresses to ensure all traffic is local.
+## Remove or comment any out to be even more restrictive.
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+allow 100.64.0.0/16; # Tailcale's default IP range
+deny all;