diff --git a/app/config.json.sample b/app/config.json.sample index 26f8c39..1f8c29f 100644 --- a/app/config.json.sample +++ b/app/config.json.sample @@ -8,6 +8,9 @@ "path": "/ssh/socket.io", "origins": ["localhost:2222"], }, + "ipfilter": { + allowed_ips: [] + }, "user": { "name": null, "password": null, diff --git a/app/package.json b/app/package.json index c843c4d..ef6e46e 100644 --- a/app/package.json +++ b/app/package.json @@ -36,6 +36,7 @@ "cidr-matcher": "^2.1.1", "debug": "^4.3.4", "express": "^4.18.1", + "express-ipfilter": "^1.3.1", "express-session": "^1.17.3", "morgan": "~1.10.0", "read-config-ng": "^3.0.5", diff --git a/app/server/app.js b/app/server/app.js index 195b614..1b38c2a 100644 --- a/app/server/app.js +++ b/app/server/app.js @@ -17,11 +17,12 @@ const server = require('http').Server(app); const favicon = require('serve-favicon'); const io = require('socket.io')(server, config.socketio); const session = require('express-session')(config.express); +const ipfilter = require('express-ipfilter').IpFilter const appSocket = require('./socket'); const { setDefaultCredentials, basicAuth } = require('./util'); const { webssh2debug } = require('./logging'); -const { reauth, connect, notfound, handleErrors } = require('./routes'); +const { reauth, connect, notfound, handleForbidden, handleErrors } = require('./routes'); setDefaultCredentials(config.user); @@ -38,6 +39,7 @@ function safeShutdownGuard(req, res, next) { // express app.use(safeShutdownGuard); app.use(session); +if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' })) if (config.accesslog) app.use(logger('common')); app.disable('x-powered-by'); app.use(favicon(path.join(publicPath, 'favicon.ico'))); diff --git a/app/server/config.js b/app/server/config.js index bb3639b..aaac959 100644 --- a/app/server/config.js +++ b/app/server/config.js 
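Review bot: In the `app/config.json.sample` hunk the new key `allowed_ips` is unquoted while every other key in the sample is quoted, so a strict JSON parser would reject the file once it is copied into place; write it as `"allowed_ips": []`. The sample also gives no hint that an empty list leaves the filter switched off. That is worth stating wherever this option is documented, because an operator may assume the presence of the section alone restricts access.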
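Review bot: `handleForbidden` is added to the destructured import from `./routes` in the first `app/server/app.js` hunk, but no visible hunk changes the routes module or registers the handler, so as far as this diff shows the name is unused and may be undefined. Without a dedicated handler, a request rejected by the filter presumably falls through to the generic `handleErrors` path and may be answered with something other than a 403. Either export it and register it ahead of the generic handler, e.g. `app.use(handleForbidden);`, or drop it from the import. The new `require('express-ipfilter').IpFilter` line also lacks the trailing semicolon used on the surrounding lines.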
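Review bot: The allow-list in the second `app/server/app.js` hunk is registered as Express middleware only, while socket.io is attached directly to the HTTP server (`require('socket.io')(server, config.socketio)` in the previous hunk), so requests on the socket path probably never pass through it. Confirm that the socket layer cannot be used without a session established on a filtered route, or apply the same address check there. The filter is also mounted after `app.use(session)`, so session handling still runs for clients that are about to be rejected; moving the line above `app.use(session);` avoids that. If the service runs behind a reverse proxy the filter sees the proxy's address unless client-IP detection is configured (express-ipfilter has a `trustProxy` option), which deserves a comment next to this line. The added line is also missing the trailing semicolon used elsewhere in the file.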
@@ -38,7 +38,10 @@ const configDefault = { setHeaders(res) { res.set('x-timestamp', Date.now()); }, - }, + } + }, + ipfilter: { + allowed_ips: [], }, user: { name: null, @@ -133,4 +136,7 @@ if (process.env.SOCKETIO_PATH) config.socketio.path = process.env.SOCKETIO_PATH; if (process.env.SOCKETIO_SERVECLIENT) config.socketio.serveClient = process.env.SOCKETIO_SERVECLIENT; +if (process.env.ALLOWED_IP_ADDRESSES) + config.ipfilter.allowed_ips.push(process.env.ALLOWED_IP_ADDRESSES.split(" ")) + module.exports = config;
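Review bot: The new `ipfilter` default in the first `app/server/config.js` hunk is fail-open and undocumented: an empty `allowed_ips` means no filtering at all, which is what the `length > 0` guard in `app.js` relies on. A comment above the key such as `// empty list = IP filtering disabled, every client address is accepted` would make that explicit. The hunk also drops the trailing comma after the closing brace of the preceding nested block (`},` becomes `}`), which is inconsistent with the rest of the object literal. `configDefault` starts and ends outside the hunk.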
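Review bot: In the second `app/server/config.js` hunk, `push(process.env.ALLOWED_IP_ADDRESSES.split(" "))` appends the whole split array as one nested element, so `allowed_ips` ends up as `[[...]]` rather than a flat list of addresses. express-ipfilter documents a nested array as a start/end address range, so two addresses in the variable would be read as a range covering everything between them rather than as two individual entries. Spread the values and skip empty tokens: `config.ipfilter.allowed_ips.push(...process.env.ALLOWED_IP_ADDRESSES.split(/\s+/).filter(Boolean));`. As written the variable extends rather than replaces any list from the config file, which should be stated where the variable is documented.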