diff --git a/d1/nginx_config.py b/d1/nginx_config.py
index 17d2172..f722554 100644
--- a/d1/nginx_config.py
+++ b/d1/nginx_config.py
@@ -1,4 +1,5 @@
 import json
+import socket
 import os
 import io
 import sys
@@ -291,6 +292,11 @@ stream {
     if 'default_server' in ssl_nginx:
         server = ssl_nginx['default_server']
 
+        if 'metrics_allowed' in server:
+            metrics_allowed_ip = socket.gethostbyname(server['metrics_allowed'])
+        else:
+            metrics_allowed_ip = '127.0.0.1'
+
         servers.append(
             r'''
 server {
@@ -300,8 +306,9 @@ server {
   location = /_metrics {
     stub_status;
     access_log off;
-    allow 172.0.0.0/8;
-    allow 127.0.0.1;
+    # allow 172.0.0.0/8;
+    allow {metrics_allowed_ip};
+    # allow 127.0.0.1;
     deny all;
   }
 
@@ -335,6 +342,8 @@ server {
                   '{domain_key}', server['domain_key'],
               ).replace(
                   '{ssl_port}', '%d' % ssl_port,
+              ).replace(
+                  '{metrics_allowed_ip}', metrics_allowed_ip
               )
         )