diff --git a/production/nginx/http-acl.conf b/production/nginx/http-acl.conf
new file mode 100644
index 000000000..9fa2d6493
--- /dev/null
+++ b/production/nginx/http-acl.conf
@@ -0,0 +1,6 @@
+# used for "internal" API restriction
+geo $remote_addr $mempool_external {
+ 127.0.0.1 '';
+ ::1 '';
+ default 1;
+}
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
index bee4ce50d..49bda31a4 100644
--- a/production/nginx/location-api.conf
+++ b/production/nginx/location-api.conf
@@ -4,10 +4,17 @@
 # Block the internal APIs of esplora
 location /api/internal/ {
- return 403;
+ if ($mempool_external) {
+ return 403;
+ }
+ rewrite ^/api/(.*) /$1 break;
+ try_files /dev/null @esplora-api-cache-disabled;
 }
 location /api/v1/internal/ {
- return 403;
+ if ($mempool_external) {
+ return 403;
+ }
+ try_files /dev/null @mempool-api-v1-cache-normal;
 }
 # websocket has special HTTP headers
diff --git a/production/nginx/nginx.conf b/production/nginx/nginx.conf
index c08005d14..3646dd316 100644
--- a/production/nginx/nginx.conf
+++ b/production/nginx/nginx.conf
@@ -19,6 +19,7 @@ http {
 # HTTP basic configuration
 include mempool/production/nginx/http-basic.conf;
+ include mempool/production/nginx/http-acl.conf;
 include mempool/production/nginx/http-proxy-cache.conf;
 include mempool/production/nginx/http-language.conf;
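Review bot: In `production/nginx/http-acl.conf` the `geo` block decides "internal" purely from `$remote_addr`, so the ACL is only as strong as the guarantee that outside traffic never reaches nginx from a loopback peer. If any listener is fed by a same-host forwarder (a TLS terminator, an onion-service daemon, another proxy), those requests would presumably arrive as `127.0.0.1` or `::1` and get an empty `$mempool_external`. Likewise, if the realip module rewrites `$remote_addr`, the decision inherits the trust placed in `set_real_ip_from`; neither is visible in this diff. I would state the assumption above the block, e.g. `# trust boundary: loopback TCP peers only; do not front this nginx with a same-host proxy, and keep set_real_ip_from limited to trusted sources`.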
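Review bot: In `production/nginx/location-api.conf` the context comment `# Block the internal APIs of esplora` is stale after this change, because `/api/internal/` and `/api/v1/internal/` now serve loopback clients and return 403 only when `$mempool_external` is set. Suggest rewording it to `# Internal APIs: served to loopback clients only, 403 for everyone else (see http-acl.conf)`. Both are plain prefix locations, so a regex location elsewhere in the server block that matches these paths would be selected instead and skip the check; if that can happen here, `location ^~ /api/internal/` and `location ^~ /api/v1/internal/` would pin the match. The two branches also hand off to different cache tiers (`@esplora-api-cache-disabled` and `@mempool-api-v1-cache-normal`), defined outside this diff, so a one-line comment on why internal v1 responses may be cached would help the next reader.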