diff --git a/.etckeeper b/.etckeeper
index d366d45..3d7352a 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -915,7 +915,7 @@ maybe chmod 0755 'glances'
 maybe chmod 0755 'glvnd'
 maybe chmod 0755 'glvnd/egl_vendor.d'
 maybe chmod 0755 'gnupg'
-maybe chmod 0640 'grc.conf'
+maybe chmod 0640 'grc.conf_'
 maybe chmod 0640 'grc.fish'
 maybe chmod 0640 'grc.zsh'
 maybe chmod 0755 'groff'
@@ -3914,6 +3914,9 @@ maybe chmod 0640 'nginx/.htpasswd'
 maybe chown 'nginx' 'nginx/.passwd-madalin'
 maybe chgrp 'nginx' 'nginx/.passwd-madalin'
 maybe chmod 0640 'nginx/.passwd-madalin'
+maybe chown 'nginx' 'nginx/allowed_clients.config'
+maybe chgrp 'nginx' 'nginx/allowed_clients.config'
+maybe chmod 0640 'nginx/allowed_clients.config'
 maybe chown 'nginx' 'nginx/conf.d'
 maybe chgrp 'nginx' 'nginx/conf.d'
 maybe chmod 0750 'nginx/conf.d'
@@ -4382,6 +4385,8 @@ maybe chmod 0640 'nginx/conf.d/mail.anywhere.ro.conf'
 maybe chown 'nginx' 'nginx/conf.d/mail.club3d.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/mail.club3d.ro.conf'
 maybe chmod 0640 'nginx/conf.d/mail.club3d.ro.conf'
+maybe chown 'nginx' 'nginx/conf.d/maintenance.898.ro.conf'
+maybe chgrp 'nginx' 'nginx/conf.d/maintenance.898.ro.conf'
 maybe chmod 0640 'nginx/conf.d/maintenance.898.ro.conf'
 maybe chown 'nginx' 'nginx/conf.d/mtr.898.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/mtr.898.ro.conf'
@@ -4455,6 +4460,12 @@ maybe chmod 0750 'nginx/html/.well-known'
 maybe chown 'nginx' 'nginx/html/.well-known/acme-challenge'
 maybe chgrp 'nginx' 'nginx/html/.well-known/acme-challenge'
 maybe chmod 0750 'nginx/html/.well-known/acme-challenge'
+maybe chown 'nginx' 'nginx/lb_maint_5x.config'
+maybe chgrp 'nginx' 'nginx/lb_maint_5x.config'
+maybe chmod 0640 'nginx/lb_maint_5x.config'
+maybe chown 'nginx' 'nginx/lb_maintenance.config'
+maybe chgrp 'nginx' 'nginx/lb_maintenance.config'
+maybe chmod 0640 'nginx/lb_maintenance.config'
 maybe chown 'nginx' 'nginx/mime.types'
 maybe chgrp 'nginx' 'nginx/mime.types'
 maybe chmod 0640 'nginx/mime.types'
@@ -4464,9 +4475,6 @@ maybe chmod 0640 'nginx/nginx.conf'
 maybe chown 'nginx' 'nginx/nginx.conf.cwaf_orig'
 maybe chgrp 'nginx' 'nginx/nginx.conf.cwaf_orig'
 maybe chmod 0640 'nginx/nginx.conf.cwaf_orig'
-maybe chown 'nginx' 'nginx/nginx.conf.rpmnew'
-maybe chgrp 'nginx' 'nginx/nginx.conf.rpmnew'
-maybe chmod 0640 'nginx/nginx.conf.rpmnew'
 maybe chown 'nginx' 'nginx/off'
 maybe chgrp 'nginx' 'nginx/off'
 maybe chmod 0640 'nginx/off'
diff --git a/grc.conf b/grc.conf_
similarity index 100%
rename from grc.conf
rename to grc.conf_
diff --git a/nginx/allowed_clients.config b/nginx/allowed_clients.config
new file mode 100644
index 0000000..8c856ec
--- /dev/null
+++ b/nginx/allowed_clients.config
@@ -0,0 +1,5 @@
+geo $allowed_clients {
+ default 0;
+ 192.168.1.0/24 1;
+ 188.26.227.57/32 1;
+}
diff --git a/nginx/conf.d/maintenance.898.ro.conf b/nginx/conf.d/maintenance.898.ro.conf
index b55dfb9..023a4a8 100644
--- a/nginx/conf.d/maintenance.898.ro.conf
+++ b/nginx/conf.d/maintenance.898.ro.conf
@@ -1,16 +1,22 @@ -# allow list - -geo $allow { - 192.168.1.0/24 allowed; - 188.26.227.57/32 allowed; -} +# whitelisted clients +include /etc/nginx/allowed_clients.config; server { listen 192.168.1.2:80; server_name maintenance.898.ro; root /var/www/html/maintenance; - index index.html; + access_log /var/log/nginx/maintenance.access.log; + error_log /var/log/nginx/maintenance.error.log notice; + # maintenance error page + include /etc/nginx/lb_maint_5x.config; + location / { + # maintenance logic + include /etc/nginx/lb_maintenance.config; + + index index.html; + } } +
diff --git a/nginx/lb_maint_5x.config b/nginx/lb_maint_5x.config
new file mode 100644
index 0000000..c932f9a
--- /dev/null
+++ b/nginx/lb_maint_5x.config
@@ -0,0 +1,5 @@
+error_page 503 /maintenance.html;
+
+location = /maintenance.html {
+ root /var/www/html/maintenance;
+}
diff --git a/nginx/lb_maintenance.config b/nginx/lb_maintenance.config
new file mode 100644
index 0000000..4bd44af
--- /dev/null
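Review bot: `geo $allowed_clients` in nginx/allowed_clients.config takes no source argument, so it matches on `$remote_addr`, and the `lb_` prefix of the sibling snippets suggests a balancer may sit in front of this host. If that balancer connects from 192.168.1.0/24, every request would evaluate to 1 and the allow list would no longer distinguish real clients. If that is the topology, declare the balancer inside the block with `proxy <LB_ADDRESS>;` (placeholder) so the client address is taken from X-Forwarded-For for that peer only. Otherwise a one-line comment stating that clients connect directly, and who the /32 entry belongs to, would record the assumption.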
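Review bot: The maintenance check in nginx/conf.d/maintenance.898.ro.conf is included only inside `location /`, so it covers only requests that end up in that location. Any location added to this server later is served to everyone during maintenance unless it repeats the include; a comment above the block such as `# every content location in this server must include lb_maintenance.config` would make that explicit. The snippet also depends on `$allowed_clients` from the include at the top of the file, which is worth stating next to it, for example `# defines $allowed_clients, required by lb_maintenance.config`.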
+++ b/nginx/lb_maintenance.config
@@ -0,0 +1,13 @@
+set $maintenance 0;
+
+if (-f /var/www/html/maintenance/maintenance.html) {
+ set $maintenance 1;
+}
+
+if ($allowed_clients != 1) {
+ set $maintenance "${maintenance}1";
+}
+
+if ($maintenance = 11) {
+ return 503;
+}
diff --git a/nginx/nginx.conf.rpmnew b/nginx/nginx.conf.rpmnew
deleted file mode 100644
index 5e076aa..0000000
--- a/nginx/nginx.conf.rpmnew
+++ /dev/null
@@ -1,32 +0,0 @@
-
-user nginx;
-worker_processes auto;
-
-error_log /var/log/nginx/error.log notice;
-pid /var/run/nginx.pid;
-
-
-events {
- worker_connections 1024;
-}
-
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- include /etc/nginx/conf.d/*.conf;
-}
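Review bot: The flag tested by `if (-f /var/www/html/maintenance/maintenance.html)` in nginx/lb_maintenance.config is the same file that lb_maint_5x.config serves as the 503 page, and it lives inside the vhost's document root. Any process or deploy step that can write to that directory therefore switches the site to 503 for everyone outside the allow list, and leaving the page in place after a rollout keeps maintenance on. A separate marker outside the web root, for example `if (-f <FLAG_PATH_OUTSIDE_DOCROOT>)` (placeholder), would decouple the switch from the page content. The `"${maintenance}1"` concatenation stands in for a logical AND and deserves a comment such as `# 11 = flag file present AND client not in $allowed_clients`.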