First of all, nice question. You got me there: I had to search for a decent way of doing it, but I could not find one. (So I will try to give you a "cowboy" answer for your problem that may work.)
What I think may work is to map the IPs, giving each one a value depending on which of the 3 groups you stated it belongs to.
    map $remote_addr $perm_group {
        1.1.1.1.1 2; # IPs that don't need basic_auth
        1.1.1.1.2 1; # Basic_auth IPs
        default   0; # Banned IPs
    }
Then at the server bracket:
    # http context, next to the map above: auth_basic is not allowed inside
    # "if", so choose the realm with a second map ("off" disables auth).
    map $perm_group $auth_realm {
        2       off;           # IPs that don't need basic_auth
        default "Restricted";  # Basic_auth IPs
    }

    server {
        listen 80;
        server_name example.com;

        if ($perm_group = 0) {
            return 403; # blacklisted IPs get a 403
        }

        auth_basic $auth_realm;
        auth_basic_user_file /etc/nginx/yourAuthFile; # make a file with user/password

        # anything else is allowed, so we go on with the normal handling
        location / {
            # do what you need to do here
        }
    }
This is the first time I have written this kind of code, but it should work. Comment with any error and we'll debug it if anything goes wrong.
If it's a big number of IPs that you want to sort into groups, you can include in the map the file where the IPs are sorted, so you can keep your nginx configuration clean.
Hope I helped.
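
An added example, not part of the original answer: the same three-group idea with the address list kept in an included file. It goes beyond the answer by using `geo` instead of `map`, so CIDR ranges can be matched. The include path and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```nginx
# http context. geo matches CIDR ranges against $remote_addr; map only
# compares exact strings, so a whole /24 would need 256 map entries.
geo $perm_group {
    default 0;                            # everyone not listed: banned
    include /etc/nginx/perm_groups.conf;  # hypothetical path, one "address value;" per line
}

# Contents of /etc/nginx/perm_groups.conf (constructed sample):
#   192.0.2.0/24     2;   # no basic auth needed
#   198.51.100.0/24  1;   # basic auth required
#   198.51.100.7     0;   # most specific match wins: this host is banned

# Translate the group into an auth_basic realm. The special value "off"
# disables authentication for that request.
map $perm_group $auth_realm {
    2       off;
    default "Restricted";
}

server {
    listen 80;
    server_name example.com;

    # Banned group never reaches the auth or content phases.
    if ($perm_group = 0) {
        return 403;
    }

    auth_basic           $auth_realm;
    auth_basic_user_file /etc/nginx/yourAuthFile;

    location / {
        # normal handling
    }
}
```

Check the result with `nginx -t` before reloading. If nginx sits behind a load balancer or reverse proxy, `$remote_addr` is that proxy's address unless the realip module is configured, so every client would land in the same group.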