diff --git a/backend/templates/_access.conf b/backend/templates/_access.conf
index c06d8a6f..583322b3 100644
--- a/backend/templates/_access.conf
+++ b/backend/templates/_access.conf
@@ -2,17 +2,24 @@
 set $auth_basic "Authorization required";
 {% if access_list.satisfy_any == 1 %}
 # Satisfy Any - any check can succeed - so look for success
+ {% if access_list.clients.size != 0 %}
 if ( $access_list_{{ access_list_id }} = 1) {
- set $auth_basic off;
+ set $auth_basic off;
 }
+ {% endif %}
 if ( $ssl_client_verify = "SUCCESS" ) {
- set $auth_basic off;
+ set $auth_basic off;
 }
 {% else %}
 # Satisfy All - all checks must succeed (so handle fails)
+ {% if access_list.clients.size != 0 %}
+ # {{ access_list.clients.size }} IP rules
 if ( $access_list_{{ access_list_id }} = 0) {
 return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
 }
+ {% else %}
+ # Empty IP rules list so no client IP check
+ {% endif %}
 if ( $ssl_client_verify != "SUCCESS" ) {
 return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
 }
diff --git a/backend/templates/access.conf b/backend/templates/access.conf
index 90121fb4..7d2d663d 100644
--- a/backend/templates/access.conf
+++ b/backend/templates/access.conf
@@ -1,10 +1,6 @@
 # Access List Clients for {{ access_list.id }} - {{ access_list.name }}
 geo $realip_remote_addr $access_list_{{ access_list.id }} {
-{% if access_list.client.size == 0 %}
- default 1;
-{% else %}
 default 0;
-{% endif %}
 {% for client in access_list.clients %}
 {% if client.directive == "allow" %}
 {{client.address}} 1;
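Review bot: In `_access.conf` the satisfy-any branch emits nothing when the new `{% if access_list.clients.size != 0 %}` guard is false, whereas the satisfy-all branch records the skipped check with `# Empty IP rules list so no client IP check`. Since the guard removes an enforcement test at render time, I would add the same `{% else %}` comment to the satisfy-any branch so that someone auditing the generated config can see why the IP test is absent. The guard also reads `access_list.clients`, while the variable it protects is named from `access_list_id` (the geo template builds the name from `access_list.id`). Presumably the two always agree, but it is worth confirming both are set in this template's render context. The enclosing template block starts and ends outside the hunk.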
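Review bot: In `access.conf`, with `default 0;` now unconditional, a list without allow entries yields a geo variable that is 0 for every address, so nothing is rejected only as long as every consumer skips the variable when the list is empty, as `_access.conf` now does. Any other template that tests `$access_list_N` without that guard would reject all requests in satisfy-all mode. I would document the contract above the default, e.g. `# default deny: consumers must skip this variable when the list has no IP rules`. The removed condition read `access_list.client.size` (singular) while the loop iterates `access_list.clients`, so the `default 1` branch was probably never rendered. The geo block continues past the end of the hunk.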