diff --git a/data/deployments/admin/common.yaml b/data/deployments/admin/common.yaml
--- a/data/deployments/admin/common.yaml
+++ b/data/deployments/admin/common.yaml
@@ -3,6 +3,10 @@
 swh::deploy::reverse_proxy::services:
   - hedgedoc
+swh::deploy::reverse_proxy::vhost_forbidden_access:
+  swh-rproxy3.inria.fr:
+    - 128.93.166.10
+
 swh::postgresql::shared_buffers: 4GB
 swh::deploy::hedgedoc::reverse_proxy::backend_http_host: bardo.internal.admin.swh.network
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
--- a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
@@ -96,4 +96,14 @@
       tag => 'icinga2::exported',
     }
   }
+
+  $forbidden_vhosts = lookup('swh::deploy::reverse_proxy::vhost_forbidden_access')
+
+  each($forbidden_vhosts) |$vhost_name, $vhost_aliases| {
+    ::profile::varnish::vhost {$vhost_name:
+      order => "90",
+      aliases => $vhost_aliases,
+      forbidden => true,
+    }
+  }
 }
diff --git a/site-modules/profile/manifests/varnish/vhost.pp b/site-modules/profile/manifests/varnish/vhost.pp
--- a/site-modules/profile/manifests/varnish/vhost.pp
+++ b/site-modules/profile/manifests/varnish/vhost.pp
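Review bot: The new `swh::deploy::reverse_proxy::vhost_forbidden_access` key carries no comment describing its shape, and a hostname keyed to a bare IP address is not self-explanatory to the next editor; reverse_proxy.pp iterates it as a hash of vhost name to a list of aliases, all of which varnish will answer with 403. A one-line comment above the key, `# vhost name => extra Host header values (aliases, incl. raw IPs) that varnish refuses with 403`, would make the intent and the expected structure clear.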
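Review bot: The `lookup('swh::deploy::reverse_proxy::vhost_forbidden_access')` added in reverse_proxy.pp has no default, so any node that includes this class on a deployment whose hiera data does not define the key fails at catalog compilation; the only data this commit adds is under `data/deployments/admin/`. Unless the key is also defined at a hierarchy level not shown here, give the lookup a typed default so the `each` is simply a no-op elsewhere: `$forbidden_vhosts = lookup('swh::deploy::reverse_proxy::vhost_forbidden_access', Hash[String, Array[String]], 'first', {})`. As a style point, `order => '90'` (single quotes for a non-interpolated string, as `'01'` and `'50'` in vhost.pp) would keep the module consistent with puppet-lint's default. The enclosing class body begins before this hunk.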
@@ -4,22 +4,31 @@
   String $servername = $title,
   String $order = '50',
   Array[String] $aliases = [],
-  String $backend_name,
-  String $backend_http_host,
-  String $backend_http_port,
+  Variant[Undef, String] $backend_name = undef,
+  Variant[Undef, String] $backend_http_host = undef,
+  Variant[Undef, String] $backend_http_port = undef,
   Boolean $websocket_support = false,
   Optional[String] $vcl_recv_extra = undef,
   Optional[String] $vcl_deliver_extra = undef,
   Variant[Undef, String, Integer[1]] $hsts_max_age = undef,
+  Boolean $forbidden = false,
 ) {
-  ::profile::varnish::vcl_include {$backend_name:
-    order => '01',
-    content => template('profile/varnish/backend.vcl.erb'),
+  if $forbidden {
+    ::profile::varnish::vcl_include {"vhost_forbidden_access_${servername}":
+      order => $order,
+      content => template('profile/varnish/vhost_forbidden_access.vcl.erb'),
+    }
   }
+  else {
+    ::profile::varnish::vcl_include {$backend_name:
+      order => '01',
+      content => template('profile/varnish/backend.vcl.erb'),
+    }
-  ::profile::varnish::vcl_include {"vhost_${servername}":
-    order => $order,
-    content => template('profile/varnish/vhost.vcl.erb'),
+    ::profile::varnish::vcl_include {"vhost_${servername}":
+      order => $order,
+      content => template('profile/varnish/vhost.vcl.erb'),
+    }
   }
 }
diff --git a/site-modules/profile/templates/varnish/vhost_forbidden_access.vcl.erb b/site-modules/profile/templates/varnish/vhost_forbidden_access.vcl.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/varnish/vhost_forbidden_access.vcl.erb
@@ -0,0 +1,16 @@
+# vhost_forbidden_access_<%= @servername %>.vcl
+#
+# Settings for <%= @servername %> vhost to refuse access
+#
+# File managed by puppet. All modifications will be lost.
+
+sub vcl_recv {
+  if (
+<% @aliases.each do |alias_| -%>
+    req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" ||
+<% end -%>
+    req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
+  ) {
+    return(synth(403, "Forbidden access"));
+  }
+}
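Review bot: Relaxing `$backend_name`, `$backend_http_host` and `$backend_http_port` to `Variant[Undef, String]` with `undef` defaults removes the parameter check for every caller, yet the `else` branch still uses `$backend_name` as a resource title and the backend template presumably reads the other two, so a non-forbidden vhost declared without them now fails late with a missing-title or templating error instead of a clear parameter error. A guard at the top of the body restores the contract explicitly: `if !$forbidden and !($backend_name and $backend_http_host and $backend_http_port) {` / `  fail("profile::varnish::vhost ${servername}: backend_name, backend_http_host and backend_http_port are required unless forbidden")` / `}`. `Optional[String]` is also the idiomatic spelling already used for `$vcl_recv_extra` two lines below; `Variant[Undef, String]` is equivalent but inconsistent. The define's header line is outside the hunk.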
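Review bot: The new template's header does not say where this `vcl_recv` fragment sits relative to the other vhosts, which matters for its effect: reverse_proxy.pp includes it at order 90 while regular vhosts default to order '50' in vhost.pp, and Varnish concatenates every `sub vcl_recv` body in include order, so any earlier vhost fragment that matches the same Host and returns would presumably pre-empt this 403. Either state that in the header, e.g. `# Included after the regular vhost subs; an earlier sub that matches the same Host and returns wins over this 403.`, or include forbidden vhosts at a lower order so the refusal is evaluated first. The `Regexp.escape` on each alias is the right choice here, since the aliases from hiera include a raw IP address whose dots would otherwise be regex wildcards.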