diff --git a/server.coffee b/server.coffee
index 873fca2..55b6d8b 100644
--- a/server.coffee
+++ b/server.coffee
@@ -6,6 +6,7 @@ QueryString = require 'querystring'
 
 port = process.env.PORT || 8081
 version = "0.3.0"
+excluded = process.env.CAMO_HOST_EXCLUSIONS || '*.example.org'
 shared_key = process.env.CAMO_KEY || '0x24FEEDFACEDEADBEEFCAFE'
 logging_enabled = process.env.CAMO_LOGGING_ENABLED || "disabled"
 pidfile = process.env.PIDFILE || 'tmp/camo.pid'
@@ -16,6 +17,9 @@ log = (msg) ->
 console.log(msg)
 console.log("--------------------------------------------")
 
+EXCLUDED_HOSTS = new RegExp(excluded.replace(".", "\\.").replace("*", "\\.*"))
+RESTRICTED_IPS = /^(10\.)|(127\.)|(169\.254)|(192\.168)|(172\.(1[6-9])|(2[0-9])|(3[0-1]))/
+
 server = Http.createServer (req, resp) ->
 if req.method != 'GET' || req.url == '/'
 resp.writeHead 200
@@ -53,7 +57,10 @@ server = Http.createServer (req, resp) ->
 if hmac_digest == query_digest
 url = Url.parse query_params.url
 
- if url.host?
+ if url.host? && !url.host.match(RESTRICTED_IPS)
+ if url.host.match(EXCLUDED_HOSTS)
+ return four_oh_four("Hitting excluded hostnames")
+
 src = Http.createClient url.port || 80, url.hostname
 
 src.on 'error', (error) ->
@@ -113,7 +120,7 @@ server = Http.createServer (req, resp) ->
 
 srcReq.end()
 else
- four_oh_four("No host found")
+ four_oh_four("No host found #{url.host}")
 else
 four_oh_four("checksum mismatch #{hmac_digest}:#{query_digest}")
 else
diff --git a/test/proxy_test.rb b/test/proxy_test.rb
index 452f84d..4c49308 100644
--- a/test/proxy_test.rb
+++ b/test/proxy_test.rb
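Review bot: The `^` anchor in `RESTRICTED_IPS` binds only to the first alternative, and `(2[0-9])` and `(3[0-1])` are alternatives of the whole pattern rather than of `172\.`, so `url.host.match(RESTRICTED_IPS)` rejects any public hostname that merely contains "25" or "30" (a constructed example: `cdn25.example.com`), while the 172.16–31 tests pass only by that accident. Grouping and anchoring the octets fixes both problems: `RESTRICTED_IPS = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/`. `EXCLUDED_HOSTS` has a related defect: `String.replace` with a string pattern rewrites only the first `.` and the first `*`, and `"\\.*"` expands to "zero or more literal dots" rather than a wildcard, so in a pattern such as `*.internal.example.org` the remaining dots stay regex metacharacters and the expression is unanchored. `EXCLUDED_HOSTS = new RegExp("^" + excluded.replace(/\./g, "\\.").replace(/\*/g, ".*") + "$")` produces the glob the default value implies. Both expressions are matched against `url.host`, which in Node's url module I believe can carry a `:port` suffix, so an end anchor should be applied to `url.hostname` (the value already passed to `Http.createClient`) rather than `url.host`.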
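Review bot: A host that matches `RESTRICTED_IPS` now falls through to the `else` branch of the third hunk and is reported as `"No host found #{url.host}"` (the message changed in the fourth hunk), which misdescribes the reason and merges two different rejection causes in the logs. Mirroring the exclusion check keeps the condition readable and the message accurate: keep `if url.host?` as the outer test and put `if url.host.match(RESTRICTED_IPS)` / `return four_oh_four("Hitting restricted IP range")` ahead of the `EXCLUDED_HOSTS` check, dropping the `&& !url.host.match(...)` from the outer condition. Both checks inspect only the literal host string, so a hostname that resolves to one of these ranges is not covered by them; that limit deserves a comment above the check, e.g. `# Textual host check only — does not cover names that resolve to private addresses`. The enclosing `Http.createServer` callback starts and ends outside the hunk.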
@@ -62,4 +62,36 @@ def test_404s_on_non_image_content_type
 request('https://github.com/atmos/cinderella/raw/master/bootstrap.sh')
 end
 end
+
+ def test_404s_on_10_0_ip_range
+ assert_raise RestClient::ResourceNotFound do
+ request('http://10.0.0.1/foo.cgi')
+ end
+ end
+
+ 16.upto(31) do |i|
+ define_method :"test_404s_on_172_#{i}_ip_range" do
+ assert_raise RestClient::ResourceNotFound do
+ request("http://172.#{i}.0.1/foo.cgi")
+ end
+ end
+ end
+
+ def test_404s_on_169_254_ip_range
+ assert_raise RestClient::ResourceNotFound do
+ request('http://169.254.0.1/foo.cgi')
+ end
+ end
+
+ def test_404s_on_192_168_ip_range
+ assert_raise RestClient::ResourceNotFound do
+ request('http://192.168.0.1/foo.cgi')
+ end
+ end
+
+ def test_404s_on_environmental_excludes
+ assert_raise RestClient::ResourceNotFound do
+ request('http://iphone.internal.example.org/foo.cgi')
+ end
+ end
 end
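Review bot: The new tests cover only the blocking side of `RESTRICTED_IPS`, and none exercises the `127\.` loopback alternative that the regex in server.coffee lists, so that branch ships untested. A loopback case in the same shape as `test_404s_on_10_0_ip_range` closes the gap (below). The suite also has no negative test that a public hostname merely containing the digits "25" or "30" is still proxied; because the regex's `(2[0-9])` and `(3[0-1])` alternatives are unanchored, such a test would currently fail and is the one most worth adding — its exact assertion depends on what the `request` helper (defined outside the hunk) returns on success, so I have not sketched it. The `16.upto(31)` loop generating `define_method` tests is fine as written, though a single parameterised assertion over `[16, 24, 31]` would run faster without losing the boundary coverage.
```ruby
  # … unchanged: 10.x, 172.x, 169.254, 192.168 and exclusion tests …
  def test_404s_on_127_ip_range
    assert_raise RestClient::ResourceNotFound do
      request('http://127.0.0.1/foo.cgi')
    end
  end
```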