[ingress-nginx] Proper way of restricting ingress subpaths?

I’ve been struggling a bit with trying to use a location-snippet annotation on an ingress to restrict a subpath of the ingress with an IP ACL. The root of the ingress can use whitelist-source-range annotation, but I want subpaths to have a different CIDR range (or more likely, no restriction at the root and a restriction on subpaths).

I’ve tried a nested location block but ran into roadblocks with needing to define proxy_pass again and it failing if no service endpoints are available yet. I’ve tried keying off of $upstream_proxy_name, but that still appears to want to resolve the proxy_pass just the same at reload time.

Finally, I tried using a geo block for CIDR matching and an if block to return a 403, but if is really limited in nginx and doesn’t allow ANDs/ORs so I can’t match against a request URI and geo match.

Are there any clever tricks to use a snippet to accomplish this? Or do I need to make a redundant ingress on the subpath and use whitelist-source-range for it? The biggest downfall of that would be I couldn’t use a regex for the path.
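An added example, not part of the original post: the usual nginx workaround for the single-condition `if` described above is to join the `geo` result and the path into one string with `map`, then test the mapped variable. The CIDR, the `/admin` path and the variable names are constructed, and placing the blocks through ingress-nginx's `http-snippet` ConfigMap key and a `server-snippet` annotation is an assumption about the deployment.

```nginx
# --- http context (assumed: controller ConfigMap key "http-snippet") ---

# 1 if the client address is inside the allowed range, else 0.
# geo keys off $remote_addr by default, so the controller must already
# see the real client IP (proxy protocol / forwarded headers configured).
geo $subpath_src_allowed {
    default        0;
    10.0.0.0/8     1;   # constructed sample CIDR
}

# Combine both conditions into one string and match it once.
# $uri is the normalized request path, so encoded or dot-segment
# variants of the path are compared in their decoded form.
map "$subpath_src_allowed:$uri" $subpath_denied {
    default               0;
    "~^0:/admin(/|$)"     1;   # outside the CIDR AND under /admin
}

# --- server context (assumed: "server-snippet" annotation) ---

# A single-variable test is all that `if` has to do here; the AND
# was already evaluated by the map above.
if ($subpath_denied) {
    return 403;
}
```

The regex in the `map` can cover several subpaths at once, and the root path stays unrestricted because it falls through to `default 0`.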