Skip to main content
Table of contents

Security

Block access to arbitrary URLs in the GOV.UK estate

During a recent security incident it became necessary to block a GOV.UK section in order to prevent access to sensitive data.

A quick way to achieve this is to manually add a location block to the NGINX configuration on the cache machines or instances serving the affected pages.

In order to block <LEAK_URL> on <INSTANCE_CLASS> in <GOVUK_ENVIRONMENT>:

  1. Find out which <INSTANCE_CLASS> serves <LEAK_URL>.
  • For GOV.UK content, this can be done via the content-api: https://www.gov.uk/api/content/<LEAK_URL> or by using the GOV.UK browser extension.
  • For external/independent applications, e.g. CKAN, you may need to consult the respective routing table to find out from which machine the content is served.
  • Another option to determine which machine class runs an app is to consult the GOV.UK architecture overview.
  1. Disable Puppet on the respective <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'govuk_puppet --disable "RE:GOV.UK Temporary override nginx.conf in order to block <LEAK_URL>"'
    
  2. Edit /etc/nginx/nginx.conf on the <INSTANCE_CLASS> to add a location block to the server block, forcing to return 403 FORBIDDEN, e.g.

    server {
    (...)
      location /<LEAK_URL>/ {
        return 403;
      }
    }
    

    Location blocks are not limited to absolute paths, but can also include regular expressions if prefixed by the ~ operator. See the additonal external documentation [here][Digital ocean] and [here][Linode] for examples.

    Note:

    When using location blocks in general and regular expressions in particular take extra care to not accidentally block unaffected pages as a side effect.

  3. Test the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'sudo service nginx configtest'
    

    If the configuration test is successful, e.g. returns out: nginx: configuration file /etc/nginx/nginx.conf test is successful

  4. Reload the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'sudo service nginx restart'
    
  5. To make sure the change of configuration was successful, try to browse https://www.gov.uk/<LEAK_URL>

  6. To make the change permanent there are different options, ranging from additional vhost configuration inline in the respective Puppet class of the app (example PR) or introduce a separate NGINX configuration template for the app if more complex changes are required (example PR).
    Alternatively, changes to the app may remove the offending content.

  7. Finally, re-enable Puppet on the <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'govuk_puppet --enable'
    

Additional documentation of NGINX location block configuration:

  • [Digital ocean]: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
  • [Linode]: https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/#location-blocks
This page was last reviewed on 30 March 2020. It needs to be reviewed again on 30 September 2020 by the page owner #re-govuk .
This page was set to be reviewed before 30 September 2020 by the page owner #re-govuk. This might mean the content is out of date.