Skip to main content
Table of contents

Security

Block access to arbitrary URLs in the GOV.UK estate

During a recent security incident it became necessary to block a GOV.UK section in order to prevent access to sensitive data.

A quick way to achieve this is to manually add a location block to the NGINX configuration on the cache machines or instances serving the affected pages.

In order to block <LEAK_URL> on <INSTANCE_CLASS> in <GOVUK_ENVIRONMENT>:

  1. Find out which <INSTANCE_CLASS> serves <LEAK_URL>.
  • For GOV.UK content, this can be done via the content-api: https://www.gov.uk/api/content/<LEAK_URL> or by using the GOV.UK browser extension.
  • For external/independent applications, e.g. CKAN, you may need to consult the respective routing table to find out from which machine the content is served.
  • Another option to determine which machine class runs an app is to consult the GOV.UK architecture overview.

  1. Disable Puppet on the respective <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'govuk_puppet --disable "RE:GOV.UK Temporary override nginx.conf in order to block <LEAK_URL>"'

  2. Edit /etc/nginx/nginx.conf on the <INSTANCE_CLASS> to add a location block to the server block, forcing to return 403 FORBIDDEN, e.g.

    server {
(...)
  location /<LEAK_URL>/ {
    return 403;
  }
}

    Location blocks are not limited to absolute paths, but can also include regular expressions if prefixed by the ~ operator. See the additonal external documentation [here][Digital ocean] and [here][Linode] for examples.

    Note:

    When using location blocks in general and regular expressions in particular take extra care to not accidentally block unaffected pages as a side effect.

  3. Test the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'sudo service nginx configtest'

    If the configuration test is successful, e.g. returns out: nginx: configuration file /etc/nginx/nginx.conf test is successful

  4. Reload the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'sudo service nginx restart'

  5. To make sure the change of configuration was successful, try to browse https://www.gov.uk/<LEAK_URL>

  6. To make the change permanent there are different options, ranging from additional vhost configuration inline in the respective Puppet class of the app (example PR) or introduce a separate NGINX configuration template for the app if more complex changes are required (example PR).
    Alternatively, changes to the app may remove the offending content.

  7. Finally, re-enable Puppet on the <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'govuk_puppet --enable'

Additional documentation of NGINX location block configuration:

  • [Digital ocean]: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
  • [Linode]: https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/#location-blocks

More in the Security section

How to...

This page was last reviewed on 30 March 2020. It needs to be reviewed again on 30 September 2020 by the page owner #re-govuk .
This page was set to be reviewed before 30 September 2020 by the page owner #re-govuk. This might mean the content is out of date.