Security

Block access to arbitrary URLs in the GOV.UK estate

During a recent security incident it became necessary to block a GOV.UK section in order to prevent access to sensitive data.

A quick way to achieve this is to manually add a location block to the NGINX configuration on the cache machines or instances serving the affected pages.

In order to block <LEAK_URL> on <INSTANCE_CLASS> in <GOVUK_ENVIRONMENT>:

1. Find out from which <INSTANCE_CLASS> <LEAK_URL> is served.

• For GOV.UK content, this can be done via the content-api: https://www.gov.uk/api/content/<LEAK_URL> or by using the GOV.UK browser extension.
• For external/independent applications, e.g. CKAN, you may need to consult the respective routing table to find out from which machine the content is served.
• Another option to determine on which machine class an app is running is to consult the GOV.UK architecture overview.

1. Disable Puppet on the respective <INSTANCE_CLASS>, e.g. via Fabric:

   fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'govuk_puppet --disable "RE:GOV.UK Temporary override nginx.conf in order to block <LEAK_URL>"'
   

2. Edit /etc/nginx/nginx.conf on the <INSTANCE_CLASS> to add a location block to the server block, forcing to return 403 FORBIDDEN, e.g.

   server {
   (...)
     location /<LEAK_URL>/ {
       return 403;
     }
   }
   

   Location blocks are not limited to absolute paths, but can also include regular expressions if prefixed by the ~ operator. See the additonal external documentation (here)(Digital ocean) and (here)(Linode) for examples.

   Note:

   When using location blocks in general and regular expressions in particular take extra care to not accidentally block unaffected pages as a side effect.

3. Test the NGINX configuration, e.g. via Fabric

   fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'sudo service nginx configtest'
   

   If the configuration test is successful, e.g. returns out: nginx: configuration file /etc/nginx/nginx.conf test is successful

4. Reload the NGINX configuration, e.g. via Fabric

   fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'sudo service nginx restart'
   

5. To make sure the change of configuration was successful, try to browse https://www.gov.uk/<LEAK_URL>

6. To make the change permanent there are different options, ranging from additional vhost configuration inline in the respective Puppet class of the app (example PR) or introduce a separate NGINX configuration template for the app if more complex changes are required (example PR).
   Alternatively, changes to the app may remove the offending content.

7. Finally, re-enable Puppet on the <INSTANCE_CLASS>, e.g. via Fabric:

   fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'govuk_puppet --enable'
   

Additional documentation of NGINX location block configuration:

• Digital ocean
• Linode

More in the Security section

How to...

• Access to staging is limited to GDS office IPs
• Content Security Policy on GOV.UK
• Web Application Firewall (WAF) configuration

This page was last reviewed on 2 September 2019. It needs to be reviewed again on 2 March 2020 by the page owner #re-govuk .

This page was set to be reviewed before 2 March 2020 by the page owner #re-govuk. This might mean the content is out of date.