Skip to main content
Table of contents

Security

Block access to arbitrary URLs in the GOV.UK estate

During a recent security incident it became necessary to block a GOV.UK section in order to prevent access to sensitive data.

A quick way to achieve this is to manually add a location block to the NGINX configuration on the cache machines or instances serving the affected pages.

In order to block <LEAK_URL> on <INSTANCE_CLASS> in <GOVUK_ENVIRONMENT>:

  1. Find out from which <INSTANCE_CLASS> <LEAK_URL> is served.
  • For GOV.UK content, this can be done via the content-api: https://www.gov.uk/api/content/<LEAK_URL> or by using the GOV.UK browser extension.
  • For external/independent applications, e.g. CKAN, you may need to consult the respective routing table to find out from which machine the content is served.
  • Another option to determine on which machine class an app is running is to consult the GOV.UK architecture overview.
  1. Disable Puppet on the respective <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'govuk_puppet --disable "RE:GOV.UK Temporary override nginx.conf in order to block <LEAK_URL>"'
    
  2. Edit /etc/nginx/nginx.conf on the <INSTANCE_CLASS> to add a location block to the server block, forcing to return 403 FORBIDDEN, e.g.

    server {
    (...)
      location /<LEAK_URL>/ {
        return 403;
      }
    }
    

    Location blocks are not limited to absolute paths, but can also include regular expressions if prefixed by the ~ operator. See the additonal external documentation (here)(Digital ocean) and (here)(Linode) for examples.

    Note:

    When using location blocks in general and regular expressions in particular take extra care to not accidentally block unaffected pages as a side effect.

  3. Test the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'sudo service nginx configtest'
    

    If the configuration test is successful, e.g. returns out: nginx: configuration file /etc/nginx/nginx.conf test is successful

  4. Reload the NGINX configuration, e.g. via Fabric

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS> do:'sudo service nginx restart'
    
  5. To make sure the change of configuration was successful, try to browse https://www.gov.uk/<LEAK_URL>

  6. To make the change permanent there are different options, ranging from additional vhost configuration inline in the respective Puppet class of the app (example PR) or introduce a separate NGINX configuration template for the app if more complex changes are required (example PR).
    Alternatively, changes to the app may remove the offending content.

  7. Finally, re-enable Puppet on the <INSTANCE_CLASS>, e.g. via Fabric:

    fab <GOVUK_ENVIRONMENT> class:<INSTANCE_CLASS>  do:'govuk_puppet --enable'
    

Additional documentation of NGINX location block configuration:

This page was last reviewed on 2 September 2019. It needs to be reviewed again on 2 March 2020 by the page owner #re-govuk .
This page was set to be reviewed before 2 March 2020 by the page owner #re-govuk. This might mean the content is out of date.