Forbid connections from non-production environments unless on IP allo…

…wlist
alphagov · Sep 12, 2024 · 443fd1f · 443fd1f
1 parent fa87013
commit 443fd1f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/datagovuk/datagovuk.vcl.tftpl b/datagovuk/datagovuk.vcl.tftpl
@@ -47,6 +47,14 @@ acl allowed_ip_addresses {
 sub vcl_recv {
   ${indent(2, file("${module_path}/../shared/_boundary_headers.vcl.tftpl"))}
 
+  %{ if environment != "production" ~}
+  # Only allow connections from allowed IP addresses in non production environments
+  if (! (req.http.True-Client-IP ~ allowed_ip_addresses)) {
+    error 403 "Forbidden";
+  }
+  %{ endif ~}
+
+
   if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
     set req.http.Client-JA3 = tls.client.ja3_md5;