Spike: Front Door WAF rules to block crawling on invalid paths (#2613) #223

Open

shaheislamdfe wants to merge 4 commits into master from 2613-spike-fd-block-by-path

Conversation

@shaheislamdfe (Contributor)

What

Add block_paths variable to the environment_domains module that creates custom WAF rules to block requests matching specified URL patterns.

Why

Ticket #2613 — Front Door should block web crawling on invalid paths (e.g. .php, .asp, /wp-admin) at the WAF level before requests reach the origin.

How

  • New block_paths variable accepts a list of rule objects with name, priority, patterns, and optional operator
  • Dynamic custom_rule blocks added to the existing rate-limit firewall policy in the terraform-modules repo (branch 2613-spike-fd-block-by-path)
  • Review config with two rules: BlockPHP (.php, .asp, .aspx) and BlockWordPress (/wp-admin, /wp-login, /wp-content)
  • Makefile targets added for review-domains-plan, review-domains-apply, review-domains-destroy

Testing

Deploy to review domain and verify:

```sh
# Should be blocked (429)
curl -I https://review.technical-guidance.education.gov.uk/test.php
curl -I https://review.technical-guidance.education.gov.uk/wp-admin/

# Should pass through (200)
curl -I https://review.technical-guidance.education.gov.uk/
```

Notes

  • Spike/POC — not intended for production merge as-is
  • WAF currently returns 429; production should use 403
  • Depends on terraform-modules branch 2613-spike-fd-block-by-path

Add block_paths variable to environment_domains module that creates
custom WAF rules to block requests matching specified URL patterns
(e.g. .php, .asp, /wp-admin).

Review config included with placeholder origin hostname.

Ticket: #2613
shaheislamdfe requested a review from a team as a code owner on March 18, 2026 17:15
…-by-path

# Conflicts:
#	terraform/application/.terraform.lock.hcl
#	terraform/domains/environment_domains/.terraform.lock.hcl
@shaheislamdfe (Contributor, Author)

shaheislamdfe commented Mar 18, 2026

Date: 2026-03-18
Environment: Review (Front Door custom domain)
URL: https://review.technical-guidance.education.gov.uk

Infrastructure Deployed

  • `azurerm_cdn_frontdoor_firewall_policy.rate_limit[0]` (`technicalgedurvRateLimitFirewallPolicy`)
  • `azurerm_cdn_frontdoor_security_policy.rate_limit[0]` (`rvRateLimitSecurityPolicy`)
  • 13 resources total (endpoint, origin, custom domain, DNS, WAF policy, security policy, route, rule set)

WAF Rules

| Rule | Priority | Operator | Patterns |
| --- | --- | --- | --- |
| BlockPHP | 20 | EndsWith | .php, .asp, .aspx |
| BlockWordPress | 21 | Contains | /wp-admin, /wp-login, /wp-content |

Test Results

All blocked paths correctly returned HTTP 429 from the WAF. Non-matching paths passed through to the origin.

```
❯ curl -kI https://review.technical-guidance.education.gov.uk/test.php
HTTP/2 429

❯ curl -kI https://review.technical-guidance.education.gov.uk/wp-admin/
HTTP/2 429

❯ curl -kI https://review.technical-guidance.education.gov.uk/page.asp
HTTP/2 429

❯ curl -kI https://review.technical-guidance.education.gov.uk/
HTTP/2 404
```

The final request was not blocked and passed through to the origin (404 because the review app was not deployed due to an unrelated Snyk failure).
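As an added illustration of the mechanism described in the PR's "How" section and the rules table above (example code, not the PR's own change or the terraform-modules branch), this is one way a `block_paths` variable can drive dynamic `custom_rule` blocks on an `azurerm_cdn_frontdoor_firewall_policy`; the policy name, resource group, SKU and tfvars file name are assumed placeholders.

```hcl
# Added example, not the module's actual code. Assumed shape: a list of rule objects
# consumed by dynamic custom_rule blocks on the existing rate-limit firewall policy.
variable "block_paths" {
  description = "Custom WAF rules that block requests whose URI matches the given patterns."
  type = list(object({
    name     = string
    priority = number
    patterns = list(string)
    operator = optional(string, "EndsWith") # Front Door operators include EndsWith, Contains, BeginsWith, RegEx
  }))
  default = []
}

resource "azurerm_cdn_frontdoor_firewall_policy" "rate_limit" {
  name                = "placeholderRateLimitFirewallPolicy" # placeholder
  resource_group_name = "placeholder-rg"                     # placeholder
  sku_name            = "Premium_AzureFrontDoor"             # assumed SKU
  mode                = "Prevention"
  # Policy-wide status code returned for every Block action, the rules below included.
  # The review deployment above returns 429; the PR notes say production should use 403.
  custom_block_response_status_code = 403

  # The policy's existing rate-limit custom_rule (type = "RateLimitRule") is omitted here.
  dynamic "custom_rule" {
    for_each = var.block_paths
    content {
      name     = custom_rule.value.name
      enabled  = true
      priority = custom_rule.value.priority
      type     = "MatchRule"
      action   = "Block"

      match_condition {
        # RequestUri is the full URI (path plus query string), so an EndsWith match on an
        # extension only fires when no query string follows; Contains or RegEx is broader.
        match_variable     = "RequestUri"
        operator           = custom_rule.value.operator
        negation_condition = false
        match_values       = custom_rule.value.patterns
        transforms         = ["Lowercase"] # match patterns case-insensitively
      }
    }
  }
}

# review.tfvars (assumed file name): the two rules from the table above.
# block_paths = [
#   { name = "BlockPHP",       priority = 20, patterns = [".php", ".asp", ".aspx"] },
#   { name = "BlockWordPress", priority = 21, patterns = ["/wp-admin", "/wp-login", "/wp-content"], operator = "Contains" },
# ]
```

Keep custom-rule priorities unique within the policy and below any catch-all rate-limit rule so the path blocks are evaluated first.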

@github-actions

github-actions bot commented Apr 2, 2026

Review app deployed to https://technical-guidance-223.test.teacherservices.cloud/
