Remove previous IP_RANGES, use nginx init script to populate conf file.

.env.example

@@ -62,11 +62,14 @@ OAUTH_CLIENT_ID=
 OAUTH_TENANT_ID=
 OAUTH_CLIENT_SECRET=""
 
-# IP addresses, with optional CIDR notation. Separated by newlines & # comments.
-ALLOWED_IPS="
-# Home netowrk IP range - at http://intranet.docker/info.php > HTTP_X_REAL_IP
-192.168.0.0/16
-"
+# IP ranges in nginx geo format. 1 IP range per line, each range is followed by it's value.
+# @see https://nginx.org/en/docs/http/ngx_http_geo_module.html
+IPS_FORMATTED="
+proxy 172.17.0.0/16;
+proxy 172.25.0.0/16;
+
+192.168.65.1   1;
+192.168.65.3   2;"
 
 # The following 4 environment variables can be generated with `make key-gen`.
 JWT_SECRET="generated-key"

.github/workflows/deploy.yml

@@ -50,7 +50,6 @@ jobs:
           # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${{ secrets.AWS_CLOUDFRONT_PUBLIC_KEY_B }}"
           BASIC_AUTH_USER: ${{ secrets.BASIC_AUTH_USER }}
           BASIC_AUTH_PASS: ${{ secrets.BASIC_AUTH_PASS }}
-          IP_RANGES: ${{ inputs.ip_ranges }}
           IPS_FORMATTED: ${{ inputs.ips_formatted }}
           IGNORE_IP_RANGES: ${{ vars.IGNORE_IP_RANGES }}
         run: |
@@ -88,14 +87,11 @@ jobs:
           ## Nb. set IGNORE_IP_RANGES env var to `true` for the intended GH environment.
           
           if [ "$IGNORE_IP_RANGES" = "true" ]; then
-            IP_RANGES    =$'{"ignore":true}'
             IPS_FORMATTED=""
           fi
 
-          IP_RANGES_BASE64    =$(echo -n "$IP_RANGES"     | base64 -w 0)
           IPS_FORMATTED_BASE64=$(echo -n "$IPS_FORMATTED" | base64 -w 0)
 
-          export IP_RANGES_BASE64
           export IPS_FORMATTED_BASE64
 
 

.github/workflows/ip-ranges-configure.yml

@@ -3,9 +3,6 @@ name: "Get IP ranges"
 on:
   workflow_call:
     outputs:
-      ip_ranges:
-        description: "IPs Ranges"
-        value: ${{ jobs.get_ip_ranges.outputs.ip_ranges }}
       ips_formatted:
         description: "IPs Ranges (formatted)"
         value: ${{ jobs.get_ip_ranges.outputs.ips_formatted }}
@@ -15,7 +12,6 @@ jobs:
     name: "Build"
     runs-on: ubuntu-latest
     outputs:
-      ip_ranges: ${{ steps.get-ips.outputs.ip_ranges }}
       ips_formatted: ${{ steps.get-ips.outputs.ips_formatted }}
     steps:
       - name: "Checkout"
@@ -32,10 +28,7 @@ jobs:
         uses: mikefarah/yq@master
         with:
           cmd: |
-            IP_RANGES=$(yq 'explode(.) | {"deprecating": .deprecating_access_to_moj_intranet | flatten, "allow": .allow_access_to_moj_intranet | flatten }' -o json -I=0 moj-cidr-addresses.yml)
-            echo "ip_ranges=$IP_RANGES" >> $GITHUB_OUTPUT
-
-            # Transform into nginx geo format. 1 IP range per line, each range is followed by it's value.
+            # Transform IPs into nginx geo format. 1 IP range per line, each range is followed by it's value.
             # @see https://nginx.org/en/docs/http/ngx_http_geo_module.html
             ALLOW_VALUE=1
             DEPRI_VALUE=2

Dockerfile

@@ -75,8 +75,7 @@ RUN mkdir /var/run/nginx-cache && \
 # contains gzip and module include
 COPY --chown=nginx:nginx deploy/config/nginx.conf /etc/nginx/nginx.conf
 
-# Disabled on 22 July 2024 - no deployment init files for Nginx
-#COPY deploy/config/init/nginx-* /docker-entrypoint.d/
+COPY deploy/config/init/nginx-* /docker-entrypoint.d/
 
 RUN chmod +x /docker-entrypoint.d/*; \
     echo "# This file is configured at runtime." > /etc/nginx/real_ip.conf

deploy/config/init/nginx-geo.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "$IPS_FORMATTED" >> /etc/nginx/geo.conf

deploy/config/local/nginx/server.conf

@@ -28,16 +28,8 @@ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 
 
 geo $geo {
-    # Trusted IPs where 'X-Forwarded-For' is used.
-    proxy 172.17.0.0/16;
-    proxy 172.25.0.0/16;
-
-    # TODO
-    # read from include a .conf file
-    # Maybe use init script to substitude env vars
-    default        0;
-
-    192.168.65.1   1;
+    default 0;
+    include /etc/nginx/geo.conf;
 }
 
 server {

deploy/demo/config.yml

@@ -12,10 +12,3 @@ data:
   # See Azure Setup for more information on how to get these values.
   OAUTH_CLIENT_ID: "8d928bcf-c45e-41ec-aedf-059828aa6e3f"
   OAUTH_TENANT_ID: "c6874728-71e6-41fe-a9e1-2e8c36776ad8"
-  # IP addresses, with optional CIDR notation. Separated by newlines and using # for comments.
-  ALLOWED_IPS: |
-    # Global Protect
-    18.169.147.172
-    35.176.93.186
-    18.130.148.126
-    35.176.148.126

deploy/development/config.yml

@@ -11,6 +11,3 @@ data:
   # See Azure Setup for more information on how to get these values.
   OAUTH_CLIENT_ID: "1dac3cbf-91d2-4c0e-9c80-0bf3f8fabd75"
   OAUTH_TENANT_ID: "c6874728-71e6-41fe-a9e1-2e8c36776ad8"
-  # IP addresses, with optional CIDR notation. Separated by newlines and using # for comments.
-  # TODO: This block will be removed as part of CDPT-887.
-  ALLOWED_IPS: ""

deploy/development/secret.tpl.yml

@@ -27,7 +27,6 @@ metadata:
 type: Opaque
 data:
   AWS_CLOUDFRONT_PRIVATE_KEY: "${AWS_CLOUDFRONT_PRIVATE_KEY_BASE64}"
-  IP_RANGES: "${IP_RANGES_BASE64}"
   IPS_FORMATTED: "${IPS_FORMATTED_BASE64}"
 ---
 apiVersion: v1

deploy/staging/config.yml

@@ -11,10 +11,3 @@ data:
   # See Azure Setup in the README for more information on how to get these values.
   OAUTH_CLIENT_ID: "ffb808d2-312b-4ffe-a6e5-d6eacfd9f06f"
   OAUTH_TENANT_ID: "c6874728-71e6-41fe-a9e1-2e8c36776ad8"
-  # IP addresses, with optional CIDR notation. Separated by newlines and using # for comments.
-  ALLOWED_IPS: |
-    # Global Protect
-    18.169.147.172
-    35.176.93.186
-    18.130.148.126
-    35.176.148.126

docker-compose.yml

@@ -37,17 +37,20 @@ services:
       - php-socket:/sock
       ### Deploy scripts
       - ./deploy/config/local/nginx/php-fpm.conf:/etc/nginx/php-fpm.conf
+      - ./deploy/config/local/nginx/php-fpm-auth.conf:/etc/nginx/php-fpm-auth.conf
       - ./deploy/config/local/nginx/server.conf:/etc/nginx/conf.d/default.conf
       - ./deploy/config/nginx.conf:/etc/nginx/nginx.conf
       ### Assets
       - ./public/app/plugins:/var/www/html/public/app/plugins
       - ./public/app/themes/clarity/screenshot.png:/var/www/html/public/app/themes/clarity/screenshot.png
+      - ./public/app/themes/clarity/error-pages:/var/www/html/public/app/themes/clarity/error-pages
       - ./public/wp:/var/www/html/public/wp
       - ./public/index.php:/var/www/html/public/index.php
     environment:
       VIRTUAL_HOST: ${SERVER_NAME}
       VIRTUAL_PORT: 8080
       SERVER_NAME: ${SERVER_NAME}
+      IPS_FORMATTED: ${IPS_FORMATTED}
     ports:
       - "8080:8080"
     depends_on:

public/app/mu-plugins/moj-auth/traits/utils.php

@@ -28,68 +28,6 @@ public function log(string $message, $data = null): void
         error_log($message . ' ' . print_r($data, true));
     }
 
-    /**
-     * Checks if a given IP address matches the specified CIDR subnet/s
-     * 
-     * @see https://gist.github.com/tott/7684443?permalink_comment_id=2108696#gistcomment-2108696
-     * 
-     * @param string $ip The IP address to check
-     * @param mixed $cidrs The IP subnet (string) or subnets (array) in CIDR notation
-     * @param string $match optional If provided, will contain the first matched IP subnet
-     * @return boolean TRUE if the IP matches a given subnet or FALSE if it does not
-     */
-
-    public function ipMatch($ip, $cidrs, &$match = null): bool
-    {
-        $this->log('ipMatch()');
-
-        foreach ((array) $cidrs as $cidr) {
-            if (empty($cidr)) {
-                continue;
-            }
-            $parts = explode('/', $cidr);
-            $subnet = $parts[0];
-            $mask = $parts[1] ?? 32;
-            if (((ip2long($ip) & ($mask = ~((1 << (32 - $mask)) - 1))) == (ip2long($subnet) & $mask))) {
-                $match = $cidr;
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-
-    /**
-     * Check if the IP address is allowed.
-     * 
-     * Checks that we have the environment variable ALLOWED_IPS and server property HTTP_X_REAL_IP set.
-     * Runs the ipMatch method to check if the HTTP_X_REAL_IP is in the ALLOWED_IPS.
-     * 
-     * @return bool Returns true if the IP address is allowed, otherwise false.
-     */
-
-    public function ipAddressIsAllowed(): bool
-    {
-        $this->log('ipAddressIsAllowed()');
-
-        return false;
-
-        if (empty($_ENV['ALLOWED_IPS']) || empty($_SERVER['HTTP_X_REAL_IP'])) {
-            return false;
-        }
-
-        $newline_pattern  = '/\r\n|\n|\r/'; // Match newlines.
-        $comments_pattern = '/\s*#.*/'; // Match comments.
-
-        $allowedIps = array_map(
-            'trim',
-            preg_split($newline_pattern, preg_replace($comments_pattern, '', $_ENV['ALLOWED_IPS']))
-        );
-
-        return $this->ipMatch($_SERVER['HTTP_X_REAL_IP'], $allowedIps);
-    }
-
     /**
      * Hash a value using SHA256 and a salt.
      *