diff --git a/environments/ithc/ithc.tfvars b/environments/ithc/ithc.tfvars
index 6204b93e7..a4f033827 100644
--- a/environments/ithc/ithc.tfvars
+++ b/environments/ithc/ithc.tfvars
@@ -1732,17 +1732,214 @@ frontends = [
 name = "paybubble"
 custom_domain = "paybubble.ithc.platform.hmcts.net"
 dns_zone_name = "ithc.platform.hmcts.net"
- mode = "Detection"
+ mode = "Prevention"
 backend_domain = ["firewall-nonprodi-palo-cftithc.uksouth.cloudapp.azure.com"]
+ global_exclusions = [
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "referer"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "iss"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__auth-token"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__user-info"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__redirect"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "dtSa"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "rf"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "DecodedUrl"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__pcipal-info"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "connect.sid"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "ccpay-bubble-cookie-preferences"
+ },
+ ]
 },
 {
 name = "fees-register"
 custom_domain = "fees-register.ithc.platform.hmcts.net"
 dns_zone_name = "ithc.platform.hmcts.net"
- mode = "Detection"
+ mode = "Prevention"
 backend_domain = ["firewall-nonprodi-palo-cftithc.uksouth.cloudapp.azure.com"]
+ custom_rules = [
+ {
+ name = "IPMatchWhitelist"
+ priority = 1
+ type = "MatchRule"
+ action = "Block"
+ match_conditions = [
+ {
+ match_variable = "RequestUri"
+ operator = "EndsWith"
+ negation_condition = false
+ match_values = [
+ "/fees"
+ ]
+ },
+ {
+ match_variable = "RemoteAddr"
+ operator = "IPMatch"
+ negation_condition = true
+ match_values = [
+ "81.134.202.29/32",
+ "51.145.6.230/32",
+ "194.33.192.0/25",
+ "51.149.249.0/27",
+ "194.33.193.0/25",
+ "194.33.196.0/25",
+ "51.149.249.32/27",
+ "194.33.197.0/25",
+ "52.210.206.51/32",
+ "62.25.109.201/32",
+ "62.25.109.203/32",
+ "51.143.139.240/32",
+ "51.145.4.100/32"
+ ]
+ }
+ ]
+ },
+ ],
+ global_exclusions = [
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "iss"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__auth-token"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "__redirect"
+ },
+ {
+ match_variable = "RequestCookieNames"
+ operator = "Equals"
+ selector = "fee-register-admin-web-cookie-preferences"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "rf"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "DecodedUrl"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "QueryParamName"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "DecodedPath"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "PostParamName"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "expression"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "GroupName"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "NFuse_Application"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "banner_id"
+ },
+ {
+ match_variable = "QueryStringArgNames"
+ operator = "Equals"
+ selector = "callback"
+ },
+ {
+ match_variable = "RequestBodyPostArgNames"
+ operator = "Equals"
+ selector = "reply_message_template"
+ },
+ {
+ match_variable = "RequestBodyPostArgNames"
+ operator = "Equals"
+ selector = "name"
+ },
+ {
+ match_variable = "RequestHeaderNames"
+ operator = "Equals"
+ selector = "User-Agent"
+ },
+ {
+ match_variable = "RequestHeaderNames"
+ operator = "Equals"
+ selector = "content-type"
+ },
+ {
+ match_variable = "RequestBodyPostArgNames"
+ operator = "Equals"
+ selector = "csvFees"
+ },
+ {
+ match_variable = "RequestBodyPostArgNames"
+ operator = "Equals"
+ selector = "description"
+ },
+ ]
 },
 {
 name = "idam-user-dashboard"
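Review bot: The fees-register `IPMatchWhitelist` rule only fires when `RequestUri` `EndsWith` `/fees`, so a request to `/fees/`, `/fees?x=1` or any sub-path is not matched and reaches the backend from any source address; if the intent is to gate the whole fees surface to the listed ranges, match the prefix instead (`operator = "BeginsWith"` with `match_values = ["/fees"]`) and, if the module exposes a transforms attribute, add `Lowercase`/`UrlDecode` so the literal comparison cannot be sidestepped by case or encoding. The rule name says "Whitelist" but the action is `Block` on a negated IP match, which is correct but reads backwards; a name such as `BlockNonAllowlistedFeesAccess` would make the intent obvious to the next reader. The `global_exclusions` on fees-register remove `User-Agent`, `content-type` and the `name`/`description` POST arguments from every managed rule rather than from the specific rule IDs that presumably misfired, which leaves those fields entirely uninspected in Prevention mode; scoping each exclusion to the offending rule set or rule ID would keep coverage on them. The enclosing `frontends` list and the paybubble object both begin before this hunk.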