Add IP-based block list to wp-config

** Why are these changes being introduced: * We are starting to see problematic site traffic, and want to have a way to block access to the application selectively. ** Relevant ticket(s): * https://mitlibraries.atlassian.net/browse/pw-86 ** How does this address that need: * This adds an ability to block specific IP addresses from getting site responses, sending a 403 status message instead. The list of blocked IP addresses is managed via environment variables. ** Document any side effects to this change: * There is a small increase in site overhead, as every page load will now be checked against the IP block list. However, this is done at the PHP level, without needing to spin up WordPress itself.
MITLibraries · Feb 16, 2024 · 2d11048 · 2d11048
1 parent acbf963
commit 2d11048
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/.github/README.md b/.github/README.md
@@ -259,7 +259,7 @@ Please see the readme for that project for [installation](https://github.com/pan
 #### Optional application secrets
 
 - `SENTRY_DSN` Unique identifier for this project within Sentry.
-
+- `BLOCKED_IPS` A space-separated list of IP addresses which should be blocked from getting a Wordpress response.
 
 ### Environment variables
 

diff --git a/web/wp-config.php b/web/wp-config.php
@@ -69,8 +69,30 @@
       define( 'WP_SENTRY_VERSION', 'v1' );
       define( 'WP_SENTRY_ENV', $_ENV['PANTHEON_ENVIRONMENT'] );
     }
+
+    // Blocked IP address handling - defined as a space-separated string in secrets, and
+    // parsed to an array.
+    if ( array_key_exists( 'BLOCKED_IPS', $secrets ) ) {
+      define( 'BLOCKED_IPS', $secrets['BLOCKED_IPS'] );
+    }
   }
+}
+
+/**
+ * Respond with a 403 error message if the user IP address is on our block list.
+ *
+ * This assumes that BLOCKED_IPS is a string that can be exploded to an array of values.
+ * It also assumes that the block list consists of individual IP addresses, and not
+ * ranges that need to be calculated.
+ */
+if ( defined( 'BLOCKED_IPS' ) ) {
+  $array_blocked_ips = explode( " ", BLOCKED_IPS );
+  $request_remote_addr = $_SERVER['REMOTE_ADDR'];
 
+  if ( in_array($request_remote_addr, $array_blocked_ips) ) {
+    header( 'HTTP/1.0 403 Forbidden' );
+    exit;
+  }
 }
 
 /**