From e76402d9b90fec688bee3d31c3edeaf00277c1e9 Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Tue, 2 Apr 2024 14:04:22 +0100
Subject: [PATCH] Fix missing denylist in datagovuk vcl_recv.
---
 modules/datagovuk/datagovuk.vcl.tftpl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/datagovuk/datagovuk.vcl.tftpl b/modules/datagovuk/datagovuk.vcl.tftpl
index fb702e3..8abd6a6 100644
--- a/modules/datagovuk/datagovuk.vcl.tftpl
+++ b/modules/datagovuk/datagovuk.vcl.tftpl
@@ -39,6 +39,11 @@ backend F_cname_find_eks_${environment}_govuk_digital {
 sub vcl_recv {
 ${indent(2, file("${module_path}/../shared/_boundary_headers.vcl.tftpl"))}
+ # Serve 404 if source IP/netblock is denylisted.
+ if (table.lookup(ip_address_denylist, client.ip)) {
+ error 404 "Not Found";
+ }
+
 # Require authentication for PURGE requests
 set req.http.Fastly-Purge-Requires-Auth = "1";
@@ -204,4 +209,4 @@ sub vcl_error {
 sub vcl_pass {
 #FASTLY pass
-}
\ No newline at end of file
+}
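Review bot: The comment on the added block promises IP/netblock matching, but `table.lookup(ip_address_denylist, client.ip)` is an exact string-key lookup, so a CIDR-style entry in the table would never match a client address. Blocking whole netblocks in Fastly VCL needs an ACL match (`client.ip ~ <acl_name>`) rather than a table. If the table only ever holds single addresses, reword the comment to `# Serve 404 if the source IP is in the denylist table.` and consider `table.contains(ip_address_denylist, client.ip)`, which states the membership test directly instead of relying on the looked-up value being truthy. The declaration of `ip_address_denylist` is not visible in this hunk and vcl_recv continues past it, so confirm the table is actually defined for this service.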