Update default.conf.sample to deny dotfile access

readme-vars.yml

@@ -90,6 +90,7 @@ init_diagram: |
   "xbackbone:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "27.05.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
   - {date: "28.12.23:", desc: "Rebase to Alpine 3.19 with php 8.3."}
   - {date: "25.12.23:", desc: "Existing users should update: site-confs/default.conf - Cleanup default site conf."}

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,4 +1,4 @@
-## Version 2025/07/09 - Changelog: https://github.com/linuxserver/docker-xbackbone/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-xbackbone/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 server {
     listen 80 default_server;
@@ -15,6 +15,18 @@ server {
     root /app/www/public;
     index index.html index.htm index.php;
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
+
+    # deny access to all dotfiles
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     charset utf-8;
     error_page 404 /index.php;
     client_max_body_size 2G;
@@ -33,17 +45,14 @@ server {
         #auth_basic_user_file /config/nginx/.htpasswd;
 
         fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
     }
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
-        deny all;
-    }
-
     autoindex off;
     location ~ ^\.md {
         return 404;