Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <eric@nemchik.com>
2026-02-20 04:57:50 +08:00 · 2026-02-08 09:39:52 -06:00 · 2026-02-08 09:39:52 -06:00 · 84c03bf9fe
commit 84c03bf9fe
parent c88096ff39
2 changed files with 14 additions and 4 deletions
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -144,6 +144,7 @@ init_diagram: |
  "diskover:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
  - {date: "06.09.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
  - {date: "06.03.24:", desc: "Existing users should update: site-confs/default.conf - Cleanup default site conf."}
  - {date: "06.03.24:", desc: "Rebase to Alpine 3.19 with php 8.3."}
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@ -1,11 +1,12 @@
-## Version 2024/09/06 - Changelog: https://github.com/linuxserver/docker-diskover/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-diskover/commits/master/root/defaults/nginx/site-confs/default.conf.sample

 server {
    listen 80 default_server;
    listen [::]:80 default_server;
-
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;

    server_name _;

@ -38,8 +39,16 @@ server {
        fastcgi_buffer_size 32k;
    }

-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
        deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
    }
 }