From 716b1237c59146fe7b4c256285a62b313f2ff88c Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 8 Feb 2026 09:39:37 -0600
Subject: [PATCH 1/2] Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <eric@nemchik.com>
---
 readme-vars.yml                                |  1 +
 .../nginx/site-confs/default.conf.sample       | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/readme-vars.yml b/readme-vars.yml
index 27bde094..f3e2df79 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -219,6 +219,7 @@ init_diagram: |
   "swag:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
   - {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
   - {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index e2404967..51d0dfa4 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2025/07/18 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 
 # redirect all traffic to https
 server {
@@ -13,9 +13,9 @@ server {
 # main server block
 server {
     listen 443 ssl default_server;
-#    listen 443 quic reuseport default_server;
     listen [::]:443 ssl default_server;
-#    listen [::]:443 quic reuseport default_server;
+    #listen 443 quic reuseport default_server;
+    #listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -74,9 +74,17 @@ server {
         include /etc/nginx/fastcgi_params;
     }
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
         deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
     }
 }
 

From 22bafef661685e92d04e90723505812e3923488d Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Tue, 5 May 2026 16:44:32 -0500
Subject: [PATCH 2/2] Move dotfile denial up

Signed-off-by: Eric Nemchik <eric@nemchik.com>
---
 .../nginx/site-confs/default.conf.sample      | 37 ++++++++-----------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 51d0dfa4..0653f9ca 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 
 # redirect all traffic to https
 server {
@@ -24,6 +24,18 @@ server {
     root /config/www;
     index index.html index.htm index.php;
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
+
+    # deny access to all dotfiles
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     # enable subfolder method reverse proxy confs
     include /config/nginx/proxy-confs/*.subfolder.conf;
 
@@ -32,10 +44,8 @@ server {
 
     # enable for Authelia (requires authelia-location.conf in the location block)
     #include /config/nginx/authelia-server.conf;
-
     # enable for Authentik (requires authentik-location.conf in the location block)
     #include /config/nginx/authentik-server.conf;
-
     location / {
         # enable for basic auth
         #auth_basic "Restricted";
@@ -46,10 +56,8 @@ server {
 
         # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
-
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
-
         try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
     }
 
@@ -63,29 +71,16 @@ server {
 
         # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
-
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
-
         fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
     }
-
-    # deny access to all dotfiles
-    location ~ /\. {
-        deny all;
-        log_not_found off;
-        access_log off;
-        return 404;
-    }
-
-    # Allow access to the ".well-known" directory
-    location ^~ /.well-known {
-        allow all;
-    }
 }
 
 # enable subdomain method reverse proxy confs