1 change: 1 addition & 0 deletions readme-vars.yml
@@ -219,6 +219,7 @@ init_diagram: |
"swag:latest" <- Base Images
# changelog
changelogs:
- {date: "08.02.26:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Deny access to all dotfiles."}
- {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
- {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
- {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
32 changes: 22 additions & 10 deletions root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
## Version 2026/03/07 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

# redirect all traffic to https
server {
@@ -13,9 +13,9 @@ server {
# main server block
server {
listen 443 ssl default_server;
# listen 443 quic reuseport default_server;
listen [::]:443 ssl default_server;
# listen [::]:443 quic reuseport default_server;
#listen 443 quic reuseport default_server;
#listen [::]:443 quic reuseport default_server;

server_name _;

@@ -24,6 +24,18 @@ server {
root /config/www;
index index.html index.htm index.php;

# Allow access to the ".well-known" directory
location ^~ /.well-known {
allow all;
}

# deny access to all dotfiles
location ~ /\. {
access_log off;
log_not_found off;
return 404;
}

# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;

@@ -60,7 +72,7 @@ server {
}

location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;

@@ -73,17 +85,17 @@ server {
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;

# enable for Tinyauth (requires tinyauth-server.conf in the server block)
#include /config/nginx/tinyauth-location.conf;

fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}

# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}

# enable subdomain method reverse proxy confs
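Review bot: In the new `location ~ /\.` block, `access_log off;` drops the record of every dotfile request, so probing for paths such as `/.env` or `/.git/` no longer reaches log review or any banning that reads the access log. I would remove that line and keep `return 404;`; `log_not_found off;` looks redundant as well, since the block returns directly and never looks up a file. The `/.well-known` exemption works because `^~` stops regex matching, not because of `allow all;`, and as a bare prefix it also exempts sibling names such as `/.well-known.bak` and keeps the PHP regex location from applying beneath it; `location ^~ /.well-known/ {` with a comment like `# ^~ skips the dotfile regex below` would make that explicit. Because regex locations are tried in file order, the dotfile block now also wins over the PHP location and over any regex locations in the included `*.subfolder.conf` files, which is worth stating in the comment above it.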
Expand Down