Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <[email protected]>

Author: nemchik

readme-vars.yml

@@ -85,6 +85,7 @@ init_diagram: |
   "babybuddy:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "27.07.25:", desc: "Rebase to Alpine 3.22."}
   - {date: "30.06.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
   - {date: "23.12.23:", desc: "Rebase to Alpine 3.19 with php 8.3."}

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,10 +1,12 @@
-## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-babybuddy/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-babybuddy/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
 
     listen 8000;
     listen [::]:8000;
@@ -21,17 +23,24 @@ server {
         proxy_redirect off;
     }
 
-    location ^~ /media/  {
+    location ^~ /media/ {
         root /app/www/public;
     }
 
-    location ^~ /static/  {
+    location ^~ /static/ {
         root /app/www/public;
     }
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
         deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
     }
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
 }