
Commit e7d9de6

committed
Update default.conf.sample to deny dotfile access
Signed-off-by: Eric Nemchik <[email protected]>
1 parent f4f4f56 commit e7d9de6

2 files changed

Lines changed: 15 additions & 5 deletions


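--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -85,6 +85,7 @@ init_diagram: |
 "babybuddy:latest" <- Base Images
 # changelog
 changelogs:
+- {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
 - {date: "27.07.25:", desc: "Rebase to Alpine 3.22."}
 - {date: "30.06.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
 - {date: "23.12.23:", desc: "Rebase to Alpine 3.19 with php 8.3."}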

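--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,10 +1,12 @@
-## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-babybuddy/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-babybuddy/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
 listen 443 ssl default_server;
 listen [::]:443 ssl default_server;
+listen 443 quic reuseport default_server;
+listen [::]:443 quic reuseport default_server;
 
 listen 8000;
 listen [::]:8000;
@@ -21,17 +23,24 @@ server {
 proxy_redirect off;
 }
 
-location ^~ /media/ {
+location ^~ /media/ {
 root /app/www/public;
 }
 
-location ^~ /static/ {
+location ^~ /static/ {
 root /app/www/public;
 }
 
-# deny access to .htaccess/.htpasswd files
-location ~ /\.ht {
+# deny access to all dotfiles
+location ~ /\. {
 deny all;
+log_not_found off;
+access_log off;
+return 404;
 }
 
+# Allow access to the ".well-known" directory
+location ^~ /.well-known {
+allow all;
+}
 }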
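Review bot: The `location ~ /\.` block does not deny all dotfiles as its comment says, because the `^~` modifier on `/media/`, `/static/` and the new `/.well-known` location stops nginx from evaluating top-level regex locations for those prefixes, so a dotfile that exists under `/media/` or `/static/` is still served from under `/app/www/public`. Nesting `location ~ /\. { return 404; }` inside the `/media/` and `/static/` blocks would close that gap, and writing the exception as `location ^~ /.well-known/ {` (with a trailing slash) keeps it from also matching sibling names that merely start with `/.well-known`. Inside the deny block `return 404;` runs in the rewrite phase, so `deny all;` is never evaluated and can be dropped. Consider leaving `access_log` enabled there (or pointing it at a separate file), since requests for dotfiles are a cheap signal of scanning that `access_log off;` discards.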
