Update default.conf.sample to deny dotfile access

nemchik · nemchik · commit 277d121decaa · 2026-02-08T10:17:45.000-06:00
Signed-off-by: Eric Nemchik &lt;eric@nemchik.com&gt;
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -172,6 +172,7 @@ init_diagram: |
   "mastodon:develop" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "21.10.25:", desc: "Add prometheus exporter support."}
   - {date: "20.10.25:", desc: "Add vips-heif."}
   - {date: "06.06.25:", desc: "Rebase to Alpine 3.22, replace deprecated imagemagick with vips."}
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,8 +1,8 @@
-## Version 2024/08/26 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/develop/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/develop/root/defaults/nginx/site-confs/default.conf.sample
 
 map $http_upgrade $connection_upgrade {
     default upgrade;
-    ''      close;
+    '' close;
 }
 
 upstream backend {
@@ -20,6 +20,8 @@ server {
     listen [::]:80 default_server;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -141,9 +143,16 @@ server {
 
     error_page 404 500 501 502 503 504 /500.html;
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
         deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
     }
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
 }
