Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <eric@nemchik.com>
Bot Updating Package Versions
2026-03-03 17:03:35 +09:00 · 2026-02-08 09:39:37 -06:00 · 2026-02-07 04:43:17 +00:00 · 2026-02-06 14:17:14 +00:00
3 changed files with 39 additions and 30 deletions
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -5,7 +5,7 @@ acme                            5.3.0                 python
 alpine-baselayout               3.7.0-r0              apk                      
 alpine-baselayout-data          3.7.0-r0              apk                      
 alpine-keys                     2.5-r0                apk                      
-alpine-release                  3.22.2-r0             apk                      
+alpine-release                  3.22.3-r0             apk                      
 aom-libs                        3.12.1-r0             apk                      
 apache2-utils                   2.4.66-r0             apk                      
 apk-tools                       2.14.9-r3             apk                      
@@ -22,8 +22,8 @@ azure-mgmt-dns                  9.0.0                 python
 backports-tarfile               1.2.0                 python                   
 bash                            5.2.37-r0             apk                      
 beautifulsoup4                  4.14.3                python                   
-boto3                           1.42.40               python                   
-botocore                        1.42.40               python                   
+boto3                           1.42.44               python                   
+botocore                        1.42.44               python                   
 brotli-libs                     1.1.0-r2              apk                      
 bs4                             0.0.2                 python                   
 busybox                         1.37.0-r20            apk                      
@@ -167,7 +167,7 @@ libcurl                         8.14.1-r2             apk
 libdav1d                        1.5.1-r0              apk                      
 libedit                         20250104.3.1-r1       apk                      
 libevent                        2.1.12-r8             apk                      
-libexpat                        2.7.3-r0              apk                      
+libexpat                        2.7.4-r0              apk                      
 libffi                          3.4.8-r0              apk                      
 libgcc                          14.2.0-r6             apk                      
 libgcrypt                       1.10.3-r1             apk                      
@@ -235,25 +235,25 @@ ncurses-terminfo-base           6.5_p20250503-r0      apk
 netcat-openbsd                  1.229.1-r0            apk                      
 nettle                          3.10.1-r0             apk                      
 nghttp2-libs                    1.65.0-r0             apk                      
-nginx                           1.28.0-r3             apk                      
-nginx-mod-devel-kit             1.28.0-r3             apk                      
-nginx-mod-http-brotli           1.28.0-r3             apk                      
-nginx-mod-http-dav-ext          1.28.0-r3             apk                      
-nginx-mod-http-echo             1.28.0-r3             apk                      
-nginx-mod-http-fancyindex       1.28.0-r3             apk                      
-nginx-mod-http-geoip2           1.28.0-r3             apk                      
-nginx-mod-http-headers-more     1.28.0-r3             apk                      
-nginx-mod-http-image-filter     1.28.0-r3             apk                      
-nginx-mod-http-perl             1.28.0-r3             apk                      
-nginx-mod-http-redis2           1.28.0-r3             apk                      
-nginx-mod-http-set-misc         1.28.0-r3             apk                      
-nginx-mod-http-upload-progress  1.28.0-r3             apk                      
-nginx-mod-http-xslt-filter      1.28.0-r3             apk                      
-nginx-mod-mail                  1.28.0-r3             apk                      
-nginx-mod-rtmp                  1.28.0-r3             apk                      
-nginx-mod-stream                1.28.0-r3             apk                      
-nginx-mod-stream-geoip2         1.28.0-r3             apk                      
-nginx-vim                       1.28.0-r3             apk                      
+nginx                           1.28.2-r0             apk                      
+nginx-mod-devel-kit             1.28.2-r0             apk                      
+nginx-mod-http-brotli           1.28.2-r0             apk                      
+nginx-mod-http-dav-ext          1.28.2-r0             apk                      
+nginx-mod-http-echo             1.28.2-r0             apk                      
+nginx-mod-http-fancyindex       1.28.2-r0             apk                      
+nginx-mod-http-geoip2           1.28.2-r0             apk                      
+nginx-mod-http-headers-more     1.28.2-r0             apk                      
+nginx-mod-http-image-filter     1.28.2-r0             apk                      
+nginx-mod-http-perl             1.28.2-r0             apk                      
+nginx-mod-http-redis2           1.28.2-r0             apk                      
+nginx-mod-http-set-misc         1.28.2-r0             apk                      
+nginx-mod-http-upload-progress  1.28.2-r0             apk                      
+nginx-mod-http-xslt-filter      1.28.2-r0             apk                      
+nginx-mod-mail                  1.28.2-r0             apk                      
+nginx-mod-rtmp                  1.28.2-r0             apk                      
+nginx-mod-stream                1.28.2-r0             apk                      
+nginx-mod-stream-geoip2         1.28.2-r0             apk                      
+nginx-vim                       1.28.2-r0             apk                      
 npth                            1.8-r0                apk                      
 oniguruma                       6.9.10-r0             apk                      
 openssl                         3.5.5-r0              apk                      
@@ -313,7 +313,7 @@ php84-xmlwriter                 8.4.16-r0             apk
 php84-xsl                       8.4.16-r0             apk                      
 php84-zip                       8.4.16-r0             apk                      
 pinentry                        1.3.1-r0              apk                      
-pip                             26.0                  python                   
+pip                             26.0.1                python                   
 pkb-client                      2.2.0                 python                   
 platformdirs                    4.4.0                 python                   
 popt                            1.19-r4               apk                      
@@ -345,7 +345,7 @@ requests-mock                   1.12.1                python
 rsa                             4.9.1                 python                   
 s3transfer                      0.16.0                python                   
 scanelf                         1.3.8-r1              apk                      
-setuptools                      80.10.2               python                   
+setuptools                      81.0.0                python                   
 shadow                          4.17.3-r0             apk                      
 six                             1.17.0                python                   
 skalibs-libs                    2.14.4.0-r0           apk                      
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -219,6 +219,7 @@ init_diagram: |
  "swag:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Deny access to all dotfiles."}
  - {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
  - {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
  - {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2025/07/18 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

 # redirect all traffic to https
 server {
@@ -13,9 +13,9 @@ server {
 # main server block
 server {
    listen 443 ssl default_server;
-#    listen 443 quic reuseport default_server;
    listen [::]:443 ssl default_server;
-#    listen [::]:443 quic reuseport default_server;
+    #listen 443 quic reuseport default_server;
+    #listen [::]:443 quic reuseport default_server;

    server_name _;

@@ -74,9 +74,17 @@ server {
        include /etc/nginx/fastcgi_params;
    }

-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
        deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
    }
 }
Author	SHA1	Message	Date
Eric Nemchik	716b1237c5	Update default.conf.sample to deny dotfile access Signed-off-by: Eric Nemchik <eric@nemchik.com>	2026-02-08 09:39:37 -06:00
LinuxServer-CI	6182a75998	Bot Updating Package Versions Some checks failed External Trigger Scheduler / external-trigger-scheduler (push) Has been cancelled Details Mark stale issues and pull requests / stale (push) Has been cancelled Details	2026-02-07 04:43:17 +00:00
LinuxServer-CI	145c5d84f6	Bot Updating Package Versions Some checks failed External Trigger Scheduler / external-trigger-scheduler (push) Has been cancelled Details Package Trigger Scheduler / package-trigger-scheduler (push) Has been cancelled Details	2026-02-06 14:17:14 +00:00