Merge branch 'master' into deny-dotfile-access

Move dotfile denial up
Signed-off-by: Eric Nemchik <eric@nemchik.com>
2026-05-10 12:44:44 +09:00 · 2026-05-05 16:59:17 -05:00 · 2026-05-05 16:44:32 -05:00 · 2026-02-08 09:39:37 -06:00
2 changed files with 23 additions and 10 deletions
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -219,6 +219,7 @@ init_diagram: |
  "swag:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Deny access to all dotfiles."}
  - {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
  - {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
  - {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2026/03/07 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

 # redirect all traffic to https
 server {
@@ -13,9 +13,9 @@ server {
 # main server block
 server {
    listen 443 ssl default_server;
-#    listen 443 quic reuseport default_server;
    listen [::]:443 ssl default_server;
-#    listen [::]:443 quic reuseport default_server;
+    #listen 443 quic reuseport default_server;
+    #listen [::]:443 quic reuseport default_server;

    server_name _;

@@ -24,6 +24,18 @@ server {
    root /config/www;
    index index.html index.htm index.php;

+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
+
+    # deny access to all dotfiles
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

@@ -60,7 +72,7 @@ server {
    }

    location ~ ^(.+\.php)(.*)$ {
-        # enable the next two lines for http auth
+        # enable for basic auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

@@ -73,17 +85,17 @@ server {
        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

+        # enable for Tinyauth (requires tinyauth-server.conf in the server block)
+        #include /config/nginx/tinyauth-location.conf;
+
        fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
-
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
-        deny all;
-    }
 }

 # enable subdomain method reverse proxy confs
Author	SHA1	Message	Date
Eric Nemchik	aa3f8bd0dd	Merge branch 'master' into deny-dotfile-access	2026-05-05 16:59:17 -05:00
Eric Nemchik	22bafef661	Move dotfile denial up Signed-off-by: Eric Nemchik <eric@nemchik.com>	2026-05-05 16:44:32 -05:00
Eric Nemchik	716b1237c5	Update default.conf.sample to deny dotfile access Signed-off-by: Eric Nemchik <eric@nemchik.com>	2026-02-08 09:39:37 -06:00