Compare commits

...

3 Commits

Author SHA1 Message Date
Eric Nemchik aa3f8bd0dd Merge branch 'master' into deny-dotfile-access 2026-05-05 16:59:17 -05:00
Eric Nemchik 22bafef661 Move dotfile denial up
Signed-off-by: Eric Nemchik <eric@nemchik.com>
2026-05-05 16:44:32 -05:00
Eric Nemchik 716b1237c5 Update default.conf.sample to deny dotfile access
Signed-off-by: Eric Nemchik <eric@nemchik.com>
2026-02-08 09:39:37 -06:00
2 changed files with 23 additions and 10 deletions
+1
View File
@@ -219,6 +219,7 @@ init_diagram: |
"swag:latest" <- Base Images "swag:latest" <- Base Images
# changelog # changelog
changelogs: changelogs:
- {date: "08.02.26:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Deny access to all dotfiles."}
- {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."} - {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
- {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."} - {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
- {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."} - {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
@@ -1,4 +1,4 @@
## Version 2026/03/07 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample ## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https # redirect all traffic to https
server { server {
@@ -13,9 +13,9 @@ server {
# main server block # main server block
server { server {
listen 443 ssl default_server; listen 443 ssl default_server;
# listen 443 quic reuseport default_server;
listen [::]:443 ssl default_server; listen [::]:443 ssl default_server;
# listen [::]:443 quic reuseport default_server; #listen 443 quic reuseport default_server;
#listen [::]:443 quic reuseport default_server;
server_name _; server_name _;
@@ -24,6 +24,18 @@ server {
root /config/www; root /config/www;
index index.html index.htm index.php; index index.html index.htm index.php;
# Allow access to the ".well-known" directory
location ^~ /.well-known {
allow all;
}
# deny access to all dotfiles
location ~ /\. {
access_log off;
log_not_found off;
return 404;
}
# enable subfolder method reverse proxy confs # enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf; include /config/nginx/proxy-confs/*.subfolder.conf;
@@ -60,7 +72,7 @@ server {
} }
location ~ ^(.+\.php)(.*)$ { location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth # enable for basic auth
#auth_basic "Restricted"; #auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd; #auth_basic_user_file /config/nginx/.htpasswd;
@@ -73,17 +85,17 @@ server {
# enable for Authentik (requires authentik-server.conf in the server block) # enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf; #include /config/nginx/authentik-location.conf;
# enable for Tinyauth (requires tinyauth-server.conf in the server block)
#include /config/nginx/tinyauth-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; } if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000; fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php; fastcgi_index index.php;
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
} }
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
} }
# enable subdomain method reverse proxy confs # enable subdomain method reverse proxy confs