Update default.conf.sample to deny dotfile access #192

Open
nemchik wants to merge 2 commits into 3.23 from deny-dotfile-access

Conversation

@nemchik
Member

@nemchik nemchik commented Feb 8, 2026

No description provided.

Signed-off-by: Eric Nemchik <eric@nemchik.com>
@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.2-r0_8.4.17-r0-pkg-13d71720-dev-b54d672019c2b363271da42224580c2184b6fb5f-pr-192/index.html
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.2-r0_8.4.17-r0-pkg-13d71720-dev-b54d672019c2b363271da42224580c2184b6fb5f-pr-192/shellcheck-result.xml

Tag Passed
amd64-3.23-1.28.2-r0_8.4.17-r0-pkg-13d71720-dev-b54d672019c2b363271da42224580c2184b6fb5f-pr-192
arm64v8-3.23-1.28.2-r0_8.4.17-r0-pkg-13d71720-dev-b54d672019c2b363271da42224580c2184b6fb5f-pr-192

@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.2-r1_8.4.17-r0-pkg-051f9ed7-dev-a08b346419842f48184fd0c65ae7e5d3283970a6-pr-192/index.html
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.2-r1_8.4.17-r0-pkg-051f9ed7-dev-a08b346419842f48184fd0c65ae7e5d3283970a6-pr-192/shellcheck-result.xml

Tag Passed
amd64-3.23-1.28.2-r1_8.4.17-r0-pkg-051f9ed7-dev-a08b346419842f48184fd0c65ae7e5d3283970a6-pr-192
arm64v8-3.23-1.28.2-r1_8.4.17-r0-pkg-051f9ed7-dev-a08b346419842f48184fd0c65ae7e5d3283970a6-pr-192

@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.4-r0-pkg-bde3ac84-dev-8cb2728b856bae9ad1a47bc00443deb2ac835961-pr-192/index.html
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.4-r0-pkg-bde3ac84-dev-8cb2728b856bae9ad1a47bc00443deb2ac835961-pr-192/shellcheck-result.xml

Tag Passed
amd64-3.23-1.28.3-r0_8.5.4-r0-pkg-bde3ac84-dev-8cb2728b856bae9ad1a47bc00443deb2ac835961-pr-192
arm64v8-3.23-1.28.3-r0_8.5.4-r0-pkg-bde3ac84-dev-8cb2728b856bae9ad1a47bc00443deb2ac835961-pr-192

@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.5-r1-pkg-70ef4797-dev-47634b33a124de1679d2254fc09bae07978f0295-pr-192/index.html
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.5-r1-pkg-70ef4797-dev-47634b33a124de1679d2254fc09bae07978f0295-pr-192/shellcheck-result.xml

Tag Passed
amd64-3.23-1.28.3-r0_8.5.5-r1-pkg-70ef4797-dev-47634b33a124de1679d2254fc09bae07978f0295-pr-192
arm64v8-3.23-1.28.3-r0_8.5.5-r1-pkg-70ef4797-dev-47634b33a124de1679d2254fc09bae07978f0295-pr-192

Signed-off-by: Eric Nemchik <eric@nemchik.com>
Copilot AI review requested due to automatic review settings May 5, 2026 21:29
@LinuxServer-CI LinuxServer-CI moved this from PRs to PRs Ready For Team Review in Issue & PR Tracker May 5, 2026

Copilot AI left a comment

Pull request overview

This PR updates the default nginx site sample to block dotfile requests by default while carving out access to /.well-known, which is commonly needed for ACME and similar verification flows in the base image's default web server setup.

Changes:

  • Added a /.well-known location intended to remain publicly accessible.
  • Replaced the previous .ht*-only deny rule with a broader dotfile deny rule.
  • Reformatted the inline PHP file-existence guard and bumped the sample config version header.

Comment on lines +22 to +28
# Allow access to the ".well-known" directory
location ^~ /.well-known {
allow all;
}

# deny access to all dotfiles
location ~ /\. {
index index.html index.htm index.php;

# Allow access to the ".well-known" directory
location ^~ /.well-known {
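
Review bot: `location ^~ /.well-known {` has no trailing slash, so the prefix also matches sibling paths such as `/.well-known.bak` or `/.well-knownfoo`, and because `^~` stops nginx from evaluating regex locations for a matching prefix, those requests never reach the `location ~ /\.` deny rule. Suggest `location ^~ /.well-known/ {` so that only the directory's contents are exempt. The same short-circuit means dotfiles nested under the directory (for example `/.well-known/.env`) are also served, which is worth stating in the comment above the block or closing with a nested deny if that is not intended.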
@LinuxServer-CI
Contributor

I am a bot, here are the test results for this PR:
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.5-r1-pkg-60bb1d50-dev-ef6ec3bb1e4877e5199e17c35c3acdaaa43ba907-pr-192/index.html
https://ci-tests.linuxserver.io/lspipepr/baseimage-nginx/3.23-1.28.3-r0_8.5.5-r1-pkg-60bb1d50-dev-ef6ec3bb1e4877e5199e17c35c3acdaaa43ba907-pr-192/shellcheck-result.xml

Tag Passed
amd64-3.23-1.28.3-r0_8.5.5-r1-pkg-60bb1d50-dev-ef6ec3bb1e4877e5199e17c35c3acdaaa43ba907-pr-192
arm64v8-3.23-1.28.3-r0_8.5.5-r1-pkg-60bb1d50-dev-ef6ec3bb1e4877e5199e17c35c3acdaaa43ba907-pr-192

@LinuxServer-CI LinuxServer-CI moved this from PRs Ready For Team Review to PRs in Issue & PR Tracker May 5, 2026