docs: block access to metadata files in nginx sample configs

[szaimen]

☑️ Resolves

• Fix Block superfluous file access #15101

The nginx sample configs (nginx-root.conf.sample and nginx-subdir.conf.sample) served the following top-level metadata files as plain files:

• https://nc-domain/composer.json
• https://nc-domain/composer.lock
• https://nc-domain/package.json
• https://nc-domain/package-lock.json
• https://nc-domain/core/shipped.json

These paths matched neither an existing return 404 block nor the static-asset extension list, so they fell through to location / → try_files $uri and were served verbatim, leaking dependency information.

This adds a 404 location block matching these files to both samples, placed alongside the existing rules that hide non-public paths:

location ~ ^/(?:composer\.(?:json|lock)|package(?:-lock)?\.json|core/shipped\.json)$ { return 404; }

The block is positioned before the \.php and static-asset regex blocks so nginx (which evaluates regex location blocks in file order) matches it first.

Note

The upstream server/.htaccess does not block these files either — it only covers the build|tests|config|lib|3rdparty|templates directories and dotfiles. Apache installs likely have the same exposure. It may be worth opening a nextcloud/server issue to add the equivalent rule there so the two configs don't drift.

🖼️ Screenshots

No visual change — these are literalinclude-d config samples, not rendered page content.

✅ Checklist

• I have built the documentation locally and reviewed the output
• Screenshots are included for visual changes
• I have not moved or renamed pages (or added a redirect if I did)
• I have run codespell or similar and addressed any spelling issues

🤖 Generated with Claude Code

[github-actions]

📖 Documentation Preview

🔍 Open preview →

No RST documentation pages changed in this PR.

Last updated: Tue, 09 Jun 2026 17:22:56 GMT