1 change: 1 addition & 0 deletions readme-vars.yml
Expand Up @@ -86,6 +86,7 @@ init_diagram: |
"grav:latest" <- Base Images
# changelog
changelogs:
- {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
- {date: "11.10.25:", desc: "Add php83-pdo and php83-pdo_sqlite"}
- {date: "19.06.24:", desc: "Rebase to Alpine 3.20. Symlink robots.txt to /config. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
- {date: "06.03.24:", desc: "Add brotli to nginx."}
71 changes: 44 additions & 27 deletions root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample
## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample

server {
listen 80 default_server;
Expand All @@ -13,6 +13,18 @@ server {
root /app/www/public;
index index.html index.htm index.php;

# Allow access to the ".well-known" directory
location ^~ /.well-known {
allow all;
}

# deny access to all dotfiles
location ~ /\. {
access_log off;
log_not_found off;
return 404;
}

location / {
# enable for basic auth
#auth_basic "Restricted";
Expand All @@ -25,13 +37,21 @@ server {

## Begin - Security
# deny all direct access for these folders
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ {
return 403;
}
# deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
# deny running scripts inside user folder
location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
# deny access to specific files in the root folder
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) {
return 403;
}
## End - Security

## https://learn.getgrav.org/17/webservers-hosting/servers/nginx#nginx-cache-headers-for-assets
Expand All @@ -41,25 +61,25 @@ server {
}

location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires 30d;
add_header Vary Accept-Encoding;
log_not_found off;
expires 30d;
add_header Vary Accept-Encoding;
log_not_found off;
}

location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ {
access_log off;
expires 30d;
add_header Cache-Control public;

## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;

## Set the OS file cache.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
access_log off;
expires 30d;
add_header Cache-Control public;

## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;

## Set the OS file cache.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
## End - Caching

Expand All @@ -69,14 +89,11 @@ server {
#auth_basic_user_file /config/nginx/.htpasswd;

fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}

# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
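Review bot: The new `location ~ /\. {` block turns off `access_log` for every dotfile request, so scanner probes for `/.env`, `/.git/config` or `/.htpasswd` will no longer show up in the access log where fail2ban or a SIEM would catch them; consider dropping `access_log off;` and keeping only `log_not_found off;` to silence the error log. Because nginx tries regex locations in order of appearance, this block also matches before the security rule `location ~* /(\.git|cache|bin|logs|backup|tests)/.*$`, which makes its `\.git` alternative unreachable and changes those paths from 403 to 404 — acceptable, but worth a comment such as `# .git is already caught by the dotfile rule above`. The `^~ /.well-known` prefix location correctly pre-empts the regex rules, yet `allow all;` on its own does nothing unless an outer `deny` exists, so a comment like `# ^~ stops regex matching so the dotfile rule below does not block ACME/Autoconfig` would explain why the block is there. Separately, the header date `2026/05/05` on the new version line does not match the `08.02.26` changelog entry in readme-vars.yml — confirm which is intended.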