1 change: 1 addition & 0 deletions readme-vars.yml
Expand Up @@ -145,6 +145,7 @@ init_diagram: |
"nextcloud:latest" <- Base Images
# changelog
changelogs:
- {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
- {date: "10.07.25:", desc: "Rebase to Alpine 3.22."}
- {date: "12.02.25:", desc: "Rebase to Alpine 3.21."}
- {date: "09.01.25:", desc: "Fix uploading large files. Existing users should update their nginx confs."}
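Review bot: The new changelog entry at the top says only "Deny access to all dotfiles", while the matching change to default.conf.sample also turns off access and not-found logging for those requests and answers them with 404. Users who copy the block into an existing default.conf would benefit from the entry mentioning the response code and the logging change, for example by appending "(returns 404, requests not logged)".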
9 changes: 6 additions & 3 deletions root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
## Version 2025/07/10 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/master/root/defaults/nginx/site-confs/default.conf.sample
## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/master/root/defaults/nginx/site-confs/default.conf.sample

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
Expand Down Expand Up @@ -173,8 +173,11 @@ server {
try_files $uri $uri/ /index.php$request_uri;
}

# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
# deny access to all dotfiles
location ~ /\. {
deny all;
log_not_found off;
access_log off;
return 404;
Comment on lines +176 to +181
Member Author

This is a peculiar thing to consider. I would imagine the general intention would be to deny all dotfile access, but in special cases like with Nextcloud having a lot of its own configuration (that we copy/paste from upstream) I think their confs should take priority.

I doubt many PHP applications are written to handle denying access to dotfiles (ex: /foo/.hidden.php) but if any container is going to actually handle them at all I would bet it would be Nextcloud (whether it denies or actually does something with them).

I am inclined to move this further up (at least above the php handling) in the PRs made to the other repos, but I'll think on this and revisit it later.

}
}
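Review bot: In the new `location ~ /\.` block, `deny all;` and `return 404;` are both set, but `return` runs in nginx's rewrite phase, before the access phase where `deny` is evaluated, so every match gets the 404 and `deny all;` never takes effect. Keep only the one whose status code is intended. Two further points on the same block: `/\.` also matches `/.well-known/...`, so it is worth confirming that a `^~` prefix location for that path exists elsewhere in this file (it is not visible in this hunk), otherwise those requests would start returning 404; and `access_log off;` drops the record of dotfile probes, which is the signal you would want when reviewing scans against the instance, so consider leaving access logging on here.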