diff --git a/README.md b/README.md
index 6e2c1ba6f2ec9477aecaaa1bb778e78aed06d950..55edc74c15b9df0221d2cff862c869eb9321e8ee 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,9 @@ key: ~
 
 # SSL certificat, mutally exclusive with letsencrypt option
 crt: ~
+
+# Disallow access to dotfiles besides .well-known by default
+disallow_dotfiles: True
 ```
 
 **locationconfig**:
diff --git a/defaults/main.yml b/defaults/main.yml
index a7c56a1d3cc09937866fd7075248a87080e9c965..62343413d6f7f11e4dff14ba0c46b6eb88a95c48 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,6 +45,8 @@ nginx_vhosts_defaults:
   add_proxy_headers: {}
   hide_proxy_headers: {}
   backend: ~
+  disallow_dotfiles: True
+  force_forwarded_ssl_header: False
 
 nginx_streams_defaults:
   listen:
@@ -75,3 +77,4 @@ phpinidefault:
   post_max_size: 64M
   upload_max_filesize: 64M
   memory_limit: 128M
+  date_timezone: UTC
diff --git a/templates/php-fpm/php.ini.j2 b/templates/php-fpm/php.ini.j2
index 7a2c89c68df1ab651b491e5c0a450d70ebd0fe8e..9430046dd1e55181c0cc4fafc3a90a51312c5ef2 100644
--- a/templates/php-fpm/php.ini.j2
+++ b/templates/php-fpm/php.ini.j2
@@ -925,7 +925,7 @@ cli_server.color = On
 [Date]
 ; Defines the default timezone used by the date functions
 ; http://php.net/date.timezone
-date.timezone = "UTC"
+date.timezone = "{{ phpini.date_timezone }}"
 
 ; http://php.net/date.default-latitude
 ;date.default_latitude = 31.7667
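Review bot: `{{ phpini.date_timezone }}` on the changed line has no default filter, so rendering fails with an undefined-variable error if `phpini` is ever supplied without `date_timezone`; whether the role merges `phpinidefault` into `phpini` before templating is not visible in this diff. `date.timezone = "{{ phpini.date_timezone|d('UTC') }}"` keeps the previously hard-coded value as the fallback and matches the `|d(...)` idiom already used in vhost.conf.j2. The value is also emitted inside double quotes, so a string containing `"` would break the ini; a comment noting that the setting expects a PHP timezone identifier would make that constraint explicit.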
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
index bbffbecf348df222a94d4af842d7082cc4a6c98c..9b968a805f9f7749163ab99459658f9974981bae 100644
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@@ -53,9 +53,15 @@ server {
 		proxy_set_header Host			{{ location.host|d(vhost.host) }};
 		proxy_set_header X-Real-IP		$remote_addr;
 		proxy_set_header X-Forwarded-For	$proxy_add_x_forwarded_for;
+		{% if not location.force_forwarded_ssl_header|d(vhost.force_forwarded_ssl_header) %}
 		proxy_set_header X-Forwarded-Proto	$scheme;
 		proxy_set_header X-Forwarded-Ssl	$https;
 		proxy_set_header X-Url-Scheme		$scheme;
+		{% else %}
+		proxy_set_header X-Forwarded-Proto	https;
+		proxy_set_header X-Forwarded-Ssl	on;
+		proxy_set_header X-Url-Scheme		https;
+		{% endif %}
 
 		# add custom proxy headers
 		{% for header in vhost.add_proxy_headers if header %}
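Review bot: In the `{% else %}` branch the backend receives `X-Forwarded-Proto https` and `X-Forwarded-Ssl on` for every request this location proxies, including ones that arrived over plain HTTP if the vhost also listens on port 80; an application that derives secure-cookie or redirect behaviour from those headers will then treat a cleartext request as TLS. That is the intended use when nginx itself sits behind a TLS-terminating proxy, but nothing in the template ties the option to the vhost's listen configuration. A comment above the `{% if %}`, e.g. `# force_forwarded_ssl_header: claim TLS to the backend unconditionally; only for vhosts served over HTTPS exclusively (TLS terminated upstream)`, would document that precondition, and guarding the branch on the vhost's TLS settings would enforce it, though which keys express that is outside this hunk. The enclosing `server {` block and the location loop start and end outside the hunk.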
@@ -86,6 +92,15 @@ server {
 	}
 	{% endfor %}
 
+
+	{% if vhost.disallow_dotfiles %}
+	# disallow every path starting with a dot except .well-known/
+	location ~ /\.(?!well-known\/).* {
+		deny all;
+	}
+	{% endif %}
+
+
 	{% if vhost.auth.enable %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }};
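Review bot: The dotfile deny block is a regex location rendered after the `{% endfor %}` at the top of the hunk, which appears to close the per-location loop; nginx selects the first regex location that matches in configuration order, so any user-defined regex location rendered earlier (a `~ \.php$` handler, for instance) wins for a path like `/.git/index.php` and the deny never applies. Rendering this block before the loop, or as the first location in the server block, makes it take precedence regardless of what the vhost defines. The trailing `.*` in `location ~ /\.(?!well-known\/).* {` is redundant because regex locations are not anchored at the end, and `deny all` answers 403, so `return 404;` in its place avoids confirming that the hidden path exists. The `server {` block this sits in starts and ends outside the hunk.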