From 81f7b5337c016562cccbe3cdd94fcbda1ca329f9 Mon Sep 17 00:00:00 2001
From: psy <psy@cccv.de>
Date: Sat, 19 Mar 2022 10:32:12 +0000
Subject: [PATCH] disallow access to dotfiles besides .well-known by default

---
 README.md               | 3 +++
 defaults/main.yml       | 1 +
 templates/vhost.conf.j2 | 9 +++++++++
 3 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index 5f2e89b..8c1d5a7 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,9 @@ key: ~
 
 # SSL certificat, mutally exclusive with letsencrypt option
 crt: ~
+
+# Disallow access to dotfiles besides .well-known by default
+disallow_dotfiles: True
 ```
 
 **locationconfig**:
diff --git a/defaults/main.yml b/defaults/main.yml
index a7c56a1..86ffecf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,6 +45,7 @@ nginx_vhosts_defaults:
   add_proxy_headers: {}
   hide_proxy_headers: {}
   backend: ~
+  disallow_dotfiles: True
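Review bot: The added default `disallow_dotfiles: True` uses the capitalised YAML 1.1 boolean spelling; the canonical form that yamllint's `truthy` rule and the YAML 1.2 core schema expect is `disallow_dotfiles: true`. Ansible accepts either, so this is a style point, but the gate in the template hunk is a bare Jinja truthiness test (`{% if vhost.disallow_dotfiles %}`), so an operator who overrides this with a quoted string such as `"false"` or `"no"` would still get the block rendered. A short comment on the key, `# must be a real boolean, not a quoted string`, or a `| bool` filter at the point of use would close that gap.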
 
 nginx_streams_defaults:
   listen:
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
index bbffbec..255d316 100644
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@@ -86,6 +86,15 @@ server {
 	}
 	{% endfor %}
 
+
+	{% if vhost.disallow_dotfiles %}
+	# disallow every path starting with a dot except .well-known/
+	location ~ /\.(?!well-known\/).* {
+		deny all;
+	}
+	{% endif %}
+
+
 	{% if vhost.auth.enable %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }}; 
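Review bot: The new deny location is rendered after the `{% endfor %}` that closes the preceding loop, and nginx selects the first matching `location ~` in file order, so any regex location that loop emits (a `~ \.php$` handler, for instance) and that also matches a dotfile path would win and serve the file; a `^~` prefix location rendered there would likewise bypass the deny entirely. Unless that loop is known never to produce regex or `^~` locations, the block should be moved above it (the loop and the enclosing `server {` both start outside this hunk) or the template should state the ordering assumption, e.g. `# must precede user-defined regex locations: the first matching 'location ~' wins`. The trailing `.*` is redundant for a location regex and can be dropped, `location ~ /\.(?!well-known/) {`, which also reads closer to the comment above it. Note that `deny all` answers 403 and so confirms that the dotfile exists; `return 404;` is the usual alternative when that disclosure matters.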
-- 
GitLab