disallow access to dotfiles besides .well-known by default

questions i stumbled upon:

• use prefix match instead of regex?
  • takes higher precedence
  • only overwritable by more specific match

closes https://git.cccv.de/infra/documentation/-/issues/115