From 35417f23c28ca95f530797589fbe576feb7475b6 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 8 Feb 2026 09:39:45 -0600
Subject: [PATCH 1/2] Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <eric@nemchik.com>
---
 readme-vars.yml                                  |  1 +
 .../nginx/site-confs/default.conf.sample         | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/readme-vars.yml b/readme-vars.yml
index 96724b7..71bf1e8 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -86,6 +86,7 @@ init_diagram: |
   "grav:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "11.10.25:", desc: "Add php83-pdo and php83-pdo_sqlite"}
   - {date: "19.06.24:", desc: "Rebase to Alpine 3.20. Symlink robots.txt to /config. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
   - {date: "06.03.24:", desc: "Add brotli to nginx."}
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 72ef641..b7f730e 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,10 +1,12 @@
-## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -75,8 +77,16 @@ server {
         include /etc/nginx/fastcgi_params;
     }
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
         deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
     }
 }

From 6c4d7402e8b6621b2a0af133dda34f0a718dafd4 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Tue, 5 May 2026 16:42:50 -0500
Subject: [PATCH 2/2] Move dotfile denial up

Signed-off-by: Eric Nemchik <eric@nemchik.com>
---
 .../nginx/site-confs/default.conf.sample      | 81 ++++++++++---------
 1 file changed, 44 insertions(+), 37 deletions(-)

diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index b7f730e..1bfee45 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,12 +1,10 @@
-## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-grav/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
-    listen 443 quic reuseport default_server;
-    listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -15,6 +13,18 @@ server {
     root /app/www/public;
     index index.html index.htm index.php;
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
+
+    # deny access to all dotfiles
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     location / {
         # enable for basic auth
         #auth_basic "Restricted";
@@ -27,13 +37,21 @@ server {
 
     ## Begin - Security
     # deny all direct access for these folders
-    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ {
+        return 403;
+    }
     # deny running scripts inside core system folders
-    location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
+        return 403;
+    }
     # deny running scripts inside user folder
-    location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
+        return 403;
+    }
     # deny access to specific files in the root folder
-    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) {
+        return 403;
+    }
     ## End - Security
 
     ## https://learn.getgrav.org/17/webservers-hosting/servers/nginx#nginx-cache-headers-for-assets
@@ -43,25 +61,25 @@ server {
     }
 
     location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
-            expires 30d;
-            add_header Vary Accept-Encoding;
-            log_not_found off;
+        expires 30d;
+        add_header Vary Accept-Encoding;
+        log_not_found off;
     }
 
     location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ {
-            access_log off;
-            expires 30d;
-            add_header Cache-Control public;
-
-    ## No need to bleed constant updates. Send the all shebang in one
-    ## fell swoop.
-            tcp_nodelay off;
-
-    ## Set the OS file cache.
-            open_file_cache max=3000 inactive=120s;
-            open_file_cache_valid 45s;
-            open_file_cache_min_uses 2;
-            open_file_cache_errors off;
+        access_log off;
+        expires 30d;
+        add_header Cache-Control public;
+
+        ## No need to bleed constant updates. Send the all shebang in one
+        ## fell swoop.
+        tcp_nodelay off;
+
+        ## Set the OS file cache.
+        open_file_cache max=3000 inactive=120s;
+        open_file_cache_valid 45s;
+        open_file_cache_min_uses 2;
+        open_file_cache_errors off;
     }
     ## End - Caching
 
@@ -71,22 +89,11 @@ server {
         #auth_basic_user_file /config/nginx/.htpasswd;
 
         fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
     }
-
-    # deny access to all dotfiles
-    location ~ /\. {
-        deny all;
-        log_not_found off;
-        access_log off;
-        return 404;
-    }
-
-    # Allow access to the ".well-known" directory
-    location ^~ /.well-known {
-        allow all;
-    }
 }