Update default.conf.sample to deny dotfile access #133
Signed-off-by: Eric Nemchik <eric@nemchik.com>
I am a bot, here is the pushed image/manifest for this PR:
This pull request has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
Signed-off-by: Eric Nemchik <eric@nemchik.com>
Pull request overview
This PR updates the sample Nginx site config for the Mastodon container, primarily to block access to hidden files under the public web root while preserving .well-known access for expected public endpoints.
Changes:
- Add a broader dotfile-deny rule to `default.conf.sample`.
- Add an explicit `/.well-known` exception ahead of that deny rule.
- Update the changelog entry for operators who maintain a copied Nginx config.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| root/defaults/nginx/site-confs/default.conf.sample | Adds dotfile blocking, a .well-known exception, and new QUIC listen directives. |
| readme-vars.yml | Adds a changelog entry describing the config update for existing users. |
| # Allow access to the ".well-known" directory | ||
| location ^~ /.well-known { |
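Review bot: `location ^~ /.well-known {` has no trailing slash, so the prefix also matches sibling paths that merely start with that string, which are dot-prefixed names the new deny rule is meant to cover. Because `^~` stops nginx from evaluating regex locations once this prefix wins, a regex-based dotfile deny will also not apply to hidden files nested below `/.well-known/`. Suggest `location ^~ /.well-known/ {` and a short comment stating whether exempting nested dotfiles is intended.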
| listen 443 quic reuseport default_server; | ||
| listen [::]:443 quic reuseport default_server; |
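Review bot: the two `listen ... quic reuseport default_server;` lines are unrelated to the dotfile rule this PR is titled for and should either move to their own PR or be called out explicitly. QUIC runs over UDP, so operators who copy this sample only get a working listener if UDP 443 is published for the container alongside TCP 443. nginx also accepts socket options such as `reuseport` only once per address:port, so a user with another site-conf that already sets it on 443 will get a configuration error after merging this in.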
| "mastodon:latest" <- Base Images | ||
| # changelog | ||
| changelogs: | ||
| - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."} |
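Review bot: the `desc` text says "Deny access to all dotfiles", but the same change set adds a `/.well-known` exception and new QUIC `listen` directives to `default.conf.sample`. Operators who hand-merge their copied config from this entry alone will miss both. Suggest extending the description to name the `.well-known` exception and the added QUIC listeners.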
No description provided.