Merge branch 'feature/disallow_dotfiles' into 'master'

disallow access to dotfiles besides .well-known by default Closes infra/documentation#115 See merge request infra/ansible/roles/nginx!2
2022-03-19 10:32:12 +00:00 · 2022-03-19 10:32:12 +00:00 · 3ef51e3be1
commit 3ef51e3be1
parent 8fd7a20a7c 81f7b5337c
3 changed files with 13 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -102,6 +102,9 @@ key: ~

 # SSL certificat, mutally exclusive with letsencrypt option
 crt: ~
+
+# Disallow access to dotfiles besides .well-known by default
+disallow_dotfiles: True
 ```

 **locationconfig**:
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -45,6 +45,7 @@ nginx_vhosts_defaults:
  add_proxy_headers: {}
  hide_proxy_headers: {}
  backend: ~
+  disallow_dotfiles: True

 nginx_streams_defaults:
  listen:
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@ -86,6 +86,15 @@ server {
 	}
 	{% endfor %}

+
+	{% if vhost.disallow_dotfiles %}
+	# disallow every path starting with a dot except .well-known/
+	location ~ /\.(?!well-known\/).* {
+		deny all;
+	}
+	{% endif %}
+
+
 	{% if vhost.auth.enable %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }};