disallow access to dotfiles besides .well-known by default

templates/vhost.conf.j2

@@ -86,6 +86,15 @@ server {
 	}
 	{% endfor %}
 
+
+	{% if vhost.disallow_dotfiles %}
+	# disallow every path starting with a dot except .well-known/
+	location ~ /\.(?!well-known\/).* {
+		deny all;
+	}
+	{% endif %}
+
+
 	{% if vhost.auth.enable %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }};