nhcarrigan/nginx-configs
9
0
Fork 0
generated from nhcarrigan/template
Code Issues 1 Pull Requests Actions Releases Activity

feat: block dotfile requests across all sites
Test nginx configuration / Static Analysis (push) Failing after 4s
Details
Test nginx configuration / nginx Syntax Check (push) Successful in 20s
Details
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m8s
Details

Browse Source 
Adds a deny-dotfiles snippet that returns 403 for any URI matching /\.
(e.g. .gitconfig, .env, .git/) and includes it in every server block.
This commit is contained in:
Hikari
2026-03-18 11:31:02 -07:00
committed by Naomi Carrigan
parent 1d24a85e07
commit fc252e28e2
34 changed files with 108 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nginx/nginx/sites-available/404.conf
+1
View File
@@ -10,4 +10,5 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/afp.conf
+1
View File
@@ -10,4 +10,5 @@ server {
proxy_pass http://127.0.0.1:10080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/aria.conf
+5
View File
@@ -9,6 +9,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -20,6 +21,7 @@ server {
location / {
return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -33,6 +35,7 @@ server {
proxy_pass http://127.0.0.1:5002;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -44,6 +47,7 @@ server {
location / {
return 301 https://aria.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -56,4 +60,5 @@ server {
proxy_set_header Host $host;
proxy_pass http://0.0.0.0:5000;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/bots.conf
+20
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:6022;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -23,6 +24,7 @@ server {
proxy_pass http://127.0.0.1:7044;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -36,6 +38,7 @@ server {
proxy_pass http://127.0.0.1:5010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -49,6 +52,7 @@ server {
proxy_pass http://127.0.0.1:7055;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -62,6 +66,7 @@ server {
proxy_pass http://127.0.0.1:6111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -74,6 +79,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5018;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -87,6 +93,7 @@ server {
proxy_pass http://127.0.0.1:5012;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -100,6 +107,7 @@ server {
proxy_pass http://127.0.0.1:3333;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -112,6 +120,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5022;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -125,6 +134,7 @@ server {
proxy_pass http://127.0.0.1:5011;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -137,6 +147,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -150,6 +161,7 @@ server {
proxy_pass http://127.0.0.1:6019;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -162,6 +174,7 @@ server {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:4443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -175,6 +188,7 @@ server {
proxy_pass http://127.0.0.1:9100;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -188,6 +202,7 @@ server {
proxy_pass http://127.0.0.1:7066;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -200,6 +215,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5019;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -213,6 +229,7 @@ server {
proxy_pass http://127.0.0.1:8123;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -225,6 +242,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6088;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -237,6 +255,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -249,4 +268,5 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6099;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/catch-all.conf
+1
View File
@@ -19,4 +19,5 @@ server {
location = /index.html {
internal;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/cdn.conf
+1
View File
@@ -49,4 +49,5 @@ server {
return 204;
}
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/celestine.conf
+2
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:9080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -21,4 +22,5 @@ server {
location / {
return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/content.conf
+7
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:3003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -27,6 +28,7 @@ server {
location /books.json {
try_files /books.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -40,6 +42,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -57,6 +60,7 @@ server {
location /songs.json {
try_files /songs.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -70,6 +74,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -83,6 +88,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -96,4 +102,5 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/data.conf
+1
View File
@@ -10,4 +10,5 @@ server {
proxy_pass http://127.0.0.1:9999;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/docs.conf
+5
View File
@@ -10,6 +10,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -23,6 +24,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -36,6 +38,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -49,6 +52,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -62,4 +66,5 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/eclaire.conf
+1
View File
@@ -11,4 +11,5 @@ server {
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/elowyn.conf
+1
View File
@@ -15,4 +15,5 @@ server {
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/elysium.conf
+1
View File
@@ -21,4 +21,5 @@ server {
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/forms.conf
+2
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:1234;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -148,4 +149,5 @@ server {
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/games.conf
+11
View File
@@ -18,6 +18,7 @@ server {
location /prologue {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -44,6 +45,7 @@ server {
add_header Cache-Control "public";
access_log off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -57,6 +59,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -70,6 +73,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -83,6 +87,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -96,6 +101,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -124,6 +130,7 @@ server {
location ~ /\.(?!well-known) {
deny all;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -137,6 +144,7 @@ server {
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -150,6 +158,7 @@ server {
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -169,6 +178,7 @@ server {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -188,4 +198,5 @@ server {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/git.conf
+1
View File
@@ -11,4 +11,5 @@ server {
proxy_pass http://127.0.0.1:53000;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/hikari.conf
+3
View File
@@ -6,6 +6,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
return 301 https://hikari.nhcarrigan.com/announcements;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -33,6 +34,7 @@ server {
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -44,4 +46,5 @@ server {
location / {
return 301 https://hikari.nhcarrigan.com/products;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/library.conf
+1
View File
@@ -10,4 +10,5 @@ server {
proxy_pass http://127.0.0.1:12321;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/lucinda.conf
+1
View File
@@ -22,4 +22,5 @@ server {
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/lynira.conf
+2
View File
@@ -9,6 +9,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -21,4 +22,5 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/mommy.conf
+3
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:8009;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -23,6 +24,7 @@ server {
proxy_pass http://127.0.0.1:8010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -36,4 +38,5 @@ server {
proxy_pass http://127.0.0.1:8008;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/monitoring.conf
+5
View File
@@ -17,6 +17,7 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -29,6 +30,7 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -52,6 +54,7 @@ server {
proxy_send_timeout 1m;
proxy_read_timeout 1m;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -65,6 +68,7 @@ server {
proxy_pass http://127.0.0.1:5080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -77,4 +81,5 @@ server {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/nails.conf
+2
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:1235;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -28,4 +29,5 @@ server {
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/nocturne.conf
+2
View File
@@ -10,6 +10,7 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -23,4 +24,5 @@ server {
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/notes.conf
+2
View File
@@ -43,6 +43,7 @@ server {
proxy_cache_lock on;
proxy_http_version 1.1;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -89,4 +90,5 @@ server {
proxy_cache_lock on;
proxy_http_version 1.1;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/portfolio.conf
+8
View File
@@ -24,6 +24,7 @@ server {
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -42,6 +43,7 @@ server {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -68,6 +70,7 @@ server {
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -86,6 +89,7 @@ server {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -105,6 +109,7 @@ server {
index index.html;
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -126,6 +131,7 @@ server {
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -147,6 +153,7 @@ server {
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# Wildcard catch-all — must remain last so specific subdomains take priority
@@ -160,4 +167,5 @@ server {
location / {
return 301 https://$subdomain.nhcarrigan.com$request_uri;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/rosalia.conf
+2
View File
@@ -16,6 +16,7 @@ server {
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -29,4 +30,5 @@ server {
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/scheduling.conf
+3
View File
@@ -6,6 +6,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/cyc.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/cyc;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -15,6 +16,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/meet.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/meet;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -26,4 +28,5 @@ server {
location / {
return 301 https://melody.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/security.conf
+2
View File
@@ -12,6 +12,7 @@ server {
proxy_pass http://127.0.0.1:9500;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -36,4 +37,5 @@ server {
client_max_body_size 100M;
proxy_read_timeout 90;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/support.conf
+3
View File
@@ -8,6 +8,7 @@ server {
location / {
return 301 https://discord.gg/KKe7BaEnQB;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -19,6 +20,7 @@ server {
location / {
return 301 https://support.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -44,4 +46,5 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/tarot.conf
+1
View File
@@ -18,4 +18,5 @@ server {
location / {
return 403;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/vitalia.conf
+2
View File
@@ -10,6 +10,7 @@ server {
proxy_pass http://127.0.0.1:12345;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
@@ -28,4 +29,5 @@ server {
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/sites-available/wtf.conf
+1
View File
@@ -14,4 +14,5 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
nginx/nginx/snippets/deny-dotfiles.conf
+4
View File
@@ -0,0 +1,4 @@
# Block requests for dotfiles (e.g. .gitconfig, .env, .git/).
location ~ /\. {
return 403;
}