feat: block dotfile requests across all sites

Adds a deny-dotfiles snippet that returns 403 for any URI matching /\. (e.g. .gitconfig, .env, .git/) and includes it in every server block.
2026-03-18 11:31:02 -07:00
parent 1d24a85e07
commit fc252e28e2
34 changed files with 108 additions and 0 deletions
@@ -10,4 +10,5 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,4 +10,5 @@ server {
    proxy_pass http://127.0.0.1:10080;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -9,6 +9,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5001;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -20,6 +21,7 @@ server {
  location / {
    return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -33,6 +35,7 @@ server {
    proxy_pass http://127.0.0.1:5002;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -44,6 +47,7 @@ server {
  location / {
    return 301 https://aria.nhcarrigan.com;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -56,4 +60,5 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://0.0.0.0:5000;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:6022;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -23,6 +24,7 @@ server {
    proxy_pass http://127.0.0.1:7044;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -36,6 +38,7 @@ server {
    proxy_pass http://127.0.0.1:5010;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -49,6 +52,7 @@ server {
    proxy_pass http://127.0.0.1:7055;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -62,6 +66,7 @@ server {
    proxy_pass http://127.0.0.1:6111;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -74,6 +79,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5018;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -87,6 +93,7 @@ server {
    proxy_pass http://127.0.0.1:5012;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -100,6 +107,7 @@ server {
    proxy_pass http://127.0.0.1:3333;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -112,6 +120,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5022;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -125,6 +134,7 @@ server {
    proxy_pass http://127.0.0.1:5011;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -137,6 +147,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5443;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -150,6 +161,7 @@ server {
    proxy_pass http://127.0.0.1:6019;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -162,6 +174,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass https://127.0.0.1:4443;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -175,6 +188,7 @@ server {
    proxy_pass http://127.0.0.1:9100;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -188,6 +202,7 @@ server {
    proxy_pass http://127.0.0.1:7066;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -200,6 +215,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5019;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -213,6 +229,7 @@ server {
    proxy_pass http://127.0.0.1:8123;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -225,6 +242,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:6088;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -237,6 +255,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:3443;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -249,4 +268,5 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:6099;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -19,4 +19,5 @@ server {
  location = /index.html {
    internal;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -49,4 +49,5 @@ server {
            return 204;
        }
    }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:9080;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -21,4 +22,5 @@ server {
  location / {
    return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:3003;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -27,6 +28,7 @@ server {
  location /books.json {
    try_files /books.json =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -40,6 +42,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -57,6 +60,7 @@ server {
  location /songs.json {
    try_files /songs.json =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -70,6 +74,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -83,6 +88,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -96,4 +102,5 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,4 +10,5 @@ server {
    proxy_pass http://127.0.0.1:9999;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -23,6 +24,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -36,6 +38,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -49,6 +52,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -62,4 +66,5 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -11,4 +11,5 @@ server {
  location / {
    try_files $uri $uri/ /index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -15,4 +15,5 @@ server {
  location ~* \.(js|css)$ {
    try_files $uri $uri/ @rewrite;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -21,4 +21,5 @@ server {
  location ~* \.(js|css)$ {
    try_files $uri $uri/ @rewrite;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:1234;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -148,4 +149,5 @@ server {
        proxy_pass http://127.0.0.1:11111;
        proxy_redirect off;
    }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -18,6 +18,7 @@ server {
  location /prologue {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -44,6 +45,7 @@ server {
    add_header Cache-Control "public";
    access_log off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -57,6 +59,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -70,6 +73,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -83,6 +87,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -96,6 +101,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -124,6 +130,7 @@ server {
    location ~ /\.(?!well-known) {
        deny all;
    }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -137,6 +144,7 @@ server {
    proxy_pass http://127.0.0.1:5033;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -150,6 +158,7 @@ server {
    proxy_pass http://127.0.0.1:5033;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -169,6 +178,7 @@ server {
    add_header Content-Type text/plain;
    return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -188,4 +198,5 @@ server {
    add_header Content-Type text/plain;
    return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -11,4 +11,5 @@ server {
    proxy_pass http://127.0.0.1:53000;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -6,6 +6,7 @@ server {
  ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
  return 301 https://hikari.nhcarrigan.com/announcements;
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -33,6 +34,7 @@ server {
  location / {
    try_files $uri $uri/ /index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -44,4 +46,5 @@ server {
  location / {
    return 301 https://hikari.nhcarrigan.com/products;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,4 +10,5 @@ server {
    proxy_pass http://127.0.0.1:12321;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -22,4 +22,5 @@ server {
  location / {
    try_files $uri $uri/ /index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -9,6 +9,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5044;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -21,4 +22,5 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:5044;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:8009;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -23,6 +24,7 @@ server {
    proxy_pass http://127.0.0.1:8010;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -36,4 +38,5 @@ server {
    proxy_pass http://127.0.0.1:8008;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -17,6 +17,7 @@ server {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -29,6 +30,7 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:3001;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -52,6 +54,7 @@ server {
    proxy_send_timeout      1m;
    proxy_read_timeout      1m;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -65,6 +68,7 @@ server {
    proxy_pass http://127.0.0.1:5080;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -77,4 +81,5 @@ server {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:3001;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:1235;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -28,4 +29,5 @@ server {
  location ~* \.(js|css)$ {
    try_files $uri $uri/ @rewrite;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -23,4 +24,5 @@ server {
  location / {
    index index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -43,6 +43,7 @@ server {
    proxy_cache_lock on;
    proxy_http_version 1.1;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -89,4 +90,5 @@ server {
    proxy_cache_lock on;
    proxy_http_version 1.1;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -24,6 +24,7 @@ server {
  location /koikatsu {
    try_files /koikatsu.html =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -42,6 +43,7 @@ server {
    add_header Content-Type text/plain;
    return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -68,6 +70,7 @@ server {
  location /koikatsu {
    try_files /koikatsu.html =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -86,6 +89,7 @@ server {
    add_header Content-Type text/plain;
    return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -105,6 +109,7 @@ server {
    index index.html;
    try_files $uri $uri/ /index.html;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -126,6 +131,7 @@ server {
  location /koikatsu {
    try_files /koikatsu.html =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -147,6 +153,7 @@ server {
  location /koikatsu {
    try_files /koikatsu.html =404;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 # Wildcard catch-all — must remain last so specific subdomains take priority
@@ -160,4 +167,5 @@ server {
    location / {
        return 301 https://$subdomain.nhcarrigan.com$request_uri;
    }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -16,6 +16,7 @@ server {
    proxy_pass http://127.0.0.1:5003;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -29,4 +30,5 @@ server {
    proxy_pass http://127.0.0.1:5003;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -6,6 +6,7 @@ server {
  ssl_certificate_key /etc/letsencrypt/live/cyc.nhcarrigan.com/privkey.pem;
  return 301 https://zcal.co/nhcarrigan/cyc;
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -15,6 +16,7 @@ server {
  ssl_certificate_key /etc/letsencrypt/live/meet.nhcarrigan.com/privkey.pem;
  return 301 https://zcal.co/nhcarrigan/meet;
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -26,4 +28,5 @@ server {
  location / {
    return 301 https://melody.nhcarrigan.com$uri$is_args$args;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -12,6 +12,7 @@ server {
    proxy_pass http://127.0.0.1:9500;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -36,4 +37,5 @@ server {
    client_max_body_size 100M;
    proxy_read_timeout 90;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -8,6 +8,7 @@ server {
  location / {
    return 301 https://discord.gg/KKe7BaEnQB;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -19,6 +20,7 @@ server {
  location / {
    return 301 https://support.nhcarrigan.com;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -44,4 +46,5 @@ server {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -18,4 +18,5 @@ server {
  location / {
    return 403;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -10,6 +10,7 @@ server {
    proxy_pass http://127.0.0.1:12345;
    proxy_redirect off;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
 server {
@@ -28,4 +29,5 @@ server {
  location ~* \.(js|css)$ {
    try_files $uri $uri/ @rewrite;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -14,4 +14,5 @@ server {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  include /etc/nginx/snippets/deny-dotfiles.conf;
 }
@@ -0,0 +1,4 @@
 # Block requests for dotfiles (e.g. .gitconfig, .env, .git/).
 location ~ /\. {
  return 403;
 }