Update default.conf.sample to deny dotfile access

Signed-off-by: Eric Nemchik <eric@nemchik.com>

Author: nemchik

readme-vars.yml

@@ -144,7 +144,8 @@ init_diagram: |
   "nextcloud:previous" <- Base Images
 # changelog
 changelogs:
-  - {date: "14.10.25:", desc: "Rebase to Alpine 3.22."}
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
+  - {date: "10.07.25:", desc: "Rebase to Alpine 3.22."}
   - {date: "12.02.25:", desc: "Rebase to Alpine 3.21."}
   - {date: "09.01.25:", desc: "Fix uploading large files. Existing users should update their nginx confs."}
   - {date: "09.07.24:", desc: "Add `previous` tag for n-1 releases."}

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,4 +1,4 @@
-## Version 2025/10/14 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/previous/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/previous/root/defaults/nginx/site-confs/default.conf.sample
 
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
@@ -173,8 +173,16 @@ server {
         try_files $uri $uri/ /index.php$request_uri;
     }
 
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
+    # deny access to all dotfiles
+    location ~ /\. {
         deny all;
+        log_not_found off;
+        access_log off;
+        return 404;
+    }
+
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
     }
 }