Allow all files in well-known path

[torrinicholas]

PR Type

Enhancement

---

Description

• Places /.well-known/ location block before the .txt|log deny rule so all resources under that path are publicly accessible

• Adds an explicit deny all rule for PHP files under /.well-known/ to prevent PHP source leakage

• Ensures /.well-known/ path is not restricted by .txt|log deny rules, supporting ACME challenges (tokens without file extensions), security.txt, and other well-known endpoints

---

Diagram Walkthrough

flowchart LR
  A["robots.txt location block"] -- "followed by" --> B["/.well-known/*.php deny all"]
  B -- "followed by" --> C["/.well-known/ allow all"]
  C -- "followed by" --> D[".txt|log deny rule"]
  D -- "followed by" --> E["other location blocks"]

Loading

---

[sparkfabrik-ai-bot]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Hidden Files Access The /.well-known/ block uses allow all without any restrictions, but the subsequent rule location ~ (^|/)\. returns 403 for dot-files/directories. Since /.well-known/ starts with a dot, verify that nginx's location matching precedence (the ~* regex for well-known vs the ~ regex for dot paths) correctly prioritizes the well-known block. In nginx, when two regex locations match, the first one defined wins, so the order here should be correct — but this should be explicitly validated. location ~* ^/.well-known/ { allow all; }

[sparkfabrik-ai-bot]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Add fallback directive to well-known location The /.well-known/ location block only has allow all but lacks a deny all fallback or try_files directive. Without additional directives, this could expose sensitive files under /.well-known/ (e.g., configuration or credential files) to unauthorized access. Consider adding try_files $uri =404; to prevent directory traversal or access to non-existent resources. templates/default.conf [77-79] location ~* ^/.well-known/ { allow all; + try_files $uri =404; } Suggestion importance[1-10]: 5 __ Why: The suggestion to add try_files $uri =404; to the /.well-known/ location block is a reasonable security improvement to prevent access to non-existent resources. However, the /.well-known/ path is typically used for legitimate public discovery endpoints (like ACME challenges), and the existing allow all without a deny all is intentional. The improvement is minor and context-dependent.	Low

[Copilot]

Pull request overview

Updates the default Nginx server config to allow public access to resources under the /.well-known/ path (commonly used for ACME challenges and similar well-known endpoints).

Changes:

• Moves the /.well-known/ location block earlier in the server config so it takes precedence over other restrictive location rules.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.