From 4999eaa8964bcb922dfc807baf4edb9ca8b36a9e Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 3 May 2024 18:19:39 +0200 Subject: [PATCH] Give the options to allow dotfiles other than '.ht*'. --- defaults/main.yml | 1 + templates/nginx-virthost.j2 | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 30f35b6..5302a7a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -134,6 +134,7 @@ nginx_websockets_support: false # When we do not use letsencrypt: # nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt' # nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key' +nginx_block_dangerous_dotfiles: false nginx_block_dotfiles: true # k,M,G diff --git a/templates/nginx-virthost.j2 b/templates/nginx-virthost.j2 index f608876..b46e441 100644 --- a/templates/nginx-virthost.j2 +++ b/templates/nginx-virthost.j2 @@ -38,6 +38,13 @@ server { log_not_found off; return 404; } +{% elif nginx_block_dangerous_dotfiles %} + location ~ /\.ht.* { + deny all; + access_log off; + log_not_found off; + return 404; + } {% endif %} {% if letsencrypt_acme_install %} @@ -241,6 +248,7 @@ server { log_not_found off; access_log off; } + {% if nginx_block_dotfiles %} location ~ /\.(?!well-known).* { deny all; @@ -248,6 +256,13 @@ server { log_not_found off; return 404; } +{% elif nginx_block_dangerous_dotfiles %} + location ~ /\.ht.* { + deny all; + access_log off; + log_not_found off; + return 404; + } {% endif %} {% if haproxy_ips is defined %}
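Review bot: The new default `nginx_block_dangerous_dotfiles: false` in `defaults/main.yml` means that an operator who sets `nginx_block_dotfiles: false` ends up with no dotfile protection at all, because the template reads the new variable only in the `elif` branch. `.htpasswd` files usually hold password hashes, so the narrow block is better kept as the fallback: `nginx_block_dangerous_dotfiles: true`. The name also promises more than the template delivers, since only `.ht*` is covered and other dotfiles under the document root (for example `.git` or `.env`) would be served. A comment above the variable should say so, for example `# Only used when nginx_block_dotfiles is false; blocks '.ht*' only, every other dotfile is served`.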
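Review bot: The added `location ~ /\.ht.*` block sets `access_log off;`, so requests probing for `.htpasswd` or `.htaccess` leave no trace and a cheap scanning signal is lost; consider dropping that line in this branch or sending these hits to a dedicated log. `return 404;` runs in the rewrite phase, before access checks, so `deny all;` is never evaluated here and can be removed. The trailing `.*` is redundant in an unanchored regex, and `location ~ /\.ht {` matches the same requests. The identical block is added again in the second `server` section (hunk `-248,6 +256,13`), so the same points apply there, and a shared Jinja macro or include would keep the two copies in sync. Both `server` blocks start and end outside the hunks.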