From debbcb1a1b7a4c256b50a4bee4d747ab0c3892d7 Mon Sep 17 00:00:00 2001
From: Felix Stupp <felix.stupp@outlook.com>
Date: Sat, 23 May 2020 22:32:20 +0200
Subject: [PATCH] nginx: Moved dot-file-exclution from global snippet to root
 snippet

Only file based servers may require this directive,
other servers are not expected to leak hidden files other than on purpose
---
 roles/nginx/application/templates/global.conf | 9 ---------
 roles/nginx/application/templates/root.conf   | 9 +++++++++
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/roles/nginx/application/templates/global.conf b/roles/nginx/application/templates/global.conf
index 90027b5..57251bf 100644
--- a/roles/nginx/application/templates/global.conf
+++ b/roles/nginx/application/templates/global.conf
@@ -1,14 +1,5 @@
 include {{ nginx_snippets_directory }}/acme;
 
-# Do not serve hidden files except
-# - well-known as common web standard
-# - files prefixed with file because Nextcloud requires these locations for uploading files
-location ~ /\.(?!well-known)(?!file).* {
-    log_not_found off;
-    access_log off;
-    return 404;
-}
-
 location = /robots.txt {
     allow all;
     log_not_found off;
diff --git a/roles/nginx/application/templates/root.conf b/roles/nginx/application/templates/root.conf
index 9430e3f..272450b 100644
--- a/roles/nginx/application/templates/root.conf
+++ b/roles/nginx/application/templates/root.conf
@@ -1 +1,10 @@
 include {{ nginx_snippets_directory }}/global;
+
+# Do not serve hidden files except
+# - well-known as common web standard
+# - files prefixed with file because Nextcloud requires these locations for uploading files
+location ~ /\.(?!well-known)(?!file).* {
+    log_not_found off;
+    access_log off;
+    return 404;
+}