From 1bb8cab6ff63db39525ee5faffb31913d1cdf2f3 Mon Sep 17 00:00:00 2001
From: Tawmu
Date: Tue, 5 Mar 2024 14:07:45 +0000
Subject: [PATCH] blocks certain paths in Nginx config
---
 .../openresty/nginx/conf/site.conf.default | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/openresty/rootfs/usr/local/openresty/nginx/conf/site.conf.default b/openresty/rootfs/usr/local/openresty/nginx/conf/site.conf.default
index 8f63d6a..790e10b 100644
--- a/openresty/rootfs/usr/local/openresty/nginx/conf/site.conf.default
+++ b/openresty/rootfs/usr/local/openresty/nginx/conf/site.conf.default
@@ -66,4 +66,28 @@ server {
 root /usr/local/openresty/nginx/html;
 internal;
 }
+
+ # Block access to dot files except the .well-known directory
+ location ~* /\.(?!well-known\/) {
+ deny all;
+ return 404;
+ }
+
+ # Unlikely to have these but block access to certain filetypes
+ location ~* (?:\.(?:bak|conf|yaml|yml|cfg|fla|in[ci]|log|psd|sh|sql)|~)$ {
+ deny all;
+ return 404;
+ }
+
+ # Block access to composer files
+ location ~* composer\.(?:json|lock) {
+ deny all;
+ return 404;
+ }
+
+ # Block certain directories
+ location ~ /(vendor|behat|node_modules) {
+ deny all;
+ return 404;
+ }
 }
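Review bot: The four blocking locations are appended at the very end of the `server` block, and nginx uses the first regex location that matches in file order, so any regex location defined earlier in the file (a `\.php$` handler, for instance) would still win for a request under `/vendor/` or for a dot path. The rest of the server block is outside this hunk, so this needs checking, and the new blocks should move above any other regex locations; a prefix location marked `^~` would bypass them as well. The last pattern is also unanchored, so it matches unrelated paths such as `/vendors/`; `location ~ /(?:vendor|behat|node_modules)(?:/|$) {` limits it to whole path segments. In every block `return 404;` is executed in the rewrite phase before `deny all;` is evaluated, so the `deny` lines never take effect and could be dropped, or kept with a comment such as `# return runs first; 404 is intentional so the path's existence is not revealed`.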