From df47382a4b1f6b224a61acf8c299f324c40d46b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Lebleu?=
Date: Mon, 23 May 2016 10:09:16 +0200
Subject: [PATCH] [fix] Imrpove nginx conf without .well-known blocking (fix #2)

---
 conf/nginx.conf | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index ee9561f..1e3d865 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,10 +1,32 @@
 location {LOCATION} {
 alias {DESTDIR}/www/;
+
+ # Force HTTPS
 if ($scheme = http) {
 rewrite ^ https://$server_name$request_uri? permanent;
 }
- index index.html index.php ;
- try_files $uri $uri/ index.php;
+
+ # Default indexes and catch-all
+ index index.html index.php;
+ try_files $uri $uri/ {PATH}/index.php?$args;
+
+ # Prevent useless logs
+ location = {PATH}/favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+ location = {PATH}/robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Deny access to hidden files and directories
+ location ~ ^{PATH}/(.+/|)\.(?!well-known\/) {
+ deny all;
+ }
+
+ # Execute and serve PHP files
 location ~ [^/]\.php(/|$) {
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 fastcgi_pass unix:/var/run/php5-fpm-{POOLNAME}.sock;
@@ -15,17 +37,6 @@ location {LOCATION} {
 fastcgi_param SCRIPT_FILENAME $request_filename;
 }
 
- location = {PATH}/robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
 }
-
-# Deny access to hidden files and directories
-location ~ ^{PATH}/\. {
- deny all;
-}
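Review bot: The `.well-known` exemption in the new hidden-file rule is wider than the commit's stated goal: because the optional `(.+/|)` prefix sits in front of the lookahead, a directory named `.well-known` at any depth under `{PATH}` is served, not only `{PATH}/.well-known/`. If only the top-level directory is meant (an assumption; the intent is not visible here), anchoring the exception would keep every other dot-path denied: `location ~ ^{PATH}/(\.(?!well-known/)|.+/\.) {`. The rule also depends on being declared before the PHP regex location, since nginx uses the first regex location that matches, so a comment such as `# Keep above the PHP location: the first matching regex wins, so dot-files ending in .php are denied rather than executed` would protect it from later reordering. The enclosing `location {LOCATION}` block closes outside this hunk.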