From a2530f4cca2d8da036787aedc5928f10e5e0f206 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sun, 8 Feb 2026 09:39:54 -0600
Subject: [PATCH 1/2] Update default.conf.sample to deny dotfile access
Signed-off-by: Eric Nemchik
---
 readme-vars.yml | 1 +
 root/defaults/nginx/site-confs/default.conf.sample | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/readme-vars.yml b/readme-vars.yml
index 4b49dbe..8df48aa 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -114,6 +114,7 @@ init_diagram: |
 "cops:latest" <- Base Images
 # changelog
 changelogs:
+ - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
 - {date: "08.02.26:", desc: "Adding missing php-tokenizer package."}
 - {date: "10.10.25:", desc: "Adding missing icu-data-full package."}
 - {date: "10.07.25:", desc: "Rebase to Alpine 3.22."}
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 4265cfc..5275585 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2025/07/10 - Changelog: https://github.com/linuxserver/docker-cops/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-cops/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 server {
 listen 80 default_server;
@@ -48,8 +48,16 @@ server {
 include /etc/nginx/fastcgi_params;
 }
- # deny access to .htaccess/.htpasswd files
- location ~ /\.ht {
+ # deny access to all dotfiles
+ location ~ /\. {
 deny all;
+ log_not_found off;
+ access_log off;
+ return 404;
+ }
+
+ # Allow access to the ".well-known" directory
+ location ^~ /.well-known {
+ allow all;
 }
 }
From 31dc8357dfd11def4c22cc79ce87fb9ccc0185b7 Mon Sep 17 00:00:00 2001
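Review bot: `access_log off;` in the new `location ~ /\.` block removes every dotfile request from the access log, so scanning for hidden files leaves no record for detection or rate limiting; keeping only `log_not_found off;` would quieten the error log without losing that signal. `deny all;` is also dead in this block, because `return 404;` is handled in the rewrite phase before access checks run, so one of the two lines should go. In the second block, `location ^~ /.well-known` is a prefix match without a trailing slash and therefore also covers any name that merely starts with that string; `location ^~ /.well-known/` is tighter.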
From: mikespub
Date: Tue, 10 Feb 2026 14:33:56 +0100
Subject: [PATCH 2/2] update redirect location and use front controller
---
 readme-vars.yml | 3 ++-
 root/defaults/config/local.php | 13 +++++++++----
 .../nginx/site-confs/default.conf.sample | 18 ++++++++++++------
 3 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/readme-vars.yml b/readme-vars.yml
index 8df48aa..6ec39ba 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -57,7 +57,7 @@ param_ports:
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
- Access the webui at `http://:80`. For connecting via OPDS on a mobile device use `http://:80/index.php/feed`. It is strongly suggested that you reverse proxy this prior to exposing to the internet. For more information, such as requiring credentials, check the COPS Wiki (linked above).
+ Access the webui at `http://:80`. For connecting via OPDS on a mobile device use `http://:80/index.php/feed` or `http://:80/feed`. It is strongly suggested that you reverse proxy this prior to exposing to the internet. For more information, such as requiring credentials, check the COPS Wiki (linked above).
 The linuxserver version gives you access to `config/local.php` in `/config` to customise your install to suit your needs, it also includes the dependencies required to directly view epub books in your browser.
 # init diagram
@@ -114,6 +114,7 @@ init_diagram: |
 "cops:latest" <- Base Images
 # changelog
 changelogs:
+ - {date: "10.06.26:", desc: "Existing users should verify: site-confs/default.conf and config/local.php - Update redirect location and use front controller."}
 - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
 - {date: "08.02.26:", desc: "Adding missing php-tokenizer package."}
 - {date: "10.10.25:", desc: "Adding missing icu-data-full package."}
diff --git a/root/defaults/config/local.php b/root/defaults/config/local.php
index 2b7572b..06c10d3 100644
--- a/root/defaults/config/local.php
+++ b/root/defaults/config/local.php
@@ -35,6 +35,13 @@
 */
 $config['cops_x_accel_redirect'] = "X-Accel-Redirect";
+/*
+ * Map /books/ to internal redirect location for COPS 4.2+
+ */
+$config['cops_x_accel_mapping'] = [
+ '/books/' => '/_redirect_/',
+];
+
 /* Enable cache folder
 * especially useful for lower power hosts
 */
@@ -100,8 +107,6 @@
 * - Nginx: nginx.conf
 * - PHP built-in: router.php
 * - ...
- *
- * @todo update nginx/site-confs/default.conf.sample to make use of front controller
 */
-$config['cops_front_controller'] = '';
-//$config['cops_front_controller'] = 'index.php';
+//$config['cops_front_controller'] = '';
+$config['cops_front_controller'] = 'index.php';
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 5275585..905b944 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2026/02/08 - Changelog: https://github.com/linuxserver/docker-cops/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/02/10 - Changelog: https://github.com/linuxserver/docker-cops/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 server {
 listen 80 default_server;
@@ -31,11 +31,6 @@ server {
 expires 31d;
 }
- location /books {
- root /;
- internal;
- }
-
 location ~ ^(.+\.php)(.*)$ {
 # enable the next two lines for http auth
 #auth_basic "Restricted";
@@ -48,6 +43,17 @@ server {
 include /etc/nginx/fastcgi_params;
 }
+ # use internal redirect location for X-Accel-Redirect - do not use /books/ or other COPS urls with front controller
+ location /_redirect_/ {
+ internal;
+ alias /books/;
+ }
+
+ # use front controller for COPS 4.2+
+ location ~ ^/(?!(index\.php|_redirect_)) {
+ try_files $uri /index.php$request_uri;
+ }
+
 # deny access to all dotfiles
 location ~ /\. {
 deny all;
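Review bot: The comment above `$config['cops_x_accel_mapping']` does not say that the `'/_redirect_/'` target only works when the nginx site config defines a matching `internal` location. The changelog asks existing users to verify both files, so a `local.php` taken without the updated `default.conf` would presumably send X-Accel-Redirect paths that nginx cannot resolve to the book files. I would add a line to the comment such as `* The target must match the internal "location /_redirect_/" (alias /books/) in nginx/site-confs/default.conf`.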
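Review bot: The new front-controller block `location ~ ^/(?!(index\.php|_redirect_))` is a regex location placed above `location ~ /\.`, and nginx uses the first regex location that matches in file order, so dotfile URIs now land in `try_files $uri /index.php$request_uri;` and never reach the `deny all;` shown as context at the end of this hunk. A dotfile that exists under the document root would then be served by `try_files $uri`, which undoes the dotfile deny introduced by the previous patch. Moving the whole `# deny access to all dotfiles` block above both the `location ~ ^(.+\.php)(.*)$` block and the front-controller block keeps it effective; the `.php` regex also precedes it, going by the earlier hunk of this file. The dotfile block continues past the last line of this hunk, so its remaining directives are not visible here.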