author: Alexandre Alapetite <alexandre@alapetite.fr> 2024-11-19 21:28:50 +0100
committer: GitHub <noreply@github.com> 2024-11-19 21:28:50 +0100
commit: 6970723aebae7ae90405368e6314e113885cd0de
tree: e662f00fc1cbc9473cb3cb2261c7caf46adf4062 /.htaccess.dist
parent: 966f211202bc2ed6bf56b64e1ea3c4804e93c404
Rework Apache deny access outside p (#7008)
* Rework Apache deny access outside p
  The deny rules introduced by https://github.com/FreshRSS/FreshRSS/pull/6881 gave problems for API access.
  See also https://github.com/FreshRSS/FreshRSS/discussions/6879
* Fix scope of deny logic
* Fix scope of deny logic
* Allow .txt
  For e.g. `robots.txt`
Diffstat (limited to '.htaccess.dist')
-rw-r--r-- .htaccess.dist 9
1 files changed, 7 insertions, 2 deletions
diff --git a/.htaccess.dist b/.htaccess.dist
index 18475b849..33f794673 100644
--- a/.htaccess.dist
+++ b/.htaccess.dist
@@ -1,7 +1,12 @@
# Copy this file to `.htaccess` for additional root-level protection
# if you cannot set Apache `DocumentRoot` to `./p/` as recommended.
-# Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions
-<FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
+# Deny files starting with a dot or without extension or with specific extensions
+<FilesMatch "^\.|^[^.]+$|\.(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)$">
Require all denied
</FilesMatch>
+
+# Deny some sub-folders, which may not be excluded by their own .htaccess
+<If "%{REQUEST_URI} =~ m#/(bin|data|node_modules|vendor|\..+)(/|$)#">
+ Require all denied
+</If>
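Review bot: The new `FilesMatch` pattern replaces the extension allowlist with a denylist, so any extension not named in `(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)` (for example `.log`, `.sql`, `.bak` or `.ini`) is no longer denied by this file. Since the file exists as protection for installs that cannot point `DocumentRoot` at `./p/`, consider keeping the rule fail-closed, or say in the comment that the list has to be extended whenever a new sensitive file type lands outside `p/`. The removed `^(?!oidc)[^.]+$` exception is dropped without a mention in the commit message, so extensionless names starting with `oidc` are now denied; please confirm that is intended. In the `<If>` block the expression is not anchored to the install root, so a request path containing a segment named `bin`, `data`, `node_modules` or `vendor`, or any segment starting with a dot (which includes `/.well-known/`), is denied at any depth, including below `p/` and in path info passed to scripts there. The comment should state that scope, and a test request against an API URL with such a segment would show whether the API problem this commit addresses can recur.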