[gurkendoktor]

I've also fallen into this trap, thinking that Apache wouldn't serve up any dotfiles. Wouldn't that be a saner default?

[akerro]

For nginx:

  # block .files
  location ~ /\. {
    deny  all;
  }
  # allow Lets encrypt
  location ~ /.well-known {
    root YOUR LE DIRECTORY
    allow all;
  }