diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index e3ff184..b306b83 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -76,6 +76,7 @@ nginx_basic_auth_users:
 - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
 # nginx_ldap_login_attribute: uid
 # nginx_ldap_pam_groupdn:
+nginx_webroot: /usr/share/nginx/html
 nginx_letsencrypt_managed: True
 nginx_websockets_support: False
 nginx_use_common_virthost: False
@@ -96,7 +97,7 @@ nginx_ssl_type: ssl
 # ssl_enabled: False
 # ssl_only: False
 # ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
-# root: /usr/share/nginx/html/
+# root: {{ nginx_webroot }}
 # server_tokens: 'off'
 # proxy_standard_setup: True
 # proxy_additional_options:
diff --git a/nginx/tasks/nginx-virtualhosts.yml b/nginx/tasks/nginx-virtualhosts.yml
index d875685..17d3381 100644
--- a/nginx/tasks/nginx-virtualhosts.yml
+++ b/nginx/tasks/nginx-virtualhosts.yml
@@ -1,12 +1,17 @@
 ---
-- name: Install the nginx virtualhost files
- template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
- with_items: '{{ nginx_virthosts | default(omit) }}'
- notify: Reload nginx
- tags: [ 'nginx', 'virtualhost' ]
+- block:
+ - name: Create the nginx webroot if different from the default
+ file: dest={{ nginx_webroot }} mode=0755
+ when: nginx_webroot != '/usr/share/nginx/html'
+
+ - name: Install the nginx virtualhost files
+ template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
+
+ - name: Enable the nginx virtualhosts
+ file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
 
-- name: Enable the nginx virtualhosts
- file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
- with_items: '{{ nginx_virthosts | default(omit) }}'
- notify: Reload nginx
 tags: [ 'nginx', 'virtualhost' ]
diff --git a/nginx/templates/nginx-virthost.j2 b/nginx/templates/nginx-virthost.j2
index 0328527..a2f895c 100644
--- a/nginx/templates/nginx-virthost.j2
+++ b/nginx/templates/nginx-virthost.j2
@@ -1,7 +1,13 @@
 server {
 listen {{ item.http_port | default (80) }};
 server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
+ location ~ /\.(?!well-known).* {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
 {% if letsencrypt_acme_install %}
+## Disable .htaccess and other hidden files
 include /etc/nginx/snippets/letsencrypt-proxy.conf;
 {% endif %}
 {% if item.access_log is defined %}
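Review bot: The new `Create the nginx webroot if different from the default` task does not pass `state=directory`, so the `file` module runs with its default `state=file`, which never creates a path and fails when `nginx_webroot` does not exist yet — exactly the case this task is meant to handle; the line should read `file: dest={{ nginx_webroot }} state=directory owner=root group=root mode=0755`, matching the ownership the neighbouring template task sets. The `when:` guard is a plain string comparison, so a value written with a trailing slash (the form the old commented `root:` default in main.yml used) is treated as non-default and the task runs on the stock directory anyway; that is harmless but deserves a comment such as `# compared as a string: set nginx_webroot without a trailing slash`.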
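Review bot: The `## Disable .htaccess and other hidden files` comment is added inside the `{% if letsencrypt_acme_install %}` branch, directly above the letsencrypt `include`, so it annotates the wrong line and only renders when ACME is enabled; it belongs on the line above `location ~ /\.(?!well-known).* {`. Because nginx tries regex locations in file order and takes the first match, this block precedes whatever the letsencrypt snippet declares and relies entirely on the lookahead to let `/.well-known/` through; the lookahead is a prefix test, so any hidden name beginning with `well-known` is exempted as well, and the trailing `.*` adds nothing — `location ~ /\.(?!well-known/) {` is the tighter form. The `server {` block this hunk sits in continues past the end of the hunk.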
@@ -36,6 +42,11 @@ server {
 log_not_found off;
 access_log off;
 }
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
 {% if haproxy_ips is defined %}
 # We are behind haproxy
 {% for ip in haproxy_ips %}
@@ -128,6 +139,9 @@ server {
 log_not_found off;
 access_log off;
 }
+ location ~ /\. {
+ deny all;
+ }
 {% if haproxy_ips is defined %}
 # We are behind haproxy
 {% for ip in haproxy_ips %}
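Review bot: The two `location ~ /\. {` blocks added in the later server blocks differ from the one in the first hunk: neither carries the `(?!well-known)` exemption, and the second also drops `access_log off;` and `log_not_found off;`. If either of these server blocks is also expected to answer `/.well-known/acme-challenge/` requests (the hunks do not show whether the letsencrypt snippet is included there), a plain prefix `location /.well-known/...` in that snippet loses to this regex location unless it is declared with `^~`, and the challenge would get a 403. Rather than three hand-maintained copies, put the block once in a file under `/etc/nginx/snippets/` and `include` it from each server block, so the exemption and the logging settings cannot drift apart. The enclosing `server {` blocks start and end outside both hunks.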