
Rework Apache deny access outside p (#7008)

* Rework Apache deny access outside p
The deny rules introduced by
https://github.com/FreshRSS/FreshRSS/pull/6881
gave problems for API access.
See also
https://github.com/FreshRSS/FreshRSS/discussions/6879

* Fix scope of deny logic

* Fix scope of deny logic

* Allow .txt
For e.g. `robots.txt`
Alexandre Alapetite 1 год назад
Сommit
6970723aeb
3 измененных файлов с 14 добавлено и 9 удалено
  1. 7 2
      .htaccess.dist
  2. 0 7
      p/.htaccess
  3. 7 0
      p/themes/.htaccess

+ 7 - 2
.htaccess.dist

@@ -1,7 +1,12 @@
 # Copy this file to `.htaccess` for additional root-level protection
 # if you cannot set Apache `DocumentRoot` to `./p/` as recommended.
 
-# Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions
-<FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
+# Deny files starting with a dot or without extension or with specific extensions
+<FilesMatch "^\.|^[^.]+$|\.(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)$">
 	Require all denied
 </FilesMatch>
+
+# Deny some sub-folders, which may not be excluded by their own .htaccess
+<If "%{REQUEST_URI} =~ m#/(bin|data|node_modules|vendor|\..+)(/|$)#">
+	Require all denied
+</If>
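Review bot: The new `FilesMatch` in `.htaccess.dist` is a denylist where the removed rule was an allowlist, so any extension outside the listed ones is now served from the root when `DocumentRoot` is not `./p/`; the rule added in `p/themes/.htaccess` has the same fail-open shape. Both patterns are also matched case-sensitively, so on a case-insensitive filesystem a differently-cased extension would likely not match; a leading `(?i)`, as in `<FilesMatch "(?i)^\.|^[^.]+$|\.(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)$">`, covers that. I would record the trade-off next to the rule, e.g. `# Denylist (fails open): add every new non-public extension or folder here`, since the `<If>` block only names `bin`, `data`, `node_modules`, `vendor` and dot-folders, and whether the other top-level folders carry their own `.htaccess` is not visible in this diff. In the `<If>` pattern, `\..+` can span slashes, so every URI containing a segment that starts with a dot is denied, including `/.well-known/`; worth confirming that is intended.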

+ 0 - 7
p/.htaccess

@@ -1,10 +1,3 @@
-<IfModule mod_authz_core.c>
-	# Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions
-	<FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
-		Require all denied
-	</FilesMatch>
-</IfModule>
-
 <IfModule mod_dir.c>
 	DirectoryIndex	index.php index.html
 </IfModule>

+ 7 - 0
p/themes/.htaccess

@@ -1,3 +1,10 @@
+<IfModule mod_authz_core.c>
+	# Deny files without extension or with specific extensions
+	<FilesMatch "^[^.]+$|\.(json|md|scss|sh)$">
+		Require all denied
+	</FilesMatch>
+</IfModule>
+
 <IfModule mod_mime.c>
 	AddType font/woff .woff
 	AddType font/woff2 .woff2
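Review bot: The deny rule added to `p/themes/.htaccess` is wrapped in `<IfModule mod_authz_core.c>`, so on a server where that module is not loaded the whole block is skipped silently and nothing under `themes/` is denied. The unwrapped rule in `.htaccess.dist` would presumably produce a server error in the same situation, which fails closed instead. A comment such as `# Skipped entirely if mod_authz_core is not loaded (fails open)` would make this explicit, or the wrapper could be dropped to match `.htaccess.dist`. Since the same commit removes the broader rule from `p/.htaccess`, this is the only deny rule under `p/` visible in the diff, and it applies to `themes/` only; dot-files and extensionless files elsewhere under `p/` depend on configuration not shown here.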