server {
  listen 80 ;

  root /var/www/howto.disroot.lan;
  index index.html index.php;
  server_name howto.disroot.org;
  server_tokens off;
  add_header X-XSS-Protection "1; mode=block";


  location / {
    try_files $uri $uri/ /index.php?_url=$uri&$query_string;
  }

  location /favicon.ico {
    alias /var/www/howto.disroot.lan/favicon.png;
  }

  # deny all direct access for these folders
  location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }

  # deny running scripts inside core system folders
  location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }

  # deny running scripts inside user folder
  location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }

  # deny access to specific files in the root folder
  location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }

  location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
  }
}