Updated and Fixed error on updating Letsencrypt cert with NGINX's drupal template.

install/debian/7/templates/web/nginx/php5-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/7/templates/web/nginx/php5-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/8/templates/web/nginx/php5-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/debian/9/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/5/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/6/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/rhel/7/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/12.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/13.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/14.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/15.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.04/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal8.stpl

@@ -31,49 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/16.10/templates/web/nginx/php-fpm/drupal8.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$)|^/update.php {
-            fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/17.04/templates/web/nginx/php-fpm/drupal6.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
+    }    
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/17.04/templates/web/nginx/php-fpm/drupal6.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,49 +27,43 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
 
     location / {
         try_files $uri @rewrite;
-
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
     }
 
     location @rewrite {
-        # For Drupal 6 and bwlow:
-        # Some modules enforce no slash (/) at the end of the URL
-        # Else this rewrite block wouldn't be needed (GlobalRedirect)
         rewrite ^/(.*)$ /index.php?q=$1;
     }
+    
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }    
+
+    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
+        try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~ ^/sites/.*/files/imagecache/ {
         try_files $uri @rewrite;
     }
+        
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;             
+        include /etc/nginx/fastcgi_params;
+    }
 
     error_page  403 /error/404.html;
     error_page  404 /error/404.html;

install/ubuntu/17.04/templates/web/nginx/php-fpm/drupal7.stpl

@@ -31,48 +31,42 @@ server {
         return 403;
     }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
 
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-            return 403;
-        }
-
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
-
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+    
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;

install/ubuntu/17.04/templates/web/nginx/php-fpm/drupal7.tpl

@@ -18,7 +18,6 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
         allow 192.168.0.0/16;
         deny all;
@@ -28,48 +27,42 @@ server {
         return 403;
         }
 
-    # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
     }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
-    location ~ (^|/)\. {
-        return 403;
+    
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
     }
-
+    
     location / {
-        try_files $uri @rewrite;
+        try_files $uri /index.php?$query_string;
+    }
 
-        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
-            expires     max;
-        }
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }        
 
-        location ~ [^/]\.php(/|$) {
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            if (!-f $document_root$fastcgi_script_name) {
-                return  404;
-            }
-
-            fastcgi_pass    %backend_lsnr%;
-            fastcgi_index   index.php;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-            fastcgi_intercept_errors on;
-            include         /etc/nginx/fastcgi_params;
-        }
+    location ~ ^/sites/.*/files/styles/ {
+        try_files $uri @rewrite;
     }
 
-    location @rewrite {
-        # You have 2 options here
-        # For D7 and above:
-        # Clean URLs are handled in drupal_environment_initialize().
-        rewrite ^ /index.php;
+    location ~ ^(/[a-z\-]+)?/system/files/ {
+        try_files $uri /index.php?$query_string;
     }
 
-    location ~ ^/sites/.*/files/styles/ {
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
         try_files $uri @rewrite;
+        expires max;
+        log_not_found off;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass %backend_lsnr%;
+        include         /etc/nginx/fastcgi_params;
     }
 
     error_page  403 /error/404.html;