
How it works...

Based on a simple PHP-FPM structure, we make a few key changes specific to the Drupal environment. The first change is as follows:

location ~ (^|/)\. { 
    return 403; 
} 

This blocks any file or directory whose name begins with a dot; these are normally hidden and/or system files, and refusing to serve them prevents accidental information leakage. The next change is as follows:

location ~ /vendor/.*\.php$ { 
    deny all; 
    return 404; 
} 

Any PHP file within the vendor directory is also blocked, as these files shouldn't be called directly. Blocking them limits the opportunity to exploit any flaw that might be discovered in third-party code.

Lastly, Drupal 8 changed the way the PHP functions are called for updates, which causes any old configuration to break. The location directive for the PHP files looks like this:

location ~ \.php$|^/update.php { 

This is to allow the distinct pattern that Drupal uses, where the PHP filename could be midway through the URI.

We also modify how the URI is split for FastCGI, so that the script name and any trailing path information are always separated correctly:

fastcgi_split_path_info ^(.+?\.php)(|/.*)$; 
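
To check what these patterns actually match before deploying them, the following added example (not part of the original recipe) runs the page's regular expressions over constructed URIs. It assumes the locations are declared in the order shown above, that the first matching regex location wins, and that no prefix or exact-match location takes precedence; the function names are illustrative.

```python
import re

# Regex locations copied from the page, in page order (assumed config order).
LOCATIONS = [
    (r"(^|/)\.", "403 dotfile"),
    (r"/vendor/.*\.php$", "404 vendor"),
    (r"\.php$|^/update.php", "fastcgi"),
]
# fastcgi_split_path_info pattern from the page.
SPLIT = re.compile(r"^(.+?\.php)(|/.*)$")


def route(uri):
    """Return the action of the first regex location that matches the URI."""
    for pattern, action in LOCATIONS:
        if re.search(pattern, uri):  # "~" is case-sensitive and unanchored
            return action
    return "other"  # handled by a location the page does not show


def split_path_info(uri):
    """Return (script name, path info) as the two captures would set them."""
    m = SPLIT.match(uri)
    # Assumption: with no match, the whole URI is the script name.
    return (m.group(1), m.group(2)) if m else (uri, "")


# Constructed sample URIs, not taken from a real site.
SAMPLES = [
    "/.git/config",
    "/sites/default/.htaccess",
    "/.well-known/security.txt",
    "/vendor/symfony/console/Application.php",
    "/index.php",
    "/update.php/selection",
    "/core/authorize.php/foo",
    "/sites/default/files/report.pdf",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        action = route(uri)
        detail = split_path_info(uri) if action == "fastcgi" else ""
        print(f"{uri:45} {action:12} {detail}")
```

The run shows that the dot rule also covers `/.well-known/`, so anything that must be served from there needs its own location, and that only `/update.php` is passed to PHP when the filename sits midway through the URI.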