I have fiddled a bit more with the nginx.conf and now everything is working alright. So if I may, for posterity, here is a “works for me” nginx.conf:
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl;
server_name example.com www.example.com;
ssl on;
ssl_certificate /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
root /usr/local/www/example.com;
index index.html index.php;
# don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;
# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;
# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;
# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename) {
rewrite ^/(.+)/$ /$1 permanent;
}
# site links
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
location ~ \.php$ {
try_files $uri = 404;
fastcgi_pass unix:/var/run/php73-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}