After removing a whole deny block yesterday, we discovered that this might lead to open access to certain directories we missed in our previous investigation.
Therefore, we have added the following location to the global nginx configuration again:
location ~* "(?i)((.*typo3(conf)?)\/(|.*\/)((private|test|build)\/).*)" {
    deny all;
}
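
A regression check for the rule above, added here as an example and not part of the original notice: it approximates nginx's URI normalization (percent-decoding, merging slashes, resolving dot segments) and reports which request paths the regex denies. The sample paths and helper names are constructed, and other location blocks that could take precedence are not modeled.

```python
import posixpath
import re
from urllib.parse import unquote

# Pattern copied from the location block above. nginx treats a regex location
# as an unanchored match, so re.search() is the closest equivalent.
DENY = re.compile(r'(?i)((.*typo3(conf)?)\/(|.*\/)((private|test|build)\/).*)')


def normalize(uri):
    """Approximate the normalized URI that nginx matches locations against."""
    path = unquote(uri.split("?", 1)[0])      # drop query string, decode %XX
    path = re.sub(r"/{2,}", "/", path)        # merge_slashes (on by default)
    norm = posixpath.normpath(path)           # resolve "." and ".."
    if path.endswith("/") and norm != "/":    # normpath strips a trailing slash
        norm += "/"
    return norm


def is_denied(uri):
    return DENY.search(normalize(uri)) is not None


# Constructed sample requests: (uri, expected_denied)
CASES = [
    ("/typo3conf/ext/news/Resources/Private/Templates/List.html", True),
    ("/typo3/sysext/core/Build/phpunit.xml", True),
    ("/typo3conf/private/notes.txt", True),
    ("/TYPO3CONF/ext/x/test/a.php", True),                    # case-insensitive
    ("/typo3conf/ext/x/Resources/%50rivate/a.html", True),    # decoded first
    ("/typo3conf/ext/x//private//a.txt?v=1", True),           # slashes merged
    ("/typo3conf/ext/x/Private/../Public/a.css", False),      # ".." resolved
    ("/typo3conf/ext/news/Resources/Public/Css/a.css", False),
    ("/typo3conf/ext/x/Tests/Unit/a.php", False),    # segment must be exactly "test"
    ("/fileadmin/private/a.pdf", False),             # no typo3/typo3conf segment
]


def mismatches(cases=CASES):
    """Return the cases whose actual result differs from the expectation."""
    return [(u, e) for u, e in cases if is_denied(u) != e]


if __name__ == "__main__":
    for uri, _ in CASES:
        print("DENY " if is_denied(uri) else "allow", uri)
    print("mismatches:", mismatches())
```

Running it before and after a configuration change shows at a glance whether a path that should stay blocked has become reachable.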