We have removed the following location from our global nginx configuration:
location ~* "(^|/)(typo3(conf)?(/.*|)/(private|tests|build)|secure_[^/]+|(?!css_secure)[^/]*_secure|\.)/" {
    deny all;
}
The configuration was originally created for the TYPO3 extension secure_downloads, but was never documented. As we ran into some problems with other applications, and this setting was required for a very limited number of sites, we decided to remove it altogether. We talked to all affected customers already and applied custom configurations on every affected website.
As of now, please add corresponding deny rules within the local configuration if you want to protect a certain directory.
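
To see which paths on a site were covered by the removed rule and may now need a local deny rule, the pattern can be replayed against a list of URL paths. The Python script below is an added example, not part of the original announcement; it assumes the paths are already normalized the way nginx sees them (decoded, without query string), and the sample paths and the function name are constructed for illustration.

```python
import re

# Pattern copied from the removed global location block. nginx's "~*" modifier
# means case-insensitive matching, mirrored here with re.IGNORECASE.
REMOVED_RULE = re.compile(
    r"(^|/)(typo3(conf)?(/.*|)/(private|tests|build)|secure_[^/]+"
    r"|(?!css_secure)[^/]*_secure|\.)/",
    re.IGNORECASE,
)


def formerly_denied(paths):
    """Return the paths the removed rule would have answered with 403."""
    # nginx location regexes are unanchored, hence search() and not match().
    return [p for p in paths if REMOVED_RULE.search(p)]


# Constructed sample paths, not taken from any real site.
SAMPLE_PATHS = [
    "/typo3conf/ext/news/Resources/Private/Templates/List.html",
    "/typo3/sysext/core/Tests/Unit/SomeTest.php",
    "/fileadmin/secure_documents/report.pdf",
    "/uploads/tx_secure/file.zip",
    "/assets/css_secure/site.css",   # excluded by the (?!css_secure) lookahead
    "/shop/build/app.js",            # "build" only counts below a typo3 path
    "/index.php",
]

if __name__ == "__main__":
    for path in formerly_denied(SAMPLE_PATHS):
        print("no longer denied globally:", path)
```

Feeding it the request paths from an access log shows which directories lost protection, and also how broadly the old pattern matched outside TYPO3 (any directory named `secure_*` or `*_secure`).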