Docs
How to Deny Access to Locations and Directories
If you want to protect a directory from being accessed through the web, create a location and deny access to it:
# Deny access to domain.com/some/location/
location ~ /some/location {
deny all;
# Deny access to all .php files
location ~ \.php$ {
deny all;
}
}