@Glombersik and everybody reading this, there are security issues in the configuration above. I recently PR'd an update to the official instructions to block storage and vendor access.
Check http://flarum.org/docs/installation/#url-rewriting for the latest official nginx configuration example.
A quick TL;DR:
replace
location /flarum {
    deny all;
    return 404;
}
with
location ~* ^/(composer\.(json|lock)|config\.php|flarum|storage|vendor) {
    deny all;
    return 404;
}
This will block access to the storage and vendor folders, as well as composer and config files, just like the Apache htaccess has been doing for a long time.
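A way to check what the replacement changes, as an added example that is not part of the original post or of Flarum's documentation: a Python model of the two `location` rules above, run over constructed request paths. The `normalize` helper and the sample paths are assumptions made for illustration; the helper only approximates nginx's URI normalization.

```python
import posixpath
import re
from urllib.parse import unquote

# Regex copied from the post; nginx's "~*" modifier makes it case-insensitive.
NEW_RULE = re.compile(
    r"^/(composer\.(json|lock)|config\.php|flarum|storage|vendor)", re.I)
OLD_PREFIX = "/flarum"  # the prefix location the post says to replace


def normalize(target):
    """Approximate nginx URI normalization before location matching: drop
    the query string, decode %XX, merge slashes, resolve "." and ".."."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))


def denied_old(target):
    return normalize(target).startswith(OLD_PREFIX)


def denied_new(target):
    return NEW_RULE.match(normalize(target)) is not None


# Constructed request targets, not taken from any real access log.
SAMPLES = [
    "/composer.json", "/composer.lock", "/config.php",
    "/vendor/autoload.php", "/Storage/logs/app.log",
    "/assets/../vendor/autoload.php", "/%76endor/autoload.php",
    "/flarum/src/helpers.php",
    "/assets/forum.js", "/d/1-welcome", "/api/discussions?sort=vendor",
]


def newly_denied(targets):
    """Targets the old location let through but the new one answers with 404."""
    return [t for t in targets if denied_new(t) and not denied_old(t)]


if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t:34} old={'404' if denied_old(t) else 'pass':5} "
              f"new={'404' if denied_new(t) else 'pass'}")
```

The model covers only these two rules. nginx uses the first matching regex location in file order, so a regex location declared earlier in the same server block can still take a request first; confirm the result against the deployed configuration.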