diff --git a/conf/nginx.conf b/conf/nginx.conf
index f3b3194..b0516b8 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,8 +1,8 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location ^~ __PATH__/ {
+server __PATH__/{
 
-  # Path to source
-  alias __FINALPATH__/ ;
+    # Path to source
+    alias  __FINALPATH__/;
 
   # Force usage of https
   if ($scheme = http) {
@@ -12,25 +12,14 @@ location ^~ __PATH__/ {
   more_set_headers "Referrer-Policy; origin always";
   more_set_headers "X-Content-Type-Options: nosniff";
   more_set_headers "X-XSS-Protection: 1; mode=block";
+  
+    index index.php;
 
-  index index.php;
-
-  # Common parameter to increase upload size limit in conjunction with dedicated PHP-FPM file
-  client_max_body_size 100M;
-
-  try_files $uri $uri/ =404;
-
-  location ~ [^/]\.php(/|$) {
-    include snippets/fastcgi-php.conf;
-    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-    fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
-
-    #fastcgi_index index.php;
-    #include fastcgi_params;
-    #fastcgi_param REMOTE_USER $remote_user;
-    #fastcgi_param PATH_INFO $fastcgi_path_info;
-    #fastcgi_param SCRIPT_FILENAME $request_filename;
-  }
+    ## only allow accessing the following php files
+    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
+        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+        fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; #replace with the path to your PHP socket file
+    }
 
     ## deny access to all other .php files
     location ~* ^.+\.php$ {
@@ -38,20 +27,22 @@ location ^~ __PATH__/ {
         return 403;
     }
 
+    try_files $uri $uri/ =404;
+
     ## disable all access to the following directories
     location ~ ^__PATH__/(config|tmp|core|lang) {
         deny all;
-        return 404;
+        return 403; # replace with 404 to not show these directories exist
     }
 
-    location __PATH__/\.ht {
+    location ~ __PATH__/\.ht {
         deny  all;
         return 403;
     }
 
     location ~ js/container_.*_preview\.js$ {
         expires off;
-        more_set_headers "Cache-Control: private, no-cache, no-store";
+        add_header Cache-Control 'private, no-cache, no-store';
     }
 
     location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
@@ -59,20 +50,17 @@ location ^~ __PATH__/ {
         ## Cache images,CSS,JS and webfonts for an hour
         ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
         expires 1h;
-        more_set_headers "Cache-Control: public";
-        more_set_headers "Pragma: public";
+        add_header Pragma public;
+        add_header Cache-Control "public";
     }
 
-    location __PATH__/(libs|vendor|plugins|misc|node_modules) {
+    location ~ ^__PATH__/(libs|vendor|plugins|misc|node_modules) {
         deny all;
         return 403;
     }
 
     ## properly display textfiles in root directory
-    location __PATH__/(.*\.md|LEGALNOTICE|LICENSE) {
+    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
         default_type text/plain;
     }
-
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
 }