Improve precision and security of .htaccess and nginx configuration

- Block direct access to HTML and XML files in all modules, themes, etc.
- Block direct access to environment information in files/env/*
- Block direct access to dotfiles and other developer resources
- Block direct access to cache store
- Block PHP execution in upload directory (for additional protection)
- Ensure consitency between Apache and nginx rewrite rules
- Remove redundant rewrite rules

common/manual/server_config/rhymix-nginx.conf

@@ -1,12 +1,22 @@
-# conf, query, schema, skins, layouts, m.layouts
-rewrite ^/(modules|addons|widgets|(m\.)?layouts)/(.+)\.(html|xml)$ /index.php last;
+# block direct access to templates, XML schemas, config files, dotfiles, environment info, etc.
+location ~ ^/modules/editor/(skins|styles)/.+\.html$ {
+	# pass
+}
+location ~ ^/(addons|common|files/ruleset|(m\.)?layouts|modules|plugins|themes|widgets|widgetstyles)/.+\.(html|xml)$ {
+	return 403;
+}
+location ~ ^/files/(attach|config|cache/store)/.+\.php$ {
+	return 403;
+}
+location ~ ^/files/env/ {
+	return 403;
+}
+location ~ ^/(\.|codeception\.|composer\.|Gruntfile\.js|package\.json|CONTRIBUTING|COPYRIGHT|LICENSE|README) {
+	return 403;
+}
 
-# reserve setting files
-rewrite ^/files/config/(.+)\.php$ /index.php last;
-
-# static files
-rewrite ^/(.+)/files/(member_extra_info|attach|cache|faceOff)/(.*) /files/$2/$3 last;
-rewrite ^/(.+)/(files|modules|widgets|widgetstyles|layouts|m.layouts|addons)/(.*) /$2/$3 last;
+# fix incorrect relative URLs (for legacy support)
+rewrite ^/(.+)/(addons|files|layouts|m\.layouts|modules|widgets|widgetstyles)/(.*) /$2/$3 last;
 
 # rss, blogAPI
 rewrite ^/(rss|atom)$ /index.php?module=rss&act=$1 last;