Private file storage area settings in Drupal 9.3 ($settings['file_private_path'] =)

Question

I use Drupal 9.3 and I have created a private folder outside the root directory. I followed the documentation [link] and added the following line in my settings.php file in drupal:

$settings['file_private_path'] = '../private';

The private file exists outside of my web root directory as follows: /var/www/example.com/private with web root in/var/www/example.com/html.

I am using nginx and I want to make sure that I have properly secured the private file. To do so, I added this block:

location ^~ {
    internal;
    alias /var/www/example.com/private;
}

Is this correct and have I properly secured the private file/folder? The documentation mentions this: Note that non-Apache web servers may need additional configuration to secure private file directories.

My complete Nginx virtual host (i.e., configuration file) is below:

server {
    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html index.php;
    server_name example.com www.example.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt { log_not_found off; access_log off; allow all; }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
        }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
        try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
    location ^~ {
        internal;
        alias /var/www/example.com/private;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    listen [::]:80 ;

    server_name example.com www.example.com;
    return 404; # managed by Certbot


}

Answer 1

After thorough testing, I can confirm that in this situation it is not necessary to add a block to restrict access to the private file because the access has already been restricted and returned 404. In case you still want to add a block to restrict access to this private folder as described above, I tested the below and it worked. You can either use root or alias and both worked:

## Secure access to private files
    location ^~ /private {
#   alias /var/www/example.com; ## This option also works
    root /var/www/example.com;
    internal;
    }

This should be removed from the above block because it is incorrect and did not have any effect:

location ^~ {
        internal;
        alias /var/www/example.com/private;
    }