location ~ \..*/.*\.php$ {
    return 403;
}

I am interpreting this as: case-sensitive .[any character repeated 0 or more times]/[any character repeated 0 or more times].php

Examples:

.abc/abc.php

./.php

I don't understand why I need this for Drupal.

see: http://wiki.nginx.org/drupal

Chris Muench

2 Answers


You're right: case-sensitive matching of .anything/anything.php. I believe it's for security reasons. In case someone makes/uploads a malicious hidden file or dir (in *nix, a file/dir starting with a "." dot means a hidden file), it will return HTTP 403 (Forbidden).

chocripple

It's intended to block any requests for a .php file in a directory beginning with a dot. These files can appear in .svn directories, for example, where a clever hacker could manage to run an old version of a file. There are also circumstances where you might have a .drush directory within your docroot, which could also contain .php files you won't want run in the context of the web server.

It certainly won't hurt in the vast majority of cases to allow this rule to continue to be in place, and depending on what you have sitting around in your docroot, the gain in security might be substantial.

BMDan
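
As an added example (not part of the question or of either answer), the Python script below emulates how nginx evaluates this regex location, so you can see which request paths the rule refuses and which it lets through. nginx matches a `location ~` pattern, unanchored and case-sensitively, against the normalized request URI (query string dropped, percent-escapes decoded, repeated slashes and dot-segments collapsed); the `normalize_uri` function here is an approximation of that normalization written for this illustration, not nginx's own code, and the sample request paths are constructed.

```python
"""Emulate the nginx rule  location ~ \\..*/.*\\.php$ { return 403; }

Added example, not from the original question or answers. nginx matches a
regex location (unanchored, case-sensitive for `~`) against the normalized
URI, i.e. after the query string is removed, %XX escapes are decoded and
duplicate slashes and "."/".." segments are resolved. normalize_uri() below
approximates that step; it is not nginx's own implementation.
"""
import posixpath
import re
from urllib.parse import unquote

# Regex copied from the nginx config in the question. `~*` would be the
# case-insensitive form of the same location.
HIDDEN_DIR_PHP = r"\..*/.*\.php$"


def normalize_uri(raw_uri: str) -> str:
    """Approximate nginx URI normalization before location matching.

    Drops the query string, decodes percent-escapes, merges repeated
    slashes (nginx default merge_slashes on) and resolves dot-segments.
    Assumption for illustration only; nginx has its own parser.
    """
    path = raw_uri.split("?", 1)[0] or "/"
    path = unquote(path)
    path = posixpath.normpath(path)
    return re.sub(r"^/+", "/", path)  # normpath keeps a leading "//"


def is_blocked(uri: str, case_sensitive: bool = True) -> bool:
    """True if the rule would answer 403 for an already-normalized URI."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(HIDDEN_DIR_PHP, uri, flags) is not None


def audit(raw_uris):
    """Return (raw_uri, normalized_uri, blocked) for each request path."""
    rows = []
    for raw in raw_uris:
        norm = normalize_uri(raw)
        rows.append((raw, norm, is_blocked(norm)))
    return rows


# Constructed sample request paths (not taken from the original page).
SAMPLE_REQUESTS = [
    "/index.php",                                # normal front controller
    "/core/install.php",                         # normal .php, no dotted dir
    "/.svn/index.php",                           # old copy inside an .svn dir
    "/sites/default/.drush/hook.php",            # .drush dir inside the docroot
    "/%2esvn//index.php?foo=1",                  # encoded dot, doubled slash
    "/sites/default/files/image.jpg/shell.php",  # dot in an earlier segment
    "/.svn/index.PHP",                           # upper-case: `~` is case-sensitive
    "/update.php/extra",                         # .php is not at the end
]

if __name__ == "__main__":
    for raw, norm, blocked in audit(SAMPLE_REQUESTS):
        print(f"{raw:45} -> {norm:35} {'403' if blocked else 'pass'}")
```

Two things the emulation makes visible: because the pattern is `\.` followed by anything and then a slash, it fires on any path segment containing a dot that is later followed by a slash and a `.php`, so a PHP file under a directory named like `image.jpg/` is refused as well as one under `.svn/` or `.drush/`; and because `~` is case-sensitive, `/.svn/index.PHP` passes this rule and is only caught if the location is written with `~*`.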