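# Deny direct client access to files the public doesn't need.
# `internal` makes nginx answer external requests for these paths with 404
# while still allowing internal redirects to them.
#
# The previous rule combined `^~` with a parenthesised alternation. `^~` marks
# a literal prefix match, not a regular expression, so the pattern was compared
# as the literal string "/(app|config|...)/" and never matched a real request.
# Each path is therefore its own prefix location. `^~` additionally stops any
# regex location in the same server block from taking over these paths.
location ^~ /app/                { internal; }
location ^~ /config/             { internal; }
location ^~ /includes/           { internal; }
location ^~ /lib/                { internal; }
location ^~ /media/customer/     { internal; }
location ^~ /media/downloadable/ { internal; }
location ^~ /pkginfo/            { internal; }
location ^~ /shell/              { internal; }
location ^~ /var/                { internal; }

# report/config.xml is a file, not a directory, so it is matched exactly
# (the old pattern required a trailing slash after it).
location = /report/config.xml    { internal; }

# Restrict access to admins.
# This prefix is longer than /var/, so it wins for requests under /var/export.
# `^~` keeps regex locations (if the server block defines any, e.g. a PHP or
# static-asset handler) from claiming these requests and skipping the auth.
# Basic-auth credentials are only base64-encoded on the wire, so this location
# should be reachable over TLS only; autoindex exposes the full file listing
# to anyone who authenticates.
location ^~ /var/export {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    autoindex            on;
}

# Attempt to serve the request by trying direct file, directory, Magento controller
location / {
    try_files $uri $uri/ /index.php?$args;
    expires   max;
}

# The downloader has its own index.php that needs to be used.
# NOTE(review): $1 is the matched "/downloader" prefix, so the fallback is
# always /downloader/index.php/downloader; if the remainder of the path was
# meant to be passed on, that is $2 — confirm before changing.
# NOTE(review): this location is open to every client; consider limiting it
# to administrators (auth_basic or allow/deny), as is done for /var/export.
location ~* ^(/downloader)(.*) {
    try_files $uri $uri/ /downloader/index.php$1;
}

# REST API endpoint
location /api {
    rewrite ^/api/rest /api.php?type=rest last;
}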