Contao 3 nginx setup

contao.conf

# Prevent logging favicon.ico and robots.txt
location = /favicon.ico {
  log_not_found off;
  access_log off;
}
location = /robots.txt {
  allow all;
  log_not_found off;
  access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
  return 404;
}

# Prevent access to the Contao template files
location ~ \.(tpl|html5|xhtml)$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Allow access from all domains for webfonts
location ~ \.(ttf|ttc|otf|eot|woff|font.css)$ {
  add_header Access-Control-Allow-Origin *;
}

# Expires headers (for better cache control)
location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
  expires max;
  log_not_found off;
}

# Do not cache the cron.txt file
location = /cron/cron.txt {
  allow all;
  access_log off;
  add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform";
}

# Prevent access to /system
location /system/ {
  deny all;
}

# Prevent access to /composer
location /composer/ {
  deny all;
}

# Prevent access to /templates
location /templates/ {
  deny all;
}

# Allow access to assets in /system or /composer
# Hint: this is an optimistic approach!
location ~* ^/(system|composer)/.*\.(js|css|htc|png|gif|jpe?g|ico|swf|flv|mp4|webm|ogv|mp3|ogg|oga|eot|otf|tt[cf]|woff|svg|svgz)$ {
  allow all;
  access_log off;
  log_not_found off;
}

# Remove /index.php/ from url
location /index.php/ {
  rewrite ^/index.php(/.*) $scheme://$server_name$1? permanent;
}

# Finally, deliver file or bypass to index.php
location / {
  index index.php index.html;
  try_files $uri $uri/ /index.php?$args;
  rewrite "^/[a-z]{2}/$" /index.php last;
  rewrite "^/([a-z]{2})$" /$1/ redirect;
}