xtmpl | Xml template library for OCaml

I have a site in Drupal 7. On running security scan on the site, I came across threat saying "A known sensitive file was found to be published within a publicly accessible web directory. Depending on the file it could could disclose sensitive data such as user credentials and configuration data." For example I am able to access /sites/all/libraries/colorbox/package.json I need to block users from accessing similar files from urls. I have below code in my .htaccess file but it doesn't work for blocking json file access:

ENV: nginx + php-fpm

I have installed OC 2.1

When I use SEO URLs around website there is no problems.
example.com/news - [OK, 200]
example.com/de/news - [OK, 200]

But sometimes I don't have SEO URLs
example.com/index.php?route=information/testimonials&testimonial_id=6 - [OK, 200]
example.com/en/index.php?route=information/testimonials&testimonial_id=6 - [ERROR, 404]

NGINX:

With the code I can search for data without problem. But let´s say I know the "name" of a Virtual Machine, but don´t want to search for it manually, but don´t know it´s "uuid".. would it be possible that the code goes (loops?) through the whole json file (it´s deeply nested), finds that "name" and returns the "uuid"? Somewhat like this if "name" == "DEV Ubuntu 18": print("uuid") I know it´s not that simple, like above, but it serves only as explanation what I want to achieve.

I am using Php 7.3 on Debian 10. It functions well with various clients installed (Drupal, etc.).

However, with a simple file in a directory such as /var/www/some_directory/index.php, the file fails to execute and displays the PHP code (some_directory is not */public_html).

When I simply use the command line:

Context : I'm working on a Drupal 8 project and want to add new modules.

Problem: when I try to install new module through the web interface (logged as admin user), I get the error message:

Access denied, You are not authorized to access this page.

The problem I have is exactly the same as this problem. However, there are no clear solutions. I tried to play with allow_authorize_operations parameters in setting.php file, .htaccess file and files permissions without success.

After reading this similar issue, I suspect the problem is about the .htaccess or the site.conf file. I'm not confortable with these 2 files and suspect I'm missing something:

Edit: I founded this interesting discussion. They highlight in comment #35 also a similar issue. The problems might come from the fact that the index.php belongs to the web folder. To clean the URL, I apply the following in root directory:

.htaccess