fix nginx configuration to protect against CVE-2019-11043.

changes are pulled from nextcloud blogpost covering the issue.
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

should also pull and build a new web container.

web/nginx.conf

@@ -94,7 +94,7 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$request_uri;
+            rewrite ^ /index.php;
         }
 
         location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@@ -104,14 +104,16 @@ http {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-            # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+            fastcgi_param SCRIPTFILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATHINFO $fastcgi_path_info;
+            fastcgi_param HTTPS on;
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;