This is another reason why it was a good idea to have my big application consist of only one public file which can easily be whitelisted. Everything else lives outside the web root and is never directly executed.

    location ~ ^/index\.php {
        proxy_pass   http://localhost:8080;
    }

Everything else in the web root is static files and can be served directly. The rest of the application uses an URL routing scheme based on PATH_INFO