How can I return 404 when a user tries to manually browse to any ".php" extension on my site?

I use PHP. I like to hide that I do. I used to have all of my PHP inside .html files, but frankly it's annoying having to reconfigure every editor/tool I use that .html actually means a PHP file.

So I've moved them all to .php, like a grown-up.

The extensions are hidden via try_files anyway - I didn't know about that when I was first setting out.

But a user can guess www.domain.com/index.php, and given that it loads fine, they'll know the site is built using PHP.

A minor issue, but one I'd like to quash. But how?

I naively tried this, near the top of my server block:

location ~ (\.php$) {
    return 404;
}

But that 404'd everything on the site. I guess because the location matches on the actual script that gets run, as opposed to what's in the user's address bar?

I then commented out the 404 line which had the LOVELY (/s) effect of sending my backend code to visitors as a download, along with their 404 page. I think because you can only match one location block, so it was matching, but then doing nothing with it, and just serving the code up?

Eurgh.

Before that I had tried

if( $request_uri ~ '\.php$' ) { return 404 ; }

In my server block. But that didn't seem to have any effect.

Given the disaster I created, I've decided to ask the experts...

Thank you!

Don't. There's a few ways to solve this:

1. Give up. Let people do what you want to avoid. The downside is negligible; any attacker worth their salt won't be defeated by what you do.
2. Use a URL rewrite to rewrite URLs so what people see in the browser doesn't correspond to the filename. Keep your files as foo.php, but rewrite URL to example.com/foo.html.

For #2, something like

rewrite ^(.*)\.html$ $1.php last;

should probably work.