diff --git a/roles/php_website/templates/nginx_site.j2 b/roles/php_website/templates/nginx_site.j2
index 543f5ce09396f483d3989083368e1cb4c57df88c..f43a06a54841456e4b397966b61170278f6f3fca 100644
--- a/roles/php_website/templates/nginx_site.j2
+++ b/roles/php_website/templates/nginx_site.j2
@@ -1,42 +1,41 @@
 server {
+    # Base settings.
     listen 80;
-
     root {{ home }}/htdocs/;
-
-    index index.php;
-
+    index {{ index }};
     server_name {{ fqdn }};
 
-    # Site rewrites.
+    # Generic URL rewrites.
     {% for rewrite in rewrites -%}
     rewrite {{ rewrite }};
     {% endfor %}
 
-    # Interpret PHP files via FastCGI.
-    location ~ \.php($|/) {
-        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php5-fpm/{{ fqdn }}.sock;
-    }
-
-    # Deny access to all hidden files (this will prevent access to
-    # .htaccess too).
-    location ~ /\. {
-        deny all;
-    }
-
-    {% for regex in deny_files_regex -%}
+    {% if deny_files_regex -%}
     # Deny access to user-specified files.
+    {% for regex in deny_files_regex -%}
     location ~ {{ regex }} {
         deny all;
     }
     {% endfor %}
+    {% endif %}
+
+    # Interpret PHP files via FastCGI.
+    location ~ {{ php_file_regex }} {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php5-fpm/{{ fqdn }}.sock;
+    }
 
-    {% if php_rewrite_url -%}
-    # Serve the remaining files directly or rewrite request for PHP processing
-    # (clean URLs).
+    # Serve the files.
     location ~ /(.*) {
-        set $suburi $1;
-	try_files $uri $uri/ {{ php_rewrite_url }};
+	try_files $uri $uri/{% if php_rewrite_urls %}@php_rewrite{% endif %};
+    }
+
+    {% if php_rewrite_urls -%}
+    # Apply URL rewrites.
+    location @php_rewrite {
+        {% for rewrite in php_rewrite_urls -%}
+        rewrite {{ rewrite }};
+        {% endfor %}
     }
     {% endif %}