Hi thanks for that

your suggestion:
-----------------
So you say that /shop/index.php doesn't land to /shop/ location? Then
ensure that you don't have location /shop/index.php , otherwise see
debug log
-------------------

I do want access to /shop/ as well as /shop/index.php - but only to a select ip-range or password

my directive works for /shop/

but if someone types in /shop/index.php they will see the index.php page since the directive for php files overwrites the shop subfolder directive.

They see the php file but the html, js, css, img resources does not load because those do still obey my "location /shop/" directive

I guess I have to either

1. declare as: "location /shop/ ~ \.php$"

or

2. inside the location "/shop/" directive have a clause to force php not to obey the above "location ~ \.php$" directive