In the map flip the 1 and 0 around, if $allowonly=1 then the IF is true (unless that's what you want).
General rule for IF's; only use it to return a state.
if ..... return ....
continue with complex configuration items.
Don't do: 'if ..... do complex things ....' (unless proceeded with Lua finishing with an nginx if....return)
If you want to expand the logic what is ok and what not, have a look at my conf\nginx-simple-WAF.conf
where 3 maps are combined into 1 result map.
In your case you could use 2 mappings, 1 for normal requests and 1 for passed-on php requests.
---
nginx for Windows http://nginx-win.ecsds.eu/