NginX: Restrict access to sensitive directories

Discussed in #21 
- NginX does not respect `.htaccess`
- Solution (until we move sensitive directories from webroot) is to use nginx config to prevent access
- Directory paths are specific to CMS (eg sites/_/files/civicrm/_ versus wp-content/something)
- But since the risk of collision is low and AMP is targeted at local use, IMO it's OK to block the lot.
