Is storing files under a web server root unsafe if it is handled by PHP and blocked by the web server site configuration file?
You handle the upload with POST requests to a PHP script which checks the file extension and renames the file
You should check the MIME type. PHP has the mime_content_type function for that. Even if it's possible to fool the MIME header and have some code in the metadata of the file, this raises the bar for exploiting your system.
If I understand correctly, the files cannot be accessed/executed by any means.
Not really. They cannot be executed directly by the shell. Nothing stops an attacker from uploading a script named script.mp4 and somehow executing bash the-new-name.mp4 later.
Or using a local file inclusion (LFI) vulnerability to include videos/the-new-name.mp4 and run code in the ID3 description field. You could remove metadata from the files, so even if an attacker sends a video with a shell embedded in metadata and includes it by exploiting an LFI, it cannot execute.
Your Nginx settings are good.
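
The checks discussed in this answer (content-based MIME type, extension, rename, metadata removal) combined in one upload handler, as an added example that is not code from the question or the answer. The function name store_upload, the allow-list and the use of an ffmpeg binary on the server's PATH are assumptions.

```php
<?php
declare(strict_types=1);

// Content-sniffed MIME type => extension the server assigns (assumed allow-list).
const ALLOWED_TYPES = ['video/mp4' => 'mp4', 'video/webm' => 'webm'];

/**
 * Validate one $_FILES entry and store it in $storageDir under a
 * server-generated name with metadata dropped. Returns the stored name.
 * (Hypothetical helper written for this example.)
 */
function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Sniff the type from the bytes; $file['type'] is client-supplied.
    $mime = mime_content_type($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Rejected content type');
    }
    // The extension the client sent must agree with the detected type.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if ($ext !== ALLOWED_TYPES[$mime]) {
        throw new RuntimeException('Extension does not match content');
    }
    // Server-chosen name: no client-supplied string reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;

    // Remux with ffmpeg: streams are copied, automatic metadata copy is off,
    // so tag fields from the upload are not carried into the stored file.
    $cmd = sprintf(
        'ffmpeg -nostdin -loglevel error -i %s -map_metadata -1 -c copy %s',
        escapeshellarg($file['tmp_name']),
        escapeshellarg($dest)
    );
    exec($cmd, $output, $status);
    if ($status !== 0) {
        @unlink($dest); // do not keep a partial output
        throw new RuntimeException('Could not remux upload');
    }
    chmod($dest, 0640); // data file: no execute bit
    return $name;
}
```

The web server rule that blocks direct access to the storage directory still applies; this handler only reduces what a later include or execution of a stored file could run.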