Just realized that installing the nginx plugin and allowing access to the websites (on it) from the internet is a very high security risk!
If a hacker somewhere with their hacking practices uploads any malicios script, then can browse, list, modify, etc all r or rw files directories in OMV.
Can do this e.g. running a php file with scandir().
Recently applied a temporary solution with acl banning the www-data customer and group from all shares and disabled scandir and file_uploads in php.ini, but this isn't the best solution.
Still all directories wiht r or rw rigths can be accessed/modifid thru a simple php script.
Played with different security practices as enabling PHP-FPM's chroot variable, open_basedir, etc. but without success.
If someone knows the solution please let me know.