Your private images should stay private – not become part of an accidental "index of" page on the open web.
location ^~ /private-images internal; # Cannot be accessed directly. alias /data/secure-images; # Only accessible via X-Accel-Redirect from a PHP script. parent directory index of private images better