I’m running Drupal 8.4.3 on PHP 7.0.22 atop Ubuntu 16.04LTS, Nginx 1.10.3 and MySQL 5.7.20, using the OpenSocial distribution. Whenever I try to add an inline image into a basic page using CKeditor, I get broken image displayed. The image i’m trying to load appears in Chrome Dev Tools as being collected from


 <img alt="Angela Luker" data-entity-type="file" data-entity-uuid="f6af8f2e-3450-440d-a154-f45d4a552a7f" src="/system/files/inline-images/Angela-Luker-Then.JPG"


 but this file is appearing in my Linux filesystem (not the database) as:


 /var/www/html/private:/inline-images/Angela-Luker-Then.JPG


so i’m guessing I have an issue with my Nginx rewrites. I’ve based the Nginx config on the suggested Nginx settings for Drupal 8 – and several enhancements down the years suggested as work arounds, but still no joy. 


Public file base URL: http://www.software-enabled.eu/sites/default/files

Private file system path: /var/www/html/sites/default/files/private

Temporary Directory: /tmp


Both the above directories present, owned by www-data:www-data and chmod’d to 770. Default download method set to Public local files served by the webserver. 


Is there a rewrite in the Apache versions for Drupal 8 that i’m missing in my Nginx setup?

`server { listen 80; listen 443 ssl http2;  server_name software-enabled.eu www.software-enabled.eu 138.68.143.231;  root /var/www/html;  # Redirect to https if user has come in on http  # if ( $  scheme = "http") { #    return 301 https://$  server_name$  request_uri; # }  # Add index.php to the list if you are using PHP  index index.php index.html index.htm index.nginx-debian.html;  location = /favicon.ico {     log_not_found off;     access_log off; }  location = /robots.txt {     allow all;     log_not_found off;     access_log off; }  # Very rarely should these ever be accessed outside of your lan location ~* \.(txt|log)$   {     allow 192.168.0.0/16;     deny all; }  location ~ \..*/.*\.php$   {     return 403; }  #    location ~ ^/sites/.*/private/ { #        return 403; #    }  # Allow "Well-Known URIs" as per RFC 5785 location ~* ^/.well-known/ {     allow all; }  # Block access to "hidden" files and directories whose names begin with a # period. This includes directories used by version control systems such # as Subversion or Git to store control files. location ~ (^|/)\. {     return 403; }  location / { root /var/www/html; index index.php; error_page 404 = @drupal; # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. # try_files $  uri /index.php?query_string; # For Drupal >= 7 }  location @drupal { rewrite ^(.*)$   /index.php?q=$  1; }  # Don't allow direct access to PHP files in the vendor directory. location ~ /vendor/.*\.php$   {     deny all;     return 404; }  # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # # In Drupal 8, we must also match new paths where the '.php' appears in # the middle, such as update.php/selection. The rule we use is strict, # and only allows this pattern with the update.php front controller. # This allows legacy path aliases in the form of # blog/index.php/legacy-path to continue to route to Drupal nodes. If # you do not have any paths like that, then you might prefer to use a # laxer rule, such as: #   location ~ \.php(/|$  ) { # The laxer rule will continue to work if Drupal uses this new URL # pattern with front controllers other than update.php in a future # release. (Note: $   removed as .php extension may not be at end of # URL in Drupal 8.  location ~ '\.php|^/update.php' { include snippets/fastcgi-php.conf; # #   # With php7.0-cgi alone: #   fastcgi_pass 127.0.0.1:9000; #   # With php7.0-fpm:  fastcgi_split_path_info ^(.+?\.php)(|/.*)$  ;  # Security note: If you're running a version of PHP older than the # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini. # See http://serverfault.com/q/627903/94922 for details.  include fastcgi_params;   # Block httpoxy attacks. See https://httpoxy.org/.  fastcgi_param HTTP_PROXY ""; fastcgi_param SCRIPT_FILENAME $  document_root$  fastcgi_script_name; fastcgi_param PATH_INFO $  fastcgi_path_info; fastcgi_param QUERY_STRING $  query_string; fastcgi_intercept_errors on;  # PHP 5 socket location.     #fastcgi_pass unix:/var/run/php5-fpm.sock;  # PHP 7 socket location. fastcgi_pass unix:/run/php/php7.0-fpm.sock; }  # Fighting with Styles? This little gem is amazing. # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6  location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7     try_files $  uri @rewrite; }  # Handle private files through Drupal. Private file's path can come # with a language prefix.  location ~ ^/sites/default/files/private/ { rewrite ^/sites/default/files/private/(.*) /system/files/$  1 last; }    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7     try_files $  uri /index.php?$  query_string; }  location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$   {     try_files $  uri @rewrite;     expires max;     log_not_found off; }  # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # location ~ /\.ht { deny all; }  ssl_certificate /etc/letsencrypt/live/software-enabled.eu/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/software-enabled.eu/privkey.pem; # managed by Certbot  }`