However, if you only see a blank page with "Access denied" on it, it doesn't have to do with the default 403 Forbidden error, nginx or file permissions.
The reason for this error is the security.limit_extensions directive that has been added to php-fpm and limits the extensions that can be parsed by PHP. If it is not specified in your php-fpm configuration file, it defaults to .php and prevents all other extensions from being parsed. This produces an "Access denied" page.
So, if you are using PHP with HTML or other file types, make sure you add them to security.limit_extensions in your php-fpm configuration. For PHP and HTML, it will be security.limit_extensions = .php .html