Preventing nginx from serving files that start with a period or tilde will help.
    # prevent hidden files from being served and logged
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    # prevent tilde files from being served and logged
    location ~ ~$ {
        access_log off;
        log_not_found off;
        deny all;
    }
This is a bit of a hack, since you don't really know what the "backup" file will look like. It might end with a tilde, but it might end with .bkp. It's impossible to iterate through all the possibilities, just like it's impossible to separate them from valid files.
A much cleaner solution would be to separate "callable" entry-point files (like index.php) from "library" files into separate directories and point nginx/Apache only to the directory with callable files.
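One way to lay this out in nginx, as an added example that is not part of the original post; the paths under /srv/app, the server name and the PHP-FPM socket path are assumptions:

```nginx
# Added example. Assumed layout (all paths are hypothetical):
#   /srv/app/public/index.php   only callable entry point
#   /srv/app/lib/               library code, outside the document root
#   /srv/app/config/            configuration, outside the document root
server {
    listen 80;
    server_name example.test;           # placeholder name

    # Only the directory with callable files is mapped to URLs.
    # Nothing under lib/ or config/ has a URL, so a stray backup
    # there (foo.php~, foo.php.bkp, ...) cannot be requested at all.
    root /srv/app/public;
    index index.php;

    # Serve static files if they exist, otherwise hand the request
    # to the front controller.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # Execute exactly one script, named explicitly rather than
    # derived from the request URI.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Any other .php request is refused instead of being executed.
    location ~ \.php$ {
        return 404;
    }
}
```

A backup of index.php left inside public/ would still be served as a static file by `location /`, so the entry point should stay a thin bootstrap that only loads code from lib/.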