Wow ... after poking and probing a little remotely (OP shared true URL to site) ... I'd say someone is 'extremely paranoid' about access to the server, let alone Moodle.
Additional security check is required
Why am I seeing this page?
The website you are visiting is protected and accelerated by Incapsula. Your computer may have been infected by malware and therefore flagged by the Incapsula network. Incapsula displays this page for you to verify that an actual human is the source of the traffic to this site, and not malicious software.
What should I do?
Just click the I'm not a robot checkbox to pass the security check. Incapsula will remember you and will not show this page again. We recommend you run a virus and malware scan on your computer to remove any infection.
After passing 'I am not a robot' ... am able to get your redirect error ...
The .htaccess was empty and I wrote this
Moodle code doesn't come with an htaccess file. Yours does have a redirect.
Suggest renaming to htaccess.txt
mv .htaccess htaccess.txt
and let's remove that htaccess issue. Redirects might already be in place with main nginx config to force any traffic to https:// (port 443).
< X-Powered-By: PHP/7.2.11
Server: nginx/1.12.1
Accessing https://yoursite/yourmoodledir/local/, one can see a directory listing of contents and the 2 readmes in there.
Check your nginx server access logs and you should see my 'robot passed' IP address and OS/Browser.
If I access https://yoursite/yourmoodle/xxx, the server does kick out a 404 ... not found page ... valid.
At this point, think you need to have a talk with, and assistance from, your server/network techs. Your Moodle 3.6 isn't that insecure:
Bug fixes for general core bugs in 3.6.x ended 11 November 2019 (12 months).
Bug fixes for security issues in 3.6.x will end 11 May 2020 (18 months).
It ain't May yet!
'SoS', Ken