Node-red nginx set up issue

I am using node-red and have it set up where abc.domain sends to you to a login page where you authenticate then redirects you to /ui using the node-red-contrib-users where I have the base url path set to /. That works fine. However I found a hole in the security. If you go to abc.domain/ui you bypass the login and go straight into the ui. I experimented with nginx sub-filters and was only able to lock out all requests to /ui. My settings.js are:

httpAdminRoot: 'admin',

ui: { path: "/ui" },

Here is Nginx code:

#proxy for node-red @ port :1880
server {

        server_name abc.domain;

        location = /robots.txt {
                add_header  Content-Type  text/plain;
                return 200 "User-agent: *\nDisallow: /\n";
        }


        location / {
                #subfilter
                sub_filter_types  text/css text/javascript;
                sub_filter  ui /;
                sub_filter_once on;

                proxy_pass http://127.0.0.1:1880;

                #Defines the HTTP protocol version for proxying
                #by default it it set to 1.0.
                #For Websockets and keepalive connections you need to use the version 1.1
                proxy_http_version  1.1;

                #Sets conditions under which the response will not be taken from a cache.
                proxy_cache_bypass  $http_upgrade;

                #These header fields are required if your application is using Websockets
                proxy_set_header Upgrade $http_upgrade;

                #These header fields are required if your application is using Websockets
                proxy_set_header Connection "upgrade";

                #The $host variable in the following order of precedence contains:
                #hostname from the request line, or hostname from the Host request header field
                #or the server name matching a request.
                proxy_set_header Host $host;

                #Forwards the real visitor remote IP address to the proxied server
                proxy_set_header X-Real-IP $remote_addr;

                #A list containing the IP addresses of every server the client has been proxied through
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #When used inside an HTTPS server block, each HTTP response from the proxied server is rewritten to HTTPS.
                proxy_set_header X-Forwarded-Proto $scheme;

                #Defines the original host requested by the client.
                proxy_set_header X-Forwarded-Host $host;

                #Defines the original port requested by the client.
                proxy_set_header X-Forwarded-Port $server_port;

                #Defines sub_filter to accept compressed response.
                proxy_set_header Accept-Encoding "";

           }


}

The problem is I can filter out the /ui but then then the redirect from node-red--contrib-users is blocked as well.
Mick