diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 0fa3da94c..702efb2c5 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -162,9 +162,9 @@ server {
 <% if (proxyAuth.enabled) { %>
     proxy_set_header X-App-ID "<%= proxyAuth.id %>";
 
-    location = /auth {
+    location = /proxy-auth {
         internal;
-        proxy_pass http://127.0.0.1:3001;
+        proxy_pass http://127.0.0.1:3001/auth;
         proxy_pass_request_body off;
         proxy_set_header Content-Length "";
     }
@@ -173,7 +173,9 @@ server {
         proxy_pass http://127.0.0.1:3001;
     }
 
-    error_page 401 403 /login;
+    location @proxy-auth-login {
+        return 302 /login?redirect=$request_uri;
+    }
 <% } %>
 
     location / {
@@ -235,9 +237,10 @@ server {
         }
 <% } else if ( endpoint === 'app' ) { %>
     <% if (proxyAuth.enabled) { %>
-        auth_request /auth;
+        auth_request /proxy-auth;
         auth_request_set $auth_cookie $upstream_http_set_cookie;
         add_header Set-Cookie $auth_cookie;
+        error_page 401 = @proxy-auth-login;
     <% } %>
 
         proxy_pass http://127.0.0.1:<%= port %>;
diff --git a/src/proxyauth.js b/src/proxyauth.js
index 3eda6f9ec..fff273eb8 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -45,7 +45,7 @@ function jwtVerify(req, res, next) {
 }
 
 function loginPage(req, res) {
-    return res.sendfile(path.join(paths.DASHBOARD_DIR, 'proxyauth-login.html'));
+    return res.sendFile(path.join(paths.DASHBOARD_DIR, 'proxyauth-login.html'));
 }
 
 // called by nginx to authorize any protected route
@@ -128,7 +128,7 @@ function initializeAuthwallExpressSync() {
         .use(router)
         .use(middleware.lastMile());
 
-    router.get ('/',          (req, res) => { res.redirect('/login'); });
+    router.get ('/',          (req, res) => { res.redirect('/login'); }); // this can never happen
     router.get ('/login',     loginPage);
     router.get ('/auth',      auth);
     router.post('/login',     login);