diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index e75b6a584..994a1a3e7 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -238,11 +238,18 @@ server {
             index  index.html index.htm;
         }
 <% } else if ( endpoint === 'app' ) { %>
+    location = /appstatus.html {
+    }
+
     <% if (proxyAuth.enabled) { %>
+    location "<%= proxyAuth.path %>" {
         auth_request /proxy-auth;
         auth_request_set $auth_cookie $upstream_http_set_cookie;
         add_header Set-Cookie $auth_cookie;
         error_page 401 = @proxy-auth-login;
+
+        proxy_pass http://<%= ip %>:<%= port %>;
+    }
     <% } %>
 
     <% Object.keys(httpPaths).forEach(function (path) { -%>
@@ -251,9 +258,6 @@ server {
         }
     <% }); %>
 
-        location = /appstatus.html {
-        }
-
         proxy_pass http://<%= ip %>:<%= port %>;
 <% } else if ( endpoint === 'redirect' ) { %>
         # redirect everything to the app. this is temporary because there is no way
diff --git a/src/proxyauth.js b/src/proxyauth.js
index 17bd023ae..08aa24414 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -142,7 +142,7 @@ function authorize(req, res, next) {
 
 function logoutPage(req, res) {
     res.clearCookie('authToken');
-    res.redirect('/login');
+    res.redirect('/'); // do not redirect to '/login' as it may not be protected
 }
 
 function logout(req, res, next) {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index b716c8cb6..8950573a4 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -381,7 +381,7 @@ function writeDashboardNginxConfig(bundle, configFileName, vhost, callback) {
         certFilePath: bundle.certFilePath,
         keyFilePath: bundle.keyFilePath,
         robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
-        proxyAuth: { enabled: false, id: null }
+        proxyAuth: { enabled: false, id: null, path: '/' }
     };
     var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
     var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
@@ -460,7 +460,8 @@ function writeAppNginxConfig(app, bundle, callback) {
         hideHeaders,
         proxyAuth: {
             enabled: app.sso && app.manifest.addons && app.manifest.addons.proxyAuth,
-            id: app.id
+            id: app.id,
+            path: safe.query(app.manifest, 'addons.proxyAuth.path') || '/'
         },
         httpPaths: app.manifest.httpPaths || {}
     };
@@ -494,7 +495,7 @@ function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
         robotsTxtQuoted: null,
         cspQuoted: null,
         hideHeaders: [],
-        proxyAuth: { enabled: false, id: app.id }
+        proxyAuth: { enabled: false, id: app.id, path: '/' }
     };
     var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
 
@@ -682,7 +683,7 @@ function writeDefaultConfig(options, callback) {
         certFilePath,
         keyFilePath,
         robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
-        proxyAuth: { enabled: false, id: null }
+        proxyAuth: { enabled: false, id: null, path: '/' }
     };
     const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
     const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, constants.NGINX_DEFAULT_CONFIG_FILE_NAME);