Nginx (docker image, 1.17.2) requires basic authentication for a subpath, although my config says otherwise for https://example.org/subpath:
# /etc/nginx/conf.d/mysetup.conf
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
    listen 443 ssl;
    server_name example.org;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    access_log /var/logs/nginx/example.org.access.log;
    error_log /var/logs/nginx/example.org.error.log info;
    root /var/www/domains/example.org/stage_root/;
    location / {
        auth_basic "example.org server";
        auth_basic_user_file /var/htaccess/htaccess_example.org;
    }
    location /subpath {
        auth_basic off;
        root /var/www/domains/example.org/;
    }
}
Some Facts:
server directives) and an upstream plex.
docker-compose setup with its own network (nginx is the gate)
/var/www/domains/example.org/subpath/
auth_basic disables the auth request

What I've tried so far:
location / block up to the server block.
off with double-quotes (suggested, although not required in the docs)
location / block

IMHO this is a standard use case, hence I guess something small slipped my eye or I am missing some context knowledge.
Maybe nginx has a problem with a location block root that is higher than the global root? It serves the content though.

What I haven't tried, yet:
allow / deny, as it should work without

Possible duplicate question:
Specifically this question is quite similar. However it does not have the 'twist' with the different root dir and the answers haven't helped: 1st not working, 2nd seems to be quite a workaround.
The solution is to set the auth_basic_user_file directive within the server block and the auth_basic directive within the various location blocks.
I have only included the relevant configuration, for clarity. The document root and other mandatory settings are omitted on purpose.
server {
    auth_basic_user_file /path/to/auth.txt;
    location /other {
        auth_basic off;
    }
    location / {
        auth_basic "Restricted";
    }
}
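To check which request paths a layout like the one in the answer leaves unauthenticated, here is a small resolver, added as an example and not part of the original answer. It is a simplified model that assumes one server block and plain prefix locations only; `parse_server` and `effective_auth` are hypothetical names, and the sample config is constructed.

```python
import re

# Constructed sample in the shape of the answer's config (placeholder paths).
SAMPLE_CONF = """
server {
    auth_basic_user_file /path/to/auth.txt;
    location /other { auth_basic off; }
    location / { auth_basic "Restricted"; }
}
"""

def parse_server(conf):
    """One server block, plain prefix locations only (assumption: no regex,
    '=' or '^~' modifiers, nesting or include). Returns (server, locations)."""
    server, locations, current, stmt = {}, {}, None, []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', conf):
        if tok == "{":
            if stmt[:1] == ["location"]:
                current = locations.setdefault(stmt[1], {})
            stmt = []
        elif tok == "}":
            current = None          # back to server level
        elif tok == ";":
            if stmt:
                target = server if current is None else current
                target[stmt[0]] = " ".join(stmt[1:]).strip('"')
            stmt = []
        else:
            stmt.append(tok)
    return server, locations

def effective_auth(conf, uri):
    """Return (realm, user_file) applied to uri, or None if auth is off."""
    server, locations = parse_server(conf)
    # nginx selects the longest prefix location that the URI starts with.
    matches = [p for p in locations if uri.startswith(p)]
    loc = locations[max(matches, key=len)] if matches else {}
    # A directive set in the location overrides the value inherited from server.
    realm = loc.get("auth_basic", server.get("auth_basic", "off"))
    user_file = loc.get("auth_basic_user_file", server.get("auth_basic_user_file"))
    return None if realm == "off" else (realm, user_file)

if __name__ == "__main__":
    for uri in ("/", "/favicon.ico", "/other/page.html", "/other-admin"):
        print(uri, "->", effective_auth(SAMPLE_CONF, uri))
```

Because `location /other` is a plain prefix match, every URI beginning with `/other` is exempt from authentication, while anything else, including `/favicon.ico`, falls under `location /` and is protected.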