Does that mean we have to access Kibana server through a proxy once the server.basePath is set? I ask this question because I want to make sure there is no way that users can directly access kibana server except through the proxy server.
No. Your kibana server is still very much accessible around the proxy. You are just getting a 404 because there is noone in the middle to remove the base path that kibana is adding. If you took a request to a path like, say, kibana/plugins/vega/index.css, you could still access that asset by hitting something.com:5601/plugins/vega/index.css.
Security-wise, if you don't want users to access your kibana server directly, then you should block all traffic to that port (other than that going through the loopback interface) with a firewall.
- Just as you stated, at the very least this isn't something you can deal with through nginx since clients don't send the anchor part in the first place (web server - Nginx Redirect Rule with a anchor tag - Server Fault).