Trouble w/ nginx config for ES plugins using reverse proxy & ssl

Elastic Stack Elasticsearch
1

I am using reverse proxy w/ nginx in an ELK stack to access kibana dashboards over ssl. Works fine for kibana with following mostly "canned" config but I can't find the correct location block control to access a 2nd root directory path for ES plugins like HQ and BigDesk. All my.domain requests serve from
/var/www/html/kibana3 ... as for example https://my.domain/#/dashboard/elasticsearch/.... whether I enter my.domain or my.domain/HQ/_site/

I would like something like my.domain/HQ/_site/ to serve from /usr/share/elasticsearch/plugins/HQ/_site.

... or maybe a much cleaner way to do this?

Following is one of many attempted configs.

server 
  server_name my.domain;
  return 301 https://my.domain;
}

server {
  listen              *:443;

  ssl on;
  ssl_certificate     /etc/pki/tls/certs/localhost.crt;
  ssl_certificate_key /etc/pki/tls/private/localhost.key;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  server_name         my.domain;
  access_log          /var/log/nginx/kibana3.access.log;

  root  /var/www/html/kibana3;
  index  index.html  index.htm index.php;

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }

  location ~ ^/_aliases$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ ^/.*/_aliases$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ ^/_nodes$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ /HQ/_site/ {
    root /usr/share/elasticsearch/plugins;
    index  index.html
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ ^/.*/_search$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ ^/.*/_mapping {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  # Password protected end points
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://111.222.333.14:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://111.222.333.14:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://111.222.333.14:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
    }
  }
  location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME /var/www/html/kibana3$fastcgi_script_name;
  }