Using NGINX Reverse Proxy (Authentication and HTTPS)

Forget NGINX! Use Apache2 instead, if you want to change the path to e.g. https://myserver/openhab/basicui/app – after quite a few hours, I got it working with the following config file:

<Location "/openhab">
        Options SymLinksIfOwnerMatch

        AuthType Basic
        AuthName "openHAB"

        ## BEGIN LDAP
        AuthLDAPURL "ldap://localhost:389/ou=person,dc=codewizards,dc=co?cn?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=CENSORED,ou=CENSORED,ou=person,dc=codewizards,dc=co"
        AuthLDAPBindPassword "CENSORED"
        #AuthzLDAPAuthoritative on
        AuthBasicProvider ldap
        Require valid-user
        ## END LDAP

        RewriteEngine On
        RewriteRule "/openhab/openhab/(.*)" "/openhab/$1" [R,L]
        RewriteRule "/openhab/?(.*)" "http://localhost:10080/$1" [P,L]
#               LogLevel alert rewrite:trace8

## We cannot use ProxyPass, because this implicitly adds its own rewrite-rules *before* ours!
## Hence, we cannot redirect the browser from .../openhab/openhab/... to .../openhab/...!
#               ProxyPass http://localhost:10080
        ProxyPassReverse http://localhost:10080

        ProxyHTMLEnable On

## The ProxyHTMLExtended can be used to work on *embedded* JavaScript. It does not work
## on separate .js-files. Thus, I now use SUBSTITUTE instead -- which works on both separate
## and embedded. Thus, this ProxyHTML* is not needed, anymore.
#               ProxyHTMLExtended On
#               ProxyHTMLURLMap / /openhab/ [e]
#               ProxyHTMLURLMap /basicui /openhab/basicui
#               ProxyHTMLURLMap /openhab/basicui /openhab/basicui

## Seems the suppression of gzip is not needed. Found this hint in the web,
## before, but the problem was actually another one. Thus, commented the following line
## again.
## UPDATE: IT IS NEEDED! My smarthome.js was obviously cached, before.
        RequestHeader unset Accept-Encoding

        AddOutputFilterByType SUBSTITUTE text/html
        AddOutputFilterByType SUBSTITUTE text/css
        AddOutputFilterByType SUBSTITUTE application/javascript
        AddOutputFilterByType SUBSTITUTE application/json
        Substitute "s|/basicui/|/openhab/basicui/|n"
        Substitute "s|/rest/|/openhab/rest/|n"
        Substitute "s|'/rest'|'/openhab/rest'|n"
        Substitute "s|/paperui/|/openhab/paperui/|n"
        Substitute "s|/inbox/|/openhab/inbox/|n"
        Substitute "s|/icon/|/openhab/icon/|n"
        Substitute "s|http://|https://|n"
</Location>

This file is included in my default-ssl.conf:

<VirtualHost ... CENSORED ...>

... lots of other stuff ...

    Include /etc/apache2/openhab/openhab-ssl.conf
</VirtualHost>

Both basicui and paperui work fine this way. But no guarantee: Maybe there are still more Substitute rules needed. I didn’t test everything, yet.

I hope this helps everyone who wants to use openHAB behind a reverse-proxy (and with LDAP-authentication)!

Best regards, Marco :slight_smile:

P.S.: It seriously sucks that openHAB doesn’t allow configuring a path prefix! I have written quite a few programs in my life, already, and always when there were URLs involved, things like a prefix (or even more) were configurable. How can you even get the idea that this is an unnecessary feature?! And most importantly: If you really don’t want to configure it, why don’t you hard-code such a prefix (e.g. “openhab/”) – it would be far easier to remap an existing prefix than to deal with all these individual paths (like “basicui”, “paperui”, “rest” etc.).

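The Substitute rules in the post above are fixed-string (flag `n`) replacements, so they also hit URLs that already carry the `/openhab` prefix and leave any path without a rule untouched. The Python sketch below is an added example, not part of the post: it replays the same rules over a constructed response body and lists both cases. The line-by-line model of mod_substitute, the function names, the `/otherui/` path and `example.invalid` are assumptions made for illustration.

```python
import re

# Fixed-string rules copied from the Substitute lines in the post (flag "n").
RULES = [
    ("/basicui/", "/openhab/basicui/"),
    ("/rest/", "/openhab/rest/"),
    ("'/rest'", "'/openhab/rest'"),
    ("/paperui/", "/openhab/paperui/"),
    ("/inbox/", "/openhab/inbox/"),
    ("/icon/", "/openhab/icon/"),
    ("http://", "https://"),
]
PREFIX = "/openhab"

# Constructed sample body; /otherui/ and example.invalid are made up.
SAMPLE = """<link href="/basicui/app.css">
<a href="/openhab/basicui/app?sitemap=home">home</a>
<img src="/icon/light?state=ON">
<a href="/otherui/index">other</a>
var base = '/rest';
var url = "http://example.invalid/rest/items";
"""

# A quoted root-absolute path such as "/x/y" (not protocol-relative "//host").
ABS_PATH = re.compile(r"""["'](/[A-Za-z0-9_.-][^"'\s]*)""")


def apply_rules(body):
    """Assumed model of mod_substitute: every rule, in order, on each line."""
    lines = []
    for line in body.splitlines():
        for old, new in RULES:
            line = line.replace(old, new)
        lines.append(line)
    return "\n".join(lines)


def audit(body):
    """Return (paths still missing the prefix, paths prefixed twice)."""
    paths = ABS_PATH.findall(apply_rules(body))
    missing = [p for p in paths if p != PREFIX and not p.startswith(PREFIX + "/")]
    doubled = [p for p in paths if p.startswith(PREFIX * 2 + "/")]
    return missing, doubled


if __name__ == "__main__":
    missing, doubled = audit(SAMPLE)
    print("not rewritten:", missing)
    print("prefixed twice:", doubled)
```

The doubled path is the case the `/openhab/openhab/(.*)` redirect in the config catches; the missing one is a candidate for a further Substitute rule. The sample also shows the `/rest/` rule rewriting the path of an absolute URL to another host.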