On a second thought, I think I get what you mean by "internal" directive. It will blocks ALL external requests from browsers, thus my browser request to "/foo/bar/sth" is block immediately and 404 is returned, without doing any proxy_pass.
I may need to rethink my design here. Ideally, I want users who request "/foo/bar/sth" in their browsers get served by nginx with the file "/foo/bar/sth/sth.html", while letting the backend application server control the access to the file. I may need to rethink the design here. Thanks for the pointers.