Hi Francis -
That would have been my suspicion as well. To test that theory, I installed the same nginx 1.10.1 RPM file on a similar CentOS 6 virtual machine in my environment. This particular VM has never been used for any nginx testing, nor has it ever had nginx installed.
I tested the same server configuration as your example, but the testing VM produced the same results. The satisfy/allow/deny directives allow bypassing of the basic_auth. Once those entries have been commented out, auth works as expected.
Would there be additional steps involved in determining if this is, in fact, a bug?
Thank you for your help.