I have functions in my static HTML website on NodeJS in a 'functions' directory. These functions hit end-points like 'login' and get '/user' info with XMLHttpRequest.
I don't like the idea of exposing my end-points to end-users. Is it possible to put my 'functions' directory outside of my static html directory, like:
if ($request_uri ~ .*.functions.*)
The answer to your question is: No, it's not possible.
If you host your "functions" script outside of your static directory then no one will be able to access it. If you put it somewhere where it can be accessed, then users will also be able to read it.
Even if people couldn't see the code itself, they would always be able to see the network traffic in their browser's developer tools where they can see all of the endpoints, parameters and data sent and received.
What you can do, though, is make sure that everyone can only do what you want them to do with those endpoints. So your endpoints should always check who is doing a request by using e.g. an authentication token and enforcing the rules of who can do what. That way people will be able to access your endpoints, but they will be able to do only the things that they can do with your frontend anyway.
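The server-side check described in the answer above, as an added example that is not part of the original answer: every request is authenticated with a signed token and then authorized against the caller's role. The `/user/<name>` route, the HMAC token format, the user table and all function names are assumptions made for illustration.

```javascript
// Added example, not from the original post; routes, token format and
// the user table are assumptions made for illustration.
const nodeCrypto = require("crypto");
const SECRET = nodeCrypto.randomBytes(32); // stays on the server, never sent to the browser
const USERS = new Map([ // constructed sample data
  ["alice", { role: "user", email: "alice@example.test" }],
  ["bob", { role: "admin", email: "bob@example.test" }],
]);

const sign = (data) =>
  nodeCrypto.createHmac("sha256", SECRET).update(data).digest("base64url");

// Token = base64url(JSON payload) + "." + HMAC-SHA256 over that payload.
function issueToken(username, ttlSeconds = 900) {
  const claims = { sub: username, exp: Date.now() + ttlSeconds * 1000 };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the username when the token is authentic and unexpired, else null.
function verifyToken(token) {
  const [payload, mac] = String(token || "").split(".");
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    const { sub, exp } = JSON.parse(Buffer.from(payload, "base64url").toString());
    return exp > Date.now() && USERS.has(sub) ? sub : null;
  } catch {
    return null;
  }
}

// Knowing the URL grants nothing: each request is authenticated, then authorized.
function handleRequest(method, path, headers = {}) {
  const auth = headers.authorization || "";
  const caller = auth.startsWith("Bearer ") ? verifyToken(auth.slice(7)) : null;
  if (!caller) return { status: 401, body: { error: "authentication required" } };
  const match = method === "GET" && path.match(/^\/user\/([a-z]+)$/);
  if (!match) return { status: 404, body: { error: "not found" } };
  const target = match[1];
  // Users may read only their own record; admins may read any record.
  if (target !== caller && USERS.get(caller).role !== "admin")
    return { status: 403, body: { error: "forbidden" } };
  if (!USERS.has(target)) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { username: target, email: USERS.get(target).email } };
}
```

In a real deployment `handleRequest` would sit behind the HTTP server's request callback, and the token would be issued by the login endpoint after the password check.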