You’re not forwarding any information about whether this request was an HTTPS-terminated request or not. Normally, in a server, the “ssl on;” directive will set these headers, but you’re using a combined block.
Rack (and force_ssl) determines SSL by:
- If the request came in on port 443 (this is likely not being passed back to Unicorn from nginx)
- If ENV[‘HTTPS’] == “on”
- If the X-Forwarded-Proto header == “HTTPS”
See the force_ssl source for the full story.
Since you’re using a combined block, you want to use the third form. Try:
proxy_set_header X-Forwarded-Proto $scheme;
in your server or location block per the nginx documentation.
This will set the header to “http” when you come in on a port 80 request, and set it to “https” when you come in on a 443 request.