Fixed! Finally, only my external nginx server uses HTTPS,
proxying to an internal one that only does HTTP. Also I
fixed a redirect bug that meant that locations visited
without a trailing slash would respond with a 301 to
http://.../ - notice the trailing slash. After that, the
external nginx would send a 301 to https://.../.