I'm just a bit surprised that "port_in_redirect off" does not also
work. But that's ok -- I'm often surprised.
There's a "if" in src/http/ngx_http_header_filter_module.c which changes port's value from 443 to 0 when on ssl + port initially 443 so https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when port_in_redirect is off.

"... but I don't know what is the set of conditions under which you would want this ssl-rewrite to happen, and how you would go about configuring that."
I'm not sure I understand what you mean (my bad english); the entire setup is one allowing me to access my home server through the corporate firewall wile not breaking what I already have (my web sites):
browser (ssl) -> sshttp:443 -> stunnel:1443 -> nginx:443:listen proxy_protocol:no ssl
ssh client -> sshttp:443 -> ssh:22 -> ssh traffic detectable by firewall (I don't want that)
ssh client -> stunnel in client mode:local-custom-port -> sshttp:443 -> stunnel:1443 -> ssh:22 -> firewall sees only ssl traffic (better)
See https://adrhc.go.ro/wordpress/ssh-http-and-https-multiplexing/ for instructions on full setup.

"It looks like nobody else has had that particular use case ..."
This seems odd for me; I'm sure I'm not the only guy starving for open ports to internet (only 80 and 443 allowed) :D

------------------------
https://adrhc.go.ro