Enforce HTTPS in Bluemix

nginx.conf

worker_processes 1;
daemon off;

error_log <%= ENV["APP_ROOT"] %>/nginx/logs/error.log;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  access_log <%= ENV["APP_ROOT"] %>/nginx/logs/access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;

  gzip on;
  gzip_disable "msie6";
  gzip_comp_level 6;
  gzip_min_length 1100;
  gzip_buffers 16 8k;
  gzip_proxied any;
  gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;

  tcp_nopush on;
  keepalive_timeout 30;
  port_in_redirect off; # Ensure that redirects don't include the internal container PORT - <%= ENV["PORT"] %>
  server_tokens off;

  server {
    listen <%= ENV["PORT"] %>;
    server_name localhost;

    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }
    add_header Strict-Transport-Security "max-age=31536000;includeSubdomains";
    location / {
        root <%= ENV["APP_ROOT"] %>/public;
        index index.html index.htm Default.htm;
        <% if File.exists?(File.join(ENV["APP_ROOT"], "nginx/conf/.enable_directory_index")) %>
        autoindex on;
        <% end %>
        <% if File.exists?(auth_file = File.join(ENV["APP_ROOT"], "nginx/conf/.htpasswd")) %>
        auth_basic "Restricted";                                #For Basic Auth
        auth_basic_user_file <%= auth_file %>;  #For Basic Auth
        <% end %>
        <% if ENV["FORCE_HTTPS"] %>
        if ($http_x_forwarded_proto = http) {
          return 301 https://$host$request_uri;
        }
        <% end %>
    }
  }
}