Nginx redirect on "Upgrade-Insecure-Requests: 1"

If you want to allow for both http and https requests, but redirect new browsers capable of https to https version, here is simple nginx configuration snippet:

set $do_http_upgrade "$https$http_upgrade_insecure_requests";
location / {
     if ($do_http_upgrade = "1") {
         add_header Vary Upgrade-Insecure-Requests;
         return 307 https://$host$request_uri;
     root   /var/www/your-website-root;

$https can be either "on" or empty, $http_upgrade_insecure_requests can be either "1" or empty → this means $do_http_upgrade will be set to "1" only in case request came in via http and browser set the Upgrade-Insecure-Requests header.