I've been hacking with this for a long time, and whilst I think nginx can technically do it, it's likely to be over-complicated and problem-prone (see the comments about "ifs are evil" in the nginx doco).
Instead, I've used Apache. It's still something of a project to do, but
RewriteRule allow for the permutations needed. Apache has some annoying defaults with regards to setting
X-Forwarded-* headers which we have to overcome. Apparently setting
X-Forwarded-Server trips up FusionAuth in some way.
However, I think I've got this working (or rather, I've got it working as well as I can see, and my in-development app can log in too). I've raised a PR on fusionauth-contrib: https://github.com/FusionAuth/fusionauth-contrib/pull/2. There may be more edge cases for API users I haven't considered here - comments welcome.
I've had a look at the github issue @dan posted, and in fact a few others. They all seem to be pretty worthwhile. The hoops I've jumped through here are excessive, and the differences in headers set by Nginx and Apache also tripped me up - all stuff that's not clearly documented or described in FusionAuth. There's definitely something to do here that would really help all of this. I'm not yet sure if the existing issues will solve this, or if another needs raising.
Either way, I hope my PR will save someone else the 1-2 days I've spent hacking about with this!? Thanks all for your help getting this far.