Context/portal_url replaced by http URL instead of https

I have inherited a Plone 4.0.10 site, which I migrated to a new server and for the most part works ok. The problem I'm having is that a small number among all of the resources loaded by any page has a http URL instead of https, which the browser doesn't like. Not only does this earn me the "Not secure" badge in the browser address bar instead of the lock icon, but the browser downright refuses to load/blocks the http resources. The maddening thing is that 99% of all resources are https and only a few are http, as seen on the Network tab of the Chrome inspector.

In some cases, ${context/portal_url} is replaced by a http URL instead of https. Same with &dtml-portal_url;, e.g.:

#social-links .facebook { background-image: url(&dtml-portal_url;/facebook.png); }

The biggest problem is TinyMCE, where the mix of http and https causes a bunch of things to break, such as the image browser dialog. In one page there is an <img> tag that uses a resolveuid src attribute:

<img alt="person name" class="image-left" height="184" src="resolveuid/5c46518b132ffd09f76452cad1b6a99f/image_mini" width="144" />

This resolveuid gets replaced by a http URL, as do many others.

Also, inside the TinyMCE iframe the <base> tag has a href=http://... attribute, as opposed to the top <base> tag which has a https href.

The same <img> with resolveuid works fine in a normal view (not edit), i.e. it resolves to https.

Here is an example of where one of the offending http URLs comes from:

Plone-4.0.10-py2.6.egg/Products/CMFPlone/skins/plone_forms/content_status_history.cpt:

  <metal:calendar fill-slot="javascript_head_slot">
    <style type="text/css" media="all"
            tal:content="string:@import url(${context/portal_url}/jscalendar/calendar-system.css);"></style>
    <script type="text/javascript"
            tal:attributes="src string:${context/portal_url}/jscalendar/calendar_stripped.js"></script>
    <script type="text/javascript" charset="iso-8859-1"
            tal:condition="exists: context/jscalendar/calendar-en.js"
            tal:attributes="src string:${context/portal_url}/jscalendar/calendar-en.js"></script>
  </metal:calendar>

The <style> tag puts an @import http:// directive in the page, whereas the <script> tags are both https. Same ${context/portal_url}, different URLs!

I have tried rebuilding portal_catalog, reference_catalog and uid_catalog, disabling the cache in @@caching-controlpanel, etc.

I have nginx in front of varnish, with all http requests redirected to https, and the main nginx rule is:

rewrite ^/(.*)$ /VirtualHostBase/https/$server_name:443/SITE_ID/VirtualHostRoot/$1 break;

Has anyone else seen this kind of problem?

Plone Foundation Code of Conduct