Chef Server has two components I want behind SSL: The API service and the WebUI/Management Console. Miguel Cabeça and Jonathan Matthews had variations on a nifty technique to achieve this in a single Apache Virtual Host by detecting some HTTP request headers that a Chef API client, such as chef-client or Knife, typically sends and routing these requests to the API server.
What if you don't use Apache at all, though? In an Nginx-only world you can do a very similar thing. Here is a basic (abbreviated) Nginx config which detects the presence of the API client request headers and reverse proxies those requests to the API service and sends everything else to the Management Console.