cockpit and nginx reversed proxy

I was trying to make my intranet cockpit web console accessed via Internet, I set up nginx proxy just as other intranet web sites like file server, the cockpit login interface appeared finely in the Internet, but when I tried to logon, it just refreshed, not logged in. After I searching on bing.com, I realized that nginx need a https proxy, not http. I used cockpit's certificate as https certificate. The nginx config file looks like:

server {
    listen         8001 ssl;
    server_name    lufy.top;

    ssl_certificate /etc/nginx/conf.d/ws-certs.d/0-self-signed.cert;
    ssl_certificate_key /etc/nginx/conf.d/ws-certs.d/0-self-signed.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://10.0.1.2:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

Also, some change of cockpit config file is needed:

cat /etc/cockpit/cockpit.conf
[WebService]
Origins = https://lufy.org:8001 wss://lufy.org
ProtocolHeader = X-Forwarded-Proto