Reverse proxy - nginx not working

Hi,
I have a separate VM with nginx acting as reverse proxy (10.0.1.204). All other reverse proxies work fine... but Nextcloud doesn't work at all, and I am desperate already.

Nextcloud has IP 10.0.1.163.

https://cloxxx.duckdns.org from the internal network:

When I execute this from outside of the local network:
```
[xp@localhost ~]$ curl -kv https://cloxx.duckdns.org/
*   Trying xx217.96:443...
* Connected to cloxx.duckdns.org (xxx217.96) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=cloxx.duckdns.org
*  start date: Aug  4 23:47:37 2022 GMT
*  expire date: Nov  2 23:47:36 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: cloxx.duckdns.org
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 05 Aug 2022 16:08:37 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://cloxxx.duckdns.org/
< Strict-Transport-Security: max-age=15768000;includeSubDomains
<
* Connection #0 to host cloxxx.duckdns.org left intact
```

config.php (posted as screenshots, not reproduced here)

On the Nextcloud VM, when I execute:

```
root@nextcloud:/usr/local/www/nextcloud/config # host 10.0.1.204
204.1.0.10.in-addr.arpa domain name pointer reverz-proxy.lan.
```

When I try to open the Nextcloud page https://cloxx…/, this is what I get in the reverse proxy log:

10.0.1.138 - - [05/Aug/2022:16:14:04 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"


nginx reverse proxy config:

```
server {

    # root /var/www/cloxxx.duckdns.org/html;
    # index index.html index.htm index.nginx-debian.html;

    server_name cloxxx.duckdns.org;

    # location / {
    #         try_files $uri $uri/ =404;
    # }
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

    access_log /var/log/nginx/cloxxx.duckdns.org.access.log;
    error_log /var/log/nginx/cloxxx.duckdns.org.error.log;

    # listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloxxx.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloxxx.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://10.0.1.163/;
        proxy_buffering off;
        proxy_request_buffering off;

        # proxy_set_header X-Real-IP $remote_addr;

        # Enable HSTS (HTTP Strict Transport Security)
        # add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # add_header Front-End-Https on;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        # proxy_redirect off;
        proxy_max_temp_file_size 0;
    }

}
```

Nextcloud was installed with this script:
https://github.com/danb35/freenas-iocage-nextcloud

and this directive was enabled as described there:

HTTP Strict Transport Security

When you log into your Nextcloud instance as administrator, you may see a configuration warning that HSTS is not enabled. This is intentional. HSTS is a useful security measure, but it can also lock you out of your site if certificate renewal isn't working properly. I recommend you let the system obtain its initial trusted cert, and then renew at least once, before enabling HSTS, to ensure that automatic renewal works as intended. Ordinarily this will take about 60 days. To enable HSTS, follow these steps:

  • iocage console nextcloud
  • nano /usr/local/www/Caddyfile
  • Uncomment (remove the #) from the line that begins with Strict-Transport-Security
  • Save the edited file and exit nano.
  • service caddy reload

When I changed
`proxy_pass http://10.0.1.163`
to
`proxy_pass http://10.0.1.163:443`

I got this response in the browser:
`Client sent an HTTP request to an HTTPS server.`

Any idea here?
Thanks!