Nginx HTTP to HTTPS configuration with Azure ACI

Question

I am building a flask-socketio service that is deployed in an Azure container group. The problem that I am encountering is a Mixed Content error since the client providing the page (HTTPS) needs to connect to our service using web sockets (HTTP).

I found a guide showing how you can create a TLS endpoint in a sidecar container here, however, I suspect the nginx configuration is not working as I receive a net::ERR_CERT_AUTHORITY_INVALID client-side error when trying to connect to the web socket.

I am very new to nginx and its configuration files; it would be much appreciated if something wrong in my config can be pointed out. I have tried changing the proxy_pass value to localhost, yet, nothing changes.

nginx.config

# nginx Configuration File
# https://wiki.nginx.org/Configuration

# Run as a less privileged user for security reasons.
user nginx;

worker_processes auto;

events {
  worker_connections 1024;
}

pid        /var/run/nginx.pid;

http {

    #Redirect to https, using 307 instead of 301 to preserve post data

    server {
        listen [::]:443 ssl;
        listen 443 ssl;

        server_name askme.eastus.azurecontainer.io;

        # Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
        # SSLv3 to the list of protocols below.
        ssl_protocols              TLSv1.2;

        # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;

        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;


        # Use a higher keepalive timeout to reduce the need for repeated handshakes
        keepalive_timeout 300; # up from 75 secs default

        # remember the certificate for a year and automatically connect to HTTPS
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;

        location / {
            proxy_pass http://askme.eastus.azurecontainer.io:80; # TODO: replace port if app listens on port other than 80

            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

aci-deploy.yml

apiVersion: '2019-12-01'
location: eastus
name: containergroup
type: Microsoft.ContainerInstance/containerGroups
properties:
  osType: Linux
  ipAddress:
    type: Public
    dnsNameLabel: askme
    ports:
    - protocol: tcp
      port: 22
    - protocol: tcp
      port: 443
  containers:
  - name: nginx-with-ssl
    properties:
      image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
      ports:
      - port: 443
        protocol: tcp
      resources:
        requests:
          cpu: 2.0
          memoryInGB: 1.5
      volumeMounts:
      - name: nginx-config
        mountPath: /etc/nginx
  - name: flask-app
    properties:
      image: containerregistry.azurecr.io/flask-app:1.0
      resources:
        requests:
          memoryInGb: 2.0
          cpu: 1.0
      ports:
      - protocol: tcp
        port: 80
      volumeMounts:
      - name: shared-data
        mountPath: /my-app/uploaded_files
  - name: sftp
    properties:
      image: containerregistry.azurecr.io/atmoz/sftp:latest
      resources:
        requests:
          memoryInGb: 1.5
          cpu: 1.0
      ports:
      - protocol: tcp
        port: 22
      environmentVariables:
      - name: SFTP_USERS
        value: XX:XX:::sftp_files
      volumeMounts:
      - name: shared-data
        mountPath: /home/myuser/sftp_files
  imageRegistryCredentials:
  - server: containerregistry.azurecr.io
    username: ...
    password: ...
  volumes:
  - name: shared-data
    azureFile:
      shareName: ...
      storageAccountName: ...
      storageAccountKey: ...
  - secret:
      ssl.crt: ...
      ssl.key: ...
      nginx.conf: ...
    name: nginx-config