ActionController::InvalidAuthenticityToken when using nginx to proxy https requests to other nginx (http) to proxy to rails (http)

I have following server structure:

1. first nginx, that redirects all requests to nginx in docker container. I want it just to handle https and proxy requests to nginx that cant handle https

Full config

Related config (nginx-recommended-proxy-headers here) (I just tried every header that could help, didn't work):

location / {

    proxy_pass http://127.0.0.1:23000;


    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Forwarded-Port $server_port;

    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Protocol https;
    proxy_set_header X-Url-Scheme https;
    proxy_set_header X-Forwarded-Host $host:$server_port;

    proxy_set_header X-Real_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header Set-Cookie;

    proxy_buffering off;
    proxy_ssl_session_reuse off;

    include /nix/store/avmqrlsy7dfh6bz1r6yzw3wvrvb0wzf1-nginx-recommended-proxy-headers.conf;
}

2. nginx in docker container. It glues rails server and responsivefilemanager. It exists to allow tesing of both server and filemanager, but does not handle https.

Docker-compose

  nginx:
    stdin_open: true
    tty: true
    extends:
      file: chunks/nginx.yml
      service: nginx
    build:
      args:
        - NGINX_CACHE=on
    ports:
      - 23000:80
    env_file:
      - ./envs/filemanager-static-path.env
      - ./envs/carrierwave-dirs.env
    environment:
      - BACKEND_URL=http://be:3000
      - FILEMANAGER_URL=http://filemanager:80
    volumes:
      - filemanager_upload_data:/filemanager_upload_dir
      - carrierwave_public_upload_data:/public_upload
      - carrierwave_cache_data:/carrierwave_cache_dir
      - ${SOURCE_DIR:-..}:/public
    depends_on:
      - be
      - filemanager

Full config Related config

  location / {
    proxy_pass     $BACKEND_URL;
    proxy_http_version 1.1;

    proxy_set_header Host       $http_host;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP  $remote_addr;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;

    proxy_buffering  off;
    proxy_ssl_session_reuse off;
  }

3. rails server, just rails server, default prod config

And with this config I have ActionController::InvalidAuthenticityToken issue.

Please help me. How this should work? What rails is expecting? https worked with this config when I had only 1 nginx and backend.