While testing to bypass the Apache2 proxy at the Discourse container host, and disabling forced HTTPS redirects at Cloudflare to test plain HTTP connections via curl as well, I finally found the culprit at Cloudflare:
I am not sure what changed with our VPS switch and/or Discourse 3.5.0.beta3 to 3.5.0.beta4 upgrade and/or coincidentally at Discourse at the same time, but it seems that something in the Discourse HTML, CSS or JavaScript documents causes Cloudflare’s HTTPS rewrite of embedded URLs to choke. Looks like the partial and hanging curl requests were not really related, or maybe they are. Weird that in the browser network tab one can see the partial content of HTML document, as if the HTTPS rewrite feature does it while streaming through the document.
Does maybe someone else have an instance and a Cloudflare account to test this with, whether it is a general issue or related to our particular instance/setup?
Btw, to test bypassing the proxy as well as HTTP, while keeping the connection via proxy active, manually adjusting the Nginx config within the container like this works perfectly fine:
root@dietpi-discourse:/var/www/discourse# cat /etc/nginx/conf.d/outlets/server/10-http.conf
listen unix:/shared/nginx.http.sock;
set_real_ip_from unix:;
listen 8080;
listen [::]:8080;
listen 8443 ssl;
listen [::]:8443 ssl;
http2 on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_certificate /shared/fullchain.cer;
ssl_certificate_key /shared/dietpi.com.key;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;
Important to remove HTTPS redirects and HSTS header, of course, and to expose the added ports.