
I am running a service in a Docker container. The service is exposed on a given port (e.g. 12345).

On top of it I added an nginx reverse proxy to get extra functionality like HTTPS and HTTP/2.

The nginx configuration is the following:

worker_processes auto;

# nginx refuses to start without an events section; added here so the
# excerpt is a complete, loadable configuration.
events {}

http {
    sendfile        on;

    gzip  on;

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl ipv6only=on http2;

        server_name example.com;   # terminating semicolon was missing

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            # pass client address and original Host header to the backend
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;

            # backend is the published container port on the host
            proxy_pass http://localhost:12345/;

            # HTTP/1.1 and Upgrade headers are needed for WebSocket passthrough
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Without any firewall, it works properly (I can access the service on the LAN both on port 443 and on port 12345).

I have firewalld with the nftables backend configured as follows:

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-06ceff0ffa49 docker0
  sources: 
  services: 
  ports: 12345/tcp 12345/udp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources: 
  services: http https ssh
  ports: 12345/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 12345/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

When I try to access the service from a PC on the LAN with this configuration, I can access it directly through port 12345, but if I try accessing it via nginx I get a timeout.

My feeling is that firewalld is preventing nginx from exchanging data with the container, but I have no clue what I am missing to make it work.

What may I be missing?

Fylax
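As no answer was posted, here is an added diagnostic script (not the asker's code) that checks the zone-level policy along the proxy path described in the question: it parses a `firewall-cmd --list-all-zones` style listing and reports whether the zone owning each interface admits the port or service that hop needs. The listing embedded in the script is a constructed, trimmed copy of the question's zones so that it runs offline.

```shell
#!/usr/bin/env bash
# Added helper, not from the question. Walks LAN -> eth0:443 -> nginx ->
# lo:12345 -> docker0:12345 and checks each hop against the firewalld zones.
# ZONES_CONSTRUCTED is a trimmed copy of the zone listing in the question.
ZONES_CONSTRUCTED='docker (active)
  target: ACCEPT
  interfaces: br-06ceff0ffa49 docker0
  services: 
  ports: 12345/tcp 12345/udp

public (active)
  target: default
  interfaces: eth0 wlan0
  services: http https ssh
  ports: 12345/tcp

trusted (active)
  target: ACCEPT
  interfaces: lo
  ports: 12345/tcp'
# Print the zone whose "interfaces:" line contains $2 (empty if none).
zone_of_iface() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[^ ]/ { zone = $1 }
    /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}
# Succeed if zone $2 admits $3 (port like 443/tcp or service like https), or its target is ACCEPT.
zone_allows() {
  printf '%s\n' "$1" | awk -v zone="$2" -v want="$3" '
    /^[^ ]/ { cur = $1; next }
    cur != zone { next }
    /^  target: ACCEPT/ { ok = 1 }
    /^  (services|ports):/ { for (i = 2; i <= NF; i++) if ($i == want) ok = 1 }
    END { exit ok ? 0 : 1 }'
}
# Check every hop of the path; print one line per hop, return 1 if any hop
# is blocked or its interface is not assigned to a listed zone.
check_path() {
  listing=$1 rc=0
  for hop in "eth0 https" "lo 12345/tcp" "docker0 12345/tcp"; do
    set -- $hop
    zone=$(zone_of_iface "$listing" "$1")
    if [ -z "$zone" ]; then printf '%s: not in any listed zone\n' "$1"; rc=1
    elif zone_allows "$listing" "$zone" "$2"; then printf '%s (%s): %s allowed\n' "$1" "$zone" "$2"
    else printf '%s (%s): %s BLOCKED\n' "$1" "$zone" "$2"; rc=1
    fi
  done
  return $rc
}
check_path "$ZONES_CONSTRUCTED"
```

A clean result only shows that the firewalld zones admit each hop; the rules Docker installs on its own (its DOCKER chains) are not part of this listing, so compare against `nft list ruleset` as well.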