okay - after lots of trying I think there was a problem with redis cache.
It works without those rules - however as I cannot use let's encrypt it's getting tedious. I need ssl and if I do a site update/site create and have the ssl rules - by default http:// redirect is not active.
However I cannot put a server directive into the /var/www/domain.com/conf/nginx/ folder - as it's not allowed. So I need to add it to the normal server config - where it will get deleted on any "site update domain.com" command.
So my ssl.conf looks like this:
listen 443 ssl http2;
listen [::]:443 ssl http2;
and I have to add the following lines to my normal .conf else the http:// to https:// forward is not active:
server_name www.domain.com domain.com;
return 301 https://www.domain.com$request_uri;
this will be deleted on any ee site domain.com update.
dunno why this is not needed for a website setup with --letsencrypt switch though. And yeah still don't understand where this redirect comes from - as on my old nginx setup I just put the 301 into the server block to www - and it was fine.... here it's not accepted.
There really should be a switch like --ssl which means you will install your own ssl cert - but no need for the listen 80 server block.
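One way to catch the situation described in the post above, where the redirect block disappears after a site update, is to test the resulting nginx config for a plain-HTTP server block that redirects to https://. This is an added example, not part of the original post or of EasyEngine; the `listen 80` lines and both sample configs are constructed assumptions.

```python
import re

def server_blocks(conf):
    """Yield the body of each brace-matched `server { ... }` block."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def http_redirects_to_https(conf, host):
    """True if a plain-HTTP port-80 server block for `host` returns 301/308 to https://."""
    for body in server_blocks(conf):
        # Split on ; { } so directives inside nested location blocks are seen too.
        directives = [d.split() for d in re.split(r"[;{}]", body) if d.split()]
        plain_80 = any(d[0] == "listen" and len(d) > 1 and "ssl" not in d
                       and d[1].rsplit(":", 1)[-1] == "80" for d in directives)
        names_host = any(d[0] == "server_name" and host in d[1:] for d in directives)
        redirects = any(d[0] == "return" and len(d) > 2 and d[1] in ("301", "308")
                        and d[2].startswith("https://") for d in directives)
        if plain_80 and names_host and redirects:
            return True
    return False

# Constructed sample: only the SSL listeners survive (state after a site update).
SSL_ONLY = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.domain.com domain.com;
}
"""

# Constructed sample: the same config plus the manually added redirect block.
WITH_REDIRECT = SSL_ONLY + """
server {
    listen 80;          # assumed; the post only shows the two lines below
    listen [::]:80;
    server_name www.domain.com domain.com;
    return 301 https://www.domain.com$request_uri;
}
"""

if __name__ == "__main__":
    for label, conf in (("ssl only", SSL_ONLY), ("with redirect", WITH_REDIRECT)):
        print(label, "->", http_redirects_to_https(conf, "domain.com"))
```

Run against the real site config after each update, a False result means visitors on http:// are no longer being sent to https://.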