I found this question asked on Serverfault, but the answer just provided alternatives instead of actually detailing the implications. I had to set DEFAULT_FORWARD_POLICY to "ACCEPT" to be able to connect to my docker applications, even behind an nginx reverse proxy. However, it seems to still be secure as trying to access said apps by http://droplet-ip:app-port won't work while http://app-domain does. Are there any serious repercussions to having DEFAULT_FORWARD_POLICY "ACCEPT"?