Of corse it works.

Is it safe to assume that your nginx.conf example is incomplete? As I understand you want to redirect http traffic from port 80 to port 443 and use the https server as reverse proxy to your container.

Shouldn’t it look more like this?

upstream mytestapp {
    server web:8000;
}

server {
    listen 80;

    location / {
        return 301 https://example.com$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/ssl/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/example.com/privkey.pem;
 
    location / {
        proxy_pass http://mytestapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }   
}

I haven’t sanity checked the syntax. I just reorganized your config to do what I think that you want it to do. Also is the web service realy listending on port 8000 inside the container? The expose statement you added to the services configuration has no effect at all.

You might want to take a look at this post about dns-caching issue with nginx, as nginx will cache resolved ip’s until restart, unless you force it to dynamicly resolve it every time. Just think about what happens, if you change the config of the web service. Docker-compose would only re-create the web container (which will have a new ip), but the nginx server would still try to forward traffic to the ip it knows from before.