Folks, I have a question about marking packets on our NGINX platforms. The traffic that I'll be talking about below is all on our internal WAN, so DSCP marking is what we're looking for. Our WAN supports full QoS, and we understand that part.

We have NGINX proxies that are deployed in AWS. These boxes are accepting inbound requests on ports TCP/8080 and TCP/443 and then proxying them to AWS load balancers. What we want is for the packets to be marked with DSCP bits for the return traffic to client machines on our network. We have managed to successfully mark packets that originate on the NGIX boxes themselves by using iptables, but we've had no luck so far marking the packets that are delivered back toward the clients by the NGIX proxy. Is there someone here who has had luck marking traffic that is proxied by the NGINX boxes back toward the clients?

I have attached a quick diagram of the infrastructure and the traffic that we're attempting to mark with DSCP bits.