Thanks so much for replying. OWIN is on a separate box from NGINX. Below is my traffic flow.
Internet------->Sonicwall------------(forward port 443)-------------------------------------->NGINX---------->IIS with OWIN
OWIN listens on ports 80 and 443 I believe. Our developers did the site. It has a legitimate certificate installed also.
They both listen on the physical NIC yes. Also yes I want to do SSL termination and HTTP/2 with nginx and proxy everything to OWIN/IIS. When I expose the site on the internet it works fine but when I put it (logically) behind NGINX, I get the error. The site still comes up even when behind NGINX but the error happens when I try to log in. Keeps saying Invalid login attempt. Not sure how to use curl to log into a site but I will look it up.