Difficulty getting shadowsocks/v2ray to work behind an nginx reverse proxy

I have an existing reverse proxy which uses a containerized bunkerweb instance, and it is already working correctly for TLS-terminating a few HTTP services behind it.

So I figured I can easily add a shadowsocks service with the v2ray plugin without TLS, and have the proxy terminate TLS and forward HTTP to the shadowsocks instance.
I have bunkerweb automatically generate a Let's Encrypt SSL certificate for a dedicated vhost under a domain that resolves to this host, and simply forward to the service at port 8388.

It is however not working for me.

My simple config:

```json
{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "mysecretpass",
  "timeout": 300,
  "user": "nobody",
  "method": "chacha20-ietf-poly1305",
  "fast_open": false,
  "nameserver": "8.8.8.8",
  "mode": "tcp_and_udp",
  "plugin": "/nix/store/ky34fc400bhnkw9dwwx6xpgck4500hv7-shadowsocks-v2ray-plugin-1.3.1/bin/v2ray-plugin",
  "plugin_opts": "server;path=/"
}
```

When starting I see this:

```
2023-03-29 18:03:01 INFO: plugin "/nix/store/ky34fc400bhnkw9dwwx6xpgck4500hv7-shadowsocks-v2ray-plugin-1.3.1/bin/v2ray-plugin" enabled
2023-03-29 18:03:01 INFO: UDP relay enabled
2023-03-29 18:03:01 INFO: initializing ciphers... chacha20-ietf-poly1305
2023-03-29 18:03:01 INFO: using nameserver: 8.8.8.8
2023-03-29 18:03:01 INFO: tcp server listening at 127.0.0.1:42943
2023-03-29 18:03:01 INFO: udp server listening at 0.0.0.0:8388
2023/03/29 18:03:01 V2Ray 4.23.2 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.19.4 linux/amd64)
2023/03/29 18:03:01 A unified platform for anti-censorship.
2023/03/29 18:03:01 [Warning] v2ray.com/core: V2Ray 4.23.2 started
```

So I wonder how this can work, since my forward with my proxy from external.host.org:443/ to http://internalip:8388 should lead to an HTTP (i.e. TCP) service, but above we can see it's UDP, even though all examples, e.g. this one, don't mention anything about this.

Any ideas how this is done consistently (i.e. using a reverse proxy)? And what role does the UDP connection play in such a scenario? Should I forward that separately directly to the service in the host's firewall? Or switch it off? (Especially considering lowering chances of detection and blocking in CN.)