I have managed to find out that if in Auth.js the secure property will be changed to false, then it will work but the cookie itself won’t be saved in browser. I could also see that with this solution (this is the very same config as that for local dev server) the authenticated request aren’t working as intended - the cookie won’t be send on prod server. Weird enough if I log in locally and then make authenticated request, Strapi does know it was sent by an authenticated user. On production it doesn’t work like that and I don’t know why.
It could be possible fix by setting proxy: true in server.js file from Strapi. Sadly it breaks my app on the server, where I can’t adjust Nginx proxy by myself.