Going over your error messages / full log output:
In all three alternatives, we see some variation of 2020/02/05 10:32:29.188 ERROR http.log.error dial tcp 127.0.0.1:5000: connect: connection refused
The listener at 127.0.0.1:5000 is rejecting your connection. Is Postgraphile actually running? If it is, is it actually running on port 5000? If yes, are there any settings that would cause it to refuse connections outright from localhost?
Now, the other problem we’re seeing:
Access to fetch at 'https://graphql.direktbegruenung.ch/graphql' from origin 'https://direktbegruenung.ch' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
However, we see you’re running header_down Access-Control-Allow-Origin * on… basically every proxy (except for json subdomain, which is header_up - you definitely do want header_down in order to get that header coming back to the client).
So, yeah, these are… strange. Can you issue a curl -IL graphql.direktbegruenung.ch and show what headers you actually get back? We need to see if we’re getting some malformed Access-Control-Allow-Origin header, or no header at all, or whatever else might be going on.
One option to try after checking that would be to use the header directive straight on the actual site itself, rather than adding header_down to all the proxies, e.g.: header Access-Control-Allow-Origin direktbegruenung.ch