[Solved] Lucee/lucee:5.3-nginx: listen tcp4 0.0.0.0:443: bind: address already in use

Thanks @andreas - yes, I have been busy exploring this and the doubling up occurred to me while I was implementing the solution. Thanks for confirming my suspicion. :slight_smile:

Re: the double nginx:
In my Dockerfile I presume I can simply use FROM lucee/lucee:5.3 instead of FROM lucee/lucee:5.3-nginx now and let Tomcat handle the traffic. I will try that.

Re: the SSL issue:
So, I want the vm nginx so the SSL on the domain is managed and also much much later I can use it for other redirecting, load balancing, etc.

Therefore what I did was to run the docker compose with Lucee ports mapped as:
ports:
- "81:80"

i.e. dropped mapping port 443 altogether, and host 81 maps to container 80.

Then I amended my /etc/nginx/sites-available/apiv1.flowt.com.au file to use the
proxy_pass http://localhost:81;
plus I added some comments so I remember what this all means next time!

Included here for others who might be similarly confused - never having seen nginx config before!

server {
    # This is the 443 HTTPS block

    root /var/www/apiv1.flowt.com.au/html;
    index index.html index.htm index.cfm index.nginx-debian.html;

    server_name apiv1.flowt.com.au www.apiv1.flowt.com.au;

    location / {
        # I removed this:
        #    try_files $uri $uri/ =404;

        # I added this line to forward the requests on port 443 (SSL) to port 81
        # on localhost which is what the Lucee container is listening on
        # because in your docker compose you set port 81:80
        # ie host port 81 maps to container port 80
        proxy_pass http://localhost:81;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/apiv1.flowt.com.au/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/apiv1.flowt.com.au/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # This is the 80 HTTP block

    # This block says: if any traffic comes in on port 80 (http:) for
    # either ipv4 or ipv6,
    # for any of the domain names listed in `server_name` below,
    # redirect via the 301 to the `https` server
    # which the server block above will handle.

    if ($host = www.apiv1.flowt.com.au) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = apiv1.flowt.com.au) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name apiv1.flowt.com.au www.apiv1.flowt.com.au;
    return 404; # managed by Certbot
}

And it works! Yay!

And… it is obvious now! LOL :wink:

Thanks so much to @carehart and @andreas for your help.
Best wishes,
Murray

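A side effect of the `81:80` mapping in the post above: with no host IP in the mapping, Docker publishes host port 81 on all interfaces by default, so the Lucee container can also be reached over plain HTTP without going through the host nginx and its TLS. The added example below (not part of the original post; the function names and sample list are constructed for illustration) parses Compose short-syntax port strings and flags any mapping that is not bound to loopback. A mapping of `127.0.0.1:81:80` would keep port 81 reachable only from the host itself, which is all `proxy_pass http://localhost:81;` needs.

```python
import ipaddress
import re

# Compose short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO].
# A bare CONTAINER_PORT is published on an ephemeral host port.
_SHORT = re.compile(
    r"^(?:(?:(?P<ip>\[[0-9A-Fa-f:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<container>\d+(?:-\d+)?)(?:/(?P<proto>tcp|udp))?$"
)


def audit_port(mapping):
    """Return the bind address of a mapping and whether it is reachable off-host."""
    m = _SHORT.match(mapping.strip())
    if not m:
        raise ValueError(f"unsupported port mapping: {mapping!r}")
    if m.group("ip") is None:
        # Assumption: the Docker daemon uses its default publish address,
        # which is all interfaces.
        addr = ipaddress.ip_address("0.0.0.0")
    else:
        addr = ipaddress.ip_address(m.group("ip").strip("[]"))
    return {
        "mapping": mapping,
        "bind": str(addr),
        "host_port": m.group("host"),
        "container_port": m.group("container"),
        # Anything not bound to loopback can be reached from other machines.
        "off_host": not addr.is_loopback,
    }


def exposed(mappings):
    """Return only the mappings that are reachable from outside the host."""
    return [r["mapping"] for r in map(audit_port, mappings) if r["off_host"]]


# Constructed sample: the mapping from the post plus loopback-bound variants.
SAMPLE = ["81:80", "127.0.0.1:81:80", "[::1]:81:80", "0.0.0.0:443:443/tcp"]

if __name__ == "__main__":
    for finding in exposed(SAMPLE):
        print("published beyond loopback:", finding)
```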