Sorry, was out at a conference last week. If you're getting "Tunnel Forbidden" it means a `CONNECT` request is going through ATS and getting blocked because `proxy.config.http.connect_ports` [1] doesn't allow the remote port. This may have changed between 5 and 8. I suspect that the HTTPS change is related, because that may be causing the `CONNECT` request. I suspect the 502 is due to confusion about whether the connection is HTTP or HTTPS, where an HTTP request is treated as a TLS Client Hello or vice versa. The first step I would take is finding where the `CONNECT` is happening.
[1] https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-http-connect-port
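
One way to find where the `CONNECT` is happening, as an added example that is not part of the original message or of ATS itself: read the `proxy.config.http.connect_ports` value from `records.config` and list `CONNECT` requests in the access log whose target port falls outside it. The log lines, hostnames and config value are constructed; the Squid-style field order and the handling of `*` and `low-high` tokens are assumptions.

```python
import re

# Constructed records.config excerpt (values chosen for illustration).
RECORDS_CONFIG = """\
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.connect_ports STRING 443
"""

# Constructed access-log lines, assumed Squid-style field order:
# time elapsed client result/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1546300800.101 12 10.0.0.5 TCP_MISS/200 5120 GET http://app.example.test/ - DIRECT/app.example.test text/html
1546300801.202 3 10.0.0.5 TCP_MISS/403 0 CONNECT backend.example.test:8443 - NONE/- -
1546300802.303 40 10.0.0.6 TCP_MISS/200 900 CONNECT api.example.test:443 - DIRECT/api.example.test -
"""

def allowed_ports(records_text):
    """Return connect_ports as a list of (low, high) pairs, or None if unset."""
    m = re.search(r"^CONFIG\s+proxy\.config\.http\.connect_ports\s+STRING\s+(.+)$",
                  records_text, re.M)
    if not m:
        return None  # not set in this file, so the built-in default applies
    ranges = []
    for tok in m.group(1).split():
        if tok == "*":                      # assumption: wildcard for all ports
            ranges.append((1, 65535))
        else:                               # "443" or assumed "low-high" range
            lo, _, hi = tok.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def blocked_connects(log_text, ranges):
    """Return (client, host, port, result) for CONNECTs to ports not in ranges."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")   # CONNECT target is host:port
        if not port.isdigit():
            continue
        if not any(lo <= int(port) <= hi for lo, hi in ranges):
            hits.append((f[2], host, int(port), f[3]))
    return hits

if __name__ == "__main__":
    for hit in blocked_connects(ACCESS_LOG, allowed_ports(RECORDS_CONFIG)):
        print("CONNECT outside connect_ports:", hit)
```

The client address in each hit shows which caller is issuing the `CONNECT`, which is the starting point for deciding whether to change the client or the allowed ports.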
