I think this is related to the fact I'm using NAT to match the 80 port to the web server. It means, for me, that even there's a rule which restrict WAN traffic going to DMZ, the NAT is applied first.
This premise is incorrect. Both a NAT rule and a matching firewall rule that allows access are required for a host on an internal interface to be reached from the WAN. Not one or the other, but both.
Without seeing your entire rules set it's not possible to diagnose your problem. As rules are applied in sequence, you may have the correct rule but not in the correct place.
Post screenshots of your NATs and WAN interface Firewall Rules.