diff --git a/config/nginx/templates/default.conf.template b/config/nginx/templates/default.conf.template
index fe2b6cf7cc6f982340cf7a25c271929debf85022..034d8e3d5ba0def78d4180e35a9d8631ce915820 100644
--- a/config/nginx/templates/default.conf.template
+++ b/config/nginx/templates/default.conf.template
@@ -4,6 +4,11 @@ map $arg_v $asset_immutable {
     default ", immutable";
 }
 
+map $http_x_forwarded_proto $real_scheme {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
 # use docker DNS resolver with limited cache value for nc update or scaling
 resolver 127.0.0.11 valid=5s;
 
@@ -106,15 +111,15 @@ server {
         # The rules in this block are an adaptation of the rules
         # in `.htaccess` that concern `/.well-known`.
 
-        location = /.well-known/carddav { return 301 $scheme://$http_host/remote.php/dav/; }
-        location = /.well-known/caldav  { return 301 $scheme://$http_host/remote.php/dav/; }
+        location = /.well-known/carddav { return 301 $real_scheme://$http_host/remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 $real_scheme://$http_host/remote.php/dav/; }
 
         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
         location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
 
         # Let Nextcloud's API for `/.well-known` URIs handle all other
         # requests by passing them to the front-end controller.
-        return 301 $scheme://$http_host/index.php$request_uri;
+        return 301 $real_scheme://$http_host/index.php$request_uri;
     }
 
     # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -171,7 +176,7 @@ server {
 
     # Rule borrowed from `.htaccess`
     location /remote {
-        return 301 $scheme://$http_host/remote.php$request_uri;
+        return 301 $real_scheme://$http_host/remote.php$request_uri;
     }
 
     location / {
diff --git a/docker-compose.yml b/docker-compose.yml
index 5afbcf51c480bfa576fd0601113d2c9cc0b336ce..a93cfb60bab343008188653e4528aa9429b46806 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -75,6 +75,7 @@ services:
         - "traefik.enable=true"
         - "traefik.http.routers.${DB_USER}-nextcloud.rule=Host(`${DOMAIN}`)"
         - "traefik.http.services.${DB_USER}-nextcloud.loadbalancer.server.port=80"
+        - "traefik.http.middlewares.${DB_USER}-nextcloud.headers.customrequestheaders.X-Forwarded-Proto=https"
 
 networks:
   proxy-network: