From fc1f61397b80fef0b7df883269a0ba8344e3c5c8 Mon Sep 17 00:00:00 2001 From: Nicolas Gelot Date: Thu, 6 Nov 2025 17:32:39 +0100 Subject: [PATCH] fix(nginx): add http_x_forwarded_proto to manage nginx redirect properly --- config/nginx/templates/default.conf.template | 13 +++++++++---- docker-compose.yml | 1 + 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/config/nginx/templates/default.conf.template b/config/nginx/templates/default.conf.template index fe2b6cf..034d8e3 100644 --- a/config/nginx/templates/default.conf.template +++ b/config/nginx/templates/default.conf.template @@ -4,6 +4,11 @@ map $arg_v $asset_immutable { default ", immutable"; } +map $http_x_forwarded_proto $real_scheme { + default $http_x_forwarded_proto; + '' $scheme; +} + # use docker DNS resolver with limited cache value for nc update or scaling resolver 127.0.0.11 valid=5s; @@ -106,15 +111,15 @@ server { # The rules in this block are an adaptation of the rules # in `.htaccess` that concern `/.well-known`. - location = /.well-known/carddav { return 301 $scheme://$http_host/remote.php/dav/; } - location = /.well-known/caldav { return 301 $scheme://$http_host/remote.php/dav/; } + location = /.well-known/carddav { return 301 $real_scheme://$http_host/remote.php/dav/; } + location = /.well-known/caldav { return 301 $real_scheme://$http_host/remote.php/dav/; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } # Let Nextcloud's API for `/.well-known` URIs handle all other # requests by passing them to the front-end controller. - return 301 $scheme://$http_host/index.php$request_uri; + return 301 $real_scheme://$http_host/index.php$request_uri; } # Rules borrowed from `.htaccess` to hide certain paths from clients 
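Review bot: The `default $http_x_forwarded_proto;` arm of the new map copies the request header into `$real_scheme` unchecked, and that variable is then written into the `Location` of every redirect this patch touches (the `/.well-known` hunk and the `/remote` hunk). Whenever the header is not overwritten upstream, the redirect scheme is whatever string the client sent; the visible lines do not rule out this container being reachable without going through Traefik. An allow-list keeps the fallback safe. The map body would become `https https;`, `http http;`, `default $scheme;`.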
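Review bot: The rewritten `return 301` lines in the `/.well-known` block still take the authority from `$http_host`, the raw `Host` request header, so after this change both the scheme and the host of the redirect target come from request headers. A path-only target such as `return 301 /remote.php/dav/;`, combined with `absolute_redirect off;` in the `server` block, would give correct redirects behind a TLS-terminating proxy without trusting either header. Whether `absolute_redirect` is already set cannot be seen from here, and the enclosing `location` block opens above the hunk. The same applies to the `location /remote` hunk.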
@@ -171,7 +176,7 @@ server { # Rule borrowed from `.htaccess` location /remote { - return 301 $scheme://$http_host/remote.php$request_uri; + return 301 $real_scheme://$http_host/remote.php$request_uri; } location / { diff --git a/docker-compose.yml b/docker-compose.yml index 5afbcf5..a93cfb6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -75,6 +75,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.${DB_USER}-nextcloud.rule=Host(`${DOMAIN}`)" - "traefik.http.services.${DB_USER}-nextcloud.loadbalancer.server.port=80" + - "traefik.http.middlewares.${DB_USER}-nextcloud.headers.customrequestheaders.X-Forwarded-Proto=https" networks: proxy-network: -- GitLab
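Review bot: The added label only declares a `headers` middleware; none of the labels visible in this hunk attaches it to the `${DB_USER}-nextcloud` router, and Traefik applies a middleware only where a router references it. Unless that reference is among the labels above the hunk, `X-Forwarded-Proto` is never forced to `https` and the nginx map falls back to whatever value arrives. If it is missing, add `- "traefik.http.routers.${DB_USER}-nextcloud.middlewares=${DB_USER}-nextcloud"`. A one-line comment above the label, for instance `# nginx builds its redirect scheme from this header; keep it set by the proxy`, would record why it must stay.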