From 2dd457670a0bdbdc26af5e8139128b596b2b1e6e Mon Sep 17 00:00:00 2001
From: "mike.reiche" <mike@reiche.world>
Date: Wed, 17 Dec 2025 23:43:36 +0100
Subject: [PATCH 1/4] Forward to correct scheme

Signed-off-by: mike.reiche <mike@reiche.world>
---
 charts/nextcloud/files/nginx.config.tpl | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
index 768c4c2f..40e5ca75 100644
--- a/charts/nextcloud/files/nginx.config.tpl
+++ b/charts/nextcloud/files/nginx.config.tpl
@@ -4,6 +4,11 @@ upstream php-handler {
     server 127.0.0.1:9000;
 }
 
+map $http_x_forwarded_proto $real_scheme {
+	default http;
+	https https;
+}
+
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
     "" "";
@@ -87,7 +92,7 @@ server {
     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
     location = / {
         if ( $http_user_agent ~ ^DavClnt ) {
-            return 302 /remote.php/webdav/$is_args$args;
+            return 302 $real_scheme://$host/remote.php/webdav/$is_args$args;
         }
     }
 
@@ -104,12 +109,12 @@ server {
     location ^~ /.well-known {
         # The following 6 rules are borrowed from `.htaccess`
 
-        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
-        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+        location = /.well-known/carddav     { return 301 $real_scheme://$host/remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 $real_scheme://$host/remote.php/dav/; }
 
         # Let Nextcloud's API for `/.well-known` URIs handle all other
         # requests by passing them to the front-end controller.
-        return 301 /index.php$request_uri;
+        return 301 $real_scheme://$host/index.php$request_uri;
     }
 
     # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -122,7 +127,7 @@ server {
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
     # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) $real_scheme://$host/index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -158,10 +163,10 @@ server {
 
     # Rule borrowed from `.htaccess`
     location /remote {
-        return 301 /remote.php$request_uri;
+        return 301 $real_scheme://$host/remote.php$request_uri;
     }
 
     location / {
-        try_files $uri $uri/ /index.php$request_uri;
+        try_files $uri $uri/ $real_scheme://$host/index.php$request_uri;
     }
 }

From b5ac79910513f722ea2c9c185679525ec8326674 Mon Sep 17 00:00:00 2001
From: "mike.reiche" <mike@reiche.world>
Date: Wed, 17 Dec 2025 23:54:51 +0100
Subject: [PATCH 2/4] Do not rewrite try_files

Signed-off-by: mike.reiche <mike@reiche.world>
---
 charts/nextcloud/files/nginx.config.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
index 40e5ca75..9512f109 100644
--- a/charts/nextcloud/files/nginx.config.tpl
+++ b/charts/nextcloud/files/nginx.config.tpl
@@ -127,7 +127,7 @@ server {
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
     # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) $real_scheme://$host/index.php$request_uri;
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -167,6 +167,6 @@ server {
     }
 
     location / {
-        try_files $uri $uri/ $real_scheme://$host/index.php$request_uri;
+        try_files $uri $uri/ /index.php$request_uri;
     }
 }

From 1095b46de4116fdeaef70527b6bdabf6d151af30 Mon Sep 17 00:00:00 2001
From: "mike.reiche" <mike@reiche.world>
Date: Thu, 18 Dec 2025 08:34:41 +0100
Subject: [PATCH 3/4] Respect X-Forwarded-Port

Signed-off-by: mike.reiche <mike@reiche.world>
---
 charts/nextcloud/files/nginx.config.tpl | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
index 9512f109..89009ca4 100644
--- a/charts/nextcloud/files/nginx.config.tpl
+++ b/charts/nextcloud/files/nginx.config.tpl
@@ -5,10 +5,15 @@ upstream php-handler {
 }
 
 map $http_x_forwarded_proto $real_scheme {
-	default http;
+	default $scheme;
 	https https;
 }
 
+map $http_x_forwarded_port $real_port {
+	default $server_port;
+	443     443;
+}
+
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
     "" "";
@@ -92,7 +97,7 @@ server {
     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
     location = / {
         if ( $http_user_agent ~ ^DavClnt ) {
-            return 302 $real_scheme://$host/remote.php/webdav/$is_args$args;
+            return 302 $real_scheme://$host:$real_port/remote.php/webdav/$is_args$args;
         }
     }
 
@@ -109,12 +114,12 @@ server {
     location ^~ /.well-known {
         # The following 6 rules are borrowed from `.htaccess`
 
-        location = /.well-known/carddav     { return 301 $real_scheme://$host/remote.php/dav/; }
-        location = /.well-known/caldav      { return 301 $real_scheme://$host/remote.php/dav/; }
+        location = /.well-known/carddav     { return 301 $real_scheme://$host:$real_port/remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 $real_scheme://$host:$real_port/remote.php/dav/; }
 
         # Let Nextcloud's API for `/.well-known` URIs handle all other
         # requests by passing them to the front-end controller.
-        return 301 $real_scheme://$host/index.php$request_uri;
+        return 301 $real_scheme://$host:$real_port/index.php$request_uri;
     }
 
     # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -163,7 +168,7 @@ server {
 
     # Rule borrowed from `.htaccess`
     location /remote {
-        return 301 $real_scheme://$host/remote.php$request_uri;
+        return 301 $real_scheme://$host:$real_port/remote.php$request_uri;
     }
 
     location / {

From 400eb264dc7cf240f4d09026a21eb61135ccac08 Mon Sep 17 00:00:00 2001
From: "mike.reiche" <mike@reiche.world>
Date: Thu, 18 Dec 2025 08:42:49 +0100
Subject: [PATCH 4/4] Bump Chart version

Signed-off-by: mike.reiche <mike@reiche.world>
---
 charts/nextcloud/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
index 15c16f6d..7a5f810b 100644
--- a/charts/nextcloud/Chart.yaml
+++ b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 8.7.0
+version: 8.7.1
 # renovate: image=docker.io/library/nextcloud
 appVersion: 32.0.3
 description: A file sharing server that puts the control and security of your own data back into your hands.