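# Reverse-proxy vhost for cloud.domain.tld: terminates TLS, redirects plain
# HTTP to HTTPS, and forwards everything else to the backend over HTTPS.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.domain.tld;

    ssl_certificate     /etc/ssl/mail/cert.pem;
    ssl_certificate_key /etc/ssl/mail/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;

    # NOTE(review): stapling verification needs the issuer chain
    # (ssl_trusted_certificate, unless cert.pem already carries it) and a
    # `resolver` for the OCSP responder lookup. Neither is visible in this
    # block; confirm they are set at http level.
    ssl_stapling        on;
    ssl_stapling_verify on;

    # HTTP -> HTTPS
    # $host is taken from the request's Host header when one is sent. If this
    # block is also the default server for these sockets, that value is not
    # limited to cloud.domain.tld and ends up in the Location header; a
    # separate catch-all default server keeps unknown names away from here.
    # No Strict-Transport-Security header is set in this block, so the first
    # plain-HTTP request is protected only by this redirect.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    location / {
        # The target name equals server_name above: this relies on the proxy
        # host resolving it to the backend and not to itself - TODO confirm.
        # nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is on (with proxy_ssl_trusted_certificate), and
        # sends no SNI unless proxy_ssl_server_name is on; as written this hop
        # is encrypted but the backend is not authenticated.
        proxy_pass https://cloud.domain.tld;

        # Pass hostname and forwarding headers through to the backend.
        # Host is an IP literal, so the backend has to accept that value as a
        # valid host name (original comment: "explicitly the upstream name").
        proxy_set_header Host              192.168.178.253;
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; the backend should trust only the entry added by this
        # proxy, not the whole list.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # TLS terminates here
        proxy_set_header X-Forwarded-Host  $host;   # i.e. cloud.domain.tld
        proxy_set_header X-Forwarded-Port  443;
        # NOTE(review): RFC 7239 requires IPv6 addresses in for= to be
        # bracketed and quoted. This server listens on [::], so IPv6 clients
        # yield a malformed value; fixing it needs a `map` in http context.
        proxy_set_header Forwarded         "for=$remote_addr;proto=https;host=$host";

        # Referrer-Policy is a response header read by the browser. The
        # original sent it to the backend as a request header
        # (proxy_set_header), where it has no effect. Emit it on responses
        # instead, dropping any upstream copy so only one value is returned.
        proxy_hide_header Referrer-Policy;
        add_header        Referrer-Policy "no-referrer" always;

        # Generous limits for large uploads. nginx applies them to every
        # request reaching this location, before the backend authenticates
        # the client.
        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        send_timeout          600;
        client_max_body_size  10G;
    }

    # CalDAV/CardDAV service-discovery redirects
    location /.well-known/carddav {
        return 301 https://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 https://$host/remote.php/dav;
    }
}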