Cannot Get Cal/CardDAV Working with Nextcloud AIO even With Regex Rewrites

Hi, I am running Nextcloud AIO on a local Unraid server of mine. Everything except the Cal/CardDAV function seems to work great.

A little precursor on my setup. The Nextcloud AIO instance is running with docker, but my reverse proxy I am using to access it is Traefik in a local K3S Kubernetes cluster. (I like having Traefik run in HA.)

For the life of me, I cannot get the Cal/CardDAV to work at all. I have tried just about everything. Also, am running into hiccups as some of the documentation around properly configuring service discover behind a reverse proxy isn’t 1:1 with Nextcloud AIO. As AIO has a separate file structure.

Okay, here is my configuration. I have an IngressRoute to my Nextcloud’s Apache container here:

kind: IngressRoute
name: nextcloud
namespace: default
annotations: traefik-external
- websecure
- match: Host(
kind: Rule
- name: default-headers
- name: nextcloud-redirectregex
- name: nas-external (this points to the IP address of the Unraid server my Nextcloud is on)
port: 11000
secretName: secret-xyz-tls

This allows me to connect to the webpage and pretty much use Nextcloud perfectly. Now, because I want to use and expose Cal/CardDAV, the documentation stated we need redirect labels for service discovery with Traefik. Instead of using docker labels, I created a kubernetes middleware to do the same thing here:

kind: Middleware
name: nextcloud-redirectregex
namespace: default
permanent: true
regex: https://(.*)/.well-known/(?:card|cal)dav
replacement: https://${1}/remote.php/dav

Now my other middleware of “default-headers” doesn’t seem to make a difference. Even with disabling the default-headers being disabled on the ingressroute, it doesn’t make a difference. Thus, it doesn’t interfere with the function of Nextcloud.

Now, I tried editing specific Apache configuration files (outside of config.php, which I already configured the usual trusted proxies and https domain stuff) I simply was denied access. My guess is that AIO is immutable for security reasons, thus I am not able to actually edit the configuration files in the container.

I am totally lost here in how to proceed. In my mind everything should be setup correctly, and the Regex rewrite should work, as the Apache container is setup on the port of 11000 (and thus, Cal/CardDAV is also tied to it) and my ingressroute allows the webpage to be reverse proxied and exposed. When I try to connect via iOS I either get an error saying it cannot establish an SSL connection or verification failed. Similar errors pop up when looking to sync with KConnect on Linux as well.

Could anyone be of help? I am truly stumped.