I use Nextcloud behind Traefik. You need to configure your entrypoint to trust X-Forwarded-* headers from IP address ranges, e.g.:
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32" # localhost
        - "10.0.0.0/8" # swarm mode ip range
        - "192.168.0.0/16" # stand-alone after 172.16.0.0/12 is exhausted
        - "172.16.0.0/12" # stand-alone
The problem is that OP did not trust 172.16.0.0/12, the range the Traefik proxy and Nextcloud server's IPs will be assigned from; therefore the X-Forwarded-For header was not trusted.
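The trust decision described above, as an added example that is not part of the original post and is not Traefik's code: a simplified model in which X-Forwarded-For is kept only when the connecting peer is inside `trustedIPs`. The function names, the peer address 172.18.0.5 and the client addresses are constructed for illustration.

```python
import ipaddress

# trustedIPs exactly as listed in the entrypoint configuration above.
TRUSTED_FULL = ["127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
# The same list without 172.16.0.0/12, the situation the post describes.
TRUSTED_MISSING = ["127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16"]


def is_trusted(peer_ip, trusted_cidrs):
    """True if the directly connected peer falls inside any trusted range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in trusted_cidrs)


def outgoing_xff(peer_ip, incoming_xff, trusted_cidrs):
    """X-Forwarded-For value handed to the backend (simplified model).

    Trusted peer: the incoming header is kept and the peer is appended.
    Untrusted peer: the incoming header is discarded, so a client cannot
    inject an address of its choosing; only the peer address is passed on.
    """
    if incoming_xff and is_trusted(peer_ip, trusted_cidrs):
        return f"{incoming_xff}, {peer_ip}"
    return peer_ip


if __name__ == "__main__":
    # Constructed sample requests: (peer address, incoming X-Forwarded-For).
    samples = [
        ("172.18.0.5", "203.0.113.7"),   # peer on a 172.16.0.0/12 network
        ("198.51.100.9", "10.0.0.1"),    # external peer sending its own header
    ]
    for name, cidrs in (("full", TRUSTED_FULL), ("missing", TRUSTED_MISSING)):
        for peer, xff in samples:
            print(f"{name:8} peer={peer:13} in={xff:12} "
                  f"out={outgoing_xff(peer, xff, cidrs)}")
```

With the shortened list the original client address 203.0.113.7 never reaches the backend, which is the symptom the post attributes to the missing range; the external peer's header is dropped under both lists.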