Caddyfile

{
    auto_https disable_redirects

    storage file_system {
        root /data/caddy
    }

    servers {
        trusted_proxies placeholder
    }

    log {
        level ERROR
    }
}

(GEOFILTER) {
    @geofilter {
        not maxmind_geolocation {
            db_path "/data/GeoLite2-Country.mmdb"
            allow_countries
        }
        not remote_ip private_ranges
        # Exclude IP-address of scan.nexcloud.com so that scanning still works
        not remote_ip 95.217.53.149
    }
    respond @geofilter "Access denied" 403 {
		close
	}
}

https://{$NC_DOMAIN}:443 {
    # import GEOFILTER
    reverse_proxy nextcloud-aio-apache:{$APACHE_PORT}

    # TLS options
    tls {
        issuer acme {
            disable_http_challenge
        }
    }
}