diff --git a/CHANGES b/CHANGES
index c1e9e52ca..c6faa483e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1909,3 +1909,6 @@
 * Add ECDHE-RSA-AES128-SHA256 to cipher list
 * Fix GPG signature verification
 
+[5.1.5]
+* Check for .well-known routes upstream as fallback. This broke nextcloud's caldav/carddav
+
diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index d7a55f12d..94c1e73fd 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -136,10 +136,20 @@ server {
         internal;
     }
 
+    location @wellknown-upstream {
+<% if ( endpoint === 'admin' ) { %>
+        proxy_pass http://127.0.0.1:3000;
+<% } else if ( endpoint === 'app' ) { %>
+        proxy_pass http://127.0.0.1:<%= port %>;
+<% } else if ( endpoint === 'redirect' ) { %>
+        return 302 https://<%= redirectTo %>$request_uri;
+<% } %>
+    }
+
     # user defined .well-known resources
-    # alias means only the part after matched location is appended (unlike root)
-    location /.well-known/ {
-        alias /home/yellowtent/boxdata/well-known/$host/;
+    location ~ ^/.well-known/(.*)$ {
+        root /home/yellowtent/boxdata/well-known/$host;
+        try_files /$1 @wellknown-upstream;
     }
 
     location / {