diff --git a/ansible/roles/caddy/templates/Caddyfile.j2 b/ansible/roles/caddy/templates/Caddyfile.j2
index 2bc4c87..dc3c7ff 100644
--- a/ansible/roles/caddy/templates/Caddyfile.j2
+++ b/ansible/roles/caddy/templates/Caddyfile.j2
@@ -31,7 +31,15 @@
 {% for service in caddy_services %}
 @{{ service.name }} host {{ service.host }}
 handle @{{ service.name }} {
+{% if service.backend.startswith('https://') %}
+ reverse_proxy {{ service.backend }} {
+ # Caddy v2.11+ rewrites Host to upstream for HTTPS backends.
+ # Preserve the original Host so services see *.ops.eblu.me.
+ header_up Host {http.request.host}
+ }
+{% else %}
 reverse_proxy {{ service.backend }}
+{% endif %}
 }
 {% endfor %}
diff --git a/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md b/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md
new file mode 100644
index 0000000..a300bd3
--- /dev/null
+++ b/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md
@@ -0,0 +1 @@
+Fix Caddy v2.11 breaking change: preserve original Host header for HTTPS upstreams.
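Review bot: In the Caddyfile.j2 hunk, the `{% if service.backend.startswith('https://') %}` test only catches backends written with a lowercase `https://` prefix; Caddy also enables TLS to an upstream given as `host:443` without a scheme, so such an entry in `caddy_services` would presumably still get the v2.11 Host rewrite and miss this override. The service definitions are not visible in the diff, so confirm every TLS backend uses the `https://` form, or emit the `header_up` line unconditionally. Separately, `{http.request.host}` drops the port, so if the proxy is ever reached on a non-default port, `header_up Host {http.request.hostport}` is the closer match to the old pass-through behaviour. The forwarded value is already limited by the `host {{ service.host }}` matcher on the enclosing `handle`, so the upstream only receives names that matcher accepts.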