From 1f0308bbd2e5127900743be94b9725236ba89bbd Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sun, 15 Mar 2026 18:28:18 -0700
Subject: [PATCH] Fix Caddy v2.11 Host header rewrite breaking proxied services

Caddy v2.11 (#7454) auto-rewrites the Host header to match the upstream address for HTTPS backends. This causes services behind Tailscale Ingress to see *.tail8d86e.ts.net instead of *.ops.eblu.me, breaking Authentik OAuth flows, Homepage host validation, and other services that check the Host header.

Only apply header_up for HTTPS backends (Tailscale Ingress); HTTP backends (forge, registry, jellyfin, sifaka) are unaffected.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ansible/roles/caddy/templates/Caddyfile.j2 | 8 ++++++++
 docs/changelog.d/+caddy-v2.11-host-header.bugfix.md | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 docs/changelog.d/+caddy-v2.11-host-header.bugfix.md

diff --git a/ansible/roles/caddy/templates/Caddyfile.j2 b/ansible/roles/caddy/templates/Caddyfile.j2
index 2bc4c87..dc3c7ff 100644
--- a/ansible/roles/caddy/templates/Caddyfile.j2
+++ b/ansible/roles/caddy/templates/Caddyfile.j2
@@ -31,7 +31,15 @@
 {% for service in caddy_services %}
 @{{ service.name }} host {{ service.host }}
 handle @{{ service.name }} {
+{% if service.backend.startswith('https://') %}
+ reverse_proxy {{ service.backend }} {
+ # Caddy v2.11+ rewrites Host to upstream for HTTPS backends.
+ # Preserve the original Host so services see *.ops.eblu.me.
+ header_up Host {http.request.host}
+ }
+{% else %}
 reverse_proxy {{ service.backend }}
+{% endif %}
 }
 {% endfor %}
diff --git a/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md b/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md
new file mode 100644
index 0000000..a300bd3
--- /dev/null
+++ b/docs/changelog.d/+caddy-v2.11-host-header.bugfix.md
@@ -0,0 +1 @@
+Fix Caddy v2.11 breaking change: preserve original Host header for HTTPS upstreams.
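Review bot: The added `header_up Host {http.request.host}` forwards whatever Host the client sent, so it is only safe because the enclosing `handle @{{ service.name }}` block is gated by the `host {{ service.host }}` matcher two lines above; that dependency belongs in the template comment, e.g. `# Forwarding Host as-is is safe only because the host matcher above pins it to service.host.`, so the matcher is not loosened later without noticing. The `startswith('https://')` test is case-sensitive and recognises only a literal scheme prefix, so a backend written as `HTTPS://` would silently take the unpatched branch; `(service.backend | lower).startswith('https://')` makes the intent explicit. Presumably the upstream TLS handshake still uses the dial address rather than the forwarded Host, so the upstream must accept a Host that differs from its certificate name — the commit message says Tailscale Ingress does, but that assumption is worth one more line in the comment. As a style point, both branches repeat the `reverse_proxy {{ service.backend }}` directive; a single `reverse_proxy {{ service.backend }} {` block with the `{% if %}`/`{% endif %}` wrapping only the `header_up` line would avoid the fork and keep future per-service options in one place.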