Fix Caddy v2.11 Host header rewrite breaking proxied services

Caddy v2.11 (#7454) auto-rewrites the Host header to match the
upstream address for HTTPS backends. This causes services behind
Tailscale Ingress to see *.tail8d86e.ts.net instead of *.ops.eblu.me,
breaking Authentik OAuth flows, Homepage host validation, and other
services that check the Host header.

Only apply header_up for HTTPS backends (Tailscale Ingress); HTTP
backends (forge, registry, jellyfin, sifaka) are unaffected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/changelog.d/+caddy-v2.11-host-header.bugfix.md

@@ -0,0 +1 @@
+Fix Caddy v2.11 breaking change: preserve original Host header for HTTPS upstreams.