Fix upstream keepalive: set proxy_ssl_name for correct SNI

With upstream blocks, nginx sends the block name as SNI instead of
the actual hostname. The Tailscale Ingress proxy needs the correct
SNI to route TLS connections. Add explicit proxy_ssl_name for each
upstream, and set Host header for docs/cv backends.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

fly/nginx.conf

@@ -93,6 +93,8 @@ http {
             proxy_pass https://docs_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name docs.tail8d86e.ts.net;
+            proxy_set_header Host docs.tail8d86e.ts.net;
             proxy_intercept_errors on;
 
             proxy_http_version 1.1;
@@ -135,6 +137,8 @@ http {
             proxy_pass https://cv_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name cv.tail8d86e.ts.net;
+            proxy_set_header Host cv.tail8d86e.ts.net;
             proxy_intercept_errors on;
 
             proxy_http_version 1.1;
@@ -208,6 +212,7 @@ http {
             proxy_pass https://forge_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name forge.tail8d86e.ts.net;
             proxy_intercept_errors on;
 
             proxy_set_header Host $host;
@@ -226,6 +231,7 @@ http {
             proxy_pass https://forge_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name forge.tail8d86e.ts.net;
 
             proxy_http_version 1.1;
             proxy_set_header Connection $connection_upgrade;
@@ -248,6 +254,7 @@ http {
             proxy_pass https://forge_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name forge.tail8d86e.ts.net;
 
             proxy_http_version 1.1;
             proxy_set_header Connection $connection_upgrade;
@@ -264,6 +271,7 @@ http {
             proxy_pass https://forge_backend$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;
+            proxy_ssl_name forge.tail8d86e.ts.net;
             proxy_intercept_errors on;
 
             # NO proxy_cache — dynamic content with sessions