You don’t need this line, it’s redundant. Caddy passes through the Host header automatically by default.
handle_path isn’t fool-proof. The problem is that if the upstream app uses paths relative to the root in the HTML (for JS/CSS) then there’s not much that can be done to fix it reliably.
This article explains in depth:
I strongly recommend using a subdomain for that service, like pki-ecc.gateway.unb0rnet.tk for example.