Remove all of this. Caddy sets the appropriate headers automatically. See the docs:
You should use the header directive instead for this. The difference is that the header_down subdirective will only apply for requests that actually get proxied to your PHP app, whereas header will apply for all requests, including ones handled by file_server.
I don’t think you need to generate your certs outside of Caddy. You can use Caddy’s tls internal to have it use a local CA, then you can grab the root CA cert from ./caddy/data/caddy/pki/authorities/local/root.crt and install it in your browser/system’s trust store.
How are you making the request? Show us with curl -v what you’re trying and what you get.
If the domain you’re using doesn’t exist in public DNS, then you need to make your system resolve that domain to some IP address. So yes, possibly. But you could just use something like backend.localhost and frontend.localhost instead, since *.localhost should always resolve to ::1 or 127.0.0.1 on most machines (maybe Macs don’t, idk if they do that or not).