Inconsistent TLS issues when connecting to domain from the server its hosted on

1. The problem I’m having:

when connecting to a domain from the machine the domain is hosted on, or the machine the caddy reverse proxy is hosted on, i inconsistently get issues with tls. this mainly crops up with my authentik instance, which often struggles to properly authorize accounts due to this

2. Error messages and/or full log output:

here i use curl as an example. in my experience i get this error maybe 75% of the time, with the other 25% actually working

 > wget https://auth.bunnieslove.me/application/o/vaultwarden/
--2026-07-08 12:34:31--  https://auth.bunnieslove.me/application/o/vaultwarden/
Resolving auth.bunnieslove.me (auth.bunnieslove.me)... 65.245.181.41
Connecting to auth.bunnieslove.me (auth.bunnieslove.me)|65.245.181.41|:443... connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

3. Caddy version:

v2.11.4

4. How I installed and ran Caddy:

i installed caddy as a podman quadlet file, running through systemd

a. System environment:

OS: AlmaLinux 10.2 (Lavender Lion) x86_64

Podman version: 5.8.2

i connect to my backend servers over tailscale, if thats important?

b. Command:

n/a?

c. Service/unit/compose file:

[Container]
AddCapability=NET_ADMIN
EnvironmentFile=./caddy/.env
Image=caddy:latest
Volume=./caddy:/etc/caddy
Volume=./caddy/data:/data
Volume=./caddy/config:/config
PublishPort=80:80
PublishPort=443:443
Network=host
[Service]
Restart=always

[Install]
WantedBy=multi-user.target default.target

d. My complete Caddy config:

# jellyfin
https://jellyfin.emiii.ca {
   reverse_proxy 100.69.33.4:8096
}
# copyparty
https://copyparty.emiii.ca {
   reverse_proxy 100.69.33.4:3923
}
# immich
https://immich.emiii.ca {
   reverse_proxy 100.69.33.4:2283
}

# cobalt api
https://api.cobalt.emiii.ca {
   reverse_proxy 100.69.33.4:9003
}
# cobalt web
cobalt.emiii.ca {
   route {
      reverse_proxy /outpost.goauthentik.io/* http://100.69.33.4:9000
      #   header_up Host {http.reverse_proxy.upstream.host}
      #}
      
      forward_auth https://auth.bunnieslove.me {
         uri /outpost.goauthentik.io/auth/caddy
         copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
         trusted_proxies private_ranges
     }     

      reverse_proxy 100.69.33.4:8787
   }
}

# proxytest
https://statustest.emiii.ca {
   respond 200
}

# fluxer
https://bunnieslove.me {
   header * {
      -Content-Security-Policy
      Content-Security-Policy "connect-src 'self' data: https://*.fluxer.app wss://*.fluxer.app https://*.fluxer.media wss://*.fluxer.media https://fluxer-uploads.ewr1.vultrobjects.com https://hcaptcha.com https://*.hcaptcha.com https://fluxerstatus.com https://fluxer.media http://127.0.0.1:21863 http://127.0.0.1:21864 https://bunnieslove.me https://bunnieslove.me/media wss://livekit.gaycatgirl.sex wss://turn.gaycatgirl.sex wss://voice.bunnieslove.me wss://turn.bunnieslove.me" 
   }

   log

   handle /livekit/* {
      reverse_proxy localhost:7880
   }

   reverse_proxy 100.69.33.4:3993
}


https://voice.bunnieslove.me {
   reverse_proxy localhost:7880
}

# authentik
https://auth.bunnieslove.me {
   reverse_proxy 100.69.33.4:9000
}

# kutt
https://s.emiii.ca {
   reverse_proxy localhost:3000
}

# vaultwarden
https://vw.bunnieslove.me {
   reverse_proxy 127.0.0.1:8899 {
      header_up X-Real-IP {remote_host}
   }
}

5. Links to relevant resources:

Type here