On your main server, use this (as you already have):
cloud.mydomain.com {
reverse_proxy http://192.168.11.97
}
On your backend/upstream, use this:
http://cloud.mydomain.com {
root * /usr/share/caddy
encode zstd gzip
templates
file_server browse
}
Your backend will not fetch a certificate from Let’s Encrypt, because it doesn’t need one, since your first one will be doing it. Specifying http:// will tell Caddy not to manage a TLS certificate for that domain, and will make sure it’s serving the site over port 80 instead of 443 (your first one will try to proxy on port 80 because you specified http:// on the upstream address).