reverseproxy: Set Host to {upstream_hostport} automatically if TLS #7454

Open
francislavoie wants to merge 1 commit into master from better-proxy-tls-host-default

@francislavoie
Member

For almost the entire life of Caddy v2, we've had a recommendation to set `header_up Host {upstream_hostport}` when configuring `reverse_proxy` for HTTPS.

I think it's time that we make this the default. It's sensible to make the Host header match the upstream address when we know the server is configured with TLS. If the user needs something different, it's fine, their own `header_up` rules will be applied afterwards and take priority, e.g. with `header_up Host {host}` to reset it to the default host. This is so rare to be correct though, in our experience.

This also fixes some major footguns when you forget to set `header_up Host {upstream_hostport}` which can cause tricky misbehaviour depending on the upstream's handling of the Host header.

Assistance Disclosure

I used Copilot to iterate on the changes, but finished and tested it by hand.

francislavoie added this to the v2.11.0 milestone Jan 30, 2026
francislavoie added the feature ⚙️ New feature or request label Jan 30, 2026

@mholt
Member

mholt commented Feb 3, 2026

It probably is a good idea as part of a "well-behaved proxy" for the SNI and Host header to be in agreement by default.

For context for other visitors: we do know of at least one situation where it's too easy to misconfigure in a way that causes a security issue, without this patch. It's not a security fix in and of itself, but the goal is to prevent misconfigurations that are too easy, and which do cause security issues.
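
The three Host policies discussed in this thread, modelled with Go's standard `net/http/httputil` reverse proxy as an added example; it is not Caddy's code and not part of this PR. The function `upstreamHost`, its parameters, and the host names `app.example.com` and `backend.internal:8443` are constructed for illustration, and the upstream is replaced by an in-memory recorder so nothing touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// capture stands in for the upstream: it records the Host header of the
// outbound request and answers without any network I/O.
type capture struct{ host string }

func (c *capture) RoundTrip(r *http.Request) (*http.Response, error) {
	c.host = r.Host
	return &http.Response{StatusCode: 204, Header: http.Header{}, Body: http.NoBody, Request: r}, nil
}

// upstreamHost proxies one request and returns the Host the upstream would see.
// tlsDefault models the default proposed in this PR (Host = upstream host:port
// when the upstream is HTTPS); override models a user's own header_up Host
// rule, applied afterwards so that it takes priority.
func upstreamHost(clientHost, upstream string, tlsDefault bool, override string) string {
	target, err := url.Parse(upstream)
	if err != nil {
		panic(err)
	}
	c := &capture{}
	rp := &httputil.ReverseProxy{Transport: c, Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(target)
		pr.Out.Host = pr.In.Host // pass-through: the client's Host is forwarded
		if tlsDefault && target.Scheme == "https" {
			pr.Out.Host = target.Host // like header_up Host {upstream_hostport}
		}
		if override != "" {
			pr.Out.Host = override // like header_up Host {host}
		}
	}}
	rp.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "http://"+clientHost+"/", nil))
	return c.host
}

func main() {
	const client, up = "app.example.com", "https://backend.internal:8443" // constructed names
	fmt.Println("pass-through:  ", upstreamHost(client, up, false, ""))
	fmt.Println("proposed:      ", upstreamHost(client, up, true, ""))
	fmt.Println("user override: ", upstreamHost(client, up, true, client))
}
```

In the pass-through case the upstream receives a Host that differs from the address the proxy connected to, which is the disagreement the proposed default removes.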
