Issue Details

From the docs:

Special cases:

Domains ending in .ts.net will not be managed by Caddy. Instead, Caddy will automatically attempt to get these certificates at handshake-time from the locally-running Tailscale instance. This requires that HTTPS is enabled in your Tailscale account and the Caddy process must either be running as root, or you must configure tailscaled to give your Caddy user permission to fetch certificates.

This does not mention how to disable this behavior. Attempting to turn off auto_https does not appear to work.

There should probably also be a discussion around whether or not this special case default makes sense- it means that configurations that work perfectly well on one domain unexpectedly break on another, which is surprising and quite frustrating.

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response