feat: add support for public DNS target IP and private DNS allowance in Cloudflare setup

phase7_5_nginx_to_caddy.sh

@@ -513,12 +513,52 @@ if ! ssh_exec UNRAID "docker exec caddy caddy reload --config /etc/caddy/Caddyfi
 fi
 log_success "Caddy container is running with new config"
 
+probe_http_code_ok() {
+  local code="$1" role="$2"
+  if [[ "$role" == "gitea_api" ]]; then
+    [[ "$code" == "200" ]]
+    return
+  fi
+  [[ "$code" =~ ^(2|3)[0-9][0-9]$ || "$code" == "401" || "$code" == "403" ]]
+}
+
+probe_host_via_caddy() {
+  local host="$1" upstream="$2" role="$3"
+  local path="/"
+  if [[ "$role" == "gitea_api" ]]; then
+    path="/api/v1/version"
+  fi
+
+  local tmp_body http_code
+  tmp_body=$(mktemp)
+  http_code=$(curl -sk --resolve "${host}:443:${UNRAID_CADDY_IP}" \
+    -o "$tmp_body" -w "%{http_code}" "https://${host}${path}" 2>/dev/null || echo "000")
+
+  if probe_http_code_ok "$http_code" "$role"; then
+    log_success "Probe passed: ${host} (HTTP ${http_code})"
+    rm -f "$tmp_body"
+    return 0
+  fi
+
+  log_error "Probe failed: ${host} (HTTP ${http_code})"
+  if [[ "$http_code" == "502" || "$http_code" == "503" || "$http_code" == "504" || "$http_code" == "000" ]]; then
+    local upstream_probe_raw upstream_code
+    upstream_probe_raw=$(ssh_exec UNRAID "curl -sk -o /dev/null -w '%{http_code}' '${upstream}' || true" 2>/dev/null || true)
+    upstream_code=$(printf '%s' "$upstream_probe_raw" | tr -cd '0-9')
+    if [[ -z "$upstream_code" ]]; then
+      upstream_code="000"
+    elif [[ ${#upstream_code} -gt 3 ]]; then
+      upstream_code="${upstream_code:$((${#upstream_code} - 3))}"
+    fi
+    log_warn "Upstream check from Unraid: ${upstream} -> HTTP ${upstream_code}"
+  fi
+  rm -f "$tmp_body"
+  return 1
+}
+
 if [[ "$MODE" == "canary" ]]; then
   if confirm_action "Run canary HTTPS probe for tower.sintheus.com via Caddy IP now? [y/N] "; then
-    if curl -skf --resolve "tower.sintheus.com:443:${UNRAID_CADDY_IP}" \
-      "https://tower.sintheus.com/" >/dev/null; then
-      log_success "Canary probe passed: tower.sintheus.com via ${UNRAID_CADDY_IP}"
-    else
+    if ! probe_host_via_caddy "tower.sintheus.com" "https://192.168.1.82:443" "generic"; then
       log_error "Canary probe failed for tower.sintheus.com via ${UNRAID_CADDY_IP}"
       exit 1
     fi
@@ -527,11 +567,12 @@ else
   log_step 5 "Probing all configured hosts via Caddy IP..."
   PROBE_FAILS=0
   for entry in "${SELECTED_HOST_MAP[@]}"; do
-    IFS='|' read -r host _ <<< "$entry"
-    if curl -skf --resolve "${host}:443:${UNRAID_CADDY_IP}" "https://${host}/" >/dev/null; then
-      log_success "Probe passed: ${host}"
-    else
-      log_error "Probe failed: ${host}"
+    IFS='|' read -r host upstream _ <<< "$entry"
+    role="generic"
+    if [[ "$host" == "$GITEA_DOMAIN" ]]; then
+      role="gitea_api"
+    fi
+    if ! probe_host_via_caddy "$host" "$upstream" "$role"; then
       PROBE_FAILS=$((PROBE_FAILS + 1))
     fi
   done