diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index 5faacc6f..542507aa 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -368,11 +368,13 @@ function buildProxyRoutes(
 ]
 };
+ // For the outpost route (callbacks), always preserve the original Host header
+ // so Authentik knows which domain to redirect back to after authentication
 if (authentik.setOutpostHostHeader) {
 outpostHandler.headers = {
 request: {
 set: {
- Host: ["{http.reverse_proxy.upstream.host}"]
+ Host: ["{http.request.host}"]
 }
 }
 };
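Review bot: The new `Host: ["{http.request.host}"]` forwards the client-supplied Host to the outpost, and the added comment says Authentik uses it to choose the redirect-back domain, so the value is now security-relevant input. The hunk does not show whether the outpost route carries a host matcher; if it does not, an unexpected Host could influence the post-login redirect, so I would confirm the route is restricted to the configured domains or set the header from the configured domain instead of the request. The comment says "always", but the assignment still sits inside `if (authentik.setOutpostHostHeader)`; something like `// When setOutpostHostHeader is set, forward the original request Host to the outpost` would match the code. `{http.request.host}` also drops any port, and Caddy's reverse_proxy passes the incoming Host through by default, so it is worth checking whether this branch still changes behaviour. buildProxyRoutes starts and ends outside the hunk.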