diff --git a/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
index be59cd9b1..c16f3afca 100644
--- a/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/infra/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -199,11 +199,17 @@ backend {{ env }}_web_pool
 {% if haproxy_forgejo_host %}
 # --- Forgejo (managed outside the deploy pipeline) --------------------
+# The existing forgejo container exposes HTTPS on :3000 with a
+# self-signed cert. We re-encrypt to it (ssl verify none) ; the
+# operator's WireGuard mesh is the trust boundary, the cert chain
+# is irrelevant. Healthcheck adapted to send a Host: header so
+# Forgejo's reverse-proxy validation accepts the request.
 backend forgejo_backend
- option httpchk GET /
- http-check expect status 200
+ option httpchk
+ http-check send meth GET uri / ver HTTP/1.1 hdr Host {{ haproxy_forgejo_host }}
+ http-check expect rstatus ^[23]
 default-server check inter 10s fall 3 rise 2
- server forgejo {{ haproxy_forgejo_backend }}
+ server forgejo {{ haproxy_forgejo_backend }} ssl verify none sni str({{ haproxy_forgejo_host }})
 {% endif %}
 {% if haproxy_talas_hosts %}
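Review bot: `ssl verify none` on the new `server forgejo` line makes the re-encryption unauthenticated, so the TLS hop only hides traffic and no longer tells HAProxy it reached the intended container; the comment justifies this by the WireGuard mesh, but a self-signed certificate can be used as its own trust anchor at almost no cost, e.g. `server forgejo {{ haproxy_forgejo_backend }} ssl verify required ca-file <path-to-forgejo-cert-placeholder> sni str({{ haproxy_forgejo_host }})`, which keeps the stated boundary and also catches a misrouted or rebuilt backend. The new `http-check expect rstatus ^[23]` is looser than the `status 200` it replaces: any 3xx from Forgejo, such as a redirect issued because the sent Host header no longer matches its configured root URL, keeps the server in the pool; if a specific redirect is expected here, a comment naming it would make the check's intent clear. `http-check send` is also only available from HAProxy 2.2 onward, which the role should state or pin if it does not already. The hunk header says 11/17 lines but fewer are visible, so some context lines (likely blank) appear to have been lost in the paste.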