diff --git a/.gitignore b/.gitignore
index 1c221d0..fd3c218 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /grafanauth
 /result
+.direnv
diff --git a/grafanauth.go b/grafanauth.go
index eeb356e..2a686a2 100644
--- a/grafanauth.go
+++ b/grafanauth.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"fmt"
@@ -14,13 +15,13 @@ import (
 )
 
 var (
-	target          = flag.String("target", "http://127.0.0.1:3000", "target HTTP server for Grafana")
-	httpsDomainName = flag.String("https-domain-name", "", "your Tailscale HTTPS domain name (tails-scales.ts.net)")
-	hostname        = flag.String("hostname", "grafana", "the hostname to use on the tailnet")
+	target   = flag.String("target", "http://127.0.0.1:3000", "target HTTP server for Grafana")
+	hostname = flag.String("hostname", "grafana", "the hostname to use on the tailnet")
 )
 
 func main() {
 	flag.Parse()
+	ctx := context.Background()
 
 	u, err := url.Parse(*target)
 	if err != nil {
@@ -36,6 +37,11 @@ func main() {
 		Logf: log.Printf,
 	}
 
+	selfFQDN, ok := tailscale.ExpandSNIName(ctx, *hostname)
+	if !ok {
+		log.Fatal("could not get sni name")
+	}
+
 	l, err := srv.Listen("tcp", ":443")
 	if err != nil {
 		log.Fatal(err)
@@ -43,8 +49,8 @@ func main() {
 
 	l = tls.NewListener(l, &tls.Config{
 		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			if wantName := fmt.Sprintf("%s.%s", *hostname, *httpsDomainName); chi.ServerName != wantName {
-				return nil, fmt.Errorf("wanted hostname %s, got: %s", wantName, chi.ServerName)
+			if chi.ServerName != selfFQDN {
+				return nil, fmt.Errorf("wanted hostname %s, got: %s", selfFQDN, chi.ServerName)
 			}
 
 			c, err := tailscale.GetCertificate(chi)
@@ -56,7 +62,7 @@ func main() {
 		},
 	})
 
-	log.Printf("listening on https://%s.%s", *hostname, *httpsDomainName)
+	log.Printf("listening on https://%s", selfFQDN)
 	log.Fatal(http.Serve(l, hdlr))
 }
 
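Review bot: The `ctx` passed to `tailscale.ExpandSNIName` in the `@@ -36,6 +37,11 @@` hunk is a bare `context.Background()`, so if that lookup has to reach the local tailscaled and the daemon is unreachable, startup can block silently instead of failing with a diagnostic. A bounded context where `ctx` is created in the `@@ -14,13 +15,13 @@` hunk makes the failure visible: `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` followed by `defer cancel()` (this needs a `time` import, which the visible import hunk does not add). This is also the package-level client rather than the `srv` the program listens on; if `srv` is a tsnet node, confirm the expanded name belongs to that node and not to a host-level tailscaled. The fatal message would be more useful with the input it failed on, e.g. `log.Fatalf("could not expand SNI name for hostname %q", *hostname)`. `main` starts and ends outside these hunks.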
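Review bot: `chi.ServerName != selfFQDN` in the `@@ -43,8 +49,8 @@` hunk is a byte-wise comparison while DNS names are case-insensitive, so a client that sends the SNI in different case is refused a certificate even though it is asking for this node; `strings.EqualFold(chi.ServerName, selfFQDN)` would match the name semantics (it needs a `strings` import, which the visible import hunk does not add). The rejection message also interpolates the client-supplied `chi.ServerName` with `%s`; since this error is likely surfaced in the server's handshake log, `%q` would make an empty or control-character SNI unambiguous: `return nil, fmt.Errorf("wanted hostname %q, got: %q", selfFQDN, chi.ServerName)`. Both the enclosing `main` and the `GetCertificate` closure continue outside the hunk.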
@@ -72,8 +78,8 @@ func (t tsAuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	r.Header.Set("X-Webauth-User", userInfo.UserProfile.LoginName)
-	r.Header.Set("X-Webauth-Name", userInfo.UserProfile.DisplayName)
+	r.Header.Set("X-WebAuth-User", userInfo.UserProfile.LoginName)
+	r.Header.Set("X-WebAuth-Name", userInfo.UserProfile.DisplayName)
 
 	t.next.ServeHTTP(w, r)
 }
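Review bot: Renaming the headers to `X-WebAuth-User`/`X-WebAuth-Name` has no effect on the wire, because `http.Header.Set` canonicalizes the key through `textproto.CanonicalMIMEHeaderKey`, which turns both the old and the new spelling into `X-Webauth-User`/`X-Webauth-Name`; the upstream sees exactly what it saw before. If the intent is only to match the spelling in Grafana's docs, a comment would keep the next reader from repeating the rename: `// Header.Set canonicalizes these to X-Webauth-*; Grafana matches header names case-insensitively.` `Set` (rather than `Add`) is still the right call here since it replaces any client-supplied value of the identity headers instead of appending to it. `ServeHTTP` starts before this hunk, so the `userInfo` lookup and the condition on the early return are not visible.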