diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index 32791e90..4588b8fd 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -268,7 +268,7 @@ func (st *ServerType) serversFromPairings(
 			}
 			if _, ok := sblock.pile["tls.off"]; ok {
 				// tls off: disable TLS (and automatic HTTPS) for server block's names
-				if srv.AutoHTTPS == nil {
+				if srv.AutoHTTPS == nil && len(autoHTTPSQualifiedHosts) > 0 {
 					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 				}
 				srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, autoHTTPSQualifiedHosts...)
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index 9cf52dcc..3eaf48f5 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -112,6 +112,10 @@ func (m MatchHost) Match(r *http.Request) bool {
 	if err != nil {
 		// OK; probably didn't have a port
 		reqHost = r.Host
+
+		// make sure we strip the brackets from IPv6 addresses
+		reqHost = strings.TrimPrefix(reqHost, "[")
+		reqHost = strings.TrimSuffix(reqHost, "]")
 	}
 
 outer: