Does anyone deploy authentik as a forwardauth?

Traefik Traefik v2
,
6

@ moutoum,I failed again.I configured an outpost and put app in it.But when I visit app,firefox will show :

The page isn’t redirecting properly
An error occurred during a connection to app.mydomain.duckdns.org.

I have changed my configs for easy reading.
config-traefik.yml

Summary 
http:
  routers:
    traefik:
      entryPoints:
        - web
      rule: "Host(`traefik.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: api@internal
    traefik-secure:
      entryPoints:
        - websecure
      rule: "Host(`traefik.mydomain.duckdns.org`)"
      tls: 
        certResolver: production
        domains:
          - main: "mydomain.duckdns.org"
            sans:
              - "*.mydomain.duckdns.org"
      service: api@internal
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

config-authentik.yml

Summary 
http:
  routers:
    authentik:
      entryPoints:
        - web
      rule: "Host(`authentik.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: authentik
    authentik-secure:
      entryPoints:
        - websecure
      rule: "Host(`authentik.mydomain.duckdns.org`)"
        #- authentik-auth
      tls: {}
      service: authentik
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9080"
  middlewares:
    authentik-auth:
      forwardAuth:
        address: http://192.168.0.130:9080/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

config-app.yml

Summary 
http:
  routers:
    app:
      entryPoints:
        - web
      rule: "Host(`app.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: app
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`)"
        - authentik-auth
      tls: {}
      service: app
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:180"

Here are configs about authentik:

Summary 
Provider:
type: Proxy (forward auth)
name: authentik
authentication URL: `https://authentik.mydomain.duckdns.org` 
cookie domain: `mydomain.duckdns.org`

type: Proxy (proxy)
name: app
external host: `https://app.mydomain.duckdns.org` 
internal: `http://192.168.0.130:180`

Application:
name: authentik
slug: authentik
provider: authentik

name: app
slug: app
provider: app

Outpost:
type: Proxy
application: authentik,app
configuration: `authentik_host: https://authentik.mydomain.duckdns.org`

I can visit https://authentik.mydomain.duckdns.org/outpost.goauthentik.io/callback and got redirected.But after remove # in config-authentik.yml,this will happen:

The page isn’t redirecting properly
An error occurred during a connection to authentik.mydomain.duckdns.org.

I can't visit https://app.mydomain.duckdns.org/outpost.goauthentik.io/callback with or without # .
Does it mean I need to add a new Host for authentik?Because when I visit app,the url will show this:
https://app.mydomain.duckdns.org/outpost.goauthentik.io/start?rd=https%3A%2F%2Fapp.mydomain.duckdns.org%2Foutpost.goauthentik.io%2Fauth%2Ftraefik
As far as I know,the path outpost.goauthentik.io belongs to authentik.
So this?

    authentik-app:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`) && PathPrefix(`/outpost.goauthentik.io`)"
      tls: {}
      service: authentik

But from my experience,there must be a middleware exist,but what type?RedirectRegex? StripPrefixRegex?