Traefik won't redirect after authelia

Traefik can redirect services to authelia,but will not redirect to the right pages after successful 1FA authentication.The only working thing is only authelia page can be redirected to default_redirection_url.
I can go to services by ip:port,so services are working fine.I don't know where goes wrong.
traefik docker compose

Summary
version: "3"
 services:
   traefik:
     image: traefik:latest
     container_name: traefik
     restart: unless-stopped
     networks: 
       - "traefik_proxy"
     ports:
       - 80:80
       - 443:443
     environment:
     - 'DUCKDNS_TOKEN=token'
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /etc/localtime:/etc/localtime:ro
       - /home/me/docker/traefik:/etc/traefik
       - /home/me/docker/traefik/config.yml:/config.yml
       - /home/me/docker/traefik/logs:/etc/traefik/logs
 networks:
   traefik_proxy:
     external: true

traefik.yml

Summary
global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log
accessLog:
  filePath: /etc/traefik/logs/traefik-access.log
api:
  dashboard: true
  debug: true
serversTransport:
  insecureSkipVerify: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
certificatesResolvers:
   staging:
     acme:
       email: myemail
       storage: /etc/traefik/certs/acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       dnsChallenge:
         provider: duckdns
   production:
     acme:
       email: myemail
       storage: /etc/traefik/certs/acme.json
       caServer: "https://acme-v02.api.letsencrypt.org/directory"
       dnsChallenge:
        provider: duckdns
providers:
  docker:
    exposedByDefault: false
    network: traefik_proxy
    watch: true
  file:
    filename: /config.yml
    directory: /etc/traefik
    watch: true

config.yml

Summary
http:
  routers:
    traefik:
      entryPoints:
        - "web"
      rule: "Host(`subdomain1.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: api@internal
    traefik-secure:
      entryPoints:
        - "websecure"
      rule: "Host(`subdomain1.duckdns.org`)"
      tls: 
        certResolver: production
      service: api@internal
    authelia:
      entryPoints:
        - web
      rule: "Host(`subdomain2.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: authelia
    authelia-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain2.duckdns.org`)"
      tls: 
        certResolver: production
      service: authelia
    app:
      entryPoints:
        - web
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: app
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        - authelia-auth
        - default-headers
      tls: 
        certResolver: production
      service: app
  services:
    authelia:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9091"
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:180"
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    authelia-auth:
      forwardAuth:
        address: https://authelia:9091/api/verify?rd=https%3A%2F%2Fsubdomain2.duckdns.org%2F
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"

authelia docker compose

Summary
version: '3'

services:

  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /home/me/docker/authelia/config:/config
    networks: 
       - "traefik_proxy"
    ports:
      - "9091:9091"
    restart: unless-stopped

configuration.yml

Summary
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

theme: dark
jwt_secret: ""
default_redirection_url: https://subdomain1.duckdns.org/

server:
  host: 0.0.0.0
  port: 9091
  path: ""
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: true

log:
  level: trace
  format: json
  file_path: /config/authelia.log
  keep_stdout: true

totp:
  issuer: subdomain2.duckdns.org
  period: 30
  skew: 1

authentication_backend:
  disable_reset_password: true
  refresh_interval: 5m
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64

access_control:
  default_policy: deny
  networks:
  - name: internal
    networks:
    - 192.168.0.0/18
  rules:
    ## bypass rule
    - domain: 
        - "subdomain1.duckdns.org" 
        - "subdomain2.duckdns.org"
      policy: bypass
    ## catch-all
    - domain:
        - "subdomain3.duckdns.org"
      policy: one_factor

session:
  name: authelia_session
  domain: duckdns.org
  same_site: lax
  secret: ""
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 2M

regulation:
  max_retries: 5
  find_time: 10m
  ban_time: 15m

storage:
  encryption_key: ""
    path: /config/db.sqlite3
  
notifier:
  filesystem:
    filename: /config/notification.txt

traefik-access.log.txt
authelia.log.txt