I'm here as I have a few questions about the functionality of NPM and I can't seem to find answers online for them, but I'm looking for a flow like this:
service.example.com is accessed externally, and NPM is listening on ports 80 and 443
service.example.com forwards to auth.example.com running Authentik, which securely authenticates the user on its own login page for the relevant service
Once the user is authenticated, NPM proxies the end application to the user, with the SSO cookies saved in the browser so that other services can be accessed without re-authentication (Authentik handles IP blacklisting and account lockouts through a SIEM system linked with the FW; NPM just focuses on authentication and security).
I'm looking for automated HPKP functionality using a wildcard certificate on the network edge to prevent enumeration of services running on the domain along with preventing a MiTM attack with a forged certificate. I also wanted to know if this service is hardened against common attack vectors.
I'm new to reverse proxying, sorry if I'm thinking about this wrong. TIA