fix(npm): proxy outpost directly to internal Authentik IP

- Replace https://auth.hetherman.cloud with http://192.168.50.224:30140
  to avoid NPM loopback and SSL SNI mismatch (alert 112)
- Add port_in_redirect off
- Fix sign-in redirect to include full scheme+host in rd= param

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/npm-advanced.conf

@@ -6,6 +6,7 @@
 # Requires an Authentik Proxy Provider of type "Forward auth (single
 # application)" with external host https://stream.hetherman.cloud and an
 # Application bound to the `stream-viewers` group.
+port_in_redirect off;
 
 # Forward every incoming request to the Authentik outpost for validation.
 auth_request                 /outpost.goauthentik.io/auth/nginx;
@@ -24,7 +25,9 @@ auth_request_set $authentik_email    $upstream_http_x_authentik_email;
 location /outpost.goauthentik.io {
     # All traffic to /outpost.goauthentik.io is proxied to the Authentik host.
     # Point this at your Authentik outpost URL.
-    proxy_pass              https://auth.hetherman.cloud/outpost.goauthentik.io;
+    # Use the internal Authentik address directly (HTTP, no TLS) to avoid
+    # routing back through NPM and the SSL SNI issues that come with it.
+    proxy_pass              http://192.168.50.224:30140/outpost.goauthentik.io;
     proxy_set_header        Host                  $host;
     proxy_set_header        X-Original-URL        $scheme://$http_host$request_uri;
     proxy_set_header        X-Forwarded-For       $proxy_add_x_forwarded_for;
@@ -43,5 +46,5 @@ location /outpost.goauthentik.io {
 location @goauthentik_proxy_signin {
     internal;
     add_header Set-Cookie $auth_cookie;
-    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
 }