You should set up your config like this instead – there’s no benefit in your case to set it up with a wildcard:
auth.localhost {
reverse_proxy authelia:9091
}
website.localhost {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.localhost
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
respond "Application: website. User: {header.Remote-User}. Groups: {header.Remote-Groups}. Body: {http.request.body}."
}
That said, it’s unclear what’s going wrong without evidence of the requests from your logs or example curl -v requests which show what happens.