Please run caddy fmt -w on your config to clean up the indentation. It’s really difficult to follow as-is.
Keep in mind that this matches only / exactly, so it would only apply auth to requests to the root of your site and no other paths, which kinda defeats the purpose.
Are you sure your app is serving HTTPS? It’s simpler and more performant to proxy over HTTP instead.
There’s no benefit to proxying over HTTPS when the upstream app is in the same network, because the part of the connection that needs to be encrypted is the part going over public networks, not the part within your private network. You’re also throwing away all the actual security that HTTPS would provide by setting tls_insecure_skip_verify.
Regarding subpath routing, see this article:
You’d be better off using a subdomain per app, unless each app has some kind of “base path” configuration that it uses to build paths in its HTML responses.
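The two points above about the matcher and the upstream transport, side by side as an added example that is not part of the original post or the poster's config. It assumes the auth directive is basic_auth (named basicauth before Caddy 2.8); the hostnames, upstream addresses and credential are constructed placeholders.

```caddyfile
# Constructed example: hostnames, upstream addresses and the
# credential below are placeholders, not values from the thread.

# Before: the pattern the reply warns about.
before.example.com {
	# "/" is an exact path match, so only the site root asks for
	# credentials; /admin, /api/... and everything else pass through.
	basic_auth / {
		admin <bcrypt-hash-from-caddy-hash-password>
	}

	reverse_proxy https://10.0.0.5:8443 {
		transport http {
			# Turns off certificate verification, so the TLS hop to
			# the upstream no longer authenticates the peer.
			tls_insecure_skip_verify
		}
	}
}

# After: auth on every path, plain HTTP inside the private network.
after.example.com {
	# No matcher means all requests; "/*" would be equivalent.
	basic_auth {
		admin <bcrypt-hash-from-caddy-hash-password>
	}

	# Caddy still terminates HTTPS for clients on the public side.
	reverse_proxy 10.0.0.5:8080
}
```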