Can’t display the traefik dashboard by using PathPrefix

There is something which I don't understand and I would appreciate some directions/explanation.

Basically I'm trying to set a wildcard certificate for my domain and position a couple of administrative services under a subdomain using different paths for each one. For example:

I was able to obtain the certificates successfully, the global redirection from http to https works as well. In fact the "admin.MASKED.com/whoami" works perfectly.

But for some reason "admin.MASKED.com/traefik" is not. My label is:
"traefik.http.routers.proxy.rule=Host(admin.MASKED.com) && PathPrefix(/traefik)"

But it does work totally fine If I change the Host to be just a domain:
"traefik.http.routers.proxy.rule=Host(admin.MASKED.com)"

What am I missing / not understanding?


docker-compose.yml


version: '3.9'

secrets:
  cloudflare-token:
    file: "./secrets/cloudflare-token.secret"
  cloudflare-email:
    file: "./secrets/cloudflare-email.secret"

networks:
  public:
    # Use a custom driver
    driver: bridge

services:
  reverse-proxy:
    container_name: traefik
    image: traefik
    security_opt:
      - no-new-privileges:true
    secrets:
      - "cloudflare-token"
      - "cloudflare-email"
    environment:
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-token"
      - "CF_API_EMAIL_FILE=/run/secrets/cloudflare-email"
    ports:
      - "80:80" # The HTTP port
      - "443:443" # The HTTPS port
    networks:
      - public
    volumes:
      - "./letsencrypt:/letsencrypt" # A place to store the certificates
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
    command: 
      # Some Default settings
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false

      # Enable the 'api@internal' service
      - --api.dashboard=true

      # Define Entry points
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443

      # Set HTTP -> HTTPS redirection
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      # Set up LetsEncrypt DNS certificate resolver
      - --certificatesresolvers.letsencrypt-dns.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt-dns.acme.dnschallenge.provider=cloudflare
      - --certificatesResolvers.letsencrypt-dns.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.letsencrypt-dns.acme.dnschallenge.delayBeforeCheck=20
      - --certificatesresolvers.letsencrypt-dns.acme.email=MASKED
      - --certificatesresolvers.letsencrypt-dns.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt-dns.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt-dns
      - --entrypoints.websecure.http.tls.domains[0].main=MASKED.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.MASKED.com
    labels:
      # The labels are usefull for Traefik only
      - "traefik.enable=true"

      # Specify the routers 
      - "traefik.http.routers.proxy.rule=Host(`admin.MASKED.com`) && PathPrefix(`/traefik`)"
      - "traefik.http.routers.proxy.entrypoints=websecure"
      - "traefik.http.routers.proxy.service=api@internal"

      # # Specify the TLS Resolver
      # - "traefik.http.routers.proxy.tls.certresolver=letsencrypt-dns"     

      # Add authentification
      - "traefik.http.routers.proxy.middlewares=proxy-auth"
      - "traefik.http.middlewares.proxy-auth.basicauth.users=admin:MASKED"


  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    networks:
      - public
    labels:
      # The labels are usefull for Traefik only
      - "traefik.enable=true"
      - "traefik.docker.network=public"

      # Get the routes from http
      - "traefik.http.routers.whoami.rule=Host(`admin.MASKED.com`) && PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"

      # # Specify the TLS Resolver
      # - "traefik.http.routers.whoami.tls.certresolver=letsencrypt-dns"

You can’t. Traefik has a fixed prefix for /dashboard/ and also needs /api/.

That’s why a dedicated sub-domain is best practice.