Does Traefik not handle labels on its own containers?

Hi everyone, my Traefik docker-compose build looks like this:

I found that it doesn't self-sign my domain name and

the dashboard won't open. AI tells me that

Traefik doesn't process labels on its own containers by default.

What are the best practices?

Or is there something wrong with my configuration?

services:
  traefik:
    image: traefik:v3.6.12
    container_name: traefik
    restart: always
    environment:
      - TZ=Asia/Shanghai
    labels:
      traefik.enable: "true"
      traefik.docker.network: "web-services"
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.rule: "Host(`xx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      traefik.http.routers.dashboard.tls: "true"
      traefik.http.routers.dashboard.tls.certresolver: myresolver
      traefik.http.routers.dashboard.service: api@internal
    command:
      - --log.level=DEBUG
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web-services
      #- --providers.docker.allowEmptyServices=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.options=default
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,223.5.5.5:53
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.myresolver.acme.email=${CF_API_EMAIL}
      - --certificatesresolvers.myresolver.acme.storage=/data/ssl/acme.json
    ports:
      - "80:80"
      - "443:443"
      #- "18443:18443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    env_file:
      - .env
    networks:
      - web-services
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "3"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3

networks:
  web-services:
    name: web-services
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-web-services

Maybe check simple Traefik example.

Maybe your network re-naming disables functionality.

The AI advice is a bit misleading here. Traefik absolutely can process labels on its own container, but there are a few required pieces missing from your config.

Three things need to be added:

First, entrypoints are never defined. Your labels reference "websecure" but that entrypoint doesn't exist yet because it's not declared in the command section. Add these:

- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443

Second, the certificate resolver "myresolver" is referenced in your TLS labels but never configured. If you just want Traefik to use its self-signed fallback cert for testing, remove the tls.certresolver label entirely and keep only tls: "true". That will get you HTTPS with a self-signed cert without needing ACME config. For a real Let's Encrypt cert you would add an ACME section to the command, but start without it to get the dashboard working first.

Third, your compose file needs the actual port mappings and network defined. Without the ports section, nothing is exposed externally:

ports:
  - "80:80"
  - "443:443"

And the web-services network needs to exist in the compose or be declared as external.

One extra tip: add --api.insecure=true temporarily and check if the dashboard loads on port 8080. That bypasses TLS entirely and will tell you immediately whether your routing is correct before you troubleshoot the certificate side.