HTTPS Content from internal Docker network

Hey,

Im running some containers behind Traefik. HTTPS is working fine, and the subdomains are working properly.
Im running Traefik in front of Organizrv2 behind that tautulli and ombi.

The Question is: How can I run maybe sonarr or radarr behind Traefik, that I can only access them via my Traefik + Organizr and still have https and also nobody without a log in via Organizr can access them?

I read something about an internal Docker Network, but I didnt find anything, that explains the fix in enough depth.

Configuration until now:

version: '2'

networks:
    web:
        external: true

services:
    traefik:
        image: traefik:v2.0.0
        container_name: traefik
        networks:
            - web
        command:
            - "--log.level=DEBUG"
            - "--api.insecure=true"
            - "--providers.docker=true"
            - "--providers.docker.network=web"
            - "--entrypoints.websecure.address=:443"
            - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
            - "--certificatesresolvers.mytlschallenge.acme.email=something@googlemail.com"
            - "--certificatesresolvers.mytlschallenge.acme.storage=/acme.json"
            - "--providers.docker.defaultRule='Host('{{ .Name }}.{{ index .Labels \"customLabel\"}}')'"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - /volume1/docker/Traefik/acme.json:/acme.json
        ports:
          - "81:80"
          - "444:443"
          - "8081:8080"
        environment:
            - "DUCKDNS_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxx"
# whoami ##########################################################
    whoami:
        image: containous/whoami
        container_name: whoami
        networks:
          - web
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.whoami.rule=Host(`whoami.domainName`)"
            - "traefik.whoami.port=81"
            - "traefik.http.routers.whoami.entrypoints=websecure"
            - "traefik.http.routers.whoami.tls.certresolver=mytlschallenge"
        depends_on:
            - traefik
# Organizr ##########################################################
    organizr:
        image: organizrtools/organizr-v2:latest
        container_name: organizrv2
        volumes:
            - /volume1/docker/Organizr:/config
        environment:
            - TZ=${TZ}
            - PUID=${USER_UID}
            - PGID=${USER_GID}
        networks:
            - web
        ports:
            - "9985:443"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.organizr.rule=Host(`domainName`)"
            - "traefik.organizr.port=9985"
            - "traefik.http.routers.organizr.entrypoints=websecure"
            - "traefik.http.routers.organizr.tls.certresolver=mytlschallenge"
        depends_on:
            - traefik
# Tautulli ##########################################################
    tautulli:
        image: tautulli/tautulli:latest
        container_name: tautulli
        networks:
            - web
        environment:
            - TZ=${TZ}
            - PUID=${USER_UID}
            - PGID=${USER_GID}
        ports:
            - "8182:8181"
        volumes:
            - /volume1/Plex/Library/Application Support/Plex Media Server/Logs:/plex_logs
            - /volume1/docker/Tautulli:/config
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.tautulli.rule=Host(`tautulli.domainName`)"
            - "traefik.tautulli.port=8182"
            - "traefik.http.routers.tautulli.entrypoints=websecure"
            - "traefik.http.routers.tautulli.tls.certresolver=mytlschallenge"
        depends_on:
            - traefik
            - organizr
# Ombi ##########################################################
    ombi:
        image: linuxserver/ombi:latest
        container_name: ombi
        networks:
            - web
        environment:
          - TZ=${TZ}
          - PUID=${USER_UID}
          - PGID=${USER_GID}
          - BASE_URL=/ombi #optional
        volumes:
          - /volume1/docker/Ombi:/config
        ports:
          - "8500:3579"
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.ombi.rule=Host(`ombi.domainName`)"
            - "traefik.ombi.port=8500"
            - "traefik.http.routers.ombi.entrypoints=websecure"
            - "traefik.http.routers.ombi.tls.certresolver=mytlschallenge"
        depends_on:
            - traefik
            - organizr

Can I achive this with just labels or do I need to create a toml/yaml file?