Middleware for redirecting service basepath to PathPrefix

Backgroud:
We have a docker server running Traefik V2. We get a let's encrypt cert for domain.com and SANS *.domain.com
We deploy a docker stack (Grafana, Nodered, MQTT and Influxdb) per customer. We are doing this as customer.domain.com
Due to wanting to avoid LE cert limits, I don't want to use service.customer.domain.com as I'd need a cert per customer. I want to use the 1 existing cert for the whole server.
To do this I want to use customer.domain.com/service with Host(${CUSTOMER}.domain.com) && PathPrefix(/whoami) for example.

Problem:
When I go to customer.domain.com/grafana grafana redirects to customer.domain.com/login, which doesn't match the PathPrefix rule and so I get a Bad Gateway error. Ideally I'd set a customer basepath in the config of each service however not all my services allow this.

Solution:
I'm wanting to configure, probably a middleware, to handle redirecting the service basepath to customer.domain.com/service . Then I don't have to worry about configuring each service and I can manage it with Traefik.
Ideally, if I could set this up in my dynamic config.yml file and then just apply it to all service that need it with docker labels that would be great.

If I'm going about this the completely wrong way I'm open to suggestions
Thanks

This does not work, as stated before.

GUI web apps usually send links for redirects, scripts, images with absolute paths (/login, /scripts/, /img/). Removing a prefix is easy, but adding a prefix for an unknown target is impossible. (How should middleware know if /login should be /graf/login or /node/login)

This only works if all those apps allow to configure some kind of "base path".


Alternative approach to avoid LE limits: switch the order of the sub-domains:

customer123.grafana.example.com
customer123.nodered.example.com
customer123.mqtt.example.com
customer123.influxdb.example.com

Then you only need 4 wildcard TLS certificates.

Thanks,
I was just seeing if there was a different way around the problem.

I'll see if my company will pay the $10/month for Cloudflare ACM, then I can get sub-subdomain certs. Looks like they have a 100 edge certs limit per domain. I can't see us having 100 customers any time soon. Then I'll need to figure out how to use Cloudflares provider in Traefik for that.

If not I'll use your method of customer.service.domain.com

Cheers,

Edit:
Out of curiosity, do you know how Traefik handles renewals if it hits the 50 per week LE limit? I know Traefik goes out for renewals 30 days before expiry. If the limit is hit does the renewal just fail or is it requested again? Next day, next week? ect.
The odds of us hitting the 50 per week are slim for now. I can't see us hitting the 50 limit multiple weeks in a row