Setting up main Traefik (http, https, tls) and multiple others (per project)

So I recently discovered Traefik, and I am loving the idea of it, but I am struggling to set it up to my needs.

I have one VPS, where multiple domains are pointing to it.

Firstly, I need to set up the app docker-compose correctly, and set it's own traefik acting as reverse proxy. What I have so far is this:

name: "myapp1"
services:
  backend:
    container_name: ${COMPOSE_PROJECT_NAME}-backend
    image: mybackend:latest
    restart: always
    env_file:
      - stack.env
    networks:
      - ${COMPOSE_PROJECT_NAME}-network
    labels:
      - "traefik.http.routers.backend.rule=PathPrefix(`/api`)"
      - "traefik.http.services.backend.loadbalancer.server.port=3000"
      - "${COMPOSE_PROJECT_NAME}.traefik=true"

  cms:
    container_name: ${COMPOSE_PROJECT_NAME}-cms
    image: mycms:latest
    restart: always
    networks:
      - ${COMPOSE_PROJECT_NAME}-network
    labels:
      - "traefik.http.routers.cms.rule=PathPrefix(`/admin`)"
      - "traefik.http.services.cms.loadbalancer.server.port=3000"
      - "${COMPOSE_PROJECT_NAME}.traefik=true"

  frontend:
    container_name: ${COMPOSE_PROJECT_NAME}-frontend
    image: myfrontend:latest
    restart: always
    networks:
      - ${COMPOSE_PROJECT_NAME}-network
    labels:
      - "traefik.http.routers.frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.frontend.loadbalancer.server.port=3000"
      - "${COMPOSE_PROJECT_NAME}.traefik=true"
  mongo:
    container_name: ${COMPOSE_PROJECT_NAME}-mongo
    image: mongo:latest
    restart: always
    networks:
      - ${COMPOSE_PROJECT_NAME}-network
    volumes:
      - mongo-data:/data/db

  traefik:
    container_name: ${COMPOSE_PROJECT_NAME}-traefik
    image: traefik:latest
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.constraints=Label(`${COMPOSE_PROJECT_NAME}.traefik`,`true`)"
    ports:
      - 3005:80
      - 3006:8080
    networks:
      - ${COMPOSE_PROJECT_NAME}-network
      - main-network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"


volumes:
  mongo-data:

networks:
  myapp1-network:
    name: ${COMPOSE_PROJECT_NAME}-network
    driver: bridge
  main-network:
    external: true

So this traefik should only act as reverse proxy, worrying about the containers specified in this docker compose. As I investigated a bit, the only way I could restrict it to see the apps it needs (and not everything from docker) is via constraints. This part is working OK so far, and when I access IP:3005, I am getting that application (firewall is turned off for testing, that's why I can access that port)

Then, the problem is at system level traefik, which I would like to handle all incoming traffic, and reverse proxy it to specific port, depending on hostname...
What I have so far is this:

name: 'main'
services:
  traefik:
    image: traefik:latest
    container_name: main-traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"

      - "--entrypoints.web.address=:80"
      
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "traefik_letsencrypt:/letsencrypt"
    networks:
      - main-network
    labels:
      - "traefik.http.routers.myapp1.rule=Host(`myapp1.example.com`)"
      - "traefik.http.services.myapp1.loadbalancer.server.port=3005"

volumes:
  traefik_letsencrypt:

networks:
  main-network:
    external: true

But when I visit the app from specified domain, I am getting 404 not found...

I hope you get the idea of what I am trying to achieve... Also, I need to set up TLS, but lets worry about that in follow up discussion...

I am probably missing some labels, but I am not sure which ones should I set up more...

Anyone know or have example how to set this up correctly?

Traefik dynamic config (routers, middlewares, services) is usually read from dynamic config file or Docker labels for automatic configuration. The labels always need to be on the Traefik target service Docker service/container.

Compare to simple Traefik example.