Very simple test case with PathPrefix does not work with SSL

Tried many many different options, and nothing works.

Goal:

xyz.com/traefik ---> loads traefik dashboard
xyz.com/whoami ---> loads whoami
xyz.com/anotherapp ---> loads another docker service/app
xyz.com/... ---> loads another ...

and all with SSL 

docker-compose.yml

version: "3.7"

services:
  traefik:
    image: traefik:v2.9.6
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api.insecure=true

      - --api
      - --certificatesresolvers.le.acme.email=email@email.com
      - --certificatesresolvers.le.acme.storage=./acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true      
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./acme.json:/acme.json

    labels:

      - traefik.enable=true

      # Dashboard

      # THIS WORKS (without path) If I visit x.example.com I get the dashboard
      # - traefik.http.routers.traefik.rule=Host(`x.example.com`) 

      # THIS DOES NOT WORK (with path)
      - traefik.http.routers.dashboard.rule=Host(`x.example.com`) && (Path(`/traefik`) || PathPrefix(`/traefik`) || HeadersRegexp(`Referer`, `.*/traefik/.*`))

      # configure stripprefix rule for the dashboard
      - traefik.http.routers.dashboard.middlewares=dashboard-stripprefix
      - traefik.http.middlewares.dashboard-stripprefix.stripprefix.prefixes=/traefik

      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.entrypoints=websecure

      # auth
      - traefik.http.routers.traefik.middlewares=authtraefik
      - traefik.http.middlewares.authtraefik.basicauth.users=${TRAEFIK_USERNAME}:${TRAEFIK_PASSWORD}

      # global redirect to https
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https

      # middleware redirect
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

    networks:
      - traefik

  whoami:
    image: containous/whoami
    labels:
      - traefik.http.routers.whoami.rule=Host(`x.example.com`) && PathPrefix(`/whoami`) 
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls=true
    networks:
      - traefik

networks:
  traefik:
    external: true

Tried many permutations, but it still does not work. So far, if I add the PathPrefix for the dashboard, I get "unable to generate a certificate for the domains" because "Domain name needs at least one dot".

Questions I have:

  • Do I need the external true networks? I see configs with or without.
  • Why am I getting the Domain name needs at least one dot error?
  • If I use AWS Certificate Manager to get certificate for the subdomain, do I still need Let's Encrypt again?
  • Do I need stripprefix if I use PathPrefix?

Thank you!

Dashboard routing according to docs:

# Dynamic Configuration
labels:
  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
  - "traefik.http.routers.dashboard.service=api@internal"
  - "traefik.http.routers.dashboard.middlewares=auth"
  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

Note the additional use of /api. No, this can’t be changed, you can’t use PathPrefix for this, rather use a different sub-domain.

Also note that with api.insecure it will automatically be set up on port 8080, in that case everything is different. Docs.

External network means it was created outside of compose.

LetsEncrypt will create certificates for you. If you have a different service for that, you need to load the TLS certs via dynamic config file.

Note that all the PathPrefix and StripPrefix won’t work with most web-apps as they are mostly not "path-aware". They will respond with fixed links like /login or /js/xyz.js and that will break the PathPrefix setup.

It is best practice to use individual sub-domains for web-apps.
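
The sub-domain layout recommended in the answer above, written out as a complete compose file. This is an added example, not part of the original posts or the Traefik docs: it drops `--api.insecure` and the 8080 port mapping so the dashboard is reachable only through the authenticated router, and keeps the rule, service, TLS and middleware labels on one router name. Assumptions: the host `whoami.example.com`, the middleware name `dashboard-auth`, the user `admin` with a placeholder hash, and the added hardening choices (`exposedbydefault=false`, entrypoint-level HTTPS redirect, read-only Docker socket).

```yaml
# Added example, not from the original posts; whoami.example.com is an assumed host name.
version: "3.7"
services:
  traefik:
    image: traefik:v2.9.6
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      # --api without --api.insecure: no unauthenticated dashboard on port 8080
      - --api
      - --certificatesresolvers.le.acme.email=email@email.com
      - --certificatesresolvers.le.acme.storage=/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json   # file must exist before start, mode 600
    labels:
      - traefik.enable=true
      # every dashboard setting below is attached to the same router name: dashboard
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.service=api@internal
      - traefik.http.routers.dashboard.tls.certresolver=le
      - traefik.http.routers.dashboard.middlewares=dashboard-auth
      # placeholder: user:hash from htpasswd, each dollar sign doubled as in the docs snippet
      - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH
    networks:
      - traefik

  whoami:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
    networks:
      - traefik

networks:
  traefik:
    external: true   # created outside of compose, e.g. docker network create traefik
```

With this layout the dashboard is served at `https://traefik.example.com/dashboard/` (the trailing slash is required) and no StripPrefix middleware is involved.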