Traefik reverse proxy service into sub folder that doesn't allow BASE URL changing

Question

I recently got into self hosting, I found tailscale to be the best way to access the services that i want on all my devices but typing ports is getting real annoying and I am trying a to enable SSL for some of the important services. Now most guides on reverse hosting say to use subdomains but I don't want to and thus want to make them accessible in sub-folders instead of sub-domains. I have been trying to set up a reverse proxy to do that now I have tried Nginx proxy-manager, Caddy and Traefik out of which I found Traefik being the easiest to understand as noob.

I am trying to reverse proxy stuff using traefik to some success, simple services like the ones which have one page work but for bigger services it doesn't work.

This is my traefik docker-compose.yml

version: "3"

networks:
  # network created for reverse proxy such that all other
  # containers are also on it can communicate with each other
  revProxy-net:
    name: revProxy-net
    driver: bridge

services:
  traefik:
    image: traefik:v3.0.0-beta2
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - ./config:/etc/traefik
      - ./logs:/var/log/traefik
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - revProxy-net
    restart: unless-stopped

and this is the traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false # true by default

# (Optional) Log information
# ---
log:
  level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL
  format: common # common, json, logfmt
  filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
accesslog:
format: common # common, json, logfmt
filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true # true by default
  insecure: true # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

certificatesResolvers:
  tailsolver:
    tailscale: {}

providers:
  docker:
    exposedByDefault: false # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

Lets take glances a simple (it has only one html and one js file that loads), which works with this configuration, it is accessible on https://lenovo-ideapad-320-15ikb.tail9ece4.ts.net/glances/

version: "3"
services:
  glances:
    image: nicolargo/glances:latest-full
    container_name: glances
    restart: always
    ports:
      - 61208-61209:61208-61209
    environment:
      - GLANCES_OPT=-w
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./glances.conf:/etc/glances.conf
    pid: host
    networks:
      - revProxy-net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.glances.entrypoints=web,websecure"
      - "traefik.http.routers.glances.rule=Host(`lenovo-ideapad-320-15ikb.tail9ece4.ts.net`) && PathPrefix(`/glances`)"
      - "traefik.http.middlewares.strip-glances.stripprefix.prefixes=/glances"
      - "traefik.http.routers.glances.middlewares=strip-glances@docker"
      - "traefik.http.routers.glances.tls=true"
      - "traefik.http.routers.glances.tls.certresolver=tailsolver"
      - "traefik.http.routers.glances.tls.domains[0].main=lenovo-ideapad-320-15ikb.tail9ece4.ts.net"

networks:
  revProxy-net:
    external: true

But when i try to use this same thing on jellyfin, it gives Bad Gateway when going to https://lenovo-ideapad-320-15ikb.tail9ece4.ts.net/jellyfin/ ,Here is the jellyfin docker-compose.yml

version: "2.1"
#name: media-stack
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ_NAME}
      #- JELLYFIN_PublishedServerUrl=192.168.0.25 #optional
      - NVIDIA_VISIBLE_DEVICES=all
      - NVIDIA_DRIVER_CAPABILITIES=all
    volumes:
      - ./jellyfin/config:/config
      - /home/sagnik/Projects/yt-diff/yt-dlp/:/yt-dlp
      # Removed for testing purposes
    ports:
      - ${JELLYFIN_PORT}:8096
      - 8920:8920
      - 7359:7359/udp
      - 1900:1900/udp
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [ gpu ]
    restart: unless-stopped
    labels:
      - 'traefik.enable=true'
      ## HTTP Router
      #### Entry point where Jellyfin is accessible via
      #### Change secure to https in the line below to have accessible without needing to specify a port and change the SSLHost option below
      - 'traefik.http.routers.jellyfin.entryPoints=web,websecure'
      #### Host or Path where Jellyfin is accessible
      #### Remove (or change) this rule if you'd rather have Jellyfin accessible at a PathPrefix URI
      - 'traefik.http.routers.jellyfin.rule=Host(`lenovo-ideapad-320-15ikb.tail9ece4.ts.net`) && PathPrefix(`/jellyfin`)'
      #### Prefix stripper
      - "traefik.http.middlewares.strip-jellyfin.stripprefix.prefixes=/jellyfin"
      - "traefik.http.routers.jellyfin.middlewares=strip-jellyfin@docker"
      #### Using the tailscale ones
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certresolver=tailsolver"
      - "traefik.http.routers.jellyfin.tls.domains[0].main=lenovo-ideapad-320-15ikb.tail9ece4.ts.net"
    networks:
      - revProxy-net

networks:
  revProxy-net:
    external: true

I have tried reading the documentation, and reading the ways to change base url for some services but I don't understand what is happening.

Answer 1

You forgot about the port!

- 'traefik.http.routers.jellyfin.service=jellyfin-svc'
- 'traefik.http.services.jellyfin-svc.loadBalancer.server.port=8096'