In this implementation, the backend api is public by default? #1464
Unanswered
BobbyTumur
asked this question in
Questions
First Check
Commit to Help
Example Code
Description
First of all, thank you for the project, I learned so much from it as this was my first web project I've worked on.
Now I am not sure of the best practices about web implementation, but there is something inside that tells me the backend normally sits hidden from the public. Maybe because I hear a lot that "this" and "that" made their API public, bla bla.
So far I have inspected Docker networks, Traefik logs, browser developer tools, etc. What I've got was that the browser or curl was directly making a request to api.example.com, as was confirmed in the Traefik logs, where there was no IP address of the Docker that's running the frontend in between.
Tried deleting labels on the backend service and directly used the docker network on the frontend as:
    frontend:
      build:
        context: ./frontend
        args:
          - VITE_API_URL=http://backend:8000
Then the browser started yelling at me that it is not using HTTPS, and hence the TLS/SSL certificate is served by Traefik and also I am using an HttpOnly Secure cookie on the refresh token, so using - VITE_API_URL=http://backend:8000 was not much of a help.
Is this normal for a FastAPI & React combination to have a public API by default? Or is it just a template after all that does things that way, and there are shit tons of other ways/workarounds to make the API hidden?
Sorry if it's a noob question, but if anyone has any thoughts/implementation, it would be really appreciated if you answer.
Operating System
Linux
Operating System Details
Not relevant
Python Version
Not relevant
Additional Context
No response
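An added example, not part of the original post and not the template's own compose file: the `VITE_API_URL` build arg is compiled into the JavaScript bundle and resolved by the browser, so it has to be a public HTTPS URL, and the sketch below serves the API through Traefik on the frontend's own host under a path prefix while publishing no backend port. The hostname `app.example.com`, the `websecure` entrypoint, the `/api` prefix, the frontend port and the shared Docker network with Traefik are all assumptions.

```yaml
# Constructed example; service names match the post, everything else is assumed.
services:
  backend:
    build:
      context: ./backend
    # No "ports:" entry: the container is reachable only through Traefik,
    # never directly on the host's 8000.
    labels:
      - "traefik.enable=true"
      # Same host as the frontend; only the /api prefix is routed to FastAPI.
      - "traefik.http.routers.backend.rule=Host(`app.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.backend.entrypoints=websecure"
      - "traefik.http.routers.backend.tls=true"
      - "traefik.http.services.backend.loadbalancer.server.port=8000"

  frontend:
    build:
      context: ./frontend
      args:
        # Weak setting from the post: "backend" is a Docker-internal name,
        # which the browser cannot resolve, and plain HTTP breaks the
        # Secure cookie and triggers mixed-content errors.
        # - VITE_API_URL=http://backend:8000
        # Corrected: a public HTTPS origin terminated by Traefik.
        - VITE_API_URL=https://app.example.com
    labels:
      - "traefik.enable=true"
      # Shorter rule, so Traefik's default priority sends /api to the backend
      # router and everything else here.
      - "traefik.http.routers.frontend.rule=Host(`app.example.com`)"
      - "traefik.http.routers.frontend.entrypoints=websecure"
      - "traefik.http.routers.frontend.tls=true"
      - "traefik.http.services.frontend.loadbalancer.server.port=80"
```

The API stays reachable from the internet in this layout, because the browser is the client that calls it; what changes is that there is no separate API hostname and the refresh-token cookie stays same-origin, so access control still has to come from the backend's own authentication.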