Basic auth not working from .env docker-compose setup - only if hardcoded

How can I get traefik to support basic auth in docker compose (when loading from a .env file)?

When hardcoding the credentials for user foo password is bar:

- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=foo:$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"

traefik loads the password configuration just fine.http

However, when instead loading from the .env file with environment variables:

- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=${APP_USER}:${APP_PASSWORD}"

I get a 401 denied error with the exact same credentials.

What is going wrong?

NOTICE: echo $(htpasswd -nb foo bar) | sed -e s/\\$/\\$\\$/g was used when creating the credentials

The .env file would look like:

APP_USER=foo
APP_PASSWORD="$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"

and the full compose

---
version: "3.9"

services:
  proxy:
    image: traefik:v2.10.5
    container_name: proxy
    hostname: proxy
    command:
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--api.dashboard=true"
      
    ports:
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.service=api@internal"

      # Basic Auth for dashboard
      - "traefik.http.routers.traefik.middlewares=auth_traefik_dashboard"
      # when feeding the auth from a .env file traefik no longer accepts the 
      # echo $(htpasswd -nb foo bar) | sed -e s/\\$/\\$\\$/g
      # APP_USER=foo
      # APP_PASSWORD="$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"
      - "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=${APP_USER}:${APP_PASSWORD}"
      # foo / bar
      #- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=foo:$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"

I observe also others seem to have issues:

• Docker Compose Template for Traefik Has Issues · Issue #59 · tiangolo/dockerswarm.rocks · GitHub
• How to use an environment variable for the basicauth.users label in the docker compose file?

The suggestion mentioned there:

The problem is that in the .env file you don't need to double the $ in the hashed password as is needed when directly putting the hashed password in the docker compose file.

did not solve the problem for me.

When looking at the dashboard instead of:

$$apr1$$e/NJoiAd$$5s5EJk2fxdTJHEJdlUSGx0

11180apr111180e/NJoiAd111805s5EJk2fxdTJHEJdlUSGx0

is visible as the basic auth password hash.

This is the same value I get inside zsh when executing echo $$apr1$$e/NJoiAd$$5s5EJk2fxdTJHEJdlUSGx0.

FYI: the dotenv plugin is loading the .env file

When feeding the env variables like:

APP_PASSWORD='$$apr1$$zIo2lozg$$AN0OEI1XclvWrAA19SVMk.'

I am one step further - as the same hash I would expect is now registered for both the shell and treafik
still traefik will not let me in. And still if I hardcode the hash:

- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=${APP_USER}:$$apr1$$zIo2lozg$$AN0OEI1XclvWrAA19SVMk."

again I get an error 401 denied

it looks like not using the SED (when using .env to load the secrets) works