Rublon

Secure Remote Access

By

Starting with version 3.8.0, you can store Rublon Authentication Proxy secrets in OS environment variables by setting the secret_source option to env in the global section of the config.

When secret_source is set to env, each secret’s value in the config file becomes the name of an environment variable, and Auth Proxy reads the actual secret value from that variable.

The Rublon Authentication Proxy secrets are:

  • rublon section:
    • system_token
    • secret_key
  • proxy_servers section:
    • RADIUS:
      • radius_secret
    • LDAP:
      • pkey_password (if used)
  • auth_sources section:
    • RADIUS:
      • radius_secret
    • LDAP:
      • access_user_password

Not Using Rublon MFA Yet?

Try our robust multi-factor authentication for 30 days for free and see how simple it is.

Start Free Trial No Credit Card Required

Configuration Example

log:
  debug: false

global:
  secret_source: env

rublon:
  api_server: https://core.rublon.net
  system_token: SYSTEM_TOKEN
  secret_key: SECRET_KEY

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: RADIUS_SECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: LDAP_SOURCE_1
    auth_method: email

  - name: LDAP-Proxy
    type: LDAP
    ip: 0.0.0.0
    port: 389
    auth_source: LDAP_SOURCE_1
    auth_method: email

auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip: 127.0.2.0
    port: 389
    transport_type: plain
    search_dn: OU=Organization,DC=org,DC=com
    access_user_dn: CN=AccessUser,OU=Organization,DC=org,DC=com
    access_user_password: ACCESS_USER_PW

  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip: 127.0.1.0
    port: 1812
    radius_secret: RADIUS_SECRET

The preceding example sets secret_source to env. This means that the Rublon Auth Proxy will now treat the config file’s secret values as names of the environment variables to retrieve the actual secrets from the system. In this example, the Auth Proxy expects to find four variables defined in the system:

  • SYSTEM_TOKEN
  • SECRET_KEY
  • RADIUS_SECRET (used twice)
  • ACCESS_USER_PW

Setting Environment Variables (Windows)

After the installation of the Rublon Authentication Proxy on your Windows machine:

1. Open the Registry Editor.

2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RublonAuthProxy.

3. Add a new Multi-String Value (REG_MULTI_SZ) named Environment and add these lines in value data:

SYSTEM_TOKEN=token_value_here
SECRET_KEY=secret_value_here
RADIUS_SECRET=radius_secret_here
ACCESS_USER_PW=access_user_password_here
Image showing how to set the values of secrets in environment variables in Windows Registry.

4. Restart the Rublon Authentication Proxy service.

Setting Environment Variables (Linux)

After the installation of Rublon Authentication Proxy on your Linux machine:

1. Run:

systemctl edit rublon

2. Modify the service file by setting environment variables like this:

[Service]
Environment="SYSTEM_TOKEN=token_value_here"
Environment="SECRET_KEY=secret_value_here"
Environment="RADIUS_SECRET=radius_secret_here"
Environment="ACCESS_USER_PW=access_user_password_here"
Image showing how to set the values of secrets in environment variables on Linux.

3. Save the file and restart the proxy service:

systemctl restart rublon

Updating Environment Variables

Every time you change the environment variables used by the Rublon Authentication Proxy, you must restart the Auth Proxy service to apply the new values. The Auth Proxy reads environment variables at start-up and does not automatically update them later.

Benefits of Setting Secrets in Environment Variables

  • No Plaintext Secrets in Config File. The Auth Proxy config file contains environment variable names, not secret values. You do not have to redact anything before sharing the config file with the Rublon Support.
  • Simpler Update. Update the environment variables without touching the Auth Proxy config file. Simply restart the proxy after the update.
  • Separation of Duties. One admin can manage secret values in environment variables, while another admin can maintain the Auth Proxy config file.
  • Works with Standard Tooling. Systemd, Windows Services, containers, and CI/CD all support injecting environment variables.

Security Note


Environment variables reduce accidental exposure in shared files, but they are not a silver bullet. OWASP Secrets Management Cheat Sheet advises preferring a proper secrets vault and warns env vars may leak via process inspection, logs, or dumps; treat them as sensitive and limit exposure.

Practical Tips


  • Use a secrets manager as a source of truth.
  • Avoid printing env in logs.
  • Scope OS/service permissions tightly.

Summary

Switching secret_source to env keeps sensitive values out of the Auth Proxy config file and loads them from the operating system instead. Define the required environment variables, update the proxy config to reference their names, and restart the proxy service to apply changes. This approach yields cleaner configs and reduces accidental secret exposure in files.