Starting with version 3.8.0, you can store Rublon Authentication Proxy secrets in OS environment variables by setting the secret_source option to env in the global section of the config.
When secret_source is set to env, each secret’s value in the config file becomes the name of an environment variable, and Auth Proxy reads the actual secret value from that variable.
The Rublon Authentication Proxy secrets are:
- rublon section:
  - system_token
  - secret_key
- proxy_servers section:
  - RADIUS:
    - radius_secret
  - LDAP:
    - pkey_password (if used)
- auth_sources section:
  - RADIUS:
    - radius_secret
  - LDAP:
    - access_user_password
Configuration Example
log:
  debug: false
global:
  secret_source: env
rublon:
  api_server: https://core.rublon.net
  system_token: SYSTEM_TOKEN
  secret_key: SECRET_KEY
proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: RADIUS_SECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: LDAP_SOURCE_1
    auth_method: email
  - name: LDAP-Proxy
    type: LDAP
    ip: 0.0.0.0
    port: 389
    auth_source: LDAP_SOURCE_1
    auth_method: email
auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip: 127.0.2.0
    port: 389
    transport_type: plain
    search_dn: OU=Organization,DC=org,DC=com
    access_user_dn: CN=AccessUser,OU=Organization,DC=org,DC=com
    access_user_password: ACCESS_USER_PW
  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip: 127.0.1.0
    port: 1812
    radius_secret: RADIUS_SECRET
The preceding example sets secret_source to env. The Rublon Auth Proxy therefore treats each secret value in the config file as the name of an environment variable and reads the actual secret from that variable. In this example, the Auth Proxy expects to find four variables defined in the system:
- SYSTEM_TOKEN
- SECRET_KEY
- RADIUS_SECRET (used twice)
- ACCESS_USER_PW
Setting Environment Variables (Windows)
After the installation of the Rublon Authentication Proxy on your Windows machine:
1. Open the Registry Editor.
2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RublonAuthProxy.
3. Add a new Multi-String Value (REG_MULTI_SZ) named Environment and add these lines in value data:
   SYSTEM_TOKEN=token_value_here
   SECRET_KEY=secret_value_here
   RADIUS_SECRET=radius_secret_here
   ACCESS_USER_PW=access_user_password_here
4. Restart the Rublon Authentication Proxy service.
Setting Environment Variables (Linux)
After the installation of Rublon Authentication Proxy on your Linux machine:
1. Run:
   systemctl edit rublon
2. Modify the service file by setting environment variables like this:
   [Service]
   Environment="SYSTEM_TOKEN=token_value_here"
   Environment="SECRET_KEY=secret_value_here"
   Environment="RADIUS_SECRET=radius_secret_here"
   Environment="ACCESS_USER_PW=access_user_password_here"
3. Save the file and restart the proxy service:
   systemctl restart rublon
Updating Environment Variables
Every time you change the environment variables used by the Rublon Authentication Proxy, you must restart the Auth Proxy service to apply the new values. The Auth Proxy reads environment variables at start-up and does not automatically update them later.
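Because a missing or misnamed variable only shows up after the restart, a check before restarting is useful. The following is an added example, not Rublon's code: it scans a config for the secret options listed on this page, reports referenced variables that are unset in the service's environment, and flags values that cannot be variable names (a sign that a literal secret was left in the file). It assumes one option per line as in the example config; check_config, SAMPLE_CONFIG and the sample values are constructed for illustration.

```python
import re

# Secret options named on this page; in env mode their values are variable names.
SECRET_KEYS = {"system_token", "secret_key", "radius_secret",
               "pkey_password", "access_user_password"}
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]+)\s*:\s*(.*?)\s*$")

# Constructed sample: trimmed from the page's example, with a literal
# password left in access_user_password to show the failure case.
SAMPLE_CONFIG = """\
global:
  secret_source: env
rublon:
  system_token: SYSTEM_TOKEN
  secret_key: SECRET_KEY
proxy_servers:
  - name: RADIUS-Proxy
    radius_secret: RADIUS_SECRET
auth_sources:
  - name: LDAP_SOURCE_1
    access_user_password: "P@ss w0rd!"
"""


def check_config(config_text, service_env):
    """Return (source_is_env, missing, suspicious): missing lists referenced
    variables unset or empty in service_env; suspicious lists (line_no, option)
    pairs whose value cannot be a variable name."""
    source_is_env, referenced, suspicious = False, set(), []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        match = KEY_VALUE.match(re.sub(r"\s+#.*$", "", raw))  # drop trailing comment
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        if key == "secret_source":
            source_is_env = value == "env"
        elif key in SECRET_KEYS and value:
            if ENV_NAME.match(value):
                referenced.add(value)
            else:
                suspicious.append((line_no, key))
    missing = sorted(name for name in referenced if not service_env.get(name))
    return source_is_env, missing, suspicious


if __name__ == "__main__":
    # Constructed environment: RADIUS_SECRET deliberately left undefined.
    print(check_config(SAMPLE_CONFIG, {"SYSTEM_TOKEN": "x", "SECRET_KEY": "y"}))
```

Pass as service_env the variables as they are defined for the service (the Environment registry value or the systemd override), since an administrator's shell does not inherit them.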
Benefits of Setting Secrets in Environment Variables
- No Plaintext Secrets in Config File. The Auth Proxy config file contains environment variable names, not secret values. You do not have to redact anything before sharing the config file with Rublon Support.
- Simpler Update. Update the environment variables without touching the Auth Proxy config file. Simply restart the proxy after the update.
- Separation of Duties. One admin can manage secret values in environment variables, while another admin can maintain the Auth Proxy config file.
- Works with Standard Tooling. Systemd, Windows Services, containers, and CI/CD all support injecting environment variables.
Summary
Switching secret_source to env keeps sensitive values out of the Auth Proxy config file and loads them from the operating system instead. Define the required environment variables, update the proxy config to reference their names, and restart the proxy service to apply changes. This approach yields cleaner configs and reduces accidental secret exposure in files.