
Passwords and Secrets

Use the following syntax to avoid plaintext passwords or secrets in the web.xml file or for the indicated variables in the navajo.xml file:

${<type>:<parameters>}

Where

  • <type>: either "exec" or "env"
  • <parameters>:
    • Type env: The <parameters> part is a string with the environment variable to look for. This env variable is usually configured in the configuration file env.conf.
    • Type exec: The <parameters> part is the command to execute. The resulting value should be written into the standard output (stdout) by the executing program. For example:
 ${exec: cat /var/opt/nevisproxy/default/mySecret.txt}

Be aware of the following:

  • No newline character is allowed in a password using the exec syntax because the output of the exec command is read up to the first newline (if any). The newline itself and everything after it are ignored.
  • The called exec command should not be a blocking command, or you risk blocking the proxy itself.
  • You can use the timeout command to set a limit to the execution of a command. Keep in mind: This only works on systems that support the timeout command. The duration is set in seconds. As soon as the execution of the command exceeds the defined <DURATION>, the system aborts the execution. The syntax is:
${exec: timeout <DURATION> <COMMAND>}
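
The points above can be checked before a command is placed in an ${exec: ...} expression. The following pre-flight script is an added example, not part of nevisProxy: it runs the candidate command under timeout and reports whether its output would be empty, truncated at the first newline, or never produced. The function names check_exec_secret and secret_file_private are hypothetical, and the file-permission check is an extra hardening assumption of this example, not a nevisProxy requirement.

```shell
#!/bin/sh
# Added example (not nevisProxy code). Assumes the `timeout` command exists.
NL='
'

# check_exec_secret DURATION COMMAND [ARGS...]
# Runs the command the way ${exec: timeout DURATION COMMAND} would name it and
# classifies its stdout without ever printing the secret itself.
#   0 = usable single-line value
#   1 = command failed or exceeded DURATION (timeout exits with 124)
#   2 = first line is empty, so the resolved value would be empty
#   3 = text follows the first newline and would be silently ignored
check_exec_secret() {
    dur=$1; shift
    # $(...) strips trailing newlines, so a normal "value\n" file is one line.
    out=$(timeout "$dur" "$@" 2>/dev/null) || {
        echo "exec check: command failed or timed out" >&2; return 1; }
    first=${out%%"$NL"*}
    [ -n "$first" ] || { echo "exec check: empty first line" >&2; return 2; }
    case $out in
        *"$NL"*) echo "exec check: output after first newline is dropped" >&2
                 return 3 ;;
    esac
    return 0
}

# secret_file_private FILE
# Extra hardening check (an assumption of this example, not a nevisProxy rule):
# succeeds only if group and others have no permission bits on FILE.
secret_file_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Typical use, with the file from the example above:
#   check_exec_secret 2 cat /var/opt/nevisproxy/default/mySecret.txt
```

Run the check as the same operating system user that runs the proxy, so that read permissions are evaluated the same way.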

nevisProxy provides a variable replacement mechanism in its configuration files, so that secret values can be stored separately. This variable replacement mechanism is supported in the web.xml and partly in the navajo.xml. The attributes that support the variable replacement mechanism are labeled accordingly in the attribute's description in this reference guide.