Expose Netbox RIPE Updater behind a TLS reverse proxy

The updater binds to 127.0.0.1:9000 by default, which means it is only reachable from the local machine over plain HTTP. Placing a reverse proxy in front of it gives you TLS termination, a stable public URL, and the ability to integrate the updater’s path into an existing web server — important because NetBox webhooks must be able to reach the /update endpoint, and sending credentials over unencrypted HTTP is a security risk in production.

Keep the Minio console (port 9001) unexposed to the public internet. It is only needed for direct bucket management and should remain accessible solely within the Docker network or over a trusted internal connection.

Choosing your setup

Same machine as NetBox
Different machine

If the updater runs on the same host as NetBox, the simplest approach is to add a location block to your existing Nginx configuration. NetBox is typically already served over HTTPS, so you get TLS for free.Add the following block inside your existing server {} context:

location /ripe-updater/ {
    proxy_pass http://127.0.0.1:9000/;
}

With this configuration:

The updater is reachable at https://your-netbox-host/ripe-updater/
NetBox webhooks should point to https://your-netbox-host/ripe-updater/update
The backup UI is at https://your-netbox-host/ripe-updater/backups

No changes to docker-compose.yml are required. UPDATER_HTTP_PORT must remain bound to 127.0.0.1:9000 (the default) for this to work.

When the updater runs on a dedicated host, you need a standalone HTTPS server. Caddy is a good choice because it handles TLS certificate provisioning automatically via Let’s Encrypt.Step 1: Remove the host port binding

When using a separate HTTPS proxy, remove the UPDATER_HTTP_PORT host binding from docker-compose.yml so the updater is not exposed directly on the host. Let the proxy be the only ingress point.

Use a docker-compose.override.yml file to override the port binding without editing the base docker-compose.yml:

docker-compose.override.yml

services:
  ripe-updater:
    ports: []

Use docker-compose.override.yml for any local customizations to the base docker-compose.yml. Docker Compose merges override files automatically — you keep your changes separate from the upstream file, making future updates easier to apply.

Step 2: Add Caddy for automatic TLSCreate a Caddyfile in the project root:

Caddyfile

ripe-updater.example.com {
    reverse_proxy ripe-updater:80
}

Then add the Caddy service to your docker-compose.override.yml:

docker-compose.override.yml

services:
  ripe-updater:
    ports: []

  caddy:
    image: caddy:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    networks:
      - ripe-updater

volumes:
  caddy-data:
  caddy-config:

With this setup:

Caddy terminates TLS and forwards traffic to the ripe-updater container over the internal Docker network
The updater is not exposed directly on any host port
NetBox webhooks should point to https://ripe-updater.example.com/update
The backup UI is at https://ripe-updater.example.com/backups

Replace ripe-updater.example.com with your actual domain name. Caddy obtains and renews a certificate automatically.

Deployment

Review port bindings and Docker network configuration

Backups

Browse and restore RIPE object backups through the web UI

Get Started

Configuration

Operations

Reference

Expose Netbox RIPE Updater behind a TLS reverse proxy

Choosing your setup

Deployment

Backups

Build docs developers (and LLMs) love

Get Started

Configuration

Operations

Reference

Documentation Index

​Choosing your setup

Deployment

Backups

Build docs developers (and LLMs) love

Choosing your setup