Running RIPE Updater in production requires more than starting the container — you need to protect the webhook endpoint, terminate TLS, point the service at the live RIPE database, and ensure operational visibility through backups and alerting. This page covers the key steps to make your deployment production-ready.
Always test your full configuration against RIPE_DB=TEST before switching to RIPE_DB=RIPE. Changes written to the live RIPE database cannot be automatically undone.

Reverse proxy and TLS

RIPE Updater’s gunicorn server is not designed to be exposed directly to the internet. Place a reverse proxy such as Nginx in front of it and terminate TLS there. A minimal Nginx configuration that proxies to a locally running RIPE Updater on port 8000:
server {
    listen 80;
    server_name ripe-updater.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ripe-updater.example.com;

    ssl_certificate     /etc/letsencrypt/live/ripe-updater.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ripe-updater.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Obtain a free TLS certificate with Certbot and Let’s Encrypt:
sudo certbot --nginx -d ripe-updater.example.com
Once TLS is in place, enable SSL verification on the NetBox webhook so NetBox validates RIPE Updater’s certificate before sending events.

Webhook authentication with UPDATE_TOKEN

Anyone who can reach the /update endpoint can trigger RIPE database writes. Protect it by setting the UPDATE_TOKEN environment variable:
UPDATE_TOKEN=Token your-long-random-secret
Generate a strong token with openssl rand -hex 32. Use the same value in the NetBox webhook’s Additional Headers field as Authorisation: Token your-long-random-secret.
When UPDATE_TOKEN is set, RIPE Updater rejects any incoming webhook request that does not present a matching Authorisation header. Configure the matching header in NetBox under Webhooks → Additional Headers:
Authorisation: Token your-long-random-secret

Switching to the live RIPE database

During testing, RIPE_DB=TEST routes all writes to the RIPE TEST database, which uses substitute maintainer, organisation, and person objects. When you are confident your templates and configuration are correct, switch to the production database:
RIPE_DB=RIPE
At the same time, ensure RIPE_MNT_PASSWORD holds the real maintainer password with write access to your INETNUM and INET6NUM objects. The RIPE_TEST_* variables (RIPE_TEST_MNT, RIPE_TEST_ORG, RIPE_TEST_PERSON, RIPE_TEST_STATUS_V4, RIPE_TEST_STATUS_V6) are ignored when RIPE_DB=RIPE.

Gunicorn worker count

The default image starts gunicorn with 2 workers (-w 2). A common rule of thumb is (2 × CPU cores) + 1. For a 2-core host, 5 workers is a reasonable starting point:
python -m gunicorn -b :80 -w 5 ripeupdater.main:app
When using Docker, override the default command in your docker-compose.override.yml:
services:
  ripe-updater:
    command: python -m gunicorn -b :80 -w 5 ripeupdater.main:app

Health check for load balancer monitoring

RIPE Updater exposes a /health endpoint that returns 200 OK when the service is running. Configure your load balancer or container orchestrator to poll it:
curl http://localhost:8000/health
For Docker, add a healthcheck block in your compose override. The check runs inside the container, so it targets the port gunicorn binds to (80):
services:
  ripe-updater:
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:80/health"]
      interval: 30s
      timeout: 5s
      retries: 3

S3 backups for disaster recovery

Enable S3 backups so that every RIPE object overwritten or deleted by RIPE Updater is preserved as a JSON snapshot. Configure the following variables:
S3_BACKUP=yes
S3_ENDPOINT_URL=https://s3.example.com
S3_ACCESS_KEY=your-access-key
S3_SECRET_ACCESS_KEY=your-secret-key
S3_BUCKET=ripe-updater-backups
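Saved backups are accessible at https://your-ripe-updater-host/backups. To restore an object manually, post its JSON file directly to the RIPE REST API, replacing RIPE_MNT_PASSWORD in the URL with the maintainer password. Because the password is passed in the query string, it can end up in your shell history: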
curl -X POST \
  -H 'Content-Type: application/json' \
  --data @prefix.json \
  'https://rest.db.ripe.net/ripe/inetnum?password=RIPE_MNT_PASSWORD'

Email reporting for operational alerting

RIPE Updater can send an email report for every update it processes. Enable it with:
MAIL_REPORT=yes
SMTP=smtp.example.com:587
SMTP_STARTTLS=yes
SENDER_MAIL=ripe-updater@example.com
RECIPIENT_MAIL=noc@example.com
Email reports give your NOC team visibility into every RIPE database change without having to inspect logs manually.
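
The settings covered on this page can be checked together before RIPE_DB is switched to RIPE. The following pre-flight check is an added example, not part of RIPE Updater; the function name, the token length and variety thresholds, and the treatment of yes as the only enabled value are assumptions.

```python
import os

# Documentation placeholders that must never reach production.
PLACEHOLDERS = {"your-long-random-secret", "your-access-key", "your-secret-key"}
S3_VARS = ("S3_ENDPOINT_URL", "S3_ACCESS_KEY", "S3_SECRET_ACCESS_KEY", "S3_BUCKET")
MAIL_VARS = ("SMTP", "SENDER_MAIL", "RECIPIENT_MAIL")


def preflight(env):
    """Return a list of findings for a RIPE Updater environment (dict of str)."""
    findings = []

    def unset(names):
        return [n for n in names if not env.get(n) or env[n] in PLACEHOLDERS]

    # UPDATE_TOKEN holds the whole header value, "Token <secret>", as shown above.
    scheme, _, secret = env.get("UPDATE_TOKEN", "").partition(" ")
    if scheme != "Token" or not secret:
        findings.append("UPDATE_TOKEN unset or not in 'Token <secret>' form")
    elif secret in PLACEHOLDERS:
        findings.append("UPDATE_TOKEN still holds the documentation placeholder")
    elif len(secret) < 32 or len(set(secret)) < 8:  # assumed heuristic thresholds
        findings.append("UPDATE_TOKEN secret looks weak; use openssl rand -hex 32")

    db = env.get("RIPE_DB", "")
    if db not in ("TEST", "RIPE"):  # the two values this page documents
        findings.append(f"RIPE_DB={db!r} is neither TEST nor RIPE")
    if db == "RIPE":
        if not env.get("RIPE_MNT_PASSWORD"):
            findings.append("RIPE_DB=RIPE but RIPE_MNT_PASSWORD is empty")
        if env.get("S3_BACKUP") != "yes":
            findings.append("RIPE_DB=RIPE without S3_BACKUP=yes: no snapshots of live objects")

    if env.get("S3_BACKUP") == "yes":
        findings += [f"{n} unset or placeholder" for n in unset(S3_VARS)]
        if env.get("S3_ENDPOINT_URL", "https://").startswith("http://"):
            findings.append("S3_ENDPOINT_URL uses plain http")
    if env.get("MAIL_REPORT") == "yes":
        findings += [f"{n} unset" for n in unset(MAIL_VARS)]
        if env.get("SMTP_STARTTLS") != "yes":
            findings.append("MAIL_REPORT=yes without SMTP_STARTTLS=yes")
    return findings


if __name__ == "__main__":
    for finding in preflight(dict(os.environ)):
        print("WARN:", finding)
```

Run it in the same environment as the container (for example with the same env file loaded) and treat any WARN line as a reason to stay on RIPE_DB=TEST.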
