Adding the nginx-plus Repository to apt-mirror and Puppet

February 8, 2014Updated on November 18, 2025 JS Morisset Puppet, Ubuntu

Nginx Inc. provides access to the nginx-plus package and repository using SSL certificates. Their instructions include the configuration of apt for Ubuntu, but for people using apt-mirror and Puppet to manage their internal servers, additional custom configurations are required.

The standard apt configuration for nginx-plus might look like this:

$ cat /etc/apt/apt.conf.d/90nginx 
Acquire::https::plus-pkgs.nginx.com::Verify-Peer "true";
Acquire::https::plus-pkgs.nginx.com::Verify-Host "true";
Acquire::https::plus-pkgs.nginx.com::CaInfo      "/etc/ssl/nginx/CA.crt";
Acquire::https::plus-pkgs.nginx.com::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
Acquire::https::plus-pkgs.nginx.com::SslKey      "/etc/ssl/nginx/nginx-repo.key";

The connection to the nginx-plus repository must be made using HTTPS and authentication is handled by client certificates. As provided, apt-mirror is not able to manage SSL certificates, so two sections in the apt-mirror script must be modified. The %config_variables array defines the settings read from its configuration files. We will add the ‘certificate’, ‘private_key’, and ‘ca_certificate’ settings to the array.

Remove MultiArch / i386 in Ubuntu with Puppet

October 29, 2013Updated on October 13, 2025 JS Morisset Puppet, Ubuntu

Here’s a little snippet I use to remove multiarch / i386 support from Ubuntu with Puppet.

if versioncmp( $::lsbdistrelease, "12.04" ) > 0 {
    exec { "remove-architecture i386":
        command => "/usr/bin/dpkg --remove-architecture i386",
        onlyif => "/usr/bin/dpkg --print-foreign-architectures | /bin/grep -q i386",
    }
} else {
    file { "/etc/dpkg/dpkg.cfg.d/multiarch": ensure => absent, }
}

Shell Script to Route Multiple Public/Private Interfaces

June 8, 2013Updated on November 18, 2025 JS Morisset Bash, Linux

If you have a server with multiple interfaces – either public and/or private – your routing table might look something like this:

sh# ip route list
default via 17.10.20.1 dev eth1  metric 100 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.51 
17.10.20.0/23 dev eth1  proto kernel  scope link  src 17.10.20.51 
105.104.72.16/28 dev eth2  proto kernel  scope link  src 105.104.72.23

This example shows one private interface with IP 192.168.0.51, two public interfaces with IPs 17.10.20.51 and 105.104.72.23, and a default route to 17.10.20.1. This means that any traffic to/from an IP outside the interface’s subnets is sent to 17.10.20.1 — and this is where problems occur (and probably why you’re reading this article). ;-)

Autossh Startup Script for Multiple Tunnels

December 10, 2012Updated on November 18, 2025 JS Morisset Bash, CentOS, SSH

When an encrypted VPN is not available, the next best solution is usually port-forwarding one or more port(s) through an SSH tunnel. The down-side of SSH is that by itself it cannot maintain a persistent connection — network issues may force the tunnel to stop responding, or even drop completely. Autossh is a small front-end for SSH that can monitor the connection, and restart the tunnel if it drops or stops responding. I found that the startup scripts available for autossh on the internet were a little too basic for my needs — I wanted autossh to start multiple connections, and to start/stop each one individually if I needed — so I wrote my own.