apt-cacher-ng versus apt-transport-https
The headline sounds pretty technical, and so is the topic. Let’s quickly introduce both antagonists:
-
apt-cacher-ngis a tool to cache packages of the apt ecosystem. As an administrator, you may have multiple Debian-based systems. The overlap of packages that all the systems need is typically huge. That means, hundreds of your systems will require the latest security update forcurlat around the same time. Running anapt-cacher-ngserver in your local environment will take a bit heat off Debian’s infrastructure and improves the download speed of packages. See also the Apt-Cacher NG project page. -
apt-transport-httpsis an apt module to obtain packages over a securehttps://connection. Traditionally, packages are downloaded through plain HTTP or FTP, but as these are unencrypted a third party may observe what you’re doing at a repository (which packages you’re downloading etc..). Please note, thatapt-transport-httpsis already integrated in latest versions of apt - no need to install it separately.
So basically, both apt-cacher-ng and apt-transport-https do a good thing! But… They don’t really like each other.. At least by default. However, I’ll show you how to make them behave ;-)
The Problem
The issue is perfectly obvious: You want apt-cacher-ng to cache TLS encrypted traffic…? That won’t happen.
The Solution
You need to tell the client to create an unencrypted connection to the cache server, and then the cache server can connect to the repository through TLS.
Example
Let me explain that using Docker.
To properly install Docker on a Debian based system, you would add a file /etc/apt/sources.list.d/docker.list containing a repository such as:
deb [arch=amd64] https://download.docker.com/linux/debian stretch stableHowever, when apt is told to use a cache server, it would fail to download Docker’ packages:
# apt-get update
[...]
W: Failed to fetch https://download.docker.com/linux/debian/dists/stretch/InRelease Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels) [IP: 1.2.3.4 3142]
W: Some index files failed to download. They have been ignored, or old ones used instead.Let’s fix that using the following workaround:
0. Assumptions
- There is an
apt-cacher-ngrunning athttp://apt.cache:3142. apt.cacheresolves to1.2.3.4.- There is a client configured to use the cache server, e.g.
/etc/apt/apt.conf.d/02proxysays:
Acquire::http { Proxy "http://apt.cache:3142"; }1. Create a mock DNS for the cache server
You need to create a pseudo domain name that points to the cache server. This name will then tell the cache server which target repository to access.
Let’s say we’re using docker.cache.
You can either create a proper DNS record, or just add a line to the client’s /etc/hosts file:
1.2.3.4 apt.cache docker.cacheNow, both apt.cache and docker.cache will resolve to 1.2.3.4 at the client.
2. Update the client’s repository entry
Instead of contacting the repository directly, the client should now connect to the cache server instead.
You need to change the contents in /etc/apt/sources.list.d/docker.list to:
deb http://docker.cache stretch stableThus, the client now treats the cache server as a proper repository!
3. Inform the cache server
The apt-cacher-ng of course needs to be told what to do, when clients want to access something from docker.cache: It should forward the request to the original repository!
This is called remapping. First create a file /etc/apt-cacher-ng/backends_docker_com at the server containing the link to the original repository:
https://download.docker.com/linux/debianThen, populate the remapping rule in /etc/apt-cacher-ng/acng.conf. You will find a section of Remap entries (see default config of acng.conf). Just append your rule:
Remap-dockercom: http://docker.cache ; file:backends_docker_comThis line reads:
- There is a remap rule called
Remap-dockercom - which remaps requests for
http://docker.cache - to whatever is written in file
backends_docker_com
That’s it. Restart the cache server and give it a try :)
4. Add more Remaps
If you want to use more repositories through https://, just create further mock-DNS-entries and append corresponding remapping rules to the acng.conf. Pretty easy..
The Improvements
This setup of course strips the encryption off apt calls. Granted, it’s just the connections in your own environment, but still not really elegant.. So the goal is to also encrypt the traffic between client and cache server.
There is apparently no support for TLS in apt-cacher-ng, but you can still configure an Nginx proxy (or what ever proxy you find handy) at the cache server, which supports TLS and just forwards requests to the upstream apt-cacher-ng at the same machine. Or you could setup an stunnel.
Supplemental
There are a few other workarounds for this issue available. Most of them just show how to circumvent caching for HTTPS repositories (which somehow reduces the cache server to absurdity). Here, I just documented the (in my eyes) cleanest solution.
- network (68) ,
- security (29) ,
- software (160) ,
- university (46) ,
- administration (43) ,
- debian (27) ,
- linuxunix (24) ,
- howto (27)
- aptitude (13) ,
- config (21) ,
- crypt (4) ,
- debian (39) ,
- dns (2) ,
- docker (17) ,
- fix (13) ,
- ftp (2) ,
- http (6) ,
- job (10) ,
- cache (1) ,
- network (81) ,
- nginx (3) ,
- proxy (7) ,
- remote (22) ,
- security (31) ,
- ssl (10) ,
- ubuntu (10) ,
- update (9) ,
- curl (8)
Martin Scharm
Leave a comment
There are multiple options to leave a comment:
- send me an email
- submit a comment through the feedback page (anonymously via TOR)
- Fork this repo at GitHub, add your comment to the _data/comments directory and send me a pull request
- Fill the following form and Staticman will automagically create a pull request for you:
4 comments
Super helpful. Unfortunately it’s a bit of a manual process as it would be nice to have a little more transparent solution but much better than just circumventing the cache for https which I was currently doing.
Very helpful! One addition: in my case, I did not need the DNS entry on the client, as apt connects to the configured proxy regardless of the hostname from the sources.list. The Remap-rule on the caching proxy then resolves it to the target.
Thanks a lot. I used stunnel instead of a Nginx Forward Proxy to secure the connection between the clients and the server.
Hi,
I still wonder why this is a problem for apt-cacher-ng.
It works like a charm in Nexus. I have an apt cache there for the main Debian repository, which caches “https://deb.debian.org/debian”. sources.list entries look like “deb https://nexus.server/repository/debian bullseye main contrib non-free”. No “Acquire::http” setting needed.
See also: https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/apt-repositories