I would like to use apt-cacher as my package proxy locally, especially when I am rebuilding my Docker image several times in a row. I have apt-cacher installed and running on my system.

I set my proxy address to: http://melroy-pc:3142 (melroy-pc is my hostname). In my case I create a /etc/apt/apt.conf.d/02proxy file:

```
Acquire::http::proxy "http://melroy-pc:3142";
Acquire::https::proxy "http://melroy-pc:3142";
```

(I already tried to only define `http::proxy` (without https), I also tried to add `APT::Get::AllowUnauthenticated "true";`, all WITHOUT any luck)

After which I just run my apt commands (apt update & apt install). Which causes issues now:

```
Step 9/41 : RUN apt-get update && apt-get install -y --no-install-recommends     dirmngr gnupg gnupg-l10n     gnupg-utils gpg gpg-agent     gpg-wks-client gpg-wks-server gpgconf     gpgsm libassuan0 libksba8     libldap-2.4-2 libldap-common libnpth0     libreadline8 libsasl2-2 libsasl2-modules     libsasl2-modules-db libsqlite3-0 libssl1.1     lsb-base pinentry-curses readline-common     apt-transport-https ca-certificates curl     software-properties-common apt-utils net-tools
 ---> Running in af278cee1d52
Err:1 http://deb.debian.org/debian bullseye InRelease
  403  Access to cache prohibited [IP: 192.168.2.166 3142]
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  403  Access to cache prohibited [IP: 192.168.2.166 3142]
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  403  Access to cache prohibited [IP: 192.168.2.166 3142]
Reading package lists...
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
E: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  403  Access to cache prohibited [IP: 192.168.2.166 3142]
E: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease  403  Access to cache prohibited [IP: 192.168.2.166 3142]
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
E: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease  403  Access to cache prohibited [IP: 192.168.2.166 3142]
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
```

Important note: My packages are all getting successfully installed, without any issues, when I do NOT use the proxy.

This approach used to work in the past, when I was using apt-key instead of gpg (I don't know if it's related, see my other question).

  • That 403 (access denied) code is coming from apt-cacher. What do your apt-cacher logs say? Is apt-cacher configured to allow the docker build host or the build containers (which typically have [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918) private IP addresses, IIRC in 172.16/12 by default docker config) to access it? Search for `allowed_hosts` in `/etc/apt-cacher/apt-cacher.conf` – cas Dec 28 '21 at 02:37
  • Logging says: `Mon Dec 27 15:40:56 2021|info [914]: Forked listener 1050 Tue Dec 28 02:01:30 2021|127.0.0.1|--- /usr/sbin/apt-cacher: Usage error Tue Dec 28 02:01:31 2021|127.0.0.1|--- /usr/sbin/apt-cacher: Usage error` – Melroy van den Berg Dec 28 '21 at 02:48
  • Interesting, the docs say: `# .. Setting allowed_hosts to "*" means "allow all" # (which was the default before version 1.7.0). The default is now ''.`. Unclear what '' empty string means as default value. Let's try to set it to `*`. **EDIT:** `allowed_hosts = *` fixed my problem! – Melroy van den Berg Dec 28 '21 at 02:52
  • Great! I thought it would. Can you write up what you did as an answer, and then select it as the accepted answer in a day or so if nobody comes up with an answer you like more? – cas Dec 28 '21 at 03:02
  • Thanks! Still not fully sure what `''` (empty string) does by default. Is that only localhost? I dunno. – Melroy van den Berg Dec 28 '21 at 03:05

1 Answer

As @cas pointed out, Docker host is typically using a private IP address in another local IP block. And by default apt-cacher after version 1.7.0 is using allowed_hosts = '' as default value instead of *.

Solution for me: uncomment allowed_hosts setting and put the value to * in /etc/apt-cacher/apt-cacher.conf file:

```
allowed_hosts = *
```

This will allow all IP addresses (including the Docker IPs). Of course you can also specify a specific range.

  • +1. Personally, I'd use an `allowed_hosts` setting that restricted access to only my LAN, VMs, docker containers, etc but `*` works (and is safe enough if apt-cacher is behind some kind of firewall, or has only private addresses) – cas Dec 28 '21 at 03:06
  • I understand. In my case it's indeed behind a firewall. So `*` is the easiest solution for most people, but maybe not the safest I agree. **EDIT:** are you willing to share your `allowed_hosts` syntax with us? – Melroy van den Berg Dec 29 '21 at 01:54
  • I don't actually use apt-cacher at the moment. I just mirror debian. – cas Dec 29 '21 at 02:23
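
The thread leaves two points open: what the empty default admits, and what a narrower value than `*` would let through. The following is an added example, not part of the original posts and not apt-cacher's own code. It models the rule as described in the comments of the stock `apt-cacher.conf`, taken here as an assumption: localhost is always allowed, and any other client must match `allowed_hosts` (a comma-separated list of addresses, optional masks, or hyphenated ranges) and not match `denied_hosts`. The sample clients and the `192.168.2.0/24` LAN range are constructed for illustration.

```python
import ipaddress

# Localhost is always admitted, whatever allowed_hosts says (assumed from the conf comments).
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Constructed sample clients; none of these addresses come from a real deployment.
CLIENTS = {
    "localhost": "127.0.0.1",
    "docker-container": "172.17.0.2",
    "lan-workstation": "192.168.2.50",
    "internet-host": "203.0.113.10",
}

def parse_hosts(value):
    """Turn an allowed_hosts / denied_hosts value into a list of match functions."""
    matchers = []
    for item in value.strip().strip("'\"").split(","):
        item = item.strip()
        if not item:
            continue                      # '' (the post-1.7.0 default) yields no matchers
        if item == "*":
            matchers.append(lambda ip: True)
        elif "-" in item:                 # range: two addresses, no masks
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            matchers.append(lambda ip, lo=lo, hi=hi: ip.version == lo.version and lo <= ip <= hi)
        else:                             # single address, CIDR, or address/netmask
            net = ipaddress.ip_network(item, strict=False)
            matchers.append(lambda ip, net=net: ip in net)
    return matchers

def is_allowed(client, allowed_hosts="", denied_hosts=""):
    """Loopback always passes; others must match allowed_hosts and not denied_hosts."""
    ip = ipaddress.ip_address(client)
    if any(ip in net for net in LOOPBACK):
        return True
    allowed = any(match(ip) for match in parse_hosts(allowed_hosts))
    denied = any(match(ip) for match in parse_hosts(denied_hosts))
    return allowed and not denied

def audit(policies):
    """Map each allowed_hosts value to the sample clients it would admit."""
    return {p: [name for name, ip in CLIENTS.items() if is_allowed(ip, p)] for p in policies}

if __name__ == "__main__":
    for policy, admitted in audit(["", "*", "192.168.2.0/24, 172.16.0.0/12"]).items():
        print(f"allowed_hosts = {policy!r:34} admits {admitted}")
```

Under these assumptions the empty default admits only localhost, which matches the 403 the build containers received, while the restricted value admits the LAN and Docker ranges but not the outside host.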