[Bug 1952720] Re: apt uses proxy in order to access local resources
David Kalnischkies
1952720 at bugs.launchpad.net
Tue Nov 30 11:43:16 UTC 2021
apt contacts the squid proxy (which is on your local machine) hence the ipv6 from your machine. The "Forbidden" is the reply from the proxy for the request. squid-deb-proxy hardcodes an allowlist for mirrors and sources to contact and ips that can contact the proxy. I would presume that either (or both) does not match with your reality (anymore) and hence denies the request. You actually confirmed this already by disabling the checks in the config which resulted in it working (again).
As apt works as it should be here, reassign to the suqid-proxy package.
** Package changed: apt (Ubuntu) => squid-deb-proxy (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1952720
Title:
apt uses proxy in order to access local resources
Status in squid-deb-proxy package in Ubuntu:
New
Bug description:
apt uses proxy in order to access local resources. This leads to
errors when the proxy is configured to allow only access to the
resources that apt is actually expected to be trying to reach.
Steps to reproduce:
- In VirtualBox install Ubuntu 21.10, Minimal installation.
- In Terminal run:
sudo apt install squid-deb-proxy squid-deb-proxy-client
sudo apt update
After the last step, apt is trying to use the installed squid-deb-
proxy, but it fails, because the proxy is configured to allow access
only to the mirrors, but apt is trying to use it also to access the
locally available keys.
As a workaround, the proxy configuration can be changed to accept any connection:
in /etc/squid-deb-proxy/squid-deb-proxy.conf replace the line:
'http_access deny !to_archive_mirrors'
with
'http_access allow all'
run 'sudo systemctl restart squid-deb-proxy'
Now, 'sudo apt update' will succeed.
While what I managed to "correct" the issue by amending squid-deb-
proxy configuration, I believe that it is a bug in apt that uses the
proxy when not appropriate.
The output of the failing sudo apt update (with IP addresses "anonymized"; the address 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 is supposed to be the IP assigned to the machine where the apt client is running):
Err:1 http://lu.archive.ubuntu.com/ubuntu impish InRelease
403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Err:2 http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease
403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Err:3 http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease
403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Err:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Connection failed [IP: 127.0.0.1 8000]
Reading package lists... Done
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish InRelease' is no longer signed.
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-updates/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-backports/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1952720/+subscriptions
More information about the foundations-bugs
mailing list