[Bug 1952720] Re: apt uses proxy in order to access local resources

David Kalnischkies 1952720 at bugs.launchpad.net
Tue Nov 30 11:43:16 UTC 2021 

apt contacts the squid proxy (which is on your local machine) hence the ipv6 from your machine. The "Forbidden" is the reply from the proxy for the request. squid-deb-proxy hardcodes an allowlist for mirrors and sources to contact and ips that can contact the proxy. I would presume that either (or both) does not match with your reality (anymore) and hence denies the request. You actually confirmed this already by disabling the checks in the config which resulted in it working (again).
As apt works as it should be here, reassign to the suqid-proxy package.

** Package changed: apt (Ubuntu) => squid-deb-proxy (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1952720

Title:
  apt uses proxy in order to access local resources

Status in squid-deb-proxy package in Ubuntu:
  New

Bug description:
  apt uses proxy in order to access local resources. This leads to
  errors when the proxy is configured to allow only access to the
  resources that apt is actually expected to be trying to reach.

  Steps to reproduce:

  - In VirtualBox install Ubuntu 21.10, Minimal installation.
  - In Terminal run:
    sudo apt install squid-deb-proxy squid-deb-proxy-client
    sudo apt update

  After the last step, apt is trying to use the installed squid-deb-
  proxy, but it fails, because the proxy is configured to allow access
  only to the mirrors, but apt is trying to use it also to access the
  locally available keys.

  As a workaround, the proxy configuration can be changed to accept any connection:
  in /etc/squid-deb-proxy/squid-deb-proxy.conf replace the line:
  'http_access deny !to_archive_mirrors'
  with
  'http_access allow all'
  run 'sudo systemctl restart squid-deb-proxy'
  Now, 'sudo apt update' will succeed.

  While what I managed to "correct" the issue by amending squid-deb-
  proxy configuration, I believe that it is a bug in apt that uses the
  proxy when not appropriate.

  The output of the failing sudo apt update (with IP addresses "anonymized"; the address 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 is supposed to be the IP assigned to the machine where the apt client is running):
  Err:1 http://lu.archive.ubuntu.com/ubuntu impish InRelease
    403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  Err:2 http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease
    403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  Err:3 http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease
    403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
  Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
  Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
  Err:4 http://security.ubuntu.com/ubuntu impish-security InRelease
    Connection failed [IP: 127.0.0.1 8000]
  Reading package lists... Done
  N: See apt-secure(8) manpage for repository creation and user configuration details.
  N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish InRelease' is no longer signed.
  E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish/InRelease  403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-updates/InRelease  403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease' is no longer signed.
  N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  N: See apt-secure(8) manpage for repository creation and user configuration details.
  E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-backports/InRelease  403  Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
  E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease' is no longer signed.
  N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  N: See apt-secure(8) manpage for repository creation and user configuration details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1952720/+subscriptions

More information about the foundations-bugs mailing list