installing Ubuntu https PPA's with squid caching

Stuart McGraw smcg4191 at mtneva.com
Wed Nov 21 21:26:40 UTC 2018


On 11/20/18 1:24 AM, Colin Watson wrote:
> On Sun, Nov 18, 2018 at 10:16:48PM -0700, Stuart McGraw wrote:
>> TL;DR: How to set up apt and a squid proxy so that
>> https urls are cached?
> 
> The standard mechanism for proxying HTTPS, and as far as I know the only
> method that apt supports directly for https:// URLs, asks the proxy to
> set up a tunnelled encrypted connection (using the HTTP CONNECT verb)
> and then does end-to-end-encrypted communication with the target host.
> When using this setup, squid can really only shuffle bytes back and
> forward; it doesn't see enough of the request or response to be able to
> cache anything.  (Of course this is still sometimes useful in situations
> where the issue is connectivity rather than bandwidth.)
> 
> I think your best bet is going to be apt-cacher-ng: you can use its
> "remapping" facility to tell it that a given set of http:// and/or
> https:// mirrors are in fact to be considered identical for the purposes
> of caching, or it has a hack where you can put "HTTPS///" in the URL so
> that apt thinks it's using HTTP but then apt-cacher-ng uses HTTPS to
> talk to the upstream mirror.  Either way is going to involve adjusting
> URLs on the client side, but it sounds like that will be worth it for
> you.
> 
> Some links:
> 
>    https://www.unix-ag.uni-kl.de/~bloch/acng/html/config-servquick.html#config-client
>    https://www.unix-ag.uni-kl.de/~bloch/acng/html/config-serv.html#repmap
>    https://www.unix-ag.uni-kl.de/~bloch/acng/html/howtos.html#ssluse
> 

Thanks, I've started looking at acng but it feels like a sub-optimal
solution:
- Project hasn't seen any activity in 5 years
- Caching seems to be a complex business and seems like Squid or something
   similar is likely more widely used and hence more robust.
- acng is limited to Ubuntu/Debian servers (my current Squid solution
   is running on an old Fedora box and I hoped to also cache Fedora rpms.)
However, if that is the only viable option then that's just how things
are.  :-(

I guess I remain surprised at the lack of a good general solution since
it seems this is a growing problem with the promotion of https everywhere.
I had hoped that Squid could accept an http connection from a client and
proxy it as a https connection to the destination server (glossing over
how it knows whether to do that or not).  But since I have only rudimentary
knowledge of modern http and https, I am probably missing some technical
difficulties.

Thanks for the info.
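As an added illustration of the client-side URL adjustment Colin describes (this is example code written for this page, not from the thread, from apt or from apt-cacher-ng): a small POSIX shell helper that rewrites sources.list lines so apt talks plain HTTP to the cache while acng fetches upstream over HTTPS using its "HTTPS///" prefix. The cache address and port are assumptions; the sample sources are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite apt sources.list lines so that
# apt speaks plain HTTP to an apt-cacher-ng instance, which in turn fetches
# the upstream mirror over HTTPS via acng's "HTTPS///" URL prefix.
# The cache address below is an assumption (acng listens on 3142 by default).
ACNG_HOST="${ACNG_HOST:-apt-cache.example.internal:3142}"

# Rewrite one line. Blank lines and comments pass through unchanged.
#   deb https://host/path ...  ->  deb http://$ACNG_HOST/HTTPS///host/path ...
#   deb http://host/path  ...  ->  deb http://$ACNG_HOST/host/path ...
# The plain-http rule runs first: "http://" never matches inside "https://",
# so the second rule cannot rewrite an already rewritten line a second time.
rewrite_source_line() {
    case "$1" in
        ''|'#'*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "$1" | sed \
             -e "s#\([[:space:]]\)http://#\1http://$ACNG_HOST/#" \
             -e "s#\([[:space:]]\)https://#\1http://$ACNG_HOST/HTTPS///#" ;;
    esac
}

# Rewrite a whole sources file read from stdin, one line at a time.
rewrite_sources() {
    while IFS= read -r line || [ -n "$line" ]; do
        rewrite_source_line "$line"
    done
}

# Constructed sample input standing in for /etc/apt/sources.list.d/ppa.list.
SAMPLE='# example PPA (constructed sample, not a real source)
deb https://ppa.launchpadcontent.net/example/ppa/ubuntu bionic main
deb-src https://ppa.launchpadcontent.net/example/ppa/ubuntu bionic main
deb http://archive.ubuntu.com/ubuntu bionic main'

printf '%s\n' "$SAMPLE" | rewrite_sources
```

Note that apt then sees only http:// URLs, so the cache must be on a trusted network segment: apt's signature verification still protects package integrity, but the client-to-cache hop is no longer encrypted.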