NGINX as frontend, apt cacher ng as backend

Hi, when I dump apt-cacher-ng traffic on the port, I see GET http://ports.ubuntu.com/dist/jammy/InRelease

When I try to get it through nginx with proxy_pass http://localhost:3142/; I see GET /dist/jammy/InRelease. I think that's why apt-cacher-ng refuses it. I set proxy_http_version 1.1 (but I still see the header Connection: close).

I wish to keep nginx as the frontend to have easy certbot integration.

Hi @BRULE_Herman!

Can you share your NGINX config? I assume apt-cacher-ng is running on port 3142? What error are you seeing?

    user nginx;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 5000;
        multi_accept on;
    }

    http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;
        client_max_body_size 16M;

        server_names_hash_bucket_size 64;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log off; # access_log /dev/null;
        error_log /var/log/nginx/error.log;

        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 9;
        gzip_buffers 64 32k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/x-javascript;

        server {
            listen 80;
            listen [::];

            server_name example.com;

            location / {
                proxy_pass http://localhost:3142/;
                proxy_set_header Host $host;
            }
        }

        server {
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            ssl_certificate /etc/letsencrypt/live/cache-gentoo-dc1.confiared.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cache-gentoo-dc1.confiared.com/privkey.pem;

            server_name cache-debian-dc1.confiared.com;

            location / {
                proxy_pass http://localhost:3142/;
                proxy_set_header Host $host;
            }
        }

        server {
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            ssl_certificate /etc/letsencrypt/live/cache-gentoo-dc3.confiared.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cache-gentoo-dc3.confiared.com/privkey.pem;

            server_name cache-debian-dc3.confiared.com;

            location / {
                proxy_pass http://localhost:3142/;
                proxy_set_header Host $host;
            }
        }
    }

configuration file /etc/nginx/mime.types:


Error 504

Error 504 means something is timing out. If you try to access http://localhost:3142 directly, does apt-cacher-ng work as expected?

curl http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease working

curl -x http://localhost:3142 http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease working

So there is nothing actually listening on http://localhost:3142 right? Your NGINX config is telling NGINX to proxy to http://localhost:3142. If there is nothing listening on that port then NGINX is proxying to an invalid endpoint. Try changing proxy_pass http://localhost:3142/; to something along the lines of proxy_pass http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease;.

curl http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease working

curl -x http://localhost:3142 http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease working

apt-cacher-ng is listening on 3142 and perfectly functional.

Here the problem seems to be the protocol.

Okay, so apt-cacher-ng is on port 3142, but if you query port 3142 without specifying the Ubuntu repos, what happens? By using proxy_pass ...:3142 you are proxying to apt-cacher-ng, but if the cacher isn’t then proxying to the Ubuntu repos, nothing will really happen.

I found a blog post that might be useful: "Fronting apt-cacher-ng with nginx" (community.riocities.com). You should probably also look into configuring the apt-cacher-ng proxy: "Apt-Cacher NG - Community Help Wiki".

apt-cacher-ng is an HTTP proxy; it needs the destination URL.

curl -x http://localhost:80 http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease

503 Host not found

503 Host not found


Server: Apt-Cacher-NG/3.7.4  |  Usage Information  |  Donate!  |  Apt-Cacher NG homepage

curl -x http://localhost:3142 http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease
gives the right content.

Forget about running curl -x for the time being. As far as I know (and I could be wrong here) that exact behaviour cannot be replicated within NGINX. At a very simple level, if apt-cacher-ng is an http proxy, running curl http://localhost:3142 should redirect you to http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease. If that is the case, you could then configure NGINX the way you have to run curl http://localhost:80 instead and still reach the Ubuntu repo.

As far as I can tell, the issue lies in your apt-cacher-ng config, but I am not familiar with the tool. If the docs above don’t help, then hopefully someone else can lend a hand here.

curl http://localhost:3142/ubuntu-ports/dists/jammy/InRelease

503 Host not found Server: Apt-Cacher-NG/3.7.4

Why? apt-cacher-ng is an HTTP proxy, meaning it doesn't have content and doesn't have a destination defined. It's exactly the http_proxy you configure in Firefox/curl; this kind of proxy needs the real destination. So apt-cacher-ng works exactly as expected, as an http_proxy. (I have done multiple proxies in my life, including SOCKS5 and protocol-specific proxies.) And I don't wish to make a wrapper just for this.

In that case, you might not be able to use NGINX like you intend to do per my previous comment. NGINX can only act as a reverse proxy, which means it has to reach the target server/destination for it to work. You cannot natively use an intermediary proxy between the NGINX proxy and your endpoint.

There might be some third party custom modules out there that let you do this, but I do not know for sure. Best of luck!

As an aside, the following LWN article discussed reasons why tools like apt-cacher-ng exist and many prefer them to using generic web proxies for this purpose (which does also work, at least “mostly”).

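The request-target difference this thread turns on, as an added example that is not code from any poster: it sends the same GET once the way `curl -x` does and once the way the posted `proxy_pass` block does, and records what the backend actually receives. The local listener is a constructed stand-in for apt-cacher-ng on port 3142, and the function names are hypothetical.

```python
import http.client
import socket
import threading

# URL and frontend name come from the thread; the listener is a constructed stand-in.
UPSTREAM_URL = "http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease"
FRONTEND_HOST = "example.com"

def capture(target, headers=None):
    """Send GET <target> to a one-shot local listener; return (request-target, Host) as received."""
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port standing in for 3142
    srv.settimeout(5)
    seen = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:  # read until the end of the header block
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            head = data.decode("latin-1").split("\r\n")
            seen["target"] = head[0].split(" ")[1]
            hosts = [h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")]
            seen["host"] = hosts[0] if hosts else None
            conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")

    worker = threading.Thread(target=serve)
    worker.start()
    client = http.client.HTTPConnection("127.0.0.1", srv.getsockname()[1], timeout=5)
    client.request("GET", target, headers=headers or {})
    client.getresponse().read()
    client.close()
    worker.join()
    srv.close()
    return seen["target"], seen["host"]

def forward_proxy_style():
    # Like `curl -x http://localhost:3142 URL`: the absolute-form target names the upstream.
    return capture(UPSTREAM_URL)

def reverse_proxy_style():
    # Like nginx with `proxy_pass http://localhost:3142/;` and `proxy_set_header Host $host;`:
    # origin-form target, and Host carries the frontend's name, not the upstream's.
    return capture("/ubuntu-ports/dists/jammy/InRelease", {"Host": FRONTEND_HOST})

if __name__ == "__main__":
    print(forward_proxy_style(), reverse_proxy_style())
```

In the second case neither the request line nor the Host header mentions ports.ubuntu.com, so a backend that needs the real destination has nothing to resolve.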