
squid-debproxy-conf

Overview

This package provides a squid proxy config optimized for caching deb packages for Debian systems. It features:

  • caching rules for corresponding filetypes
  • mirror awareness: the same cache entry is used for the same file even if it is requested from a different mirror

Mirroring-aware caching

Caching complexity for Debian mirrors comes from the need to gracefully handle both mobile devices such as laptops and static machines with the same apt sources configuration (no complicated client-side setup) while taking advantage of the deb.debian.org transparent mirror service when on the move.

The following implementations appear as good candidates to handle this in a squid instance:

  1. Let deb.debian.org transparently handle serving from a good mirror for us.

    This is the simplest and recommended option. This is also the default.

  2. Redirect all deb.debian.org requests to the mirror chosen by the administrator (Squid option url_rewrite_program).

    While this drops the failover nature of the mirror service, this is an option in case usage of a specific mirror is to be forced on a network.

  3. Allow all mirrors and ensure caching of the same files downloaded on different mirrors (Squid Store ID)

    This solution is interesting but requires the administrator to either build up some rule to identify a Debian mirror or maintain a list of Debian mirrors.
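
A sketch of option 3 as a Squid Store ID helper (an added example, not part of this package's configuration): it collapses pool/ URLs from an administrator-maintained mirror list onto one cache key and leaves every other URL alone, so a host outside the list cannot write into the shared cache entry. The mirror list, the /debian/pool/ prefix and the debian-pool.squid.internal key name are assumptions; the helper would be wired in with Squid's store_id_program directive.

```python
#!/usr/bin/env python3
"""Store ID helper sketch for Squid's store_id_program interface."""
import sys
from urllib.parse import urlsplit

# Constructed allowlist: the administrator-maintained list of Debian mirrors.
DEBIAN_MIRRORS = {"deb.debian.org", "ftp.de.debian.org", "ftp.fr.debian.org"}
# Only pool/ files are shared: a given package file name is immutable.
# Index files under dists/ (Release, InRelease, Packages) change with every
# mirror sync, so they keep their per-mirror cache entries.
POOL_PREFIX = "/debian/pool/"
CANONICAL = "http://debian-pool.squid.internal/"  # hypothetical key prefix


def store_id(url):
    """Return the shared cache key for url, or None to keep Squid's default."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return None  # malformed URL: leave it alone
    if parts.scheme != "http" or host not in DEBIAN_MIRRORS:
        return None  # unlisted host: never let it write into the shared key
    if parts.query or ".." in parts.path or "%" in parts.path:
        return None  # refuse anything that is not a plain pool path
    if not parts.path.startswith(POOL_PREFIX):
        return None
    return CANONICAL + parts.path[len(POOL_PREFIX):]


def answer(line):
    """Build the helper reply for one request line sent by Squid."""
    fields = line.split()
    if not fields:
        return "ERR"
    channel = ""
    if fields[0].isdigit():  # helper concurrency on: echo the channel ID
        channel = fields.pop(0) + " "
    key = store_id(fields[0]) if fields else None
    return channel + (f"OK store-id={key}" if key else "ERR")


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(answer(request) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer
```
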

Quick Start

In a simple setup all you need to do is to install squid-debproxy-conf on your server and configure your clients. You can verify caching by looking at the logs in /var/log/squid/access.log on your server.

Client setup

You can configure the client manually. The sources.list should point to your preferred mirror (no change needed usually). Then add Acquire::http::Proxy to your apt configuration, e.g. via:

# echo 'Acquire::http::Proxy "http://proxy-server-hostname:3128/";' > \
     /etc/apt/apt.conf.d/proxy.conf

For machines changing networks (e.g. laptops), auto-apt-proxy is a better option.

Server setup

It should work out of the box on port 3128 for most users.

On first install, the administrator needs to run the following command:

# systemctl daemon-reload && systemctl restart squid

The default config will only allow fetching official Debian or Ubuntu/Canonical packages (Ubuntu destinations on an Ubuntu server, Debian destinations on a Debian server).

You can add more repositories via the whitelist files in /etc/squid/debproxy/mirror-dstdomain.acl.d.

By default, any request from a private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) network is granted; everything else is denied. You can add more networks by dropping a file in /etc/squid/debproxy/allowed-networks.acl.d. You may want to add your IPv6 subnets in there.

If you have a local package repository and do not want to waste your cache with those packages, drop a file with the domain list in /etc/squid/debproxy/mirror-nocache.acl.d. It will also be automatically added to the mirror whitelist.

History

This configuration improves on the work done on squid-deb-proxy.

One fundamental difference is that it is not built as a separate squid instance listening on a different port, but rather as a configuration snippet for the squid instance installed on the server host by the squid package.

Also, compared to squid-deb-proxy, it does not provide Zeroconf discovery.