squid-deb-proxy squid-deb-proxy-client do not work out of the box

Bug #1952720 reported by David Laštovička
This bug affects 1 person
Affects: squid-deb-proxy (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

In my understanding, squid-deb-proxy and squid-deb-proxy-client are supposed to be fully autoconfigured. Yet, their installation on a plain Ubuntu produces errors when apt is launched.

Steps to reproduce:

- In VirtualBox install Ubuntu 21.10, Minimal installation.
- In Terminal run:
  sudo apt install squid-deb-proxy squid-deb-proxy-client
  sudo apt update

After the last step, apt is trying to use the installed squid-deb-proxy, but it fails. This behaviour I confirmed also in a local network on distinct computers (squid-deb-proxy on one computer, squid-deb-proxy-client another).

As a workaround, the proxy configuration can be changed to accept any connection:
in /etc/squid-deb-proxy/squid-deb-proxy.conf replace the line:
'http_access deny !to_archive_mirrors'
with
'http_access allow all'
run 'sudo systemctl restart squid-deb-proxy'
Now, 'sudo apt update' will succeed, but obviously my "solution" is not correct.

The output of the failing sudo apt update (with IP addresses "anonymized"; the address 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 is supposed to be the IP assigned to the machine where the squid-deb-proxy is running):
Err:1 http://lu.archive.ubuntu.com/ubuntu impish InRelease
  403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Err:2 http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease
  403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Err:3 http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease
  403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Ign:4 http://security.ubuntu.com/ubuntu impish-security InRelease
Err:4 http://security.ubuntu.com/ubuntu impish-security InRelease
  Connection failed [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
Reading package lists... Done
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish InRelease' is no longer signed.
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-updates/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-updates InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://lu.archive.ubuntu.com/ubuntu/dists/impish-backports/InRelease 403 Forbidden [IP: 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 8000]
E: The repository 'http://lu.archive.ubuntu.com/ubuntu impish-backports InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Julian Andres Klode (juliank) wrote :

This is a local configuration issue and not a bug in apt. APT does not know how your proxy configuration will interact with your sources.list.

Changed in apt (Ubuntu):
status: New → Invalid
David Laštovička (david-lastovicka) wrote :

This is not a local configuration issue. Please see the steps to reproduce: besides the 'sudo apt install squid-deb-proxy squid-deb-proxy-client' there is no additional configuration present.

The issue is not in "how your proxy configuration will interact with your sources.list" but in "apt using proxy in order to access local resources on the machine where apt is installed", it is not an access to whatever in sources.list that triggers the errors, but an attempt to access localhost through the proxy.

David Laštovička (david-lastovicka) wrote :

For reference, see below the content of the sources.list (comments stripped, sources.list.d is empty; you can see that it contains neither 127.0.0.1 nor 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 mentioned in the error messages; the 2a03:687:4ea:4900:fe9f:937c:3487:4cd3 is the IP assigned by DHCP to the apt's localhost):
deb http://lu.archive.ubuntu.com/ubuntu/ impish main restricted
deb http://lu.archive.ubuntu.com/ubuntu/ impish-updates main restricted
deb http://lu.archive.ubuntu.com/ubuntu/ impish universe
deb http://lu.archive.ubuntu.com/ubuntu/ impish-updates universe
deb http://lu.archive.ubuntu.com/ubuntu/ impish multiverse
deb http://lu.archive.ubuntu.com/ubuntu/ impish-updates multiverse
deb http://lu.archive.ubuntu.com/ubuntu/ impish-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu impish-security main restricted
deb http://security.ubuntu.com/ubuntu impish-security universe
deb http://security.ubuntu.com/ubuntu impish-security multiverse

David Laštovička (david-lastovicka) wrote :

After having provided additional explanation and information, I've changed the status to New again. If you are still persuaded that it is not a bug, please, feel free to close it somehow definitely.

Changed in apt (Ubuntu):
status: Invalid → New
David Kalnischkies (donkult) wrote :

apt contacts the squid proxy (which is on your local machine) hence the ipv6 from your machine. The "Forbidden" is the reply from the proxy for the request. squid-deb-proxy hardcodes an allowlist for mirrors and sources to contact and ips that can contact the proxy. I would presume that either (or both) does not match with your reality (anymore) and hence denies the request. You actually confirmed this already by disabling the checks in the config which resulted in it working (again).
As apt works as it should here, reassign to the squid-proxy package.

affects: apt (Ubuntu) → squid-deb-proxy (Ubuntu)
David Laštovička (david-lastovicka) wrote :

I attach my /etc/squid-deb-proxy folder which might be relevant for the squid-deb-proxy team (although I didn't change these configuration files, it is just as it is after installing the squid-deb-proxy package).

In my opinion, the relevant part of the configuration is in: autogenerated/mirror-dstdomain.acl file containing lines:
.archive.ubuntu.com
security.ubuntu.com

That in my opinion covers the lu.archive.ubuntu.com as well as security.ubuntu.com in my sources.list, and I still consider it as a problem in apt. Yet, thank you for looking into that.
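
Added example (not part of the thread and not code from squid-deb-proxy): a check of the two allowlists discussed above, the destination list quoted from mirror-dstdomain.acl and a list of permitted client networks. The network list, the use of the address from the apt output as the client's source address, and all function names are assumptions made for illustration; the matcher follows squid's dstdomain rule that a leading dot covers the domain and its subdomains.

```python
import ipaddress
from urllib.parse import urlsplit

# dstdomain entries quoted in the thread (autogenerated/mirror-dstdomain.acl).
MIRROR_DSTDOMAIN = [".archive.ubuntu.com", "security.ubuntu.com"]
# CONSTRUCTED source-network allowlist (assumption, not the package's file).
SAMPLE_SRC_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       "127.0.0.1/32", "::1/128"]
# Two lines taken from the sources.list posted in the thread.
SOURCES_LIST = """\
deb http://lu.archive.ubuntu.com/ubuntu/ impish main restricted
deb http://security.ubuntu.com/ubuntu impish-security main restricted
"""

def dstdomain_matches(host, entry):
    """Squid dstdomain: '.example.com' covers the domain and all of its
    subdomains; an entry without the leading dot is an exact host match."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def sources_hosts(text):
    """Host names used by the deb/deb-src lines of a sources.list body."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ("deb", "deb-src"):
            uri = next((f for f in fields[1:] if "://" in f), None)
            if uri and urlsplit(uri).hostname:
                hosts.add(urlsplit(uri).hostname)
    return hosts

def src_allowed(client_ip, networks):
    """True if the client address falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def diagnose(client_ip, sources_text, dstdomains, networks):
    """Return (hosts no dstdomain entry covers, whether the source passes)."""
    uncovered = sorted(h for h in sources_hosts(sources_text)
                       if not any(dstdomain_matches(h, e) for e in dstdomains))
    return uncovered, src_allowed(client_ip, networks)

if __name__ == "__main__":
    # Address from the apt output, assumed here to be the client's source IP.
    print(diagnose("2a03:687:4ea:4900:fe9f:937c:3487:4cd3", SOURCES_LIST,
                   MIRROR_DSTDOMAIN, SAMPLE_SRC_NETWORKS))
```

An empty first element means the destination allowlist covers every host in sources.list, so a remaining 403 would have to come from another rule, such as a source-address one; that narrows the fix to one ACL instead of `http_access allow all`.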

David Laštovička (david-lastovicka) wrote :

David Kalnischkies: I confirm this statement: "apt contacts the squid proxy (which is on your local machine) hence the ipv6 from your machine".

After testing it in a real network on distinct computers, the IP address is indeed not apt's address but squid-deb-proxy's address.

summary: - apt uses proxy in order to access local resources
+ squid-deb-proxy squid-deb-proxy-client do not work out of the box
David Laštovička (david-lastovicka) wrote :

I have amended the issue's subject and description by removing possibly wrong assumptions about apt, and an incorrect description of the IP address.

description: updated