APT-CACHER-NG - Advanced Config
Latest revision as of 06:51, 17 January 2026
Architecture and Internal Design
APT-Cacher-NG (ACNG) acts as a specialized HTTP proxy optimized for package managers such as APT. Unlike generic proxies, it understands repository layouts and package metadata patterns.
Request Flow
- Client sends HTTP request for a package or index file
- ACNG checks its local cache directory
- If present and valid, the cached object is served
- If missing or expired, ACNG fetches it from the upstream repository
- The fetched object is stored and indexed locally
Cache Storage Model
- Cache root usually located in /var/cache/apt-cacher-ng
- Files are stored using a hashed directory structure
- Metadata files (.db, .head) are maintained for validation and expiration
- Index files are cached separately from binary packages
Protocol Support
- HTTP (native)
- HTTPS via CONNECT tunneling (limited inspection)
- IPv4 and IPv6
Performance Characteristics
- Optimized for many small files (package indexes)
- Handles concurrent clients efficiently
- Reduces bandwidth and mirror load significantly in multi-host environments
Configuration Directives (Advanced)
Configuration files are typically located in /etc/apt-cacher-ng.
Important Configuration Files
- acng.conf – main configuration
- security.conf – access control rules
- backends_*.conf – repository mappings
Cache Behavior Tuning
CacheDir: /var/cache/apt-cacher-ng
ExTreshold: 4
MaxSpareThreadCount: 20
MaxThreads: 100
- ExTreshold: expiration sensitivity for index files
- MaxThreads: controls parallel client handling
- MaxSpareThreadCount: idle worker threads kept alive
Repository Remapping
ACNG can remap repository URLs to alternative mirrors:
Remap-debian: file:deb_mirror*.conf
Remap-ubuntu: file:ubuntu_mirror*.conf
This allows transparent redirection without client-side changes.
Client Configuration and Usage Examples
System-Wide APT Proxy Configuration
Acquire::http::Proxy "http://proxy-server:3142";
Acquire::https::Proxy "http://proxy-server:3142";
Per-Command Proxy Usage
apt-get -o Acquire::http::Proxy="http://proxy-server:3142" update
Verifying Proxy Usage
apt-get -o Debug::Acquire::http=true update
Logs should show requests routed through the ACNG proxy.
Cache Management and Maintenance
Manual Cache Cleanup
apt-cacher-ng -c /etc/apt-cacher-ng -s
- Removes expired and orphaned files
- Rebuilds internal metadata databases
Cache Statistics
curl http://localhost:3142/acng-report.html
Provides:
- Cache hit ratio
- Disk usage
- Traffic savings
- Active connections
Pre-Fetching Packages
apt-get --download-only install linux-image-amd64
Used on one client to populate cache for others.
Security Concepts
Access Control
Access rules are defined in security.conf:
Allow: 192.168.1.0/24
Deny: all
- Supports CIDR notation
- First-match rule evaluation
- Deny rules should always be explicit
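The first-match evaluation described above, as an added Python example (not apt-cacher-ng's own code): it parses rules in the Allow/Deny syntax shown on this page, evaluates a client address against them in order, and flags rules that an earlier rule makes unreachable. The function names and the `default` fall-through parameter are assumptions, since the page does not state what happens when no rule matches; the reordered and too-broad rule sets are constructed.

```python
import ipaddress

def parse_rules(text):
    """Parse 'Allow: <CIDR>' / 'Deny: all' lines into (action, networks) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, target = line.partition(":")   # split at the first colon only
        action, target = action.strip().lower(), target.strip()
        if action not in ("allow", "deny") or not target:
            raise ValueError(f"unparseable rule: {raw!r}")
        if target.lower() == "all":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets = [ipaddress.ip_network(target)]  # strict: rejects host bits set
        rules.append((action, nets))
    return rules

def decide(rules, client_ip, default="deny"):
    """Return the action of the first rule matching client_ip, else `default`."""
    addr = ipaddress.ip_address(client_ip)
    for action, nets in rules:
        if any(addr.version == n.version and addr in n for n in nets):
            return action
    return default   # assumption: fall-through behaviour is not stated on the page

def shadowed(rules):
    """Indexes of rules fully covered by a single earlier network (never reached)."""
    dead = []
    for i, (_, nets) in enumerate(rules):
        earlier = [m for _, ms in rules[:i] for m in ms]
        if all(any(n.version == m.version and n.subnet_of(m) for m in earlier)
               for n in nets):
            dead.append(i)
    return dead

# Constructed rule sets; only the first is taken from the page.
PAGE_RULES = "Allow: 192.168.1.0/24\nDeny: all"
REORDERED = "Deny: all\nAllow: 192.168.1.0/24"
TOO_BROAD = "Allow: 192.168.0.0/16\nDeny: 192.168.2.0/24\nDeny: all"

if __name__ == "__main__":
    for name, text in [("page", PAGE_RULES), ("reordered", REORDERED), ("broad", TOO_BROAD)]:
        rules = parse_rules(text)
        print(name, decide(rules, "192.168.1.50"), decide(rules, "192.168.2.5"), shadowed(rules))
```

With the too-broad set, 192.168.2.5 is allowed even though a Deny rule names its subnet, because the wider Allow rule is evaluated first.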
Authentication Limitations
- ACNG does not natively support user authentication
- Intended for trusted networks
- Authentication must be enforced externally (firewall, VPN)
HTTPS Considerations
- HTTPS repositories are tunneled, not cached at object level
- Index files may still be cached depending on client behavior
- Full HTTPS caching requires repository-specific configuration
Network-Level Hardening
- Bind to specific interface:
BindAddress: 192.168.1.10
- Use firewall rules to restrict access to port 3142
- Recommended to run behind NAT or internal VLAN
Privilege Model
- Runs as unprivileged user
- No need for root access during normal operation
- Writes only to cache and log directories
Logging and Monitoring
Log Files
- /var/log/apt-cacher-ng/access.log
- /var/log/apt-cacher-ng/error.log
Log Verbosity
VerboseLog: 1
Debug: 7
Higher debug levels significantly increase log volume.
Common Log Patterns
- HIT – served from cache
- MISS – fetched from upstream
- EXPIRED – revalidated content
Troubleshooting
Clients Bypass the Cache
- Verify proxy settings on client
- Ensure no conflicting proxy definitions
- Check access.log for incoming requests
grep MISS /var/log/apt-cacher-ng/access.log
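One way to check a client for conflicting proxy definitions, as an added Python example that is not part of the original page: it reads apt.conf.d-style fragments in lexical order, works out which `Acquire::http(s)::Proxy` value ends up effective, and reports later overrides, per-host `DIRECT` entries and proxies other than the expected ACNG address. The fragment names, the `corp-proxy` and `mirror.internal` hosts and the function names are constructed for illustration; only the one-line setting form is parsed.

```python
import re

# One-line settings such as:  Acquire::http::Proxy "http://proxy-server:3142";
# and per-host overrides:     Acquire::http::Proxy::mirror.internal "DIRECT";
SETTING = re.compile(
    r'^\s*Acquire::(https?)::Proxy(?:::([^\s"]+))?\s+"([^"]*)"\s*;', re.I)

def proxy_settings(fragments):
    """Yield (file, scheme, host, value); host is None for the global setting."""
    for name in sorted(fragments):          # apt reads apt.conf.d in lexical order
        for line in fragments[name].splitlines():
            m = SETTING.match(line)         # commented-out lines do not match
            if m:
                yield name, m.group(1).lower(), m.group(2), m.group(3)

def audit(fragments, expected):
    """Return (kind, file, detail) findings that can explain a cache bypass."""
    effective, findings = {}, []
    for name, scheme, host, value in proxy_settings(fragments):
        key = (scheme, host)
        if key in effective and effective[key][1] != value:
            findings.append(("override", name, f"replaces {effective[key][0]}"))
        effective[key] = (name, value)      # a later definition wins
    for scheme in ("http", "https"):
        if (scheme, None) not in effective:
            findings.append(("missing", None, f"no Acquire::{scheme}::Proxy"))
    for (scheme, host), (name, value) in effective.items():
        if value.upper() == "DIRECT":
            findings.append(("direct", name, f"{scheme} {host or '*'} skips the proxy"))
        elif value.rstrip("/") != expected:
            findings.append(("other-proxy", name, f"{scheme} -> {value}"))
    return findings

# Constructed fragments: 01proxy matches the page, 90corp conflicts with it.
SAMPLE = {
    "01proxy": 'Acquire::http::Proxy "http://proxy-server:3142";\n'
               'Acquire::https::Proxy "http://proxy-server:3142";\n',
    "90corp":  '// Acquire::http::Proxy "http://old:8080";\n'
               'Acquire::http::Proxy "http://corp-proxy:8080";\n'
               'Acquire::http::Proxy::mirror.internal "DIRECT";\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "http://proxy-server:3142"):
        print(finding)
```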
Permission Errors in Cache Directory
- Check ownership of cache directory
- Ensure sufficient disk space
chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
Slow Package Downloads
- Check upstream mirror responsiveness
- Increase thread limits
- Verify DNS resolution
Repository Not Cached
- Ensure repository uses HTTP
- Verify remap configuration
- Some third-party repositories disable caching headers
Service Fails to Start
- Check error.log for syntax errors
- Validate configuration files
apt-cacher-ng -c /etc/apt-cacher-ng -t
Useful Links
- Official APT-Cacher-NG Homepage
https://www.unix-ag.uni-kl.de/~bloch/acng/
- APT-Cacher-NG Git Repository
https://salsa.debian.org/blade/apt-cacher-ng
- Debian Wiki – APT-Cacher-NG
https://wiki.debian.org/AptCacherNg
- Ubuntu Documentation – Package Caching
https://help.ubuntu.com/community/Apt-Cacher%20NG
- APT Configuration Manual
https://manpages.debian.org/apt.conf
