APT-CACHER-NG - Advanced Config

From IT-Arts.net
Revision as of 15:29, 20 December 2025 by Admin


Architecture and Internal Design

APT-Cacher-NG (ACNG) acts as a specialized HTTP proxy optimized for package managers such as APT. Unlike generic proxies, it understands repository layouts and package metadata patterns.

Request Flow

  1. Client sends HTTP request for a package or index file
  2. ACNG checks its local cache directory
  3. If present and valid, the cached object is served
  4. If missing or expired, ACNG fetches it from the upstream repository
  5. The fetched object is stored and indexed locally

Cache Storage Model

  • Cache root usually located in /var/cache/apt-cacher-ng
  • Files are stored using a hashed directory structure
  • Metadata files (.db, .head) are maintained for validation and expiration
  • Index files are cached separately from binary packages

Protocol Support

  • HTTP (native)
  • HTTPS via CONNECT tunneling (limited inspection)
  • IPv4 and IPv6

Performance Characteristics

  • Optimized for many small files (package indexes)
  • Handles concurrent clients efficiently
  • Reduces bandwidth and mirror load significantly in multi-host environments

Configuration Directives (Advanced)

Configuration files are typically located in /etc/apt-cacher-ng.

Important Configuration Files

  • acng.conf – main configuration
  • security.conf – access control rules
  • backends_*.conf – repository mappings

Cache Behavior Tuning

CacheDir: /var/cache/apt-cacher-ng
ExTreshold: 4
MaxSpareThreadCount: 20
MaxThreads: 100

  • ExTreshold: expiration sensitivity for index files
  • MaxThreads: controls parallel client handling
  • MaxSpareThreadCount: idle worker threads kept alive

Repository Remapping

ACNG can remap repository URLs to alternative mirrors:

Remap-debian: file:deb_mirror*.conf
Remap-ubuntu: file:ubuntu_mirror*.conf

This allows transparent redirection without client-side changes.

Client Configuration and Usage Examples

System-Wide APT Proxy Configuration

Acquire::http::Proxy "http://proxy-server:3142";
Acquire::https::Proxy "http://proxy-server:3142";

Per-Command Proxy Usage

apt-get -o Acquire::http::Proxy="http://proxy-server:3142" update

Verifying Proxy Usage

apt-get -o Debug::Acquire::http=true update

The debug output should show requests routed through the ACNG proxy.

Cache Management and Maintenance

Manual Cache Cleanup

apt-cacher-ng -c /etc/apt-cacher-ng -s

  • Removes expired and orphaned files
  • Rebuilds internal metadata databases

Cache Statistics

curl http://localhost:3142/acng-report.html

Provides:

  • Cache hit ratio
  • Disk usage
  • Traffic savings
  • Active connections

Pre-Fetching Packages

apt-get --download-only install linux-image-amd64

Run this on one client to populate the cache for the others.

Security Concepts

Access Control

Access rules are defined in security.conf:

Allow: 192.168.1.0/24
Deny: all

  • Supports CIDR notation
  • First-match rule evaluation
  • Deny rules should always be explicit
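The following is an added example, not ACNG's own parser or code from this page: it models the first-match evaluation described above to show how rule order can silently disable a Deny, and audits a rule set for shadowed rules and a missing catch-all. The function names and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set in the Allow/Deny form shown above (not a real deployment).
SAMPLE_RULES = """\
Allow: 192.168.1.0/24
Deny: 192.168.1.66
Allow: 10.0.0.0/8
"""
ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

def parse_rules(text):
    """Return [(action, networks)] in file order; 'all' covers IPv4 and IPv6."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, target = (part.strip() for part in line.partition(":"))
        if action.lower() not in ("allow", "deny"):
            raise ValueError(f"unknown directive: {line!r}")
        nets = ANY if target.lower() == "all" else (ipaddress.ip_network(target, strict=False),)
        rules.append((action.lower(), nets))
    return rules

def decide(rules, client):
    """First match wins: return the action of the first rule containing the client."""
    ip = ipaddress.ip_address(client)
    for action, nets in rules:
        if any(ip in net for net in nets):
            return action
    return "no-match"  # nothing matched; the outcome then depends on the default

def audit(rules):
    """Flag rules fully covered by one earlier rule, and a missing final catch-all deny."""
    findings = []
    for i, (action, nets) in enumerate(rules):
        for j, (_, earlier) in enumerate(rules[:i]):
            if all(any(n.version == e.version and n.subnet_of(e) for e in earlier) for n in nets):
                findings.append(f"rule {i + 1} ({action}) is shadowed by rule {j + 1}")
                break
    if not rules or rules[-1] != ("deny", ANY):
        findings.append("no final 'Deny: all'")
    return findings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(decide(rules, "192.168.1.66"))  # the later Deny never fires
    for finding in audit(rules):
        print("finding:", finding)
```

Moving the host-specific Deny above the subnet Allow and ending with Deny: all clears both findings.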

Authentication Limitations

  • ACNG does not natively support user authentication
  • Intended for trusted networks
  • Authentication must be enforced externally (firewall, VPN)

HTTPS Considerations

  • HTTPS repositories are tunneled, not cached at object level
  • Index files may still be cached depending on client behavior
  • Full HTTPS caching requires repository-specific configuration

Network-Level Hardening

  • Bind to specific interface:

BindAddress: 192.168.1.10

  • Use firewall rules to restrict access to port 3142
  • Recommended to run behind NAT or internal VLAN
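To confirm that the BindAddress setting actually took effect, the check below (an added example, not part of ACNG or of the original page) parses the output of `ss -Hltn` and reports any listener on port 3142 that is bound to a wildcard address or to an address other than the configured one. The sample output is constructed, and the function names are assumptions.

```python
# Constructed `ss -Hltn` output (State Recv-Q Send-Q Local Peer); not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 250 0.0.0.0:3142 0.0.0.0:*
LISTEN 0 250 [::]:3142 [::]:*
"""
WILDCARDS = {"0.0.0.0", "[::]", "*"}

def listeners(ss_text, port=3142):
    """Local addresses with a TCP listener on the given port."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 hosts such as [::] intact
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            found.append(host)
    return found

def exposure_findings(ss_text, expected="192.168.1.10", port=3142):
    """Compare live listeners with the BindAddress configured above."""
    addrs = listeners(ss_text, port)
    if not addrs:
        return [f"nothing is listening on port {port}"]
    findings = []
    for addr in addrs:
        if addr in WILDCARDS:
            findings.append(f"{addr}:{port} accepts connections on every interface")
        elif addr != expected:
            findings.append(f"{addr}:{port} is not the configured BindAddress {expected}")
    return findings

if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_SS):
        print("finding:", finding)
```

On a live host, pass the real output of `ss -Hltn` to `exposure_findings` in place of the sample.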

Privilege Model

  • Runs as unprivileged user
  • No need for root access during normal operation
  • Writes only to cache and log directories

Logging and Monitoring

Log Files

  • /var/log/apt-cacher-ng/access.log
  • /var/log/apt-cacher-ng/error.log

Log Verbosity

VerboseLog: 1
Debug: 7

Higher debug levels significantly increase log volume.

Common Log Patterns

  • HIT – served from cache
  • MISS – fetched from upstream
  • EXPIRED – revalidated content

Troubleshooting

Clients Bypass the Cache

  • Verify proxy settings on client
  • Ensure no conflicting proxy definitions
  • Check access.log for incoming requests

grep MISS /var/log/apt-cacher-ng/access.log

Permission Errors in Cache Directory

  • Check ownership of cache directory
  • Ensure sufficient disk space

chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng

Slow Package Downloads

  • Check upstream mirror responsiveness
  • Increase thread limits
  • Verify DNS resolution

Repository Not Cached

  • Ensure repository uses HTTP
  • Verify remap configuration
  • Some third-party repositories disable caching headers

Service Fails to Start

  • Check error.log for syntax errors
  • Validate configuration files

apt-cacher-ng -c /etc/apt-cacher-ng -t

  • Official APT-Cacher-NG Homepage
 https://www.unix-ag.uni-kl.de/~bloch/acng/
  • APT-Cacher-NG Git Repository
 https://salsa.debian.org/blade/apt-cacher-ng
  • Debian Wiki – APT-Cacher-NG
 https://wiki.debian.org/AptCacherNg
  • Ubuntu Documentation – Package Caching
 https://help.ubuntu.com/community/Apt-Cacher%20NG
  • APT Configuration Manual
 https://manpages.debian.org/apt.conf