Force APT/Software installation to use HTTP instead of HTTPS

dUCK · January 6, 2021, 6:04am

Is there a setting to toggle utilizing HTTP instead of HTTPS for APT?

Everything added in /etc/apt/sources.list and /etc/apt/sources.list.d/* are HTTPS and I would like them to be HTTP so the APT caching proxy I use (apt-cacher-ng) will cache them.

As it stands right now if I install software from the menu, repositories are added as HTTPS.

Joulinar · January 6, 2021, 9:34am

Hi,

many thanks for your message. Simply change all source files in /etc/apt/sources.list and /etc/apt/sources.list.d/* to HTTP. There is no tool or global setting to do this.

dUCK · January 6, 2021, 2:09pm

This isn’t a solution when installing software through the dietpi-software menu because the scripts automatically overwrite any changes made.

For example, if I install something that adds the mono-xamarin.list file, it will be added as HTTPS and begin downloading, giving me no time to change the file.

If I install any other software that utilizes this repository, mono-xamarin.list will be overwritten attempting to install it.

Joulinar · January 6, 2021, 2:15pm

source files created by dietpi-software are hardcoded into the script

dUCK · January 6, 2021, 2:23pm

Thank you. Maybe I can write a script to parse this file and replace instaces of HTTPS with HTTP.

Joulinar · January 6, 2021, 2:37pm

dietpi-software will be replaced an each dietpi-update

Did you had a look to Debian Wiki? https://wiki.debian.org/AptCacherNg
Last point is talking about how to deal with https repositories and is providing a simple solution to tunnel HTTPS connections directly on the proxy

dUCK · January 6, 2021, 2:42pm

Yes, but tunneling HTTPS does not allow files to be cached as HTTPS cannot be understood.

The downside is that HTTPS content is not cached.

dUCK · January 6, 2021, 2:52pm

HTTPS can be utilized, but HTTP must be defined prior in the sources.list.

https://blog.packagecloud.io/eng/2015/05/05/using-apt-cacher-ng-with-ssl-tls/

Caching objects

To cache packages and indexes retrieved via SSL/TLS repositories, we will have to configure apt-cacher-ng to remap a chosen non-https repository url to the actual https url.

Create a file named backends_packagecloud in /etc/apt-cacher-ng that looks like:

https://packagecloud.io/julio/test_repo/ubuntu

Now, in apt-cacher-ng /etc/apt-cacher-ng/acng.conf we can specify a mapping like:

Remap-pcloud: > http://fakedomain.example > ; file:backends_pcloud

Finally, we can now configure all our clients to use > http://fakedomain.example > instead of > https://packagecloud.io/julio/test_repo/ubuntu> , and apt-cacher-ng will transparently proxy, and more importantly, cache, objects from > https://packagecloud.io/julio/test_repo/ubuntu> .

Joulinar · January 6, 2021, 3:00pm

this might be an easier solution than adjusting dietpi-software every time you update DietPi scripts. Especially in combination with PassThroughPattern: ^(.*):443$ setting, your system will continue working even if a new source file was added. You would need to adjust mapping only in this case.

dUCK · January 6, 2021, 3:10pm

The clients still require sources.list to be in HTTP format (apt-cacher-ng cannot understand HTTPS,) so it will have to be modified every time dietpi-sofware updates.

Although, it will allow me to utilize HTTPS after HTTP traffic hits the apt-cacher-ng proxy.

Joulinar · January 6, 2021, 3:36pm

Ok looks I misunderstood it