Re: [squid-users] Transparent squid and apt-cacher on the same box

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Aug 2010 22:27:37 +1200

Dayo Adewunmi wrote:
> Hi all
>
> I've got squid 2.6.18-1ubuntu3 on an ubuntu hardy box. This box is the
> firewall and squid's on there too, running as transparent proxy. I have
> apt-cacher-ng on a separate box behind the firewall serving package
> management on the LAN by streaming from the internet. This works fine.
>
> Previously, I was using apt-cacher (not -ng) on the firewall itself,
> serving the LAN. This worked fine, too, until I turned squid into
> transparent. Now I'm getting 403s whenever I try to run `aptitude
> update` on the firewall. Does anyone have any experience with getting
> apt-cacher (not -ng) to work on top of a transparent squid box?

FWIW; I advise upgrading to a newer Ubuntu release. The more recent
releases bundle with squid3 and apt packages which use persistence and
pipelining connections better. Between them they can avoid the need for
a separate apt-cacher proxy.

Now, which "transparent" is being discussed I wonder?

transparent (aka NAT interception):
   Rule #1 in the firewall config of a working interception proxy is to
prevent the box IP itself being caught into the proxy by rule #2:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
  This rule can be duplicated for as many exceptions as required for
bypassing machines past the proxy.

transparent (aka environment auto-configuration):
   run "echo $http_proxy" and see if the proxy is specified there. This
is the main way local machine software can be silently pulled into the
proxy.

transparent (aka WPAD auto-configuration):
   if this is catching it you will have to find the apt-cacher-ng
config and turn off where it is set to look up the proxy.

transparent (aka spoofing / TPROXY):
   ditto for correct firewall configuration like NAT bypassing the proxy
IP. This time marking packets IIRC.

transparent (aka invisible):
   the system and apt-cacher config need to be checked that it's not
configured to use the proxy. Similar but different settings to WPAD.

transparent (aka silent authentication):
   if this is the case apt-cacher will need to be configured with the
credentials to hand over. Or squid configured to permit its requests
without auth.

transparent (aka tunnelling):
   should not have seen any change. Though maybe if you were doing this
and now have added interception they are non-compatible on the one port.

[yes, I dislike the term "transparent". For what should now be an
obvious reason.]

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1
Received on Thu Aug 12 2010 - 10:27:46 MDT
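
Added example (not part of the original message, and not Squid project code): a check for the NAT interception case described above, confirming that the exemption for the proxy box's own IP comes before the port-80 redirect. It assumes the rules live in the nat PREROUTING chain and are read from `iptables-save -t nat` output; the address 192.0.2.1, port 3129 and both rule sets are constructed samples.

```shell
#!/bin/sh
# Constructed samples of `iptables-save -t nat` output (not from the post).
# 192.0.2.1 stands in for the proxy box's own IP, 3129 for Squid's port.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT'

BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# check_bypass RULES PROXY_IP
# Returns 0 only if an ACCEPT exemption for PROXY_IP on port 80 appears
# before the first port-80 REDIRECT/DNAT rule in nat PREROUTING.
# Returns 1 if the exemption is missing or too late, 2 if nothing intercepts.
check_bypass() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^\*/ { in_nat = ($0 == "*nat") }          # track current table
        !in_nat || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && $(i - 1) != "!") src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dport != "80") next
            sub(/\/32$/, "", src)                  # host route == bare IP
            if (target == "ACCEPT" && src == ip) exempt = 1
            if ((target == "REDIRECT" || target == "DNAT") && !seen) {
                seen = 1
                ok = exempt                        # order matters: first match wins
            }
        }
        END {
            if (!seen) { print "no port-80 interception rule found"; exit 2 }
            if (ok) { print "ok: " ip " bypasses interception"; exit 0 }
            print "fail: " ip " is intercepted (exemption missing or too late)"
            exit 1
        }'
}

check_bypass "$GOOD_RULES" 192.0.2.1 || true
check_bypass "$BAD_RULES" 192.0.2.1 || true
```

On a live box the first argument would be "$(iptables-save -t nat)" and the second the address the proxy sends its outbound requests from.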