squid-deb-proxy does not allow downloading from arbitrary mirrors of packages

Bug #804267 reported by Clint Byrum on 2011-07-01
This bug affects 2 people
Affects: squid-deb-proxy (Ubuntu)

Bug Description

If I install squid-deb-proxy-client I use any discovered proxies for all my apt downloads. But this will break if I have a privately hosted apt cache, since its hostname and/or path will be disallowed. The proxy should instead restrict to only downloading files named Packages.gz, *.deb, *.dsc, *.orig.tar.gz, etc. etc.

Peter Wu (lekensteyn) wrote :

That would allow other machines in your network to use your proxy to access all sites. You can edit /etc/squid-deb-proxy/mirror-dstdomain.acl and add the hostnames of your private repositories to it.

If you really want to allow access to resources based on the path, comment the following line in /etc/squid-deb-proxy/squid-deb-proxy.conf by adding a hash sign (#) before it:
http_access deny !to_ubuntu_mirrors

Next, add two lines after `http_access allow localhost`:

acl Safe_path urlpath_regex (\.deb|Release(\.gpg)?|(Sources|Packages)\.(bz2|gz)|Contents-(amd64|i386)\.gz)$
http_access deny !Safe_path

The above regex is incomplete; a lot of files are still not included, but it should be sufficient for regular apt-get update and apt-get installs (not apt-get source).

Related documentation: http://www.squid-cache.org/Versions/v2/2.7/cfgman/acl.html
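
Added example, not part of the original comment or of squid-deb-proxy: a small Python check of which request URLs a path-only ACL like Safe_path would let through, using the pattern from the comment above written with plain `|` alternation between the Release and Packages branches. The sample URLs are constructed, and Python's `re` is assumed to behave like Squid's POSIX extended regex for this pattern.

```python
import re
from urllib.parse import urlsplit

# Safe_path pattern from the comment above (case-sensitive, anchored at the end only).
SAFE_PATH = re.compile(
    r"(\.deb|Release(\.gpg)?|(Sources|Packages)\.(bz2|gz)|Contents-(amd64|i386)\.gz)$"
)

def squid_urlpath(url):
    """Return what urlpath_regex is matched against: path (plus query), never scheme or host."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def allowed(url):
    """True if 'http_access deny !Safe_path' would NOT deny this URL."""
    return SAFE_PATH.search(squid_urlpath(url)) is not None

# Constructed sample requests: index files, a binary package, source-package files,
# a private repository host, and an ordinary web page.
SAMPLES = [
    "http://archive.ubuntu.com/ubuntu/dists/natty/Release",
    "http://archive.ubuntu.com/ubuntu/dists/natty/Release.gpg",
    "http://archive.ubuntu.com/ubuntu/dists/natty/main/binary-amd64/Packages.bz2",
    "http://archive.ubuntu.com/ubuntu/pool/main/h/hello/hello_2.6-1_amd64.deb",
    "http://archive.ubuntu.com/ubuntu/pool/main/h/hello/hello_2.6-1.dsc",
    "http://archive.ubuntu.com/ubuntu/pool/main/h/hello/hello_2.6.orig.tar.gz",
    "http://apt.internal.example/ubuntu/dists/natty/main/binary-i386/Packages.gz",
    "http://www.example.com/index.html",
]

def report(urls=SAMPLES):
    """Map each URL to the ACL decision so the result can be reviewed or diffed."""
    return {url: allowed(url) for url in urls}

if __name__ == "__main__":
    for url, ok in report().items():
        print("ALLOW" if ok else "DENY ", url)
```

The private host passes because the hostname is never examined, which is the trade-off described at the top of the comment; the .dsc and .orig.tar.gz requests are denied, matching the note that apt-get source is not covered.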

Peter Wu (lekensteyn) wrote :

The acl Safe_path ... \.gz)$ lines should be put on one line, but due to formatting by Launchpad, it got split up.

Changed in squid-deb-proxy (Ubuntu):
status: New → Confirmed
Clint Byrum (clint-fewbar) wrote :

Lekensteyn, that makes this unsuitable for general use in Ubuntu. PPAs and various other sources are very easy to use, and the failure this causes is very difficult to understand.

Dmitry Andreychuk (and-dmitry) wrote :

Isn't it a duplicate of #545830?
