Squid Deb Caching

From Linux Infrastructure Advisory

It is common in secure environments to force internal hosts through a forward (egress) proxy such as Squid for public internet access. The same idea applies to apt package management: a centralized package proxy provides caching as well as a control point. When many servers need the same package, kernel or security patch, a cache inside your network saves a significant amount of bandwidth and operator time. And just as an internet proxy can whitelist only specific domains, a package proxy can whitelist apt repositories and blacklist specific packages. Note that the proxy controls where packages are fetched from, not whether they are genuine; apt's own repository signature verification on each client is what guarantees package integrity, and caching does not change that.

This howto covers installation and configuration of squid-deb-proxy, which is simply a packaging of Squid (squid3) with a configuration tuned for package caching. Since most security and operations teams already know Squid, this usually makes deployment approval easier than for other package caching solutions.

Installing Squid Deb Caching Server

  • squid-deb-proxy is available in the Ubuntu repositories and can be installed with apt. It listens on TCP port 8000, so open that port in the host firewall as part of the install:
$ sudo apt-get update
$ sudo ufw allow 8000/tcp
$ sudo apt-get install squid-deb-proxy -y
  • Cached files are stored under a directory hierarchy in “/var/cache/squid-deb-proxy”, as the cache_dir line of the configuration shows (aufs store, 40000 MB maximum, 16 first-level and 256 second-level directories):
$ grep cache_dir /etc/squid-deb-proxy/squid-deb-proxy.conf
cache_dir aufs /var/cache/squid-deb-proxy 40000 16 256
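The introduction mentions whitelisting repositories and blacklisting packages; the shipped configuration implements these, plus a restriction on which client networks may use the proxy, as ACL files under /etc/squid-deb-proxy. The script below is an added example (not part of this page or of the squid-deb-proxy package) of tightening those ACLs after installation. It assumes the Ubuntu package layout with drop-in directories named allowed-networks-src.acl.d, mirror-dstdomain.acl.d and pkg-blacklist-regexp.acl.d, whose contents are merged into the .acl files referenced by squid-deb-proxy.conf when the service starts (check with "ls /etc/squid-deb-proxy"; on a version without those directories, put the same lines into the .acl files directly). The subnet 10.20.0.0/16, the mirror names and the blocked package names are placeholders. Keep in mind that the shipped 10-default files already allow a set of public mirrors and networks, so edit or remove them if the proxy is to be limited to your own mirror and subnet.

```shell
#!/usr/bin/env bash
# Added example (not part of the page or the squid-deb-proxy package):
# tighten the ACLs of a freshly installed squid-deb-proxy.
# Assumes the Ubuntu layout under /etc/squid-deb-proxy with drop-in
# directories allowed-networks-src.acl.d/, mirror-dstdomain.acl.d/ and
# pkg-blacklist-regexp.acl.d/, merged into the .acl files that the shipped
# squid-deb-proxy.conf references when the service starts.
# Subnet, mirror names and blocked package names below are placeholders.
set -euo pipefail

CONF_DIR="${CONF_DIR:-/etc/squid-deb-proxy}"

# Client subnets allowed to use the proxy at all (one CIDR per argument).
write_allowed_networks() {
    local dir="$1"; shift
    mkdir -p "$dir/allowed-networks-src.acl.d"
    printf '%s\n' "$@" > "$dir/allowed-networks-src.acl.d/20-local"
}

# Repository hosts the proxy may fetch from; any other destination is
# answered with TCP_DENIED/403 instead of being fetched upstream.
write_mirror_allowlist() {
    local dir="$1"; shift
    mkdir -p "$dir/mirror-dstdomain.acl.d"
    printf '%s\n' "$@" > "$dir/mirror-dstdomain.acl.d/20-local"
}

# Packages that must never be served even from an allowed mirror. Each name
# becomes a urlpath_regex matching its .deb under pool/, for example
#   /pool/.*/telnet_.*\.deb$
write_package_blocklist() {
    local dir="$1"; shift
    mkdir -p "$dir/pkg-blacklist-regexp.acl.d"
    printf '/pool/.*/%s_.*\\.deb$\n' "$@" > "$dir/pkg-blacklist-regexp.acl.d/20-local"
}

# Send one request through the running proxy and print the HTTP status:
# an allowed mirror should give 200, a host outside the allowlist 403.
probe_proxy() {
    curl -sS -o /dev/null -w '%{http_code}\n' -x http://127.0.0.1:8000 "$1"
}

# Only touch the live system when explicitly asked: APPLY=1 sudo ./this.sh
if [ "${APPLY:-0}" = "1" ]; then
    write_allowed_networks "$CONF_DIR" "10.20.0.0/16"                 # placeholder subnet
    write_mirror_allowlist "$CONF_DIR" "archive.ubuntu.com" "security.ubuntu.com"
    write_package_blocklist "$CONF_DIR" "telnet" "rsh-client"         # placeholder packages
    squid -k parse -f "$CONF_DIR/squid-deb-proxy.conf"                # syntax check first
    systemctl restart squid-deb-proxy
    probe_proxy "http://archive.ubuntu.com/ubuntu/dists/"             # expect 200
    probe_proxy "http://example.com/"                                 # expect 403
fi
```

Run it on the proxy as root with APPLY=1; without that variable it only defines the functions. The two probes at the end exercise the ACLs end to end: the allowed mirror should answer 200 and the host outside the allowlist 403, and both requests appear in access.log with TCP_MISS or TCP_DENIED respectively.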

Installing client on hosts

  • On the squid-deb-proxy host, first tail the access log so you can watch the client's requests as they arrive:
$ sudo tail -f /var/log/squid-deb-proxy/access.log 
  • On another host (host 1) that should use the proxy, install the client package. It finds the proxy automatically via Avahi/mDNS (squid-deb-proxy advertises itself as an _apt_proxy._tcp service) and installs an apt configuration snippet that uses apt's proxy auto-detection hook, so no manual configuration is needed as long as client and proxy share a broadcast domain and multicast DNS (UDP 5353) is not filtered:
$ sudo apt install squid-deb-proxy-client
  • On the proxy, the log will show host 1 fetching its package lists and packages through the proxy. The first request for a given file is logged as TCP_MISS (fetched from the upstream mirror and stored); later requests for the same file from any client are logged as TCP_HIT.
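Avahi discovery only works when client and proxy sit on the same broadcast domain and mDNS is not filtered, which is often not the case in segmented networks. The following is an added example, not code from this page or from the squid-deb-proxy packages, showing the static alternative (an apt.conf.d snippet that names the proxy explicitly) together with a small check on the proxy side that summarises access.log per client into cache hits, misses and ACL denials. The proxy address 10.20.0.5, the snippet file name 01squid-deb-proxy and the log lines are all constructed for the example; the log lines follow Squid's native "squid" logformat, which is what access.log uses here.

```shell
#!/usr/bin/env bash
# Added example (not part of the page or the squid-deb-proxy packages):
# point apt at the proxy explicitly instead of relying on Avahi discovery,
# and summarise the proxy's access.log to confirm clients hit the cache.
# PROXY_HOST, the snippet file name and SAMPLE_LOG are placeholders/constructed.
set -euo pipefail

PROXY_HOST="${PROXY_HOST:-10.20.0.5}"   # assumed address of the squid-deb-proxy server

# Static proxy setting for apt (squid-deb-proxy listens on port 8000).
write_apt_proxy_conf() {
    local confd="$1" host="$2"
    mkdir -p "$confd"
    printf 'Acquire::http::Proxy "http://%s:8000";\n' "$host" > "$confd/01squid-deb-proxy"
}

# Summarise Squid's native access.log (field 3 = client, field 4 = result/status):
# TCP_*HIT* counts as a cache hit, TCP_DENIED as an ACL denial, anything else
# (TCP_MISS, TCP_REFRESH_*) as a miss. Prints "client hits misses denied".
summarize_access_log() {
    awk '{
        split($4, st, "/"); client = $3
        if (st[1] ~ /HIT/)         hit[client]++
        else if (st[1] ~ /DENIED/) denied[client]++
        else                       miss[client]++
        seen[client] = 1
    }
    END { for (c in seen) printf "%s %d %d %d\n", c, hit[c]+0, miss[c]+0, denied[c]+0 }' "$@" | sort
}

# Constructed sample log (not real traffic): one miss, two hits, one denial.
SAMPLE_LOG=$(cat <<'EOF'
1700000000.101    412 10.20.0.11 TCP_MISS/200 1325680 GET http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1_amd64.deb - HIER_DIRECT/91.189.91.39 application/x-debian-package
1700000003.207      4 10.20.0.12 TCP_HIT/200 1325680 GET http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1_amd64.deb - HIER_NONE/- application/x-debian-package
1700000005.311      2 10.20.0.12 TCP_MEM_HIT/200 4090 GET http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease - HIER_NONE/- -
1700000007.418      1 10.20.0.13 TCP_DENIED/403 3867 GET http://ppa.example.net/pool/main/t/telnet_0.17_amd64.deb - HIER_NONE/- text/html
EOF
)

# Only touch the live system when explicitly asked: APPLY=1 sudo ./this.sh
if [ "${APPLY:-0}" = "1" ]; then
    write_apt_proxy_conf /etc/apt/apt.conf.d "$PROXY_HOST"
    apt-config dump | grep -i proxy            # confirm apt picked up the setting
fi

# Offline demonstration on the constructed sample; on the proxy run instead:
#   summarize_access_log /var/log/squid-deb-proxy/access.log
printf '%s\n' "$SAMPLE_LOG" | summarize_access_log
```

A client that shows only misses over time is either downloading files nobody else has asked for yet or is bypassing the cache (for example because its sources.list uses HTTPS mirrors, which the proxy cannot cache); a client with denials is asking for a mirror or package outside the ACLs and should be investigated.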

Conclusion

  • Every host with the client installed asks the proxy for its package lists and packages. If a package is already in the cache, it is served from there without touching the upstream mirror.
  • If the proxy does not have the package, it fetches it from the upstream repository (provided that mirror is on the allowlist), stores it in the cache and serves it to the requesting host; the next host that asks for the same package gets the cached copy.
  • When the cache reaches its configured size limit (40000 MB in the cache_dir line above), Squid evicts older objects to make room for new ones, so the cache needs no manual cleanup.
