apt config to acquire http but not https proxy?

Hi,
Google is failing me.
I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
Any suggestions?

(Things not to say:
 * Use iptables to transparently proxy port 80
 * Get a better HTTP proxy that supports SSL
)

Toby

On Tue, 16 Jun 2015, Toby Corkindale wrote:
> Hi, Google is failing me.
> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
> Any suggestions?
> (Things not to say:
>  * Use iptables to transparently proxy port 80
>  * Get a better HTTP proxy that supports SSL )

Don't know about https itself, but does limiting hosts help you?

//Acquire::http::Proxy "http://localhost:3142/";
Proxy::bugs.debian.org "http://localhost:8080";
// bug 493980:
Proxy::packages.debian.org "http://localhost:8080";

--
Tim Connors

I was wondering: is there a way to specify Acquire::HTTPS::Proxy in a negative way?
(Since setting acquire::http::proxy seems to set it up for https too without me wanting it)

On Tue, 16 Jun 2015 at 16:48 Tim Connors <tim.w.connors@gmail.com> wrote:
> On Tue, 16 Jun 2015, Toby Corkindale wrote:
>> Hi, Google is failing me.
>> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
>> Any suggestions?
>> (Things not to say:
>>  * Use iptables to transparently proxy port 80
>>  * Get a better HTTP proxy that supports SSL )
> Don't know about https itself, but does limiting hosts help you?
>
> //Acquire::http::Proxy "http://localhost:3142/";
> Proxy::bugs.debian.org "http://localhost:8080";
> // bug 493980:
> Proxy::packages.debian.org "http://localhost:8080";
>
> -- Tim Connors

This seems to do the trick!
Note that the space between the quote marks is required; otherwise it doesn't help.

Acquire::HTTPS::Proxy " ";

On Tue, 16 Jun 2015 at 17:40 Toby Corkindale <toby@dryft.net> wrote:
> I was wondering: is there a way to specify Acquire::HTTPS::Proxy in a negative way?
> (Since setting acquire::http::proxy seems to set it up for https too without me wanting it)
>
> On Tue, 16 Jun 2015 at 16:48 Tim Connors <tim.w.connors@gmail.com> wrote:
>> On Tue, 16 Jun 2015, Toby Corkindale wrote:
>>> Hi, Google is failing me.
>>> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
>>> Any suggestions?
>>> (Things not to say:
>>>  * Use iptables to transparently proxy port 80
>>>  * Get a better HTTP proxy that supports SSL )
>> Don't know about https itself, but does limiting hosts help you?
>>
>> //Acquire::http::Proxy "http://localhost:3142/";
>> Proxy::bugs.debian.org "http://localhost:8080";
>> // bug 493980:
>> Proxy::packages.debian.org "http://localhost:8080";
>>
>> -- Tim Connors

Toby Corkindale <toby@dryft.net> writes:
> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.

Probably not helpful, but:
Just don't use TLS for apt repos?
What's the threat model that you're trying to address by using apt-transport-https?
apt's "is this package haxxed?" relies entirely on the Release file being signed by a GPG key in apt-key's keyring (plus a chain of md5/sha1/sha2-sums). So AFAICT the only gain from TLS is the ability to conceal (from your ISP) which packages you've downloaded. What am I missing?

Way to make assumptions, Trent.
I can't control the fact that some repositories are SSL only. That's out of my control.
Choosing not to use software just because the authors believe in SSL-everywhere would be ridiculous. Even though I agree, it's not adding any actual security.

-Toby

On Thu, 18 Jun 2015 at 11:36 Trent W. Buck <trentbuck@gmail.com> wrote:
> Toby Corkindale <toby@dryft.net> writes:
>> I know I can use acquire::http::proxy in apt.conf.d to set a proxy server, but this seems to make it used for both HTTPS and HTTP traffic -- however I only want to use it for HTTP traffic.
> Probably not helpful, but:
> Just don't use TLS for apt repos?
> What's the threat model that you're trying to address by using apt-transport-https?
> apt's "is this package haxxed?" relies entirely on the Release file being signed by a GPG key in apt-key's keyring (plus a chain of md5/sha1/sha2-sums). So AFAICT the only gain from TLS is the ability to conceal (from your ISP) which packages you've downloaded. What am I missing?

On Wed, 19 Aug 2015 at 14:53 Toby Corkindale <toby@dryft.net> wrote:
> Choosing not to use software just because the authors believe in SSL-everywhere would be ridiculous. Even though I agree, it's not adding any actual security.

Telling apt-get to use https adds privacy - people monitoring your network traffic cannot see what packages you are downloading.

participants (4): Brian May, Tim Connors, Toby Corkindale, trentbuck@gmail.com