Web Proxy and apt-get

Not sure why the web proxy is blocking services like “apt”.
Web Proxy is enabled on Green, Transparent proxy is disabled.

Can’t update a Linux box: doing sudo apt update gets blocked.

- connect (111: Connection refused) Cannot initiate the connection

Could not connect to archive.raspberrypi.org:80 (46.235.231.151). - connect (111: Connection refused) Cannot initiate the connection to archive.raspberrypi.org:80

When I shut down the Web proxy service, issues resolve immediately.
URL Filter Log is completely empty, so not sure why this happens.

Hi,

apparently, apt continues to try to establish direct internet connections (though I am surprised to see these attempts ending in an ICMP reject rather than being silently dropped - did you configure your IPFire according to that?).

Please double-check that apt is really using the configured proxy. :slight_smile:

Thanks, and best regards,
Peter Müller

2 Likes

I haven’t configured the proxy for “apt” but I have allowed all standard ports

80 # http
21 # ftp
443 # https
1025-65535 # unregistered ports
280 # http-mgmt
488 # gss-http
591 # filemaker
777 # multiling http
800 # Squids port (for icons)

I even tried using a browser and got refused as well.
Once I shut down the proxy all is good. :face_exhaling:

I think you have a rule that blocks all the traffic on the red interface that is not directed to the proxy. Setting squid to cache traffic on other ports has no effect on that rule. Hence when APT tries to connect directly (because it was not configured to use the proxy) your firewall intercepts that traffic and rejects it. You either configure apt to use the proxy, or you need to create an allow rule in your firewall for the debian machine, coming before the deny rule.

EDIT: on second thought, my hypothesis is not supported by the fact that shutting down the proxy is sufficient to remove the problem. If APT tries to connect directly, why would shutting down the proxy alone fix the problem? Are you sure the transparent option is not active?

2 Likes

As he wrote, this is also with web browsers.

Set up the web browser to communicate with the proxy directly to see that it works (don’t use global / system settings). As already mentioned, it looks like you haven’t configured your system to use the proxy. Is this Raspberry OS? https://raspberrypi.stackexchange.com/questions/68580/how-do-i-set-proxy-in-raspberry-pi-raspbian-os-or-any-linux-using-command-li

1 Like

Hi,

I have several “Devels” running here - and had similar problems. Perhaps this helps:

Check your apt configuration. In my case I had to edit /etc/apt/apt.conf (Ubuntu 20.04.4 LTS) to read:

Acquire::http::Proxy "http://[PROXY_IP]:[PROXY_PORT]/";
Acquire::https::Proxy "https://[PROXY_IP]:[PROXY_PORT]/";
Acquire::ftp::proxy "ftp://[PROXY_IP]:[PROXY_PORT]/";

Do you have IPS running?
I ran ET emerging-policy rules and had to deactivate "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management" which showed up in IPS logs.

HTH,
Matthias

6 Likes
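
As a follow-up to the advice in this thread to check that apt is really using the proxy, here is an added example (not written by any poster and not IPFire code): a shell function that reads apt-config dump output and reports which proxy apt's HTTP method would use for a given repository host, following the precedence documented in apt.conf(5). The function name, the internal mirror host and the proxy address are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: which proxy would apt's http method use for a host?
# Input on stdin is `apt-config dump` output (lines of: Key "value";).
# Precedence per apt.conf(5):
#   1. Acquire::http::Proxy::<host>   (value DIRECT means "no proxy")
#   2. Acquire::http::Proxy
#   3. the http_proxy environment variable
#   4. otherwise apt connects directly to the repository
# Not handled here: Acquire::http::Proxy-Auto-Detect.
#
# Real use: apt-config dump | apt_http_proxy_for archive.raspberrypi.org
apt_http_proxy_for() {
    awk -v host="$1" -v envp="${http_proxy:-}" '
        BEGIN {
            # apt option names are case-insensitive, so compare lowercased
            g = "acquire::http::proxy"
            h = g "::" tolower(host)
        }
        {
            key = tolower($1)
            val = $0
            sub(/^[^"]*"/, "", val)       # drop everything up to the opening quote
            sub(/";?[ \t]*$/, "", val)    # drop the closing quote and semicolon
            if (key == h)      host_proxy = val
            else if (key == g) global_proxy = val
        }
        END {
            if (host_proxy != "")        print host_proxy
            else if (global_proxy != "") print global_proxy
            else if (envp != "")         print envp
            else                         print "DIRECT"
        }'
}

# Constructed sample in apt-config dump format; the proxy address is a
# documentation placeholder and mirror.internal.example is hypothetical.
sample='APT::Architecture "arm64";
Acquire::http::Proxy "http://192.0.2.1:800/";
Acquire::http::Proxy::mirror.internal.example "DIRECT";'

for h in archive.raspberrypi.org mirror.internal.example; do
    printf '%s -> %s\n' "$h" "$(printf '%s\n' "$sample" | apt_http_proxy_for "$h")"
done
```

A result of DIRECT for the repository host means apt is not going through the proxy at all, so whatever refuses the connection is acting on traffic sent straight to the repository.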

This stopped APT for me also!

2 Likes

Thank you, a lot of great comments.

That was my suspicion too, in Firewall options, but I don’t think it will apply on Green.

Firewall options for BLUE interface
Drop all packets not addressed to proxy

Transparent on Green is Unchecked. So I assume it was not active.

I tried that but no luck.

Yes, IPS is running, but I disabled that rule a long time ago. Good point.

At the end I think it was the Proxy service blocking APT, I tried changing to a different mirror, but got blocked too.
I shut down the proxy and have no issues anymore.

This is what I do not understand: if your Debian machine is not set to use the proxy, and there is no transparent proxy, it should connect directly to the Debian repository. Then, if all these premises are correct, why does shutting down the proxy solve the problem?

1 Like

Yes, I agree, not just a single Debian machine but all the machines that I tried were doing it, which were Raspberry OS, and a few Ubuntu…
When I get time, I will turn the Proxy back on and try more ideas.

I just installed MX and have the same issue. I’ve set DNS query to TLS, so I’ve added http(s) on the repo mirrors and it connects fine now.