Caching packages on the network using apt-cacher-ng

If you've got multiple Ubuntu/Debian computers in your home, office or virtual network, you can greatly speed up software installations, upgrades and external bandwidth by designating one of them as a "cache" server.

Using apt-cacher-ng, any apt operations will proxy through that computer, so packages are only downloaded once from the Internet.

:warning: Note that the computer running the cache server must be online for apt operations to work.

Setting up

There are two approaches:

Method Recommendation
Automatic The server announces the service to the network. Clients discover the proxy. Trusted networks
Manual Server runs at a fixed IP address, clients connect directly Reliability

I personally went with Manual on a Raspberry Pi 4 computer which runs 24/7.

To avoid repeating instructions, take a look here on how to set up the server and clients:

https://wiki.debian.org/AptCacherNg

Server Tips

  • When installing the server, you'll be prompted if you'd like to enable the HTTP proxy. Choose [Yes] since this will allow HTTPS connections to work, even though they won't be cached. This should only be enabled on trusted networks.

  • To automatically start the service at boot:

    sudo systemctl enable apt-cacher-ng
    sudo systemctl start apt-cacher-ng
    
  • You can change where the cache is located by editing /etc/apt-cacher-ng/acng.conf (as root). For example, to use the cache on a different drive/partition:

    CacheDir: /media/example/

    :warning: The directory needs to be owned by apt-cacher-ng, otherwise the service will not start.

    sudo chown apt-cacher-ng /media/example/
    

    Make sure to restart the service:

    sudo systemctl restart apt-cacher-ng
    

Note on HTTPS

Repositories that connect over HTTPS cannot be cached. Despite the contrary, a simple solution is to switch those repository URLs to HTTP via :package: Software & Updates if the external source supports HTTP connections.

If you're interested to know why, read up on how the chain of trust works with Apt.

TL;DR: Your system already has the signing key to verify the integrity of packages, so downloading from repositories over HTTP is no more or less secure then HTTPS. Tampered or corrupt packages void the digital signature are refused installation.

Statistics

The service also runs a web page to view statistics.

http://<proxy>:3142/acng-report.html

Replace <proxy> with the IP address or hostname of the cache server, or use localhost if the computer running is the cache server.

Removal

If you later no longer need the cache, do the reverse and uninstall the packages. If you followed the manual steps, delete /etc/apt/apt.conf.d/proxy too.

4 Likes