Apt-Cache-ng is A caching proxy. Specialized for package files from Linux distributors, primarily for Debian (and Debian based) distributions but not limited to those.

A caching proxy have the following benefits:

  • Lower latency
  • Reduce WAN traffic
  • Higher speed for cached contents

Source: Debian Salsa Git Repository homepage: unix-ag.uni-kl.de

+--------------+         +-------------+        +------------+
|              |         |             |        |            |
| Apt Client   |  <------+ Apt Cache   | <------+ Apt Mirror |
|              |         |             |        |            |
|              |         |             |        |            |
+--------------+         +-------------+        +------------+

Install package

sudo apt-get install apt-cacher-ng

Server configuration

After installation completes, the apt-cacher-ng will start automatically. Now open and edit the cache-ng configuration file located under /etc/apt-cacher-ng directory.

sudo vim /etc/apt-cacher-ng/acng.conf

Set Username and password for webpage

    ReportPage: acng-report.html ### Web managment
    AdminAuth: myuser:mypassword123 ### set Username and password for Web managment

Web server

  • Default enabled for docs

 LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng ## LocalDirs: "sub-direct for url" "Folder path on disk"


  • Default Enabled

Change path to where you like it to store it.

CacheDir: /var/cache/apt-cacher-ng

APT-cache-ng will store the files under diffrent repos:

├── archive.raspberrypi.org
│   └── debian
│       └── dists
│           └── buster
│               ├── InRelease
│               ├── InRelease.head
│               └── main
│                   └── binary-armhf
│                       ├── Packages.gz
│                       └── Packages.gz.head
├── deb.playonlinux.com
│   └── dists
│       └── trusty
│           ├── InRelease
│           ├── InRelease.head
│           └── main
│               ├── binary-amd64
│               │   ├── Packages.gz
│               │   └── Packages.gz.head
│               └── binary-i386
│                   ├── Packages.gz
│                   └── Packages.gz.head
├── debrep
│   └── dists
│       └── buster-backports
│           ├── InRelease
│           ├── InRelease.head
│           └── main
│               ├── binary-armhf

Take not of the debrep, if defined it will merge diffrent Repository that matches Remap-debrep, and merge them together.

Tuning cache

ExThreshold: 4 # days before purgeing
ExStartTradeOff: 500m # Size of local cache, expiration run is suppressed, until limited is surpaced.

Repository remapping

Repository remapping is a way to merge together all urls to the same repository.

On some restricted networks, it may be needed to enforce the use of predefined mirrors. If the ForceManaged option is set, only requests to URL matched in some Remap-... config is allowed.

If multiple Remap- lines for the same Repository are specified, the contents of both URL lists are merged.


Remap-RepositoryName: MergingURLs ; TargetURLs ; OptionalFlags

Example with ubuntu, where a seperate file holds the upstream URLS, and all urls in file:ubuntu_mirrors or/ubuntu are using the TargetURLs

Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu 

Pre caching

  • Default off

PrecacheFor: {uburep,secdeb,debrep}/*/*{Packages,InRelease,Packages.xz,Translation,Commands}* 

log setting

  • Default Enabled

Change path to where you like it to store it.

LogDir: /var/log/apt-cacher-ng

Address and Port

  • Default Port:3142

  • Default: listens on all interfaces and protocols

To change port or hostname, uncomment. BindAddress can be multiple address that are resolved at start.

BindAddress: localhost publicNameOnMainInterface

Upstream proxy

  • Default No proxy

To use proxy uncomment and set your upstream proxy.

Proxy: http://www-proxy.example.net:3128 # or 
Proxy: https://username:proxypassword@proxy.example.net:3129

Client setup

There is multiple ways to set proxy for use:

  • Hardcoded
  • via DNS
  • via multicast DNS
  • via list

To force the client to use the proxy we can hardcodes the server name in the APT configuration and may not be appropriate if you change networks often.

echo 'Acquire::http { Proxy "http://${proxy_server}:3142"; }' | sudo tee -a /etc/apt/apt.conf.d/proxy

Dynamic usage of proxy using DNS, and auto-apt-proxy

It is posible to use the local DNS server to lookup apt proxy server

DNS server setting

The DNS server needs to have a SRV record of _apt_proxy._tcp.${domain}.

Note: Current v13 auto-apt-proxy needs the ${domain} to set via in hostname. sudo hostnamectl set-hostname client.example.com  

The appropriate SRV record in dnsmasq.conf would look like this:

  • _apt_proxy._tcp.${domain} is the URL getting reqestetd.

  • apt-cacher-ng.example.com is the URL being returned, can be any valid URL

  • 3142 is the port used, on the server being returned.


Current v13 of auto-apt-proxy needs the ${domain} to set via in hostname. sudo hostnamectl set-hostname client.${domain}  , and hostname need to reflect in /etc/hosts: client.${domain} client
  • The order is important, FQDN, then short.
  • client.${domain}, FQDN.

  • client, short hostname.

alternativt a host named apt-proxy can be defined in /etc/hosts.

Install auto-apt-proxy:

  sudo apt install auto-apt-proxy

This will add the following to /etc/apt/apt.conf.d/auto-apt-proxy.conf:

   Acquire::http::Proxy-Auto-Detect "/usr/bin/auto-apt-proxy";

Dynamic usage of proxy using multicast DNS

With the use of Zero-configuration networking, it is posible for clients dynamicly use the local proxy server. This is useful for laptops but could be a security issue as anyone can then become a proxy for you and serve any content they wish (although SecureApt should still ensure a proper trust chain).


To announce the service to the network, you install Avahi:

  sudo apt install avahi-daemon


On the client side we need squid-deb-proxy-client

  sudo apt install squid-deb-proxy-client

This will add the following to /etc/apt/apt.conf.d/30autoproxy:

   Acquire::http::ProxyAutoDetect "/usr/share/squid-deb-proxy-client/apt-avahi-discover";

Verfie it is working


"--debug" flag can be used for more info.

Dynamic usage a list

If you have a list of server you like the client to try you can use.

There setting calls Acquire::http::ProxyAutoDetect.

This setting should contains the full path to the binary and cannot have arguments. The command should output the proxy to be used (example:

Given the above information, a script could be created that tries a proxy before setting it. If no ProxyAutoDetecto proxy is available, a direct connection should be used.

Below is such a proxy detection script which tries the and proxies.

Put the code in /etc/apt/detect-http-proxy:

  # detect-http-proxy - Returns a HTTP proxy which is available for use

  # Author: Lekensteyn <lekensteyn@gmail.com>

  # Supported since APT (Lucid) and 0.7.26~exp1 (Debian Squeeze)
  # Unsupported: Ubuntu Karmic and before, Debian Lenny and before

  # Put this file in /etc/apt/detect-http-proxy and create and add the below
  # configuration in /etc/apt/apt.conf.d/30detectproxy
  #    Acquire::http::ProxyAutoDetect "/etc/apt/detect-http-proxy";

  # APT calls this script for each host that should be connected to. Therefore
  # you may see the proxy messages multiple times (LP 814130). If you find this
  # annoying and wish to disable these messages, set show_proxy_messages to 0

  # on or more proxies can be specified. Note that each will introduce a routing
  # delay and therefore its recommended to put the proxy which is most likely to
  # be available on the top. If no proxy is available, a direct connection will
  # be used

  print_msg() {
      # \x0d clears the line so [Working] is hidden
      [ "$show_proxy_messages" = 1 ] && printf '\x0d%s\n' "$1" >&2

  for proxy in "${try_proxies[@]}"; do
      # if the host machine / proxy is reachable...
      if nc -z ${proxy/:/ }; then
          print_msg "Proxy that will be used: $proxy"
          echo "$proxy"
  print_msg "No proxy will be used"

  # Workaround for Launchpad bug 654393 so it works with Debian Squeeze (<0.8.11)
  echo DIRECT

in /etc/apt/apt.conf.d/30detectproxy set:

# Fail immediately if a file could not be retrieved. Comment if you have a bad
# Internet connection
Acquire::Retries 0;

# It should be an absolute path to the program, no arguments are allowed. stdout contains the proxy
# server, stderr is shown (in stderr) but ignored by APT
Acquire::http::ProxyAutoDetect "/etc/apt/detect-http-proxy";

Apt-Cacher NG (last edited 2021-08-07 20:24:49 by eiden)