>Even with something simple, like just debian.org in the regexp, I was
>able to connect to deb.debian.org but not even to

Unlike -NG, -Ultra has a lot of knobs for hardening the cache, as you've
seen.  I'm leaning towards the default being more permissive (like -NG),
because the expected primary use case is inside a trusted network.  Then
the knobs become available for hardening it in environments where that
is necessary, but the Quickstart becomes much easier.

I believe what you're running into is two things: The allowed regex and
the MITM Cert.  The MITM cert also limits the names it will give out in
the default config.  So allows need to be done in both places.  **BUT**
the CA cert also needs to be regenerated after changing the MITM allow.
It does warn about this on start up, but you have to go look at the logs
to surface that.  I'm going to change that so that it loudly complains
and aborts in that case.

I'm going to push some changes to the default config that open it up.
You should be able to get the new config, and then remove
`/var/cache/apt-cacher-ultra/ca/*` and restart apt-cacher-ultra.  It
should then generate a new CA, and you will need to copy that
ca.crt to the client machine to continue testing.  At that point it
should work for you.

In my environment I started with things wide open and then looked at
the logs after a few days and used actual usage to create the allow
lists.  However, I've since come to the mind that because of signing of
remote packages, the CA being limited to apt use only, and typical use
inside a trusted network that has public Internet access anyway, that
a more open default is probably better.

Sean

On Fri, May 22, 2026 at 12:55 PM Anssi Saari <
[email protected]> wrote:

> Sean Reifschneider <[email protected]> writes:
>
> > I've been working on a new apt cacher I'm calling "apt-cacher-ultra",
> with two goals in mind:
>
> With a quick look, it seems to work nicely. Then again, so does
> apt-cacher-ng, it's just that later when you try to use it, it won't
> respond or responds with error and needs a restart.
>
> > * MITM https proxy so you don't need to do the "http://HTTPS///"
> kludge, but you can also get the benefit of the cache
> >  (-ng does a binary passthrough which bypasses the cache).
>
> This feature might need some looking into or at least a little
> documentation on how to use it, e.g. how to specify the regexp? The
> example config in readme doesn't seem to work, as in the regexp isn't
> accepted.
>
> Even with something simple, like just debian.org in the regexp, I was
> able to connect to deb.debian.org but not even to
> security.debian.org. Let alone the repos I actually want to connect,
> mega, nvidia, spideroak, spotify... Everything but deb.debian.org came
> back with a certificate error. So, documentation, a working example, or
> explanation? Or maybe I did something wrong. And, to be honest, those
> non-Debian repos I use so little the caching doesn't much matter. But
> how do you use apt-cacher-ultra for https without caching?
>
>

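The two-gate behaviour Sean describes (the allow regexp plus the names the MITM CA will issue certificates for, and the CA going stale when that name list changes) is modelled below as an added example. It is not apt-cacher-ultra's code and assumes nothing about its real config keys: the pattern list, the name list, the wildcard rule and the fingerprint stamp are all hypothetical, chosen only to show why a host can pass the regexp and still come back with a certificate error.

```python
"""Model of the two-gate hostname check discussed in the thread.
Added example, not apt-cacher-ultra's implementation; the config
semantics (pattern list, cert-name list, CA stamp) are assumptions."""

import hashlib
import re
from typing import Iterable, Sequence


def _normalise(host: str) -> str:
    return host.strip().lower().rstrip(".")


def hostname_allowed(host: str, allow_patterns: Sequence[str]) -> bool:
    """Gate 1: the proxy's allow regexp list.  Patterns are matched with
    re.fullmatch, so a lookalike such as 'debian.org.example.net' cannot
    satisfy the list the way an unanchored re.search('debian.org') would."""
    host = _normalise(host)
    return any(re.fullmatch(pattern, host) for pattern in allow_patterns)


def mitm_cert_covers(host: str, cert_names: Iterable[str]) -> bool:
    """Gate 2: names the MITM CA is willing to issue a leaf cert for.
    Exact names or single-label wildcards ('*.debian.org'), using the same
    one-label rule TLS clients apply to wildcard SANs."""
    host = _normalise(host)
    for name in cert_names:
        name = _normalise(name)
        if name.startswith("*."):
            suffix = name[1:]  # e.g. '.debian.org'
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
        elif host == name:
            return True
    return False


def proxy_decision(host: str, allow_patterns: Sequence[str],
                   cert_names: Iterable[str]) -> str:
    """Run both gates and say which one rejected the host; that is the
    distinction a client only sees as a generic certificate error."""
    if not hostname_allowed(host, allow_patterns):
        return "blocked-by-allow-regexp"
    if not mitm_cert_covers(host, cert_names):
        return "blocked-by-cert-names"
    return "ok"


def config_fingerprint(cert_names: Iterable[str]) -> str:
    """Hash of the MITM name list, recorded when the CA is generated."""
    canonical = "\n".join(sorted(_normalise(n) for n in cert_names))
    return hashlib.sha256(canonical.encode()).hexdigest()


def ca_is_current(ca_stamp: str, cert_names: Iterable[str]) -> bool:
    """False when the MITM allow list changed after the CA was generated,
    i.e. the case where the CA directory must be removed and regenerated."""
    return ca_stamp == config_fingerprint(cert_names)


if __name__ == "__main__":
    # Constructed config: permissive allow regexp, narrow cert-name list.
    allow = [r"([a-z0-9-]+\.)*debian\.org"]
    names = ["deb.debian.org"]
    for h in ["deb.debian.org", "security.debian.org",
              "developer.download.nvidia.com"]:
        print(f"{h:32} -> {proxy_decision(h, allow, names)}")
    stamp = config_fingerprint(names)
    names = ["*.debian.org"]  # widened after the CA was generated
    print("CA still current:", ca_is_current(stamp, names))
    print("security.debian.org now:",
          proxy_decision("security.debian.org", allow, names))
```

With the narrow name list, `security.debian.org` passes the regexp and fails the second gate, which is the symptom reported above; widening the names fixes that host but leaves the CA stamp stale, so the regenerate-and-redistribute step still applies.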