Package: mirrors We have an ssh tunnel forwarding traffic via a Debian Stretch server to ftp.uk.debian.org<ftp://ftp.uk.debian.org>. This is because the requesting client (also Debian Stretch) only has outbound ssh access (no other ports open). The tunnel is as follows: ssh client@server -L 127.0.0.1:2081:ftp.uk.debian.org:80 And we then have the following line amongst others in the apt sources list: deb http://127.0.0.1:2081/debian/ stretch main contrib non-free For a few years now, whenever we run apt-get update, it works. But today it seems the above address is being redirected to HTTPS, e.g.: Answer for: http://127.0.0.1:2081/debian/dists/stretch-backports/contrib/Contents-armhf.lzma HTTP/1.1 302 Moved Temporarily Server: nginx/1.18.0 Date: Thu, 27 Jan 2022 16:25:20 GMT Content-Type: text/html Content-Length: 145 Connection: keep-alive Location: https://127.0.0.1/debian/dists/stretch-backports/contrib/Contents-armhf.lzma Also, the port specified in the initial request doesn’t appear to be honoured, according to the last line above. We then get: Err:5 https://127.0.0.1/debian stretch/main armhf Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
If we change the ssh port forward to instead use ftp.de.debian.org<ftp://ftp.de.debian.org>, it works fine, just as the UK version used to, with no 302 redirect (different package extracted from earlier logs, but otherwise comparable): Answer for: http://127.0.0.1:2081/debian/dists/stretch-backports/non-free/i18n/by-hash/SHA256/ecdde85fe38ffd2be1ba30e194d7e380cd5d18a0ae21c994bda09a4246ccaacb HTTP/1.1 200 OK Date: Thu, 27 Jan 2022 16:35:23 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Mon, 13 Jul 2020 13:57:07 GMT ETag: "9676-5aa5310fc3ad2" Accept-Ranges: bytes Content-Length: 38518 More interestingly, if I temporarily make it so that the client has HTTP access, and point apt directly at “deb http://ftp.uk.debian.org/debian/ stretch main contrib non-free”, then it works fine over HTTP as before, so it’s not an indiscriminately applied redirect. It’s as though the Nginx instance at the other end is now behaving differently depending on request hostname or perhaps port number. I should add that there’s nothing in the chain that isn’t apparent from the ssh options “-L 127.0.0.1:2081:ftp.uk.debian.org:80”, it’s just a simple forward to the outside world. We have a lot of kit in the field with this symptom, and would be nice to know if this can/will be fixed so that we can act accordingly. I am using apt 1.4.6 (armhf) on Debian GNU/Linux 9 Regards, [cid:image716390.png@3185E099.A4D73DB5] MATTHEW JONES CLOUD SOLUTIONS ARCHITECT RAMTECHGLOBAL.COM<https://www.ramtechglobal.com/> SOCIAL MEDIA LINKEDIN <https://www.linkedin.com/company/ramtech-electronics-limited/> | YOUTUBE <https://www.youtube.com/channel/UCiLOcTLTQ1I5PPpA7ytgVrw> | TWITTER<https://twitter.com/RamtechGlobal> EMAIL matthew.jo...@ramtechglobal.com<mailto:matthew.jo...@ramtechglobal.com> OFFICE +44 (0)115 957 8282 This email has been sent by and on behalf of one or more of Ramtech Electronics Limited, Ramtech Overseas Limited, Ramtech North America Inc or Ashton Lister Investments Limited, (together, ‘Ramtech’). This e-mail, including attachments, is private and may be confidential and is for the intended recipient only. If you are not the intended addressee, please notify us by telephone (+44 (0)115 957 8282) or by email (priv...@ramtechglobal.com) and confirm that it has been deleted from your system and any copies destroyed. If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it. Ramtech use reasonable endeavours to virus scan all e-mails leaving the firms but no warranty is given that this e-mail and any attachments are virus free. You should undertake your own virus checking. The right to monitor e-mail communications through our networks is reserved by us. Each of Ramtech Electronics Limited (registered no. 02538255), Ramtech Overseas Limited (registered no. 10162495) and Ashton Lister Investments Limited (registered no. 05617735) are companies registered in England and Wales and whose registered office is at: Ramtech House, Castlebridge Office Village, Castle Marina Rd, Nottingham NG7 1TN. Ramtech North America Inc principle place of business is 5126 South Royal Atlanta Dr. Tucker, GA 30084, USA. To understand how we respect and protect your personal data, please see our privacy statement at https://ramtechglobal.com/privacy-statement