Bug#929224: apt-cacher-ng, debootstrap and deb.debian.org combination fails

2019-06-05 Thread Sean Whitton
Hello Eduard,

On Tue 04 Jun 2019 at 08:30AM +02, Eduard Bloch wrote:

> Sure you do, guess what "URL transformed to HTTPS due to an HSTS policy"
> is supposed to mean.
>
>    --no-hsts
>    Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by
>    default.  Use --no-hsts to make Wget act as a non-HSTS-compliant UA.
>    As a consequence, Wget would ignore all the "Strict-Transport-Security"
>    headers, and would not enforce any existing HSTS policy.

So are you saying you think the bug is in debootstrap, i.e., debootstrap
should start passing --no-hsts to wget?

-- 
Sean Whitton




Bug#929224: apt-cacher-ng, debootstrap and deb.debian.org combination fails

2019-06-04 Thread Eduard Bloch
Hello,
* Sean Whitton [Wed, May 22 2019, 06:02:15PM]:
> Hello Eduard,
>
> On Wed 22 May 2019 at 09:24PM +02, Eduard Bloch wrote:
>
> > Uhm, I suggest you do what it says and read the manual?
>
> I am not trying to use an https mirror.
>
> I don't know what's responsible for the attempt to use https, but I want
> to use http://deb.debian.org/debian, and one of apt-cacher-ng,
> debootstrap or the deb.debian.org service is blocking doing that.

Sure you do, guess what "URL transformed to HTTPS due to an HSTS policy" is
supposed to mean.

   --no-hsts
   Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by
   default.  Use --no-hsts to make Wget act as a non-HSTS-compliant UA.
   As a consequence, Wget would ignore all the "Strict-Transport-Security"
   headers, and would not enforce any existing HSTS policy.


Best regards,
Eduard.

--
 So what alternatives to file-roller are there?
 A 100-sheet pad of squared paper and a soft pencil?
 frobnic: I didn't really want a hardware solution



Bug#929224: apt-cacher-ng, debootstrap and deb.debian.org combination fails

2019-05-22 Thread Sean Whitton
Hello Eduard,

On Wed 22 May 2019 at 09:24PM +02, Eduard Bloch wrote:

> Uhm, I suggest you do what it says and read the manual?

I am not trying to use an https mirror.

I don't know what's responsible for the attempt to use https, but I want
to use http://deb.debian.org/debian, and one of apt-cacher-ng,
debootstrap or the deb.debian.org service is blocking doing that.

-- 
Sean Whitton




Bug#929224: apt-cacher-ng, debootstrap and deb.debian.org combination fails

2019-05-22 Thread Eduard Bloch
Hello,
* Sean Whitton [Sun, May 19 2019, 08:08:07AM]:

> I thought that the problem is that apt-cacher-ng is not able to resolve
> SRV records.  However, I'm not so sure about that now.  debootstrap uses
> wget to download stuff, so I tried this:
>
> root@iris:/srv/chroot>http_proxy=http://localhost:3142 wget http://deb.debian.org/debian/dists/sid/Release
> URL transformed to HTTPS due to an HSTS policy
> --2019-05-19 07:54:37--  https://deb.debian.org/debian/dists/sid/Release
> Resolving localhost (localhost)... ::1, 127.0.0.1
> Connecting to localhost (localhost)|::1|:3142... connected.
> Proxy tunneling failed: CONNECT denied (ask the admin to allow HTTPS tunnels)Unable to establish SSL connection.

Uhm, I suggest you do what it says and read the manual?

https://www.unix-ag.uni-kl.de/~bloch/acng/html/howtos.html#ssluse

The "laissez-faire method": in acng.conf (or related) configure the 
PassThroughPattern option to contain a regex like .* and configure the clients 
to use apt-cacher-ng as HTTP proxy and let the clients connect to https URLs 
"as usual". Some limited access control can be achieved through adjustment of 
the regular expression (.* permits access to any host and any port, including 
443 for https). Data is not cached on the server.

Also modified by debconf: dpkg-reconfigure -plow apt-cacher-ng

Best regards,
Eduard.
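
Added example, not part of the message above and not apt-cacher-ng's own code: a shell check of which CONNECT targets a given PassThroughPattern would tunnel, comparing `.*` with tighter patterns. It assumes the pattern is applied as an extended regular expression to the target in host:port form; the config fragments and the target list are constructed.

```shell
#!/bin/sh
# Constructed acng.conf fragments (not taken from a real system).
CONF_OPEN='PassThroughPattern: .*'
CONF_LOOSE='PassThroughPattern: deb.debian.org:443'      # unanchored, dots unescaped
CONF_TIGHT='PassThroughPattern: ^deb\.debian\.org:443$'  # one host, one port

# Constructed CONNECT targets in host:port form (assumed match format).
TARGETS='deb.debian.org:443 deb.debian.org:22 internal.example:5432 deb-debian.org:443'

# Print the value of the last uncommented PassThroughPattern line in the config text.
passthrough_pattern() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*PassThroughPattern:[[:space:]]*//p' | tail -n 1
}

# Succeed if the target ($2) matches the extended regex ($1).
connect_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Print every constructed target that the given config text would tunnel.
allowed_targets() {
    pat=$(passthrough_pattern "$1")
    [ -n "$pat" ] || return 0   # no pattern configured: nothing is tunnelled
    for t in $TARGETS; do
        if connect_allowed "$pat" "$t"; then printf '%s\n' "$t"; fi
    done
}

# Report what each candidate setting lets through.
for conf in "$CONF_OPEN" "$CONF_LOOSE" "$CONF_TIGHT"; do
    printf '%s\n  tunnels: %s\n' "$conf" "$(allowed_targets "$conf" | tr '\n' ' ')"
done
```

The unanchored pattern with unescaped dots also admits the look-alike host deb-debian.org:443, while the anchored and escaped one admits only the mirror on port 443.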



Bug#929224: apt-cacher-ng, debootstrap and deb.debian.org combination fails

2019-05-19 Thread Sean Whitton
Package: apt-cacher-ng, debootstrap
Version: 3.2-1, 1.0.114
X-debbugs-cc: debian-ad...@lists.debian.org

Dear maintainers and DSA,

The combination of apt-cacher-ng, debootstrap and the deb.debian.org
service fails:

root@iris:/srv/chroot>http_proxy=http://localhost:3142 debootstrap sid chr/ http://deb.debian.org/debian
I: Target architecture can be executed
I: Retrieving InRelease
I: Retrieving Release
E: Failed getting release file http://deb.debian.org/debian/dists/sid/Release

However, replacing deb.debian.org with cdn-fastly.deb.debian.org
succeeds.  And note that apt can happily use the combination of
apt-cacher-ng and .

I thought that the problem is that apt-cacher-ng is not able to resolve
SRV records.  However, I'm not so sure about that now.  debootstrap uses
wget to download stuff, so I tried this:

root@iris:/srv/chroot>http_proxy=http://localhost:3142 wget http://deb.debian.org/debian/dists/sid/Release
URL transformed to HTTPS due to an HSTS policy
--2019-05-19 07:54:37--  https://deb.debian.org/debian/dists/sid/Release
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:3142... connected.
Proxy tunneling failed: CONNECT denied (ask the admin to allow HTTPS tunnels)Unable to establish SSL connection.

I then tried passing --no-hsts to wget, which allowed the download to
succeed, and after that the file was cached by apt-cacher-ng so
--no-hsts was no longer needed.

I don't know whether debootstrap needs to start passing --no-hsts to
wget, or apt-cacher-ng should be fixed, or there is a configuration
problem with the deb.debian.org service.  But since this is our main
CDN, it seems like it ought to be possible to use the combination of
apt-cacher-ng, deb.debian.org and debootstrap.

-- 
Sean Whitton
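
Added example, not part of the report above and not wget's own code: a shell check of whether a stored HSTS entry would make an HSTS-compliant client rewrite an http:// URL for a host, which is the situation behind "URL transformed to HTTPS due to an HSTS policy". Assumptions: the database uses the tab-separated layout of wget's known-hosts file (hostname, port, incl. subdomains, created, max-age); the entries and timestamps are constructed.

```shell
#!/bin/sh
# Constructed sample database (assumed layout of wget's HSTS known-hosts file):
# <hostname> TAB <port> TAB <incl. subdomains> TAB <created> TAB <max-age>
HSTS_DB=$(printf '%s\n' \
    '# HSTS 1.0 Known Hosts database for GNU Wget.' \
    "$(printf 'deb.debian.org\t0\t0\t1558000000\t15552000')" \
    "$(printf 'example.org\t0\t1\t1500000000\t3600')")

# hsts_upgrades HOST NOW
# Prints "yes" if an unexpired entry covers HOST at epoch time NOW, else "no".
# An entry covers HOST on an exact match, or on a subdomain match when its
# incl. subdomains flag is 1.
hsts_upgrades() {
    printf '%s\n' "$HSTS_DB" | awk -F '\t' -v host="$1" -v now="$2" '
        /^#/ || NF < 5 { next }                 # skip comments and malformed lines
        {
            live   = ($4 + $5 > now)            # created + max-age still in the future
            exact  = (host == $1)
            suffix = "." $1
            sub_ok = ($3 == 1 && length(host) > length(suffix) &&
                      substr(host, length(host) - length(suffix) + 1) == suffix)
            if (live && (exact || sub_ok)) hit = 1
        }
        END { print (hit ? "yes" : "no") }'
}

# Constructed "current time", a few days after the first entry was created.
NOW=1558250000
for h in deb.debian.org cdn-fastly.deb.debian.org www.example.org; do
    printf '%-28s upgraded to https: %s\n' "$h" "$(hsts_upgrades "$h" "$NOW")"
done
```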


signature.asc
Description: PGP signature