1# 2# IMPORTANT NOTE: 3# 4# THIS FILE IS MAYBE JUST ONE OF MANY CONFIGURATION FILES IN THIS DIRECTORY. 5# SETTINGS MADE IN OTHER FILES CAN OVERRIDE VALUES THAT YOU CHANGE HERE. GO 6# LOOK FOR OTHER CONFIGURATION FILES! CHECK THE MANUAL AND INSTALLATION NOTES 7# (like README.Debian) FOR MORE DETAILS! 8# 9 10# This is a configuration file for apt-cacher-ng, a smart caching proxy for 11# software package downloads. It's supposed to be in a directory specified by 12# the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details. 13# RULES: 14# Letter case in variable names does not matter, names and values should be 15# separated with colons. For boolean variables, zero number is considered false, 16# non-zero considered true. If a default value is not explicitly mentioned in 17# the description, the commented value assignments mostly represent the default 18# values of the particular variables. 19 20# Storage directory for downloaded data and related maintenance activity. 21# 22CacheDir: /var/cache/apt-cacher-ng 23 24# Log file directory, can be set empty to disable logging 25# 26LogDir: /var/log/apt-cacher-ng 27 28# A place to look for additional configuration and resource files if they are not 29# found in the configuration directory 30# 31SupportDir: @LIBDIR@ 32 33# TCP server port for incoming http (or HTTP proxy) connections. 34# Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server 35# (SocketPath must be set in this case). 36# 37# Port:3142 38 39# Addresses or hostnames to listen on. Multiple addresses must be separated by 40# spaces. Each entry must be an exact local address which is associated with a 41# local interface. DNS resolution is performed using getaddrinfo(3) for all 42# available protocols (IPv4, IPv6, ...). Using a protocol specific format will 43# create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will 44# listen only to IPv4. 45# 46# Default: listens on all interfaces and protocols 47# 48# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface 49 50# The specification of another HTTP proxy which shall be used for downloads. 51# It can include user name and password but see the manual for limitations. 52# 53# Default: uses direct connection 54# 55# Proxy: http://www-proxy.example.net:3128 56# Proxy: https://username:proxypassword@proxy.example.net:3129 57 58# Repository remapping. See manual for details. 59# In this example, some backends files might be generated during package 60# installation using information collected on the system. 61# Examples: 62Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives 63Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives 64Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here 65Remap-sfnet: file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here 66Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux 67Remap-fedora: file:fedora_mirrors # Fedora Linux 68Remap-epel: file:epel_mirrors # Fedora EPEL 69Remap-slrep: file:sl_mirrors # Scientific Linux 70Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives 71Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security 72Remap-FreeBSD: file:freebsd_mirrors ; file:backends_freebsd # FreeBSD Archives 73 74# Virtual page accessible in a web browser to see statistics and status 75# information, i.e. under http://localhost:3142/acng-report.html 76# NOTE: This option must be configured to run maintenance jobs (even when used 77# via acngtool in cron scripts). The AdminAuth option can be used to restrict 78# access to sensitive areas on that page. 79# 80# Default: not set, should be set by the system administrator 81# 82ReportPage: acng-report.html 83 84# Socket file for accessing through local UNIX socket instead of TCP/IP. Can be 85# used with inetd (via bridge tool in.acng from apt-cacher-ng package). 86# 87# Default: not set, UNIX socket bridge is disabled. 88# 89# SocketPath:/var/run/apt-cacher-ng/socket 90 91# If set to 1, makes log files be written to disk on every new line. Default 92# is 0, buffers are flushed after the client disconnects. Technically, 93# it's a convenience alias for the Debug option, see below for details. 94# 95# UnbufferLogs: 0 96 97# Enables extended client information in log entries. When set to 0, only 98# activity type, time and transfer sizes are logged. 99# 100# VerboseLog: 1 101 102# Don't detach from the starting console. 103# 104# ForeGround: 0 105 106# Store the pid of the daemon process in the specified text file. 107# Default: disabled 108# 109# PidFile: /var/run/apt-cacher-ng/pid 110 111# Forbid outgoing connections and work without an internet connection or 112# respond with 503 error where it's not possible. 113# 114# Offlinemode: 0 115 116# Forbid downloads from locations that are directly specified in the user 117# request, i.e. all downloads must be processed by the preconfigured remapping 118# backends (see above). 119# 120# ForceManaged: 0 121 122# Days before considering an unreferenced file expired (to be deleted). 123# WARNING: if the value is set too low and particular index files are not 124# available for some days (mirror downtime) then there is a risk of removal of 125# still useful package files. 126# 127ExThreshold: 4 128 129# If the expiration is run daily, it sometimes does not make much sense to do 130# it because the expected changes (i.e. removal of expired files) don't justify 131# the extra processing time or additional downloads for expiration operation 132# itself. This discrepancy might be especially worse if the local client 133# installations are small or are rarely updated but the daily changes of 134# the remote archive metadata are heavy. 135# 136# The following option enables a possible trade-off: the expiration run is 137# suppressed until a certain amount of data has been downloaded through 138# apt-cacher-ng since the last expiration execution (which might indicate that 139# packages were replaced with newer versions). 140# 141# The number can have a suffix (k,K,m,M for Kb,KiB,Mb,MiB) 142# 143# ExStartTradeOff: 500m 144 145# Stop expiration when a critical problem appears, issue like a failed update 146# of an index file in the preparation step. 147# 148# WARNING: don't set this option to zero or empty without considering possible 149# consequences like a sudden and complete cache data loss. 150# 151# ExAbortOnProblems: 1 152 153# Number of failed nightly expiration runs which are considered acceptable and 154# do not trigger an error notification to the admin (e.g. via daily cron job) 155# before the (day) count is reached. Might be useful with whacky internet 156# connections. 157# 158# Default: a guessed value, 1 if ExThreshold is 5 or more, 0 otherwise. 159# 160# ExSuppressAdminNotification: 1 161 162# Modify file names to work around limitations of some file systems. 163# WARNING: experimental feature, subject to change 164# 165# StupidFs: 0 166 167# Experimental feature for apt-listbugs: pass-through SOAP requests and 168# responses to/from bugs.debian.org. 169# Default: guessed value, true unless ForceManaged is enabled 170# 171# ForwardBtsSoap: 1 172 173# There is a small in-memory cache for DNS resolution data, expired by 174# this timeout (in seconds). Internal caching is disabled if set to a value 175# less than zero. 176# 177# DnsCacheSeconds: 1800 178 179############################################################################### 180# 181# WARNING: don't modify thread and file matching parameters without a clear 182# idea of what is happening behind the scene! 183# 184# Max. count of connection threads kept ready (for faster response in the 185# future). Should be a sane value between 0 and average number of connections, 186# and depend on the amount of spare RAM. 187# MaxStandbyConThreads: 8 188# 189# Hard limit of active thread count for incoming connections, i.e. operation 190# is refused when this value is reached (below zero = unlimited). 191# MaxConThreads: -1 192# 193# Pigeonholing files (like static vs. volatile contents) is done by (extended) 194# regular expressions. 195# 196# The following patterns are available for the purposes detailed, where 197# the latter takes precedence over the former: 198# - «PFilePattern» for static data that doesn't change silently on the server. 199# - «VFilePattern» for volatile data that may change like every hour. Files 200# that match both PFilePattern and VfilePattern will be treated as volatile. 201# - Static data with file names that match VFilePattern may be overriden being 202# treated as volatile by making it match the special static data pattern, 203# «SPfilePattern». 204# - «SVfilePattern» or the "special volatile data" pattern is for the 205# convenience of specifying any exceptions to matches with SPfilePattern, 206# for cases where data must still be treated as volatile. 207# - «WfilePattern» specifies a "whitelist pattern" for the regular expiration 208# job, telling it to keep the files even if they are not referenced by 209# others, like crypto signatures with which clients begin their downloads. 210# 211# There are two versions. The pattern variables mentioned above should not be 212# set without good reason, because they would override the built-in defaults 213# (that might impact updates to future versions of apt-cacher-ng). There are 214# also versions of those patterns ending with Ex, which may be modified by the 215# local administrator. They are evaluated in addition to the regular patterns 216# at runtime. 217# 218# To see examples of the expected syntax, run: apt-cacher-ng -p debug=1 219# 220# PfilePatternEx: 221# VfilePatternEx: 222# SPfilePatternEx: 223# SVfilePatternEx: 224# WfilePatternEx: 225# 226############################################################################### 227 228# A bitmask type value declaring the loging verbosity and behavior of the error 229# log writing. Non-zero value triggers at least faster log file flushing. 230# 231# Some higher bits only working with a special debug build of apt-cacher-ng, 232# see the manual for details. 233# 234# WARNING: this can write significant amount of data into apt-cacher.err logfile. 235# 236# Default: 0 237# 238# Debug:3 239 240# Usually, general purpose proxies like Squid expose the IP address of the 241# client user to the remote server using the X-Forwarded-For HTTP header. This 242# behaviour can be optionally turned on with the Expose-Origin option. 243# 244# ExposeOrigin: 0 245 246# When logging the originating IP address, trust the information supplied by 247# the client in the X-Forwarded-For header. 248# 249# LogSubmittedOrigin: 0 250 251# The version string reported to the peer, to be displayed as HTTP client (and 252# version) in the logs of the mirror. 253# 254# WARNING: Expect side effects! Some archives use this header to guess 255# capabilities of the client (i.e. allow redirection and/or https links) and 256# change their behaviour accordingly but ACNG might not support the expected 257# features. 258# 259# Default: 260# 261# UserAgent: Yet Another HTTP Client/1.2.3p4 262 263# In some cases the Import and Expiration tasks might create fresh volatile 264# data for internal use by reconstructing them using patch files. This 265# by-product might be recompressed with bzip2 and with some luck the resulting 266# file becomes identical to the *.bz2 file on the server which can be used by 267# APT when requesting a complete version of this file. 268# The downside of this feature is higher CPU load on the server during 269# the maintenance tasks, and the outcome might have not much value in a LAN 270# where all clients update their data often and regularly and therefore usually 271# don't need the full version of the index file. 272# 273# RecompBz2: 0 274 275# Network timeout for outgoing connections, in seconds. 276# 277# NetworkTimeout: 60 278 279# Sometimes it makes sense to not store the data in cache and just return the 280# package data to client while it comes in. The following DontCache* parameters 281# can enable this behaviour for certain URL types. The tokens are extended 282# regular expressions which the URLs are evaluated against. 283# 284# DontCacheRequested is applied to the URL as it comes in from the client. 285# Example: exclude packages built with kernel-package for x86 286# DontCacheRequested: linux-.*_10\...\.Custo._i386 287# Example usecase: exclude popular private IP ranges from caching 288# DontCacheRequested: 192.168.0 ^10\..* 172.30 289# 290# DontCacheResolved is applied to URLs after mapping to the target server. If 291# multiple backend servers are specified then it's only matched against the 292# download link for the FIRST possible source (due to implementation limits). 293# 294# Example usecase: all Ubuntu stuff comes from a local mirror (specified as 295# backend), don't cache it again: 296# DontCacheResolved: ubuntumirror.local.net 297# 298# DontCache directive sets (overrides) both, DontCacheResolved and 299# DontCacheRequested. Provided for convenience, see those directives for 300# details. 301# 302# Example: 303# DontCache: .*.local.university.int 304 305# Default permission set of freshly created files and directories, as octal 306# numbers (see chmod(1) for details). 307# Can by limited by the umask value (see umask(2) for details) if it's set in 308# the environment of the starting shell, e.g. in apt-cacher-ng init script or 309# in its configuration file. 310# 311# DirPerms: 00755 312# FilePerms: 00664 313 314# It's possible to use use apt-cacher-ng as a regular web server with a limited 315# feature set, i.e. directory browsing, downloads of any files, Content-Type 316# based on /etc/mime.types, but without sorting, CGI execution, index page 317# redirection and other funny things. 318# To get this behavior, mappings between virtual directories and real 319# directories on the server must be defined with the LocalDirs directive. 320# Virtual and real directories are separated by spaces, multiple pairs are 321# separated by semi-colons. Real directories must be absolute paths. 322# NOTE: Since the names of that key directories share the same namespace as 323# repository names (see Remap-...) it is administrator's job to avoid conflicts 324# between them or explicitly create them. 325# 326# LocalDirs: woo /data/debarchive/woody ; hamm /data/debarchive/hamm 327LocalDirs: acng-doc @DOCDIR@ 328 329# Precache a set of files referenced by specified index files. This can be used 330# to create a partial mirror usable for offline work. There are certain limits 331# and restrictions on the path specification, see manual and the cache control 332# web site for details. A list of (maybe) relevant index files could be 333# retrieved via "apt-get --print-uris update" on a client machine. 334# 335# Example: 336# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages* 337 338# Arbitrary set of data to append to request headers sent over the wire. Should 339# be a well formated HTTP headers part including newlines (DOS style) which 340# can be entered as escape sequences (\r\n). 341# 342# RequestAppendix: X-Tracking-Choice: do-not-track\r\n 343 344# Specifies the IP protocol families to use for remote connections. Order does 345# matter, first specified are considered first. Possible combinations: 346# v6 v4 347# v4 v6 348# v6 349# v4 350# Default: use native order of the system's TCP/IP stack, influenced by the 351# BindAddress value. 352# 353# ConnectProto: v6 v4 354 355# Regular expiration algorithm finds package files which are no longer listed 356# in any index file and removes them of them after a safety period. 357# This option allows to keep more versions of a package in the cache after 358# the safety period is over. 359# 360# KeepExtraVersions: 0 361 362# Optionally uses TCP access control provided by libwrap, see hosts_access(5) 363# for details. Daemon name is apt-cacher-ng. 364# 365# Default: guessed on startup by looking for explicit mention of apt-cacher-ng 366# in /etc/hosts.allow or /etc/hosts.deny files. 367# 368# UseWrap: 0 369UseWrap: 0 370 371# If many machines from the same local network attempt to update index files 372# (apt-get update) at nearly the same time, the known state of these index file 373# is temporarily frozen and multiple requests receive the cached response 374# without contacting the remote server again. This parameter (in seconds) 375# specifies the length of this period before these (volatile) files are 376# considered outdated. 377# Setting this value too low transfers more data and increases remote server 378# load, setting this too high (more than a couple of minutes) increases the 379# risk of delivering inconsistent responses to the clients. 380# 381# FreshIndexMaxAge: 27 382 383# Usually the users are not allowed to specify custom TCP ports of remote 384# mirrors in the requests, only the default HTTP port can be used (as 385# workaround, proxy administrator can create Remap- rules with custom ports). 386# This restriction can be disabled by specifying a list of allowed ports or 0 387# for any port. 388# 389# AllowUserPorts: 80 390 391# Normally the HTTP redirection responses are forwarded to the original caller 392# (i.e. APT) which starts a new download attempt from the new URL. This 393# solution is ok for client configurations with proxy mode but doesn't work 394# well with configurations using URL prefixes in sources.list. To work around 395# this the server can restart its own download with a redirection URL, 396# configured with the following option. The downside is that this might be used 397# to circumvent download source policies by malicious users. 398# The RedirMax option specifies how many such redirects the server is allowed 399# to follow per request, 0 disables the internal redirection. 400# Default: guessed on startup, 0 if ForceManaged is used and 5 otherwise. 401# 402# RedirMax: 5 403 404# There some broken HTTP servers and proxy servers in the wild which don't 405# support the If-Range header correctly and return incorrect data when the 406# contents of a (volatile) file changed. Setting VfileUseRangeOps to zero 407# disables Range-based requests while retrieving volatile files, using 408# If-Modified-Since and requesting the complete file instead. Setting it to 409# a negative value removes even If-Modified-Since headers. 410# 411# VfileUseRangeOps: 1 412 413# Allow data pass-through mode for certain hosts when requested by the client 414# using a CONNECT request. This is particularly useful to allow access to SSL 415# sites (https proxying). The string is a regular expression which should cover 416# the server name with port and must be correctly formated and terminated. 417# Examples: 418# PassThroughPattern: private-ppa\.launchpad\.net:443$ 419# PassThroughPattern: .* # this would allow CONNECT to everything 420# 421# Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$ 422# PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$ 423 424# It's possible that an evil client requests a volatile file but does not 425# retrieve the response and keeps the connection effectively stuck over 426# many hours, blocking the particular file for other download attempts (which 427# leads to not reporting file changes on server side to other users). The work 428# around is the use of alternative file descriptors inside of apt-cacher-ng, 429# however this might cost some extra download traffic due to worse cache usage. 430# The ResponseFreezeDetectTime value specifies when a file descriptor in the 431# mentioned state is to be considered defect and will require special handling. 432# Default time is 500 seconds. 433# 434# ResponseFreezeDetectTime: 500 435 436# Keep outgoing connections alive and reuse them for later downloads from 437# the same server as long as possible. 438# 439# ReuseConnections: 1 440 441# Maximum number of requests sent in a batch to remote servers before the first 442# response is expected. Using higher values can greatly improve average 443# throughput depending on network latency and the implementation of remote 444# servers. Makes most sense when also enabled on the client side, see apt.conf 445# documentation for details. 446# 447# Default: 10 if ReuseConnections is set, 1 otherwise 448# 449# PipelineDepth: 10 450 451# Path to the system directory containing trusted CA certificates used for 452# outgoing connections, see OpenSSL documentation for details. 453# 454# CApath: /etc/ssl/certs 455# 456# Path to a single trusted trusted CA certificate used for outgoing 457# connections, see OpenSSL documentation for details. 458# 459# CAfile: 460 461# There are different ways to detect that an upstream proxy is broken and turn 462# off its use and connect directly. The first is through a custom command - 463# when it returns successfully, the proxy is used, otherwise not and the 464# command will be rerun only after a specified period. 465# Another way is to try to connect to the proxy first and detect a connection 466# timeout. The connection will then be made without HTTP proxy for the life 467# time of the particular download stream and it may also affect other other 468# parallel downloads. 469# NOTE: this operation modes are still experimental and are subject to change! 470# Unwanted side effects may occur with multiple simultaneous user connections 471# or with specific per-repository proxy settings. 472# 473# Shell command, default: not set. Executed with the default shell and 474# permissions of the apt-cacher-ng's process user. Examples: 475# /bin/ip route | grep -q 192.168.117 476# /usr/sbin/arp | grep -q 00:22:1f:51:8e:c1 477# 478# OptProxyCheckCommand: ... 479# 480# Check intervall, in seconds. 481# 482# OptProxyCheckInterval: 99 483# 484# Conection timeout in seconds, default: negative, means disabled. 485# 486# OptProxyTimeout: -1 487 488# It's possible to limit the processing speed of download agents to set an 489# overall download speed limit. Unit: KiB/s, Default: unlimited. 490# 491# MaxDlSpeed: 500 492 493# In special corner cases, download clients attempt to download random chunks 494# of a files headers, i.e. the first kilobytes. The "don't get client stuck" 495# policy converts this usually to a 200 response starting the body from the 496# beginning but that confuses some clients. When this option is set to a 497# certain value, this modifies the behaviour and allows to start a file 498# download where the distance between available data and the specified range 499# lies within that bounds. This can look like random lag for the user but 500# should be harmless apart from that. 501# 502# MaxInresponsiveDlSize: 64000 503 504# In mobile environments having an adhoc connection with a redirection to some 505# id verification side, this redirect might damage the cache since the data is 506# involuntarily stored as package data. There is a mechanism which attempts to 507# detect a such situation and mitigate the mentioned effects by not storing the 508# data and also dropping the DNS cache. The trigger is the occurrence of a 509# specific SUBSTRING in the content type field of the final download target 510# (i.e. the auth web site) and at least one followed redirection. 511# 512# BadRedirDetectMime: text/html 513 514# When a BUS signal is received (typically on IO errors), a shell command can be 515# executed before the daemon is terminated. 516# Example: 517# BusAction: ls -l /proc/$PPID/ | mail -s SIGBUS! root 518 519# Only set this value for debugging purposes. It disables SSL security checks 520# like strict host verification. 0 means no, any other value can have 521# differrent meaning in the future. 522# 523# NoSSLChecks: 0 524 525# Setting this value means: on file downloads from/via cache, tag relevant 526# files. And when acngtool runs the shrink command, it will look at the day 527# when the file was retrieved from cache last time (and not when it was 528# originally downloaded). 529# 530# TrackFileUse: 0 531 532# Controls preallocation of file system space where this feature is supported. 533# This might reduce disk fragmentation and therefore improve later read 534# performance. However, write performance can be reduced which could be 535# exploited by malicious users. 536# The value defines a size limit of how much to report to the OS as expected 537# file size (starting from the beginning of the file). 538# Set to zero to disable this feature completely. Default: one megabyte 539# 540# ReserveSpace: 1048576 541