On a local network with multiple Debian machines, it is useful to create a local package cache so that subsequent updates via apt-get or aptitude pull already-downloaded packages from the local network instead of querying the origin servers or mirrors every time.
This guide illustrates the usage of apt-cacher-ng along with several tweaks that should accomplish transparent caching of Debian packages on the local network, so that machines on the network do not need to re-download the packages themselves and can instead pull them from an internal repository.
The plan is rather simple: use a central server that pulls packages whenever clients request them and stores them locally, so that subsequent requests for the same packages are served from the local store instead of being retrieved anew.
A single package has to be installed, named apt-cacher-ng:
aptitude install apt-cacher-ng
which should pull and install any relevant dependencies.
On client Debian machines, create the file /etc/apt/00apt-cache-ng with the following contents:
Acquire::http::Proxy "http://server.hostname:3142/";
Acquire::https::Proxy "DIRECT";
where:
server.hostname is the hostname or IP address of the server running apt-cacher-ng.
This configuration file does the following stuff:
apt-cacher-ng
.
Since HTTPS traffic is encapsulated in TLS, apt-cacher-ng cannot perform a MITM attack and retrieve the package, so any attempt to retrieve packages through apt-cacher-ng for HTTPS repositories would fail.
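A check that a client file really carries both settings, HTTP through the cache on port 3142 and HTTPS set to DIRECT, written as an added example that is not part of the original guide. The function names are hypothetical, the sample file is constructed, and the parser assumes the flat one-setting-per-statement syntax shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of apt or apt-cacher-ng.
# Assumes the flat Name "value"; syntax used in the client file above.

# Print the last value assigned to Acquire::<scheme>::Proxy in file $1.
apt_proxy_value() {   # $1 = config file, $2 = http | https
    grep -v '^[[:space:]]*//' "$1" | tr ';' '\n' |
    awk -v key="acquire::$2::proxy" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Option names are matched case-insensitively. The character after the
        # name must be a blank or a quote, so per-host entries such as
        # Acquire::http::Proxy::somehost are not mistaken for the global one.
        tolower(substr(line, 1, length(key))) == key &&
        substr(line, length(key) + 1, 1) ~ /[ \t"]/ &&
        match(line, /"[^"]*"/) { val = substr(line, RSTART + 1, RLENGTH - 2) }
        END { print val }'
}

# Return 0 only if HTTP goes through the cache and HTTPS bypasses it.
check_apt_cache_client() {   # $1 = config file, $2 = cache hostname or IP
    acng_http=$(apt_proxy_value "$1" http)
    acng_https=$(apt_proxy_value "$1" https)
    acng_rc=0
    case "$acng_http" in
        "http://$2:3142"|"http://$2:3142/") ;;
        *) echo "http proxy is '${acng_http:-unset}', expected http://$2:3142/" >&2
           acng_rc=1 ;;
    esac
    if [ "$acng_https" != "DIRECT" ]; then
        # Without DIRECT, HTTPS repositories would be sent to the cache and fail.
        echo "https proxy is '${acng_https:-unset}', expected DIRECT" >&2
        acng_rc=1
    fi
    return $acng_rc
}

# Constructed sample reproducing the client file from this guide.
sample=$(mktemp)
printf '%s\n' 'Acquire::http::Proxy "http://server.hostname:3142/"; Acquire::https::Proxy "DIRECT";' > "$sample"
check_apt_cache_client "$sample" server.hostname && echo "client configuration OK"
rm -f "$sample"
```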
If you have enough storage space, a good idea is to edit /etc/apt-cacher-ng/acng.conf and set the value of ExThreshold to 30 days to allow apt-cacher-ng to hold packages for a longer time.
apt-cacher-ng is able to pass requests to an upstream web proxy, which, in turn, can pass the requests through an anonymizing network such as Tor. One of the reasons for doing so is that an upstream observer may be able to monitor your traffic and check which updates or packages have been pulled to your system with the hope of finding vulnerable software.
One way to do this would be to use proxy chaining to make Squid forward requests to polipo and then through Tor, and then point apt-cacher-ng to Squid. One sample configuration that could be used for Squid would be a configuration with two cache peers.