apt-cacher-rs is a simple caching proxy daemon for Debian style repositories.
It is inspired by and an alternative to apt-cacher and apt-cacher-ng.
Before you can create a Debian package, the following commands must be run once to install the necessary dependencies:
apt-get -y install dpkg-dev liblzma-dev
cargo install cargo-deb
Then run the following command to build the Debian package in target/debian/apt-cacher-rs.deb:
cargo deb
apt-cacher-rs can be easily run inside a container.
Build an image with the following command based on the in-tree Dockerfile:
podman build -t apt-cacher-rs:dev -f Dockerfile .
The image expects a volume mounted at /data to store the database and cached files.
You must also provide a configuration file via a mount on /app/apt-cacher-rs.conf, since the default configuration does not permit any clients.
For example you can start a container via:
podman run -p 3142:3142/tcp --read-only --rm -v apt-cacher-rs-data:/data:nodev,noexec,nosuid -v /srv/apt-cacher-rs.conf:/app/apt-cacher-rs.conf:ro apt-cacher-rs:dev
The image's ENTRYPOINT hard-codes --config-file=/app/apt-cacher-rs.conf, --cache-path=/data/cache and --database-path=/data/apt-cacher-rs.db; any extra arguments passed to podman run are appended after these flags.
To use different paths, override the entrypoint via --entrypoint.
The most relevant flags (see apt-cacher-rs --help for the full list):
--config-file=<PATH>: path to the configuration file (default /etc/apt-cacher-rs/apt-cacher-rs.conf). If the default file is missing the built-in defaults are used; a missing non-default file is an error.
--cache-path=<PATH>: overrides the cache_directory field from the configuration file (or its default).
--database-path=<PATH>: overrides the database_path field from the configuration file (or its default).
Install the Debian package via dpkg on a local network server and add the following configuration file on every client system that should utilize the proxy:
/etc/apt/apt.conf.d/30proxy
Acquire::http::Proxy "http://<proxy_ip>:3142/";
If your sources contain HTTPS repositories you would like to cache as well, change their URL scheme to http:// to cache their packages.
Note that connections from the client to the proxy are unencrypted (but all packages are by default verified by apt(8) after download to have a valid GPG signature).
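The scheme change described above, as an added example (not apt-cacher-rs code): a shell function that rewrites https:// repository URIs to http:// in both the one-line and deb822 sources formats while leaving comments and Signed-By settings untouched. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of apt-cacher-rs. All names here are hypothetical.

# rewrite_sources: read an apt sources file on stdin and print it with the
# repository URIs switched from https:// to http://. Covers the one-line
# format (sources.list) and the deb822 format (*.sources).
rewrite_sources() {
    awk '
    /^[ \t]*#/ { print; next }              # comments stay untouched
    /^[ \t]*deb(-src)?[ \t]/ {              # one-line: deb [options] URI suite ...
        in_uris = 0
        # Only the URI token is rewritten; [options] such as signed-by=
        # precede it and are left alone.
        if (match($0, /[ \t]https:\/\//))
            $0 = substr($0, 1, RSTART) "http://" substr($0, RSTART + RLENGTH)
        print; next
    }
    tolower($0) ~ /^uris:/ {                # deb822: URIs: may list several
        in_uris = 1
        gsub(/https:\/\//, "http://"); print; next
    }
    in_uris && /^[ \t]/ {                   # folded continuation of URIs:
        gsub(/https:\/\//, "http://"); print; next
    }
    { in_uris = 0; print }                  # any other field or blank line
    '
}

# Constructed sample: both formats in one stream, for demonstration only.
sample_sources() {
    cat <<'EOF'
# https://deb.example.org is our internal mirror
deb [signed-by=/usr/share/keyrings/example.gpg] https://deb.example.org/debian stable main
deb http://deb.debian.org/debian stable main
Types: deb
URIs: https://deb.example.org/debian
 https://mirror.example.net/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example.gpg
EOF
}

sample_sources | rewrite_sources
```

Review the output before replacing any file under /etc/apt/; the signed-by and Signed-By settings pass through unchanged, so apt keeps verifying repository signatures against the same keyrings.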
apt-cacher-rs contains a minimal web interface for some statistics at http://<proxy-ip>:3142/, and important logs can be viewed at http://<proxy-ip>:3142/logs.
Packages in the cache that are no longer referenced by any known upstream repository are pruned every 24h, unless they were downloaded less than 3 days ago.
The list of known upstream repositories is gathered by inspecting proxied package list requests (i.e. by apt update).
The cleanup can also be manually triggered by sending the signal USR2 to the apt-cacher-rs process.
apt-cacher-rs also reacts to these maintenance signals:
USR1: reopen the active log file (when logging to a file)
apt-cacher-rs exposes several optional cargo features (the default set is mmap, tls_rustls, sendfile):
mmap (default): serve cached files via memory-mapped I/O (memmap2).
sendfile (default): serve cached files to clients with zero-copy sendfile(2).
tls_rustls (default): use rustls as the TLS backend for upstream connections.
tls_hyper: use the system-provided TLS implementation (hyper-tls/native TLS) instead of rustls; disable default features when enabling this.
webpki-roots: bundle Mozilla's CA root set with rustls instead of relying on the system trust store.
splice: proxy upstream responses to clients using splice(2) (implies sendfile).
ktls: offload TLS encryption to the kernel via kTLS (implies splice and tls_rustls).
The proxy interface should not be made publicly available to the internet or to completely untrusted clients. That could lead to Denial of Service issues, such as congesting the network or exhausting the filesystem's capacity.