Proxying the pkg repository with Apache

BLUF: What do I need to do to make this work?

I'm trying to use a jail to act as a proxy for pkg.freebsd.org so that all jails on my network pull their updates from that jail and it is the only jail that has direct access to the internet.

I have a basic reverse proxy set up with apache24, and it seems to be working fine at least for serving the pkg.freebsd.org page - when I curl the jail's IP from another host, it returns exactly what I see when curling pkg.freebsd.org itself. I assume it must be that it needs more than a basic reverse proxy to fully work here, but I can't figure out what.

When testing it by trying to make one of my jails update through it, it fails with the following error:

Code:
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
pkg: No SRV record found for the repo 'FreeBSD'
pkg: An error occured while fetching package
pkg: packagesite URL error for pkg+http://172.18.100.133/FreeBSD:14:amd64/quarterly/meta.txz -- pkg+:// implies SRV mirror type
repository FreeBSD has no meta file, using default settings
pkg: packagesite URL error for pkg+http://172.18.100.133/FreeBSD:14:amd64/quarterly/data.pkg -- pkg+:// implies SRV mirror type
pkg: packagesite URL error for pkg+http://172.18.100.133/FreeBSD:14:amd64/quarterly/data.txz -- pkg+:// implies SRV mirror type
pkg: packagesite URL error for pkg+http://172.18.100.133/FreeBSD:14:amd64/quarterly/packagesite.pkg -- pkg+:// implies SRV mirror type
pkg: packagesite URL error for pkg+http://172.18.100.133/FreeBSD:14:amd64/quarterly/packagesite.txz -- pkg+:// implies SRV mirror type
Unable to update repository FreeBSD
Error updating repositories!

The config being used is as follows:
Code:
FreeBSD: {
  url: "pkg+http://172.18.100.133/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

I've tried using the http and none mirror types and removing the pkg+ part from the URL, but nothing has been successful.

My reverse proxy configuration is as follows:
Code:
<VirtualHost *:80>
    ServerName 172.18.100.133
    ProxyRequests Off
    ProxyPreserveHost Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://pkg.freebsd.org/
    ProxyPassReverse / http://pkg.freebsd.org/
</VirtualHost>

Curling the proxy jail from a lan host:
Code:
[user@workstation]$ curl 172.18.100.133
<!DOCTYPE html lang="en">
<html>
<head>
<title>pkg0.nyi.FreeBSD.org</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h1>FreeBSD.org pkg mirror</h1>
<p>This is <a href="http://pkg0.nyi.freebsd.org">pkg0.nyi.FreeBSD.org</a> - an east coast US regional mirror for pkg(8).</p>
<p>It is generously hosted by <a href="https://365datacenters.com/">365 Data Centers</a> in New Jersey, USA.</p>
<p>We use MaxMind GeoLite based geo-dns to choose a close mirror for you.</p>
<p><b>IMPORTANT: We do <u>NOT</u> guarantee uptime of any particular mirror.</b>  We provide SRV fallbacks for redundancy.</p>
<p>This server's package sets:</p>
<ul>
<li><a href="FreeBSD%3A13%3Ai386">FreeBSD:13:i386</a>
<li><a href="FreeBSD%3A13%3Aamd64">FreeBSD:13:amd64</a>
<li><a href="FreeBSD%3A13%3Aaarch64">FreeBSD:13:aarch64</a>
<li><a href="FreeBSD%3A14%3Ai386">FreeBSD:14:i386</a>
<li><a href="FreeBSD%3A14%3Aamd64">FreeBSD:14:amd64</a>
<li><a href="FreeBSD%3A14%3Aaarch64">FreeBSD:14:aarch64</a>
<li><a href="FreeBSD%3A15%3Aamd64">FreeBSD:15:amd64</a>
<li><a href="FreeBSD%3A15%3Aaarch64">FreeBSD:15:aarch64</a>
</ul>
<p>Tier-2 support package sets:</p>
<ul>
<li><a href="FreeBSD%3A13%3Aarmv6">FreeBSD:13:armv6</a>
<li><a href="FreeBSD%3A13%3Aarmv7">FreeBSD:13:armv7</a>
<li><a href="FreeBSD%3A13%3Apowerpc">FreeBSD:13:powerpc</a> (only quarterly is updated)
<li><a href="FreeBSD%3A13%3Apowerpc64">FreeBSD:13:powerpc64</a> (only quarterly is updated)
<li><a href="FreeBSD%3A13%3Apowerpc64le">FreeBSD:13:powerpc64le</a> (only quarterly is updated)
<li><a href="FreeBSD%3A14%3Aarmv6">FreeBSD:14:armv6</a>
<li><a href="FreeBSD%3A14%3Aarmv7">FreeBSD:14:armv7</a>
<li><a href="FreeBSD%3A14%3Apowerpc">FreeBSD:14:powerpc</a> (only quarterly is updated)
<li><a href="FreeBSD%3A14%3Apowerpc64">FreeBSD:14:powerpc64</a> (only quarterly is updated)
<li><a href="FreeBSD%3A14%3Apowerpc64le">FreeBSD:14:powerpc64le</a> (only quarterly is updated)
<li><a href="FreeBSD%3A15%3Aarmv7">FreeBSD:15:armv7</a>
<li><a href="FreeBSD%3A15%3Apowerpc">FreeBSD:15:powerpc</a>
<li><a href="FreeBSD%3A15%3Apowerpc64">FreeBSD:15:powerpc64</a>
<li><a href="FreeBSD%3A15%3Apowerpc64le">FreeBSD:15:powerpc64le</a>
</ul>
<p>Other mirrors:</p>
<ul>
<li><a href="http://pkg0.bbt.freebsd.org/">pkg0.bbt.freebsd.org</a>
<li><a href="http://pkg0.bra.freebsd.org/">pkg0.bra.freebsd.org</a>
<li><a href="http://pkg0.chi.freebsd.org/">pkg0.chi.freebsd.org</a>
<li><a href="http://pkg0.fmt.freebsd.org/">pkg0.fmt.freebsd.org</a>
<li><a href="http://pkg0.fra.freebsd.org/">pkg0.fra.freebsd.org</a>
<li><a href="http://pkg0.jinx.freebsd.org/">pkg0.jinx.freebsd.org</a>
<li><a href="http://pkg0.kul.freebsd.org/">pkg0.kul.freebsd.org</a>
<li><a href="http://pkg0.kwc.freebsd.org/">pkg0.kwc.freebsd.org</a>
<li><a href="http://pkg0.sjb.freebsd.org/">pkg0.sjb.freebsd.org</a>
<li><a href="http://pkg0.syd.freebsd.org/">pkg0.syd.freebsd.org</a>
<li><a href="http://pkg0.tuk.freebsd.org/">pkg0.tuk.freebsd.org</a>
<li><a href="http://pkg0.twn.freebsd.org/">pkg0.twn.freebsd.org</a>
</ul>
<p><a href="https://www.FreeBSD.org/">FreeBSD.org home</a></p>
</body></html>

And just to see that it can reach deeper:
Code:
[user@workstation ]$ wget http://172.18.100.133/FreeBSD:14:amd64/quarterly/data.txz
--2024-05-11 16:51:00--  http://172.18.100.133/FreeBSD:14:amd64/quarterly/data.txz
Connecting to 172.18.100.133:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7272160 (6.9M) [application/octet-stream]
Saving to: ‘data.txz’

data.txz                                           100%[================================================================================================================>]   6.93M  10.6MB/s    in 0.7s  

2024-05-11 16:51:01 (10.6 MB/s) - ‘data.txz’ saved [7272160/7272160]
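To see why the repo config in the post fails behind a proxy reached by IP, and what the mirror_type NONE change suggested later in the thread does to it, here is an added checker (my own code, not from the thread, pkg(8) or FreeBSD). It parses a single repo block with a simplified key/value regex rather than libucl, flags the pkg+ / srv combination, and rewrites the block for plain HTTP through the proxy; the repo block is a constructed copy of the one above.

```python
import re

# Constructed copy of the repo block from the post above (simplified parser, not libucl).
REPO_CONF = '''FreeBSD: {
  url: "pkg+http://172.18.100.133/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}'''

KV_RE = re.compile(r'^\s*(\w+)\s*:\s*"?([^",]*)"?\s*,?\s*$')

def parse_repo(text):
    """Return (repo name, {key: value}) for one repo block."""
    name = text.split(":", 1)[0].strip()
    body = text[text.index("{") + 1:text.rindex("}")]
    fields = {}
    for line in body.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return name, fields

def check_proxy_repo(fields):
    """Problems with reaching this repo through an HTTP proxy addressed by IP."""
    problems = []
    if fields.get("url", "").startswith("pkg+") or fields.get("mirror_type", "").lower() == "srv":
        # pkg+ implies SRV lookups, which a bare proxy IP cannot answer ("No SRV record found").
        problems.append("pkg+ scheme / mirror_type srv requires DNS SRV records")
    if fields.get("signature_type") != "fingerprints":
        # With a proxy in the path, the fingerprint check is what detects a tampered catalog.
        problems.append("signature_type is not fingerprints: catalog is not verified")
    return problems

def fix_for_proxy(fields):
    """The change recommended later in the thread: plain http:// and mirror_type NONE."""
    fixed = dict(fields)
    fixed["url"] = re.sub(r"^pkg\+", "", fixed["url"])
    fixed["mirror_type"] = "NONE"
    return fixed

def render(name, fields):
    lines = [f"{name}: {{"]
    for key, value in fields.items():
        quoted = value if value in ("yes", "no") else f'"{value}"'
        lines.append(f"  {key}: {quoted},")
    lines[-1] = lines[-1].rstrip(",")
    lines.append("}")
    return "\n".join(lines)
```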
 
Not really, just that I'm more familiar with reverse proxies and it does the job well enough.
 
So I'll post my config with forward proxy as that might be useful to other people too and I couldn't find a similar topic here on this forum.

The config file goes as follows:

Code:
ServerRoot "/usr/local"
Mutex default:/var/run/webproxy
PidFile /var/run/webproxy/apache.pid
ScoreBoardFile /var/run/webproxy/apache_runtime_status

LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule unixd_module libexec/apache24/mod_unixd.so

Listen 8080

ServerLimit 1000
MaxRequestWorkers 1000
MaxSpareServers 100

<Directory />
    AllowOverride none
    Require all denied
</Directory>

ErrorLog "/var/log/webproxy/error.log"
LogLevel warn
LogFormat "%{%Y-%m-%d %H:%M:%S}t %h %l %u \"%r\" %>s %b \"%{cache-status}e\" \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "/var/log/webproxy/access.log" combinedio

DocumentRoot "/usr/local/www/apache24/data"

<Directory "/usr/local/www/apache24/data">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

ProxyRequests On
EnableSendfile On
CacheDirLength 4
CacheMaxFileSize 1073741824
CacheRoot /var/cache/webproxy/
CacheEnable disk http://
CacheMaxExpire 604800

<Proxy "*">
  Require all denied
</Proxy>

<ProxyMatch "^http://[a-z0-9.-]+\.[fF][rR][eE][eE][bB][sS][dD]\.org/">
    Require all granted
    CacheMaxExpire 31536000
</ProxyMatch>

It needs a bunch of directories found in the config above, owned by the user running the proxy. It's started with a command like:
Code:
setuidgid proxy /usr/local/sbin/httpd -f /usr/local/etc/proxy.conf -k start

Then you may upgrade:
Code:
HTTP_PROXY=127.0.0.1:8080 pkg upgrade
HTTP_PROXY=127.0.0.1:8080 freebsd-update fetch

If the jails/VMs/servers behind the proxy do not have access to public DNS, then you run into this problem and you have to modify the config file to include mirror_type: "NONE".

And finally a few notes regarding caching:
  • It really does make a difference and I highly recommend it. The first server takes a while and all others just jump through the download phase.
  • I have never had problems with a sort-of infinite CacheMaxExpire 31536000, although it's going to work perfectly fine with a much lower value like 86400.
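To confirm the cache is actually doing the work described above, and to see which hosts the proxy refused (everything outside the ProxyMatch allow-list gets the 403 from the denied `<Proxy "*">`), here is an added parser (my own code, not from the thread) for the combinedio LogFormat in that config. The log lines are constructed samples, and the parser assumes mod_cache's cache-status text starts with "cache hit" on a hit; confirm that against your own access.log before relying on the ratio.

```python
import re
from collections import Counter

# Field layout of the "combinedio" LogFormat from the proxy config above:
# timestamp client ident user "request" status bytes "cache-status" "referer" "ua" in out
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<client>\S+) \S+ \S+ "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cache>[^"]*)" "[^"]*" "(?P<ua>[^"]*)" '
    r'(?P<rx>\d+) (?P<tx>\d+)$')

# Constructed sample lines (not real logs). A forward proxy logs the absolute URL in %r;
# the cache-status wording is assumed, and "-" means mod_cache set nothing (denied request).
SAMPLE_LOG = """\
2024-05-11 16:51:00 172.18.100.140 - - "GET http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/data.txz HTTP/1.1" 200 7272160 "cache miss: attempting entity save" "-" "pkg/1.21.3" 262 7272601
2024-05-11 16:52:10 172.18.100.141 - - "GET http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/data.txz HTTP/1.1" 200 7272160 "cache hit" "-" "pkg/1.21.3" 262 7272601
2024-05-11 16:52:11 172.18.100.141 - - "GET http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/meta.txz HTTP/1.1" 200 164 "cache hit" "-" "pkg/1.21.3" 262 612
2024-05-11 16:53:30 172.18.100.142 - - "GET http://example.invalid/ HTTP/1.1" 403 199 "-" "-" "curl/8.6.0" 88 401
"""

def summarize(log_text):
    """Per client: hits, misses, denied requests and bytes served from cache; plus denied hosts."""
    per_client = {}
    denied_hosts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line deserves a look, but must not abort the report
        c = per_client.setdefault(m["client"], Counter())
        if m["status"] == "403":
            c["denied"] += 1
            denied_hosts[m["url"].split("/")[2]] += 1  # host part of http://host/path
            continue
        if m["cache"].startswith("cache hit"):
            c["hit"] += 1
            c["cached_bytes"] += int(m["tx"])
        else:
            c["miss"] += 1
    return per_client, denied_hosts

def hit_ratio(per_client):
    """Share of proxied (non-denied) requests answered from the disk cache."""
    hits = sum(c["hit"] for c in per_client.values())
    total = hits + sum(c["miss"] for c in per_client.values())
    return hits / total if total else 0.0
```

Run it against a real access.log periodically: a client that keeps showing up under denied_hosts is either misconfigured or trying to reach something the proxy was never meant to allow.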
 