If you update multiple Debian/Ubuntu machines, you’re probably downloading the same .deb files repeatedly.
That wastes bandwidth, slows patching windows, and makes offline-ish maintenance harder than it needs to be.
A better pattern is a local APT cache server with apt-cacher-ng:
- first machine downloads packages from upstream
- the cache keeps those package files locally
- next machines reuse cached packages over LAN
This post gives you a complete setup you can actually run.
Why this works (and where it doesn’t)
apt-cacher-ng acts like a proxy/cache for APT repositories.
- Package payloads over HTTP can be cached and reused.
- For HTTPS repos, a common approach is CONNECT pass-through. That keeps transport encrypted but generally does not cache HTTPS payloads in that mode.
So in real deployments, gains depend on your repo mix and transport path.
1) Install apt-cacher-ng on one Linux host
Choose a host reachable by your clients (for example 192.168.1.50).
sudo apt update
sudo apt install -y apt-cacher-ng
sudo systemctl enable --now apt-cacher-ng
sudo systemctl status --no-pager apt-cacher-ng
Default listen port is 3142.
If you run a firewall:
# UFW example
sudo ufw allow from 192.168.1.0/24 to any port 3142 proto tcp
Quick health check from another machine:
curl -I http://192.168.1.50:3142/
You should get an HTTP response (often 200 or 403 depending on endpoint/path).
2) Point Debian/Ubuntu clients at the cache
On each client, create /etc/apt/apt.conf.d/99proxy:
sudo tee /etc/apt/apt.conf.d/99proxy >/dev/null <<'EOF'
Acquire::http::Proxy "http://192.168.1.50:3142";
EOF
Then refresh:
sudo apt update
If you need to disable quickly on one host:
sudo rm -f /etc/apt/apt.conf.d/99proxy
sudo apt update
3) HTTPS repositories: choose your behavior explicitly
If your clients use HTTPS repository URLs, a widely used option is CONNECT pass-through on the cache host.
Edit /etc/apt-cacher-ng/acng.conf:
# Allow CONNECT passthrough to TLS port
PassThroughPattern: ^(.*):443$
Then reload:
sudo systemctl restart apt-cacher-ng
Important: with pass-through, HTTPS content is typically tunneled and not cached. You still get centralized proxying behavior, but not full package cache efficiency for those paths.
4) Validate cache effectiveness (don’t guess)
Run updates on two clients back-to-back and compare behavior.
Client A (cold run)
sudo apt clean
sudo apt update
sudo apt install -y curl jq
Client B (warm run)
sudo apt clean
sudo apt update
sudo apt install -y curl jq
Now inspect apt-cacher-ng stats on the cache host:
curl -s http://127.0.0.1:3142/acng-report.html | grep -Ei 'Hits|Misses|Data'
You should see hit/miss and transfer counters move after repeated installs.
5) Safe maintenance
Expire stale cache objects
apt-cacher-ng provides an admin/report endpoint for expiration tasks.
If cache growth is uncontrolled, run expiration from the report UI or scripted maintenance as documented upstream.
Basic service checks
sudo journalctl -u apt-cacher-ng -n 100 --no-pager
sudo systemctl is-active apt-cacher-ng
Keep the server itself patched
sudo apt update
sudo apt install --only-upgrade -y apt-cacher-ng
Operational notes that matter
- Put the cache on wired LAN if possible; Wi-Fi bottlenecks can erase gains.
- Keep proxy config explicit in
/etc/apt/apt.conf.d/so rollback is one file delete. - For laptops moving between trusted/untrusted networks, avoid blind auto-discovery unless you trust that network.
- Treat this as an optimization layer, not a trust bypass. APT signature verification still matters.
Conclusion
If you manage more than a couple of Debian/Ubuntu nodes, apt-cacher-ng is a low-complexity win:
- less repeated bandwidth
- faster repeated installs/updates
- better control over patch windows
Start with one cache host, two clients, and verify hit rates before rolling wider.
References
- Debian Wiki — AptCacherNg: https://wiki.debian.org/AptCacherNg
- Apt-Cacher NG User Manual (official): https://www.unix-ag.uni-kl.de/~bloch/acng/html/index.html
- apt.conf(5) Debian manpage: https://manpages.debian.org/bookworm/apt/apt.conf.5.en.html
Top comments (0)