I have many Ubuntu 16.04 LTS workstations and SQUID-deb proxy server (squid-deb-proxy package on server) for them with squid-deb-proxy-client on clients.
The whitelist on SQUID-deb proxy server contains all necessary repositories for all software sources for my machines:
$ cat /etc/squid-deb-proxy/mirror-dstdomain.acl.d/20-ubuntu # /etc/squid-deb-proxy/mirror-dstdomain.acl.d/20-ubuntu
#
# network destinations that are allowed by this cache
# main ubuntu servers
archive.canonical.com
archive.ubuntu.com
ru.archive.ubuntu.com
ports.ubuntu.com
security.ubuntu.com
ddebs.ubuntu.com
mirrors.ubuntu.com
ports.ubuntu.com
old-releases.ubuntu.com
#official third party repositories
archive.canonical.com
extras.ubuntu.com
# changelogs
changelogs.ubuntu.com
# launchpad personal package archives (disabled by default)
ppa.launchpad.net
private-ppa.launchpad.net
# additional mirror domains
## Google - Chrome, Earth, etc.
dl.google.com
## Opera browser
deb.opera.com
## OpenSuse build service
download.opensuse.org
## UbuntuZilla
downloads.sourceforge.net
## VirtualBox
download.virtualbox.org
## R language
cloud.r-project.org
## Wine
dl.winehq.org
## Typora markdown editor
typora.io
## VLC
download.videolan.org
## Vivaldi browser
repo.vivaldi.com
## PlayOnLinux
deb.playonlinux.com
During last sudo apt update followed by sudo apt dist-upgrade I got strange output:
$ sudo apt update
Hit:1 https://dl.winehq.org/wine-builds/ubuntu xenial InRelease
Hit:2 https://typora.io/linux ./ InRelease
Hit:3 https://cloud.r-project.org/bin/linux/ubuntu xenial/ InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://dl.google.com/linux/chrome/deb stable Release
Hit:6 http://deb.opera.com/opera stable InRelease
Hit:7 http://ppa.launchpad.net/anonbeat/guayadeque/ubuntu xenial InRelease
Hit:8 http://archive.canonical.com/ubuntu xenial InRelease
Hit:9 http://download.virtualbox.org/virtualbox/debian xenial InRelease
Hit:11 http://ppa.launchpad.net/atareao/atareao/ubuntu xenial InRelease
Hit:12 http://ppa.launchpad.net/atareao/telegram/ubuntu xenial InRelease
Hit:14 http://ppa.launchpad.net/fransschreuder1/qucs/ubuntu xenial InRelease
Hit:15 http://ppa.launchpad.net/jonathonf/firefox-esr/ubuntu xenial InRelease
Hit:16 http://ppa.launchpad.net/libreoffice/libreoffice-6-0/ubuntu xenial InRelease
Hit:17 http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu xenial InRelease
Hit:13 https://netix.dl.sourceforge.net/project/ubuntuzilla/mozilla/apt all InRelease
Hit:18 http://ppa.launchpad.net/outwiker-team/ppa/ubuntu xenial InRelease
Hit:19 http://ppa.launchpad.net/pulb/mailnag/ubuntu xenial InRelease
Hit:20 http://ppa.launchpad.net/ubuntu-desktop/ubuntu-make/ubuntu xenial InRelease
Hit:21 http://ppa.launchpad.net/webupd8team/brackets/ubuntu xenial InRelease
Hit:22 http://ppa.launchpad.net/webupd8team/java/ubuntu xenial InRelease
Hit:23 http://ppa.launchpad.net/webupd8team/y-ppa-manager/ubuntu xenial InRelease
Hit:24 http://ppa.launchpad.net/yannubuntu/boot-repair/ubuntu xenial InRelease
Ign:25 http://download.opensuse.org/repositories/home:/Alexx2000/xUbuntu_16.04 InRelease
Hit:26 http://download.opensuse.org/repositories/home:/Alexx2000/xUbuntu_16.04 Release
Hit:27 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:28 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:30 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:31 http://archive.ubuntu.com/ubuntu xenial-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
92 packages can be upgraded. Run 'apt list --upgradable' to see them.
$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
cups cups-bsd cups-client cups-common cups-core-drivers cups-daemon cups-ppdc cups-server-common dbus dbus-x11 evince evince-common flashplugin-installer gir1.2-evince-3.0
google-chrome-stable intel-microcode libcups2 libcups2:i386 libcups2-dev libcupscgi1 libcupsimage2 libcupsimage2:i386 libcupsimage2-dev libcupsmime1 libcupsppdc1 libdbus-1-3
libdbus-1-3:i386 libdbus-1-dev libdw-dev libdw1 libelf-dev libelf1 libelf1:i386 libevdocument3-4 libevince-dev libevview3-3 libglib2.0-0 libglib2.0-0:i386 libglib2.0-0-dbg
libglib2.0-0-refdbg libglib2.0-bin libglib2.0-data libglib2.0-dev libglib2.0-doc libopenjp2-7 libsndfile1 libsndfile1:i386 libsqlite3-0 libsqlite3-0:i386 libsqlite3-dev linux-libc-dev
linux-libc-dev:i386 linux-source linux-source-4.4.0 linux-tools-common python-apt python-apt-common python-apt-dev python3-apt qemu qemu-block-extra qemu-kvm qemu-system qemu-system-arm
qemu-system-common qemu-system-mips qemu-system-misc qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-utils sqlite3 sudo telegram thunderbird
thunderbird-globalmenu thunderbird-gnome-support thunderbird-locale-en thunderbird-locale-en-gb thunderbird-locale-en-us thunderbird-locale-ru typora u-boot-tools vim vim-common
vim-runtime vim-tiny xul-ext-calendar-timezones xul-ext-gdata-provider xul-ext-lightning
92 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 864 kB/382 MB of archives.
After this operation, 46,6 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Err:1 http://archive.ubuntu.com/ubuntu xenial-security/main amd64 linux-libc-dev amd64 4.4.0-151.178
403 Forbidden
Err:1 http://archive.ubuntu.com/ubuntu xenial-security/main amd64 linux-libc-dev amd64 4.4.0-151.178
403 Forbidden
E: Failed to fetch http://d16r8ew072anqo.cloudfront.net/20190620/linux-libc-dev_4.4.0-151.178_amd64.deb 403 Forbidden
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
In the output above please note non Canonical/Ubuntu domain http://d16r8ew072anqo.cloudfront.net. It is not expected, I do not have it in my sources.list:
$ grep -ir cloudfront /etc/apt/
$
This is absolutely bad idea to use unpredictable domain name!
How users should guess which name will be used next time? Why should I trust CloudFront servers?
I do not plan to edit whitelists on each dynamic domain change!