
How do I force apt to use HTTPS only?

This question aims to provide a comprehensive actionable answer to questions 1, 2, and 3, but is worded in a manner that better fits with the guidelines and rules of a stackexchange site.

notte

2 Answers


To force apt to exclusively use https and not use http in any way, you need to do three things:

  1. Make sure that your version of apt is capable of downloading packages via https
  2. Make sure that all your sources are accessible via https
  3. Make sure that apt cannot be transparently redirected to use http

Step 1: Enable HTTPS Support

Recent versions of apt should have https support built in, or installed and enabled by default. If it somehow isn't, install https support manually:

sudo apt install apt-transport-https

Step 2: Check your Sources

The next step is to scan apt configuration for insecure sources. Open a terminal and run:

grep -nrE '^[ \t]*deb(-src)?[ \t]+' '/etc/apt'   # lists deb and deb-src lines with file name and line number

This command should go through all your apt sources and print them along with filenames and line numbers. Go through these sources one by one, replacing each insecure source with a secure equivalent. A secure source in this context would start with "https://".

https://mirrors.kernel.org/ubuntu/ is known to work well as a drop-in replacement for http://[COUNTRY_CODE.]archive.ubuntu.com/ubuntu/ though it can be slow at times. Your regional ubuntu mirror may support https alongside plain http, but this is not guaranteed and may not be reliable (the domain can be changed to point to mirrors that don't support https). YMMV.

Step 3: Blacklist HTTP

Sadly, I haven't found a way to do this through apt's configuration alone. However, if you're willing to use ufw, the firewall that's preinstalled on all ubuntu desktops, it's possible to filter out apt's http requests while allowing secure requests to go through. This step is a precautionary measure to account for any mistakes in step 1 and 2, and to account for any configuration options I may have missed. This step does not consider proxies or nonstandard ports.

Note: ufw can be used to reject insecure connections from a single application (like apt) or can be used to reject insecure connections system-wide. What follows are instructions for setting up system-wide rejection because that's what I personally use on my system.

To reject insecure default http connections, add the following rule to ufw:

sudo ufw deny out to any port 80

Then enable the firewall by running:

sudo ufw enable

At this point, apt, and every other program on your system, should not be able to connect via insecure connections anymore.

If you find the need to allow insecure connections for some reason, you can always disable the firewall or delete the rule.

sudo ufw disable                            # Disables firewall
sudo ufw delete deny out to any port 80     # Removes rule

Cheers!

notte


Head_on_a_Stick wrote this to change http to https:

sudo sed -i 's|http:|https:|' /etc/apt/sources.list
sudo sed -i 's|http:|https:|' /etc/apt/sources.list.d/*.list
sudo apt update
Johan