Getting your Raspberry Pi to update through your school firewall

I have seen many posts on both Twitter and CAS about teachers having issues getting their class Raspberry Pis to update and install software through their school firewalls, so I thought I would share the simple solution that I have implemented at my school.

It actually leverages something that I put in place for our Ubuntu Linux servers, but works just as well for Raspberry Pi devices too.

Now if your school network is similar to mine it will make use of a proxy server for Internet access which will probably also require some form of authentication which is more than likely to be tied into the school’s Internet filtering.

The Raspberry Pi (running the Raspbian OS) is in essence a stripped down version of Debian Linux; as is Ubuntu. Now all derivatives of Debian have this in common; they use apt (or aptitude) to install, update and manage their installed software packages. It is possible to configure apt-get in Debian to make use of an authenticating proxy server to access the Internet; but I have never been successful in doing so.

As I began to bring up more Ubuntu Linux servers at school, I became less happy about allowing all of these servers to have direct outgoing access to the Internet (ports 80 and 443) through the firewall, so began to look for other alternatives.

At my previous school we had bought up a Ubuntu Server which acted as a local apt repository of all the packages we wanted access to on our local servers. Now this was an option to me again; but it is one which takes a considerable amount of local storage as you have to store all the packages on your local apt repository. The second option is to set up an apt cache server. This sits between your local servers and the Internet and intercepts the apt requests and proxies them through itself, storing a cached version of the package to serve to the next server which requests it.

The are two apt caching servers available to you: Apt-Cacher and Apt-Cacher NG. The main difference between the two is that Apt-Cacher NG handles apt repositories from multiple distributions without any additional configuration; Apt-Cacher does not.

So what are the benefits of installing this server? It will mean that your firewall need only allow one server (the caching server) direct access to the Internet. All other servers can access the apt repositories via the local network!

I shall not go into great detail about installing Apt-Cacher NG as it “just works”, however here are some very basic steps to configure it. For more detail visit the very good documentation.

  1. Install a Ubuntu server (it doesn’t need much RAM – 1 Gb will do. Our production server only has a 50 Gb HDD and is only using 25% of that)
  2. Assign your new server a static IP address and internal DNS address etc.
  3. Have an exception put in your firewall to allow this IP address access to port 80 and 443 and set your proxy server to ignore any traffic from this IP address too
  4. Update your Ubuntu server and reboot:
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo reboot now
  5. Now installapt-Cacher NG by typing:
    sudo apt-get install apt-cacher-ng

There you now have an Apt-Cacher server installed; easy wasn’t it!

You do now need to configure your clients however. According to the documentation you have two options; add an environment variable to apt on the client or edit each apt sources file to direct it through the caching server. I went for option two as it makes things more transparent to the user (student) how things are configured.

On the Raspberry Pi (Raspbian image) there are three files you will need to edit:

/etc/apt/sources.list
/etc/apt/sources.list.d/collbora.list
/etc/apt/sources.list.d/raspi.list

Open each one as the root user with your favourite text editor (I use Nano). For example:

sudo nano /etc/apt/sources.list

In each file you will find a line similar to this:

deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi

Edit the URL so that it now has your caching server’s IP address and the port 3142 in front of the address. So if your caching server had the IP address 192.168.0.25 your edited sources.list file would now look like this:

deb http://192.168.0.25:3142/mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi

Save the file and do the same for all files inside the sources.list.d directory too.

Now update your Raspberry Pi by typing:

sudo apt-get update
sudo apt-get dist-upgrade

You have just updated your Raspberry Pi through your new caching server without the need to bypass the school’s firewall!

I made these changes and then made various other tweaks (local NTP server etc.) and produced our image for the SD cards for all our Raspberry Pis.

Happy hacking!

2 thoughts on “Getting your Raspberry Pi to update through your school firewall

Leave a Reply

Your email address will not be published. Required fields are marked *