How to force apt to use only HTTPS?
Posted by 任性 on 2020-05-09 13:33:04
Tags: apt, security, https, mirrors, apt-mirror

How to force apt to use only HTTPS?

This question aims to provide a comprehensive actionable answer to questions 1, 2, and 3, but is worded in a manner that better fits with the guidelines and rules of a stackexchange site.

燕晓彤 2020-05-09 13:33:05

To force apt to use only https and never http in any way, you need to do three things:

1. Make sure that your version of apt is capable of downloading packages via https
2. Make sure that all your sources are accessible via https
3. Make sure that apt cannot be transparently redirected to use http

Step 1: Get HTTPS support

Recent versions of apt should have https support built in, or have it installed and enabled by default. If that is not the case, install https support manually:

    sudo apt install apt-transport-https

Step 2: Check your sources

The next step is to scan the apt configuration for insecure sources. Open a terminal and run:

    grep -nrE '^[ \t]*deb[ \t]+' '/etc/apt'

This command should walk through all apt sources and print them together with their file name and line number. Go through these sources one by one and change each insecure source to its secure equivalent. In this context, a secure source is one that begins with "https://".

https://mirrors.kernel.org/ubuntu/ is known to work well as a drop-in replacement for http://[COUNTRY_CODE.]archive.ubuntu.com/ubuntu/ though it can be very slow. Your regional ubuntu mirror may support https, but this is not guaranteed and may not be reliable (if the dns points to mirrors from different providers). YMMV.

Step 3: Blacklist HTTP

Sadly, I haven't found a way to do this through apt's configuration alone. However, if you're willing to use ufw, the firewall that's preinstalled on all ubuntu desktops, it's possible to filter out apt's http requests while allowing secure requests to go through. This step is a precautionary measure to account for any mistakes in step 1 and 2, and to account for any configuration options I may have missed. This step does not consider proxies or nonstandard ports.

Note: ufw can be used to reject insecure connections from a single application (like apt) or can be used to reject insecure connections system-wide. What follows are instructions for setting up system-wide rejection because that's what I personally use on my system.

To reject insecure default http connections, add the following rule to ufw:

    sudo ufw deny out to any port 80

Then enable the firewall by running:

    sudo ufw enable

At this point, apt and every other program on the system will no longer be able to connect over an insecure connection.

If for some reason you find that you need to allow insecure connections, you can always disable the firewall or delete the rule:

    sudo ufw disable                          # Disables firewall
    sudo ufw delete deny out to any port 80   # Removes rule

Cheers!
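A script that automates the source scan from step 2, added here as an example and not part of the answer above. It goes a little beyond the single grep in the answer by also catching deb-src lines, leading whitespace, and lines with an [options] block, and it reports only the entries whose URI scheme is plain http://. It assumes GNU grep and takes the directory to scan as an argument (on a real system that is /etc/apt); the sample configuration it scans is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the original answer): scan an apt configuration
# directory for "deb"/"deb-src" source lines that still use plain http://
# and report them as file:line:content. Assumes GNU grep (-E, -r, -n,
# --include). The directory argument is an assumption; real systems use /etc/apt.

find_insecure_sources() {
    dir="$1"
    # Match deb / deb-src lines, with an optional [options] block
    # (e.g. [arch=amd64 signed-by=...]), whose URI scheme is http://.
    # "https://" does not match because the scheme must be followed by "://".
    # --include limits the scan to sources.list and sources.list.d/*.list.
    grep -nrE --include='*.list' \
        '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' \
        "$dir" || true
}

# Number of insecure lines, so the result can be checked programmatically.
count_insecure_sources() {
    find_insecure_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (not a real system's /etc/apt).
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/sources.list.d"
cat > "$demo_dir/sources.list" <<'EOF'
# comment line mentioning http://example.invalid should be ignored
deb http://archive.ubuntu.com/ubuntu focal main
deb https://mirrors.kernel.org/ubuntu/ focal main
   deb-src http://archive.ubuntu.com/ubuntu focal main
deb [arch=amd64 signed-by=/usr/share/keyrings/k.gpg] http://ppa.example.invalid/ubuntu focal main
EOF
cat > "$demo_dir/sources.list.d/extra.list" <<'EOF'
deb https://deb.example.invalid/ stable main
deb-src http://deb.example.invalid/ stable main
EOF

find_insecure_sources "$demo_dir"
# Expected: 4 insecure lines (3 in sources.list, 1 in extra.list).
```

The scan covers only the one-line list format; it does not parse the DEB822 *.sources files that newer releases use, whose URIs live in a separate "URIs:" field.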