Linux

Apt socks5h proxy settings fail when specified on the command line

Apt supports HTTP, HTTPS and SOCKS5H (SOCKS5 with remote DNS resolution) proxies, according to both the source code and the man page, but when specifying the proxy values on the command line, apt reports that the proxy is unsupported:

root@host:~# apt -o 'Acquire::https::proxy="socks5h://127.0.0.1:1080"' -o 'Acquire::http::proxy="socks5h://127.0.0.1:1080"' update
Ign:1 http://apt.postgresql.org/pub/repos/apt buster-pgdg InRelease
Ign:2 https://download.docker.com/linux/debian buster InRelease
Ign:3 https://apt.kubernetes.io kubernetes-xenial InRelease
Ign:4 http://repository.veeam.com/backup/linux/agent/dpkg/debian/public stable InRelease
Err:5 http://apt.postgresql.org/pub/repos/apt buster-pgdg Release
  Unsupported proxy configured: "socks5h://127.0.0.1:1080
Err:6 http://repository.veeam.com/backup/linux/agent/dpkg/debian/public stable Release
  Unsupported proxy configured: "socks5h://127.0.0.1:1080
Err:7 https://download.docker.com/linux/debian buster Release
  Unsupported proxy configured: "socks5h://127.0.0.1:1080
Err:8 https://apt.kubernetes.io kubernetes-xenial Release
  Unsupported proxy configured: "socks5h://127.0.0.1:1080
...

Oddly enough, adding these same values to the config file:

root@host:~# cat /etc/apt/apt.conf.d/50proxy.conf
Acquire::https::proxy "socks5h://127.0.0.1:1080";
Acquire::http::proxy "socks5h://127.0.0.1:1080";

…results in a successful apt fetch:

root@host:~# apt update
Hit:1 ftp://mirror.ac.za/debian/debian buster InRelease
Hit:2 ftp://mirror.ac.za/debian/debian buster-backports InRelease
Hit:3 ftp://mirror.ac.za/debian/debian buster-proposed-updates InRelease
Hit:4 http://repository.veeam.com/backup/linux/agent/dpkg/debian/public stable InRelease
Hit:5 https://download.docker.com/linux/debian buster InRelease
Hit:7 http://apt.postgresql.org/pub/repos/apt buster-pgdg InRelease
Get:6 https://packages.cloud.google.com/apt kubernetes-xenial InRelease [9,383 B]
Get:8 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages [56.5 kB]
Fetched 65.9 kB in 5s (14.2 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
18 packages can be upgraded. Run 'apt list --upgradable' to see them.
...

Why there’s a difference between the two isn’t clear to me, since setting the option on the command line clearly reaches the appropriate code path, but it reports that the proxy is valid. The source code that checks the prefixes seems the same either way, and it simply checks for socks5h as a prefix, and then tries http and https, before displaying the “Unsupported proxy configured” message.

Oddly, this quirk doesn’t seem to be known online.