On 2017-12-03 01:07, Marek Marczykowski-Górecki wrote:
> On Fri, Dec 01, 2017 at 02:46:55AM -0800, pr0xy wrote:
>> On 2017-12-01 10:30, awokd wrote:
>> > On Thu, November 30, 2017 22:36, pr0xy wrote:
>> >
>> >> Specifically I need to pass HTTP, HTTPS and FTP through
>> >> the corporate proxies. I modified your example to this:
>> >>
>> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80:443 -j DNAT --to
>> >> proxy.example.com:8080
>> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 21 -j DNAT --to
>> >> proxy.example.com:10021
>> >>
>> >> I placed that in the /rw/config/rc.local of sys-net and made it
>> >> executable. Rebooting the machine shows that it's persistent, and they
>> >> show up in the PREROUTING section when I check
>> >> iptables --table nat --list
>> >>
>> >> Problem is that AppVMs connected to the sys-firewall > sys-net don't
>> >> seem to take advantage of those settings. For example, I can't use
>> >> Firefox to connect to internet sites without manually setting the proxy
>> >> in the browser. Likewise, TemplateVMs with the same routing can't
>> >> update.
>> >
>> > Might depend on how that corporate proxy is configured. For example, if it
>> > requires authentication. How friendly/linux savvy are the people who admin
>> > it?
>>
>> I'm the first person to run anything non-Windows in this network, so
>> this is new territory. It's a Squid 3.3.8 proxy for HTTP and HTTPS. The
>> FTP proxy is something else. There are no usernames or passwords
>> required for the proxy.
>>
>> They gave me all the settings and told me to work it out if I want to
>> use Qubes, so that's what I'm trying to do...
>>
>> >> Should I instead be making these iptables settings in a ProxyVM, and
>> >> connect like: AppVM/StandaloneVM/TemplateVM > ProxyVM > sys-firewall >
>> >> sys-net?
>> >
>> > This would be my approach for flexibility but either should work.
>> All the documentation I'm seeing makes me think it should work as well.
>> I'm not looking into the option of setting environment variables on each
>> template to see if that might work. So far the only other option that
>> has worked is to manually set the proxy in each piece of software, in
>> each AppVM.
>
> The above iptables example will not work in most cases - HTTP direct
> connection and HTTP proxy connection have some differences. The client
> application must be aware that an http proxy is being used.
>
> There are two options:
> 1. Set up a ProxyVM with some application that will intercept all the
> connections and wrap them into HTTP proxy connections. Tor can do that,
> but as a side effect you'll get all your traffic through tor. You can
> also set up some HTTP proxy in transparent mode (at least squid supports
> that).
>
> 2. Configure each application, in each VM, to use the HTTP proxy.
> This may sound laborious, but in fact it is not: you can
> set http_proxy and https_proxy variables in your template(s) and all VMs
> based on it will automatically pick them up. Just create
> /etc/profile.d/proxy.sh and export the appropriate variables from there.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
Thanks Marek! I may try a transparent proxy in a VM at some point, but for
now I went with your second suggestion and added this to
/etc/profile.d/proxy.sh in Fedora and /etc/environment in Debian templates:

export http_proxy=http://proxy.example.com:8080
export https_proxy=http://proxy.example.com:8080
export ftp_proxy=http://proxy.example.com:10021

It seems to work for most browsers and other apps that need a web
connection. No need to set the HTTP proxy in all my apps. That's a time
saver.

===============

How can I set this for the Qubes Updates Proxy? System > Global settings >
UpdateVM

I've tried adding these proxy rules to Fedora and basing my sys-firewall and
sys-net on that. Updating templates fails with "Fail to synchronize cache
for repo 'updates'" when I try setting the UpdateVM and TemplateVM to
anything but sys-whonix.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f7f1c761c58915271d959682b790691%40riseup.net.
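To make Marek's point concrete (a DNATed direct connection and a proxy-aware connection put different bytes on the wire, which is why the iptables approach failed and the http_proxy variables worked), here is an added Python illustration that is not from the thread; proxy.example.com:8080 is the thread's own placeholder, and the TLS bytes are constructed.

```python
# Added illustration: what a proxy port receives from a proxy-unaware client
# (after iptables DNAT) versus from a proxy-aware client (http_proxy set).
# Constructed example, not code from the thread.
from urllib.parse import urlsplit


def direct_request(url: str) -> bytes:
    """Bytes a proxy-unaware client sends to the origin server. After
    iptables DNAT these arrive at the proxy port unchanged."""
    u = urlsplit(url)
    if u.scheme == "https":
        # HTTPS starts with a TLS handshake, not an HTTP request line, so a
        # plain HTTP proxy port has nothing to parse. (Constructed: first
        # bytes of a TLS handshake record.)
        return b"\x16\x03\x01\x00\x00"
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    # origin-form target: a forward proxy expects an absolute URI here and
    # only rebuilds it from the Host header in transparent/intercept mode.
    return f"GET {path} HTTP/1.1\r\nHost: {u.hostname}\r\n\r\n".encode()


def proxied_request(url: str) -> bytes:
    """Bytes a proxy-aware client (http_proxy/https_proxy set) sends."""
    u = urlsplit(url)
    if u.scheme == "https":
        port = u.port or 443
        # TLS is tunnelled: the client asks the proxy for a raw TCP tunnel.
        return (f"CONNECT {u.hostname}:{port} HTTP/1.1\r\n"
                f"Host: {u.hostname}:{port}\r\n\r\n").encode()
    # absolute-form target: scheme and host travel in the request line.
    return f"GET {url} HTTP/1.1\r\nHost: {u.hostname}\r\n\r\n".encode()


def proxy_classify(raw: bytes) -> str:
    """What a forward proxy in its default (non-transparent) mode sees."""
    if raw[:1] == b"\x16":
        return "tls-record"          # not HTTP at all
    request_line = raw.split(b"\r\n", 1)[0].decode()
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        return "tunnel"
    if target.startswith(("http://", "ftp://")):
        return "forward"             # ftp_proxy=http://... uses this form too
    return "origin-form"             # needs intercept mode, otherwise fails
```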