On 2017-12-08 08:16, pr0xy wrote:
> On 2017-12-03 01:07, Marek Marczykowski-Górecki wrote:
>> On Fri, Dec 01, 2017 at 02:46:55AM -0800, pr0xy wrote:
>>> On 2017-12-01 10:30, awokd wrote:
>>> > On Thu, November 30, 2017 22:36, pr0xy wrote:
>>> >
>>> >> Specifically I need to pass HTTP, HTTPS and FTP through
>>> >> the corporate proxies. I modified your example to this:
>>> >>
>>> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80:443 -j DNAT --to proxy.example.com:8080
>>> >> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 21 -j DNAT --to proxy.example.com:10021
>>> >>
>>> >> I placed that in the /rw/config/rc.local of sys-net and made it
>>> >> executable. Rebooting the machine shows that it's persistent, and they
>>> >> show up in the PREROUTING section when I check
>>> >> iptables --table nat --list
>>> >>
>>> >> Problem is that AppVMs connected to the sys-firewall > sys-net don't
>>> >> seem to take advantage of those settings. For example, I can't use
>>> >> Firefox to connect to internet sites without manually setting the proxy
>>> >> in the browser. Likewise, TemplateVMs with the same routing can't
>>> >> update.
>>> >
>>> > Might depend on how that corporate proxy is configured. For example, if it
>>> > requires authentication. How friendly/Linux-savvy are the people who admin
>>> > it?
>>>
>>> I'm the first person to run anything non-Windows in this network, so
>>> this is new territory. It's a Squid 3.3.8 proxy for HTTP and HTTPS. The
>>> FTP proxy is something else. There are no usernames or passwords
>>> required for the proxy.
>>>
>>> They gave me all the settings and told me to work it out if I want to
>>> use Qubes, so that's what I'm trying to do...
>>>
>>> >> Should I instead be making these iptables settings in a ProxyVM, and
>>> >> connect like: AppVM/StandaloneVM/TemplateVM > ProxyVM > sys-firewall >
>>> >> sys-net?
>>> >
>>> > This would be my approach for flexibility but either should work.
>>>
>>> All the documentation I'm seeing makes me think it should work as well.
>>>
>>> I'm not looking into the option of setting environment variables on each
>>> template to see if that might work. So far the only other option that
>>> has worked is to manually set the proxy in each piece of software, in
>>> each AppVM.
>>
>> The above iptables example will not work in most cases - an HTTP direct
>> connection and an HTTP proxy connection have some differences. The client
>> application must be aware that an HTTP proxy is being used.
>>
>> There are two options:
>> 1. Set up a ProxyVM with some application that will intercept all the
>> connections and wrap them into an HTTP proxy connection. Tor can do that,
>> but as a side effect you'll get all your traffic through Tor. You can
>> also set up some HTTP proxy in transparent mode (at least Squid supports
>> that).
>>
>> 2. Configure each application, in each VM to use HTTP proxy.
>> This may sound laborious, but in fact it is not: you can
>> set http_proxy and https_proxy variables in your template(s) and all VMs
>> based on it automatically will pick it up. Just create
>> /etc/profile.d/proxy.sh and export appropriate variables from there.
>>
>> - --
>> Best Regards,
>> Marek Marczykowski-Górecki
>> Invisible Things Lab
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
> 
> Thanks, Marek!
> 
> I may try a transparent proxy in a VM at some point, but for now I went
> with your second suggestion and added this to /etc/profile.d/proxy.sh in
> Fedora and /etc/environment in Debian templates:
> 
> export http_proxy=http://proxy.example.com:8080
> export https_proxy=http://proxy.example.com:8080
> export ftp_proxy=http://proxy.example.com:10021
> 
> It seems to work for most browsers and other apps that need a web
> connection. No need to set the HTTP proxy in all my apps. That's a time
> saver.
> 
> ===============
> 
> How can I set this for the Qubes Updates Proxy?
> System > Global settings > UpdateVM
> 
> I've tried adding these proxy rules to Fedora and basing my sys-firewall
> and sys-net on that. Updating templates "Fail to synchronize cache for
> repo 'updates'" when I try setting the UpdateVM and TemplateVM to
> anything but sys-whonix.

I am still a bit stuck concerning the Qubes Update Proxy. Where would I
set the environment variables for my corporate proxy so that I could
update dom0, templates and VMs?

I see some documentation mentioning the updates proxy here:
https://www.qubes-os.org/doc/software-update-vm/
I have read the section about "Updates proxy" several times, but I am
not sure what I would change. 
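
Marek's point quoted above, that a direct HTTP connection and an HTTP proxy connection differ, is why the DNAT rules fail. The following is an added example, not part of the original thread: it builds the first bytes a client sends in each case and checks them against a simplified model of what a forward (non-transparent) proxy port expects. `example.org` and the TLS prefix are constructed samples.

```python
# Added illustration; URLs and the TLS prefix below are constructed samples.
from urllib.parse import urlsplit

def first_bytes(url, via_proxy):
    """First bytes a client sends for `url`, directly or to a forward proxy."""
    u = urlsplit(url)
    tls = u.scheme == "https"
    port = u.port or (443 if tls else 80)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    if tls and not via_proxy:
        # Direct HTTPS opens with a TLS handshake record, not HTTP text.
        return b"\x16\x03\x01"
    if tls:
        # Proxied HTTPS first asks the proxy for a tunnel to host:port.
        authority = f"{u.hostname}:{port}"
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    host = u.hostname if port == 80 else f"{u.hostname}:{port}"
    # Direct HTTP uses origin-form (/path); proxied HTTP uses absolute-form.
    target = f"http://{host}{path}" if via_proxy else path
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def classify(data):
    """Name the kind of request a listener sees at the start of a connection."""
    if data[:1] == b"\x16":
        return "tls-handshake"
    parts = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        return "unknown"
    method, target, _version = parts
    if method == "CONNECT":
        return "connect"
    if target.startswith(("http://", "https://")):
        return "absolute-form"
    return "origin-form" if target.startswith("/") else "unknown"

def forward_proxy_accepts(data):
    """Simplified model: a forward proxy port expects proxy-style requests."""
    return classify(data) in ("absolute-form", "connect")

if __name__ == "__main__":
    for url in ("http://example.org/index.html", "https://example.org/"):
        for via_proxy in (False, True):
            data = first_bytes(url, via_proxy)
            print(url, "proxy-aware" if via_proxy else "DNAT-redirected",
                  classify(data), forward_proxy_accepts(data))
```

Traffic redirected by DNAT arrives at the proxy as `origin-form` or `tls-handshake`, while a client that honours `http_proxy`/`https_proxy` sends `absolute-form` or `CONNECT`.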
 
