On 2017-12-28 01:07, Unman wrote:
> On Thu, Dec 21, 2017 at 10:57:26PM -0800, pr0xy wrote:
>> On 2017-12-19 15:33, Unman wrote:
>> > On Tue, Dec 19, 2017 at 03:09:05PM +0100, 'Tom Zander' via qubes-users 
>> > wrote:
>> >> On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
>> >> > I am still a bit stuck concerning the Qubes Update Proxy. Where would I
>> >> > set the environment variables for my corporate proxy so that I could
>> >> > update dom0, templates and VMs?
>> >>
>> >> You should add sys-net to your template VM if you want that since the proxy
>> >> that is in place today is to avoid your template VM from accessing the
>> >> intranet or internet outside of your own machine.
>> >>
>> >> Then Google where the template operating system (Fedora or Debian etc.)
>> >> sets proxies for doing the command-line update; the configuration is the same
>> >> as Fedora or Debian etc.
>> >> I don’t know Fedora at all,
>> >> in Arch Linux you’ll have a file in /etc/pacman/ which sets the current proxy,
>> >> in Debian you’ll likely have one in /etc/apt/
>> >>
>> >> grep -R -i  PROXY /etc/*
>> >>
>> >> may be useful too.
>> >
>> > Tom
>> >
>> > I've suggested before that if you give this advice you should
>> > clearly state the consequences.
>> >
>> > OP - please don't do this. sys-net will not enforce a firewall and it is
>> > bad practice to expose your templates in this way.
>> >
>> > I understand you chose not to use the iptables route.
>> > If you want to combine the Qubes proxy with an external proxy on
>> > your network you should be able to do this by editing the tinyproxy.conf
>> > file. You will find this in /etc/tinyproxy.
>> >
>> > Qubes uses tinyproxy for all the template updates. You can make
>> > tinyproxy use an external proxy.
>> > The change you need to make is:
>> > upstream  host:port
>> >
>> > check the documentation at
>> > https://tinyproxy.github.io
>> >
>> > unman
>>
>> I did try the iptables method you suggested, but like Marek said, the
>> applications weren't aware of the proxy and didn't use it. I would just
>> get failed connections without setting the proxy in each piece of
>> software in each AppVM. The environment variable setting seemed to work
>> better in the AppVMs.
>>
>> I tested setting the upstream  host:port in the tinyproxy.conf of
>> sys-firewall. That didn't seem to work as I couldn't get Template
>> updates to connect to look for updates. I also tested setting this same
>> method on sys-net, but with the same results.
>>
>> I also asked around on IRC about this, and was told that the Qubes
>> Update Proxy could be adjusted from here:
>>
>> /etc/systemd/system/multi-user.target.wants/qubes-updates-proxy.service
>>
>> Wasn't sure how I could manipulate the proxy from there, but it does
>> point to tinyproxy at /etc/tinyproxy/tinyproxy-updates.conf
>> I tried adding the upstream  host:port to that file on sys-firewall, but
>> the template updates still give me an "Error: Failed to synchronize
>> cache for repo 'updates'" The result was the same attempting the same
>> setting on sys-net.
>>
>>
> 
> It's very difficult to troubleshoot this without knowing more about what
> is happening at the proxy, and in the Qubes networking.
> 
> Those iptables rules work with squid as a transparent proxy without any
> client configuration. But they don't work for you. Please make sure that
> you therefore remove any trace of them from your system.
> 
> As setting the proxy in tinyproxy didn't work for you either, make sure
> you remove those entries too.
> 
> I suspect the best thing to try is to edit the Qubes proxy config
> file in the template. In a Debian template it's in /etc/apt/apt.conf.d and
> in Fedora /etc/yum.conf.d or /etc/dnf/dnf.conf
> (Sorry to be vague but I don't have a Qubes box to hand.)
> 
> 
> Edit the file so that it points to your corporate proxy instead of the
> 10.137.255.254 host.
> Then make sure that you add the corporate proxy IP and port to allowed
> in the template firewall.
> You should be able to use just the HTTPS proxy port for both HTTP and
> HTTPS traffic from the template.
> 
> good luck
> 
> unman

Thanks for following up on this Unman. I really appreciate it.

SUCCESS!

Changing the /etc/apt/apt.conf.d in Debian and the /etc/dnf/dnf.conf in
Fedora, AND allowing the proxy IP on the firewall of EACH TemplateVM
finally allows me to update them via the sys-firewall. That's a huge
speed improvement over sys-whonix.

Now I'm wondering if my failure to set firewall rules was the reason I
couldn't use your earlier iptables examples. I might revisit that, but
for now this solution allows me to use Qubes somewhat normally behind
this corporate proxy.

https://groups.google.com/d/msgid/qubes-users/115a577f709e5f0f28ae62cbe144512a%40riseup.net.
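The working recipe from this thread (point the template's apt/dnf proxy setting at the corporate proxy instead of the Qubes update proxy on 10.137.255.254, then allow only that proxy in the template's firewall) as a script. This is an added example, not code from the thread or from the Qubes project. The proxy address proxy.corp.example:3128, the apt fragment name 99corp-proxy, the template name fedora-26 and the Qubes 4.x positional qvm-firewall syntax are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes project.
# Point a TemplateVM's package manager at a corporate proxy instead of the
# Qubes update proxy (the 10.137.255.254 host in the thread), and print the
# dom0 firewall command that lets the template reach only that proxy.
#
# Assumptions (placeholders, not from the thread): the proxy address, the
# apt fragment name 99corp-proxy, and the Qubes 4.x qvm-firewall syntax.
PROXY_HOST="proxy.corp.example"
PROXY_PORT="3128"
PROXY_URL="http://${PROXY_HOST}:${PROXY_PORT}/"

# Debian template: apt reads every file in apt.conf.d, so a fragment with a
# high number overrides the Qubes-supplied proxy setting.  HTTP and HTTPS both
# go through the same HTTP proxy port (HTTPS is tunnelled with CONNECT), as
# Unman suggests.  $1 is a root directory so the function can be exercised on
# a scratch tree; in the template itself pass "/".
write_apt_proxy() {
  root="$1"
  mkdir -p "$root/etc/apt/apt.conf.d"
  cat > "$root/etc/apt/apt.conf.d/99corp-proxy" <<EOF
Acquire::http::Proxy "${PROXY_URL}";
Acquire::https::Proxy "${PROXY_URL}";
EOF
}

# Fedora template: dnf takes a single proxy= line in [main] of dnf.conf.
# Replace an existing line (e.g. one pointing at 10.137.255.254) in place
# rather than appending a second one; other settings are left untouched.
write_dnf_proxy() {
  root="$1"
  conf="$root/etc/dnf/dnf.conf"
  mkdir -p "$root/etc/dnf"
  [ -f "$conf" ] || printf '[main]\n' > "$conf"
  if grep -q '^proxy=' "$conf"; then
    sed "s|^proxy=.*|proxy=${PROXY_URL}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  else
    printf 'proxy=%s\n' "$PROXY_URL" >> "$conf"
  fi
}

# dom0 side: the template firewall must allow the proxy and nothing else, so
# the template still cannot browse the corporate network or the internet.
# $1 is the template name.  Run the printed command in dom0 (Qubes 4.x
# syntax assumed; use Qube Settings > Firewall rules if yours differs).
firewall_rule() {
  printf 'qvm-firewall %s add accept %s tcp %s\n' "$1" "$PROXY_HOST" "$PROXY_PORT"
}

# Typical use inside the template (as root), then the dom0 command:
#   write_apt_proxy /        # Debian template
#   write_dnf_proxy /        # Fedora template
#   firewall_rule fedora-26  # print the rule for dom0 (template name assumed)
```

The firewall rule is what made the difference for pr0xy: with the package manager pointed at the corporate proxy but the template firewall still restricted to the Qubes update proxy, every repo sync fails with the "Failed to synchronize cache" error quoted above.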