On Mon, January 15, 2018 2:15 am, pr0xy wrote:
> The company is using a Squid transparent proxy for HTTP/HTTPS and
> another proxy for FTP (which I haven't completely figured out yet). The
> proxies are:
>
> HTTP PROXY http://proxy.example.com:8080
> HTTPS PROXY http://proxy.example.com:8080
> FTP PROXY http://proxy.example.com:10021
>
>
> Step 1: Whonix
>
> Set the torrc so that Whonix can connect thru the proxy. Go to
> sys-whonix | Tor User Config and edit the torrc file to add these lines:
>
> DisableNetwork 0
> HTTPproxy 10.0.0.1:8080
> HTTPSproxy 10.0.0.1:8080
> FascistFirewall 1
>
> It's important here to use the IP address instead of the proxy name.
> I've confirmed this on the Whonix forums.
>
>
> Step 2: Set TemplateVM apps to use proxy
>
> As Marek stated above, you can set http_proxy and https_proxy variables
> in your template(s) and all app VMs based on them automatically will pick
> it up. Just create /etc/profile.d/proxy.sh and export appropriate
> variables from there.
>
> I added the following to /etc/profile.d/proxy.sh in Fedora and
> /etc/environment in Debian templates:
>
> export http_proxy=http://proxy.example.com:8080
> export https_proxy=http://proxy.example.com:8080
> export ftp_proxy=http://proxy.example.com:10021
> export HTTP_PROXY=http://proxy.example.com:8080
> export HTTPS_PROXY=http://proxy.example.com:8080
> export FTP_PROXY=http://proxy.example.com:10021
>
> Here I used the fully qualified domain names instead of the proxy IP.
>
>
> Step 3: Allow Qubes TemplateVMs to update via sys-firewall
>
> Don't do this on the Whonix templates. They update thru sys-whonix.
>
> Add the following to the bottom of /etc/apt/apt.conf.d in Debian, and
> /etc/dnf/dnf.conf in Fedora after ### QUBES END ###:
>
> (ex.)
> [user@fedora-26 ~]$ sudo gedit /etc/dnf/dnf.conf
> .
> .
> ### QUBES END ###
> proxy=http://10.0.0.1:8080
>
> Again, here I had to use the IP of the proxy. I tested with the fully
> qualified name, and it didn't work.
>
> Finally, allow the proxy IP on the firewall of EACH TemplateVM
> From the Qubes Manager (R3.2) | Firewall rules
> Address 10.0.0.1
> Protocol "Any"
>
> That's working for me. I will try further experimentation with IPtables
> and a ProxyVM, as those seem like better solutions. However, in the
> meantime I have a working Qubes system and can actually do some work with
> it instead of messing around with settings...for now.

I'm attempting to convert the above into a Qubes doc
(https://github.com/awokd/qubes-doc/blob/transproxy/configuration/transparent-proxy.md)
but don't have a Squid proxy to test against. For anyone who does (or is
familiar with how they work):

A) Does it look right?
B) In step 3, adding apt/dnf proxy settings to all AppVMs based on the same
   template as the UpdateVM's seems a bit broad. Is there a way to fine-tune it?
C) Any special R4.0 considerations?
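
The quoted post reports two constraints that are easy to get wrong when copying its steps: the Tor proxy options and the dnf `proxy=` line needed an IP rather than a host name, and the dnf line goes after `### QUBES END ###`. The following lint script is an added example, not part of either message or of Qubes; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint proxy settings against the constraints in the quoted post.

# Step 1: Tor proxy options must carry IP:port, not a host name.
check_torrc() {
    awk '
        tolower($1) == "httpproxy" || tolower($1) == "httpsproxy" {
            seen = 1
            if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                print FILENAME ": " $1 " is not IP:port: " $2
                bad = 1
            }
        }
        END { if (!seen) { print FILENAME ": no HTTP(S) proxy option"; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# Step 3: proxy= must sit below "### QUBES END ###" and use http://IP:port.
check_dnf_conf() {
    awk '
        /^### QUBES END ###/ { after = 1 }
        /^proxy[ \t]*=/ {
            seen = 1
            val = $0
            sub(/^proxy[ \t]*=[ \t]*/, "", val)
            if (!after) { print FILENAME ": proxy= is above QUBES END"; bad = 1 }
            if (val !~ /^http:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+\/?$/) {
                print FILENAME ": proxy= is not http://IP:port: " val
                bad = 1
            }
        }
        END { if (!seen) { print FILENAME ": no proxy= line"; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# Constructed sample files mirroring the lines quoted in the post.
write_samples() {
    printf '%s\n' 'DisableNetwork 0' 'HTTPproxy 10.0.0.1:8080' \
        'HTTPSproxy 10.0.0.1:8080' 'FascistFirewall 1' > "$1/torrc.ok"
    printf '%s\n' 'HTTPproxy proxy.example.com:8080' > "$1/torrc.bad"
    printf '%s\n' '[main]' '### QUBES END ###' \
        'proxy=http://10.0.0.1:8080' > "$1/dnf.ok"
    printf '%s\n' '[main]' 'proxy=http://proxy.example.com:8080' \
        '### QUBES END ###' > "$1/dnf.bad"
}

# Usage: script.sh TORRC DNF_CONF (does nothing when run without arguments).
if [ "$#" -eq 2 ]; then check_torrc "$1"; check_dnf_conf "$2"; fi
```

Each function prints one line per finding and returns non-zero if any were found, so it can gate a template change before the VM is restarted.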