On 2017-12-19 15:33, Unman wrote:
> On Tue, Dec 19, 2017 at 03:09:05PM +0100, 'Tom Zander' via qubes-users wrote:
>> On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
>> > I am still a bit stuck concerning the Qubes Update Proxy. Where would I
>> > set the environment variables for my corporate proxy so that I could
>> > update dom0, templates and VMs?
>>
>> You should add sys-net to your template VM if you want that since the proxy
>> that is in place today is to avoid your template VM from accessing the
>> intranet or internet outside of your own machine.
>>
>> Then google on where the template operating system (Fedora or Debian etc)
>> sets proxies for doing the command-line update, the configuration is the same
>> as Fedora or Debian etc.
>> I don’t know Fedora at all,
>> in Arch Linux you’ll have a file in /etc/pacman/ which sets the current proxy,
>> in Debian you’ll likely have one in /etc/apt/
>>
>> grep -R -i  PROXY /etc/*
>>
>> may be useful too.
> 
> Tom
> 
> I've suggested before that if you give this advice you should
> clearly state the consequences.
> 
> OP - please don't do this. sys-net will not enforce a firewall and it is
> bad practice to expose your templates in this way.
> 
> I understand you chose not to use the iptables route.
> If you want to combine the Qubes proxy with an external proxy on
> your network you should be able to do this by editing the tinyproxy.conf
> file. You will find this in /etc/tinyproxy.
> 
> Qubes uses tinyproxy for all the template updates. You can make
> tinyproxy use an external proxy.
> The change you need to make is:
> upstream  host:port
> 
> Check the documentation at
> https://tinyproxy.github.io
> 
> unman

I did try the iptables method you suggested, but like Marek said, the
applications weren't aware of the proxy and didn't use it. I would just
get failed connections without setting the proxy in each piece of
software in each AppVM. The environment variable setting seemed to work
better in the AppVMs.

I tested setting the upstream  host:port in the tinyproxy.conf of
sys-firewall. That didn't seem to work as I couldn't get Template
updates to connect to look for updates. I also tested setting this same
method on sys-net, but with the same results. 

I also asked around on IRC about this, and was told that the Qubes
Update Proxy could be adjusted from here:

/etc/systemd/system/multi-user.target.wants/qubes-updates-proxy.service

Wasn't sure how I could manipulate the proxy from there, but it does
point to tinyproxy at /etc/tinyproxy/tinyproxy-updates.conf.
I tried adding the upstream  host:port to that file on sys-firewall, but
the template updates still give me an "Error: Failed to synchronize
cache for repo 'updates'". The result was the same attempting the same
setting on sys-net.
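
Added example, not part of the original thread: the messages above name two config files (tinyproxy.conf and tinyproxy-updates.conf), so this sketch reads a unit file's ExecStart line to see which file tinyproxy is started with and lists the active `upstream` directives in that file. The function names, the fixture contents and `proxy.example:8080` are constructed for illustration; on a real system you would pass the unit path quoted above and an empty prefix.

```shell
#!/bin/sh
# Added example (not from the thread). Fixture files below are constructed.

# Print the config path passed to tinyproxy's -c option on the ExecStart line.
unit_config_path() {
    sed -n 's/^ExecStart=.*[[:space:]]-c[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print active (uncommented) upstream directives with whitespace normalised.
active_upstreams() {
    awk '{ sub(/#.*/, "") }
         $1 == "upstream" && NF >= 2 { $1 = $1; print }' "$1"
}

# $1 = unit file, $2 = optional root prefix so fixtures can stand in for /etc.
# Returns 0 if the loaded config has an active upstream, 1 if not, 2 on error.
check_update_proxy() {
    conf=$(unit_config_path "$1")
    [ -n "$conf" ] || { echo "no -c option found in $1"; return 2; }
    [ -r "$2$conf" ] || { echo "cannot read $conf"; return 2; }
    ups=$(active_upstreams "$2$conf")
    [ -n "$ups" ] || { echo "$conf: no active upstream directive"; return 1; }
    echo "$conf: $ups"
}

# Constructed fixture mirroring the paths named in the thread.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/tinyproxy"
    printf '[Service]\nExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-updates.conf\n' \
        > "$root/unit.service"
    printf 'Port 8082\n#upstream  old.example:3128\nupstream  proxy.example:8080\n' \
        > "$root/etc/tinyproxy/tinyproxy-updates.conf"
    printf 'Port 8888\n' > "$root/etc/tinyproxy/tinyproxy.conf"
    echo "$root"
}

root=$(make_fixture)
check_update_proxy "$root/unit.service" "$root"
rm -rf "$root"
```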


