On Thu, Dec 21, 2017 at 10:57:26PM -0800, pr0xy wrote:
> On 2017-12-19 15:33, Unman wrote:
> > On Tue, Dec 19, 2017 at 03:09:05PM +0100, 'Tom Zander' via qubes-users
> > wrote:
> >> On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
> >> > I am still a bit stuck concerning the Qubes Update Proxy. Where would I
> >> > set the environment variables for my corporate proxy so that I could
> >> > update dom0, templates and VMs?
> >>
> >> You should add sys-net to your template VM if you want that since the proxy
> >> that is in place today is to avoid your template VM from accessing the
> >> intranet or internet outside of your own machine.
> >>
> >> Then google on where the template operating system (Fedora or Debian etc)
> >> sets proxies for doing the command-line update, the configuration is the
> >> same as Fedora or Debian etc.
> >> I don’t know fedora at all,
> >> in archlinux you’ll have a file in /etc/pacman/ which sets the current
> >> proxy,
> >> in debian you’ll likely have one in /etc/apt/
> >>
> >> grep -R -i PROXY /etc/*
> >>
> >> may be useful too.
> >
> > Tom
> >
> > I've suggested before that if you give this advice you should
> > clearly state the consequences.
> >
> > op - please don't do this. sys-net will not enforce a firewall and it is
> > bad practice to expose your templates in this way.
> >
> > I understand you chose not to use the iptables route.
> > If you want to combine the Qubes proxy with an external proxy on
> > your network you should be able to do this by editing the tinyproxy.conf
> > file. You will find this in /etc/tinyproxy.
> >
> > Qubes uses tinyproxy for all the template updates. You can make
> > tinyproxy use an external proxy.
> > The change you need to make is:
> > upstream host:port
> >
> > check the documentation at
> > https://tinyproxy.github.io
> >
> > unman
>
> I did try the iptables method you suggested, but like Marek said, the
> applications weren't aware of the proxy and didn't use it. I would just
> get failed connections without setting the proxy in each piece of
> software in each AppVM. The environment variable setting seemed to work
> better in the AppVMs.
>
> I tested setting the upstream host:port in the tinyproxy.conf of
> sys-firewall. That didn't seem to work as I couldn't get Template
> updates to connect to look for updates. I also tested setting this same
> method on sys-net, but with the same results.
>
> I also asked around on IRC about this, and was told that the Qubes
> Update Proxy could be adjusted from here:
>
> /etc/systemd/system/multi-user.target.wants/qubes-updates-proxy.service
>
> Wasn't sure how I could manipulate the proxy from there, but it does
> point to tinyproxy at /etc/tinyproxy/tinyproxy-updates.conf
> I tried adding the upstream host:port to that file on sys-firewall, but
> the template updates still give me an "Error: Failed to synchronize
> cache for repo 'updates'" The result was the same attempting the same
> setting on sys-net.
>
It's very difficult to troubleshoot this without knowing more about what
is happening at the proxy, and in the Qubes networking.
Those iptables rules work with squid as a transparent proxy without
any client configuration. But they don't work for you. Please make sure
that you therefore remove any trace of them from your system.
As setting the proxy in tinyproxy didn't work for you either, make sure
you remove those entries too.

I suspect the best thing to try is to edit the qubes proxy config file
in the template. In a Debian template it's in /etc/apt/apt.conf.d and in
Fedora /etc/yum.conf.d or /etc/dnf/dnf.conf
(Sorry to be vague but I don't have a Qubes box to hand.)
Edit the file so that it points to your corporate proxy instead of the
10.137.255.254 host.
Then make sure that you add the corporate proxy IP and port to allowed
in the template firewall.
You should be able to use just the HTTPS proxy port for both HTTP and
https traffic from the template.

good luck

unman
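
An added example, not part of the thread and not Qubes project code: after a template's apt or dnf configuration has been edited as the last message describes, this script lists every active proxy directive and flags any that still point at the 10.137.255.254 host or at something other than the intended proxy. The corporate proxy name, the port numbers and the sample file contents are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

QUBES_UPDATES_PROXY = "10.137.255.254"  # host named in the thread

# apt syntax:      Acquire::http::Proxy "http://host:port/";
# dnf/yum syntax:  proxy=http://host:port
# Both patterns are anchored at the start of the line, so directives that
# have been commented out with "//" or "#" are not reported.
APT_RE = re.compile(r'^\s*Acquire::(https?)::Proxy\s+"([^"]*)"\s*;', re.I)
DNF_RE = re.compile(r'^\s*proxy\s*=\s*(\S+)', re.I)

def find_proxies(text):
    """Return (lineno, scheme, host, port) for each active proxy directive."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = APT_RE.match(line)
        if m:
            scheme, url = m.group(1).lower(), m.group(2)
        else:
            m = DNF_RE.match(line)
            if not m:
                continue
            scheme, url = "any", m.group(1)  # dnf uses one proxy for all
        u = urlsplit(url)
        found.append((n, scheme, u.hostname, u.port))
    return found

def audit(text, want_host, want_port):
    """Classify each directive as 'ok', 'qubes-default' or 'unexpected'."""
    report = []
    for n, scheme, host, port in find_proxies(text):
        if (host, port) == (want_host, want_port):
            status = "ok"
        elif host == QUBES_UPDATES_PROXY:
            status = "qubes-default"  # still routed via the Qubes proxy
        else:
            status = "unexpected"
        report.append((n, scheme, status))
    return report

# Constructed samples (not copied from a real Qubes template).
SAMPLE_APT = '''\
// constructed sample
Acquire::http::Proxy "http://proxy.corp.example:3128/";
Acquire::https::Proxy "http://10.137.255.254:8082/";
//Acquire::http::Proxy "http://old.example:8080/";
'''
SAMPLE_DNF = "[main]\ngpgcheck=1\nproxy=http://proxy.corp.example:3128\n"

if __name__ == "__main__":
    for name, text in (("apt", SAMPLE_APT), ("dnf", SAMPLE_DNF)):
        for row in audit(text, "proxy.corp.example", 3128):
            print(name, *row)
```

In the apt sample the https directive was left behind, which is the half-edited state that produces update failures for only some repositories.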