Re: [qubes-users] Re: Using http_proxy environment variable in Templates with qubes Updates Proxy

2019-03-29 Thread unman
On Thu, Mar 28, 2019 at 08:52:57AM -0700, Matthew Finkel wrote:
> On Sunday, March 10, 2019 at 3:24:08 PM UTC, farrilis wrote:
> > Using Qubes 4.0 in Whonix 14 template
> > 
> > 
> > When using curl, the -x (or --proxy) parameter accepts the address
> > (127.0.0.1:8082) that redirects to Qubes Updates proxy over RPC, and
> > returns what you would expect.
> > 
> > But with wget (which I think is a better choice than curl), setting the
> > http_proxy environment variable is needed (according to 'man wget' and
> > web resources)
> > 
> > 
> > Using the following commands:
> > 
> > 'export use_proxy=on'
> > 'export http_proxy=http://127.0.0.1:8082'
> > 'wget https://gitlab.com/repo/filename'
> > 
> > produces this output:
> > 
> > " Resolving gitlab.com (gitlab.com)... failed: Non-recoverable failure
> > in name resolution.
> > wget: unable to resolve host address 'gitlab.com' "
> > 
> > 
> > Then try a domain name that does not exist:
> > 
> > " Connecting to 127.0.0.1:8082... connected.
> > Proxy request sent, awaiting response... 500 Unable to connect
> > 2019-03-10 15:17:23 ERROR 500: Unable to connect. "
> > 
> > 
> > What could the problem be? curl can use 127.0.0.1:8082, why not wget?
> 
> 
> wget leaks DNS - by this I mean wget tries resolving the domain name locally 
> and then uses the result from that as the destination of the proxied 
> connection. If the DNS resolution query fails, then wget gives you that 
> error. Curl, in comparison, (correctly) asks the proxy to handle the entire 
> connection including the hostname resolution.
> 

This isn't the case in buster, where (from my testing) wget honours the
proxy variable and does not attempt local DNS lookups.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190330030200.mah7sjzyltqgvcmf%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Using http_proxy environment variable in Templates with qubes Updates Proxy

2019-03-28 Thread Matthew Finkel
On Sunday, March 10, 2019 at 3:24:08 PM UTC, farrilis wrote:
> Using Qubes 4.0 in Whonix 14 template
> 
> 
> When using curl, the -x (or --proxy) parameter accepts the address
> (127.0.0.1:8082) that redirects to Qubes Updates proxy over RPC, and
> returns what you would expect.
> 
> But with wget (which I think is a better choice than curl), setting the
> http_proxy environment variable is needed (according to 'man wget' and
> web resources)
> 
> 
> Using the following commands:
> 
> 'export use_proxy=on'
> 'export http_proxy=http://127.0.0.1:8082'
> 'wget https://gitlab.com/repo/filename'
> 
> produces this output:
> 
> " Resolving gitlab.com (gitlab.com)... failed: Non-recoverable failure
> in name resolution.
> wget: unable to resolve host address 'gitlab.com' "
> 
> 
> Then try a domain name that does not exist:
> 
> " Connecting to 127.0.0.1:8082... connected.
> Proxy request sent, awaiting response... 500 Unable to connect
> 2019-03-10 15:17:23 ERROR 500: Unable to connect. "
> 
> 
> What could the problem be? curl can use 127.0.0.1:8082, why not wget?


wget leaks DNS - by this I mean wget tries resolving the domain name locally 
and then uses the result from that as the destination of the proxied 
connection. If the DNS resolution query fails, then wget gives you that error. 
Curl, in comparison, (correctly) asks the proxy to handle the entire connection 
including the hostname resolution.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7bf862a9-f536-41b0-90fb-80557c8bf825%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
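
wget(1) documents one proxy variable per URL scheme (http_proxy, https_proxy, ftp_proxy) plus no_proxy. The following is an added example, not part of any message in this thread, that reports which of those variables applies to a given URL; `proxy_for_url` is a hypothetical helper name and the sample values are the ones from the original post.

```shell
#!/bin/sh
# Added example: which proxy variable applies to a URL under the
# scheme-based selection documented in wget(1).
# proxy_for_url is a hypothetical helper, not a wget or Qubes tool.
# Bracketed IPv6 literals in the URL are not handled.

proxy_for_url() {
    url=$1
    case $url in
        http://*)  var=http_proxy ;;
        https://*) var=https_proxy ;;
        ftp://*)   var=ftp_proxy ;;
        *) printf 'UNSUPPORTED\n'; return 0 ;;
    esac

    # Host part: strip scheme, path, userinfo and port.
    host=${url#*://}
    host=${host%%/*}
    host=${host##*@}
    host=${host%%:*}

    # no_proxy is a comma-separated list of domain suffixes.
    old_ifs=$IFS; IFS=,
    for suffix in ${no_proxy:-}; do
        [ -n "$suffix" ] || continue
        case $host in
            *"$suffix") IFS=$old_ifs
                        printf 'DIRECT (no_proxy: %s)\n' "$suffix"
                        return 0 ;;
        esac
    done
    IFS=$old_ifs

    eval "value=\${$var:-}"
    if [ -n "$value" ]; then
        printf '%s=%s\n' "$var" "$value"
    else
        # No proxy configured for this scheme: the client connects
        # directly and has to resolve the hostname itself.
        printf 'DIRECT (%s unset)\n' "$var"
    fi
}

# Constructed sample: the environment from the original post.
http_proxy=http://127.0.0.1:8082
unset https_proxy no_proxy
proxy_for_url https://gitlab.com/repo/filename  # DIRECT (https_proxy unset)
proxy_for_url http://gitlab.com/repo/filename   # http_proxy=http://127.0.0.1:8082
```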