Add behind-proxy #603
configuration/behind-proxy.md
export ftp_proxy=http://proxy.example.com:10021 | ||
export HTTP_PROXY=http://proxy.example.com:8080 | ||
export HTTPS_PROXY=http://proxy.example.com:8443 | ||
export FTP_PROXY=http://proxy.example.com:10021 |
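Review bot: the HTTPS_PROXY and FTP_PROXY exports (and the lowercase ftp_proxy above them) all carry an http:// scheme on ports that differ from HTTP_PROXY, and nothing here says that the scheme describes how the client talks to the proxy rather than the protocol being proxied. Add one sentence stating that, so readers do not "correct" the values to https:// or ftp://, and say whether the three ports are meant to be distinct listeners or are only placeholders.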
What applications use uppercase versions? AFAIK the lowercase is the standard.
configuration/behind-proxy.md
Perform the following steps from inside that template. | ||
|
||
Add `proxy=http://10.0.0.1:8080` to the bottom of `/etc/apt/apt.conf.d/71proxy` in Debian templates. | ||
In Fedora, add it to `/etc/dnf/dnf.conf` instead, after the line that says `### QUBES END ###`. |
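Review bot: the `proxy=http://10.0.0.1:8080` line is dnf.conf syntax, but the Debian sentence tells the reader to append it to `/etc/apt/apt.conf.d/71proxy`, where apt expects the form `Acquire::http::Proxy "http://10.0.0.1:8080";`. Give the apt and dnf settings as two separate snippets. The address is also a literal 10.0.0.1 here while the environment-variable example uses proxy.example.com; use one placeholder throughout.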
This will not work in Qubes 4.0, because templates have no direct network access at all. Better to configure proxy in updates-proxy service. See `Upstream` setting in `tinyproxy.conf(5)`. This would require modifying `/etc/tinyproxy/tinyproxy-updates.conf`, including making it persistent (a file in `/rw` + `cp ... /etc/tinyproxy/tinyproxy-updates.con` in `/rw/config/rc.local`?).
I thought adding the proxy setting here would result in it only getting used by the UpdateVM (e.g. sys-net) based on this template, and the templates themselves would actually continue to use qubes-rpc (4.0) or restricted networking (3.2) to pull updates from the UpdateVM. What am I missing?
Thinking about it a bit more, I could see this proxy setting might override the one for `tinyproxy-updates` when using a debian-9 based sys-net to supply updates for the debian-9 template. Would it work to combine the approaches and apply the `apt.conf.d` / `dnf.conf` modifications strictly to the UpdateVM (instead of the underlying template) via your persistence approach?
When you update template, dnf/apt is used only inside that template. And dnf/apt in template needs to be configured to use updates proxy - overriding proxy setting there will break updates. On the updates proxy side (sys-net) it is just http proxy, nothing more. Modifying dnf/apt configuration there has no effect on what is used by template to download updates.
There are some cases where modifying apt/dnf config to use some (corporate?) proxy in TemplateBasedVM is desirable - for example if you want to (temporarily) install package directly there, instead of installing it permanently in template. Another case is just checking for updates to decide whether template update is needed.
For those cases, it might be ok to set proxy setting before `### QUBES BEGIN ###` (or in file ordered before `71proxy`). This way, the setting will be used only in TemplateBasedVM, but will be overridden in TemplateVM to updates proxy. This needs to be tested, I'm not sure about apt and dnf behavior with duplicated settings.
Note that there is a minor conflict in
Updated.
Is this document more suited to the Community docs vs. official?
The topic seems suitable for the official docs, in my opinion.
Given the change in policy (QubesOS/qubes-issues#4693) (and the fact that the Qubes devs haven't had time to re-review it in well over a year), I think this would now be more suitable for the Community docs.
Did an "RFC" on qubes-users but got no replies, so putting this here.