tinyproxy may return empty output (instead of error page) when asked for invalid address #1482
marmarek added bug, C: core, P: major labels Dec 4, 2015
marmarek added this to the Release 3.1 milestone Dec 4, 2015
/cc @adrelanos
adrelanos
Dec 4, 2015
Member
Good catch! It's a problem. Could potentially brick upgrading Whonix
TemplateVMs. Looking into it now.
adrelanos
Dec 4, 2015
Member
whonixcheck --verbose --function check_qubes_update_proxy
This is the full curl command in enable-firewall.
UWT_DEV_PASSTHROUGH=1 curl --silent --connect-timeout 3 http://10.137.255.254:8082/
This is the full curl command in
adrelanos
Dec 4, 2015
Member
This bricks upgrading indeed.
How much are we mothering our users? Protecting them from shooting their own feet? Is making it difficult to establish clearnet connections (non-torified upgrades) from Whonix TemplateVMs considered an important feature? Or is it a feature that one could easily decide to upgrade over Tor vs over clearnet by switching the TemplateVMs NetVM setting to either sys-firewall or sys-whonix?
marmarek
Dec 4, 2015
Member
> This bricks upgrading indeed.

This is how I've found this...

> Is making it difficult to establish clearnet connections (non-torified upgrades) from Whonix TemplateVMs considered an important feature?

You tell me :)

> Or is it a feature that one could easily decide to upgrade over Tor vs over clearnet by switching the TemplateVMs NetVM setting to either sys-firewall or sys-whonix?

Yes, updates proxy in sys-whonix is to be able to easily set updates over tor, even on non-Whonix templates.
marmarek added P: blocker and removed P: major labels Dec 4, 2015
marmarek
Dec 4, 2015
Member
Raising priority, because not being able to install updates is a release blocker.
adrelanos
Dec 4, 2015
Member
Let's revert back to filtering for now. Otherwise this breaks the release (and inclusion in the installer) of Whonix 12.
adrelanos
Dec 4, 2015
Member
It would mean to revert the following three commits. (I don't think I missed one, but please recheck.)
- marmarek/qubes-core-agent-linux@7a0286d
- marmarek/qubes-core-agent-linux@69bb71b
- marmarek/qubes-core-agent-linux@15c69f4
I think it's best to create a branch that squashes/reverts these three commits so they can later be re-applied.
adrelanos
Dec 4, 2015
Member
Perhaps not so quick. Would you know how to implement set some light filtering - basically blocking connection directly to 10.137.255.254? Seems the better solution.
Otherwise I cannot think of a way how the gateway could figure out it's connected to a torified rather than non-torified updates proxy.
marmarek
Dec 4, 2015
Member
> Perhaps not so quick. Would you know how to implement set some light filtering - basically blocking connection directly to 10.137.255.254? Seems the better solution.
See referenced commit.

Awesome! Applied the config file changes. Works for me.
marmarek closed this in marmarek/old-qubes-core-agent-linux@181c15f Dec 4, 2015

Building Whonix templates for R3.1 again...
marmarek
Dec 4, 2015
Member
Hmm, maybe just whonix-gw is enough? It shouldn't matter in whonix-ws template (the fix there can be applied using standard update). Build takes a lot of time and we want to release R3.1-rc1 ASAP.

Yes. I could not think of something where this should be a problem.

added a commit to marmarek/qubes-core-agent-linux that referenced this issue Sep 15, 2017
qubesos-bot
Sep 15, 2017
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-4.0.8-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:
sudo yum update --enablerepo=qubes-vm-r4.0-current-testing
qubesos-bot added the r4.0-fc24-cur-test label Sep 15, 2017
qubesos-bot referenced this issue in QubesOS/updates-status Sep 15, 2017: Closed core-agent-linux v4.0.8 (r4.0) #216
qubesos-bot
Sep 15, 2017
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-4.0.8-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:
sudo yum update --enablerepo=qubes-vm-r4.0-current-testing
qubesos-bot added the r4.0-fc25-cur-test label Sep 15, 2017
qubesos-bot
Sep 15, 2017
Automated announcement from builder-github
The package qubes-core-agent_4.0.8-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
qubesos-bot added the r4.0-jessie-cur-test label Sep 15, 2017
qubesos-bot
Sep 15, 2017
Automated announcement from builder-github
The package qubes-core-agent_4.0.8-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
qubesos-bot added the r4.0-stretch-cur-test label Sep 15, 2017
qubesos-bot
Oct 17, 2017
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-4.0.11-1.fc24 has been pushed to the r4.0 stable repository for the Fedora fc24 template.
To install this update, please use the standard update command:
sudo yum update
qubesos-bot added r4.0-fc24-stable and removed r4.0-fc24-cur-test labels Oct 17, 2017
qubesos-bot
Oct 17, 2017
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-4.0.11-1.fc25 has been pushed to the r4.0 stable repository for the Fedora fc25 template.
To install this update, please use the standard update command:
sudo yum update
qubesos-bot added r4.0-fc25-stable and removed r4.0-fc25-cur-test labels Oct 17, 2017
qubesos-bot
Oct 17, 2017
Automated announcement from builder-github
The package qubes-core-agent_4.0.11-1+deb8u1 has been pushed to the r4.0 stable repository for the Debian jessie template.
To install this update, please use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
qubesos-bot removed the r4.0-jessie-cur-test label Oct 17, 2017
qubesos-bot added the r4.0-jessie-stable label Oct 17, 2017
qubesos-bot
Oct 17, 2017
Automated announcement from builder-github
The package qubes-core-agent_4.0.11-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian stretch template.
To install this update, please use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
marmarek commented Dec 4, 2015
Whonix Gw/Ws template script does this:
And searches for a magic string in the error page, to check if that is really (properly torified) tinyproxy running on Whonix Gateway. After QubesOS/qubes-core-agent-linux@69bb71b it is no longer blocked by the filtering rules, and the connection is really attempted. And (because of transparent proxy?) succeeds. Then it is immediately terminated, but there are two cases:
In the first case, tinyproxy throws an error (including magic string) and that's ok. But in the second case, there is no error message - just empty output (even without response headers). So the template script does not find it's connected to Whonix Gateway.
Possible solutions (I can think of):
curl -x http://10.137.255.254:8082/ http://invalid.invalid)
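
The failure mode reported in this issue, as an added example that is not code from the thread or from the Whonix or Qubes scripts: a fail-closed classifier for the probe result that keeps "empty output" distinct from "error page without the magic string". The marker value and the function names are hypothetical (the thread does not give the real magic string); 52, 7 and 28 are curl's exit codes for an empty reply, a failed connect and a timeout.

```shell
#!/bin/sh
# Added example. MARKER is a constructed placeholder, not the real magic string.
MARKER='EXAMPLE-TORIFIED-PROXY-MARKER'
# Address taken from the curl command quoted in the thread.
PROXY_URL='http://10.137.255.254:8082/'

# classify_probe RC BODY
# Prints exactly one verdict; returns 0 only when the marker was seen, so a
# caller that just tests the exit status can never treat silence as success.
classify_probe() {
    rc=$1
    body=$2
    case "$rc" in
        0)
            case "$body" in
                *"$MARKER"*) echo torified;    return 0 ;;
                '')          echo empty-reply; return 1 ;;  # connection accepted, nothing sent
                *)           echo unverified;  return 1 ;;  # some other proxy or page answered
            esac ;;
        52)   echo empty-reply; return 1 ;;   # curl: empty reply from server (no headers either)
        7|28) echo unreachable; return 1 ;;   # curl: connect failed / timed out
        *)    echo unverified;  return 1 ;;
    esac
}

# probe_updates_proxy: run the probe quoted in the thread and classify it.
# Not called here; it needs the Qubes updates proxy to be reachable.
probe_updates_proxy() {
    body=$(UWT_DEV_PASSTHROUGH=1 curl --silent --connect-timeout 3 "$PROXY_URL")
    classify_probe "$?" "$body"
}
```

Logging the verdict, rather than only the pass/fail status, shows at a glance whether the proxy answered with nothing or answered as a non-torified proxy.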