tinyproxy may return empty output (instead of error page) when asked for invalid address #1482

Closed
marmarek opened this Issue Dec 4, 2015 · 22 comments

marmarek commented Dec 4, 2015

Whonix Gw/Ws template script does this:

curl http://10.137.255.254:8082/

And searches for a magic string in the error page, to check if that is really (properly torified) tinyproxy running on Whonix Gateway. After QubesOS/qubes-core-agent-linux@69bb71b it is no longer blocked by the filtering rules, and the connection is really attempted. And (because of transparent proxy?) succeeds. Then it is immediately terminated, but there are two cases:

  • connection was terminated before sending request headers there
  • connection was terminated after sending request and while waiting for response

In the first case, tinyproxy throws an error (including the magic string) and that's ok. But in the second case, there is no error message - just empty output (even without response headers). So the template script does not find it's connected to Whonix Gateway.

Possible solutions (I can think of):

  • use some different way to check if tinyproxy is running on Whonix Gw. If still using the magic string on the web page, it can use some really invalid URL (curl -x http://10.137.255.254:8082/ http://invalid.invalid)
  • revert that commit - restore filtering
  • set some light filtering - basically blocking connection directly to 10.137.255.254

@marmarek marmarek added this to the Release 3.1 milestone Dec 4, 2015

marmarek commented Dec 4, 2015

@adrelanos

adrelanos commented Dec 4, 2015

whonixcheck --verbose --function check_qubes_update_proxy

(check_qubes)

This is the full curl command in enable-firewall.

UWT_DEV_PASSTHROUGH=1 curl --silent --connect-timeout 3 http://10.137.255.254:8082/
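
The following is an added example, not the enable-firewall or whonixcheck code discussed above. It puts the two ideas from this thread into one script: probe the proxy through curl's -x/--proxy with a deliberately invalid URL (marmarek's first suggested option), so that tinyproxy has to answer with its own error page instead of forwarding, and then classify the result so that the "empty output, no headers" failure described in the report is reported as its own outcome rather than silently counted as "not the Whonix proxy". The marker text in MAGIC, the result labels, and the function names are assumptions made for illustration; the page does not quote the real magic string. The curl exit codes used (7 could not connect, 28 timeout, 52 empty reply from server) are curl's documented values.

```shell
#!/bin/sh
# Added example (not Qubes or Whonix code): probe the updates proxy and
# classify the outcome, keeping the "empty reply" case visible.
#
# Assumptions not taken from the page: the marker in MAGIC, the labels
# printed by classify_probe, and the function names.

PROXY_URL="http://10.137.255.254:8082"   # proxy address from the thread
MAGIC="tinyproxy"                         # assumed marker; the real one is not on the page

# probe_proxy: request a host that cannot resolve, via the proxy, so a
# working tinyproxy answers with an error page of its own rather than
# forwarding. Prints the body; returns curl's exit status.
probe_proxy() {
    curl --silent --connect-timeout 3 --max-time 10 \
        --proxy "$PROXY_URL" http://invalid.invalid/
}

# classify_probe BODY CURL_EXIT
# Prints exactly one label and always returns 0:
#   torified-proxy  body carries the marker: the expected error page
#   empty-response  connection accepted, then closed without any bytes
#                   (the case reported in this issue; curl exit 52, or a
#                   reply with nothing in it)
#   no-proxy        nothing answered (refused, exit 7, or timeout, exit 28)
#   other-proxy     something answered, but not with the expected page
classify_probe() {
    body=$1
    rc=$2
    case $rc in
        0) ;;
        52) echo empty-response; return 0 ;;
        7|28) echo no-proxy; return 0 ;;
        *) if [ -z "$body" ]; then echo no-proxy; else echo other-proxy; fi; return 0 ;;
    esac
    if [ -z "$body" ]; then
        echo empty-response
    elif printf '%s' "$body" | grep -qF -e "$MAGIC"; then
        echo torified-proxy
    else
        echo other-proxy
    fi
}

# check_update_proxy: run the live probe; succeeds only for the expected page.
check_update_proxy() {
    body=$(probe_proxy)
    rc=$?
    result=$(classify_probe "$body" "$rc")
    echo "$result"
    [ "$result" = torified-proxy ]
}

# Only contact the network when explicitly asked: ./check.sh run
case "${1-}" in
    run) check_update_proxy ;;
esac
```

Because the requested host is invalid, the response always comes from the proxy process itself; what the marker then proves still depends on that marker appearing only in the torified proxy's error page, which is what the existing check relies on. Treating exit 52 separately makes a connection that is accepted and then dropped distinguishable from a missing proxy, which is the distinction the original curl | grep check could not make.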

adrelanos commented Dec 4, 2015

This bricks upgrading indeed.

How much are we mothering our users? Protecting them from shooting their own feet? Is making it difficult to establish clearnet connections (non-torified upgrades) from Whonix TemplateVMs considered an important feature? Or is it a feature that one could easily decide to upgrade over Tor vs over clearnet by switching the TemplateVMs NetVM setting to either sys-firewall or sys-whonix?

marmarek commented Dec 4, 2015

> This bricks upgrading indeed.

This is how I've found this...

> Is making it difficult to establish clearnet connections (non-torified upgrades) from Whonix TemplateVMs considered an important feature?

You tell me :)

> Or is it a feature that one could easily decide to upgrade over Tor vs over clearnet by switching the TemplateVMs NetVM setting to either sys-firewall or sys-whonix?

Yes, updates proxy in sys-whonix is to be able easily set updates over tor, even on non-Whonix templates.

@marmarek marmarek added P: blocker and removed P: major labels Dec 4, 2015

marmarek commented Dec 4, 2015

Raising priority, because not being able to install updates is a release blocker.

adrelanos commented Dec 4, 2015

Let's revert back to filtering for now. Otherwise this breaks the release (and inclusion in the installer) of Whonix 12.

adrelanos commented Dec 4, 2015

It would mean to revert the following three commits. (I don't think I missed one, but please recheck.)

I think it's best to create a branch that squashes/reverts these three commits so they can later be re-applied.

adrelanos commented Dec 4, 2015

Perhaps not so quick. Would you know how to implement "set some light filtering - basically blocking connection directly to 10.137.255.254"? Seems the better solution.

Otherwise I cannot think of a way how the gateway could figure out it's connected to a torified rather than non-torified updates proxy.

marmarek commented Dec 4, 2015

> Perhaps not so quick. Would you know how to implement "set some light filtering - basically blocking connection directly to 10.137.255.254"? Seems the better solution.

See referenced commit.

adrelanos commented Dec 4, 2015

Awesome! Applied the config file changes. Works for me.

marmarek commented Dec 4, 2015

Building Whonix templates for R3.1 again...

marmarek commented Dec 4, 2015

Hmm, maybe just whonix-gw is enough? It shouldn't matter in whonix-ws template (the fix there can be applied using standard update). Build takes a lot of time and we want to release R3.1-rc1 ASAP.

adrelanos commented Dec 7, 2015

Yes. I could not think of something where this should be a problem.

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Sep 15, 2017

(redo) updates-proxy: explicitly block connection looping back to the proxy IP

Explicitly block something like "curl http://127.0.0.1:8082" and
return error page in this case. This error page is used in Whonix to
detect if the proxy is torified. If not blocked, it may happen that
empty response is returned instead of error. See linked ticket for
details.

This was previously done for 10.137.255.254, but since migration to
qrexec-based connection, 127.0.0.1 is used instead.

Fixes QubesOS/qubes-issues#1482
qubesos-bot commented Sep 15, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.8-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Sep 15, 2017

Closed

core-agent-linux v4.0.8 (r4.0) #216

qubesos-bot commented Sep 15, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.8-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Sep 15, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.8-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Sep 15, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.8-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Oct 17, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.11-1.fc24 has been pushed to the r4.0 stable repository for the Fedora fc24 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Oct 17, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.11-1.fc25 has been pushed to the r4.0 stable repository for the Fedora fc25 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Oct 17, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.11-1+deb8u1 has been pushed to the r4.0 stable repository for the Debian jessie template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Oct 17, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.11-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian stretch template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update