Restricting a qube to selected websites

A common requirement seems to be the ability to restrict a qube’s access to a certain subset of websites; something that is difficult to achieve using the firewall rules due to multi-hosted websites, CDNs, etc.

The following is a description of one way to set up a qube with restricted website access using only software that is already installed in Qubes OS.

Create a qube based on template:fedora-32 or fedora-33; let’s call it my-proxy. Set its networking to sys-firewall.


Open Qube Settings for my-proxy and in the Services tab, add an entry for tinyproxy (enter tinyproxy in the text field and click the plus button).

Create a qube based on template:fedora-32 or fedora-33; let’s call it my-qube. Set its networking to none.


First we need to make sure changes to the tinyproxy configuration files are preserved between reboots of my-proxy.

Start a terminal in my-proxy and run the following command:

sudo mkdir -p /rw/config/qubes-bind-dirs.d

Create the file /rw/config/qubes-bind-dirs.d/50_user.conf with the following contents:

binds+=( '/etc/tinyproxy' )

Restart the my-proxy qube so the changes take effect.

Edit /etc/tinyproxy/tinyproxy.conf and uncomment the following lines:

Filter "/etc/tinyproxy/filter"
FilterDefaultDeny Yes

Create the file /etc/tinyproxy/filter and add all host names that should be allowed (note that these are regular expressions).

For example, to only allow access to all websites in the example.net domain (eg. example.net, www.example.net, etc), add the following lines:

^example\.net$
\.example\.net$

Edit the file /rw/config/rc.local and add the following line at the end of the file to start tinyproxy when the my-proxy qube is started:

systemctl start tinyproxy

In dom0, create the file /etc/qubes-rpc/policy/qubes.ConnectTCP+8888 with the following contents (this will allow my-qube to connect to port 8888 of my-proxy):

my-qube @default allow,target=my-proxy

In my-qube, edit /rw/config/rc.local to add the following line which will create a link between port 8888 in my-qube and port 8888 in my-proxy (port 8888 being the default port used by tinyproxy):

qvm-connect-tcp ::8888

Start my-qube’s Firefox and set HTTP Proxy to localhost, port 8888, and select “Also use this proxy for FTP and HTTPS”.

You should now be unable to browse to any website which is not in the list of allowed domains.

Bonus Feature - when you start my-qube, my-proxy will be automatically started by Qubes OS!

Notes

  1. Many websites will try to load CSS, javascript libraries, images, etc. from other domains. Blocking these could lead to websites not working correctly, so you may need to track down and add those other domains.
  2. Attempting to access a blocked https site will result in a “The proxy server is refusing connections” error - this is the expected behaviour.

Troubleshooting

  1. In my-proxy, check that tinyproxy is running:
    sudo systemctl status tinyproxy
    If tinyproxy is not running, check that /var/run/qubes-service/tinyproxy exists. Also check the tinyproxy log file at /var/log/tinyproxy/tinyproxy.log for any error messages.
  2. In my-qube, run the following:
    qvm-connect-tcp ::8888
    You should get an “Address is already in use” error.
  3. In my-qube, check that the HTTP/HTTPS proxy has been set in Firefox.
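The filter file in the guide above is a list of regular expressions that tinyproxy searches against the requested host name, and with FilterDefaultDeny Yes a host is only let through when some rule matches. The following is an added example (not part of the original post) that models that rule in Python so the two example.net lines can be checked against candidate host names before they go into /etc/tinyproxy/filter. It assumes tinyproxy’s default case-insensitive matching, and it also takes an unescaped variant of the rules to show that a missing backslash makes a rule looser, not stricter.

```python
import re

# Filter rules as written in the guide above.
GUIDE_FILTER = [r"^example\.net$", r"\.example\.net$"]
# Same rules with the backslashes left out, to show what an unescaped dot matches.
UNESCAPED_FILTER = [r"^example.net$", r".example.net$"]


def compile_filter(lines):
    """Compile a tinyproxy-style filter file: one regex per non-empty, non-comment line."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: tinyproxy matches case-insensitively by default, modelled with IGNORECASE.
        rules.append(re.compile(line, re.IGNORECASE))
    return rules


def is_allowed(host, rules, default_deny=True):
    """Mimic FilterDefaultDeny Yes: a host passes only if at least one rule matches.

    With default_deny=False the same file acts as a blocklist instead (FilterDefaultDeny No).
    """
    matched = any(rule.search(host) for rule in rules)
    return matched if default_deny else not matched


def check_hosts(filter_lines, hosts):
    """Return {host: allowed?} for every host under the given filter file."""
    rules = compile_filter(filter_lines)
    return {host: is_allowed(host, rules) for host in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: the two the guide intends, plus look-alikes that must be denied.
    probes = [
        "example.net",                # allowed by ^example\.net$
        "www.example.net",            # allowed by \.example\.net$
        "EXAMPLE.NET",                # allowed: matching is case-insensitive
        "example.net.example.org",    # denied: $ anchors the rule to the end of the host
        "notexample.net",             # denied: no literal dot before "example"
        "examplexnet",                # denied with escaping, allowed without it
        "xexample.net",               # denied with escaping, allowed without it
    ]
    for name, rules in (("escaped", GUIDE_FILTER), ("unescaped", UNESCAPED_FILTER)):
        print(f"--- {name} rules ---")
        for host, ok in check_hosts(rules, probes).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {host}")
```

The unescaped rules admit examplexnet and xexample.net because `.` matches any single character, so forgetting the backslash does not break the allowlist outright; it silently widens it. The anchors matter just as much: without `$`, `^example\.net` would also pass example.net.example.org.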

Thanks for your guide, might come in handy sometime.
Just two tiny mistakes i found: /rc/config/tinyproxy instead of /rw/config/tinyproxy


Hi @Rooftop. I tried your suggested solution and failed to get firefox in my-qubes to access the few test websites I included in the filter file. I followed all the steps you mentioned and double-checked them. I wonder if the problem is in my filter file. I put in it as a test the following websites. Would you be able to tell me if I need to add additional domains to the whitelist, for these websites to work, and what they are? Thank you.
^duckduckgo.com$
.duckduckgo.com$
^signal.org$
.signal.org$
^nytimes.com$
.nytimes.com$

Thanks for spotting that @Johnboy . I have updated the post.

@oijawyuh, you need to put a backslash (\) before any periods (.).

Try:

^duckduckgo\.com$
\.duckduckgo\.com$
^signal\.org$
\.signal\.org$
^nytimes\.com$
\.nytimes\.com$

That is working for me. I think you will need to restart the proxy VM after editing the filter file. The NY Times seemed to have some layout problems, but was readable.

Hi @Rooftop. Thank you for your reply. I re-initiated the whole installation, and it still didn’t work. After some testing, it turned out that sudo systemctl status tinyproxy in my-proxy VM /rw/config/rc.local didn’t work. When I manually ran sudo touch /var/run/qubes-service/tinyproxy then sudo systemctl status tinyproxy, the proxy in my-proxy worked and the whitelisted websites in my-qube opened.

However, that didn’t last long. Websites stopped opening after less than a minute (after several rounds of testing - shutting down and rebooting both AppVMs) despite sudo systemctl status tinyproxy saying that tinyproxy is still active in my-proxy AppVM. Twice, a non-whitelisted website suddenly and briefly opened upon testing. It seems to me like tinyproxy is crashing. I don’t know, as I am not an IT guy.

FYI, this is what I put in the filter file:

^duckduckgo\.com$
\.duckduckgo\.com$
^signal\.org$
\.signal\.org$
^nytimes\.com$
\.nytimes\.com$
^nyt\.com$
\.nyt\.com$
\.googlesyndication\.com
^googlesyndication\.com
^qubes-os\.org$
\.qubes-os\.org$

Hi @oijawyuh. I have tested your filter file and it seems fine. I had one occasion where the proxy AppVM seemed to hang (possibly related to what is happening to you), but I wasn’t able to reproduce that problem. At no stage did I see any non-whitelisted sites. Can you check that you have set the Network of your Firefox AppVM to none in Qube Settings?

Could you try the following? Start a Terminal in your proxy AppVM and run the following command:

sudo tail -f /var/log/tinyproxy/tinyproxy.log

Then start Firefox in your other AppVM and do some browsing.

This will display the tinyproxy log file, which should show you the sites you are visiting and those that are being blocked. Hopefully it will also give us a clue as to why it is stopping working.
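Reading a tinyproxy log by eye gets tedious quickly, because every request produces several INFO lines. The following is an added example (not from the original post) that parses log lines in the format shown in this thread, counts the hosts that Firefox asked for, and flags any host to which the proxy reports an “Established connection” even though no filter rule allows it. With FilterDefaultDeny Yes the proxy should refuse such a request before opening an upstream socket, so a non-empty list of flagged hosts means the filter is not in effect. The sample log lines are constructed to match the thread’s format, and the filter rules are the signal.org pair from the filter file posted above.

```python
import re
from collections import Counter

# Line shapes from the log in this thread that carry a host name:
#   CONNECT   Jan 30 21:25:07 [11950]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
#   CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
#   CONNECT   Jan 30 21:25:07 [11950]: Established connection to host "www.google.com" using file descriptor 8.
REQUEST_RE = re.compile(r"Request \(file descriptor \d+\): (?P<method>[A-Z]+) (?P<target>\S+)")
ESTABLISHED_RE = re.compile(r'Established connection to host "(?P<host>[^"]+)"')

# Constructed sample log, modelled on the format of the log posted in this thread.
SAMPLE_LOG = """\
CONNECT   Jan 30 21:25:07 [11950]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:07 [11950]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO      Jan 30 21:25:07 [11950]: No upstream proxy for www.google.com
CONNECT   Jan 30 21:25:07 [11950]: Established connection to host "www.google.com" using file descriptor 8.
CONNECT   Jan 30 21:25:13 [12005]: Request (file descriptor 7): CONNECT signal.org:443 HTTP/1.1
CONNECT   Jan 30 21:25:13 [12005]: Established connection to host "signal.org" using file descriptor 8.
CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
CONNECT   Jan 30 21:24:59 [11005]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
CONNECT   Jan 30 21:25:13 [12005]: Request (file descriptor 7): CONNECT www.signal.org:443 HTTP/1.1
"""

# The signal.org rules from the filter file posted earlier in this thread.
USER_FILTER = [r"^signal\.org$", r"\.signal\.org$"]


def compile_filter(lines):
    """One regex per non-empty, non-comment filter line (case-insensitive, as tinyproxy defaults)."""
    return [re.compile(l.strip(), re.IGNORECASE)
            for l in lines if l.strip() and not l.strip().startswith("#")]


def host_from_target(method, target):
    """CONNECT targets look like host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    m = re.match(r"https?://([^/:]+)", target)
    return m.group(1) if m else target


def audit_log(log_lines, filter_lines):
    """Return (Counter of requested hosts, sorted list of hosts reached despite no matching rule)."""
    rules = compile_filter(filter_lines)
    requested = Counter()
    reached_unfiltered = set()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m:
            requested[host_from_target(m["method"], m["target"])] += 1
            continue
        m = ESTABLISHED_RE.search(line)
        if m and not any(rule.search(m["host"]) for rule in rules):
            reached_unfiltered.add(m["host"])
    return requested, sorted(reached_unfiltered)


if __name__ == "__main__":
    requested, leaked = audit_log(SAMPLE_LOG.splitlines(), USER_FILTER)
    print("hosts requested by the browser:")
    for host, n in requested.most_common():
        print(f"  {n:3d}  {host}")
    print("hosts reached although no filter rule allows them:", leaked or "none")
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/tinyproxy/tinyproxy.log and USER_FILTER with the lines of /etc/tinyproxy/filter. The requested-host counter is also the quickest way to find the extra domains a site pulls in (the “other domains” note in the guide), since every CONNECT line names one.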

@Rooftop, I think by now you won’t be able to edit your original post, but from skimming through the conversation I get that some bit of the guide could be fixed. Is this correct?

If that’s the case I can make it into a wiki post so you can edit it and then revert it back to normal post. Would you want me to do this?

Thanks @deeplow, I do seem to still have the ability to edit my original post. I have already corrected the typo pointed out by @Johnboy, but I expect there will be more corrections and clarifications needed :slight_smile:


Hi. In my-proxy, I launched the proxy by sudo touch /var/run/qubes-service/tinyproxy then sudo systemctl status tinyproxy. Then went to browse in my-qube firefox. This is the tinyproxy log (part 1; I will include part 2 in a second post). Some websites (cnet.com, start.fedoraproject.org) did open at least in part even though they were not on the whitelist. Others opened for less than a minute. qubes-os.org opened for a minute, and then failed to open.

INFO      Jan 30 21:24:57 [10980]: Initializing tinyproxy ...
INFO      Jan 30 21:24:57 [10980]: Reloading config file
INFO      Jan 30 21:24:57 [10980]: Setting "Via" header to 'tinyproxy'
INFO      Jan 30 21:24:57 [10980]: Adding Port [443] to the list allowed by CONNECT
INFO      Jan 30 21:24:57 [10980]: Adding Port [563] to the list allowed by CONNECT
INFO      Jan 30 21:24:57 [10980]: listen_sock called with addr = '(NULL)'
INFO      Jan 30 21:24:57 [10980]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6]
INFO      Jan 30 21:24:57 [10980]: listening on fd [0]
INFO      Jan 30 21:24:57 [10980]: trying to listen on host[::], family[10], socktype[1], proto[6]
INFO      Jan 30 21:24:57 [10980]: listening on fd [1]
INFO      Jan 30 21:24:57 [10980]: Now running as group "tinyproxy".
INFO      Jan 30 21:24:57 [10980]: Now running as user "tinyproxy".
INFO      Jan 30 21:24:57 [10980]: Creating child number 1 of 10 ...
CONNECT   Jan 30 21:24:57 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO      Jan 30 21:24:57 [10980]: Creating child number 2 of 10 ...
CONNECT   Jan 30 21:24:57 [11006]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:57 [11005]: Request (file descriptor 7): CONNECT location.services.mozilla.com:443 HTTP/1.1
CONNECT   Jan 30 21:24:57 [11006]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:24:57 [10980]: Creating child number 3 of 10 ...
INFO      Jan 30 21:24:57 [11005]: No upstream proxy for location.services.mozilla.com
INFO      Jan 30 21:24:57 [11006]: No upstream proxy for incoming.telemetry.mozilla.org
INFO      Jan 30 21:24:57 [10980]: Creating child number 4 of 10 ...
INFO      Jan 30 21:24:57 [11005]: opensock: opening connection to location.services.mozilla.com:443
INFO      Jan 30 21:24:57 [11006]: opensock: opening connection to incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:57 [10980]: Creating child number 5 of 10 ...
INFO      Jan 30 21:24:57 [10980]: Creating child number 6 of 10 ...
CONNECT   Jan 30 21:24:57 [11020]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO      Jan 30 21:24:57 [10980]: Creating child number 7 of 10 ...
CONNECT   Jan 30 21:24:57 [11020]: Request (file descriptor 7): CONNECT firefox.settings.services.mozilla.com:443 HTTP/1.1
INFO      Jan 30 21:24:57 [10980]: Creating child number 8 of 10 ...
INFO      Jan 30 21:24:57 [11020]: No upstream proxy for firefox.settings.services.mozilla.com
INFO      Jan 30 21:24:57 [10980]: Creating child number 9 of 10 ...
INFO      Jan 30 21:24:57 [11020]: opensock: opening connection to firefox.settings.services.mozilla.com:443
INFO      Jan 30 21:24:57 [11005]: opensock: getaddrinfo returned for location.services.mozilla.com:443
INFO      Jan 30 21:24:57 [10980]: Creating child number 10 of 10 ...
INFO      Jan 30 21:24:57 [10980]: Finished creating all children.
INFO      Jan 30 21:24:57 [11006]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:57 [10980]: Setting the various signals.
CONNECT   Jan 30 21:24:57 [11031]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO      Jan 30 21:24:57 [10980]: Starting main loop. Accepting connections.
INFO      Jan 30 21:24:57 [11020]: opensock: getaddrinfo returned for firefox.settings.services.mozilla.com:443
CONNECT   Jan 30 21:24:57 [11031]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:24:57 [11031]: No upstream proxy for incoming.telemetry.mozilla.org
INFO      Jan 30 21:24:57 [11031]: opensock: opening connection to incoming.telemetry.mozilla.org:443
CONNECT   Jan 30 21:24:57 [11020]: Established connection to host "firefox.settings.services.mozilla.com" using file descriptor 8.
INFO      Jan 30 21:24:57 [11031]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:57 [11020]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:57 [11012]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:57 [11012]: Request (file descriptor 7): CONNECT firefox.settings.services.mozilla.com:443 HTTP/1.1
INFO      Jan 30 21:24:57 [11012]: No upstream proxy for firefox.settings.services.mozilla.com
INFO      Jan 30 21:24:57 [11012]: opensock: opening connection to firefox.settings.services.mozilla.com:443
INFO      Jan 30 21:24:57 [11012]: opensock: getaddrinfo returned for firefox.settings.services.mozilla.com:443
CONNECT   Jan 30 21:24:57 [11012]: Established connection to host "firefox.settings.services.mozilla.com" using file descriptor 8.
INFO      Jan 30 21:24:57 [11012]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:57 [11005]: Established connection to host "location.services.mozilla.com" using file descriptor 8.
INFO      Jan 30 21:24:57 [11005]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:57 [11006]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
INFO      Jan 30 21:24:57 [11006]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:57 [11031]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
INFO      Jan 30 21:24:57 [11031]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:58 [11037]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:58 [11037]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:24:58 [11037]: No upstream proxy for incoming.telemetry.mozilla.org
INFO      Jan 30 21:24:58 [11037]: opensock: opening connection to incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:58 [11037]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
CONNECT   Jan 30 21:24:58 [11037]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
CONNECT   Jan 30 21:24:58 [11039]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO      Jan 30 21:24:58 [11037]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:58 [11039]: Request (file descriptor 7): CONNECT snippets.cdn.mozilla.net:443 HTTP/1.1
CONNECT   Jan 30 21:24:58 [11044]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO      Jan 30 21:24:58 [11039]: No upstream proxy for snippets.cdn.mozilla.net
CONNECT   Jan 30 21:24:58 [11044]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:24:58 [11039]: opensock: opening connection to snippets.cdn.mozilla.net:443
INFO      Jan 30 21:24:58 [11044]: No upstream proxy for incoming.telemetry.mozilla.org
INFO      Jan 30 21:24:58 [11044]: opensock: opening connection to incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:58 [11044]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:24:58 [11039]: opensock: getaddrinfo returned for snippets.cdn.mozilla.net:443
CONNECT   Jan 30 21:24:58 [11039]: Established connection to host "snippets.cdn.mozilla.net" using file descriptor 8.
INFO      Jan 30 21:24:58 [11039]: Not sending client headers to remote machine
CONNECT   Jan 30 21:24:58 [11034]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:58 [11034]: Request (file descriptor 7): CONNECT snippets.cdn.mozilla.net:443 HTTP/1.1
INFO      Jan 30 21:24:58 [11034]: No upstream proxy for snippets.cdn.mozilla.net
INFO      Jan 30 21:24:58 [11034]: opensock: opening connection to snippets.cdn.mozilla.net:443
INFO      Jan 30 21:24:58 [11034]: opensock: getaddrinfo returned for snippets.cdn.mozilla.net:443
CONNECT   Jan 30 21:24:58 [11035]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:58 [11035]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:24:58 [11035]: No upstream proxy for incoming.telemetry.mozilla.org
CONNECT   Jan 30 21:24:58 [11044]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
INFO      Jan 30 21:24:58 [11035]: opensock: opening connection to incoming.telemetry.mozilla.org:443
CONNECT   Jan 30 21:24:58 [11034]: Established connection to host "snippets.cdn.mozilla.net" using file descriptor 8.
INFO      Jan 30 21:24:58 [11044]: Not sending client headers to remote machine
INFO      Jan 30 21:24:58 [11034]: Not sending client headers to remote machine
INFO      Jan 30 21:24:58 [11035]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
CONNECT   Jan 30 21:24:59 [11035]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
INFO      Jan 30 21:24:59 [11035]: Not sending client headers to remote machine
INFO      Jan 30 21:24:59 [11005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:24:59 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO      Jan 30 21:24:59 [11005]: No upstream proxy for ocsp.digicert.com
INFO      Jan 30 21:24:59 [11005]: opensock: opening connection to ocsp.digicert.com:80
INFO      Jan 30 21:24:59 [11005]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT   Jan 30 21:24:59 [11005]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
INFO      Jan 30 21:24:59 [11005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:24:59 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO      Jan 30 21:24:59 [11005]: No upstream proxy for ocsp.digicert.com
INFO      Jan 30 21:24:59 [11005]: opensock: opening connection to ocsp.digicert.com:80
INFO      Jan 30 21:24:59 [11005]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT   Jan 30 21:24:59 [11005]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
INFO      Jan 30 21:24:59 [11005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:24:59 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO      Jan 30 21:24:59 [11005]: No upstream proxy for ocsp.digicert.com
INFO      Jan 30 21:24:59 [11005]: opensock: opening connection to ocsp.digicert.com:80
INFO      Jan 30 21:24:59 [11005]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT   Jan 30 21:24:59 [11005]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
INFO      Jan 30 21:24:59 [11005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:24:59 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:24:59 [11005]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO      Jan 30 21:24:59 [11005]: No upstream proxy for ocsp.digicert.com
INFO      Jan 30 21:24:59 [11005]: opensock: opening connection to ocsp.digicert.com:80
INFO      Jan 30 21:24:59 [11005]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT   Jan 30 21:24:59 [11005]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
INFO      Jan 30 21:25:00 [11005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:00 [11005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:00 [11005]: Request (file descriptor 7): CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1
INFO      Jan 30 21:25:00 [11005]: No upstream proxy for incoming.telemetry.mozilla.org
INFO      Jan 30 21:25:00 [11005]: opensock: opening connection to incoming.telemetry.mozilla.org:443
INFO      Jan 30 21:25:00 [11005]: opensock: getaddrinfo returned for incoming.telemetry.mozilla.org:443
CONNECT   Jan 30 21:25:00 [11005]: Established connection to host "incoming.telemetry.mozilla.org" using file descriptor 8.
INFO      Jan 30 21:25:00 [11005]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:02 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:02 [11552]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:02 [11552]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO      Jan 30 21:25:02 [11552]: No upstream proxy for ocsp.digicert.com
INFO      Jan 30 21:25:02 [11552]: opensock: opening connection to ocsp.digicert.com:80
INFO      Jan 30 21:25:02 [11552]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT   Jan 30 21:25:02 [11552]: Established connection to host "ocsp.digicert.com" using file descriptor 8.
INFO      Jan 30 21:25:02 [11552]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:02 [11552]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:02 [11552]: Request (file descriptor 7): CONNECT start.fedoraproject.org:443 HTTP/1.1
INFO      Jan 30 21:25:02 [11552]: No upstream proxy for start.fedoraproject.org
INFO      Jan 30 21:25:02 [11552]: opensock: opening connection to start.fedoraproject.org:443
INFO      Jan 30 21:25:02 [11552]: opensock: getaddrinfo returned for start.fedoraproject.org:443
CONNECT   Jan 30 21:25:02 [11552]: Established connection to host "start.fedoraproject.org" using file descriptor 8.
INFO      Jan 30 21:25:02 [11552]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:07 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:07 [11950]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:07 [11950]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO      Jan 30 21:25:07 [11950]: No upstream proxy for www.google.com
INFO      Jan 30 21:25:07 [11950]: opensock: opening connection to www.google.com:443
INFO      Jan 30 21:25:07 [11950]: opensock: getaddrinfo returned for www.google.com:443
CONNECT   Jan 30 21:25:07 [11950]: Established connection to host "www.google.com" using file descriptor 8.
INFO      Jan 30 21:25:07 [11950]: Not sending client headers to remote machine
INFO      Jan 30 21:25:07 [11950]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:07 [11950]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:07 [11950]: Request (file descriptor 7): CONNECT fonts.googleapis.com:443 HTTP/1.1
INFO      Jan 30 21:25:07 [11950]: No upstream proxy for fonts.googleapis.com
INFO      Jan 30 21:25:07 [11950]: opensock: opening connection to fonts.googleapis.com:443
INFO      Jan 30 21:25:07 [11950]: opensock: getaddrinfo returned for fonts.googleapis.com:443
CONNECT   Jan 30 21:25:07 [11950]: Established connection to host "fonts.googleapis.com" using file descriptor 8.
INFO      Jan 30 21:25:07 [11950]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:12 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:12 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
ERROR     Jan 30 21:25:12 [12005]: read_request_line: Client (file descriptor: 7) closed socket before read.
ERROR     Jan 30 21:25:12 [12005]: Error reading readable client_fd 7
WARNING   Jan 30 21:25:12 [12005]: Could not retrieve request entity
CONNECT   Jan 30 21:25:12 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
ERROR     Jan 30 21:25:12 [12005]: read_request_line: Client (file descriptor: 7) closed socket before read.
ERROR     Jan 30 21:25:12 [12005]: Error reading readable client_fd 7
WARNING   Jan 30 21:25:12 [12005]: Could not retrieve request entity
CONNECT   Jan 30 21:25:12 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:12 [12005]: Request (file descriptor 7): CONNECT fonts.googleapis.com:443 HTTP/1.1
INFO      Jan 30 21:25:12 [12005]: No upstream proxy for fonts.googleapis.com
INFO      Jan 30 21:25:12 [12005]: opensock: opening connection to fonts.googleapis.com:443
INFO      Jan 30 21:25:12 [12005]: opensock: getaddrinfo returned for fonts.googleapis.com:443
CONNECT   Jan 30 21:25:12 [12005]: Established connection to host "fonts.googleapis.com" using file descriptor 8.
INFO      Jan 30 21:25:12 [12005]: Not sending client headers to remote machine
INFO      Jan 30 21:25:12 [12005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:12 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
ERROR     Jan 30 21:25:12 [12005]: read_request_line: Client (file descriptor: 7) closed socket before read.
ERROR     Jan 30 21:25:12 [12005]: Error reading readable client_fd 7
WARNING   Jan 30 21:25:12 [12005]: Could not retrieve request entity
CONNECT   Jan 30 21:25:13 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
ERROR     Jan 30 21:25:13 [12005]: read_request_line: Client (file descriptor: 7) closed socket before read.
ERROR     Jan 30 21:25:13 [12005]: Error reading readable client_fd 7
WARNING   Jan 30 21:25:13 [12005]: Could not retrieve request entity
CONNECT   Jan 30 21:25:13 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:13 [12005]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO      Jan 30 21:25:13 [12005]: No upstream proxy for www.google.com
INFO      Jan 30 21:25:13 [12005]: opensock: opening connection to www.google.com:443
INFO      Jan 30 21:25:13 [12005]: opensock: getaddrinfo returned for www.google.com:443
CONNECT   Jan 30 21:25:13 [12005]: Established connection to host "www.google.com" using file descriptor 8.
INFO      Jan 30 21:25:13 [12005]: Not sending client headers to remote machine
INFO      Jan 30 21:25:13 [12005]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:13 [12005]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:13 [12005]: Request (file descriptor 7): CONNECT signal.org:443 HTTP/1.1
INFO      Jan 30 21:25:13 [12005]: No upstream proxy for signal.org
INFO      Jan 30 21:25:13 [12005]: opensock: opening connection to signal.org:443
INFO      Jan 30 21:25:13 [12005]: opensock: getaddrinfo returned for signal.org:443
CONNECT   Jan 30 21:25:13 [12005]: Established connection to host "signal.org" using file descriptor 8.
INFO      Jan 30 21:25:13 [12005]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:17 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:17 [12281]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:17 [12281]: Request (file descriptor 7): CONNECT push.services.mozilla.com:443 HTTP/1.1
INFO      Jan 30 21:25:17 [12281]: No upstream proxy for push.services.mozilla.com
INFO      Jan 30 21:25:17 [12281]: opensock: opening connection to push.services.mozilla.com:443
INFO      Jan 30 21:25:17 [12281]: opensock: getaddrinfo returned for push.services.mozilla.com:443
CONNECT   Jan 30 21:25:17 [12281]: Established connection to host "push.services.mozilla.com" using file descriptor 8.
INFO      Jan 30 21:25:17 [12281]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:22 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:22 [12609]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:22 [12609]: Request (file descriptor 7): POST http://ocsp.pki.goog/gts1o1core HTTP/1.1
INFO      Jan 30 21:25:22 [12609]: No upstream proxy for ocsp.pki.goog
INFO      Jan 30 21:25:22 [12609]: opensock: opening connection to ocsp.pki.goog:80
INFO      Jan 30 21:25:22 [12609]: opensock: getaddrinfo returned for ocsp.pki.goog:80
CONNECT   Jan 30 21:25:22 [12609]: Established connection to host "ocsp.pki.goog" using file descriptor 8.
INFO      Jan 30 21:25:22 [12609]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:22 [12609]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:22 [12609]: Request (file descriptor 7): CONNECT fedoramagazine.org:443 HTTP/1.1
INFO      Jan 30 21:25:22 [12609]: No upstream proxy for fedoramagazine.org
INFO      Jan 30 21:25:22 [12609]: opensock: opening connection to fedoramagazine.org:443
INFO      Jan 30 21:25:22 [12609]: opensock: getaddrinfo returned for fedoramagazine.org:443
CONNECT   Jan 30 21:25:22 [12609]: Established connection to host "fedoramagazine.org" using file descriptor 8.
INFO      Jan 30 21:25:22 [12609]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:27 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:27 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:27 [12679]: Request (file descriptor 7): CONNECT fedoramagazine.org:443 HTTP/1.1
INFO      Jan 30 21:25:27 [12679]: No upstream proxy for fedoramagazine.org
INFO      Jan 30 21:25:27 [12679]: opensock: opening connection to fedoramagazine.org:443
INFO      Jan 30 21:25:27 [12679]: opensock: getaddrinfo returned for fedoramagazine.org:443
CONNECT   Jan 30 21:25:27 [12679]: Established connection to host "fedoramagazine.org" using file descriptor 8.
INFO      Jan 30 21:25:27 [12679]: Not sending client headers to remote machine
INFO      Jan 30 21:25:28 [11552]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:28 [11552]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:28 [11552]: Request (file descriptor 7): CONNECT fedoramagazine.org:443 HTTP/1.1
INFO      Jan 30 21:25:28 [11552]: No upstream proxy for fedoramagazine.org
INFO      Jan 30 21:25:28 [11552]: opensock: opening connection to fedoramagazine.org:443
INFO      Jan 30 21:25:28 [11552]: opensock: getaddrinfo returned for fedoramagazine.org:443
INFO      Jan 30 21:25:28 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:28 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:28 [12679]: Request (file descriptor 7): CONNECT fedoramagazine.org:443 HTTP/1.1
INFO      Jan 30 21:25:28 [12679]: No upstream proxy for fedoramagazine.org
INFO      Jan 30 21:25:28 [12679]: opensock: opening connection to fedoramagazine.org:443
INFO      Jan 30 21:25:28 [12679]: opensock: getaddrinfo returned for fedoramagazine.org:443
CONNECT   Jan 30 21:25:28 [11552]: Established connection to host "fedoramagazine.org" using file descriptor 8.
INFO      Jan 30 21:25:28 [11552]: Not sending client headers to remote machine
CONNECT   Jan 30 21:25:29 [12679]: Established connection to host "fedoramagazine.org" using file descriptor 8.
INFO      Jan 30 21:25:29 [12679]: Not sending client headers to remote machine
INFO      Jan 30 21:25:29 [11552]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:29 [11552]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:29 [11552]: Request (file descriptor 7): CONNECT fonts.gstatic.com:443 HTTP/1.1
INFO      Jan 30 21:25:29 [11552]: No upstream proxy for fonts.gstatic.com
INFO      Jan 30 21:25:29 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Jan 30 21:25:29 [11552]: opensock: opening connection to fonts.gstatic.com:443
CONNECT   Jan 30 21:25:29 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:29 [12679]: Request (file descriptor 7): CONNECT fedoramagazine.org:443 HTTP/1.1
INFO      Jan 30 21:25:29 [12679]: No upstream proxy for fedoramagazine.org
INFO      Jan 30 21:25:29 [12679]: opensock: opening connection to fedoramagazine.org:443
INFO      Jan 30 21:25:29 [12679]: opensock: getaddrinfo returned for fedoramagazine.org:443
INFO      Jan 30 21:25:29 [11552]: opensock: getaddrinfo returned for fonts.gstatic.com:443

This is the filter file.

^duckduckgo\.com$
\.duckduckgo\.com$
^signal\.org$
\.signal\.org$
^nytimes\.com$
\.nytimes\.com$
^nyt\.com$
\.nyt\.com$
\.googlesyndication\.com
^googlesyndication\.com
^qubes-os\.org$
\.qubes-os\.org$
^protonmail\.com$
\.protonmail\.com$
^twitter\.com$
\.twitter\.com$

Part 2 of the log (split because there’s a character limit on the posts)


CONNECT   Jan 30 21:25:30 [12679]: Established connection to host "fedoramagazine.org" using file descriptor 8.
CONNECT   Jan 30 21:25:30 [11552]: Established connection to host "fonts.gstatic.com" using file descriptor 8.
INFO      Jan 30 21:25:30 [12679]: Not sending client headers to remote machine
INFO      Jan 30 21:25:30 [11552]: Not sending client headers to remote machine
INFO      Jan 30 21:25:30 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:30 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:30 [12679]: Request (file descriptor 7): CONNECT fonts.gstatic.com:443 HTTP/1.1
INFO      Jan 30 21:25:30 [12679]: No upstream proxy for fonts.gstatic.com
INFO      Jan 30 21:25:30 [12679]: opensock: opening connection to fonts.gstatic.com:443
INFO      Jan 30 21:25:30 [12679]: opensock: getaddrinfo returned for fonts.gstatic.com:443
CONNECT   Jan 30 21:25:31 [12679]: Established connection to host "fonts.gstatic.com" using file descriptor 8.
INFO      Jan 30 21:25:31 [12679]: Not sending client headers to remote machine
NOTICE    Jan 30 21:25:32 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO      Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO      Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO      Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT   Jan 30 21:25:32 [13352]: Established connection to host "www.google.com" using file descriptor 8.
INFO      Jan 30 21:25:32 [13352]: Not sending client headers to remote machine
INFO      Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT   Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO      Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:32 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:32 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:32 [13352]: Request (file descriptor 7): POST http://ocsp.digicert.com/ HTTP/1.1
INFO Jan 30 21:25:32 [13352]: No upstream proxy for ocsp.digicert.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to ocsp.digicert.com:80
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for ocsp.digicert.com:80
CONNECT Jan 30 21:25:32 [13352]: Established connection to host “ocsp.digicert.com” using file descriptor 8.
INFO Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:32 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:32 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:32 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:32 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:32 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:32 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:32 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:32 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:32 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:32 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:32 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:32 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): GET http://news.com/ HTTP/1.1
INFO Jan 30 21:25:33 [13352]: No upstream proxy for news.com
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to news.com:80
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for news.com:80
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “news.com” using file descriptor 8.
INFO Jan 30 21:25:33 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [12679]: Request (file descriptor 7): POST http://r3.o.lencr.org/ HTTP/1.1
INFO Jan 30 21:25:33 [12679]: No upstream proxy for r3.o.lencr.org
INFO Jan 30 21:25:33 [12679]: opensock: opening connection to r3.o.lencr.org:80
INFO Jan 30 21:25:33 [12679]: opensock: getaddrinfo returned for r3.o.lencr.org:80
CONNECT Jan 30 21:25:33 [12679]: Established connection to host “r3.o.lencr.org” using file descriptor 8.
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO Jan 30 21:25:33 [13352]: No upstream proxy for www.google.com
CONNECT Jan 30 21:25:33 [12679]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [12679]: No upstream proxy for www.google.com
INFO Jan 30 21:25:33 [12679]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for www.google.com:443
INFO Jan 30 21:25:33 [12679]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “www.google.com” using file descriptor 8.
CONNECT Jan 30 21:25:33 [12679]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [12679]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO Jan 30 21:25:33 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [12679]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [12679]: No upstream proxy for www.google.com
INFO Jan 30 21:25:33 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:33 [12679]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [12679]: opensock: getaddrinfo returned for www.google.com:443
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:33 [12679]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [12679]: Not sending client headers to remote machine
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
CONNECT Jan 30 21:25:33 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [12679]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
INFO Jan 30 21:25:33 [12679]: No upstream proxy for www.google.com
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [12679]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [12679]: opensock: getaddrinfo returned for www.google.com:443
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:33 [12679]: Established connection to host “www.google.com” using file descriptor 8.
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [12679]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [12679]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [12679]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [12679]: Request (file descriptor 7): CONNECT qubes-os.org:443 HTTP/1.1
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [12679]: No upstream proxy for qubes-os.org
INFO Jan 30 21:25:33 [13352]: No upstream proxy for www.google.com
INFO Jan 30 21:25:33 [12679]: opensock: opening connection to qubes-os.org:443
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [12679]: opensock: getaddrinfo returned for qubes-os.org:443
INFO Jan 30 21:25:33 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:33 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:33 [13352]: Request (file descriptor 7): CONNECT safebrowsing.googleapis.com:443 HTTP/1.1
INFO Jan 30 21:25:33 [13352]: No upstream proxy for safebrowsing.googleapis.com
INFO Jan 30 21:25:33 [13352]: opensock: opening connection to safebrowsing.googleapis.com:443
CONNECT Jan 30 21:25:33 [12679]: Established connection to host “qubes-os.org” using file descriptor 8.
INFO Jan 30 21:25:33 [12679]: Not sending client headers to remote machine
INFO Jan 30 21:25:33 [13352]: opensock: getaddrinfo returned for safebrowsing.googleapis.com:443
CONNECT Jan 30 21:25:33 [13352]: Established connection to host “safebrowsing.googleapis.com” using file descriptor 8.
INFO Jan 30 21:25:33 [13352]: Not sending client headers to remote machine
NOTICE Jan 30 21:25:37 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:25:37 [13562]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:37 [13562]: Request (file descriptor 7): POST http://ocsp.pki.goog/gts1o1core HTTP/1.1
INFO Jan 30 21:25:37 [13562]: No upstream proxy for ocsp.pki.goog
INFO Jan 30 21:25:37 [13562]: opensock: opening connection to ocsp.pki.goog:80
INFO Jan 30 21:25:37 [13562]: opensock: getaddrinfo returned for ocsp.pki.goog:80
CONNECT Jan 30 21:25:37 [13562]: Established connection to host “ocsp.pki.goog” using file descriptor 8.
INFO Jan 30 21:25:38 [13562]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:38 [13562]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:38 [13562]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:38 [13562]: No upstream proxy for www.google.com
INFO Jan 30 21:25:38 [13562]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:38 [13562]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:38 [13562]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:38 [13562]: Not sending client headers to remote machine
INFO Jan 30 21:25:38 [13562]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:38 [13562]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:38 [13562]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:38 [13562]: No upstream proxy for www.google.com
INFO Jan 30 21:25:38 [13562]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:38 [13562]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:38 [13562]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:38 [13562]: Not sending client headers to remote machine
INFO Jan 30 21:25:38 [13562]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:38 [13562]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:38 [13562]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:38 [13562]: No upstream proxy for www.google.com
INFO Jan 30 21:25:38 [13562]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:38 [13562]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:38 [13562]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:38 [13562]: Not sending client headers to remote machine
INFO Jan 30 21:25:38 [13562]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:38 [13562]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:38 [13562]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:38 [13562]: No upstream proxy for www.google.com
INFO Jan 30 21:25:38 [13562]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:38 [13562]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:38 [13562]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:38 [13562]: Not sending client headers to remote machine
NOTICE Jan 30 21:25:42 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:25:42 [13605]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:42 [13605]: Request (file descriptor 7): POST http://ocsp.pki.goog/gts1o1core HTTP/1.1
INFO Jan 30 21:25:42 [13605]: No upstream proxy for ocsp.pki.goog
INFO Jan 30 21:25:42 [13605]: opensock: opening connection to ocsp.pki.goog:80
INFO Jan 30 21:25:42 [13605]: opensock: getaddrinfo returned for ocsp.pki.goog:80
CONNECT Jan 30 21:25:42 [13605]: Established connection to host “ocsp.pki.goog” using file descriptor 8.
INFO Jan 30 21:25:42 [13605]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:42 [13605]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:42 [13605]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:42 [13605]: No upstream proxy for www.google.com
INFO Jan 30 21:25:42 [13605]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:42 [13605]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:42 [13605]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:42 [13605]: Not sending client headers to remote machine
INFO Jan 30 21:25:42 [13605]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:42 [13605]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:42 [13605]: Request (file descriptor 7): CONNECT www.google.com:443 HTTP/1.1
INFO Jan 30 21:25:42 [13605]: No upstream proxy for www.google.com
INFO Jan 30 21:25:42 [13605]: opensock: opening connection to www.google.com:443
INFO Jan 30 21:25:42 [13605]: opensock: getaddrinfo returned for www.google.com:443
CONNECT Jan 30 21:25:42 [13605]: Established connection to host “www.google.com” using file descriptor 8.
INFO Jan 30 21:25:42 [13605]: Not sending client headers to remote machine
INFO Jan 30 21:25:42 [13605]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:42 [13605]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:42 [13605]: Request (file descriptor 7): GET http://duckduckgo.com/ HTTP/1.1
INFO Jan 30 21:25:42 [13605]: No upstream proxy for duckduckgo.com
INFO Jan 30 21:25:42 [13605]: opensock: opening connection to duckduckgo.com:80
INFO Jan 30 21:25:42 [13605]: opensock: getaddrinfo returned for duckduckgo.com:80
CONNECT Jan 30 21:25:42 [13605]: Established connection to host “duckduckgo.com” using file descriptor 8.
INFO Jan 30 21:25:42 [13605]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:42 [13605]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:42 [13605]: Request (file descriptor 7): CONNECT www.cnet.com:443 HTTP/1.1
INFO Jan 30 21:25:42 [13605]: No upstream proxy for www.cnet.com
INFO Jan 30 21:25:42 [13605]: opensock: opening connection to www.cnet.com:443
INFO Jan 30 21:25:43 [13605]: opensock: getaddrinfo returned for www.cnet.com:443
CONNECT Jan 30 21:25:43 [13605]: Established connection to host “www.cnet.com” using file descriptor 8.
INFO Jan 30 21:25:43 [13605]: Not sending client headers to remote machine
INFO Jan 30 21:25:44 [13352]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:44 [13352]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:44 [13352]: Request (file descriptor 7): CONNECT www.qubes-os.org:443 HTTP/1.1
INFO Jan 30 21:25:44 [13352]: No upstream proxy for www.qubes-os.org
INFO Jan 30 21:25:44 [13352]: opensock: opening connection to www.qubes-os.org:443
INFO Jan 30 21:25:44 [13352]: opensock: getaddrinfo returned for www.qubes-os.org:443
CONNECT Jan 30 21:25:44 [13352]: Established connection to host “www.qubes-os.org” using file descriptor 8.
INFO Jan 30 21:25:44 [13352]: Not sending client headers to remote machine
NOTICE Jan 30 21:25:47 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:25:47 [13963]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:47 [13963]: Request (file descriptor 7): POST http://ocsp.pki.goog/gts1o1core HTTP/1.1
INFO Jan 30 21:25:47 [13963]: No upstream proxy for ocsp.pki.goog
INFO Jan 30 21:25:47 [13963]: opensock: opening connection to ocsp.pki.goog:80
INFO Jan 30 21:25:47 [13963]: opensock: getaddrinfo returned for ocsp.pki.goog:80
CONNECT Jan 30 21:25:47 [13963]: Established connection to host “ocsp.pki.goog” using file descriptor 8.
INFO Jan 30 21:25:47 [13963]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:47 [13963]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:47 [13963]: Request (file descriptor 7): CONNECT www.cnet.com:443 HTTP/1.1
INFO Jan 30 21:25:47 [13963]: No upstream proxy for www.cnet.com
INFO Jan 30 21:25:47 [13963]: opensock: opening connection to www.cnet.com:443
INFO Jan 30 21:25:47 [13963]: opensock: getaddrinfo returned for www.cnet.com:443
CONNECT Jan 30 21:25:47 [13963]: Established connection to host “www.cnet.com” using file descriptor 8.
INFO Jan 30 21:25:47 [13963]: Not sending client headers to remote machine
INFO Jan 30 21:25:48 [13963]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:48 [13963]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:48 [13963]: Request (file descriptor 7): POST http://ocsp.pki.goog/gts1o1core HTTP/1.1
INFO Jan 30 21:25:48 [13963]: No upstream proxy for ocsp.pki.goog
INFO Jan 30 21:25:48 [13963]: opensock: opening connection to ocsp.pki.goog:80
INFO Jan 30 21:25:48 [13963]: opensock: getaddrinfo returned for ocsp.pki.goog:80
CONNECT Jan 30 21:25:48 [13963]: Established connection to host “ocsp.pki.goog” using file descriptor 8.
INFO Jan 30 21:25:48 [13963]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:25:48 [13963]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:48 [13963]: Request (file descriptor 7): CONNECT duckduckgo.com:443 HTTP/1.1
INFO Jan 30 21:25:48 [13963]: No upstream proxy for duckduckgo.com
INFO Jan 30 21:25:48 [13963]: opensock: opening connection to duckduckgo.com:443
INFO Jan 30 21:25:48 [13963]: opensock: getaddrinfo returned for duckduckgo.com:443
CONNECT Jan 30 21:25:48 [13963]: Established connection to host “duckduckgo.com” using file descriptor 8.
INFO Jan 30 21:25:48 [13963]: Not sending client headers to remote machine
NOTICE Jan 30 21:25:52 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:25:52 [14102]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:52 [14102]: Request (file descriptor 7): CONNECT cnet1.cbsistatic.com:443 HTTP/1.1
INFO Jan 30 21:25:52 [14102]: No upstream proxy for cnet1.cbsistatic.com
INFO Jan 30 21:25:52 [14102]: opensock: opening connection to cnet1.cbsistatic.com:443
INFO Jan 30 21:25:52 [14102]: opensock: getaddrinfo returned for cnet1.cbsistatic.com:443
CONNECT Jan 30 21:25:52 [14102]: Established connection to host “cnet1.cbsistatic.com” using file descriptor 8.
INFO Jan 30 21:25:52 [14102]: Not sending client headers to remote machine
NOTICE Jan 30 21:25:57 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:25:57 [14245]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:25:57 [14245]: Request (file descriptor 7): CONNECT cnet3.cbsistatic.com:443 HTTP/1.1
INFO Jan 30 21:25:57 [14245]: No upstream proxy for cnet3.cbsistatic.com
INFO Jan 30 21:25:57 [14245]: opensock: opening connection to cnet3.cbsistatic.com:443
INFO Jan 30 21:25:57 [14245]: opensock: getaddrinfo returned for cnet3.cbsistatic.com:443
CONNECT Jan 30 21:25:57 [14245]: Established connection to host “cnet3.cbsistatic.com” using file descriptor 8.
INFO Jan 30 21:25:57 [14245]: Not sending client headers to remote machine
NOTICE Jan 30 21:26:02 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:26:02 [14417]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:26:02 [14417]: Request (file descriptor 7): CONNECT cmg1.cbsistatic.com:443 HTTP/1.1
INFO Jan 30 21:26:02 [14417]: No upstream proxy for cmg1.cbsistatic.com
INFO Jan 30 21:26:02 [14417]: opensock: opening connection to cmg1.cbsistatic.com:443
INFO Jan 30 21:26:02 [14417]: opensock: getaddrinfo returned for cmg1.cbsistatic.com:443
CONNECT Jan 30 21:26:02 [14417]: Established connection to host “cmg1.cbsistatic.com” using file descriptor 8.
INFO Jan 30 21:26:02 [14417]: Not sending client headers to remote machine
NOTICE Jan 30 21:26:07 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:26:07 [14526]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:26:07 [14526]: Request (file descriptor 7): CONNECT cnet4.cbsistatic.com:443 HTTP/1.1
INFO Jan 30 21:26:07 [14526]: No upstream proxy for cnet4.cbsistatic.com
INFO Jan 30 21:26:07 [14526]: opensock: opening connection to cnet4.cbsistatic.com:443
INFO Jan 30 21:26:07 [14526]: opensock: getaddrinfo returned for cnet4.cbsistatic.com:443
CONNECT Jan 30 21:26:07 [14526]: Established connection to host “cnet4.cbsistatic.com” using file descriptor 8.
INFO Jan 30 21:26:07 [14526]: Not sending client headers to remote machine
NOTICE Jan 30 21:26:12 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT Jan 30 21:26:12 [14527]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:26:12 [14527]: Request (file descriptor 7): CONNECT cdn.cookielaw.org:443 HTTP/1.1
INFO Jan 30 21:26:12 [14527]: No upstream proxy for cdn.cookielaw.org
INFO Jan 30 21:26:12 [14527]: opensock: opening connection to cdn.cookielaw.org:443
INFO Jan 30 21:26:12 [14527]: opensock: getaddrinfo returned for cdn.cookielaw.org:443
CONNECT Jan 30 21:26:12 [14527]: Established connection to host “cdn.cookielaw.org” using file descriptor 8.
INFO Jan 30 21:26:12 [14527]: Not sending client headers to remote machine
INFO Jan 30 21:26:15 [11006]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT Jan 30 21:26:15 [11006]: Connect (file descriptor 7): localhost [127.0.0.1]
CONNECT Jan 30 21:26:15 [11006]: Request (file descriptor 7): CONNECT cnet2.cbsistatic.com:443 HTTP/1.1
INFO Jan 30 21:26:15 [11006]: No upstream proxy for cnet2.cbsistatic.com
INFO Jan 30 21:26:15 [11006]: opensock: opening connection to cnet2.cbsistatic.com:443
INFO Jan 30 21:26:15 [11006]: opensock: getaddrinfo returned for cnet2.cbsistatic.com:443
CONNECT Jan 30 21:26:15 [11006]: Established connection to host “cnet2.cbsistatic.com” using file descriptor 8.
INFO Jan 30 21:26:15 [11006]: Not sending client headers to remote machine
NOTICE Jan 30 21:26:17 [10980]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
NOTICE Jan 30 21:26:22 [10980]: Waiting servers (1) is less than MinSpareServers (5). Creating new child.
INFO Jan 30 21:26:25 [11035]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO Jan 30 21:26:25 [11031]: Closed connection between local client (fd:7) and remote client (fd:8)

@oijawyuh I’ve edited your post to put the log inside an expandable thingy so it doesn’t clutter the thread. Hope you don’t mind.

In these cases you can also name the log [something].log and drop it over the post to upload it as an attachment.

@Rooftop @oijawyuh

Make sure to include -r when removing /etc/tinyproxy, as /etc/tinyproxy in the template root file system is a directory.

Otherwise the symlink command will create /etc/tinyproxy/tinyproxy and the tinyproxy daemon will not be looking at /rw/config/tinyproxy/tinyproxy.conf, but the default one, which doesn’t have any filtering.

rm -rf /etc/tinyproxy

@Rooftop, nice guide. Here are some further suggestions/tips:

  • You can add a service named “tinyproxy” to the Services tab of my-proxy so that /var/run/qubes-service/[input] is created automatically at qube boot.

  • You can further limit the ports my-qube will have access to on my-proxy over RPC by placing the dom0 RPC rule in the file /etc/qubes-rpc/qubes.ConnectTCP+8888.

  • Usage of bind-dirs will allow more seamless configuration for tinyproxy to avoid the rm -rf /etc/tinyproxy in rc.local. Configure /etc/tinyproxy as a bind dir, reboot, make all tinyproxy config / filtering changes in /etc/tinyproxy, and further reboots will keep the config.

@icequbes1, thanks for the tips. I’ve updated the instructions for missing -r in the rm in /rw/config/rc.local. This is almost certainly what is causing @oijawyuh’s problems!

I noticed that, but was a bit surprised that it didn’t actually start the service?

Did not know about this. I’ll add this when I update the first post.

You are right - this is probably a better way to do it. I’ll add this when I update the first post.

@oijawyuh, as pointed out by @icequbes1, there is a mistake in my instructions (which is effectively causing tinyproxy to ignore your configuration files and just use its default settings).

The /rw/config/rc.local file should contain:

rm -rf /etc/tinyproxy
ln -s /rw/config/tinyproxy /etc/tinyproxy
systemctl start tinyproxy

Note the first line has changed!
Once you make that change to your proxy VM and reboot it, you should see something like the following in the tinyproxy log file:

CONNECT   Jan 31 20:51:09 [636]: Request (file descriptor 7): CONNECT location.services.mozilla.com:443 HTTP/1.1
NOTICE    Jan 31 20:51:09 [636]: Proxying refused on filtered domain "location.services.mozilla.com"
CONNECT   Jan 31 20:51:09 [628]: Request (file descriptor 7): GET http://detectportal.firefox.com/success.txt?ipv4 HTTP/1.1
INFO      Jan 31 20:51:09 [636]: no entity
NOTICE    Jan 31 20:51:09 [628]: Proxying refused on filtered domain "detectportal.firefox.com"

I’m really sorry that such a stupid typo caused you so much trouble :slightly_frowning_face:

Correct. Unfortunately it’s not as intuitive as it could be, but the “Services” tab’s job is only to signal whether certain files should be created when the qube boots - it doesn’t actually start a service. Services such as tinyproxy are then configured to only start if the respective qubes-service file exists.

The other things I pointed out were mentioned only if you or others wanted to take further advantage of Qubes’ capabilities; what you have works and is a great solution.

I glanced over your post hoping to find something less cumbersome than using the qubes firewall GUI or qvm-firewall to individually whitelist websites and the resources they depend on, so this was kind of disappointing.

I’m not technical, so maybe I’m missing something–can someone explain to me what the difference between using tinyproxy and qubes firewall is in this context?

The main difference is that with tinyproxy you whitelist sites by hostname/domain name, whereas qubes firewall whitelists by IP address (you can enter a hostname, but it is converted to an IP address when the configuration is saved). This means that if the hostname can resolve to multiple IP addresses (which is the case for websites behind CDN’s or load balancers) then tinyproxy will work, whereas the qubes firewall may work, but may also fail intermittently.

Depending on the type of site you are whitelisting, it may not be that hard to work out the list of required domains. The tinyproxy log file will list every site which it blocks access to, so you can work out which ones need to be whitelisted.

Also, the tinyproxy whitelisting uses regular expressions, so you can easily whitelist entire domains.

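To make the two points above concrete (the filter file is a regex allow-list matched against the host name, and the log tells you which hosts were refused or forwarded), here is a small checker. It is an added example written for this thread, not tinyproxy’s own code and not part of the guide. It assumes tinyproxy’s documented filter behaviour: each non-comment line of the filter file is a regex searched anywhere in the host name (which is why the entries above carry ^ and $), matching is case-insensitive unless FilterCaseSensitive is set, and with FilterDefaultDeny Yes a match means allow. The filter file and the log excerpt inside it are constructed, modelled on the ones posted in this thread; the function names (load_filter, is_allowed, outcomes_from_log, audit) are mine.

```python
from __future__ import annotations
import re

# Constructed filter file in the same shape as the one posted above
# (tinyproxy filter syntax: one regex per line, '#' comments allowed).
FILTER_FILE = r"""
# allow duckduckgo.com and any subdomain of it
^duckduckgo\.com$
\.duckduckgo\.com$
# allow qubes-os.org and any subdomain of it
^qubes-os\.org$
\.qubes-os\.org$
"""

# Constructed log excerpt modelled on the tinyproxy lines posted in this thread.
# It mixes "refused" lines (filter active) with an "established" line for a host
# that is NOT on the allow-list, which is what an unloaded config (the rc.local
# mistake discussed above) looks like in the log. One line uses the curly quotes
# the forum software substitutes, to show that the parser copes with them.
LOG_SAMPLE = """\
CONNECT   Jan 31 20:51:09 [636]: Request (file descriptor 7): CONNECT location.services.mozilla.com:443 HTTP/1.1
NOTICE    Jan 31 20:51:09 [636]: Proxying refused on filtered domain "location.services.mozilla.com"
CONNECT   Jan 31 20:51:09 [628]: Request (file descriptor 7): GET http://detectportal.firefox.com/success.txt?ipv4 HTTP/1.1
NOTICE    Jan 31 20:51:09 [628]: Proxying refused on filtered domain "detectportal.firefox.com"
CONNECT   Jan 30 21:25:33 [12679]: Established connection to host "qubes-os.org" using file descriptor 8.
CONNECT   Jan 30 21:25:42 [13605]: Established connection to host “duckduckgo.com” using file descriptor 8.
CONNECT   Jan 30 21:25:32 [13352]: Established connection to host "www.google.com" using file descriptor 8.
"""


def load_filter(filter_text: str, case_sensitive: bool = False) -> list[re.Pattern]:
    """Compile a tinyproxy filter file. Assumption: every non-blank, non-comment
    line is a regex, compiled case-insensitively unless FilterCaseSensitive is set."""
    flags = 0 if case_sensitive else re.IGNORECASE
    patterns = []
    for raw in filter_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, flags))
    return patterns


def is_allowed(host: str, patterns: list[re.Pattern], default_deny: bool = True) -> bool:
    """Return True if the proxy would forward a request for `host`.
    With FilterDefaultDeny Yes the file is an allow-list: a match means allow.
    With FilterDefaultDeny No (tinyproxy's default) it is a block-list instead.
    The regex is searched anywhere in the host, so unanchored entries match more
    than intended; the ^...$ and \\....$ forms used in the thread avoid that."""
    matched = any(p.search(host) for p in patterns)
    return matched if default_deny else not matched


_ESTABLISHED = re.compile(r'Established connection to host "([^"]+)"')
_REFUSED = re.compile(r'Proxying refused on filtered domain "([^"]+)"')


def outcomes_from_log(log_text: str) -> dict[str, str]:
    """Map each host seen in the log to what the proxy actually did with it:
    'established' (forwarded) or 'refused' (blocked by the filter)."""
    # Forum software turns straight quotes into curly ones; normalise them first.
    text = log_text.replace("\u201c", '"').replace("\u201d", '"')
    outcomes: dict[str, str] = {}
    for line in text.splitlines():
        m = _ESTABLISHED.search(line)
        if m:
            outcomes[m.group(1).lower()] = "established"
            continue
        m = _REFUSED.search(line)
        if m:
            outcomes[m.group(1).lower()] = "refused"
    return outcomes


def audit(filter_text: str, log_text: str) -> list[tuple[str, str, str]]:
    """Compare what the proxy did with what the allow-list says it should do.
    Returns (host, proxy_outcome, filter_verdict) for every disagreement; an
    empty list means the running proxy is enforcing the filter as written."""
    patterns = load_filter(filter_text)
    mismatches = []
    for host, outcome in sorted(outcomes_from_log(log_text).items()):
        verdict = "allow" if is_allowed(host, patterns) else "deny"
        if (outcome == "established") != (verdict == "allow"):
            mismatches.append((host, outcome, verdict))
    return mismatches


if __name__ == "__main__":
    # On the sample above this reports www.google.com: forwarded by the proxy
    # although the filter would deny it, i.e. the filter was not in effect.
    for host, outcome, verdict in audit(FILTER_FILE, LOG_SAMPLE):
        print(f"{host}: proxy {outcome}, but filter says {verdict}")
```

Run it against your own /etc/tinyproxy/filter and the tinyproxy log after a reboot of my-proxy: any host that shows up as "established" but "deny" means the proxy is not reading the filter you edited (exactly the symptom in the log posted earlier in this thread), while the "refused" hosts are the candidates to review before adding them to the allow-list.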

Got it–thank you.

Thank you @Rooftop and others for this very useful post. I’m currently testing the my-proxy VM and it’s mostly working. 10% of the times, it fails and I reboot both my-proxy and my-qube. Then it works.

How does one place the dom0 RPC rule in the file /etc/qubes-rpc/qubes.ConnectTCP+8888? I am not an IT guy. I’ve edited dom0 files before, but I never encountered ConnectTCP+8888 before. If the dom0 RPC rule is edited, does this mean the my-qube Firefox proxy edit is no longer required?

Would you consider submitting the instructions for the my-proxy AppVM to be added to the Qubes Documentation?

And a last question. Can proxy VM settings be the VPN VM (VPN gateway using iptables and CLI scripts) in order not to have yet another AppVM running and wasting RAM?

Thank you!