block tinyproxy requests to 127.0.0.1, 10.137.255.254 #3
Conversation
migrates existing qubes-whonix-specific tinyproxy filter from qubes-core-agent-linux to qubes-whonix. note that this is not a security measure as requests to other loopback addresses are still allowed. this filter is an accommodation for whonix torification detection. QubesOS/qubes-issues#1482
replacing /etc/tinyproxy/updates-blacklist identical from qubes-core-agent-linux
3nprob
changed the title
|
I'm not sure how Generally, IMO this cleanup has more risk of breaking all whonix updates (for example depending on order of those updates landing in repo or being installed) than it's worth it. |
So the idea is that it doesn't matter (the files are identical but at different paths). I do think it makes a lot more sense for the qubes-whonix-specific config to not be part of the base config of every dist by Ideally the tinyproxy configs would be modularized (though tinyproxy doesn't support either config dirs or imports so that seems like a no-go) or split and the appropriate one used depending on runtime (and here's where I also doubt if it's worth the squeeze) |
|
If this seems like it could be breaking in any way (users who have manually changed the filter file), maybe it could be considered for whonix 18 (trixie)? |
|
The problem is, if qubes update lands first, then updates-blacklist file is gone -> whonix updates broken. If whonix update lands first, then you end up with two
That's a question to @adrelanos , but upgrade needs to work anyway - distribution upgrades are a thing. |
|
So the redundant Filter directives in the case of this PR shouldn't be an issue AFAICT - I did some local testing with various permutations without issue. So I believe it should be OK in that order, and keep working even if core-agent stays as-is. Agreed the core-agent update might need some more thought. (Hence putting it in draft and marking it as blocked by the change here) |
Documented just now: |
|
@adrelanos did you have a chance to look at this? :) |
|
Due to...
and because I don't see the benefit, didn't consider. I don't see any bug that needs fixing. The best you could do is probably help Qubes to obsolete tinyproxy. |
Thanks for the feedback. I guess to me, it is a bug that with default configuration, attempting to use a localhost repo (locally hosted or via a separate proxy) will be intercepted by the proxy and blocked.
Oh, was not aware this was the intention but sounds promising. Any pointers to what should be done appreciated, or maybe I figure something out. |
|
I cannot find these discussions anymore. Created for it. |
|
Without having looked deep enough yet, I think tinyproxy currently serves two purposes?
|
3 participants
Changes
Migrates existing qubes-whonix-specific tinyproxy filter from qubes-core-agent-linux to qubes-whonix. It seems that this belongs better here.
Note that this is not a security measure as requests to other loopback addresses are still allowed. this filter is an accommodation for whonix torification detection.
The filter file is renamed from
/etc/tinyproxy/updates-blacklistto/etc/tinyproxy/updates-blocklistin order to ensure conflict-free upgrades with regards to package ownership of those files.Mandatory Checklist
Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint
Optional Checklist
The following items are optional but might be requested in certain cases.