The following is a description of **one** way to setup a Qube with restricted website access using only software that is already installed in Qubes OS.
Create a qube based on template:fedora-32, lets call it **my-proxy**. Set its networking to **sys-firewall**.
Create a qube based on template:fedora-32, lets call it **my-qube**. Set its networking to **none**.
Start a terminal in **my-proxy** and run the following commands:
| The following is a description of *one* way to setup a qube with restricted website access using only software that is already installed in Qubes OS.
Create a qube based on template:fedora-32 or fedora-33, lets call it **my-proxy**. Set its networking to **sys-firewall**.

Open **Qube Settings** for **my-proxy** and in the **Services** tab, add an entry for `tinyproxy` (enter tinyproxy in the text field and click the plus button).

Create a qube based on template:fedora-32 or fedora-33, lets call it **my-qube**. Set its networking to **none**.

First we need to make sure changes to the tinyproxy configuration files are preserved between reboots of **my-proxy**.
Start a terminal in **my-proxy** and run the following command:
|
sudo mkdir -p /rw/config/tinyproxy
sudo cp /etc/tinyproxy/tinyproxy.conf /rw/config/tinyproxy/tinyproxy.conf
| sudo mkdir -p /rw/config/qubes-bind-dirs.d
|
Edit **/rw/config/tinyproxy/tinyproxy.conf** and uncomment the following lines:
| Create the file **/rw/config/qubes-bind-dirs.d/50_user.conf** with the following contents:
|
| binds+=( '/etc/tinyproxy' )
```
Restart the **my-proxy** qube so the changes take effect.
Edit **/etc/tinyproxy/tinyproxy.conf** and uncomment the following lines:
```
|
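Review bot: The new step "Create the file **/rw/config/qubes-bind-dirs.d/50_user.conf**" does not say that the file has to be written as root, although the directory it lives in is created with `sudo mkdir -p` just above. Suggest wording it as "Create (as root) the file ..." and doing the same for the following edit of **/etc/tinyproxy/tinyproxy.conf**, so a reader working from a normal user terminal does not hit a permission error halfway through.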
Create the file **/rw/config/tinyproxy/filter** and add all hostnames that should be allowed (note that these are regular expressions).
| Create the file **/etc/tinyproxy/filter** and add all host names that should be allowed (note that these are regular expressions).
|
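Review bot: The new filter sentence (the one pointing at **/etc/tinyproxy/filter**) notes that entries are regular expressions but gives no example of a correctly written entry. Suggest adding one with anchors and escaped dots, for instance `^example\.com$` (a constructed host name), and stating the reason: an unanchored entry such as `example.com` also matches longer host names that merely contain that string, so the allow-list ends up wider than the reader intended.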
Run the following command, otherwise tinyproxy will not start:
`sudo touch /var/run/qubes-service/tinyproxy`
Edit the file **/rw/config/rc.local** and add the following lines at the end of the file to replace the default tinyproxy configuration with our custom configuration and then start tinyproxy when the my-proxy VM is started:
| Edit the file **/rw/config/rc.local** and add the following line at the end of the file to start tinyproxy when the **my-proxy** qube is started:
|
rm -rf /etc/tinyproxy
ln -s /rw/config/tinyproxy /etc/tinyproxy
| |
In **dom0**, add the following to **/etc/qubes-rpc/policy/qubes.ConnectTCP**:
| In **dom0**, create the file **/etc/qubes-rpc/policy/qubes.ConnectTCP+8888** with the following contents (this will allow **my-qube** to connect to port 8888 of **my-proxy**):
|
In **my-qube**, edit **/rw/config/rc.local** to add the following line which will create a link between port 8888 in my-qube and port 8888 in my-proxy (port 8888 is the default port used by tinyproxy):
| In **my-qube**, edit **/rw/config/rc.local** to add the following line which will create a link between port 8888 in **my-qube** and port 8888 in **my-proxy** (port 8888 being the default port used by tinyproxy):
|
2. I'm relatively new to Qubes OS, so I welcome any suggestions/improvements/explanations of why this is a bad idea.
3. Attemping to access a blocked **https** site will result in "The proxy server is refusing connections" error - this is the expected hehaviour.`
| 2. Attemping to access a blocked **https** site will result in "The proxy server is refusing connections" error - this is the expected hehaviour.`
|
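Review bot: The renumbered note 2 in the new text carries over "Attemping", "hehaviour" and a stray trailing backtick from the old note 3. Since the line is being touched anyway, correct it to "Attempting" and "behaviour" and drop the backtick.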