A common requirement seems to be the ability to restrict a Qubes access to a certain subset of websites; something that is difficult to achieve using the firewall rules due to multi-hosted websites/CDN's etc.

The following is a description of one way to setup a Qube with restricted website access using only software that is already installed in Qubes OS.

Create a qube based on template:fedora-32, lets call it my-proxy. Set its networking to sys-firewall.

Create a qube based on template:fedora-32, lets call it my-qube. Set its networking to none.

Start a terminal in my-proxy and run the following commands:

sudo mkdir -p /rw/config/tinyproxy
sudo cp /etc/tinyproxy/tinyproxy.conf /rw/config/tinyproxy/tinyproxy.conf

Edit /rc/config/tinyproxy/tinyproxy.conf and uncomment the following lines:

Filter "/etc/tinyproxy/filter"
FilterDefaultDeny Yes

Create the file /rc/config/tinyproxy/filter and add all hostnames that should be allowed (note that these are regular expressions).

For example, to only allow access to all websites in the example.net domain (eg. example.net, www.example.net, etc), add the following lines:

^example\.net$
\.example\.net$

Run the following command, otherwise tinyproxy will not start:

sudo touch /var/run/qubes-service/tinyproxy

Edit the file /rw/config/rc.local and add the following lines at the end of the file to replace the default tinyproxy configuration with our custom configuration and then start tinyproxy when the my-proxy VM is started:

rm -f /etc/tinyproxy
ln -s /rw/config/tinyproxy /etc/tinyproxy
systemctl start tinyproxy

In dom0, add the following to /etc/qubes-rpc/policy/qubes.ConnectTCP:

my-qube @default allow,target=my-proxy

In my-qube, edit /rw/config/rc.local to add the following line which will create a link between port 8888 in my-qube and port 8888 in my-proxy (port 8888 is the default port used by tinyproxy):

qvm-connect-tcp ::8888

Start my-qubes's Firefox and set HTTP Proxy to localhost port 8888 and select Also use this proxy for FTP and HTTPS.

You should now be unable to browse to any website which is not in list of allowed domains.

Bonus Feature - when you start my-qube, my-proxy will be automatically started by Qubes OS!

Notes

  1. Many websites will try to load CSS, javscript libraries, images, etc from other domains. Blocking these could lead to websites not working correctly, so you may need to track down and add those other domains.
  2. I'm relatively new to Qubes OS, so I welcome any suggestions/improvements/explanations of why this is a bad idea.