A common requirement seems to be the ability to restrict a qube's access to a certain subset of websites, something that is difficult to achieve using the firewall rules alone because of multi-hosted websites, CDNs, etc.

The following is a description of one way to set up a qube with restricted website access using only software that is already installed in Qubes OS.

Create a qube based on template:fedora-32; let's call it my-proxy. Set its networking to sys-firewall.

Create a qube based on template:fedora-32; let's call it my-qube. Set its networking to none.

Start a terminal in my-proxy and run the following commands:

sudo mkdir -p /rw/config/tinyproxy
sudo cp /etc/tinyproxy/tinyproxy.conf /rw/config/tinyproxy/tinyproxy.conf

Edit /rw/config/tinyproxy/tinyproxy.conf and uncomment the following lines:

Filter "/etc/tinyproxy/filter"
FilterDefaultDeny Yes

Create the file /rw/config/tinyproxy/filter and add all hostnames that should be allowed (note that each line is a regular expression matched against the hostname, so escape the dots).

For example, to only allow access to all websites in the example.net domain (e.g. example.net, www.example.net, etc.), add the following lines:

^example\.net$
\.example\.net$

Run the following command, otherwise tinyproxy will not start:

sudo touch /var/run/qubes-service/tinyproxy

Edit the file /rw/config/rc.local and add the following lines at the end of the file. They replace the default tinyproxy configuration with our custom configuration and then start tinyproxy whenever the my-proxy VM is started:

rm -rf /etc/tinyproxy
ln -s /rw/config/tinyproxy /etc/tinyproxy

systemctl start tinyproxy

In dom0, add the following to /etc/qubes-rpc/policy/qubes.ConnectTCP:

my-qube @default allow,target=my-proxy

In my-qube, edit /rw/config/rc.local to add the following line which will create a link between port 8888 in my-qube and port 8888 in my-proxy (port 8888 is the default port used by tinyproxy):

qvm-connect-tcp ::8888

Start my-qube's Firefox and set HTTP Proxy to localhost, port 8888, and select "Also use this proxy for FTP and HTTPS".

You should now be unable to browse to any website which is not in the list of allowed domains.

Bonus feature: when you start my-qube, my-proxy will be automatically started by Qubes OS!

Notes

  1. Many websites will try to load CSS, JavaScript libraries, images, etc. from other domains. Blocking these could lead to websites not working correctly, so you may need to track down and add those other domains.

  2. I'm relatively new to Qubes OS, so I welcome any suggestions/improvements/explanations of why this is a bad idea.

  3. Attempting to access a blocked HTTPS site will result in a "The proxy server is refusing connections" error; this is the expected behaviour.
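Because the filter file is a list of regular expressions and a default-deny policy, it is easy to write a rule that is looser or tighter than intended, and note 1 above means you will usually be adding third-party hostnames to it over time. The following is an added example, not part of the original post and not tinyproxy's own code: a small Python checker that reads a filter file in the same format (one regex per line, `#` comments and blank lines ignored) and reports which hostnames would be allowed under FilterDefaultDeny Yes. The filter contents and hostnames are constructed inline. It assumes Python's `re` behaves like tinyproxy's POSIX regex matching for the simple anchored patterns used here (`^`, `$`, `\.` and literal text); tinyproxy uses basic regex syntax unless FilterExtended Yes is set, so more elaborate patterns may differ.

```python
import re

# Constructed filter file mirroring the example.net rules from the post.
FILTER_FILE = """\
# allow the bare domain and any subdomain of example.net
^example\\.net$
\\.example\\.net$
"""

# Constructed hostnames a browser might request, including look-alikes that
# the two rules should NOT match and a third-party host that note 1 is about.
SAMPLE_HOSTS = [
    "example.net",
    "www.example.net",
    "static.cdn.example.net",
    "notexample.net",              # no leading '.' before example.net
    "example.net.attacker.test",   # '$' stops the match at the end of the name
    "examplexnet",                 # the escaped '\.' refuses a wildcard dot
    "cdn.thirdparty.test",         # would need its own rule if a site loads it
]


def load_filter(text):
    """Parse tinyproxy-style filter text into compiled regexes.

    tinyproxy matches case-insensitively unless FilterCaseSensitive is set,
    so the same default is applied here (assumption noted in the lead-in).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(re.compile(line, re.IGNORECASE))
    return rules


def is_allowed(hostname, rules, default_deny=True):
    """Return True if the proxy would let the request through.

    With FilterDefaultDeny Yes a host is allowed only when some rule matches;
    with the default (No) the rules are a deny list instead.
    """
    matched = any(rule.search(hostname) for rule in rules)
    return matched if default_deny else not matched


def check_hosts(hostnames, filter_text, default_deny=True):
    """Map each hostname to its allowed/denied decision under the filter."""
    rules = load_filter(filter_text)
    return {host: is_allowed(host, rules, default_deny) for host in hostnames}


if __name__ == "__main__":
    for host, allowed in check_hosts(SAMPLE_HOSTS, FILTER_FILE).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {host}")
```

Running it against the real /rw/config/tinyproxy/filter and the hostnames seen in /var/log/tinyproxy/tinyproxy.log is a quick way to confirm that a newly added rule admits exactly the hosts you meant and nothing that merely contains the domain name as a substring.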

Troubleshooting

  1. In my-proxy, check that tinyproxy is running: sudo systemctl status tinyproxy. If tinyproxy is not running, check that /var/run/qubes-service/tinyproxy exists. Also check the tinyproxy log file at /var/log/tinyproxy/tinyproxy.log for any error messages.
  2. In my-qube, run the following: qvm-connect-tcp ::8888. You should get an "Address is already in use" error, which confirms that the rc.local entry already bound the port.
  3. In my-qube, check that the HTTP/HTTPS proxy has been set in Firefox.