Topic: URL filtering HTTPS proxy
| curl -x http://localhost:3128 https:// | curl -x http://localhost:3128 https://a_domain_not_listed/ |
| :information_source: If you want to check | :information_source: If you want to check that squid started correctly, type `systemctl status squid`. It should be reported as active, with no errors in the log lines. |
| - Add this line to `/rw/config/rc.local`: `systemctl start squid` | |
| :information_source: | :information_source: When you change the file with the domain list, you need to reload squid with `sudo systemctl reload squid`. :information_source: If you want to check that squid started correctly, type `systemctl status squid`. It should be reported as active, with no errors in the log lines. |
| :information_source: If you want to check if squid started correctly, type `systemctl status squid`. | |
| In dom0, edit the file `/etc/qubes/policy.d/50-squid.policy` | In dom0, using the "Qubes Policy Editor" GUI, create a new file `50-squid` (or edit the file `/etc/qubes/policy.d/50-squid.policy`) and add the configuration lines, adapting the following example to your qube names: |
| - Create a new | - Create a new qube, let's call it `sys-proxy-out`, based on the template you configured above (`debian-12-xfce-squid` in the example) |
| # Use case: an offline qube that needs to reach a particular website; a web-browsing qube restricted to a list of websites; mixing multiple NetVMs / VPNs into a single qube |
| I based it on debian 12 | I based it on Debian 12 XFCE, so it's easy to set up and will be supported long term. |
| `refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0` and `refresh_pattern . 0 20% 4320` | |
| The configuration file only allows the proxy to be used for ports 80 and 443, and disables caching (which would only apply to plain HTTP on port 80, since HTTPS passes through the proxy as an opaque CONNECT tunnel). | |
| Congratulations | Congratulations on reaching this line! |
| ### | ### Check allowed domains are reachable |
| ### | ### Check non-allowed domains are denied |
| The output should be `curl: (56) CONNECT tunnel failed, response 403`. | The output should be `curl: (56) CONNECT tunnel failed, response 403`. ### Verify nothing is getting cached In the qube `sys-proxy-out`, inspect `/var/spool/squid/`; it should be empty. If it is not, please report it here, as this should not happen. Some log files exist in `/var/log/squid/`; if you do not want any record of the queried domains, configure squid accordingly. Privacy-specific tweaks are beyond the scope of this guide. |
| cache deny all | |
| :information_source: If you change the file, reload with `sudo systemctl reload squid`, then check `systemctl status squid`: it should be reported as active, with no errors in the log lines. | |
| :information_source: If you want to check that squid started correctly, type `systemctl status squid`. :warning: With `dstdomain`, an entry without a leading dot (`example.com`) matches only that exact hostname, and an entry with a leading dot (`.example.com`) matches the domain itself and every subdomain at any depth (`anything.anylevel.example.com` included), so you do not need to know the depth of the hostnames in advance. `dstdom_regex` also exists, but it is a regular source of configuration problems (an unanchored pattern matches far more than intended) and should not be needed by most users. |
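The difference between the two ACL types is easy to get wrong, so here is an added example (not code from the guide, and not squid itself) that emulates squid's documented `dstdomain` matching rules in a shell function and puts an unanchored `dstdom_regex` pattern beside it. The function names `dstdomain_allows` and `dstdom_regex_allows`, and the hostnames used, are assumptions made for the illustration; the matching rules themselves are squid's: no leading dot means exact hostname, a leading dot means the domain plus all subdomains, and comparison is case-insensitive.

```shell
# Added example, not part of the original guide: emulate squid's dstdomain
# ACL semantics so the behaviour of an allow list can be checked offline.
# Rules (from squid's documentation): a value without a leading dot matches
# only that exact hostname; a value with a leading dot matches the domain
# itself and every subdomain, at any depth; matching is case-insensitive.

# dstdomain_allows HOST PATTERN... -> exit 0 if any PATTERN allows HOST
dstdomain_allows() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for pat in "$@"; do
        pat=$(printf '%s' "$pat" | tr 'A-Z' 'a-z')
        case "$pat" in
            .*) # wildcard entry: the bare domain, or anything ending in ".domain"
                [ "$host" = "${pat#.}" ] && return 0
                case "$host" in *"$pat") return 0 ;; esac ;;
            *)  # plain entry: exact hostname only, no subdomains
                [ "$host" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# dstdom_regex_allows HOST REGEX -> what a dstdom_regex entry would decide
# (case-insensitive extended regex, exactly as written, i.e. unanchored unless
# you anchor it yourself; this is the usual source of mistakes)
dstdom_regex_allows() {
    printf '%s\n' "$1" | grep -Eiq -- "$2"
}

# Demonstration: a wildcard entry covers any depth, a plain entry does not,
# and an unanchored regex leaks to look-alike domains.
dstdomain_allows a.b.c.example.com .example.com && echo "wildcard: a.b.c.example.com allowed"
dstdomain_allows www.example.com example.com    || echo "plain entry: www.example.com denied"
dstdom_regex_allows example.com.evil.net 'example\.com' && echo "unanchored regex: example.com.evil.net allowed (bad)"
```

A line such as `.example.com` in the domain list file therefore already covers every subdomain; if you do use `dstdom_regex`, anchor the pattern (for example `(^|\.)example\.com$`) so that `example.com.evil.net` is not let through.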
| This guide is | This guide is for users who want to let a qube access some specific websites, but *not* the entire Internet. It’s especially useful when using the Qubes firewall isn’t enough — for example, when websites change their IPs often, making domain-based rules unreliable. :warning: This guide assumes you know what an HTTP(S) proxy is, and that you're comfortable using the terminal to run commands or edit files. The setup will create a `sys-proxy-out` qube that filters access to a list of allowed domains. It uses `qvm-connect-tcp` so that other qubes can use this proxy, even if they don’t have a NetVM. That way, those qubes can reach only the websites you’ve allowed — nothing more. |
| ## Using a disposable qube for the proxy | |
| - adapt the dom0 rule to have the new disposable qube name in the target field ## Checking logs In the proxy qube, every request is logged in `/var/log/squid/access.log`; filter with `grep TCP_DENIED` to see the denied requests, which is useful for adapting the domain list. ## Test the proxy ### For allowed domains From the HTTP(S) client qube, run `curl -x http://localhost:3128 https://a_domain_you_allowed/` to check that the proxy is working: if curl returns the site's page (or any response from the site) instead of `curl: (56) CONNECT tunnel failed, response 403`, the proxy is working. ### To check non-allowed domains are denied Use the same command as above, but with a domain you did not allow: `curl -x http://localhost:3128 https://a_domain_not_listed/`. The output should be `curl: (56) CONNECT tunnel failed, response 403`. |
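Grepping `TCP_DENIED` shows individual lines, but to adapt the domain list what you really want is a count per denied destination. The following is an added example (not from the guide) that does this over squid's native-format `access.log`: the fourth field is the `code/status`, the seventh is the requested URL, which for HTTPS is just `host:port` from the CONNECT request and for plain HTTP is the full URL. The sample log lines are constructed for the illustration, and `denied_hosts` and `sample_access_log` are names assumed here.

```shell
# Added example, not part of the original guide: summarise which destination
# hostnames squid denied, so the domain list can be adapted.
# Assumes squid's default native log format:
#   time elapsed client code/status bytes method URL rfc931 hierarchy/peer type

# denied_hosts [ACCESS_LOG...] -> "count hostname" lines, most denied first;
# reads stdin when no file is given
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED/ {
        url = $7
        sub(/^[a-z]+:\/\//, "", url)   # plain HTTP: drop "http://"
        sub(/\/.*$/, "", url)           # plain HTTP: drop the path
        sub(/:[0-9]+$/, "", url)        # HTTPS CONNECT: drop ":443"
        print url
    }' "$@" | sort | uniq -c | sort -rn
}

# Constructed sample of what /var/log/squid/access.log can look like:
# one allowed CONNECT, two denied CONNECTs to the same host, one denied GET.
sample_access_log() {
    cat <<'EOF'
1712345678.123     15 127.0.0.1 TCP_DENIED/403 3857 CONNECT tracker.example.net:443 - HIER_NONE/- text/html
1712345679.456    120 127.0.0.1 TCP_TUNNEL/200 5123 CONNECT allowed.example.com:443 - HIER_DIRECT/93.184.216.34 -
1712345680.001     30 127.0.0.1 TCP_DENIED/403 3857 GET http://cdn.example.org/lib.js - HIER_NONE/- text/html
1712345681.777      9 127.0.0.1 TCP_DENIED/403 3857 CONNECT tracker.example.net:443 - HIER_NONE/- text/html
EOF
}

# On the real proxy qube you would run:  denied_hosts /var/log/squid/access.log
# Here, run it over the constructed sample instead:
sample_access_log | denied_hosts
```

Each hostname in the output is a candidate for the domain list; the allowed destination (`TCP_TUNNEL/200`) is not listed, and the two denied CONNECTs to the same host are collapsed into one count.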