Introduction

This guide is meant to users who want to allow a qube to reach some websites but not the all Internet, but facing the issue that using the firewall does not work well if DNS names on which the associated IPs often change.

⚠️ This guide is for advanced users who understand what a HTTP(s) proxy is, and how to type commands or edit files in a terminal.

The setup will create a "sys-proxy-out" qube that will define a list of allowed domains, and use qvm-connect-tcp to allow client qubes to use it as a proxy. Those qubes could have no netvm, but still reach the filtered websites.

I based it on debian 12 xfce so it's easy to setup and will be supported long term.

Setup the template

• Install debian-12-xfce template
• Make a clone of it, let's call it debian-12-xfce-squid
• Start the qube and open a terminal
• Type sudo apt install -y squid
• Type sudo systemctl disable squid
• Delete and replace /etc/squid/squid.conf with this content (the default file is not suitable at all)

acl localnet src 127.0.0.1/32

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl permit_list dstdomain '/rw/config/domains.txt'
http_access allow localnet permit_list

http_port 3128

logfile_rotate 0
coredump_dir /var/spool/squid
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

Close the template, you are done with it.

Setup an out proxy qube

This step could be repeated multiple times, if you want to have multiple proxies with different lists of domains.

• Create a new qube based on the template you configured above
• Configure its firewall to allow the destination * and port TCP 443, and also * and port TCP 80 (this covers basic needs for doing http/https). This is an extra safety to be sure the proxy will not use another port.
• Start the qube
• Add this line to /rw/config/rc.local: systemctl start squid
• Configure the domain list in /rw/config/domains.txt with this format:

# for a single domain
domain.example

# for all direct subdomains of qubes.org including qubes.org
# this work for doc.qubes-os.org for instance, but not foo.doc.qubes-os.org
.qubes-os.org

⚠️ If you have a line with a domain included by another line, squid will not start as it considers it an error! For instance .qubes.org includes doc.qubes-os.org.

In dom0, edit the file /etc/qubes/policy.d/50-squid.policy with this content:

qubes.ConnectTCP +3128 MyQube @default allow target=sys-proxy-out
qubes.ConnectTCP +3128 MyQube2 @default allow target=sys-proxy-out

This will allow qubes MyQube and MyQube2 to use the proxy from sys-proxy-out. Adapt to your needs here. 👍

How to use the proxy

Now the proxy is set up, and MyQube is allowed to use it, a few more things are required:

• Start qube MyQube
• Edit /rw/config/rc.local to add qvm-connect-tcp ::3128
• Configure http(s) clients to use localhost:3128 as a proxy

It's possible to define the proxy user wide, this should be picked by all running programs, using this:

mkdir -p /home/user/.config/environment.d/
cat <<EOF >/home/user/.config/environment.d/proxy.conf
all_proxy=http://127.0.0.1:3128/
EOF

Congratulations for reaching this line!

Going further

The sys-proxy-out could be a disposable. In order to proceed:

• mark sys-proxy-out as a disposable template in its settings

• create a new disposable qube using sys-proxy-out as a template

• adapt the dom0 rule to have the new disposable qube name in the target field