Merge branch 'update-proxy' of github.com:nyxnor/qubes-doc into nyxnor-update-proxy

user/how-to-guides/how-to-install-software.md

@@ -144,11 +144,11 @@ Please see [How to Update](/doc/how-to-update/).
 
 In order to protect you from performing risky activities in templates, they do
 not have normal network access by default. Instead, templates use an [updates
-proxy](#updates-proxy) that allows you to install and update software without
+proxy](#updates-proxy) that allows you to install and update software using
-giving the template direct network access. **The updates proxy is already set
+the distribution package manager without giving the template direct network
-up to work automatically out-of-the-box and requires no special action from
+access.**The updates proxy is already setup to work automatically
-you.** Most users should simply follow the normal instructions for [installing
+out-of-the-box and requires no special action from you.** Most users should
-software from default
+simply follow the normal instructions for [installing software from default
 repositories](#installing-software-from-default-repositories) and
 [updating](/doc/how-to-update/) software. If your software is not available in
 the default repositories, see [installing software from other
@@ -304,19 +304,22 @@ This is like the simple revert, except:
 
 ### Updates proxy
 
-Updates proxy is a service which allows access only from package managers. This
+Updates proxy is a service which allows access from package managers
-is meant to mitigate user errors (like using browser in the template), rather
+configured to use the proxy by default, but can be used by any other
-than some real isolation. It is done with http proxy (tinyproxy) instead of
+program that accepts proxy arguments.
-simple firewall rules because it is hard to list all the repository mirrors
+The purpose of the proxy, instead of direct network access, is meant to
-(and keep that list up to date). The proxy is used only to filter the traffic,
+mitigate user errors of using applications such as the browser in the
-not to cache anything.
+template. Not necessarily what part of the network they can access, but only
+to applications trusted by the user, configured to use the proxy.
+The http proxy (tinyproxy) does not filter traffic because it is hard to list
+all the repository mirrors and keep that list up to date). it also does not
+cache anything.
 
 The proxy is running in selected VMs (by default all the NetVMs (1)) and
-intercepts traffic directed to 10.137.255.254:8082. Thanks to such
+intercepts traffic directed to 127.0.0.1:8082. Thanks to such
-configuration all the VMs can use the same proxy address, and if there is a
+configuration all the VMs can use the same proxy address.
-proxy on network path, it will handle the traffic (of course when firewall
+If the VM is configured to have access to the updates proxy
-rules allow that). If the VM is configured to have access to the updates proxy
+(2), the startup scripts will automatically configure dnf/apt to really use the
-(2), the startup scripts will automatically configure dnf to really use the
 proxy (3). Also access to updates proxy is independent of any other firewall
 settings (VM will have access to updates proxy, even if policy is set to block
 all the traffic).