mirror of
https://github.com/ben-grande/qusal.git
synced 2025-01-11 07:29:33 -05:00
doc: add browser isolation feature to design guide
parent
9c280689d8
commit
d31699952c
@ -14,10 +14,11 @@ Qusal design document.
|
||||
* [Qube naming](#qube-naming)
|
||||
* [Qube label](#qube-label)
|
||||
* [Qube menu](#qube-menu)
|
||||
* [Qube features](#qube-features)
|
||||
* [Qube features](#qube-features)
|
||||
* [Qube connections](#qube-connections)
|
||||
* [Qrexec call and policy](#qrexec-call-and-policy)
|
||||
* [Qrexec socket services](#qrexec-socket-services)
|
||||
* [Browser isolation from the managed service](#browser-isolation-from-the-managed-service)
|
||||
|
||||
## Goal
|
||||
|
||||
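Review bot: the `Qube features` entry appears twice in this hunk with identical text and anchor, so the edit to it is a whitespace or indentation change that the commit subject does not mention. If it corrects list nesting, check that the new `Browser isolation from the managed service` entry uses the indentation intended for its level, and mention the TOC fix in the commit message.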
@ -256,3 +257,16 @@ Rules for client RPC call:
|
||||
`rc.local`;
|
||||
- Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
|
||||
instructional use as it is very short.
|
||||
|
||||
## Browser isolation from the managed service
|
||||
|
||||
Some projects have daemons and can be managed through a browser. The CLI is
|
||||
not suitable for everybody and sometimes it can be incomplete on GUI focused
|
||||
applications. Implement browser separation from the server to avoid browsing
|
||||
malicious sites and exposing the browser to direct network on the same machine
|
||||
the server is running. The browser qube is offline and only has access to the
|
||||
admin interface. In other words, it has control over the server functions, if
|
||||
the browser is compromised, it can compromise the server.
|
||||
|
||||
Some projects that uses this enhancement are `sys-pihole`, `sys-syncthing` and
|
||||
`sys-cacher`.
|
||||
|
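Review bot: the new "Browser isolation from the managed service" section explains the motivation but, unlike the "Rules for client RPC call" list just above it, states no rule an implementer can follow. Suggest spelling out the convention the READMEs in this commit already rely on: a separate `<service>-browser` qube that is offline and reaches only the admin interface. The closing sentence is a comma splice that buries the residual risk; consider "It therefore has control over the server functions: if the browser is compromised, it can compromise the server." Also, "Some projects that uses" should read "use".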
@ -83,27 +83,23 @@ qubes.UpdatesProxy * dev @anyvm deny
|
||||
|
||||
### Report Page and Maintenance Tasks
|
||||
|
||||
The APT-Cacher-NG WebUI address is `http://127.0.0.1:8082/acng-report.html`
|
||||
|
||||
If you want to view statistics or manage the server through a GUI, open
|
||||
`sys-cacher` or `sys-cacher-browser` desktop file `cacher-browser.desktop`
|
||||
from the app menu. Addresses starting with `http` or `https` will be redirected
|
||||
to `sys-cacher-browser`.
|
||||
|
||||
The report page is available from `sys-cacher` and `sys-cacher-browser` at
|
||||
`http://127.0.0.1:8082/acng-report.html` and any other client qube that has
|
||||
`sys-cacher` as it's update qube. This is apt-cacher-ng limitation and is bad
|
||||
security wise, every client has administrative access to the cacher qube. You
|
||||
should add the following to the end of `sys-cacher` rc.local:
|
||||
and any other client qube that has `sys-cacher` as it's update qube. This is
|
||||
apt-cacher-ng limitation and is bad security wise, every client has
|
||||
administrative access to the cacher qube. You should add the following to the
|
||||
end of `sys-cacher` rc.local:
|
||||
```sh
|
||||
echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
|
||||
```
|
||||
Where username and password are HTTP Auth strings.
|
||||
|
||||
If you want to view statistics or manage the server through a GUI, open
|
||||
`sys-cacher` or `sys-cacher-browser` desktop file `cacher-browser.desktop`
|
||||
from Dom0. Addresses starting with `http` or `https` will be redirected
|
||||
to `sys-cacher-browser`.
|
||||
|
||||
The browser separation from the server is to avoid browsing malicious sites
|
||||
and exposing the browser to direct network on the same machine the server is
|
||||
running. The browser qube is offline and only has access to the admin
|
||||
interface. In other words, it has control over the server functions, if the
|
||||
browser is compromised, it can compromise the server.
|
||||
|
||||
### Connect to the cacher via IP instead of Qrexec
|
||||
|
||||
Because the `sys-cacher` qube is listening on port `8082`, you can use it from
|
||||
|
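Review bot: in the rewrapped report-page paragraph, the line carrying `http://127.0.0.1:8082/acng-report.html` is replaced by one that starts with "and any other client qube", so the unchanged line before it, which ends in "`sys-cacher-browser` at", now runs straight into "and any other client qube ..." with no address. Drop the trailing "at" or keep the URL in that sentence. The rewrapped text also keeps "it's update qube" (should be "its"). Since the paragraph on what a compromised browser qube can do is removed from this README, a link to the design guide section would keep that caveat reachable from here.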
@ -61,28 +61,17 @@ sudo qubesctl state.apply sys-pihole.prefs
|
||||
|
||||
### Web interface
|
||||
|
||||
Pi-hole will be installed with these default settings:
|
||||
If you want to view statistics or manage the server through a GUI, open
|
||||
`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
|
||||
from the app menu. Addresses starting with `http` or `https` will be
|
||||
redirected to `sys-pihole-browser`.
|
||||
|
||||
Pi-hole will be installed with the following settings:
|
||||
|
||||
- The DNS provider is Quad9 (filtered, DNSSEC)
|
||||
- Steven Black's Unified Hosts List is included
|
||||
- Query logging is enabled to show everything.
|
||||
|
||||
You can change the settings via the admin interface:
|
||||
|
||||
- URL: http://localhost/admin
|
||||
- There is no password (access allowed only through localhost)
|
||||
|
||||
If you want to view statistics or manage the server through a GUI, open
|
||||
`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
|
||||
from Dom0. Addresses starting with `http` or `https` will be redirected
|
||||
to `sys-pihole-browser`.
|
||||
|
||||
The browser separation from the server is to avoid browsing malicious sites
|
||||
and exposing the browser to direct network on the same machine the server is
|
||||
running. The browser qube is offline and only has access to the admin
|
||||
interface. In other words, it has control over the server functions, if the
|
||||
browser is compromised, it can compromise the server.
|
||||
|
||||
### Torified Pi-Hole
|
||||
|
||||
If you want to combine Pi-Hole with Tor, then you should reconfigure your
|
||||
|
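Review bot: along with the duplicated rationale, this hunk removes the "You can change the settings via the admin interface" list, including `http://localhost/admin` and "There is no password (access allowed only through localhost)". The second item is the only place in the visible README text that says the admin interface is unauthenticated and depends on localhost-only access, which matters once a browser qube is given access to that interface. Suggest keeping that line (and the URL) under "Web interface", or linking to the design guide section that now holds the rationale.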
@ -74,22 +74,15 @@ qusal.Syncthing * SOURCE @default allow target=DESTINATION default_target=DEF
|
||||
|
||||
## Usage
|
||||
|
||||
The Syncthing address is `http://127.0.0.1:8384`.
|
||||
The Syncthing WebUI address is `http://127.0.0.1:8384`.
|
||||
|
||||
If you want to view statistics or manage the server through a GUI, open
|
||||
`sys-syncthing` or `sys-syncthing-browser` desktop file
|
||||
`syncthing-browser.desktop` from Dom0 or run `syncthing -browser-only` from
|
||||
`sys-syncthing`. Addresses starting with `http` or `https` will be redirected
|
||||
to `sys-syncthing-browser`.
|
||||
`syncthing-browser.desktop` from the app menu. Addresses starting with `http`
|
||||
or `https` will be redirected to `sys-syncthing-browser`.
|
||||
|
||||
The browser separation from the server is to avoid browsing malicious sites
|
||||
and exposing the browser to direct network on the same machine the server is
|
||||
running. The browser qube is offline and only has access to the admin
|
||||
interface. In other words, it has control over the server functions, if the
|
||||
browser is compromised, it can compromise the server.
|
||||
|
||||
To use the service, from the client, add a Remote Device, and copy the
|
||||
`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`,
|
||||
To use the service, from the client, add a `Remote Device`, and copy the
|
||||
`Device ID` from the server qube, on the `Advanced` tab, under `Addresses`,
|
||||
change `dynamic` to `tcp://127.0.0.1:22001`
|
||||
|
||||
If the sender qube has no netvm set, under `Settings`, disable `Enable NAT
|
||||
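Review bot: the rewritten client instruction replaces the full stop after "from the server qube" with a comma, so copying the `Device ID` and editing `Addresses` on the `Advanced` tab now read as one step, and it is unclear which qube's `Advanced` tab is meant. Keep them as two sentences and end the second with a period after `tcp://127.0.0.1:22001`. The hunk also drops the `syncthing -browser-only` alternative without explanation; if the removal is intentional, say so in the commit message.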
@ -97,9 +90,9 @@ traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying`
|
||||
|
||||
## Debugging
|
||||
|
||||
If sys-net has more than one network card the first external interface will
|
||||
be used by default.
|
||||
If this is incorrect, you must change it manually. In Dom0 run:
|
||||
If sys-net has more than one network card the first external interface will be
|
||||
used by default. If this is incorrect, you must change it manually. In Dom0
|
||||
run:
|
||||
```sh
|
||||
qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
|
||||
qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
|
||||
|
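Review bot: this hunk only rewraps the "If sys-net has more than one network card" paragraph, which is unrelated to the browser isolation change named in the commit subject; consider moving it to a separate formatting commit. If the lines are touched anyway, add the comma after "network card".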