From d31699952c6b1fc74d0e48dfe47a0108f3e7d199 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 25 Jun 2024 23:17:22 +0200 Subject: [PATCH] doc: add browser isolation feature to design guide --- docs/DESIGN.md | 16 +++++++++++++++- salt/sys-cacher/README.md | 26 +++++++++++--------------- salt/sys-pihole/README.md | 23 ++++++----------------- salt/sys-syncthing/README.md | 23 ++++++++--------------- 4 files changed, 40 insertions(+), 48 deletions(-) diff --git a/docs/DESIGN.md b/docs/DESIGN.md index 375e8e7..40f48bc 100644 --- a/docs/DESIGN.md +++ b/docs/DESIGN.md @@ -14,10 +14,11 @@ Qusal design document. * [Qube naming](#qube-naming) * [Qube label](#qube-label) * [Qube menu](#qube-menu) - * [Qube features](#qube-features) + * [Qube features](#qube-features) * [Qube connections](#qube-connections) * [Qrexec call and policy](#qrexec-call-and-policy) * [Qrexec socket services](#qrexec-socket-services) +* [Browser isolation from the managed service](#browser-isolation-from-the-managed-service) ## Goal @@ -256,3 +257,16 @@ Rules for client RPC call: `rc.local`; - Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for instructional use as it is very short. + +## Browser isolation from the managed service + +Some projects have daemons and can be managed through a browser. The CLI is +not suitable for everybody and sometimes it can be incomplete on GUI focused +applications. Implement browser separation from the server to avoid browsing +malicious sites and exposing the browser to direct network on the same machine +the server is running. The browser qube is offline and only has access to the +admin interface. In other words, it has control over the server functions, if +the browser is compromised, it can compromise the server. + +Some projects that uses this enhancement are `sys-pihole`, `sys-syncthing` and +`sys-cacher`. diff --git a/salt/sys-cacher/README.md b/salt/sys-cacher/README.md index a77668b..23783f2 100644 --- a/salt/sys-cacher/README.md 
+++ b/salt/sys-cacher/README.md @@ -83,27 +83,23 @@ qubes.UpdatesProxy * dev @anyvm deny ### Report Page and Maintenance Tasks +The APT-Cacher-NG WebUI address is `http://127.0.0.1:8082/acng-report.html` + +If you want to view statistics or manage the server through a GUI, open +`sys-cacher` or `sys-cacher-browser` desktop file `cacher-browser.desktop` +from the app menu. Addresses starting with `http` or `https` will be redirected +to `sys-cacher-browser`. + The report page is available from `sys-cacher` and `sys-cacher-browser` at -`http://127.0.0.1:8082/acng-report.html` and any other client qube that has -`sys-cacher` as it's update qube. This is apt-cacher-ng limitation and is bad -security wise, every client has administrative access to the cacher qube. You -should add the following to the end of `sys-cacher` rc.local: +and any other client qube that has `sys-cacher` as it's update qube. This is +apt-cacher-ng limitation and is bad security wise, every client has +administrative access to the cacher qube. You should add the following to the +end of `sys-cacher` rc.local: ```sh echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf ``` Where username and password are HTTP Auth strings. -If you want to view statistics or manage the server through a GUI, open -`sys-cacher` or `sys-cacher-browser` desktop file `cacher-browser.desktop` -from Dom0. Addresses starting with `http` or `https` will be redirected -to `sys-cacher-browser`. - -The browser separation from the server is to avoid browsing malicious sites -and exposing the browser to direct network on the same machine the server is -running. The browser qube is offline and only has access to the admin -interface. In other words, it has control over the server functions, if the -browser is compromised, it can compromise the server. - ### Connect to the cacher via IP instead of Qrexec Because the `sys-cacher` qube is listening on port `8082`, you can use it from 
diff --git a/salt/sys-pihole/README.md b/salt/sys-pihole/README.md index 739f118..4d3e474 100644 --- a/salt/sys-pihole/README.md +++ b/salt/sys-pihole/README.md @@ -61,28 +61,17 @@ sudo qubesctl state.apply sys-pihole.prefs ### Web interface -Pi-hole will be installed with these default settings: +If you want to view statistics or manage the server through a GUI, open +`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop` +from the app menu. Addresses starting with `http` or `https` will be +redirected to `sys-pihole-browser`. + +Pi-hole will be installed with the following settings: - The DNS provider is Quad9 (filtered, DNSSEC) - Steven Black's Unified Hosts List is included - Query logging is enabled to show everything. -You can change the settings via the admin interface: - -- URL: http://localhost/admin -- There is no password (access allowed only through localhost) - -If you want to view statistics or manage the server through a GUI, open -`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop` -from Dom0. Addresses starting with `http` or `https` will be redirected -to `sys-pihole-browser`. - -The browser separation from the server is to avoid browsing malicious sites -and exposing the browser to direct network on the same machine the server is -running. The browser qube is offline and only has access to the admin -interface. In other words, it has control over the server functions, if the -browser is compromised, it can compromise the server. - ### Torified Pi-Hole If you want to combine Pi-Hole with Tor, then you should reconfigure your diff --git a/salt/sys-syncthing/README.md b/salt/sys-syncthing/README.md index 72f387a..b10761d 100644 --- a/salt/sys-syncthing/README.md +++ b/salt/sys-syncthing/README.md 
@@ -74,22 +74,15 @@ qusal.Syncthing * SOURCE @default allow target=DESTINATION default_target=DEF ## Usage -The Syncthing address is `http://127.0.0.1:8384`. +The Syncthing WebUI address is `http://127.0.0.1:8384`. If you want to view statistics or manage the server through a GUI, open `sys-syncthing` or `sys-syncthing-browser` desktop file -`syncthing-browser.desktop` from Dom0 or run `syncthing -browser-only` from -`sys-syncthing`. Addresses starting with `http` or `https` will be redirected -to `sys-syncthing-browser`. +`syncthing-browser.desktop` from the app menu. Addresses starting with `http` +or `https` will be redirected to `sys-syncthing-browser`. -The browser separation from the server is to avoid browsing malicious sites -and exposing the browser to direct network on the same machine the server is -running. The browser qube is offline and only has access to the admin -interface. In other words, it has control over the server functions, if the -browser is compromised, it can compromise the server. - -To use the service, from the client, add a Remote Device, and copy the -`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`, +To use the service, from the client, add a `Remote Device`, and copy the +`Device ID` from the server qube, on the `Advanced` tab, under `Addresses`, change `dynamic` to `tcp://127.0.0.1:22001` If the sender qube has no netvm set, under `Settings`, disable `Enable NAT @@ -97,9 +90,9 @@ traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying` ## Debugging -If sys-net has more than one network card the first external interface will -be used by default. -If this is incorrect, you must change it manually. In Dom0 run: +If sys-net has more than one network card the first external interface will be +used by default. If this is incorrect, you must change it manually. In Dom0 +run: ```sh qvm-port-forward -a del -q sys-syncthing -n udp -p 22000 qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
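Review bot: In the docs/DESIGN.md TOC hunk, the `* [Qube features](#qube-features)` line is removed and re-added with no visible change, so this looks like a whitespace-only fix (indentation or trailing space) unrelated to the subject of the patch. Either mention it in the commit message or move it to a separate commit so the browser isolation change stays reviewable on its own.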
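Review bot: The new "Browser isolation from the managed service" section in docs/DESIGN.md has a comma splice that muddles the security statement: "In other words, it has control over the server functions, if the browser is compromised, it can compromise the server." Suggest "In other words, the browser qube has control over the server functions: if the browser is compromised, it can compromise the server." Also "Some projects that uses this enhancement" should be "Some projects that use this enhancement". Since this is the design guide, it should also state the mechanism the three READMEs describe but the section omits: the server qube redirects addresses starting with `http` or `https` to the `sys-*-browser` qube, and the browser qube reaches only the admin interface (which is why the preceding rule permits `socat` and `qvm-connect-tcp`). Without that, the reader cannot tell how an offline qube reaches the admin interface.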
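Review bot: The salt/sys-cacher/README.md hunk leaves a dangling sentence. The unchanged line "The report page is available from `sys-cacher` and `sys-cacher-browser` at" is now followed by "+and any other client qube that has `sys-cacher` as it's update qube.", so the paragraph reads "available ... at and any other client qube". Since the address moved up to the new "The APT-Cacher-NG WebUI address is" line, rewrite the remainder as "The report page is also reachable from any other client qube that has `sys-cacher` as its update qube." Two grammar points in the same lines: "it's" should be "its", and "This is apt-cacher-ng limitation" should be "This is an apt-cacher-ng limitation". The security point that follows (every update client has administrative access, so set `AdminAuth`) is correct and worth keeping adjacent to the address.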
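Review bot: The salt/sys-pihole/README.md hunk removes the admin interface address and the access note ("- URL: http://localhost/admin", "- There is no password (access allowed only through localhost)") without replacing them, while the sys-cacher and sys-syncthing hunks in the same patch add a "WebUI address is" line. After this change the Pi-hole README has no address for the web interface at all. Suggest adding "The Pi-hole WebUI address is `http://localhost/admin`" next to the new browser paragraph, and keeping the no-password statement: with a dedicated browser qube reaching the admin interface, an unauthenticated admin UI is exactly the exposure the new design section describes, so the reader should know it is unauthenticated.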
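Review bot: In the salt/sys-syncthing/README.md Usage hunk, changing "from the server qube. On the `Advanced` tab" to "from the server qube, on the `Advanced` tab" turns two steps into one run-on sentence, and the sentence still has no terminating period after `tcp://127.0.0.1:22001`. Suggest restoring the break: "copy the `Device ID` from the server qube. On the `Advanced` tab, under `Addresses`, change `dynamic` to `tcp://127.0.0.1:22001`." The same hunk also silently drops the alternative "or run `syncthing -browser-only` from `sys-syncthing`"; if that launcher is no longer supported, say so in the commit message, otherwise keep it as the CLI option the design section says the GUI complements.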