From 181c15f4222f90156bfd08abf869de15e9b90b03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 4 Dec 2015 14:57:07 +0100 Subject: [PATCH] updates-proxy: explicitly block connection looping back to the proxy IP Explicitly block something like "curl http://10.137.255.254:8082" and return error page in this case. This error page is used in Whonix to detect if the proxy is torrified. If not blocked, it may happen that empty response is returned instead of error. See linked ticket for details. Fixes QubesOS/qubes-issues#1482
---
 Makefile | 1 +
 network/tinyproxy-updates.conf | 5 +++++
 network/updates-blacklist | 1 +
 rpm_spec/core-vm.spec | 1 +
 4 files changed, 8 insertions(+)
 create mode 100644 network/updates-blacklist
diff --git a/Makefile b/Makefile
index ab88e4d..e2ad45c 100644
--- a/Makefile
+++ b/Makefile
@@ -185,6 +185,7 @@ install-common:
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
+	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
diff --git a/network/tinyproxy-updates.conf b/network/tinyproxy-updates.conf
index d2a260a..5372fd9 100644
--- a/network/tinyproxy-updates.conf
+++ b/network/tinyproxy-updates.conf
@@ -22,3 +22,8 @@ Allow 10.137.0.0/16
 ConnectPort 443
+# Explicitly block connections to the proxy IP, to return an error in such
+# case. This error page contains a magic string which is used in Whonix to
+# detect whether proxy is torified or not.
+# See https://github.com/qubesos/qubes-issues/issues/1482 for details
+Filter "/etc/tinyproxy/updates-blacklist"
diff --git a/network/updates-blacklist b/network/updates-blacklist
new file mode 100644
index 0000000..734e64a
--- /dev/null
+++ b/network/updates-blacklist
@@ -0,0 +1 @@
+10.137.255.254
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 116da0d..98e2bda 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -331,6 +331,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/qubes/ip6tables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
+%config(noreplace) /etc/tinyproxy/updates-blacklist
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
 %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules
 /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
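Review bot: The file named by the new `Filter "/etc/tinyproxy/updates-blacklist"` line is a tinyproxy filter list, whose entries are treated as regular expressions, and the single entry added in the network/updates-blacklist hunk (`10.137.255.254`) is neither escaped nor anchored, so each unescaped dot matches any character and the pattern also matches any longer host name that contains that sequence. Writing the entry as `^10\.137\.255\.254$` pins the filter to the intended address only. The address is also hard-coded in the blacklist while the proxy's listen address is presumably set elsewhere (the same Makefile installs iptables-updates-proxy), so the comment added in this hunk should state the coupling, e.g. `# The entry in updates-blacklist must match the IP the updates proxy is reached on.` Whether FilterURLs is enabled earlier in this file is not visible from the hunk; if it is, the pattern is matched against the whole URL rather than the host, which widens the match further.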