
updates-proxy: explicitly block connection looping back to the proxy IP

Explicitly block requests such as "curl http://10.137.255.254:8082" and
return an error page in this case. This error page is used in Whonix to
detect whether the proxy is torified. If not blocked, it may happen that
an empty response is returned instead of an error. See the linked ticket
for details.

Fixes QubesOS/qubes-issues#1482
Marek Marczykowski-Górecki 8 ani în urmă
părinte
comite
181c15f422
4 a modificat fișierele cu 8 adăugiri și 0 ștergeri
  1. 1 0
      Makefile
  2. 5 0
      network/tinyproxy-updates.conf
  3. 1 0
      network/updates-blacklist
  4. 1 0
      rpm_spec/core-vm.spec

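--- a/Makefile
+++ b/Makefile
@@ -185,6 +185,7 @@ install-common:
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
+	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh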

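--- a/network/tinyproxy-updates.conf
+++ b/network/tinyproxy-updates.conf
@@ -22,3 +22,8 @@ Allow 10.137.0.0/16
 
 ConnectPort 443
 
+# Explicitly block connections to the proxy IP, to return an error in such
+# case. This error page contains a magic string which is used in Whonix to
+# detect whether proxy is torified or not.
+# See https://github.com/qubesos/qubes-issues/issues/1482 for details
+Filter "/etc/tinyproxy/updates-blacklist"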
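Review bot: The new comment says the filtered-request error page carries the magic string Whonix checks for, but nothing pins that dependency: if this file, or a later edit to it, sets `ErrorFile 403` or `DefaultErrorFile` to a custom page, the string presumably disappears and the Whonix torification check degrades silently. I would extend the comment with `# NOTE: the detection depends on Tinyproxy's built-in filter error page; do not override ErrorFile 403 / DefaultErrorFile in this config.` It is also worth stating that this list acts as a deny-list only because `FilterDefaultDeny` is not set, and that it blocks the single literal in updates-blacklist — requests aimed at the proxy via 127.0.0.1, localhost or the VM's own 10.137.x.x address are not filtered, which may or may not matter depending on what iptables-updates-proxy redirects (not visible on this page). The rest of the config, including any FilterExtended/FilterURLs settings that change how the list is matched, lies outside the hunk.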

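--- /dev/null
+++ b/network/updates-blacklist
@@ -0,0 +1 @@
+10.137.255.254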
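Review bot: Tinyproxy compiles each `Filter` file entry as a regular expression (POSIX basic unless `FilterExtended` is set, and no such directive appears in the visible part of the config), so the unescaped dots in `10.137.255.254` are single-character wildcards rather than literal dots; the entry should read `10\.137\.255\.254` to match the proxy address exactly. As written it also matches hosts such as `10x137x255x254`, which is harmless over-blocking today but becomes surprising once further entries are added to this list. I cannot confirm from this page whether Tinyproxy additionally anchors or escapes non-extended entries; the escaped form is correct under either mode, so it is the safer choice regardless.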

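--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -331,6 +331,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/qubes/ip6tables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
+%config(noreplace) /etc/tinyproxy/updates-blacklist
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
 %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules
 /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop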