doc: add browser isolation feature to design guide

ben-grande · Jun 25, 2024 · d316999 · d316999
1 parent 9c28068
commit d316999
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 49 deletions.
diff --git a/docs/DESIGN.md b/docs/DESIGN.md
@@ -14,10 +14,11 @@ Qusal design document.
     * [Qube naming](#qube-naming)
     * [Qube label](#qube-label)
     * [Qube menu](#qube-menu)
-    * [Qube features](#qube-features)
+  * [Qube features](#qube-features)
   * [Qube connections](#qube-connections)
   * [Qrexec call and policy](#qrexec-call-and-policy)
   * [Qrexec socket services](#qrexec-socket-services)
+* [Browser isolation from the managed service](#browser-isolation-from-the-managed-service)
 
 ## Goal
 
@@ -256,3 +257,16 @@ Rules for client RPC call:
   `rc.local`;
 - Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
   instructional use as it is very short.
+
+## Browser isolation from the managed service
+
+Some projects have daemons and can be managed through a browser. The CLI is
+not suitable for everybody and sometimes it can be incomplete on GUI focused
+applications. Implement browser separation from the server to avoid browsing
+malicious sites and exposing the browser to direct network on the same machine
+the server is running. The browser qube is offline and only has access to the
+admin interface. In other words, it has control over the server functions, if
+the browser is compromised, it can compromise the server.
+
+Some projects that uses this enhancement are `sys-pihole`, `sys-syncthing` and
+`sys-cacher`.
diff --git a/salt/sys-cacher/README.md b/salt/sys-cacher/README.md
@@ -83,26 +83,22 @@ qubes.UpdatesProxy * dev @anyvm   deny
 
 ### Report Page and Maintenance Tasks
 
-The report page is available from `sys-cacher` and `sys-cacher-browser` at
-`http://127.0.0.1:8082/acng-report.html` and any other client qube that has
-`sys-cacher` as it's update qube. This is apt-cacher-ng limitation and is bad
-security wise, every client has administrative access to the cacher qube.  You
-should add the following to the end of `sys-cacher` rc.local:
-```sh
-echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
-```
-Where username and password are HTTP Auth strings.
+The APT-Cacher-NG WebUI address is `http://127.0.0.1:8082/acng-report.html`
 
 If you want to view statistics or manage the server through a GUI, open
 `sys-cacher` or `sys-cacher-browser` desktop file `cacher-browser.desktop`
-from Dom0. Addresses starting with `http` or `https` will be redirected
+from the app menu. Addresses starting with `http` or `https` will be redirected
 to `sys-cacher-browser`.
 
-The browser separation from the server is to avoid browsing malicious sites
-and exposing the browser to direct network on the same machine the server is
-running. The browser qube is offline and only has access to the admin
-interface. In other words, it has control over the server functions, if the
-browser is compromised, it can compromise the server.
+The report page is available from `sys-cacher` and `sys-cacher-browser` at
+and any other client qube that has `sys-cacher` as it's update qube. This is
+apt-cacher-ng limitation and is bad security wise, every client has
+administrative access to the cacher qube.  You should add the following to the
+end of `sys-cacher` rc.local:
+```sh
+echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
+```
+Where username and password are HTTP Auth strings.
 
 ### Connect to the cacher via IP instead of Qrexec
 

diff --git a/salt/sys-pihole/README.md b/salt/sys-pihole/README.md
@@ -61,28 +61,17 @@ sudo qubesctl state.apply sys-pihole.prefs
 
 ### Web interface
 
-Pi-hole will be installed with these default settings:
+If you want to view statistics or manage the server through a GUI, open
+`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
+from the app menu. Addresses starting with `http` or `https` will be
+redirected to `sys-pihole-browser`.
+
+Pi-hole will be installed with the following settings:
 
 - The DNS provider is Quad9 (filtered, DNSSEC)
 - Steven Black's Unified Hosts List is included
 - Query logging is enabled to show everything.
 
-You can change the settings via the admin interface:
-
-- URL: http://localhost/admin
-- There is no password (access allowed only through localhost)
-
-If you want to view statistics or manage the server through a GUI, open
-`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
-from Dom0. Addresses starting with `http` or `https` will be redirected
-to `sys-pihole-browser`.
-
-The browser separation from the server is to avoid browsing malicious sites
-and exposing the browser to direct network on the same machine the server is
-running. The browser qube is offline and only has access to the admin
-interface. In other words, it has control over the server functions, if the
-browser is compromised, it can compromise the server.
-
 ### Torified Pi-Hole
 
 If you want to combine Pi-Hole with Tor, then you should reconfigure your

diff --git a/salt/sys-syncthing/README.md b/salt/sys-syncthing/README.md
@@ -74,32 +74,25 @@ qusal.Syncthing  *  SOURCE  @default allow target=DESTINATION default_target=DEF
 
 ## Usage
 
-The Syncthing address is `http://127.0.0.1:8384`.
+The Syncthing WebUI address is `http://127.0.0.1:8384`.
 
 If you want to view statistics or manage the server through a GUI, open
 `sys-syncthing` or `sys-syncthing-browser` desktop file
-`syncthing-browser.desktop` from Dom0 or run `syncthing -browser-only` from
-`sys-syncthing`. Addresses starting with `http` or `https` will be redirected
-to `sys-syncthing-browser`.
-
-The browser separation from the server is to avoid browsing malicious sites
-and exposing the browser to direct network on the same machine the server is
-running. The browser qube is offline and only has access to the admin
-interface. In other words, it has control over the server functions, if the
-browser is compromised, it can compromise the server.
-
-To use the service, from the client, add a Remote Device, and copy the
-`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`,
+`syncthing-browser.desktop` from the app menu. Addresses starting with `http`
+or `https` will be redirected to `sys-syncthing-browser`.
+
+To use the service, from the client, add a `Remote Device`, and copy the
+`Device ID` from the server qube, on the `Advanced` tab, under `Addresses`,
 change `dynamic` to `tcp://127.0.0.1:22001`
 
 If the sender qube has no netvm set, under `Settings`, disable `Enable NAT
 traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying`
 
 ## Debugging
 
-If sys-net has more than one network card the first external interface will
-be used by default.
-If this is incorrect, you must change it manually. In Dom0 run:
+If sys-net has more than one network card the first external interface will be
+used by default.  If this is incorrect, you must change it manually. In Dom0
+run:
 ```sh
 qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
 qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000