#FuckYouHTTPProxy | How to use an HTTP proxy system-wide on Linux | How to do transparent proxying with corporates' HTTP proxies

Preamble:

  • Corporates use HTTP proxies.
  • HTTP proxies suck.
  • HTTP proxies implementation on Linux sucks than everything.
  • I have no control of the shitty proxy I'm talking about

Problem:

HTTP proxies suck and corporates use HTTP proxies.
Ok, I already said that.
In the company I'm working in as security consultant, all machines connected to the intranet can't reach the internet. The only way to do so, is to use an internal HTTP proxy that does deep inspection of the internet traffic in order to block "malicious" sites, control downlodaded contents and so on. It's a mess, because also security related websites are blocked too.
The big problem comes when you are also involved in system operations, particullary with Linux systems: handling the proxy in Unix-like systems is a nightmare.
Yes, there is the http_proxy environment variable, you set it and almost every software will use its content to proxy network requests.
Almost.
And what if you need to do some routing, for example to run Docker containers or virtual machines, or proxy-unaware applications?
It happens that, if you don't specify the http_proxy variable inside every single container or vm, they won't reach the internet.
Now, from

How to configure PiHole in QubesOS (ProxyVM)

Pi Hole is a framework that aims to block advertisements on your network using a sinkhole approach on known advertisements domains.

PiHole is based on Raspberry PI, a device that almost all computer enthusiasts have in their home, it is built on top of DNSMasq weaponized with community-maintained blacklist and can be backed with your favorite DNS servers.

But PiHole is not just and adblocker: it provides also a DHCP server and a dashboard for configuration, monitoring and tracking visited urls, allowing the PI owner to detect suspicious behaviors in the network.
Is very convenient to use it, because you have a central point in the network in which ads are conveyed avoiding the usage of addons that act browser-level, and preventing anti ad-blockers mechanisms.
Furthermore, it's open-source and available on GitHub
If you like to play with dedicated hardware, you can adopt a standard approach buying a cheap Raspberry Zero, installing PiHole on it, configuring it to be recognized as an USB ethernet adapter and play with NAT on your machine to give connectivity to him.

The annoying thing comes when you use to use a laptop: you don't have your Raspberry PI in your pocket and, if you