Proxy at In

顾均
2023-12-01

Warning: the information on this page is not "official". In September 2018, Intel IT published their official page at https://wiki.ith.intel.com/display/proxy/Proxy+Users+Guide+Home

WPAD automatic configuration

For computers and programs supporting the use of WPAD (Web Proxy Autodiscovery Protocol) (almost all web browsers, chromebooks and more) a WPAD configuration file is maintained by Intel IT and available at: http://wpad.intel.com/wpad.dat This is the official configuration used by all Windows systems maintained by IT so it's very unlikely to be broken - or at least never for very long.

If needed this can also be passed as a configuration URL, for example, to Mozilla Firefox and FoxyProxy. One possible reason one might have to explicitly set this URL is for instance because Intel IT does not set ".intel.com" as a DNS search domain in every location (same reason why http://goto.intel.com/TAC always works while http://goto/TAC only works in most places).

This (complex) configuration works better with internal intel.com sites thanks to various exclusion lists.

If you forget this URL you can find it quickly again on any IT system: Start Menu->type "proxy"->LAN settings.

Applications

SSH from a Mac to AWS

Check https://intelpedia.intel.com/AWS_Administrative_Bastion_Host for background info.
Create ~/.ssh/config with the following line:

Host *.amazonaws.com
    ProxyCommand /usr/bin/nc -X 5 -x proxy-us.intel.com:1080 %h %p

Then start SSH with:

ssh -i "Key.pem" user@ec2.compute.amazonaws.com

Where Key.pem is the private key generated in AWS
Where user is the user in the AWS system
Where ec2.compute.amazonaws.com is the DNS of the AWS system
 

SSH from Linux pool to outside

You can ssh into external systems with Secure IT's ssh client that is installed in our Linux server pool with:

ssh -o ProxyCommand='socat - "socks5:%h:%p|tcp:proxy-socks.<site>.intel.com:1080"' SOME_EXTERNAL_TO_INTEL_SITE

You can also add this to your $HOME/.ssh/config file to simplify retyping (change <site> to your site, jf/sc/fm/us etc.):

Host example.com
   ProxyCommand nc -X 5 -x proxy-<site>.intel.com:1080 %h %p

Then type on the command line, for example: ssh somelogin@example.com

Using ssh2 to connect out via SOCKS proxy

Add this to your ~/.ssh2/ssh2_config:

github.com:
       ProxyCommand  /usr/intel/bin/socat - "socks5:%h:%p|tcp:proxy-socks.<site>.intel.com:1080"

With GIT

/usr/intel/pkgs/git/2.17.0/bin/git clone --config http.sslVersion=tlsv1.2 ssh://git@github.com/mmccoo/vocab.git

Using openssh to connect out via SOCKS proxy

With netcat

Modification of your .ssh/config file on a host where you use openssh you can modify your .ssh/config file to include

Host *
       ProxyCommand nc -X 5 -x proxy-us.intel.com:1080 %h %p

Please don't modify your system's master config file /etc/ssh/ssh_config file, this affects all users and probably isn't what you want to do. On OpenSuse or SLES/SLED the 'netcat' provided here is netcat-openbsd. Be sure each Host directive has a full empty line between entries in your config files.

If your system does not have BSD netcat, e.g. you run Fedora, consider using this ProxyCommand instead.

Host * 
       ProxyCommand nc --proxy-type socks5 --proxy proxy-us.intel.com:1080 %h %p

Debian Linux netcat's nc command does not support -X, -x, --proxy, and --proxy-type, so use connect-proxy instead:

Host *
       ProxyCommand connect-proxy -S proxy-us.intel.com:1080 %h %p

With connect.exe

If you do not have netcat installed, but you have connect.exe (which is the case for MinGW):

Inline:

ssh -o ProxyCommand='connect -S proxy-us.intel.com:1080 %h %p' externalsite.com

Using ~/.ssh/config:

Host *
       ProxyCommand  connect -S proxy-us.intel.com:1080 %h %p

git

To clone an http git URL (note: this does *NOT* work for git:// urls), inside Linux, do something like:

setenv http_proxy proxy-chain.intel.com:911
 git clone http://github.com/tpope/vim-fugitive.git

To clone an http git URL, inside Windows, do something like:

git config --global http.proxy http://proxy-chain.intel.com:911
 git clone --recursive https://github.com/spf13/spf13-vim.git

To clone an ssh git URL through the socks proxy (tested on OS X 10.8), do the following

1. Install connect (a socks proxy utility) using homebrew (or MacPorts) or your local package manager:

brew install connect

2. In your shell startup script (i.e. ~/.profile), set the following environment variables:

export SSH_SOCKS_SERVER='proxy-us.intel.com:1080' 
 export GIT_PROXY_COMMAND='~/bin/socks_connect'

3. Create a text file called ~/bin/socks_connect with the contents:

#!/usr/bin/env bash
 connect -5 -S $SSH_SOCKS_SERVER $*

4. Make the script executable:

chmod +x ~/bin/socks_connect

Cloning git:// in Linux

Requirement : socat

1. Create the proxy file at ~/bin/gitproxy

mkdir ~/bin
 vi ~/bin/gitproxy

2. Copy these lines to the gitproxy file and save it. You can replace 'png' with a local proxy server for better speed. For example, in the US, use proxy-jf.intel.com.

#!/bin/bash
 PROXY=proxy.png.intel.com
 exec socat STDIO SOCKS4:$PROXY:$1:$2

3. Edit ~/.gitconfig and put these lines in. Edit gitproxy, name and email.

[core]
 editor = vi
 gitproxy = /home/<linux username>/bin/gitproxy
 [user]
 name = <full name>
 email = <Intel email address>

4. Make the script executable:

chmod u+x ~/bin/gitproxy

Ubuntu 12.04 LTS and Newer Automatic Shell Script

The following shell script will set up Intel proxies on Ubuntu. The script has been tested on Ubuntu 12.04, 14.04, 16.04.2, and 18.04, but will probably work on other versions as well. Run it as follows:

wget --no-proxy --no-check-certificate https://intelpedia.intel.com/images/8/88/Setup_intel_proxy.sh.zip
 unzip Setup_intel_proxy.sh.zip
 chmod +x setup_intel_proxy.sh
 sudo ./setup_intel_proxy.sh

Matthew Fernandez: why does the above script set include 134.134.0.0/16 in no_proxy? At first I thought this was a mistake and it was supposed to be the private rage 172.16.0.0/12 (which is also missing), but after looking up 134.134.0.0/16 it seems this might be a range assigned to Intel in Hillsboro. Is this range universally reachable without a proxy for users outside US?

Proxy Environment Variables to set

Linux/UNIX/MinGW users who are using clients not capable of auto-configuration will want to define these environment variables.

export http_proxy=http://proxy-chain.intel.com:911
 export https_proxy=http://proxy-chain.intel.com:912
 export ftp_proxy=http://proxy-chain.intel.com:911
 export socks_proxy=http://proxy-us.intel.com:1080
 export no_proxy=intel.com,.intel.com,localhost,127.0.0.1

On OpenSuse or SLES look at /etc/sysconfig/proxy or use yast proxy, on other platforms consider modification of /etc/environment or ~/.bashrc

Ubuntu 12.04.4 LTS, Precise Pangolin Example

Manual Configuration

  • Edit the /etc/environment file
sudo vi /etc/environment
  • Copy the following lines in the file:
http_proxy=http://proxy-chain.intel.com:911
 https_proxy=http://proxy-chain.intel.com:912
 ftp_proxy=http://proxy-chain.intel.com:911
 socks_proxy=http://proxy-us.intel.com:1080
 no_proxy=intel.com,.intel.com,localhost,127.0.0.1
  • Save the file.
  • Let's make the Proxy available every time that we use sudo
  • Edit the /etc/sudoers file with visudo. To use nano, instead run sudo EDITOR=nano visudo /etc/sudoers.
sudo visudo -f /etc/sudoers
  • Find entry:
Defaults        env_reset
  • Below add
Defaults        env_keep += "http_proxy https_proxy ftp_proxy socks_proxy no_proxy"
  • Edit the /etc/apt/apt.conf file
sudo vi /etc/apt/apt.conf
  • Add the following lines:
Acquire::http::proxy "http://proxy-chain.intel.com:911";
 Acquire::https::proxy "http://proxy-chain.intel.com:912";

ActiveState Perl CPAN

From a Windows cmd shell, do something like:

set http_proxy=http://proxy-chain.intel.com:911
 cpan

Java in Windows

To pass proxy parameters to java.exe in Windows:

java.exe -Dhttp.proxyHost=proxy-chain.intel.com -Dhttp.proxyPort=911 -Dhttps.proxyHost=proxy-chain.intel.com -Dhttps.proxyPort=912

Sublime Text 3

To install packages in Sublime Text 3 using Package Control, the proxy needs to be specified in Package Control settings: Preferences > Package Settings > Package Control > Settings - User

{
   "http_proxy": "proxy-chain.intel.com:911"
 }

If you see error message InvalidCertificateException add these lines to the same config :

"downloader_precedence":
 {
   "linux": [ "curl", "urllib",    "wget" ],
   "osx": [ "urllib" ],
   "windows": [ "wininet" ]
 }

Subversion

Add the following to ~/.subversion/servers:

http-proxy-host = proxy-us.intel.com
 http-proxy-port = 911

Spotify

Upon launch, go to sign in screen. Find the link to settings and enter:

Type: HTTP
Address: proxy-chain.intel.com
Port: 911
Username: <Leave Blank>
Password: <Leave Blank>

After entering, press "Update Proxy". Back at the login, you must use Spotify username/password credentials, logging in with email (versus username) will not work and login with Facebook will not work. After initial login, if nothing seems to load, File -> Exit and reopen.

Notepad++

Launch Notepad++ with administrator privileges
? (Help Menu) -> Set Updater Proxy...
Proxy server: proxy-chain.intel.com
Proxy port: 911
 

Plugins -> Plugin Manager -> Show Plugin Manager
Click Settings button
Proxy address : proxy-chain.intel.com
Proxy port: 911

Mumble VoIP

Configure->Settings->Network
Type: SOCKS5 proxy
Hostname: proxy-us.intel.com
Port: 1080
Username:
Password:

Visual Studio Code

File->Preferences->User Settings In settings.json add: {

"http.proxy": "http://proxy-chain.intel.com:911",
   "https.proxy": "https://proxy-chain.intel.com:912"

}

npm (node.js)

To install packages using npm for node.js set the proxy by executing the following:

npm config set proxy http://proxy-chain.intel.com:911
 npm config set https-proxy http://proxy-chain.intel.com:912
 npm config set strict-ssl false
 set HTTP_PROXY=http://proxy-chain.intel.com:911
 set HTTPS_PROXY=http://proxy-chain.intel.com:912
 npm --without-ssl --insecure install

Atom

Run

apm config set proxy "http://proxy-chain.intel.com:911"
 apm config set https_proxy "https://proxy-chain.intel.com:912"  
 npm config set proxy "http://proxy-chain.intel.com:911"
 npm config set https_proxy "https://proxy-chain.intel.com:912"

(Note that apm may not be on your path. Usually found in C:\Users\<USER>\AppData\Local\atom\app-<VERSION>\resources\app\apm\bin).

Gradle

If it does not exist, create the file .gradle/gradle.properties in your home directory.

Add to .gradle/gradle.properties:

systemProp.http.proxyHost=proxy-chain.intel.com
 systemProp.http.proxyPort=911
 systemProp.http.nonProxyHosts=*.intel.com|localhost
systemProp.https.proxyHost=proxy-chain.intel.com
 systemProp.https.proxyPort=912
 systemProp.https.nonProxyHosts=*.intel.com|localhost

Bower

Make a file called .bowerrc in your home directory which contains the following:

{
   "directory": "bower_components",
   "registry": "https://bower.herokuapp.com",
   "https-proxy": "http://proxy-chain.intel.com:912"
 }

If .bowerrc already exist, add

"https-proxy": "http://proxy-chain.intel.com:912"

Julia

Prior to 0.5.0 you need to execute the following in the <path to Julia>\Git\cmd\ directory

git config --global url."https://github.com/".insteadOf git://github.com/
 git config --global http.proxy http://proxy-chain.intel.com:911
 git config --global https.proxy https://proxy-chain.intel.com:912

You may also need to delete your .julia folder located somewhere like c:\Users\<username>\.julia and then run Pkg.init() from inside Julia.

After 0.5.0 you just need to set your proxy environment variables.

Ruby gems

sudo gem install rake -p "http://proxy-chain.intel.com:911"

Note - it seems that the "-p" argument shown above does not work, and instead the environment variable HTTP_PROXY should be set to this path. For example (c-shell example given here):

setenv HTTP_PROXY http://proxy-chain.intel.com:911
 sudo gem install rake

Vagrant

Add the following environment variables to your system:

HTTP_PROXY=http://proxy-chain.intel.com:911
 HTTPS_PROXY=http://proxy-chain.intel.com:912

And/Or use the vagrant-proxyconf plugin

Maven

Create the file $HOME/.m2/settings.xml with the following content:

<settings>
   <proxies>
     <proxy>
       <id>http</id>
       <active>true</active>
       <protocol>http</protocol>
       <host>proxy-chain.intel.com</host>
       <port>911</port>
       <nonProxyHosts>intel.com</nonProxyHosts>
     </proxy>
     <proxy>
       <id>https</id>
       <active>true</active>
       <protocol>https</protocol>
       <host>proxy-chain.intel.com</host>
       <port>912</port>
       <nonProxyHosts>intel.com</nonProxyHosts>
     </proxy>
   </proxies>
 </settings>

Python

Anaconda Python

Make a file called .condarc in your $HOME directory which contains

proxy_servers:
     http: http://proxy-chain.intel.com:911
     https: https://proxy-chain.intel.com:912

In Windows, $HOME is C:\Users\<YOUR USERNAME>

NOTE:

In order to install Natural Language Processing Toolkit in Anaconda:
a) First run:  nltk.set_proxy('http://proxy-chain.intel.com:911')
b) Then run: nltk.download()

NOTE:

To install other packages without using 'conda install package_name' add the following code after importing 'os' package:
  import os
  os.environ['http_proxy'] = 'http://proxy-chain.intel.com:911'
  os.environ['HTTP_PROXY'] = 'http://proxy-chain.intel.com:911'
  os.environ['https_proxy'] = 'https://proxy-chain.intel.com:912'
  os.environ['HTTPS_PROXY'] = 'https://proxy-chain.intel.com:912'

Pip Python

command line

pip3 --proxy https://proxy-chain.intel.com:911 <...>

config file

Create the file pip.ini . On windows, located at: %APPDATA%\pip\pip.ini

Add these lines:

[global]
proxy = http://proxy-chain.intel.com:911

src: https://stackoverflow.com/a/43473312

wget

Make a file called .wgetrc in your $HOME directory (or the directory of whatever depends on wget) which contains

http_proxy=http://proxy-chain.intel.com:911
https_proxy=https://proxy-chain.intel.com:912
ftp_proxy=http://proxy-chain.intel.com:911

or set these as environmental variables as described in the section above. More details here.

curl

Add the following environment variable if you experience problems passing the proxy args to imbedded curl calls.

export ALL_PROXY='socks5://proxy-us.intel.com'

Eclipse

(Windows)

Under Preferences/Network Connections:

in "Active Provider" drop down menu: select "Manual"

fill table Proxy entries as following:

SchemaHostPortProviderAuthUserPassword
HTTPproxy-chain.intel.com911ManualNo
HTTPSproxy-chain.intel.com912ManualNo

(Linux)

same as above, but you might need to use a local proxy instead, like proxy-mu.

NOTE: under Proxy bypass you might add other local (test) servers that not require proxies

Docker

General SOCKS support in docker should now also be in main-stream code, see https://github.com/docker/docker/pull/20366

On Ubuntu Linux 14.04 Make sure docker daemon runs with http_proxy env variable defined (e.g., in /etc/default/docker).

On Ubuntu Linux 16.04 and beyond. As a result of OS using systemd; the docker daemon need extra configuration. Follow instructions from https://docs.docker.com/engine/admin/systemd/#http-proxy

Notice The docker service file might be /lib/systemd/system/docker.service

For the pre-Windows 10 versions of Docker and Kitematic start the virtualbox host with

docker-machine rm default
   docker-machine create -d virtualbox --engine-env HTTP_PROXY=http://proxy-chain.intel.com:911 \
       --engine-env HTTPS_PROXY=https://proxy-chain.intel.com:912 \
       --engine-env NO_PROXY=192.168.99.100 default

When you start Kitematic it will initially show an error, but just click "Use Virtualbox".

On Windows 10 (using Docker for Windows), right click on the Docker icon in the notification area, select Settings. Then click Proxies. Select "Manual proxy configuration" and enter the following then click Apply.

Web Server (HTTP):         http://proxy-chain.intel.com:911
    Secure Web Server (HTTPS): http://proxy-chain.intel.com:912
    Bypass for these hosts:    intel.com,.intel.com,localhost,127.0.0.1

yum / dnf

Add the following line to /etc/yum.conf

proxy=https://proxy-chain.intel.com:912

Fedora 24 and newer, update into /etc/dnf/dnf.conf (Use the http version, dnf doesn't like https proxy)

proxy=http://proxy-chain.intel.com:911

Rust - rustup

To download and install Rust using rustup, download rustup-init here: https://www.rust-lang.org/install.html. Then run rustup-init.exe.

For more information, see https://github.com/rust-lang-nursery/rustup.rs#working-with-network-proxies

On Windows:

The easiest way is to create a permanent environmental variable. To create an environmental variable, right-click the Start button and go to System -> Advanced system settings -> Advanced tab -> Environment Variables... -> (Under System variables) New.... Set Variable name to https_proxy, set Variable value to socks5://proxy-us.intel.com:1080, and click OK. Then run rustup-init.exe.

Alternatively, to temporarily set an environmental variable before running rustup-init.exe, open up a terminal where rustup-init.exe is.

In Command Prompt, run this command:

set https_proxy=socks5://proxy-us.intel.com:1080

If using PowerShell, run this instead:

$env:https_proxy = "socks5://proxy-us.intel.com:1080"

Then run ./rustup-init.exe.

SSH to Intel AI DevCloud via colfaxresearch.com

After obtaining a username and then downloading and configuring your private SSH key, add to your account's ~/.ssh/config. Adjust u9999/9999 as appropriate.

Host colfax
    User u9999
    HostName localhost
    Port 4022
    IdentityFile ~/.ssh/colfax-access-key-9999
    ProxyCommand ssh -T colfax-via-proxy

Host colfax-via-proxy
    User guest
    HostName cluster.colfaxresearch.com
    IdentityFile ~/.ssh/colfax-access-key-9999
    LocalForward 4022 c009:22
    # (Windows) ProxyCommand connect.exe -S proxy-us.intel.com:1080 %h %p
    # (Mac) ProxyCommand nc -X 5 -x proxy-us.intel.com:1080 %h %p
    # (Unix) ProxyCommand nc -x proxy-us.intel.com:1080 %h %p

Usage: ssh colfax

SecureCRT SSH and SecureFX SFTP

SecureCRT and SecureFX clients support SSH and SFTP, respectively. It is a commercial product for MS Windows from VanDyke Software. It is similar to the F-Secure SSH Client.

To configure SecureCRT/FX:

  • Go to Options--> Global Options --> Firewall
  • Click "Add" and add
    • Name: "Intel Proxy" (or any name you want to call it)
    • Hostname: proxy-us.intel.com (or proxy-jf, proxy-sc, etc.)
    • Port: 1080
  • Click "OK"
  • Add a session to an exernal host:
  • Goto "Session Manager" and click on "New Session" (icon) to enter the New Session Wizard
    • Select "SSH2" as the SecureCRT protocol, then "Next"
    • Enter your Hostname (foo.bar.com), select Firewall "Intel Proxy", and Username (your login name), then "Next"
    • Enter "SFTP" as the SecureFX protocol, then "Next", then "Finish"
  • To use, click on "Session Manager" then click on the hostname session you just created

IRC Client Pidgin

To reach a chat server outside the Intel network, Pidgin (or another IRC client) can be configured with the following settings:

Basic Tab:

Protocol: IRC
          Username: (any nickname you choose, but it has to be something)
          Server: irc.freenode.net 
          No password

Advanced Tab:

Port: 6697
          Encodings: UTF-8
          Check “Use SSL”

Proxy Tab:

Proxy type: SOCKS 5
          Host: proxy-us.intel.com (or your local equivalent, see below)
          Port: 1080

Other Intel proxies besides proxy-us.intel.com include proxy-jf, proxy-sc, proxy-iind, proxy-iild, proxy-ir, proxy-mu, proxy-png, proxy-prc, all ending with .intel.com.

Architecture

There are two types of proxy servers at Intel.

DMZ or External proxy servers

These servers provide proxy access between Intel and the public internet. The DMZ proxy servers operate in clustered pools that sit behind load balancers which will distribute your traffic up among the proxy servers as well as provide redundancy for when a proxy server is down for maintenance. The DMZ proxy servers can only access external content, and cannot access internal content or web pages. The proxy-us.intel.com address is the load balanced address for the DMZ proxy servers in the US (there are other Intel DMZ proxy pools for Ireland, Israel, Malaysia, China, Germany, and India). The proxy-us.intel.com address is actually split between two separate pools, One in JF (proxy-jf.intel.com) and one in FM (proxy-fm.intel.com). Using the proxy-us.intel.com address is the recommended DMZ address in the US, as it provides very high redundancy across two campuses, and two separate Internet Service providers. There are many legacy DNS address for various campuses such as proxy-hf.intel.com, or proxy-ch.intel.com, which all point back to proxy-us.intel.com.

Internal Proxy servers

Internal proxy servers enable access to internal intel resources such as SharePoint sites etc…, these proxy servers do not have access to the Internet, however they are configured with forwarding policies that will forward queries to external websites to the DMZ proxy servers. When you hear the phrase “proxy-Chain”, this is referring to the “chain” of proxy servers that start at the Internal proxy’s, then forward requests to the external proxys’s if necessary. Additionally the proxy-chain.intel.com address is a geographically aware DNS address on the load balancers, which will direct your traffic to the nearest Internal proxy server to your location, then to the nearest DMZ proxy server. This behavior is especially useful when you are fetching both internal and external resources using clients that do not understand NO_PROXY; by using the proxy chain, you send all requests to a proxy that does know the difference.


Another concept to understand is the autoproxy.

Autoproxy

Intel uses an Autoproxy system based on the industry standard WPAD (Web Proxy Auto discovery) protocol. When your web browser is configured to use “Automatically detect settings” it will look up and contact one of the many WPAD servers we run, which will dynamically generate (based on your geographical location, IP network range, and other variables) a file called WPAD.DAT, which is a large JavaScript file that will tell your browser where to direct traffic. For example, the WPAD.dat file will tell your browser to send traffic to the DMZ proxy servers for external websites, and the Internal proxy servers for internal websites. Additionally we will use JavaScript to force traffic for some specific sites out specific proxy servers, typically in cases where the destination has whitelisted a specific IP range for us to access secure content. If you would like to inspect the WPAD.dat file yourself in more detail, you can simply point your browser to http://wpad.intel.com/wpad.dat and save the file, you can then open it as a text file and view the javascript that will be passed to your browser.

HTTP VS. SOCKS PROXYS

Another point to mention is the different between HTTP, and SOCKS proxy servers. HTTP proxy servers, as their name implies can only handle HTTP and HTTPS traffic, and cannot handle traffic for other protocols (such as SSH, Telnet, IM Protocols, etc…). SOCKS (or more specifically SOCKS5) is a protocol that will enable almost any application to work via the proxy servers, as long as the application supports SOCKS, and the require port has been approved by Intel InfoSec and enabled on the Firewalls. For example, if you wanted to SSH out of Intel, you could configure an application like Putty to use “proxy-us.intel.com” port 1080 using the SOCKS5 protocol, and would then be able to SSH via the Intel firewalls to external hosts.

Proxy Ports

Proxy ports serve to distinguish between the type of traffic and protocol, so the load balancers and proxy servers know what type of traffic they are dealing with. Standard HTTP traffic should use port 911, HTTPS/SSL traffic should use port 912, SOCKS5 traffic should use port 1080. The primary reason for distinguishing between HTTP and HTTPS traffic is session persistency. HTTP traffic will only have a session persistency of 30 seconds via our load balancers, meaning that your traffic will only be sent to the same proxy server for up to 30 seconds before the load balancers will direct traffic to another proxy server in order to effectively balance the massive volume of internet traffic we generate. Such short session persistency time will break HTTPS however, because if the load balancer changes traffic to a different proxy server in the middle of a session, that will change your external IP address, which will break the encrypted SSL session, as it will look like someone trying to inject data into the secure session, and the remote host will terminate the session. For this reason we use port 912 with HTTPS traffic, which will use a 1 hour session timer, which is long enough for almost all secure sessions.

Complete list of proxy servers

  • World: proxy-chain.intel.com (redirects traffic to the most appropriate proxy server from the regional servers below)
  • US: proxy-us.intel.com (splits traffic between proxy-jf.intel.com and proxy-fm.intel.com)
  • India: proxy-iind.intel.com
  • Israel: proxy-iil.intel.com
  • Ireland: proxy-ir.intel.com
  • Germany: proxy-mu.intel.com
  • Malaysia: proxy-png.intel.com
  • China: proxy-prc.intel.com (splits traffic between proxy-shm.intel.com and proxy-shz.intel.com)

SOCKS connection not working for proxy-chain.intel.com

As of at least 2018-08-21, SOCKS connections to port 1080 do not seem to work for the server "proxy-chain.intel.com". It seems that SOCKS connections are only able to work to site-specific / country-specific servers such as "proxy-us.intel.com" as well as "proxy-socks.fm.intel.com", etc. Does anyone know the reason for this? Is "proxy-chain.intel.com" using some other port for SOCKS, or is SOCKS not supported at all on that server? Can someone with information about this please document it here? Thanks, --Mpelstei (talk) 11:35, 21 August 2018 (PDT)

Why can't this be handled at the gateway???

The single gateway that other companies use that does not require individual applications/systems to be configured, is called “transparent” proxy mode. Intel uses what’s referred to as “Explicit” proxy mode.

Transparent proxy servers are used in scenarios where the primary reason you have implemented proxy servers is for Content control (restricting inappropriate work websites), and caching. Transparent proxy mode requires no proxy configuration on any applications, as the network will use policy based routing to direct all HTTP/HTTPS traffic to the proxy servers automatically. Non HTTP/HTTPS traffic, however, will be directed around the proxy servers, allowing them to connect directly to the internet. While this is very convenient, it is also much less secure, and Intel Information Security policy prevents us from operating transparent proxy servers.

One of the primary advantages from a security perspective of using explicit proxy servers is that it complements the company's Data Loss Prevention procedures, by making it much more difficult for unauthorized data exfiltration. For example, if a Virus made it into the Intel network and was attempting to collect sensitive data and send it back out using FTP, the virus would be unable to send the traffic out of Intel without detailed knowledge of our proxy infrastructure, as the virus would need to be configure to use the appropriate Intel proxy servers. This is particularity important at a company like Intel where our intellectual property is worth many billions of dollars. Additionally, the Transparent proxy mode does not scale as well for high bandwidth scenarios, or companies with a worldwide footprint.

Note that the load balanced records (like proxy.sc.intel.com and proxy.fm.intel.com) will not respond to ping commands, and that is expected. The individual machines, e.g. proxy-chain.glb.intel.com will respond to ping.

If the application uses non-standard ports for access, then IT Service Operations will need to get a request to the proxy team to enable those specific ports.
Contact:
GSM Infrastructure IT Service Operations / Technical Assistance Center (TAC) [1]

Conditional Proxy

Use the following script as proxy command if you need to use ssh/git/etc.. from inside and outside the Intel network:

#!/usr/bin/perl -w

 my $nc = '/usr/bin/nc';
 my ($host, $port) = @ARGV;
 my $proxy = 'proxy-us.intel.com';

 if ($host !~ /\./ || $host =~ /(^|\.)intel\.com$/ ||
    $host =~ /^(10|172\.1[6789]|172\.2[0-9]|172\.3[01]|192\.168|192\.0\.2|143\.183|134\.134)\./ ||
    ! gethostbyname($proxy) ) {
    exec($nc, $host, $port);
 } else {
    exec($nc, '-X', '5', '-x', $proxy.':1080', $host, $port);
 }

This script requires netcat.

Netcat examples

Connecting to a web server:

  • Through SOCKS 5:
nc -X 5 -x proxy-us.intel.com:1080 google.com 80
  • Through HTTP CONNECT proxy server:
nc -X connect -x proxy-chain.intel.com:911 google.com 80
  • Connecting to an SSH server with SOCKS 5:
nc -X 5 -x proxy-us.intel.com:1080 login.trilug.org 22

... Older historical information and references ...

Proxy Servers at Intel are managed by DNS Engineering. To see the proxy server settings, simply surf to autoproxy.intel.com and open the file (JavaScript syntax) which opens at this location.

If you know that your application needs a direct proxy server, you can find one at this listing of Intel proxy servers. (Use port 911 for the proxy server. For PuTTY proxy configuration, setting to port 1080 and using SOCKS5 appears to work.)

See also

 

 类似资料:

相关阅读

相关文章

相关问答