
CN107241451B - Method, device and system for tampering intervention based on content distribution network - Google Patents


Info

Publication number
CN107241451B
Authority
CN
China
Prior art keywords
static file
edge node
response message
tampered
tampering
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710661039.1A
Other languages
Chinese (zh)
Other versions
CN107241451A (en)
Inventor
王开辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN201710661039.1A
Publication of CN107241451A
Application granted
Publication of CN107241451B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
                    • H04L67/50 Network services
                        • H04L67/56 Provisioning of proxy services
                            • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
                                • H04L67/5682 Policies or rules for updating, deleting or replacing the stored data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, device and system for tampering intervention based on a content distribution network (CDN). The method includes: a CDN edge node receives a request message from a user terminal, the request message requesting a static file; the edge node determines the origin server to fetch from and initiates a back-to-origin request; it receives the response message and forwards it to the user terminal; it determines whether the static file in the response message has been tampered with; if it has not been tampered with, the static file is cached; if it has been tampered with, the static file is not cached, and when a request for that static file is received again the back-to-origin request is re-initiated; if the origin server returns a normal response and no tampering occurred between the origin server and the CDN edge node, the static file from that normal response is cached, achieving tampering recovery. In the invention, the CDN edge node can promptly discover through this judgement that a file has been tampered with and does not cache the tampered file, so tampering recovery takes place the next time a user requests the file, which shortens the tampering recovery time.

Description

Method, device and system for tampering intervention based on content distribution network

Technical field

The invention relates to the technical field of data tamper-proofing and tampering recovery, and in particular to a method, device and system for tampering intervention based on a content distribution network.

Background

The basic idea of content tamper-proofing technology based on a content distribution network (Content Delivery Network, CDN) is as follows. A user requests from the CDN a file whose response headers carry no Cache-Control: no-cache, no-store, private or max-age=0 directive, that is, a static file cached on a CDN edge node (hereinafter such files are simply called static files). If a code fragment or file fragment has been maliciously inserted into the static file, the user is served unexpected content, such as advertising pop-ups.

The steps of the current content tamper-proofing and recovery scheme are as follows:

(1) When a user requests a static file newly published by the origin server, or a static file whose cache entry has expired, the CDN edge node has to make a back-to-origin request;

(2) The origin monitoring module of the CDN edge node selects which origin server to fetch from, and the CDN edge node initiates a back-to-origin request to that origin server;

(3) The origin server responds normally;

(4) The CDN edge node returns the response to the user and caches the corresponding file, regardless of whether the file has been maliciously tampered with.

(5) If the file has been maliciously tampered with, then until the file expires any user requesting it receives the cached copy directly from the CDN edge node, that is, the user still receives the tampered file. Once the CDN edge node determines that the file has expired and a user requests it, the CDN edge node initiates a back-to-origin request; provided no malicious tampering occurs between the origin server and the CDN edge node, the tampering is now recovered and the user gets a normal response, that is, a file that has not been maliciously tampered with.

The above content tamper-proofing and recovery scheme has the following drawback: the CDN edge node caches the requested static file whether or not it has been maliciously tampered with. If malicious tampering occurs, it is recovered only when the cache entry expires, a new back-to-origin request is made and the origin server gives a normal response; moreover the expiry time cannot be reset, so the recovery process cannot be made fast, and for as long as the cache entry is judged unexpired, every request for the file returns the maliciously tampered file, which prolongs the fault and aggravates its impact. For example, a user visiting a frequently used web page or online store finds that an advertising pop-up keeps appearing, which harms the user experience; if the cache time of the file in question is 1 day, then at least 1 day must pass for the cache entry to expire, and a user must then request the file again, before it can return to normal.

Summary of the invention

To solve the problem in the prior art that tampering recovery can only happen after the file expires, which harms the user experience, embodiments of the invention provide a method, device and system for tampering intervention based on a content distribution network.

According to one aspect of the embodiments of the invention, a method for tampering intervention based on a content distribution network is provided, including:

a content distribution network (CDN) edge node receives a request message from a user terminal, where the request message requests a static file;

the CDN edge node determines the origin server to fetch from and initiates a back-to-origin request;

the CDN edge node receives the response message from the origin server and sends the response message to the user terminal;

the CDN edge node determines whether the static file in the response message has been tampered with;

if it has not been tampered with, the static file is cached;

if it has been tampered with, the static file is not cached; when a message requesting the static file is received again, the CDN edge node re-initiates the back-to-origin request, and if the origin server returns a normal response and no tampering has occurred between the origin server and the CDN edge node, the CDN edge node caches the static file from that normal response, achieving tampering recovery.

Further, the CDN edge node determining whether the static file in the response message has been tampered with includes:

the CDN edge node obtains at least two first feature values from at least two corresponding response messages respectively;

the CDN edge node determines whether the at least two first feature values are consistent;

if they are consistent, it is determined that the static file has not been tampered with;

if they are inconsistent, it is determined that the static file has been tampered with.

Further, the method also includes: when the CDN edge node determines whether the at least two first feature values are consistent, it first determines whether this is the first time a request message for the static file has been received.

Further, the CDN edge node determining whether the static file in the response message has been tampered with includes:

the CDN edge node extracts a second feature value carried in the response message, where the second feature value uniquely identifies the static file;

the CDN edge node uses a calculation method negotiated with the origin server to calculate a third feature value from the response message;

the CDN edge node determines whether the second feature value and the third feature value are consistent;

if they are consistent, it is determined that the static file has not been tampered with;

if they are inconsistent, it is determined that the static file has been tampered with.

Further, the CDN edge node determining whether the static file in the response message has been tampered with includes:

the negotiated calculation method is a calculation method that the origin server uses and that was negotiated in advance with the CDN system.

Further, if there are multiple CDN nodes between the origin server and the user terminal, the CDN edge node sending the response message to the user terminal includes:

the CDN edge node processes the response message using a preset private protocol shared among the multiple CDN nodes;

the CDN edge node transmits the processed response message through the multiple CDN nodes;

when the CDN edge node on the user-terminal side receives the processed response message, it restores the processed response message using the preset private protocol and sends the restored response message to the user terminal.

According to another aspect of the embodiments of the invention, a device for tampering intervention based on a content distribution network is provided, applied to a CDN edge node of the content distribution network, the device including:

a receiving unit, configured to receive a request message from a user terminal and to receive a response message from the origin server;

a back-to-origin unit, configured to determine the origin server to fetch from and to initiate a back-to-origin request;

a first sending unit, configured to send the response message to the user terminal;

a judging unit, configured to determine whether the static file in the response message has been tampered with;

a caching unit, configured to cache the static file when it has not been tampered with;

a processing unit, configured, when the static file has been tampered with, not to cache it and to re-initiate the back-to-origin request when a message requesting the static file is received again; if the origin server returns a normal response and no tampering has occurred between the origin server and the CDN edge node, the static file from that normal response is cached, achieving tampering recovery.

Further, as applied to a CDN edge node of the content distribution network, the device includes:

the receiving unit includes a first receiving unit and a second receiving unit, where the first receiving unit is configured to receive the request message from the user terminal and the second receiving unit is configured to receive the response message from the origin server.

Further, the judging unit includes:

a first judging module, configured to determine whether this is the first time a request message for the static file has been received;

an obtaining module, configured to obtain at least two first feature values from the response messages;

a second judging module, configured to determine whether the at least two first feature values are consistent;

a first determining module, configured to determine that the static file has not been tampered with when they are consistent, and that it has been tampered with when they are inconsistent.

Further, the judging unit is configured to determine whether this is the first time a request message for the static file has been received; to obtain at least two first feature values from the response messages and determine whether the at least two first feature values are consistent; and to determine that the static file has not been tampered with when they are consistent, and that it has been tampered with when they are inconsistent.

Further, the judging unit includes:

an extracting module, configured to extract the second feature value carried in the response message, where the second feature value uniquely identifies the static file;

a calculating module, configured to calculate a third feature value from the response message using the calculation method negotiated with the origin server, the calculation method being one that the origin server uses and that was negotiated in advance with the CDN system;

a third judging module, configured to determine whether the second feature value and the third feature value are consistent;

a second determining module, configured to determine that the static file has not been tampered with when they are consistent, and that it has been tampered with when they are inconsistent.

Further, the judging unit is configured to extract the second feature value carried in the response message, where the second feature value uniquely identifies the static file; to calculate a third feature value from the response message using the calculation method negotiated with the origin server, the calculation method being one that the origin server uses and that was negotiated in advance with the CDN system; to determine whether the second feature value and the third feature value are consistent; and to determine that the static file has not been tampered with when they are consistent, and that it has been tampered with when they are inconsistent.

Further, the first sending unit includes:

a processing module, configured, when there are multiple CDN nodes between the origin server and the user terminal, to process the response message using a preset private protocol shared among the multiple CDN nodes, such that the processed response message cannot be recognized by other devices;

a transmitting module, configured to transmit the processed response message through the multiple CDN nodes;

a restoring module, configured, when the CDN edge node acting on the user-terminal side receives the processed response message, to restore the processed response message using the preset private protocol and to send the restored response message to the user terminal.

According to a further aspect of the embodiments of the invention, a system for tampering intervention based on a content distribution network is provided, including a user terminal, a content distribution network (CDN) edge node and an origin server, where:

the user terminal is configured to send a request message, where the request message requests a static file;

the CDN edge node includes the above device for tampering intervention based on a content distribution network;

the origin server includes:

a third receiving unit, configured to receive the back-to-origin request sent by the CDN edge node;

a second sending unit, configured to send a response message to the CDN edge node.

Further, the origin server also includes:

a calculating unit, configured to calculate, using a calculation method negotiated in advance with the CDN edge node, a feature value that uniquely identifies the static file, and to place the feature value in the response message.

In the technical solution of the embodiments of the invention, the CDN edge node determines whether a file has been maliciously tampered with. If there is no malicious tampering, the file is cached normally; if there is malicious tampering, the file is not cached, and subsequent users accessing the file cause a new back-to-origin request; when the origin server responds normally and no tampering occurs between the origin server and the CDN edge node, the tampering is recovered. Through this judgement the CDN edge node can promptly discover that a file has been maliciously tampered with, and it does not cache maliciously tampered files; there is no need to wait for the cache entry to expire before recovering from malicious tampering, since recovery takes place the next time a user requests the file, which shortens the tampering recovery time, restores abnormal data promptly and protects the user experience. In addition, by transmitting data that cannot be recognized by other devices between multiple CDN nodes over a preset private protocol, the content transmitted between CDN nodes is protected from malicious tampering, and at the same time the congestion policy can be adjusted promptly and effectively according to network conditions, improving transmission speed and stability and protecting the user experience.

Brief description of the drawings

To explain the technical solutions in the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

Figure 1 is a flowchart of the method for tampering intervention based on a content distribution network provided by an embodiment of the invention;

Figure 2 is a structural block diagram of the device for tampering intervention based on a content distribution network provided by an embodiment of the invention;

Figure 3 is a structural block diagram of the system for tampering intervention based on a content distribution network provided by an embodiment of the invention;

Figure 4 is a schematic diagram of the system for tampering intervention based on a content distribution network provided by an embodiment of the invention.

Detailed description

To make the objectives, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.

An embodiment of the invention provides a method for tampering intervention based on a content distribution network; as shown in Figure 1, the method includes the following steps S101 to S106. It should be noted that tampering intervention in the embodiments of the invention covers both tampering prevention and tampering recovery; in other words, the embodiments of the invention can not only prevent a static file from being tampered with, but also restore a static file that has been tampered with.

Step S101: the CDN edge node receives a request message from the user terminal, where the request message requests a static file; in this embodiment the static file may be a static file newly published by the origin server or a static file whose cache entry has expired;

Step S102: the CDN edge node determines the origin server to fetch from and initiates a back-to-origin request; specifically, the origin monitoring module of the CDN edge node may determine which origin server to fetch from;

Step S103: the CDN edge node receives the response message from the origin server and sends the response message to the user terminal;

Step S104: the CDN edge node determines whether the static file in the response message has been tampered with;

Step S105: if it has not been tampered with, the static file is cached;

Step S106: if it has been tampered with, the static file is not cached; when a message requesting the static file is received again, the CDN edge node re-initiates the back-to-origin request, and if the origin server returns a normal response and no tampering has occurred between the origin server and the CDN edge node, the CDN edge node caches the static file from that normal response, achieving tampering recovery.

In the method of the above embodiment, when a user requests a static file newly published by the origin server or one whose cache entry has expired, the CDN edge node adds a step that determines whether the file has been maliciously tampered with. If there is no malicious tampering, the file is cached normally; if there is, the file is not cached, and subsequent users accessing the file cause a new back-to-origin request; when the origin server responds normally and no tampering occurs between the origin server and the CDN edge node, the tampering is recovered. Through this judgement the CDN edge node can promptly discover that a file has been maliciously tampered with, and it does not cache maliciously tampered files; there is no need to wait for the cache entry to expire before recovering from malicious tampering, since recovery takes place the next time a user requests the file, which shortens the tampering recovery time, restores abnormal data promptly and protects the user experience.
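The following is an added example, not code from the patent or its assignee, that puts steps S101 to S106 and the legacy step (4) of the background side by side. It models a single edge node with a TTL cache, classifies "static files" by the Cache-Control directives the background section lists, and replays five requests for one file while the origin-to-edge path injects a fragment on the first fetch only. All names (cache_ttl, Origin, EdgeNode, tampering_link, simulate), the sample file, the injected fragment and the known-good-MD5 stand-in used as the tamper check are constructed for this example; the default TTL of one day is an assumption.

```python
import hashlib
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data (not from the patent).
DEFAULT_TTL = 86400                                   # assumed default when no max-age is present
CLEAN = b"console.log('app');\n"                      # the origin's static file
INJECTED = b"<script src='//ads.invalid/x.js'></script>\n"  # fragment an on-path party appends


def cache_ttl(cache_control: Optional[str]) -> Optional[int]:
    """Seconds a response may be cached, or None when it is not a 'static file'
    in the background section's sense, i.e. Cache-Control carries no-cache,
    no-store, private or max-age=0."""
    ttl = DEFAULT_TTL
    for raw in (cache_control or "").split(","):
        name, _, value = raw.strip().lower().partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name in ("no-cache", "no-store", "private"):
            return None
        if name == "max-age":
            if not value.isdigit() or int(value) == 0:
                return None
            ttl = int(value)
    return ttl


class Origin:
    """Constructed origin server holding static files with a one-day TTL."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = files

    def fetch(self, path: str) -> Tuple[Dict[str, str], bytes]:
        body = self.files[path]
        return {"Cache-Control": "max-age=86400", "Content-Length": str(len(body))}, body


def tampering_link(tamper_on: Set[int]) -> Callable[[Dict[str, str], bytes], Tuple[Dict[str, str], bytes]]:
    """Constructed model of the origin-to-edge path: on back-to-origin fetch number i
    (counting from 0) it appends INJECTED when i is in tamper_on, standing in for the
    occasional injection the background section describes."""
    count = [0]

    def link(headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
        i, count[0] = count[0], count[0] + 1
        if i in tamper_on:
            body = body + INJECTED
            headers = {**headers, "Content-Length": str(len(body))}
        return headers, body

    return link


class EdgeNode:
    """Edge node; check_before_cache=False reproduces legacy step (4), True follows S104-S106."""

    def __init__(self, origin: Origin, link, verify, check_before_cache: bool):
        self.origin, self.link, self.verify = origin, link, verify
        self.check_before_cache = check_before_cache
        self.cache: Dict[str, Tuple[bytes, float]] = {}

    def handle(self, path: str, now: float) -> bytes:
        """S101: serve one request for `path` at time `now`; returns the body sent to the user."""
        hit = self.cache.get(path)
        if hit is not None and now < hit[1]:
            return hit[0]                                  # unexpired entry: served as-is, no re-check
        headers, body = self.link(*self.origin.fetch(path))  # S102, S103: back-to-origin fetch
        ttl = cache_ttl(headers.get("Cache-Control"))
        if ttl is not None:                                # only static files are cached at all
            # S104-S106: legacy caches unconditionally; the patent caches only when the
            # check passes, so a bad copy is fetched again on the next request.
            if not self.check_before_cache or self.verify(path, headers, body):
                self.cache[path] = (body, now + ttl)
        return body                                        # S103: forwarded to the user either way


def simulate(check_before_cache: bool, requests: int = 5) -> int:
    """Replay `requests` requests for one file, one per minute, with injection on the
    first fetch only. Returns how many responses reached the user with INJECTED in them."""
    origin = Origin({"/app.js": CLEAN})
    known_good = {"/app.js": hashlib.md5(CLEAN).hexdigest()}
    # Stand-in tamper check: compare with a known-good MD5. The two checks the patent
    # text describes next (multi-fetch consistency, origin-computed tag) would plug in here.
    verify = lambda path, headers, body: hashlib.md5(body).hexdigest() == known_good[path]
    edge = EdgeNode(origin, tampering_link({0}), verify, check_before_cache)
    return sum(INJECTED in edge.handle("/app.js", now=60.0 * i) for i in range(requests))


if __name__ == "__main__":
    print("legacy policy, tampered responses served:", simulate(False))   # 5: cached for the TTL
    print("patent policy, tampered responses served:", simulate(True))    # 1: re-fetched next request
```

With the legacy policy the injected copy is cached and every request inside the one-day TTL is answered from it; with the patent's policy only the first user sees it, because the edge node refuses to cache a response that fails the check and the second request goes back to the origin. Note that the check runs only on back-to-origin responses: an entry that was already cached before the tampering started is served unchecked until it expires, which is exactly why the patent scopes its claims to newly published or expired files.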

The embodiments of the invention provide the following two methods by which the CDN edge node determines whether a static file has been tampered with; they are described in turn below.

(1) Judging feature values obtained from several response messages. The specific steps are: the CDN edge node determines whether this is the first time a request message for the static file has been received; if not, the CDN edge node obtains at least two first feature values from at least two corresponding response messages respectively; the CDN edge node determines whether these at least two first feature values are consistent; if they are consistent, the static file is determined not to have been tampered with; if they are inconsistent, the static file is determined to have been tampered with.

This method relies on probability, that is, on tampering being occasional and unpredictable. If the CDN edge node receives a request message for the static file for the first time, then under this method it does not cache the fetched static file but waits for a subsequent user to request the static file, so that it is fetched from the origin again and the edge node can judge whether the feature values from these two or more fetches are consistent.

Specifically, the first feature value may be the MD5 value of the static file (Message Digest Algorithm 5), or some other value that changes once the static file has been tampered with, so that a change in the feature value reveals promptly that the static file has been tampered with.

Using this method to determine whether a static file has been tampered with shortens the recovery time for an abnormal file: for a file with a cache time of 1 day, for example, there is no need to wait 1 day before recovering from malicious tampering; recovery takes place as soon as a user requests the file next time, greatly reducing the data recovery time.

(2) The CDN edge node and the origin server negotiate a calculation method; both use it to compute a feature value, and the CDN edge node compares the value it computed with the value computed by the origin server to confirm the identity of the file. The specific steps are: the CDN edge node extracts the second feature value carried in the response message, where the second feature value uniquely identifies the static file and was computed by the origin server using the calculation method negotiated in advance with the CDN edge node; the CDN edge node uses that calculation method to compute a third feature value from the response message; the CDN edge node determines whether the second feature value and the third feature value are consistent; if they are consistent, the static file is determined not to have been tampered with; if they are inconsistent, the static file is determined to have been tampered with.

Specifically, the second feature value computed by the origin server may be carried in the response header. For example, the second feature value and the third feature value may be computed from the len (length) information taken from the HTTP header of the response message together with the MD5 value of the file.

This method relies on the calculation method negotiated in advance: if the value computed by the CDN edge node does not match the value computed by the origin server, the static file is judged to have been tampered with and is not cached; when subsequent users continue to request the file, the back-to-origin and tamper-judging process above is repeated, and the file is cached only once the two values match. Using this method to determine whether a static file has been tampered with gives a definite confirmation, guarantees that the CDN edge node will not cache a maliciously tampered file, and greatly shortens the tampering recovery time.
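The following is an added example, not code from the patent or its assignee, implementing both checks as an edge node would run them on a back-to-origin response. Method (1) is a per-path history of response MD5 values that returns "undecided" on the first fetch and compares the last two fetches afterwards. Method (2) builds the origin's feature value from the Content-Length and the body MD5, as the text suggests, and carries it in a response header. The header name X-File-Tag, the choice of HMAC-SHA256 with a shared key as the "negotiated calculation method", the class and function names and the sample bodies are all assumptions made for this example; the patent only says the method is negotiated between origin and CDN.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional

TAG_HEADER = "X-File-Tag"   # assumed header carrying the origin's feature value


def body_md5(body: bytes) -> str:
    return hashlib.md5(body).hexdigest()


class MultiFetchChecker:
    """Method (1): per path, remember the MD5 of each back-to-origin response and
    accept the file only once the last `min_fetches` fetches agree."""

    def __init__(self, min_fetches: int = 2):
        self.min_fetches = min_fetches
        self.history: Dict[str, List[str]] = defaultdict(list)

    def check(self, path: str, body: bytes) -> Optional[bool]:
        """None: first fetch, not decidable yet (do not cache); True: the last fetches
        agree, cache; False: digests differ, treat as tampered and do not cache."""
        hist = self.history[path]
        hist.append(body_md5(body))
        if len(hist) < self.min_fetches:
            return None
        return len(set(hist[-self.min_fetches:])) == 1


def file_tag(key: Optional[bytes], content_length: int, body: bytes) -> str:
    """Method (2): the negotiated 'calculation method' over length and body MD5.
    key=None gives an unkeyed digest; a key gives an HMAC that nobody without
    the key can recompute (the keyed form is this example's assumption)."""
    msg = f"{content_length}:{body_md5(body)}".encode()
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def origin_response(key: Optional[bytes], body: bytes) -> Dict[str, str]:
    """Origin side: compute the second feature value and place it in the response header."""
    return {"Content-Length": str(len(body)), TAG_HEADER: file_tag(key, len(body), body)}


def edge_verify(key: Optional[bytes], headers: Dict[str, str], body: bytes) -> bool:
    """Edge side: recompute the third feature value from the received response and
    compare it with the second feature value carried in the header."""
    carried = headers.get(TAG_HEADER)
    if carried is None or headers.get("Content-Length") != str(len(body)):
        return False                                  # missing tag or length mismatch
    return hmac.compare_digest(carried, file_tag(key, len(body), body))


def scenarios() -> Dict[str, Optional[bool]]:
    """Run both checks over constructed responses; returns each verdict by name."""
    clean = b"console.log('app');\n"                               # constructed static file
    injected = clean + b"<script src='//ads.invalid/x.js'></script>\n"  # constructed injected copy
    key = b"constructed-shared-key"                                # constructed negotiated key

    # Method (1): an intermittent injection shows up as disagreeing digests.
    mf = MultiFetchChecker()
    first = mf.check("/app.js", injected)   # None: first fetch, wait for another
    second = mf.check("/app.js", clean)     # False: differs from the previous fetch
    third = mf.check("/app.js", clean)      # True: last two fetches agree, cache now

    # Method (2): the origin's tag does not match a body altered in transit.
    hdrs = origin_response(key, clean)
    ok_clean = edge_verify(key, hdrs, clean)
    altered_hdrs = {**hdrs, "Content-Length": str(len(injected))}
    ok_injected = edge_verify(key, altered_hdrs, injected)

    # Caveat not in the patent text: with an unkeyed function, a party on the path
    # that recomputes the header for the altered body passes the check; the keyed
    # edge rejects the same response.
    recomputed = origin_response(None, injected)
    unkeyed_accepts = edge_verify(None, recomputed, injected)
    keyed_rejects = edge_verify(key, recomputed, injected)

    return {"first": first, "second": second, "third": third,
            "ok_clean": ok_clean, "ok_injected": ok_injected,
            "unkeyed_accepts": unkeyed_accepts, "keyed_rejects": keyed_rejects}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Method (1) only catches tampering that differs between fetches, which is the "occasional and unpredictable" premise the text states; a modification applied identically to every fetch is consistent and passes. Method (2) gives the definite confirmation the text claims only if the on-path party cannot recompute the feature value, which is why this example keys the negotiated function and why the edge compares tags with a constant-time comparison.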

In a real network environment there may be multiple CDN nodes between the origin site and the user terminal. Between the user's request and the CDN edge node's back-to-origin fetch, the file has to pass through these CDN nodes; the links between CDN nodes are not under control, so the file may be tampered with there as well.

Considering this situation, the preferred embodiment of the present invention provides an implementation that prevents files transmitted between CDN nodes from being tampered with. Specifically, the CDN edge node sending the response message to the user terminal includes: the CDN edge node processes the response message using a preset private protocol shared among the multiple CDN nodes, so that the processed response message cannot be recognized by other devices; the CDN edge node transmits the processed response message through the multiple CDN nodes; when the CDN edge node on the user terminal side receives the processed response message, it restores it using the preset private protocol and sends the restored response message to the user terminal.

In this preferred embodiment, data is transmitted between the CDN nodes through a preset private protocol, which can be understood intuitively as a tunnel built between the CDN nodes: the content in the tunnel appears as garbled data to the outside, that is, it cannot be recognized by other devices. This ensures that content transmitted between CDN nodes cannot be maliciously tampered with; at the same time, the congestion policy can be adjusted promptly to network conditions, improving transmission speed and stability and protecting the user experience. Combined with method (1) or (2) above for judging whether a file has been tampered with, content is protected against malicious tampering along the entire link.

An embodiment of the present invention also provides a tampering intervention apparatus based on a content distribution network, applied to a CDN edge node, which can be used to implement the tampering intervention method above; for implementation details refer to the method embodiments above. As shown in FIG. 2, the apparatus includes: a first receiving unit 21, a back-to-origin unit 22, a second receiving unit 23, a first sending unit 24, a judging unit 25, a cache unit 26 and a processing unit 27.

The first receiving unit 21 is configured to receive a request message from the user terminal, where the request message requests a static file newly published by the origin site or a static file whose cache has expired;

The back-to-origin unit 22, connected to the first receiving unit 21, is configured to determine the origin site to fetch from and to initiate a back-to-origin request;

The second receiving unit 23, connected to the back-to-origin unit 22, is configured to receive the response message from the origin site;

The first sending unit 24, connected to the second receiving unit 23, is configured to send the response message to the user terminal;

The judging unit 25, connected to the second receiving unit 23, is configured to judge whether the static file in the response message has been tampered with;

The cache unit 26, connected to the judging unit 25, is configured to cache the static file when it has not been tampered with;

The processing unit 27, connected to the judging unit 25, is configured, when the file has been tampered with, not to cache the static file and, when a message requesting the static file is received again, to re-initiate the back-to-origin request; if the origin site returns a normal response and no tampering occurs between the origin site and the CDN edge node, the static file of that normal response is cached, achieving tamper recovery.

It should be noted that the first receiving unit 21 and the second receiving unit 23 in this embodiment may also be merged into a single receiving unit that receives both the request message from the user terminal and the response message from the origin site; the merged receiving unit can then be regarded as including the first receiving unit 21 and the second receiving unit 23. Whether to merge the two units into one can therefore be set according to actual needs and is not limited by the present invention.

With the apparatus of the above embodiment, the CDN edge node can promptly detect through its judgment that a file has been maliciously tampered with, and does not cache such a file; recovery from malicious tampering need not wait for the cache to expire but happens as soon as the user next requests the file, which shortens the tamper recovery time, restores abnormal data promptly and protects the user experience.

In one embodiment, the judging unit 25 includes: a first judging module for judging whether this is the first time a request message for the static file has been received; an obtaining module, connected to the first judging module, for obtaining, when it is not the first time, at least two first feature values from the corresponding at least two response messages; a second judging module, connected to the obtaining module, for judging whether the at least two first feature values are consistent; and a first determining module, connected to the second judging module, for determining that the static file has not been tampered with if they are consistent and that it has been tampered with if they are inconsistent. The judging unit 25 of this embodiment applies to method (2) above for judging whether a static file has been tampered with.

The judging unit 25 applicable to method (3) above for judging whether a static file has been tampered with includes: an extraction module for extracting the second feature value carried in the response message, where the second feature value uniquely identifies the static file and is computed by the origin site using the calculation method negotiated in advance with the CDN edge node; a calculation module for computing a third feature value from the response message using that calculation method; a third judging module, connected to the calculation module and the extraction module, for judging whether the second feature value and the third feature value are consistent; and a second determining module, connected to the third judging module, for determining that the static file has not been tampered with if they are consistent and that it has been tampered with if they are inconsistent.

It should be noted that the judging unit 25 in this embodiment may also omit the first judging module, the second judging module and the first determining module, with the judging unit 25 itself directly judging whether this is the first time a request message for the static file has been received; obtaining at least two first feature values from the response messages and judging whether they are consistent; and determining that the static file has not been tampered with if they are consistent and that it has been tampered with if they are inconsistent.

Likewise, the judging unit 25 may omit the extraction module, the calculation module, the third judging module and the second determining module, with the judging unit 25 itself directly extracting the second feature value carried in the response message, where the second feature value uniquely identifies the static file; computing a third feature value from the response message using the calculation method negotiated with the origin site, this being the calculation method the origin site negotiated in advance with the CDN system; judging whether the second feature value and the third feature value are consistent; and determining that the static file has not been tampered with if they are consistent and that it has been tampered with if they are inconsistent.

Therefore, whether the judging unit 25 includes the first judging module, the second judging module, the first determining module, the obtaining module, the calculation module, the third judging module and the second determining module can be set according to actual needs and is not limited by the present invention.

Preferably, the first sending unit 24 includes: a processing module for processing the response message, when there are multiple CDN nodes between the origin site and the user terminal, using a preset private protocol shared among the multiple CDN nodes, so that the processed response message cannot be recognized by other devices; a transmission module, connected to the processing module, for transmitting the processed response message through the multiple CDN nodes; and a restoration module for restoring the processed response message with the preset private protocol when, acting as the CDN edge node on the user terminal side, it receives the processed response message, and sending the restored response message to the user terminal. This ensures that content transmitted between CDN nodes cannot be maliciously tampered with.

An embodiment of the present invention also provides a tampering intervention system based on a content distribution network. As shown in FIG. 3, the system includes a user terminal 10, a CDN edge node 20 and an origin site 30.

The user terminal 10 is configured to send a request message, where the request message requests a static file newly published by the origin site or a static file whose cache has expired;

The CDN edge node 20, connected to the user terminal 10, includes the content-distribution-network-based tampering intervention apparatus described in the above embodiment;

The origin site 30, connected to the CDN edge node 20, includes: a third receiving unit 31 for receiving the back-to-origin request sent by the CDN edge node 20; and a second sending unit 32, connected to the third receiving unit 31, for sending the response message to the CDN edge node 20.

With the system of the above embodiment, the CDN edge node can promptly detect through its judgment that a file has been maliciously tampered with, and does not cache such a file; recovery from malicious tampering need not wait for the cache to expire but happens as soon as the user next requests the file, which shortens the tamper recovery time, restores abnormal data promptly and protects the user experience.

Preferably, the origin site 30 may further include a calculation unit, connected to the third receiving unit 31, for computing, with the calculation method negotiated in advance with the CDN edge node, a feature value that uniquely identifies the static file, and placing that feature value in the response message.

The solution of the present invention is described in detail below with reference to FIG. 4.

As shown in FIG. 4, there are multiple CDN nodes between the user terminal 10 and the origin site 30. When the user requests a static file, the user terminal 10 sends the request to CDN edge node 20A, and CDN edge node 20A forwards the request to CDN edge node 20B through the preset private protocol; CDN edge node 20B fetches the static file from the origin site 30, uses method (1) or (2) above to judge whether the static file has been tampered with so as to decide whether to cache it, and sends the response to CDN edge node 20A through the preset private protocol.

If the static file is judged to have been tampered with, CDN edge node 20B does not cache it; CDN edge node 20A processes the received response to obtain a static file that the user terminal 10 can recognize, returns that static file to the user terminal 10, and likewise does not cache it, so subsequent user requests for the file still trigger a back-to-origin request.

If the static file is judged not to have been tampered with, CDN edge node 20B caches it. CDN edge node 20A processes the received response to obtain a static file that the user terminal 10 can recognize, returns it to the user terminal 10 and caches the response, so subsequent user requests are served directly from the cached response.

The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to perform the method described in each embodiment or in some parts of the embodiments.

The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (15)

1. A tampering intervention method based on a content distribution network, characterized in that it comprises:
a content distribution network (CDN) edge node receiving a request message from a user terminal, wherein the request message requests a static file;
the CDN edge node determining the origin site to fetch from and initiating a back-to-origin request;
the CDN edge node receiving a response message from the origin site and sending the response message to the user terminal;
the CDN edge node judging whether the static file in the response message has been tampered with;
if it has not been tampered with, caching the static file;
if it has been tampered with, not caching the static file, and when a message requesting the static file is received again, the CDN edge node re-initiating the back-to-origin request; if the origin site returns a normal response and no tampering occurs between the origin site and the CDN edge node, the CDN edge node caching the static file of the normal response to achieve tamper recovery.

2. The content-distribution-network-based tampering intervention method of claim 1, characterized in that the CDN edge node judging whether the static file in the response message has been tampered with comprises:
the CDN edge node obtaining at least two first feature values from the corresponding at least two response messages respectively;
the CDN edge node judging whether the at least two first feature values are consistent;
if they are consistent, determining that the static file has not been tampered with;
if they are inconsistent, determining that the static file has been tampered with.

3. The content-distribution-network-based tampering intervention method of claim 2, characterized in that it further comprises:
when judging whether the at least two first feature values are consistent, the CDN edge node first judging whether this is the first time a request message for the static file has been received.

4. The content-distribution-network-based tampering intervention method of claim 1, characterized in that the CDN edge node judging whether the static file in the response message has been tampered with comprises:
the CDN edge node extracting a second feature value carried in the response message, wherein the second feature value uniquely identifies the static file;
the CDN edge node computing a third feature value from the response message using a calculation method negotiated with the origin site;
the CDN edge node judging whether the second feature value and the third feature value are consistent;
if they are consistent, determining that the static file has not been tampered with;
if they are inconsistent, determining that the static file has been tampered with.

5. The content-distribution-network-based tampering intervention method of claim 4, characterized in that the CDN edge node judging whether the static file in the response message has been tampered with comprises:
the negotiated calculation method being a calculation method negotiated in advance by the origin site with the CDN system.

6. The content-distribution-network-based tampering intervention method of any one of claims 1 to 5, characterized in that, if there are multiple CDN nodes between the origin site and the user terminal, the CDN edge node sending the response message to the user terminal comprises:
the CDN edge node processing the response message using a preset private protocol among the multiple CDN nodes;
the CDN edge node transmitting the processed response message through the multiple CDN nodes;
when the CDN edge node on the user terminal side receives the processed response message, restoring the processed response message using the preset private protocol and sending the restored response message to the user terminal.

7. A tampering intervention apparatus based on a content distribution network, applied to a content distribution network (CDN) edge node, characterized in that the apparatus comprises:
a receiving unit for receiving a request message from a user terminal and a response message from an origin site;
a back-to-origin unit for determining the origin site to fetch from and initiating a back-to-origin request;
a first sending unit for sending the response message to the user terminal;
a judging unit for judging whether the static file in the response message has been tampered with;
a cache unit for caching the static file when it has not been tampered with;
a processing unit for, when it has been tampered with, not caching the static file and, when a message requesting the static file is received again, re-initiating the back-to-origin request; if the origin site returns a normal response and no tampering occurs between the origin site and the CDN edge node, caching the static file of the normal response to achieve tamper recovery.

8. The content-distribution-network-based tampering intervention apparatus of claim 7, applied to a content distribution network (CDN) edge node, characterized in that the apparatus comprises:
the receiving unit comprising a first receiving unit and a second receiving unit, wherein the first receiving unit is for receiving the request message from the user terminal and the second receiving unit is for receiving the response message from the origin site.

9. The content-distribution-network-based tampering intervention apparatus of claim 7, characterized in that the judging unit comprises:
a first judging module for judging whether this is the first time a request message for the static file has been received;
an obtaining module for obtaining at least two first feature values from the response messages;
a second judging module for judging whether the at least two first feature values are consistent;
a first determining module for determining that the static file has not been tampered with if they are consistent, and that the static file has been tampered with if they are inconsistent.

10. The content-distribution-network-based tampering intervention apparatus of claim 7, characterized in that the judging unit is configured to judge whether this is the first time a request message for the static file has been received; to obtain at least two first feature values from the response messages and judge whether the at least two first feature values are consistent; and to determine that the static file has not been tampered with if they are consistent, and that the static file has been tampered with if they are inconsistent.

11. The content-distribution-network-based tampering intervention apparatus of claim 7, characterized in that the judging unit comprises:
an extraction module for extracting a second feature value carried in the response message, wherein the second feature value uniquely identifies the static file;
a calculation module for computing a third feature value from the response message using a calculation method negotiated with the origin site, the calculation method being a calculation method negotiated in advance by the origin site with the CDN system;
a third judging module for judging whether the second feature value and the third feature value are consistent;
a second determining module for determining that the static file has not been tampered with if they are consistent, and that the static file has been tampered with if they are inconsistent.

12. The content-distribution-network-based tampering intervention apparatus of claim 7, characterized in that the judging unit is configured to extract a second feature value carried in the response message, wherein the second feature value uniquely identifies the static file; to compute a third feature value from the response message using a calculation method negotiated with the origin site, the calculation method being a calculation method negotiated in advance by the origin site with the CDN system; to judge whether the second feature value and the third feature value are consistent; and to determine that the static file has not been tampered with if they are consistent, and that the static file has been tampered with if they are inconsistent.

13. The content-distribution-network-based tampering intervention apparatus of any one of claims 7 to 12, characterized in that the first sending unit comprises:
a processing module for processing the response message, when there are multiple CDN nodes between the origin site and the user terminal, using a preset private protocol among the multiple CDN nodes, so that the processed response message cannot be recognized by other devices;
a transmission module for transmitting the processed response message through the multiple CDN nodes;
a restoration module for restoring the processed response message using the preset private protocol when, acting as the CDN edge node on the user terminal side, it receives the processed response message, and sending the restored response message to the user terminal.

14. A tampering intervention system based on a content distribution network, characterized in that it comprises a user terminal, a content distribution network (CDN) edge node and an origin site, wherein:
the user terminal is for sending a request message, wherein the request message requests a static file;
the CDN edge node comprises the content-distribution-network-based tampering intervention apparatus of any one of claims 7 to 11;
the origin site comprises:
a third receiving unit for receiving the back-to-origin request sent by the CDN edge node;
a second sending unit for sending a response message to the CDN edge node.

15. The content-distribution-network-based tampering intervention system of claim 14, characterized in that the origin site further comprises:
a calculation unit for computing, with a calculation method negotiated in advance with the CDN edge node, a feature value that uniquely identifies the static file, and placing the feature value in the response message.
CN201710661039.1A 2017-08-04 2017-08-04 Method, device and system for tampering intervention based on content distribution network Active CN107241451B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710661039.1A CN107241451B (en) 2017-08-04 2017-08-04 Method, device and system for tampering intervention based on content distribution network

Publications (2)

Publication Number Publication Date
CN107241451A CN107241451A (en) 2017-10-10
CN107241451B true CN107241451B (en) 2019-07-16

Family

ID=59988661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710661039.1A Active CN107241451B (en) 2017-08-04 2017-08-04 Method, device and system for tampering intervention based on content distribution network

Country Status (1)

Country Link
CN (1) CN107241451B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110650166B (en) * 2018-06-27 2022-06-28 中国电信股份有限公司 Content distribution method and system
CN112866310B (en) * 2019-11-12 2022-03-04 北京金山云网络技术有限公司 CDN back-to-source verification method and verification server, CDN cluster
CN112839070B (en) * 2019-11-22 2023-08-22 北京金山云网络技术有限公司 Data processing method and device and node equipment in CDN (content delivery network)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932358A (en) * 2012-11-07 2013-02-13 网宿科技股份有限公司 Third-party document-rewriting and rapid distribution method and device based on content distribution network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9165154B2 (en) * 2009-02-16 2015-10-20 Microsoft Technology Licensing, Llc Trusted cloud computing and services framework
CN103368963A (en) * 2013-07-15 2013-10-23 网宿科技股份有限公司 HTTP message tamper-proofing method in content distribution network
CN103986735B (en) * 2014-06-05 2017-04-19 北京赛维安讯科技发展有限公司 CDN (content distribution network) antitheft system and antitheft method
CN105049486B (en) * 2015-06-16 2019-03-26 腾讯科技(北京)有限公司 Method for edition management, the apparatus and system of static file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant