
CN115277060A - URL (Uniform resource locator) filtering method based on HTTPS (Hypertext transfer protocol secure) protocol, security equipment and storage medium - Google Patents


Info

Publication number
CN115277060A
Authority
CN (China)
Prior art keywords
protocol message
url
https
client
protocol
Legal status
Pending
Application number
CN202210660003.2A
Other languages
Chinese (zh)
Inventor
李冬越
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202210660003.2A
Publication of CN115277060A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application provides a URL filtering method based on the HTTPS protocol, together with a security device and a storage medium. The URL filtering method, applied to a security device, comprises: presetting URL rules that permit or exclude access; receiving a request protocol message sent by a client; determining whether the received request protocol message is an HTTPS or an HTTP protocol message; if it is an HTTPS protocol message, extracting and parsing the domain name from the URL of the protocol message; determining whether the parsed domain name falls within the preset URL rules; and allowing or blocking the client's access request according to the result. The application can forward the request message without offloading HTTPS, which greatly reduces performance overhead and increases data transmission speed.

Description

URL filtering method based on the HTTPS protocol, security device and storage medium

Technical field

The present application relates to the technical field of communication equipment, and in particular to a URL filtering method based on the HTTPS protocol, a security device and a storage medium.

Background

HTTP (HyperText Transfer Protocol) is an application-layer protocol for transmitting hypermedia documents, designed for communication between web browsers and web servers and used for client requests and server responses. Through a web browser, web crawler or other tool, the client sends an HTTP request to a specified port on the server. The responding server stores resources such as HTML (HyperText Markup Language) files and images. The request carries a URL (Uniform Resource Locator), the unique address of the resource, by which the server locates the resource and answers the request.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, an HTTP channel designed for security) uses encryption algorithms to secure data transmission. The communication is divided into two main phases, the handshake and data transfer; the data transfer phase in turn has an asymmetric-encryption and a symmetric-encryption stage, the choice of which is negotiated during the handshake, and the data transmitted at that point is encrypted HTTP data.

The existing URL filtering based on the HTTPS protocol known to the inventor, shown in Figure 1, proceeds as follows:

(1) The security device accepts the client's request to establish an SSL/TLS connection.

(2) The security device, acting as a proxy client, initiates an SSL/TLS connection request to the server.

(3) The server sends its server certificate to the security device.

(4) The security device verifies the server certificate, negotiates the protocol's encryption algorithm and other parameters, completes the handshake, and establishes the connection.

(5) The security device, acting as a proxy server, responds to the client's request and, based on the decrypted content of the server certificate, issues a proxy server certificate for the client to verify.

(6) The client completes certificate verification, completes the handshake with the security device acting as proxy server, and establishes the connection.

(7) The client sends encrypted messages to the server.

(8) The device decrypts the messages sent by the client and performs the URL filtering service.

(9) After URL filtering, the allowed messages are re-encrypted and sent on to the server.

Once the proxy is established by the above flow, every subsequent message must be decrypted, processed by the security service, and re-encrypted before being sent. This URL filtering scheme is therefore very costly in performance and very slow.

Summary of the invention

In order to overcome the problems in the related art, the present application provides a URL filtering method based on the HTTPS protocol, a security device and a storage medium.

The present application provides a URL filtering method based on the HTTPS protocol, applied to a security device, comprising:

presetting URL rules that permit or exclude access;

receiving a request protocol message sent by a client;

determining whether the received request protocol message is an HTTPS or an HTTP protocol message;

if it is an HTTPS protocol message, extracting and parsing the domain name from the URL of the protocol message;

determining whether the parsed domain name is within the preset URL rules;

allowing or blocking the client's access request according to the result of the determination.

Further, if the message is determined to be an HTTP protocol message, it is directly determined whether the plaintext URL of the protocol message is within the preset URL rules;

the client's access request is allowed or blocked according to the result of the determination.

Preferably, clients in different intranets connect to different security devices;

the security device is further preset with a customer security access policy;

before determining the type of the received protocol message, the customer security access policy is checked against the protocol message sent by the client; if the message is within the security access policy, the access type of the protocol message is then determined.

Further, the security access policies of clients in different intranets differ.

Preferably, the domain name is extracted from the SNI field in the extensions field of the HTTPS protocol message.

The present application also provides a URL filtering system based on the HTTPS protocol, comprising a client, a security device and a server, wherein

the client is used to initiate a request protocol message;

the security device is used to preset URL rules that permit or exclude access; receive the request protocol message sent by the client; determine whether the received protocol message is an HTTPS or an HTTP protocol message; if it is an HTTPS protocol message, extract and parse the domain name from the URL of the protocol message; determine whether the parsed domain name is within the preset URL rules; and allow or block the client's access request according to the result of the determination;

the server is used to respond with a protocol message, the response protocol message corresponding to the allowed client request protocol message.

Further, the security device is also used, if the message is determined to be an HTTP protocol message, to directly determine whether the plaintext URL of the protocol message is within the preset URL rules, and to allow or block the client's access request according to the result of the determination.

Preferably, the security device is also used to preset customer security access policies; where clients in different intranets connect to different security devices, before determining the type of the received protocol message, the customer's security access policy is determined based on the protocol message sent by the client; if the message is within the security access policy, the access type of the protocol message is then determined.

Preferably, the security access policies of clients in different intranets differ.

Preferably, the domain name is extracted from the SNI field in the extensions field of the HTTPS protocol message.

The present application also provides a security device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it performs the above URL filtering method based on the HTTPS protocol.

Finally, the present application also provides a storage medium storing computer program instructions which, when executed by a processor, implement the above URL filtering method based on the HTTPS protocol.

The technical solutions provided by the embodiments of the present application may have the following beneficial effects:

the embodiments of the present application can forward the request message without offloading HTTPS, which greatly reduces performance overhead and increases data transmission speed.

It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present application.

Description of the drawings

The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the application and together with the description serve to explain its principles.

Figure 1 is a logical block diagram of prior-art URL filtering based on the HTTPS protocol;

Figure 2 is a schematic diagram of a first embodiment of the present application;

Figure 3 is a schematic diagram of a second embodiment of the present application;

Figure 4 is a schematic diagram of a third embodiment of the present application;

Figure 5 is a logical block diagram of the security device of the present application.

Detailed description

Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with aspects of the application as recited in the appended claims.

The present application provides a URL filtering method based on the HTTPS protocol; one embodiment, applied to a security device, is shown in Figure 2 and comprises:

presetting URL rules that permit or exclude access;

receiving a request protocol message sent by a client;

determining whether the received request protocol message is an HTTPS or an HTTP protocol message;

if it is an HTTPS protocol message, extracting and parsing the domain name from the URL of the protocol message;

determining whether the parsed domain name is within the preset URL rules;

allowing or blocking the client's access request according to the result of the determination.

As a preferred embodiment, shown in Figure 3, if the message is determined to be an HTTP protocol message, it is directly determined whether the plaintext URL of the protocol message is within the preset URL rules;

the client's access request is allowed or blocked according to the result of the determination.

Of course, when the message is determined to be an HTTP protocol message, other handling may also be adopted, such as blocking it outright.

The domain name, as a component of the URL, can be used for URL filtering. In one embodiment of the present application, the domain name is extracted from the SNI field in the extensions field of the HTTPS protocol message.

Because different customers have different security access policies, the present application also provides an embodiment in which customer security access policies are preset in the security device. Clients in different intranets connect to different security devices; before determining the type of the received protocol message, the customer security access policy is checked against the protocol message sent by the client; if the message falls within the customer security access policy, it is then determined whether the access type of the protocol message is HTTP or HTTPS, as shown in Figure 4. The customer security access policy need not be preset in the sequence of Figure 4; it can be set together with the preset URL rules, and Figure 4 does not limit the order.

The present application also provides a URL filtering system based on the HTTPS protocol, comprising a client, a security device and a server.

The client is used to initiate a request protocol message;

the security device is used to preset URL rules that permit or exclude access; receive the request protocol message sent by the client; determine whether the received protocol message is an HTTPS or an HTTP protocol message; if it is an HTTPS protocol message, extract and parse the domain name from the URL of the protocol message; determine whether the parsed domain name is within the preset URL rules; and allow or block the client's access request according to the result of the determination;

the server is used to respond with a protocol message, the response protocol message corresponding to the allowed client request protocol message.

In the above embodiment, as one embodiment of domain name extraction and parsing, the domain name is extracted from the SNI field in the extensions field of the HTTPS protocol message. The application is of course not limited to the embodiment given.

As a further embodiment, the security device of the present application is also used, if the message is determined to be an HTTP protocol message, to directly determine whether the plaintext URL of the protocol message is within the preset URL rules, and to allow or block the client's access request according to the result of the determination.

As a further embodiment, the security device of the present application is also used to preset customer security access policies; clients in different intranets connect to different security devices, and the security access policies of clients in different intranets differ. Before determining the type of the received protocol message, the customer's security access policy is determined based on the protocol message sent by the client; if the message is within the security access policy, the access type of the protocol message is determined.

The present application uses the TCP protocol as an example for illustration.

URL rules that permit or exclude access are preset in the security device;

the client establishes a session with the server through the TCP three-way handshake;

the client sends an HTTPS protocol request to the server, beginning with a plaintext ClientHello request message (the ClientHello request message contains the version, the candidate cipher suite list, the candidate compression algorithm list, a random number, extension fields and other information);

the ClientHello request message reaches the security device, which confirms that the protocol type is HTTPS and that the message is a ClientHello;

the security device extracts and parses the domain name from the SNI field within the extensions field;

the security device determines whether the domain name is within the preset URL rules and allows or blocks the client's access request according to the result;

if allowed, the security device forwards the access request sent by the client;

the server responds to the access request message.
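The decision flow of this embodiment, as an added example that is not the patent's or H3C's code: the device tells a TLS handshake record apart from plaintext HTTP, parses the ClientHello far enough to read the host_name in the server_name (SNI) extension, and matches it against preset allow or block domain rules, blocking any request that yields no matchable name. The rule sets, the HTTP request and the ClientHello produced by `build_client_hello` are constructed here as sample input.

```python
"""Added example (not the patent's or H3C's code): classify a request as TLS or
plaintext HTTP, read the host_name from the ClientHello server_name (SNI) extension,
and apply preset allow/block domain rules. All sample inputs are constructed here."""
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000    # extension type: server_name
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT")


def classify(payload: bytes) -> str:
    """Tell a TLS handshake record apart from plaintext HTTP by its first bytes."""
    if len(payload) >= 3 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        return "https"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def extract_sni(record: bytes):
    """Walk a ClientHello to its extensions and return the host_name, or None.
    A truncated or malformed record yields None rather than an exception."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != CLIENT_HELLO:
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos + 2 > len(hello):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end, q = 2 + struct.unpack("!H", edata[:2])[0], 2
            while q + 3 <= list_end:
                ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                name, q = edata[q + 3:q + 3 + nlen], q + 3 + nlen
                if ntype == 0 and len(name) == nlen:            # name_type 0 = host_name
                    return name.decode("ascii").lower().rstrip(".")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP request (without port), or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


class UrlRules:
    """Preset domain rules. mode 'allow': only listed domains and their subdomains
    pass; mode 'block': listed domains are blocked and everything else passes."""

    def __init__(self, mode: str, domains):
        if mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.mode = mode
        self.domains = {d.lower().rstrip(".") for d in domains}

    def matches(self, host: str) -> bool:
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def decide(self, host: str) -> str:
        return "allow" if self.matches(host) == (self.mode == "allow") else "block"


def filter_request(payload: bytes, rules: UrlRules):
    """The patent's decision flow for one client request: returns (protocol, verdict).
    A request that yields no domain to match on is blocked (fail closed)."""
    proto = classify(payload)
    host = extract_sni(payload) if proto == "https" else http_host(payload) if proto == "http" else None
    return proto, ("block" if host is None else rules.decide(host))


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name                  # host_name entry
    sni = struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    hello = (b"\x03\x03" + bytes(32)           # legacy_version 1.2, random (zeroed: constructed)
             + b"\x00"                         # empty session_id
             + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                     # compression_methods: null only
             + struct.pack("!H", len(sni)) + sni)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake
```

Since the SNI is a plaintext field supplied by the client and never checked against the server's certificate, a production device also has to decide how to treat a ClientHello that carries no SNI or whose name cannot be parsed; this example blocks such requests.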

If multiple intranets access the external network and the client security access policies of each intranet differ, the clients of each intranet connect to a corresponding security device. Each corresponding security device is provisioned with the client security access policy of the intranet connected to it and is preset with the corresponding URL rules.

After a client in one of the intranets sends a request protocol message, the corresponding security device first checks the security access policy; only for messages that satisfy the security access policy does it then determine the type of the request protocol message. If it is an HTTPS protocol message, the domain name in the SNI field of the message's extensions field is extracted and parsed; the device determines whether the domain name is within the preset URL rules and allows or blocks the client's access request according to the result.

The present application also provides a security device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it performs the above URL filtering method based on the HTTPS protocol, as shown in Figure 5.

A storage medium stores computer program instructions which, when executed by a processor, implement the above URL filtering method based on the HTTPS protocol.

Finally, the embodiments of the present application also provide a storage medium storing computer program instructions which, when executed by a processor, implement the above dynamic access authentication method under a zero-trust network.

Here, the storage medium may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state drive, any type of storage disc (such as a CD or DVD), a similar storage medium, or a combination thereof.

The system described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or any combination of these devices.

Those skilled in the art will understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present disclosure is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Those skilled in the art will understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include but are not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

It should be understood that the present application is not limited to the precise constructions described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.

The above are merely preferred embodiments of the present application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (12)

1. A URL filtering method based on the HTTPS protocol, applied to a security device, characterized in that it comprises:
presetting URL rules that permit access or exclude access;
receiving a request protocol message sent by a client;
determining whether the received request protocol message is an HTTPS or an HTTP protocol message;
if it is an HTTPS protocol message, extracting and parsing the domain name in the URL of the protocol message;
determining whether the parsed domain name falls within the preset URL rules;
deciding, according to the result of that determination, whether to allow or block the client's access request.

2. The URL filtering method based on the HTTPS protocol according to claim 1, characterized in that, if the message is determined to be an HTTP protocol message, it is directly determined whether the plaintext URL of the protocol message falls within the preset URL rules, and the client's access request is allowed or blocked according to the result of that determination.

3. The URL filtering method based on the HTTPS protocol according to claim 1, characterized in that clients in different intranets are connected to different security devices;
the security device is further preset with a client security access policy;
before determining the type of the received protocol message, the client's security access policy is checked on the basis of the protocol message sent by the client; if the request is within the security access policy, the access type of the protocol message is then determined.

4. The URL filtering method based on the HTTPS protocol according to claim 3, characterized in that clients in different intranets have different security access policies.

5. The URL filtering method based on the HTTPS protocol according to claim 1, characterized in that the domain name is extracted from the SNI field of the extension field of the HTTPS protocol message.

6. A URL filtering system based on the HTTPS protocol, comprising a client, a security device and a server, characterized in that:
the client is configured to initiate a request protocol message;
the security device is configured to preset URL rules that permit access or exclude access; receive the request protocol message sent by the client; determine whether the received protocol message is an HTTPS or an HTTP protocol message; if it is an HTTPS protocol message, extract and parse the domain name in the URL of the protocol message; determine whether the parsed domain name falls within the preset URL rules; and allow or block the client's access request according to the result of that determination;
the server is configured to respond with a response protocol message, the response protocol message corresponding to an allowed client request protocol message.

7. The URL filtering system based on the HTTPS protocol according to claim 6, characterized in that the security device is further configured, if the message is determined to be an HTTP protocol message, to directly determine whether the plaintext URL of the protocol message falls within the preset URL rules, and to allow or block the client's access request according to the result of that determination.

8. The URL filtering system based on the HTTPS protocol according to claim 6, characterized in that clients in different intranets are connected to different security devices; the security device is further preset with a client security access policy; before determining the type of the received protocol message, the client's security access policy is checked on the basis of the protocol message sent by the client; if the request is within the security access policy, the access type of the protocol message is then determined.

9. The URL filtering system based on the HTTPS protocol according to claim 8, characterized in that clients in different intranets have different security access policies.

10. The URL filtering system based on the HTTPS protocol according to claim 6, characterized in that the domain name is extracted from the SNI field of the extension field of the HTTPS protocol message.

11. A security device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it performs the URL filtering method based on the HTTPS protocol of any one of claims 1 to 5.

12. A storage medium storing computer program instructions, characterized in that the program instructions, when executed by a processor, implement the URL filtering method based on the HTTPS protocol of any one of claims 1 to 5.
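The filtering decision in claims 1, 2 and 5 (classify the first client message as HTTPS or HTTP, take the domain name from the TLS ClientHello SNI extension or the plaintext HTTP Host header, match it against preset allow/deny rules, then allow or block) is shown below as an added Python example. It is not code from the patent or from the applicant; the ClientHello builder, the rule dictionary layout, the fail-closed handling of a ClientHello with no SNI, and all host names are constructed assumptions for illustration.

```python
"""Added illustration of SNI-based URL filtering (not the patent's own code)."""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed rule set (assumed format): an allow list, a deny list and the
# action taken when no domain name can be recovered from the message.
RULES: Dict[str, object] = {
    "allow": ["example.com"],
    "deny": ["blocked.example"],
    "default": "block",   # fail closed when SNI / Host is missing
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI entry (test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (b"\x03\x03" + bytes(32)                 # client_version + random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:      # Handshake record, client_hello type
            return None
        pos = 5 + 4 + 2 + 32                         # record hdr + handshake hdr + version + random
        pos += 1 + data[pos]                         # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                         # compression_methods
        if pos + 2 > len(data):
            return None                              # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                           # server_name extension
                p = pos + 2                          # skip ServerNameList length
                list_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
                while p + 3 <= list_end:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if ntype == 0:
                        return data[p + 3:p + 3 + nlen].decode("ascii").lower()
                    p += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    try:
        lines = data.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            return line[5:].strip().split(":")[0].lower()   # drop any :port
    return None


def classify(data: bytes) -> str:
    """HTTPS if the first byte is a TLS handshake record, HTTP if it starts with a method."""
    if data[:1] == b"\x16":
        return "https"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")):
        return "http"
    return "unknown"


def domain_matches(domain: str, pattern: str) -> bool:
    """A rule 'example.com' covers the domain itself and its subdomains."""
    return domain == pattern or domain.endswith("." + pattern)


def decide(data: bytes, rules: Dict[str, object] = RULES) -> Tuple[str, Optional[str]]:
    """Apply the claim-1 procedure; returns (action, domain) with action 'allow' or 'block'."""
    kind = classify(data)
    domain = extract_sni(data) if kind == "https" else (
        extract_http_host(data) if kind == "http" else None)
    if domain is None:
        return (str(rules.get("default", "block")), None)
    deny: List[str] = rules.get("deny", [])          # type: ignore[assignment]
    allow: List[str] = rules.get("allow", [])        # type: ignore[assignment]
    if any(domain_matches(domain, p) for p in deny):
        return ("block", domain)
    if allow and not any(domain_matches(domain, p) for p in allow):
        return ("block", domain)
    return ("allow", domain)


if __name__ == "__main__":
    for msg in (build_client_hello("www.example.com"),
                build_client_hello("ads.blocked.example"),
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"):
        print(classify(msg), decide(msg))
```

Because the SNI is sent in clear in the ClientHello, the device can take the decision before any encrypted data flows and without terminating TLS; the example deliberately blocks when no SNI is present, since a client can omit it, and a filter that falls open there can be bypassed.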

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210660003.2A CN115277060A (en) 2022-06-13 2022-06-13 URL (Uniform resource locator) filtering method based on HTTPS (Hypertext transfer protocol secure) protocol, security equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115277060A true CN115277060A (en) 2022-11-01

Family

ID=83759722

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210660003.2A Pending CN115277060A (en) 2022-06-13 2022-06-13 URL (Uniform resource locator) filtering method based on HTTPS (Hypertext transfer protocol secure) protocol, security equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115277060A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240735A (en) * 2023-11-09 2023-12-15 湖南戎腾网络科技有限公司 Method, system, equipment and storage medium for filtering audio and video streams
CN115688089B (en) * 2022-11-23 2025-07-22 中国人民解放军国防科技大学 PCIE protocol security extension method, system and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010244134A (en) * 2009-04-01 2010-10-28 Mitsubishi Electric Corp URL filtering apparatus and URL filtering method
US9419942B1 (en) * 2013-06-05 2016-08-16 Palo Alto Networks, Inc. Destination domain extraction for secure protocols
WO2016127799A1 (en) * 2015-02-13 2016-08-18 中兴通讯股份有限公司 Video advertisement filter method, apparatus and system
CN105938472A (en) * 2015-08-26 2016-09-14 杭州迪普科技有限公司 Web access control method and device
CN109450945A (en) * 2018-12-26 2019-03-08 成都西维数码科技有限公司 A kind of web page access method for safety monitoring based on SNI
CN112291199A (en) * 2020-09-30 2021-01-29 新华三信息安全技术有限公司 Message processing method and device, electronic equipment and storage medium
CN112468476A (en) * 2020-11-20 2021-03-09 中国建设银行股份有限公司 Equipment management system and method for different types of terminals to access application

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115688089B (en) * 2022-11-23 2025-07-22 中国人民解放军国防科技大学 PCIE protocol security extension method, system and medium
CN117240735A (en) * 2023-11-09 2023-12-15 湖南戎腾网络科技有限公司 Method, system, equipment and storage medium for filtering audio and video streams
CN117240735B (en) * 2023-11-09 2024-01-19 湖南戎腾网络科技有限公司 Method, system, equipment and storage medium for filtering audio and video streams

Similar Documents

Publication Publication Date Title
US8832782B2 (en) Single sign-on system and method
EP2850770B1 (en) Transport layer security traffic control using service name identification
US9930067B1 (en) Techniques for secure session reestablishment
US8707026B2 (en) Apparatus for certificate-based cookie security
CN103685187B (en) Method for realizing resource access control by switching SSL authentication mode according to needs
CN114338844B (en) Cross-protocol communication method and device between client servers
JP2018534884A (en) Client-cloud or remote server secure data or file object encryption gateway
CN106790090A (en) Communication means, apparatus and system based on SSL
US20170339253A1 (en) Fastpath web sessions with http header modification by redirecting clients
CN108200104A (en) The method and system that a kind of progress SSL shakes hands
US20130291089A1 (en) Data communication method and device and data interaction system based on browser
CN101299667A (en) Authentication method, system, client equipment and server
JP2010539735A (en) Denial of service attack blocking method using TCP state transition
CN104767742A (en) A secure communication method, gateway, network side server and system
US20120023158A1 (en) Method for secure transfer of multiple small messages
US20170070486A1 (en) Server public key pinning by url
CN106169990A (en) A kind of encrypt data on flows monitoring method, Apparatus and system
CN106656939A (en) National secret SSL protocol and standard SSL protocol forwarding system and method
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN115277060A (en) URL (Uniform resource locator) filtering method based on HTTPS (Hypertext transfer protocol secure) protocol, security equipment and storage medium
CN113612790B (en) Data security transmission method and device based on equipment identity pre-authentication
CN114826692A (en) Information login system, method, electronic device and storage medium
KR101971995B1 (en) Method for decryping secure sockets layer for security
CN115118713B (en) Data processing method and device and electronic equipment
CN116545995A (en) Portal authentication method, system, equipment and storage medium based on HTTPS

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination