CN117319076A

CN117319076A - Network request interception method and device and electronic equipment

Info

Publication number: CN117319076A
Application number: CN202311466223.2A
Authority: CN
Inventors: 乔杰
Original assignee: Beijing Volcano Engine Technology Co Ltd
Current assignee: Beijing Volcano Engine Technology Co Ltd
Priority date: 2023-11-06
Filing date: 2023-11-06
Publication date: 2023-12-29

Abstract

The embodiments of the present application disclose network request interception methods, devices and electronic devices. A specific implementation of the method includes: in response to receiving a network request, obtaining the target address of the network request, where the target address includes an Internet protocol address and/or a gateway address, and the network request originates from a publisher in a publish-subscribe model. The subscription model includes publishers and subscribers. The publisher sends messages to the topic, and the subscriber consumes the messages in the subscribed topic; performs a preset operation on the target address to obtain the index value to determine whether the target topic exists, where, The target topic is the topic corresponding to the index value; if it exists, the request information of the network request is sent to the target topic so that the target subscriber can obtain the request information and determine whether to intercept the network request, where the target subscriber is the subscription Subscribers to the target topic. This implementation decouples the production and consumption of network requests to improve system performance.

Description

Network request interception method, device and electronic device

技术领域Technical field

本公开实施例涉及计算机技术领域，具体涉及网络请求拦截方法、装置和电子设备。The embodiments of the present disclosure relate to the field of computer technology, and specifically to network request interception methods, devices and electronic devices.

背景技术Background technique

随着互联网技术的发展，服务器每天会接收到大量的网络请求，一些异常或者违法请求会威胁服务器的安全，造成服务器瘫痪或者非法获取用户信息，此时，需要对这些异常或者违法的网络请求进行拦截。With the development of Internet technology, servers will receive a large number of network requests every day. Some abnormal or illegal requests will threaten the security of the server, causing the server to paralyze or illegally obtain user information. At this time, these abnormal or illegal network requests need to be processed. Interception.

现有的网络请求的拦截多集中在Nginx的IP名单设置，以及系统内部的网络身份信息验证来进行限制。上述两种针对网络请求的限制在技术实现层面上主要采用的是IP地址信息判断，以及服务器业务系统的网络地址信息，网络请求头信息进行具体的伪冒判断。Existing interception of network requests is mostly focused on Nginx's IP list settings and network identity information verification within the system. The above two restrictions on network requests mainly use IP address information judgment at the technical implementation level, as well as the network address information of the server business system and network request header information for specific counterfeiting judgment.

发明内容Contents of the invention

提供该公开内容部分以便以简要的形式介绍构思，这些构思将在后面的具体实施方式部分被详细描述。该公开内容部分并不旨在标识要求保护的技术方案的关键特征或必要特征，也不旨在用于限制所要求的保护的技术方案的范围。This Disclosure is provided to introduce in simplified form the concepts that are later described in detail in the Detailed Description. This disclosure section is not intended to identify key features or essential features of the claimed technical solution, nor is it intended to be used to limit the scope of the claimed technical solution.

第一方面，本公开实施例提供了一种网络请求拦截方法，包括：响应于接收到网络请求，获取网络请求的目标地址，其中，目标地址包括互联网协议地址和/或网关地址，网络请求来源于发布订阅模型中的发布者，发布订阅模型包括发布者和订阅者，发布者将消息发送到主题中，订阅者对所订阅的主题中的消息进行消费；对目标地址进行预设运算得到索引值，确定是否存在目标主题，其中，目标主题是与索引值对应的主题；若存在，则将网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截，其中，目标订阅者为订阅目标主题的订阅者。In a first aspect, embodiments of the present disclosure provide a method for intercepting network requests, including: in response to receiving a network request, obtaining a target address of the network request, where the target address includes an Internet protocol address and/or a gateway address, and the source of the network request. For publishers in the publish-subscribe model, the publish-subscribe model includes publishers and subscribers. The publisher sends messages to topics, and subscribers consume messages in the subscribed topics; preset operations are performed on the target address to obtain the index. value to determine whether there is a target topic, where the target topic is the topic corresponding to the index value; if it exists, the request information of the network request is sent to the target topic so that the target subscriber can obtain the request information and determine whether to make the network request. Perform interception, where the target subscriber is the subscriber who subscribes to the target topic.

第二方面，本公开实施例提供了一种网络请求拦截装置，包括：获取单元，用于响应于接收到网络请求，获取网络请求的目标地址，其中，目标地址包括互联网协议地址和/或网关地址，网络请求来源于发布订阅模型中的发布者，发布订阅模型包括发布者和订阅者，发布者将消息发送到主题中，订阅者对所订阅的主题中的消息进行消费；确定单元，用于对目标地址进行预设运算得到索引值，确定是否存在目标主题，其中，目标主题是与索引值对应的主题；拦截单元，用于若存在，则将网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截，其中，目标订阅者为订阅目标主题的订阅者。In a second aspect, embodiments of the present disclosure provide a network request interception device, including: an acquisition unit, configured to obtain the target address of the network request in response to receiving the network request, wherein the target address includes an Internet protocol address and/or a gateway Address, the network request comes from the publisher in the publish-subscribe model. The publish-subscribe model includes publishers and subscribers. The publisher sends messages to the topic, and the subscriber consumes the messages in the subscribed topic; determine the unit with Perform a preset operation on the target address to obtain the index value to determine whether there is a target topic, where the target topic is the topic corresponding to the index value; the interception unit is used to send the request information of the network request to the target topic if it exists , for the target subscriber to obtain the request information and determine whether to intercept the network request, where the target subscriber is the subscriber that subscribes to the target topic.

第三方面，本公开实施例提供了一种电子设备，包括：一个或多个处理器；存储装置，用于存储一个或多个程序，当所述一个或多个程序被所述一个或多个处理器执行，使得所述一个或多个处理器实现如第一方面所述的网络请求拦截方法。In a third aspect, embodiments of the present disclosure provide an electronic device, including: one or more processors; a storage device configured to store one or more programs. When the one or more programs are processed by the one or more Execution by multiple processors causes the one or more processors to implement the network request interception method described in the first aspect.

第四方面，本公开实施例提供了一种计算机可读介质，其上存储有计算机程序，该程序被处理器执行时实现如第一方面所述的网络请求拦截方法的步骤。In a fourth aspect, embodiments of the present disclosure provide a computer-readable medium on which a computer program is stored. When the program is executed by a processor, the steps of the network request interception method as described in the first aspect are implemented.

本公开实施例提供的网络请求拦截方法、装置和电子设备，通过响应于接收到发布订阅模型中的发布者发送的网络请求，获取上述网络请求的目标地址；之后，对上述目标地址进行预设运算得到索引值，确定是否存在与索引值对应的目标主题；若存在，则将上述网络请求的请求信息发送到上述目标主题中，以供订阅上述目标主题的订阅者获取上述请求信息并确定是否对上述网络请求进行拦截。通过使用发布订阅模式处理网络请求，生产者这端生产出网络请求之后，在订阅者这端确定是否对网络请求进行拦截，从而将网络请求的生产和消费进行解耦，提高系统性能。The network request interception method, device and electronic device provided by the embodiments of the present disclosure obtain the target address of the above-mentioned network request by responding to the network request sent by the publisher in the publish-subscribe model; and then preset the above-mentioned target address. The operation obtains the index value and determines whether there is a target topic corresponding to the index value; if it exists, the request information of the above network request is sent to the above target topic so that subscribers who subscribe to the above target topic can obtain the above request information and determine whether Intercept the above network requests. By using the publish-subscribe model to process network requests, after the producer side generates the network request, the subscriber side determines whether to intercept the network request, thereby decoupling the production and consumption of network requests and improving system performance.

附图说明Description of drawings

结合附图并参考以下具体实施方式，本公开各实施例的上述和其他特征、优点及方面将变得更加明显。贯穿附图中，相同或相似的附图标记表示相同或相似的元素。应当理解附图是示意性的，原件和元素不一定按照比例绘制。The above and other features, advantages, and aspects of various embodiments of the present disclosure will become more apparent with reference to the following detailed description taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It is to be understood that the drawings are schematic and that elements and elements are not necessarily drawn to scale.

图1是根据本公开的网络请求拦截方法的一个实施例的流程图；Figure 1 is a flow chart of an embodiment of a network request interception method according to the present disclosure;

图2是根据本公开的网络请求拦截方法中目标订阅者对网络请求进行拦截的一个实施例的流程图；Figure 2 is a flow chart of one embodiment of interception of network requests by a target subscriber in the network request interception method according to the present disclosure;

图3是根据本公开的网络请求拦截装置的一个实施例的结构示意图；Figure 3 is a schematic structural diagram of an embodiment of a network request interception device according to the present disclosure;

图4是本公开的各个实施例可以应用于其中的示例性系统架构图；Figure 4 is an exemplary system architecture diagram in which various embodiments of the present disclosure may be applied;

图5是适于用来实现本公开实施例的电子设备的计算机系统的结构示意图。FIG. 5 is a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present disclosure.

具体实施方式Detailed ways

下面将参照附图更详细地描述本公开的实施例。虽然附图中显示了本公开的某些实施例，然而应当理解的是，本公开可以通过各种形式来实现，而且不应该被解释为限于这里阐述的实施例，相反提供这些实施例是为了更加透彻和完整地理解本公开。应当理解的是，本公开的附图及实施例仅用于示例性作用，并非用于限制本公开的保护范围。Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, which rather are provided for A more thorough and complete understanding of this disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of the present disclosure.

应当理解，本公开的方法实施方式中记载的各个步骤可以按照不同的顺序执行，和/或并行执行。此外，方法实施方式可以包括附加的步骤和/或省略执行示出的步骤。本公开的范围在此方面不受限制。It should be understood that various steps described in the method implementations of the present disclosure may be executed in different orders and/or in parallel. Furthermore, method embodiments may include additional steps and/or omit performance of illustrated steps. The scope of the present disclosure is not limited in this regard.

本文使用的术语“包括”及其变形是开放性包括，即“包括但不限于”。术语“基于”是“至少部分地基于”。术语“一个实施例”表示“至少一个实施例”；术语“另一实施例”表示“至少一个另外的实施例”；术语“一些实施例”表示“至少一些实施例”。其他术语的相关定义将在下文描述中给出。As used herein, the term "include" and its variations are open-ended, ie, "including but not limited to." The term "based on" means "based at least in part on." The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; and the term "some embodiments" means "at least some embodiments". Relevant definitions of other terms will be given in the description below.

需要注意，本公开中提及的“第一”、“第二”等概念仅用于对不同的装置、模块或单元进行区分，并非用于限定这些装置、模块或单元所执行的功能的顺序或者相互依存关系。It should be noted that concepts such as “first” and “second” mentioned in this disclosure are only used to distinguish different devices, modules or units, and are not used to limit the order of functions performed by these devices, modules or units. Or interdependence.

需要注意，本公开中提及的“一个”、“多个”的修饰是示意性而非限制性的，本领域技术人员应当理解，除非在上下文另有明确指出，否则应该理解为“一个或多个”。It should be noted that the modifications of "one" and "plurality" mentioned in this disclosure are illustrative and not restrictive. Those skilled in the art will understand that unless the context clearly indicates otherwise, it should be understood as "one or Multiple”.

本公开实施方式中的多个装置之间所交互的消息或者信息的名称仅用于说明性的目的，而并不是用于对这些消息或信息的范围进行限制。The names of messages or information exchanged between multiple devices in the embodiments of the present disclosure are for illustrative purposes only and are not used to limit the scope of these messages or information.

请参考图1，示出了根据本公开的网络请求拦截方法的一个实施例的流程100。该网络请求拦截方法，包括以下步骤：Please refer to FIG. 1 , which shows a process 100 of one embodiment of a network request interception method according to the present disclosure. This network request interception method includes the following steps:

步骤101，响应于接收到网络请求，获取网络请求的目标地址。Step 101: In response to receiving the network request, obtain the target address of the network request.

在本实施例中，网络请求拦截方法的执行主体可以确定是否接收到网络请求。上述网络请求通常来源于发布订阅模型中的发布者，发布订阅模型包括发布者和订阅者，发布者将消息发送到主题中，订阅者对所订阅的主题中的消息进行消费。主题可以理解为存放消息的容器。In this embodiment, the execution subject of the network request interception method can determine whether a network request is received. The above network requests usually originate from the publisher in the publish-subscribe model. The publish-subscribe model includes publishers and subscribers. The publisher sends messages to the topic, and the subscriber consumes the messages in the subscribed topic. A topic can be understood as a container for storing messages.

在软件架构中，发布订阅是一种消息范式，消息的发送者(称为发布者)不会将消息直接发送给特定的接收者(称为订阅者)。而是将发布的消息分为不同的类别，无需了解哪些订阅者(如果有的话)可能存在。同样的，订阅者可以表达对一个或多个类别的兴趣，只接收感兴趣的消息，无需了解哪些发布者(如果有的话)存在。In software architecture, publish-subscribe is a messaging paradigm in which the sender of a message (called a publisher) does not send the message directly to a specific receiver (called a subscriber). Instead, published messages are grouped into different categories without knowing which subscribers (if any) might exist. Likewise, subscribers can express interest in one or more categories and receive only messages of interest without knowing which publishers (if any) exist.

若接收到网络请求，则上述执行主体可以获取上述网络请求的目标地址。在这里，上述目标地址通常包括互联网协议(Internet Protocol Address，IP)地址和/或网关地址。If a network request is received, the above execution subject can obtain the target address of the above network request. Here, the above-mentioned target address usually includes an Internet Protocol Address (IP) address and/or a gateway address.

步骤102，对目标地址进行预设运算得到索引值，确定是否存在目标主题。Step 102: Perform a preset operation on the target address to obtain the index value, and determine whether the target topic exists.

在本实施例中，上述执行主体可以对上述目标地址进行预设运算得到索引值。在这里，上述执行主体可以利用RSA算法对上述目标地址进行计算得到索引值。RSA是一种非对称加密算法，所谓非对称就是指该算法需要一对密钥，使用其中一个加密，则需要用另一个才能解密。索引提供指向存储在表的指定列中的数据值的指针，然后根据您指定的排序顺序对这些指针排序。数据库使用索引以找到特定值，然后顺指针找到包含该值的行，这样可以使对应于表的SQL语句执行得更快，可快速访问数据库表中的特定信息。In this embodiment, the execution subject may perform a preset operation on the target address to obtain an index value. Here, the above execution subject can use the RSA algorithm to calculate the above target address to obtain the index value. RSA is an asymmetric encryption algorithm. The so-called asymmetry means that the algorithm requires a pair of keys. If you use one of them to encrypt, you need to use the other to decrypt. Indexes provide pointers to data values stored in specified columns of a table, and then sort these pointers according to a sort order that you specify. The database uses indexes to find a specific value and then points forward to find the row containing that value. This allows SQL statements corresponding to the table to execute faster and allows quick access to specific information in the database table.

之后，上述执行主体可以确定是否存在目标主题，上述目标主题通常是指与上述索引值对应的主题。上述执行主体中可以存储有索引值与主题之间的对应关系的对应关系表，上述执行主体可以将上述索引值作为key，在上述对应关系表中查询是否存在与key对应的主题(即value)。Afterwards, the above-mentioned execution subject can determine whether there is a target topic, and the above-mentioned target topic usually refers to the topic corresponding to the above-mentioned index value. The above-mentioned execution subject may store a correspondence table containing the correspondence between the index value and the topic. The above-mentioned execution subject may use the above-mentioned index value as a key and query whether there is a topic (i.e. value) corresponding to the key in the above-mentioned correspondence table. .

需要说明的是，来源于同一个区域的目标地址对应的索引值通常指向同一个主题。It should be noted that the index values corresponding to target addresses from the same area usually point to the same topic.

若存在目标主题，则上述执行主体可以执行步骤103。If the target topic exists, the above execution subject can execute step 103.

步骤103，若存在，则将网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截。Step 103, if it exists, send the request information of the network request to the target topic so that the target subscriber can obtain the request information and determine whether to intercept the network request.

在本实施例中，若在步骤102中确定出存在目标主题，则上述执行主体可以将上述网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截。上述目标订阅者通常为订阅上述目标主题的订阅者。上述请求信息可以包括但不限于：IP地址、网关地址、内容类型、字符集、请求时间、内容长度和操作。In this embodiment, if it is determined that the target topic exists in step 102, the execution subject may send the request information of the network request to the target topic, so that the target subscriber can obtain the request information and determine whether to perform the network request. Interception. The above target subscribers are usually subscribers who subscribe to the above target topic. The above request information may include but is not limited to: IP address, gateway address, content type, character set, request time, content length and operation.

作为示例，上述请求信息可以为："IP":"128.12.11.244","gateway":"HTTP/1.1200OK；Jerry-Response-data:response-jerry；Content-Type:text/html；charset＝UTF-8；Date:Fri,30Sep 2022 09:35:22GMT；content-length:"2","operate":"query"。As an example, the above request information can be: "IP": "128.12.11.244", "gateway": "HTTP/1.1200OK; Jerry-Response-data: response-jerry; Content-Type: text/html; charset=UTF -8; Date: Fri, 30Sep 2022 09:35:22GMT; content-length: "2", "operate": "query".

具体地，上述执行主体将上述网络请求的请求信息发送到目标主题之后，订阅该目标主题的目标订阅者会接收到通知，并从该目标主题中获取上述请求信息；之后，目标订阅者可以确定是否对上述网络请求进行拦截。Specifically, after the above execution subject sends the request information of the above network request to the target topic, the target subscriber who subscribes to the target topic will receive the notification and obtain the above request information from the target topic; after that, the target subscriber can determine Whether to intercept the above network requests.

作为示例，上述目标订阅者可以确定上述网络请求是否符合预设拦截规则，若符合上述拦截规则，则可以对上述网络请求进行拦截。上述拦截规则可以为在预设第一时长(例如，1分钟)内来源于同一个IP地址的网络请求的同类型操作的执行次数超过预设第一次数阈值(例如，20次)，也可以为在预设第二时长(例如，2分钟)内来源于同一个IP地址的网络请求的任意操作的执行次数超过预设次数(例如，60次)，在此不做具体限制。As an example, the above-mentioned target subscriber can determine whether the above-mentioned network request complies with the preset interception rules, and if it meets the above-mentioned interception rules, the above-mentioned network request can be intercepted. The above interception rule may be that the number of executions of the same type of operation from a network request originating from the same IP address exceeds the preset first count threshold (for example, 20 times) within a preset first period of time (for example, 1 minute), or It can be that the number of executions of any operation from a network request originating from the same IP address exceeds the preset number of times (for example, 60 times) within a preset second period of time (for example, 2 minutes), and there is no specific limit here.

本公开的上述实施例提供的方法通过响应于接收到发布订阅模型中的发布者发送的网络请求，获取上述网络请求的目标地址；之后，对上述目标地址进行预设运算得到索引值，确定是否存在与索引值对应的目标主题；若存在，则将上述网络请求的请求信息发送到上述目标主题中，以供订阅上述目标主题的订阅者获取上述请求信息并确定是否对上述网络请求进行拦截。通过使用发布订阅模式处理网络请求，生产者这端生产出网络请求之后，在订阅者这端确定是否对网络请求进行拦截，从而将网络请求的生产和消费进行解耦，提高系统性能。The method provided by the above-mentioned embodiments of the present disclosure obtains the target address of the above-mentioned network request by responding to the network request sent by the publisher in the publish-subscribe model; then, performs a preset operation on the above-mentioned target address to obtain the index value, and determines whether There is a target topic corresponding to the index value; if it exists, the request information of the above-mentioned network request is sent to the above-mentioned target topic, so that subscribers who subscribe to the above-mentioned target topic can obtain the above-mentioned request information and determine whether to intercept the above-mentioned network request. By using the publish-subscribe model to process network requests, after the producer side generates the network request, the subscriber side determines whether to intercept the network request, thereby decoupling the production and consumption of network requests and improving system performance.

在一些可选的实现方式中，上述目标订阅者可以通过如下步骤确定是否对上述网络请求进行拦截：上述目标订阅者可以确定上述目标地址是否存在于预设的待拦截地址集合中。上述待拦截地址集合通常存放在Nginx中，网络请求通常会先经过Nginx。Nginx是一个web服务器也可以用来做负载均衡及反向代理使用，目前使用最多的就是负载均衡。In some optional implementations, the target subscriber can determine whether to intercept the network request through the following steps: the target subscriber can determine whether the target address exists in a preset set of addresses to be intercepted. The above set of addresses to be intercepted is usually stored in Nginx, and network requests usually go through Nginx first. Nginx is a web server that can also be used for load balancing and reverse proxy. Currently, load balancing is the most commonly used.

若未存在于上述待拦截地址集合中，则上述目标订阅者可以确定上述网络请求是否符合预设拦截规则。上述拦截规则可以为来源于同一个用户或同一区域(例如，同一机房)的IP地址在预设第三时长(例如，1分钟)内的同类型操作的执行次数超过预设第三次数阈值(例如，40次)，也可以为来源于同一个用户或同一区域的IP地址在预设第四时长(例如，2分钟)内的任意操作的执行次数超过预设第四次数阈值(例如，80次)，在此不做具体限制。If it does not exist in the above set of addresses to be intercepted, the above target subscriber can determine whether the above network request complies with the preset interception rules. The above interception rule may be that the number of executions of the same type of operation by an IP address originating from the same user or the same area (for example, the same computer room) within a preset third period of time (for example, 1 minute) exceeds the preset third threshold ( For example, 40 times), or the number of executions of any operation by an IP address originating from the same user or the same region within a preset fourth period of time (for example, 2 minutes) exceeds the preset fourth threshold (for example, 80 times). times), there are no specific restrictions here.

若上述网络请求符合上述拦截规则，则上述目标订阅者可以确定上述目标地址是否存在于预设的可疑地址集合中。上述可疑地址集合中的地址通常为之前已被确认符合上述拦截规则的地址。If the above network request complies with the above interception rule, the above target subscriber can determine whether the above target address exists in the preset suspicious address set. The addresses in the above suspicious address collection are usually addresses that have been previously confirmed to comply with the above blocking rules.

若存在于上述可疑地址集合中，则可以将上述目标地址添加到上述待拦截地址集合中。也就是说，若上述目标地址再次被判定为可疑地址，则就会被添加到上述待拦截地址集合中。If it exists in the above set of suspicious addresses, the above target address can be added to the above set of addresses to be intercepted. In other words, if the above target address is determined to be a suspicious address again, it will be added to the above set of addresses to be intercepted.

通过这种方式可以对可疑网络请求进行二次验证，防止对可疑IP地址的误操作，可以更加准确地对网络请求进行拦截。In this way, suspicious network requests can be verified twice, preventing misuse of suspicious IP addresses, and intercepting network requests more accurately.

在一些可选的实现方式中，上述目标订阅者可以通过如下方式将上述目标地址添加到上述待拦截地址集合中：上述目标订阅者可以确定上述目标地址在上述可疑地址集合中对应的目标字段是否为第一数值。上述目标字段通常表征是否已被添加到待拦截地址集合中，上述第一数值通常表征地址为可疑地址。In some optional implementations, the above-mentioned target subscriber can add the above-mentioned target address to the above-mentioned set of addresses to be intercepted in the following manner: the above-mentioned target subscriber can determine whether the target field corresponding to the above-mentioned target address in the above-mentioned suspicious address set is is the first value. The above target field usually indicates whether the address has been added to the set of addresses to be intercepted, and the above first value usually indicates that the address is a suspicious address.

若判断出上述目标字段为上述第一数值，则可以将上述目标字段的数值修改为第二数值，上述第二数值通常表征未被添加到上述待拦截地址集合中。If it is determined that the target field is the first value, the value of the target field can be modified to a second value. The second value usually indicates that the address has not been added to the set of addresses to be intercepted.

响应于检测到上述目标字段的数值为第二数值，上述目标订阅者可以将上述目标地址添加到上述待拦截地址集合中。也就是说，在判断出上述目标地址为可疑地址且未被添加到上述待拦截地址集合中，则可以将其添加到待拦截地址集合中。In response to detecting that the value of the target field is the second value, the target subscriber may add the target address to the set of addresses to be intercepted. That is to say, after it is determined that the above target address is a suspicious address and has not been added to the above set of addresses to be intercepted, it can be added to the set of addresses to be intercepted.

需要说明的是，在将上述目标地址添加到上述待拦截地址集合之后，会将述目标地址对应的目标字段的数值修改为第三数值，上述第三数值通常表征已被添加到待拦截地址集合中。It should be noted that after the above target address is added to the above set of addresses to be intercepted, the value of the target field corresponding to the above target address will be modified to a third value. The above third value usually indicates that it has been added to the set of addresses to be intercepted. middle.

这种通过对目标地址对应的目标字段判断的方式实现了IP地址和网关地址是否违规的判断逻辑。This method of judging whether the IP address and gateway address violates the rules is implemented by judging the target field corresponding to the target address.

在一些可选的实现方式中，上述目标订阅者可以通过如下方式响应于检测到上述目标字段的数值为第二数值，将上述目标地址添加到上述待拦截地址集合中：上述目标订阅者可以设置定时任务，在定时任务被触发后，上述目标订阅者会接收到定时任务执行指令，之后，可以检索出上述可疑地址集合中目标字段为上述第二数值的地址。而后，可以将检索出的地址添加到上述待拦截地址集合中，以及将上述检索出的地址对应的目标字段的数值修改为第三数值，上述第三数值通常表征已被添加到待拦截地址集合中。In some optional implementations, the above-mentioned target subscriber can respond to detecting that the value of the above-mentioned target field is the second value in the following manner, adding the above-mentioned target address to the above-mentioned set of addresses to be intercepted: the above-mentioned target subscriber can set For scheduled tasks, after the scheduled task is triggered, the above-mentioned target subscriber will receive the scheduled task execution instruction. After that, the address whose target field is the above-mentioned second value in the above-mentioned suspicious address set can be retrieved. Then, the retrieved address can be added to the above set of addresses to be intercepted, and the value of the target field corresponding to the above retrieved address can be modified to a third value. The above third value usually indicates that the address has been added to the set of addresses to be intercepted. middle.

需要说明的是，将检索出的地址添加到上述待拦截地址集合之后，需要对Nginx进行重启，重启后的Nginx会利用更新后的待拦截地址集合对后续接收到的地址进行拦截判断。It should be noted that after adding the retrieved address to the above set of addresses to be intercepted, Nginx needs to be restarted. After restarting, Nginx will use the updated set of addresses to be intercepted to intercept subsequent addresses received.

在这里，上述目标字段可以为“是否已被添加到Nginx”字段，作为示例，上述第一数值可以为2，上述第二数值可以为1，上述第三数值可以为0。Here, the above-mentioned target field may be a "whether it has been added to Nginx" field. As an example, the above-mentioned first value may be 2, the above-mentioned second value may be 1, and the above-mentioned third value may be 0.

这种方式通过定时任务执行的方式将地址违规判断与添加到待拦截集合这两个任务进行解耦，进一步提高系统性能。This method decouples the two tasks of determining address violations and adding them to the set to be intercepted through scheduled task execution, further improving system performance.

在一些可选的实现方式中，在确定上述目标地址是否存在于预设的可疑地址集合中之后，若确定出不存在于上述可疑地址集合中，则上述目标订阅者可以将上述目标地址存储到上述可疑地址集合中，字段信息可以分别是自增ID字段、IP地址字段、网关信息字段和上述目标字段，通常将上述目标字段设置为上述第一数值，即默认上述目标地址为可疑地址。通过这种方式可以将第一次违规的网络请求的目标地址添加到可疑地址集合中，相比于直接对网络请求进行拦截，这种方式可以防止对网络请求的误拦截。In some optional implementations, after determining whether the above-mentioned target address exists in the preset suspicious address set, if it is determined that it does not exist in the above-mentioned suspicious address set, the above-mentioned target subscriber can store the above-mentioned target address in In the above set of suspicious addresses, the field information may be an auto-incremented ID field, an IP address field, a gateway information field and the above-mentioned target field. Usually, the above-mentioned target field is set to the above-mentioned first value, that is, the above-mentioned target address is a suspicious address by default. In this way, the target address of the first violating network request can be added to the set of suspicious addresses. Compared with directly intercepting network requests, this method can prevent mistaken interception of network requests.

在一些可选的实现方式中，在确定上述目标地址是否存在于预设的待拦截地址集合中之后，若确定出存在于上述待拦截地址集合中，则上述目标订阅者可以对上述网络请求进行拦截，也就是说，在上述网络请求经过Nginx服务器时，直接被Nginx服务器拦截。In some optional implementations, after determining whether the above-mentioned target address exists in the preset set of addresses to be intercepted, if it is determined to exist in the above set of addresses to be intercepted, the above-mentioned target subscriber can make the above-mentioned network request. Interception, that is to say, when the above network request passes through the Nginx server, it is directly intercepted by the Nginx server.

在一些可选的实现方式中，索引值与主题之间的对应关系可以是通过如下方式确定的：可以获取预设地址库，该地址库中可以存储有已知的目标地址，例如，已接收到的网络请求的IP地址和网关地址。之后，针对上述地址库中的每个地址，可以对该地址进行预设运算得到索引值。作为示例，可以分别对IP地址和网关地址进行哈希运算得到哈希码作为索引值，也可以分别对IP地址和网关地址进行RSA运算得到索引值。而后，可以将该索引值与上述发布订阅模型中的一个主题进行匹配，生成该索引值与该主题之间的对应关系。需要说明的是，来源于同一个区域的地址对应的索引值通常与同一个主题相匹配。一个主题可以只与一个区域的地址的索引值相对应，也可以与多个区域的地址的索引值相对应。In some optional implementations, the correspondence between the index value and the topic can be determined in the following way: a preset address library can be obtained, and the address library can store known target addresses, for example, received The IP address and gateway address of the network request. Afterwards, for each address in the above address library, a preset operation can be performed on the address to obtain an index value. As an example, you can perform a hash operation on the IP address and the gateway address respectively to obtain the hash code as the index value, or you can perform an RSA operation on the IP address and the gateway address respectively to obtain the index value. Then, the index value can be matched with a topic in the above publish-subscribe model to generate a corresponding relationship between the index value and the topic. It should be noted that the index values corresponding to addresses originating from the same area usually match the same topic. A topic can only correspond to the index value of the address of one area, or it can correspond to the index value of the addresses of multiple areas.

在一些可选的实现方式中，上述执行主体可以通过如下方式对上述目标地址进行预设运算得到索引值：上述执行主体可以对上述目标地址进行哈希(Hash)运算得到哈希码(Hash Code)作为索引值。哈希是把任意长度的输入(又叫做预映射pre-image)，通过散列算法变换成固定长度的输出，该输出就是散列值。这种转换是一种压缩映射，也就是，散列值的空间通常远小于输入的空间，不同的输入可能会散列成相同的输出，所以不可能从散列值来确定唯一的输入值。简单的说就是一种将任意长度的消息压缩到某一固定长度的消息摘要的函数。In some optional implementations, the above-mentioned execution subject can perform a preset operation on the above-mentioned target address to obtain the index value in the following manner: the above-mentioned execution subject can perform a hash operation on the above-mentioned target address to obtain a hash code. ) as the index value. Hashing converts input of any length (also called pre-mapping pre-image) into a fixed-length output through a hash algorithm, and the output is the hash value. This transformation is a compressed mapping, that is, the space of hash values is usually much smaller than the space of inputs, and different inputs may hash to the same output, so it is impossible to determine a unique input value from the hash value. Simply put, it is a function that compresses a message of any length into a message digest of a fixed length.

在一些可选的实现方式中，上述发布订阅模型可以为卡夫卡(Kafka)系统。Kafka是一款分布式流媒体平台，是一种高吞吐量、持久性、分布式的发布订阅的消息队列系统。利用Kafka系统对网络请求进行拦截，可以提高请求拦截效果。In some optional implementations, the above publish-subscribe model can be a Kafka system. Kafka is a distributed streaming media platform and a high-throughput, durable, distributed publish-subscribe message queue system. Using the Kafka system to intercept network requests can improve the request interception effect.

继续参考图2，其示出了网络请求拦截方法中目标订阅者对网络请求进行拦截的一个实施例的流程200。该网络请求拦截方法的流程200，包括以下步骤：Continuing to refer to FIG. 2 , it shows a process 200 of one embodiment in which a target subscriber intercepts a network request in the network request interception method. The process 200 of the network request interception method includes the following steps:

步骤201，确定目标地址是否存在于预设的待拦截地址集合中。Step 201: Determine whether the target address exists in a preset set of addresses to be intercepted.

在本实施例中，目标订阅者可以确定上述目标地址是否存在于预设的待拦截地址集合中。上述待拦截地址集合通常存放在Nginx中，网络请求通常会先经过Nginx。Nginx是一个web服务器也可以用来做负载均衡及反向代理使用，目前使用最多的就是负载均衡。In this embodiment, the target subscriber can determine whether the above target address exists in a preset set of addresses to be intercepted. The above set of addresses to be intercepted is usually stored in Nginx, and network requests usually go through Nginx first. Nginx is a web server that can also be used for load balancing and reverse proxy. Currently, load balancing is the most commonly used.

若确定出未存在于上述待拦截地址集合中，则上述目标订阅者可以执行步骤202。If it is determined that the address does not exist in the set of addresses to be intercepted, the target subscriber may perform step 202.

若确定出存在于上述待拦截地址集合中，则上述目标订阅者可以执行步骤209。If it is determined that the address exists in the set of addresses to be intercepted, the target subscriber may perform step 209.

步骤202，若未存在于待拦截地址集合中，则确定网络请求是否符合预设拦截规则。Step 202: If the address does not exist in the set of addresses to be intercepted, determine whether the network request complies with the preset interception rules.

在本实施例中，若在步骤201中确定出未存在于待拦截地址集合中，则上述目标订阅者可以确定上述网络请求是否符合预设拦截规则。In this embodiment, if it is determined in step 201 that the address does not exist in the set of addresses to be intercepted, the target subscriber can determine whether the network request complies with the preset interception rules.

上述拦截规则可以为来源于同一个用户或同一区域(例如，同一机房)的IP地址在预设第三时长(例如，1分钟)内的同类型操作的执行次数超过预设第三次数阈值(例如，40次)，也可以为来源于同一个用户或同一区域的IP地址在预设第四时长(例如，2分钟)内的任意操作的执行次数超过预设第四次数阈值(例如，80次)，在此不做具体限制。The above interception rule may be that the number of executions of the same type of operation by an IP address originating from the same user or the same area (for example, the same computer room) within a preset third period of time (for example, 1 minute) exceeds the preset third threshold ( For example, 40 times), or the number of executions of any operation by an IP address originating from the same user or the same region within a preset fourth period of time (for example, 2 minutes) exceeds the preset fourth threshold (for example, 80 times). times), there are no specific restrictions here.

若确定出符合上述拦截规则，则上述目标订阅者可以执行步骤203。If it is determined that the above interception rules are met, the above target subscriber can perform step 203.

步骤203，若符合拦截规则，则确定目标地址是否存在于预设的可疑地址集合中。Step 203: If the interception rules are met, determine whether the target address exists in a preset suspicious address set.

在本实施例中，若在步骤202中确定出符合上述拦截规则，则上述目标订阅者可以确定上述目标地址是否存在于预设的可疑地址集合中。上述可疑地址集合中的地址通常为之前已被确认符合上述拦截规则的地址。In this embodiment, if it is determined in step 202 that the interception rule is met, the target subscriber can determine whether the target address exists in a preset suspicious address set. The addresses in the above suspicious address collection are usually addresses that have been previously confirmed to comply with the above blocking rules.

若存在于上述可疑地址集合中，则上述目标订阅者可以执行步骤204。If it exists in the above suspicious address set, the above target subscriber can perform step 204.

若不存在于上述可疑地址集合中，则上述目标订阅者可以执行步骤208。If it does not exist in the above suspicious address set, the above target subscriber can perform step 208.

步骤204，若存在于可疑地址集合中，则确定目标地址在可疑地址集合中对应的目标字段是否为第一数值。Step 204: If it exists in the suspicious address set, determine whether the target field corresponding to the target address in the suspicious address set is the first value.

在本实施例中，若在步骤203中确定出存在于上述可疑地址集合中，则上述目标订阅者可以确定上述目标地址在上述可疑地址集合中对应的目标字段是否为第一数值。上述目标字段通常表征是否已被添加到待拦截地址集合中，上述第一数值通常表征地址为可疑地址。In this embodiment, if it is determined in step 203 that the target address exists in the suspicious address set, the target subscriber can determine whether the target field corresponding to the target address in the suspicious address set is the first value. The above target field usually indicates whether the address has been added to the set of addresses to be intercepted, and the above first value usually indicates that the address is a suspicious address.

若目标字段为第一数值，则上述目标订阅者可以执行步骤205。If the target field is the first value, the above target subscriber can perform step 205.

步骤205，若目标字段为第一数值，则将目标字段的数值修改为第二数值。Step 205: If the target field is the first value, modify the value of the target field to the second value.

在本实施例中，若在步骤204中判断出上述目标字段为上述第一数值，则上述目标订阅者可以将上述目标字段的数值修改为第二数值，上述第二数值通常表征未被添加到上述待拦截地址集合中。In this embodiment, if it is determined in step 204 that the target field is the first value, the target subscriber can modify the value of the target field to a second value. The second value usually indicates that the target field has not been added to In the above set of addresses to be intercepted.

步骤206，响应于接收到定时任务执行指令，检索出可疑地址集合中目标字段为第二数值的地址。Step 206: In response to receiving the scheduled task execution instruction, retrieve the address whose target field is the second value in the suspicious address set.

在本实施例中，上述目标订阅者可以设置定时任务，在定时任务被触发后，上述目标订阅者会接收到定时任务执行指令，之后，可以检索出上述可疑地址集合中目标字段为上述第二数值的地址。In this embodiment, the above-mentioned target subscriber can set a scheduled task. After the scheduled task is triggered, the above-mentioned target subscriber will receive the scheduled task execution instruction. After that, it can be retrieved that the target field in the above-mentioned suspicious address set is the above-mentioned second The address of the value.

步骤207，将检索出的地址添加到待拦截地址集合中，以及将检索出的地址对应的目标字段的数值修改为第三数值。Step 207: Add the retrieved address to the set of addresses to be intercepted, and modify the value of the target field corresponding to the retrieved address to a third value.

在本实施例中，上述目标订阅者可以将检索出的地址添加到上述待拦截地址集合中，以及将上述检索出的地址对应的目标字段的数值修改为第三数值，上述第三数值通常表征已被添加到待拦截地址集合中。In this embodiment, the target subscriber can add the retrieved address to the set of addresses to be intercepted, and modify the value of the target field corresponding to the retrieved address to a third value. The third value usually represents has been added to the set of addresses to be blocked.

步骤208，若不存在于可疑地址集合中，则将目标地址存储到可疑地址集合中，以及将目标字段设置为第一数值。Step 208: If it does not exist in the suspicious address set, store the target address in the suspicious address set, and set the target field to the first value.

在本实施例中，若在步骤203中确定出不存在于上述可疑地址集合中，则上述目标订阅者可以将上述目标地址存储到上述可疑地址集合中，字段信息可以分别是自增ID字段、IP地址字段、网关信息字段和上述目标字段，通常将上述目标字段设置为上述第一数值，即默认上述目标地址为可疑地址。In this embodiment, if it is determined in step 203 that it does not exist in the above-mentioned suspicious address set, the above-mentioned target subscriber can store the above-mentioned target address in the above-mentioned suspicious address set. The field information can be an auto-increment ID field, In the IP address field, the gateway information field and the above-mentioned target field, the above-mentioned target field is usually set to the above-mentioned first value, that is, the above-mentioned target address is a suspicious address by default.

步骤209，若存在于待拦截地址集合中，则对网络请求进行拦截。Step 209: If it exists in the set of addresses to be intercepted, intercept the network request.

在本实施例中，若在步骤201中确定出存在于上述待拦截地址集合中，则上述目标订阅者可以对上述网络请求进行拦截，也就是说，在上述网络请求经过Nginx服务器时，直接被Nginx服务器拦截。In this embodiment, if it is determined in step 201 that the target subscriber exists in the set of addresses to be intercepted, the target subscriber can intercept the network request. That is to say, when the network request passes through the Nginx server, it is directly intercepted. Nginx server interception.

本公开的上述实施例提供的方法可以对可疑网络请求进行二次验证，防止对可疑IP地址的误操作，可以更加准确地对网络请求进行拦截。此外，通过定时任务执行的方式将地址违规判断与添加到待拦截集合这两个任务进行解耦，进一步提高系统性能。The method provided by the above embodiments of the present disclosure can perform secondary verification on suspicious network requests, prevent misuse of suspicious IP addresses, and intercept network requests more accurately. In addition, the two tasks of determining address violations and adding to the set to be intercepted are decoupled through scheduled task execution to further improve system performance.

进一步参考图3，作为对上述各图所示方法的实现，本申请提供了一种网络请求拦截装置的一个实施例，该装置实施例与图1所示的方法实施例相对应，该装置具体可以应用于各种电子设备中。With further reference to Figure 3, as an implementation of the methods shown in the above figures, this application provides an embodiment of a network request interception device. The device embodiment corresponds to the method embodiment shown in Figure 1. The device is specifically Can be used in various electronic devices.

如图3所示，本实施例的网络请求拦截装置300包括：获取单元301、确定单元302和拦截单元303。其中，获取单元301用于响应于接收到网络请求，获取网络请求的目标地址，其中，目标地址包括互联网协议地址和/或网关地址，网络请求来源于发布订阅模型中的发布者，发布订阅模型包括发布者和订阅者，发布者将消息发送到主题中，订阅者对所订阅的主题中的消息进行消费；确定单元302用于对目标地址进行预设运算得到索引值，确定是否存在目标主题，其中，目标主题是与索引值对应的主题；拦截单元303用于若存在，则将网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截，其中，目标订阅者为订阅目标主题的订阅者。As shown in FIG. 3 , the network request interception device 300 in this embodiment includes: an acquisition unit 301 , a determination unit 302 and an interception unit 303 . Wherein, the obtaining unit 301 is used to obtain the target address of the network request in response to receiving the network request, where the target address includes an Internet protocol address and/or a gateway address, and the network request originates from the publisher in the publish-subscribe model. The publish-subscribe model Including publishers and subscribers, publishers send messages to topics, and subscribers consume messages in the subscribed topics; the determination unit 302 is used to perform a preset operation on the target address to obtain the index value, and determine whether the target topic exists , where the target topic is the topic corresponding to the index value; the interception unit 303 is used to send the request information of the network request to the target topic if it exists, so that the target subscriber can obtain the request information and determine whether to intercept the network request. , where the target subscriber is the subscriber who subscribes to the target topic.

在本实施例中，网络请求拦截装置300的获取单元301、确定单元302和拦截单元303的具体处理可以参考图1对应实施例中的步骤101、步骤102和步骤103。In this embodiment, the specific processing of the acquisition unit 301, the determination unit 302 and the interception unit 303 of the network request interception device 300 can refer to step 101, step 102 and step 103 in the corresponding embodiment of Figure 1.

在一些可选的实现方式中，目标订阅者通过如下步骤确定是否对网络请求进行拦截：确定目标地址是否存在于预设的待拦截地址集合中；若未存在于待拦截地址集合中，则确定网络请求是否符合预设拦截规则；若符合拦截规则，则确定目标地址是否存在于预设的可疑地址集合中；若存在于可疑地址集合中，则将目标地址添加到待拦截地址集合中。In some optional implementations, the target subscriber determines whether to intercept the network request through the following steps: determine whether the target address exists in the preset set of addresses to be intercepted; if it does not exist in the set of addresses to be intercepted, determine Whether the network request meets the preset interception rules; if it meets the interception rules, it is determined whether the target address exists in the preset suspicious address set; if it exists in the suspicious address set, the target address is added to the set of addresses to be intercepted.

在一些可选的实现方式中，目标订阅者通过如下步骤将目标地址添加到待拦截地址集合中：确定目标地址在可疑地址集合中对应的目标字段是否为第一数值，其中，目标字段表征是否已被添加到待拦截地址集合中，第一数值表征地址为可疑地址；若目标字段为第一数值，则将目标字段的数值修改为第二数值，其中，第二数值表征未被添加到待拦截地址集合中；响应于检测到目标字段的数值为第二数值，将目标地址添加到待拦截地址集合中。In some optional implementations, the target subscriber adds the target address to the set of addresses to be intercepted through the following steps: determine whether the target field corresponding to the target address in the suspicious address set is the first value, where the target field indicates whether has been added to the set of addresses to be intercepted, and the first numerical value indicates that the address is a suspicious address; if the target field is the first numerical value, the value of the target field is modified to the second numerical value, wherein the second numerical value indicates that the address has not been added to the set of addresses to be intercepted. in the set of intercepted addresses; in response to detecting that the value of the target field is the second value, the target address is added to the set of addresses to be intercepted.

在一些可选的实现方式中，目标订阅者通过如下步骤响应于检测到目标字段的数值为第二数值，将目标地址添加到待拦截地址集合中：响应于接收到定时任务执行指令，检索出可疑地址集合中目标字段为第二数值的地址；将检索出的地址添加到待拦截地址集合中，以及将检索出的地址对应的目标字段的数值修改为第三数值，其中，第三数值表征已被添加到待拦截地址集合中。In some optional implementations, the target subscriber responds to detecting that the value of the target field is the second value through the following steps: adding the target address to the set of addresses to be intercepted: in response to receiving the scheduled task execution instruction, retrieving The target field in the suspicious address set is an address with the second value; the retrieved address is added to the set of addresses to be intercepted, and the value of the target field corresponding to the retrieved address is modified to a third value, where the third value represents has been added to the set of addresses to be blocked.

在一些可选的实现方式中，在确定目标地址是否存在于预设的可疑地址集合中之后，步骤还包括：若不存在于可疑地址集合中，则将目标地址存储到可疑地址集合中，以及将目标字段设置为第一数值。In some optional implementations, after determining whether the target address exists in a preset suspicious address set, the step further includes: if it does not exist in the suspicious address set, storing the target address in the suspicious address set, and Set the target field to the first value.

在一些可选的实现方式中，在确定目标地址是否存在于预设的待拦截地址集合中之后，步骤还包括：若存在于待拦截地址集合中，则对网络请求进行拦截。In some optional implementations, after determining whether the target address exists in a preset set of addresses to be intercepted, the step further includes: intercepting the network request if it exists in the set of addresses to be intercepted.

在一些可选的实现方式中，索引值与主题之间的对应关系是通过如下方式确定的：获取预设地址库；针对地址库中的每个地址，对该地址进行预设运算得到索引值，将该索引值与发布订阅模型中的一个主题进行匹配，生成该索引值与该主题之间的对应关系，其中，来源于同一个区域的地址对应的索引值与同一个主题相匹配。In some optional implementations, the correspondence between the index value and the topic is determined by: obtaining the preset address library; for each address in the address library, performing a preset operation on the address to obtain the index value , match the index value with a topic in the publish-subscribe model, and generate a correspondence between the index value and the topic, where the index value corresponding to the address originating from the same area matches the same topic.

在一些可选的实现方式中，确定单元302进一步通过如下方式对目标地址进行预设运算得到索引值：对目标地址进行哈希运算得到哈希码作为索引值。In some optional implementations, the determining unit 302 further performs a preset operation on the target address to obtain the index value in the following manner: performs a hash operation on the target address to obtain a hash code as the index value.

在一些可选的实现方式中，发布订阅模型为卡夫卡系统。In some optional implementations, the publish-subscribe model is Kafka system.

进一步参考图4，图4示出了可以应用本公开的网络请求拦截方法的实施例的示例性系统架构400。With further reference to FIG. 4 , FIG. 4 illustrates an exemplary system architecture 400 to which embodiments of the network request interception method of the present disclosure may be applied.

如图4所示，系统架构400可以包括发布者4011、4012、4013，网络4021、4022，服务器403和订阅者4041、4042、4043。网络4021用以在发布者4011、4012、4013和服务器403之间提供通信链路的介质，网络4022用以在服务器403和订阅者4041、4042、4043之间提供通信链路的介质。网络4021、4022可以包括各种连接类型，例如有线、无线通信链路或者光纤电缆等等。As shown in Figure 4, the system architecture 400 may include publishers 4011, 4012, 4013, networks 4021, 4022, servers 403 and subscribers 4041, 4042, 4043. Network 4021 is used to provide a medium for communication links between publishers 4011, 4012, 4013 and server 403, and network 4022 is used to provide a medium for communication links between server 403 and subscribers 4041, 4042, 4043. Networks 4021, 4022 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

用户可以使用发布者4011、4012、4013通过网络4021与服务器403交互，使用订阅者4041、4042、4043通过网络4022与服务器403交互以发送或接收消息等，例如，服务器403可以对从发布者4011、4012、4013接收到的网络请求存储到主题中，以及可以将网络请求发送到对应的订阅者4041、4042、4043中。发布者4011、4012、4013和订阅者4041、4042、4043上可以安装有各种通讯客户端应用，例如购物类应用、即时通讯软件等。Users can use publishers 4011, 4012, 4013 to interact with the server 403 through the network 4021, and use subscribers 4041, 4042, 4043 to interact with the server 403 through the network 4022 to send or receive messages, etc., for example, the server 403 can interact with the server 403 from the publisher 4011 , 4012, 4013 received network requests are stored in the topic, and the network requests can be sent to the corresponding subscribers 4041, 4042, 4043. Various communication client applications can be installed on the publishers 4011, 4012, 4013 and the subscribers 4041, 4042, 4043, such as shopping applications, instant messaging software, etc.

发布者4011、4012、4013可以是硬件，也可以是软件。当发布者4011、4012、4013为硬件时，可以是具有显示屏并且支持信息交互的各种电子设备，包括但不限于智能手机、平板电脑、膝上型便携计算机等。当发布者4011、4012、4013为软件时，可以安装在上述所列举的电子设备中。其可以实现成多个软件或软件模块(例如用来提供分布式服务的多个软件或软件模块)，也可以实现成单个软件或软件模块。在此不做具体限定。Publishers 4011, 4012, and 4013 can be hardware or software. When the publishers 4011, 4012, and 4013 are hardware, they can be various electronic devices with display screens and supporting information interaction, including but not limited to smart phones, tablet computers, laptop computers, etc. When the publishers 4011, 4012, and 4013 are software, they can be installed in the electronic devices listed above. It can be implemented as multiple software or software modules (for example, multiple software or software modules used to provide distributed services), or as a single software or software module. There are no specific limitations here.

订阅者4041、4042、4043可以是硬件，也可以是软件。当订阅者4041、4042、4043为硬件时，可以是具有显示屏并且支持信息交互的各种电子设备，包括但不限于智能手机、平板电脑、膝上型便携计算机等。当订阅者4041、4042、4043为软件时，可以安装在上述所列举的电子设备中。其可以实现成多个软件或软件模块(例如用来提供分布式服务的多个软件或软件模块)，也可以实现成单个软件或软件模块。在此不做具体限定。Subscribers 4041, 4042, and 4043 can be hardware or software. When the subscribers 4041, 4042, and 4043 are hardware, they may be various electronic devices with display screens and supporting information interaction, including but not limited to smart phones, tablet computers, laptop computers, etc. When the subscribers 4041, 4042, and 4043 are software, they can be installed in the electronic devices listed above. It can be implemented as multiple software or software modules (for example, multiple software or software modules used to provide distributed services), or as a single software or software module. There are no specific limitations here.

服务器403可以是提供各种服务的服务器。例如，可以是对网络请求进行分析的后台服务器。服务器103可以首先接收到发布者4011、4012、4013发送的网络请求，获取网络请求的目标地址；之后，对目标地址进行预设运算得到索引值，确定是否存在与索引值对应的目标主题；若存在，则将网络请求的请求信息发送到目标主题中，以供订阅目标主题的订阅者4041、4042、4043获取请求信息并确定是否对网络请求进行拦截。Server 403 may be a server that provides various services. For example, it can be a backend server that analyzes network requests. The server 103 can first receive the network request sent by the publishers 4011, 4012, and 4013, and obtain the target address of the network request; then, perform a preset operation on the target address to obtain the index value, and determine whether there is a target topic corresponding to the index value; if If exists, the request information of the network request is sent to the target topic, so that the subscribers 4041, 4042, and 4043 who subscribe to the target topic can obtain the request information and determine whether to intercept the network request.

需要说明的是，服务器403可以是硬件，也可以是软件。当服务器403为硬件时，可以实现成多个服务器组成的分布式服务器集群，也可以实现成单个服务器。当服务器403为软件时，可以实现成多个软件或软件模块(例如用来提供分布式服务)，也可以实现成单个软件或软件模块。在此不做具体限定。It should be noted that the server 403 may be hardware or software. When the server 403 is hardware, it can be implemented as a distributed server cluster composed of multiple servers, or it can be implemented as a single server. When the server 403 is software, it may be implemented as multiple software or software modules (for example, used to provide distributed services), or it may be implemented as a single software or software module. There are no specific limitations here.

还需要说明的是，本公开实施例所提供的网络请求拦截方法通常由服务器403执行，则网络请求拦截装置通常设置于服务器403中。It should also be noted that the network request interception method provided by the embodiment of the present disclosure is usually executed by the server 403, and the network request interception device is usually provided in the server 403.

应该理解，图4中的发布者、网络、服务器和订阅者的数目仅仅是示意性的。根据实现需要，可以具有任意数目的发布者、网络、服务器和订阅者。It should be understood that the numbers of publishers, networks, servers and subscribers in Figure 4 are only illustrative. You can have any number of publishers, networks, servers, and subscribers depending on your implementation needs.

下面参考图5，其示出了适于用来实现本公开的实施例的电子设备(例如图4中的服务器)500的结构示意图。图5示出的电子设备仅仅是一个示例，不应对本公开的实施例的功能和使用范围带来任何限制。Referring now to FIG. 5 , a schematic structural diagram of an electronic device (eg, the server in FIG. 4 ) 500 suitable for implementing embodiments of the present disclosure is shown. The electronic device shown in FIG. 5 is only an example and should not bring any limitations to the functions and usage scope of the embodiments of the present disclosure.

如图5所示，电子设备500可以包括处理装置(例如中央处理器、图形处理器等)501，其可以根据存储在只读存储器(ROM)502中的程序或者从存储装置508加载到随机访问存储器(RAM)503中的程序而执行各种适当的动作和处理。在RAM 503中，还存储有电子设备500操作所需的各种程序和数据。处理装置501、ROM 502以及RAM 503通过总线504彼此相连。输入/输出(I/O)接口505也连接至总线504。As shown in FIG. 5 , the electronic device 500 may include a processing device (eg, central processing unit, graphics processor, etc.) 501 that may be loaded into a random access device according to a program stored in a read-only memory (ROM) 502 or from a storage device 508 . The program in the memory (RAM) 503 executes various appropriate actions and processes. In the RAM 503, various programs and data required for the operation of the electronic device 500 are also stored. The processing device 501, the ROM 502 and the RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.

通常，以下装置可以连接至I/O接口505：包括例如触摸屏、触摸板、键盘、鼠标、摄像头、麦克风、加速度计、陀螺仪等的输入装置506；包括例如液晶显示器(LCD)、扬声器、振动器等的输出装置507；包括例如磁带、硬盘等的存储装置508；以及通信装置509。通信装置509可以允许电子设备500与其他设备进行无线或有线通信以交换数据。虽然图5示出了具有各种装置的电子设备500，但是应理解的是，并不要求实施或具备所有示出的装置。可以替代地实施或具备更多或更少的装置。图5中示出的每个方框可以代表一个装置，也可以根据需要代表多个装置。Generally, the following devices may be connected to the I/O interface 505: input devices 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; including, for example, a liquid crystal display (LCD), speakers, vibration An output device 507 such as a computer; a storage device 508 including a magnetic tape, a hard disk, etc.; and a communication device 509. Communication device 509 may allow electronic device 500 to communicate wirelessly or wiredly with other devices to exchange data. Although FIG. 5 illustrates electronic device 500 with various means, it should be understood that implementation or availability of all illustrated means is not required. More or fewer means may alternatively be implemented or provided. Each block shown in Figure 5 may represent one device, or may represent multiple devices as needed.

特别地，根据本公开的实施例，上文参考流程图描述的过程可以被实现为计算机软件程序。例如，本公开的实施例包括一种计算机程序产品，其包括承载在计算机可读介质上的计算机程序，该计算机程序包含用于执行流程图所示的方法的程序代码。在这样的实施例中，该计算机程序可以通过通信装置509从网络上被下载和安装，或者从存储装置508被安装，或者从ROM 502被安装。在该计算机程序被处理装置501执行时，执行本公开的实施例的方法中限定的上述功能。需要说明的是，本公开的实施例所述的计算机可读介质可以是计算机可读信号介质或者计算机可读存储介质或者是上述两者的任意组合。计算机可读存储介质例如可以是——但不限于——电、磁、光、电磁、红外线、或半导体的系统、装置或器件，或者任意以上的组合。计算机可读存储介质的更具体的例子可以包括但不限于：具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机访问存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。在本公开的实施例中，计算机可读存储介质可以是任何包含或存储程序的有形介质，该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。而在本公开的实施例中，计算机可读信号介质可以包括在基带中或者作为载波一部分传播的数据信号，其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式，包括但不限于电磁信号、光信号或上述的任意合适的组合。计算机可读信号介质还可以是计算机可读存储介质以外的任何计算机可读介质，该计算机可读信号介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。计算机可读介质上包含的程序代码可以用任何适当的介质传输，包括但不限于：电线、光缆、RF(射频)等等，或者上述的任意合适的组合。In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product including a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such embodiments, the computer program may be downloaded and installed from the network via communication device 509, or from storage device 508, or from ROM 502. When the computer program is executed by the processing device 501, the above-described functions defined in the method of the embodiment of the present disclosure are performed. It should be noted that the computer-readable medium described in the embodiments of the present disclosure may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the above two. The computer-readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof. More specific examples of computer readable storage media may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard drive, random access memory (RAM), read only memory (ROM), removable Programmed read-only memory (EPROM or flash memory), fiber optics, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above. In embodiments of the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device. In embodiments of the present disclosure, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program code is carried. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device . Program code embodied on a computer-readable medium may be transmitted using any suitable medium, including but not limited to: wire, optical cable, RF (radio frequency), etc., or any suitable combination of the above.

上述计算机可读介质可以是上述电子设备中所包含的；也可以是单独存在，而未装配入该电子设备中。上述计算机可读介质承载有一个或者多个程序，当上述一个或者多个程序被该电子设备执行时，使得该电子设备：响应于接收到网络请求，获取网络请求的目标地址，其中，目标地址包括互联网协议地址和/或网关地址，网络请求来源于发布订阅模型中的发布者，发布订阅模型包括发布者和订阅者，发布者将消息发送到主题中，订阅者对所订阅的主题中的消息进行消费；对目标地址进行预设运算得到索引值，确定是否存在目标主题，其中，目标主题是与索引值对应的主题；若存在，则将网络请求的请求信息发送到目标主题中，以供目标订阅者获取请求信息并确定是否对网络请求进行拦截，其中，目标订阅者为订阅目标主题的订阅者。The above-mentioned computer-readable medium may be included in the above-mentioned electronic device; it may also exist independently without being assembled into the electronic device. The computer-readable medium carries one or more programs. When the one or more programs are executed by the electronic device, the electronic device: in response to receiving the network request, obtains the target address of the network request, where the target address Including Internet protocol address and/or gateway address, the network request originates from the publisher in the publish-subscribe model. The publish-subscribe model includes publishers and subscribers. The publisher sends messages to the topic, and the subscriber responds to the subscribed topic. The message is consumed; perform a preset operation on the target address to obtain the index value, and determine whether the target topic exists, where the target topic is the topic corresponding to the index value; if it exists, the request information of the network request is sent to the target topic to For the target subscriber to obtain the request information and determine whether to intercept the network request, where the target subscriber is the subscriber who subscribes to the target topic.

可以以一种或多种程序设计语言或其组合来编写用于执行本公开的实施例的操作的计算机程序代码，所述程序设计语言包括面向对象的程序设计语言—诸如Java、Smalltalk、C++，还包括常规的过程式程序设计语言—诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中，远程计算机可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)——连接到用户计算机，或者，可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。Computer program code for performing operations of embodiments of the present disclosure may be written in one or more programming languages, including object-oriented programming languages—such as Java, Smalltalk, C++, or a combination thereof, Also included are conventional procedural programming languages—such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In situations involving remote computers, the remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (such as an Internet service provider). connected via the Internet).

附图中的流程图和框图，图示了按照本公开各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上，流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分，该模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意，在有些作为替换的实现中，方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如，两个接连地表示的方框实际上可以基本并行地执行，它们有时也可以按相反的顺序执行，这依所涉及的功能而定。也要注意的是，框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合，可以用执行规定的功能或操作的专用的基于硬件的系统来实现，或者可以用专用硬件与计算机指令的组合来实现。The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operations of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagram may represent a module, segment, or portion of code that contains one or more logic functions that implement the specified executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown one after another may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or operations. , or can be implemented using a combination of specialized hardware and computer instructions.

描述于本公开的实施例中所涉及到的单元可以通过软件的方式实现，也可以通过硬件的方式来实现。所描述的单元也可以设置在处理器中，例如，可以描述为：一种处理器包括获取单元、确定单元和拦截单元。其中，这些单元的名称在某种情况下并不构成对该单元本身的限定，例如，接收单元还可以被描述为“响应于接收到网络请求，获取网络请求的目标地址的单元”。The units involved in the embodiments of the present disclosure may be implemented in software or hardware. The described unit may also be provided in a processor. For example, it may be described as follows: a processor includes an acquisition unit, a determination unit and an interception unit. The names of these units do not constitute a limitation on the unit itself under certain circumstances. For example, the receiving unit can also be described as "a unit that obtains the target address of the network request in response to receiving the network request."

以上描述仅为本公开的较佳实施例以及对所运用技术原理的说明。本领域技术人员应当理解，本公开的实施例中所涉及的发明范围，并不限于上述技术特征的特定组合而成的技术方案，同时也应涵盖在不脱离上述发明构思的情况下，由上述技术特征或其等同特征进行任意组合而形成的其它技术方案。例如上述特征与本公开的实施例中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。The above description is only a description of the preferred embodiments of the present disclosure and the technical principles applied. Persons skilled in the art should understand that the scope of the invention involved in the embodiments of the present disclosure is not limited to technical solutions composed of specific combinations of the above technical features, and should also cover the above-mentioned technical solutions without departing from the above-mentioned inventive concept. Other technical solutions formed by any combination of technical features or their equivalent features. For example, a technical solution is formed by replacing the above features with technical features with similar functions disclosed in the embodiments of the present disclosure (but not limited to).

Claims

1. A network request interception method, comprising:

in response to receiving a network request, acquiring a target address of the network request, wherein the target address comprises an Internet protocol address and/or a gateway address, the network request is sourced from a publisher in a publish-subscribe model, the publish-subscribe model comprises the publisher and a subscriber, the publisher sends a message to a topic, and the subscriber consumes the message in the subscribed topic;

performing preset operation on the target address to obtain an index value, and determining whether a target theme exists, wherein the target theme is a theme corresponding to the index value;

If so, sending the request information of the network request to the target topic so as to enable a target subscriber to acquire the request information and determine whether to intercept the network request, wherein the target subscriber is a subscriber subscribed to the target topic.

2. The method of claim 1, wherein the target subscriber determines whether to intercept the network request by:

determining whether the target address exists in a preset address set to be intercepted;

if the network request does not exist in the address set to be intercepted, determining whether the network request accords with a preset interception rule;

if the interception rule is met, determining whether the target address exists in a preset suspicious address set;

if the target address exists in the suspicious address set, the target address is added into the address set to be intercepted.

3. The method of claim 2, wherein the adding the target address to the set of addresses to be intercepted comprises:

determining whether a target field corresponding to the target address in the suspicious address set is a first numerical value, wherein the target field represents whether the target address is added to the address set to be intercepted or not, and the first numerical value represents that the address is the suspicious address;

If the target field is the first value, modifying the value of the target field to a second value, wherein the second value representation is not added to the address set to be intercepted;

and in response to detecting that the value of the target field is a second value, adding the target address to the set of addresses to be intercepted.

4. A method according to claim 3, wherein said adding the target address to the set of addresses to be intercepted in response to detecting that the value of the target field is a second value comprises:

in response to receiving a timed task execution instruction, retrieving an address of which the target field is the second numerical value in the suspicious address set;

and adding the retrieved address to the address set to be intercepted, and modifying the value of the target field corresponding to the retrieved address to be a third value, wherein the third value represents that the third value is added to the address set to be intercepted.

5. The method of claim 2, wherein after said determining whether said target address is present in a preset set of suspicious addresses, said steps further comprise:

If not present in the set of suspicious addresses, storing the target address into the set of suspicious addresses, and setting the target field to the first value.

6. The method of claim 2, wherein after said determining whether the target address is in a preset set of addresses to be intercepted, said steps further comprise:

and if the network request exists in the address set to be intercepted, intercepting the network request.

7. The method of claim 2, wherein the correspondence between index values and topics is determined by:

acquiring a preset address library;

and aiming at each address in the address library, carrying out preset operation on the address to obtain an index value, and matching the index value with one topic in the publish-subscribe model to generate a corresponding relation between the index value and the topic, wherein the index value corresponding to the address from the same area is matched with the same topic.

8. The method of claim 1, wherein the performing a preset operation on the target address to obtain an index value includes:

and carrying out hash operation on the target address to obtain a hash code as an index value.

9. The method according to one of claims 1 to 8, wherein the publish-subscribe model is a kaff card system.

10. A network request intercepting apparatus, comprising:

the acquisition unit is used for responding to a received network request and acquiring a target address of the network request, wherein the target address comprises an Internet protocol address and/or a gateway address, the network request is sourced from a publisher in a publish-subscribe model, the publish-subscribe model comprises the publisher and a subscriber, the publisher sends a message to a topic, and the subscriber consumes the message in the subscribed topic;

the determining unit is used for carrying out preset operation on the target address to obtain an index value and determining whether a target theme exists, wherein the target theme is a theme corresponding to the index value;

the interception unit is used for sending the request information of the network request to the target topic if the request information exists, so that a target subscriber can acquire the request information and determine whether to intercept the network request, wherein the target subscriber is a subscriber subscribed to the target topic.

11. An electronic device, comprising:

One or more processors;

a storage device having one or more programs stored thereon,

when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-9.

12. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any one of claims 1-9.