Disclosure of Invention
Embodiments described herein provide a web application access proxy method, apparatus, and computer readable storage medium storing a computer program in a heterogeneous network environment.
According to a first aspect of the present disclosure, a web application access proxy method in a heterogeneous network environment is provided and applied to a forward proxy service. The method includes: when an access request sent by a client is detected, authenticating the client based on the access request, and performing access control and content filtering on the access request after the authentication passes; dynamically converting an IP address in the access request and forwarding the access request to a reverse proxy service of a target server; and receiving a request result returned by the reverse proxy service and forwarding the request result to the client.
In some embodiments of the disclosure, the method includes authenticating a client according to authentication information of the client in an access request, establishing data connection with the client after authentication passes, waiting for the client to send request data, matching the request data with a policy rule specified in an access control list, prohibiting the client from accessing if the matching fails, and performing content filtering on the request data according to user requirements to obtain filtered request data, wherein the content filtering comprises URL filtering, keyword filtering and file type filtering.
In some embodiments of the disclosure, the filtered request data is compared with pre-stored static cache data and the validity of the static cache data is judged; if the filtered request data contains the static cache data and the static cache data is valid, the corresponding static cache data is returned to the client. The static cache data comprises a picture, a script file, a CSS style and an HTML file.
In some embodiments of the present disclosure, a source IP address in an access request is replaced with a public IP address of a forward proxy service, whether the forward proxy service forwards the access request successfully or not is monitored, and if the forwarding fails, the access request is directly sent to a reverse proxy service of a target server according to a bypass mechanism.
In some embodiments of the present disclosure, the method includes determining an operating state of a forward proxy service according to a success rate and response time of a forwarding request, closing the forward proxy service when an abnormal operation of the forward proxy service is detected, determining whether a detour mechanism is met according to a network delay, a load of the forward proxy service, and the response state of the reverse proxy service, directly transmitting an access request to the reverse proxy service of a target server if the detour mechanism is met, and restarting the forward proxy service when the forward proxy service returns to normal, and forwarding the access request to the reverse proxy service of the target server through the forward proxy service.
In some embodiments of the present disclosure, in response to receiving an access request, a reverse proxy service converts a destination IP address in the access request into a private IP address and port of a target server, based on the private IP address and port, the reverse proxy service forwards the access request to a backend server according to a preset application routing rule and returns a request result to a forward proxy service of a client, and in response to receiving the request result returned by the reverse proxy service, the forward proxy service forwards the request result to the client.
In some embodiments of the present disclosure, a reverse proxy service encrypts request data using a public key of a target server and transmits the encrypted request data to the target server, the target server decrypts the encrypted request data using a private key after receiving the encrypted request data to obtain original request data of a client, the target server processes the original request data to obtain a request result, encrypts the request result using the private key and returns the request result to the reverse proxy service, and the reverse proxy service decrypts the encrypted request result using the public key of the target server and returns the request result to a forward proxy service of the client.
In some embodiments of the present disclosure, the reverse proxy service is configured to distribute requests to multiple back-end servers according to a preset load balancing policy, and redirect requests to other available servers when a back-end server fails.
According to a second aspect of the present disclosure, a web application access proxy apparatus in a heterogeneous network environment is provided. The apparatus includes at least one processor and at least one memory storing a computer program. The computer program, when executed by at least one processor, causes the apparatus to: upon detecting an access request sent by a client, authenticate the client based on the access request, and perform access control and content filtering on the access request after the authentication passes; dynamically convert an IP address in the access request and forward the access request to a reverse proxy service of a target server; and receive a request result returned by the reverse proxy service and forward the request result to the client.
In some embodiments of the present disclosure, a computer program, when executed by at least one processor, causes an apparatus to perform access control and content filtering on an access request by: authenticating a client based on authentication information of the client in the access request; establishing a data connection with the client after the authentication passes; waiting for the client to send request data; matching the request data with policy rules specified in an access control list, and prohibiting client access if the matching fails; and content filtering the request data based on user requirements, resulting in filtered request data, the content filtering including URL filtering, keyword filtering, and file type filtering.
In some embodiments of the present disclosure, a computer program, when executed by at least one processor, causes an apparatus to perform cache matching on an access request by comparing filtered request data with pre-stored static cache data, and, if the filtered request data includes static cache data, returning the corresponding static cache data to a client, the static cache data including a picture, a script file, a CSS style, and an HTML file.
In some embodiments of the present disclosure, the computer program, when executed by the at least one processor, causes the apparatus to dynamically translate the IP address in the access request and forward the access request to a reverse proxy service of the target server by: replacing a source IP address in the access request with a public IP address of the forward proxy service; monitoring whether the access request forwarded by the forward proxy service is forwarded successfully; and, if forwarding fails, sending the access request directly to the reverse proxy service of the target server according to a detour mechanism.
In some embodiments of the present disclosure, the computer program, when executed by at least one processor, causes the apparatus to further send an access request directly to a reverse proxy service of the target server by determining an operational state of the forward proxy service based on a success rate and a response time of the forwarding request, shutting down the forward proxy service when an operational anomaly of the forward proxy service is detected, determining whether a detour mechanism is met based on a network delay, a load of the forward proxy service, and the response state of the reverse proxy service, directly sending the access request to the reverse proxy service of the target server if the detour mechanism is met, and restarting the forward proxy service when the forward proxy service returns to normal, forwarding the access request to the reverse proxy service of the target server via the forward proxy service.
In some embodiments of the present disclosure, the computer program, when executed by the at least one processor, causes the apparatus to further receive a request result returned by the reverse proxy service and forward the request result to the client by, in response to receiving the access request, converting a destination IP address in the access request to a private IP address and port of the target server, forwarding the access request to the backend server according to a preset application routing rule based on the private IP address and port by the reverse proxy service and returning the request result to the forward proxy service of the client, and, in response to receiving the request result returned by the reverse proxy service, forwarding the request result to the client by the forward proxy service.
In some embodiments of the present disclosure, the computer program, when executed by the at least one processor, causes the apparatus to further return the request result to the forward proxy service of the client by the reverse proxy service encrypting the request data using the public key of the target server, sending the encrypted request data to the target server, after receiving the encrypted request data, the target server decrypting the encrypted request data using the private key to obtain the original request data of the client, processing the original request data to obtain the request result, encrypting the request result using the private key, and returning the request result to the reverse proxy service, and the reverse proxy service decrypting the encrypted request result using the public key of the target server and returning the encrypted request result to the forward proxy service of the client.
According to a third aspect of the present disclosure, there is provided a computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the steps of a web application access proxy method in a heterogeneous network environment according to the first aspect of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings. It will be apparent that the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments, which can be made by those skilled in the art based on the described embodiments of the present disclosure without the need for creative efforts, are also within the scope of the protection of the present disclosure.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the presently disclosed subject matter belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the specification and relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein. In addition, terms such as "first" and "second" are used merely to distinguish one component (or portion of a component) from another component (or another portion of a component).
As is well known, both the forward proxy and the reverse proxy are proxy servers located between a client and a server. With a forward proxy, the client must actively configure the proxy's IP address or domain name; the configured proxy then accesses the server content and returns it to the client. With a reverse proxy, the proxy server receives the client's request, forwards it to a server on the internal network, and returns the result from that server to the client. That is, the forward proxy is the proxy of the client and the reverse proxy is the proxy of the server.
Fig. 1 illustrates a forward proxy service usage pattern diagram according to an embodiment of the present disclosure. As shown in fig. 1, when a client inside a LAN accesses a network server, request data and response data are forwarded through a forward proxy service acting as an intermediary. Specifically, the client sends an access request, the identity of the client is authenticated by an authorization authentication mechanism, and the authenticated client establishes a data connection with the forward proxy service. The forward proxy service acquires the address and the port of the target server, establishes a data connection with the server, waits for the client to send request data, forwards the request data to the server, waits for the server to return response data, and forwards the response data to the client.
Fig. 2 illustrates a reverse proxy service usage pattern diagram according to an embodiment of the present disclosure. As shown in fig. 2, the server application system needs to provide application IP, port, protocol type, etc. information to the reverse proxy service in order to register with the reverse proxy service and assign a unique identification. The reverse proxy service receives the connection request of the client on the wide area network, diverts the request to an internal actual application server according to the application unique identification, and returns the request result to the client.
Aiming at the problems of security, traffic management and availability of cross-node application access in a wide area network distributed heterogeneous environment, the present disclosure provides a web application access proxy method in a heterogeneous network environment. The method realizes safe cross-node access and traffic forwarding by combining proxy service and firewall policy.
Fig. 3 illustrates a web application access principle schematic diagram in a heterogeneous network environment according to an embodiment of the present disclosure. As shown in FIG. 3, the wide area network distributed heterogeneous environment comprises two or more nodes, namely an A node, a B node, a C node, a D node, an E node and the like.
Taking a node A client accessing an application system of node B across nodes as an example, the proxy direction of node A is forward proxy, the source address is the node A proxy service IP, the destination address is the node B proxy service IP, and the port is the node B application port. The proxy direction of node B is reverse proxy, the source address is the node A proxy service IP, the destination address is the node B proxy service IP, and the port is the node B application port.
Node A registers the client IP address with the forward proxy service of node A through user authentication, so that requests from that client IP address may be forwarded. The forward proxy service of node A first identifies the IP address of the client, and the data authentication service checks whether the IP address is in the local IP address list. Once the IP address is found, data identification processing is carried out on all access requests of the client, and proxy forwarding is carried out after it succeeds. Traffic whose source IP address is the proxy service IP of node A and whose destination address is the proxy service IP of another node is released.
On the node B side, the traffic concerned has the proxy service IP of another node as its source IP address and the node B proxy service IP as its destination address. Node B publishes the application to the reverse proxy service of node B and assigns it a unique identifier, so that the reverse proxy service redirects the request to the internal actual application server based on the application's unique identifier.
To further illustrate embodiments of the present disclosure in detail, fig. 4 shows an exemplary flowchart of a web application access proxy method 400 in a heterogeneous network environment according to embodiments of the present disclosure.
At block S402 of fig. 4, when an access request sent by a client is monitored, the client is authenticated based on the access request, and access control and content filtering are performed on the access request after the authentication is passed.
The forward proxy service is arranged at the client. After an access request sent by the client is detected, the client is authenticated according to the identity authentication information in the access request, and a data connection is established with the client after the authentication passes. Specifically, the access request of the client generally includes a request method, a URL, a request header, and a request body, where the request header contains client authentication information, such as a user name and password, an API key, a token, and the like. The identity of the client can be verified according to a preset identity verification mechanism. For example, the authentication information is compared with a stored user database (local IP address list), and after the authentication passes, it is checked whether the client has access to the requested resource. After the authentication passes, a data connection is established with the client, and the forward proxy allocates a unique session ID for the connection.
The forward proxy service then waits for the client to send the request data, matches the request data with the policy rules specified in the access control list, and prohibits access if the matching fails.
The access control list (ACL) includes a plurality of policy rules that define which clients can access which resources and under what conditions access is allowed or denied. Each policy rule includes a plurality of conditions, such as source address (client IP address), destination address (IP address of the destination server), port (port number of the destination server), access path, access time, etc.
The matching process comprises the following steps:
Sequential matching: the rules in the ACL are arranged in order and matched from top to bottom.
Condition checking: for each rule, it is checked whether the request satisfies all conditions of the rule.
Rule hit: once a request satisfies a rule, the operation defined by the rule is performed immediately (e.g., access is allowed or denied), and checking of the subsequent rules is terminated. If the request matches an allow rule, the proxy service forwards the request to the target server and returns the response to the client. If the request matches a denial rule, an error response (e.g., 403 Forbidden) is returned informing the client that access is denied.
Assume that the ACL contains the following rules:
Rule 1:
Source address: 192.168.1.0/24
Target address: example.com
Port: 80
Access path: /public/
Access time: 9:00-17:00, workdays
Operation: allow access
Rule 2:
Source address: 192.168.1.0/24
Target address: example.com
Port: 80
Access path: /private/
Operation: deny access
In this example, if a request comes from an IP address of the form 192.168.1.X and accesses a resource under /public/, it is allowed. If it attempts to access a resource under /private/, it is denied. ACLs may be periodically reviewed and updated to ensure that they reflect the latest security requirements and business changes. Access control decisions are logged so that access behavior can be tracked and audited for potential security threats.
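The first-match evaluation described above, applied to Rule 1 and Rule 2, as an added example that is not code from the disclosure. The `Request` and `Rule` types, the path normalization step and the `default` deny result are assumptions; the default deny follows the statement that access is prohibited when matching fails.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Request:            # hypothetical request record built by the proxy
    client_ip: str
    host: str
    port: int
    path: str
    when: datetime


@dataclass(frozen=True)
class Rule:               # hypothetical representation of one ACL policy rule
    name: str
    source: str           # CIDR block of permitted client addresses
    host: str
    port: int
    path_prefix: str
    action: str           # "allow" or "deny"
    hours: Optional[Tuple[time, time]] = None
    workdays_only: bool = False


def normalize_path(raw: str) -> str:
    # Decode percent-escapes once and collapse "." / ".." segments so that
    # /public/../private/x is matched as /private/x, not as a /public/ path.
    path = posixpath.normpath("/" + unquote(raw.split("?", 1)[0]))
    return "/" + path.lstrip("/")


def rule_matches(rule: Rule, req: Request) -> bool:
    # Condition checking: every condition of the rule must hold.
    if ipaddress.ip_address(req.client_ip) not in ipaddress.ip_network(rule.source):
        return False
    if req.host.lower() != rule.host or req.port != rule.port:
        return False
    prefix = rule.path_prefix.rstrip("/") + "/"
    if not (normalize_path(req.path) + "/").startswith(prefix):
        return False
    if rule.workdays_only and req.when.weekday() >= 5:
        return False
    if rule.hours and not (rule.hours[0] <= req.when.time() < rule.hours[1]):
        return False
    return True


def evaluate(rules, req: Request):
    # Sequential matching, top to bottom; the first hit ends the evaluation.
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default"   # no rule matched: access is prohibited


# Rule 1 and Rule 2 from the text.
RULES = [
    Rule("rule-1", "192.168.1.0/24", "example.com", 80, "/public/", "allow",
         hours=(time(9, 0), time(17, 0)), workdays_only=True),
    Rule("rule-2", "192.168.1.0/24", "example.com", 80, "/private/", "deny"),
]

if __name__ == "__main__":
    # Constructed sample request: a Wednesday morning fetch of a public page.
    sample = Request("192.168.1.25", "example.com", 80, "/public/index.html",
                     datetime(2024, 5, 15, 10, 30))
    print(evaluate(RULES, sample))
```

Each returned pair names the rule that produced the decision, which is the value to write to the access control log.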
After the access control list is matched, content filtering can be performed on the client request data according to the user requirements, wherein the content filtering comprises URL filtering, keyword filtering, file type filtering and the like.
For example:
URL filtering: the requested domain name, IP address or URL is parsed and matched against the domain name blacklist, IP blacklist or URL blacklist. If a match is found, the request is refused.
Keyword filtering: sensitive keywords to be monitored are configured. The data in the request (e.g., HTTP request body, query parameters, etc.) is analyzed and checked for sensitive keywords. If any are found, the request is refused or warning information is returned.
File type filtering: the file types (e.g., pictures, documents, executable files, etc.) that are allowed or forbidden are defined. The file type is determined by parsing the Content-Type information in the request header, and is checked against the allow list or the prohibit list. The request is released or blocked according to the result of the check.
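The three content filters run in sequence over one request, as an added example that is not code from the disclosure. All list contents, the function names and the `("block", reason)` return shape are constructed for illustration; hosts use the reserved `.example` names and a documentation IP range.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample policy data (assumptions, not values from the disclosure).
DOMAIN_BLACKLIST = {"blocked.example"}
IP_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
URL_BLACKLIST = ("http://files.example/tools/",)
KEYWORDS = ("confidential", "internal-only")
FORBIDDEN_TYPES = {"application/x-msdownload", "application/x-sh"}


def check_url(url: str):
    """URL filtering: domain, IP and URL-prefix blacklists."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in IP_BLACKLIST):
            return "ip blacklist"
    elif any(host == d or host.endswith("." + d) for d in DOMAIN_BLACKLIST):
        return "domain blacklist"     # also covers subdomains of a listed domain
    normalized = f"{parts.scheme.lower()}://{host}{parts.path}"
    if any(normalized.startswith(prefix) for prefix in URL_BLACKLIST):
        return "url blacklist"
    return None


def check_keywords(url: str, body: bytes):
    """Keyword filtering over decoded query parameters and the request body."""
    # parse_qsl percent-decodes names and values, so an encoded keyword
    # is compared in its decoded form.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    query_text = " ".join(f"{k} {v}" for k, v in pairs)
    text = (query_text + " " + body.decode("utf-8", errors="replace")).casefold()
    for keyword in KEYWORDS:
        if keyword in text:
            return f"keyword: {keyword}"
    return None


def check_file_type(headers: dict):
    """File type filtering based on the Content-Type request header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type in FORBIDDEN_TYPES:
        return f"file type: {media_type}"
    return None


def filter_request(url: str, headers: dict, body: bytes = b""):
    """Return ("block", reason) on the first filter hit, else ("pass", None)."""
    for reason in (check_url(url), check_keywords(url, body), check_file_type(headers)):
        if reason:
            return "block", reason
    return "pass", None


if __name__ == "__main__":
    # Constructed sample request.
    print(filter_request("http://portal.example/search?q=conf%69dential+plan", {}))
```

Content-Type is supplied by the client, so this check classifies what the request declares rather than what the body contains.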
In order to reduce accesses to the target server and improve network access efficiency, the request data after content filtering can be compared with the pre-stored static cache data, and the validity of the static cache data can be judged. If the filtered request data contains static cache data and the static cache data is valid, the static cache data is returned directly to the client. The static cache data comprises pictures, script files, CSS styles, HTML files and the like. A validity period may be set for the cache to determine when the cache needs to be updated. For example, conditional requests are made using the If-Modified-Since or If-None-Match headers, ensuring that the cache is updated only when the data changes. Alternatively, an LRU (least recently used) policy is used to manage cache space and evict rarely used data. Therefore, if the request data includes cached static network content, the validity of the cache needs to be determined (usually by the set expiration time). If the cache is valid, the proxy server can return the cached data directly to the client, thereby avoiding a request to the target server.
At block S404 of fig. 4, the IP address in the access request is dynamically translated and then forwarded to the reverse proxy service of the target server.
In some embodiments of the present disclosure, the forward proxy service replaces the source IP address in the client access request with the public network IP address of the forward proxy service. By replacing the source IP address in the request, the forward proxy prevents the target server from learning the real IP of the internal user, thereby improving the security of application access. In particular, each user or group of requests may be dynamically assigned an appropriate external IP address, typically the public network IP of a proxy server, accessible via the internet. If the proxy server has a plurality of public network IPs, one of them can be flexibly selected according to the current traffic and the request characteristics.
In one embodiment of the present disclosure, the forward proxy server may be controlled based on dynamic bypass technology. Whether the forward proxy is working abnormally is judged by monitoring whether the access requests forwarded by the forward proxy service are forwarded successfully. If forwarding fails, the access request is sent directly to the reverse proxy service of the target server according to the detour mechanism.
Specifically, the working state of the forward proxy service is judged according to the success rate and response time of forwarding requests; the forward proxy service is closed when abnormal working of the forward proxy service is detected; whether the bypass mechanism is met is judged according to the network delay, the load of the forward proxy service and the response state of the reverse proxy service; the access request is sent directly to the reverse proxy service of the target server if the bypass mechanism is met; and when the forward proxy service returns to normal, the forward proxy service is restarted and the access request is forwarded to the reverse proxy service of the target server through the forward proxy service.
For example, when it is detected that the response time of the forward proxy service becomes too long due to high load, the dynamic Bypass bypasses the forward proxy and lets the access request reach the target server. When the forward proxy returns to normal, the forward proxy service is restarted and the request is forwarded through the forward proxy service.
Therefore, when the network is congested or the proxy service is busy or the performance is reduced, the direct access can reduce the request delay, ensure the continuity of the service and enable the user to obtain better experience. For some contents which are frequently updated and do not need to be cached, the client can directly acquire the latest contents, so that the flexibility of resource utilization is improved.
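The bypass decision described above, sketched as a small state machine; this is an added example, not code from the disclosure. Every threshold, the class and function names, the use of health probes to detect recovery, and the `hold` outcome when the bypass conditions are not met are assumptions.

```python
from collections import deque

# Assumed bypass conditions (illustrative thresholds, not from the disclosure).
MAX_DIRECT_DELAY_MS = 200.0   # direct path to the reverse proxy must be this fast
HIGH_LOAD = 0.85              # forward proxy load at or above this counts as overloaded


class ForwardProxyMonitor:
    """Tracks success rate and response time of forwarded requests."""

    def __init__(self, window=10, min_samples=5, min_success_rate=0.8,
                 max_avg_ms=500.0, recover_after=3):
        self.samples = deque(maxlen=window)
        self.min_samples = min_samples
        self.min_success_rate = min_success_rate
        self.max_avg_ms = max_avg_ms
        self.recover_after = recover_after
        self.running = True        # False once the service has been closed
        self._good_streak = 0

    def success_rate(self) -> float:
        return sum(1 for ok, _ in self.samples if ok) / len(self.samples)

    def avg_ms(self) -> float:
        return sum(ms for _, ms in self.samples) / len(self.samples)

    def record(self, ok: bool, response_ms: float) -> None:
        """Record one forwarding result (or, while closed, one health probe)."""
        self.samples.append((ok, response_ms))
        good = ok and response_ms <= self.max_avg_ms
        self._good_streak = self._good_streak + 1 if good else 0
        if self.running:
            if len(self.samples) >= self.min_samples and (
                    self.success_rate() < self.min_success_rate
                    or self.avg_ms() > self.max_avg_ms):
                self.running = False            # abnormal: close the service
        elif self._good_streak >= self.recover_after:
            self.samples.clear()                # recovered: restart with a clean window
            self.running = True


def bypass_met(network_delay_ms: float, proxy_load: float,
               reverse_proxy_ok: bool) -> bool:
    # All three inputs named in the text take part in the decision.
    return (reverse_proxy_ok
            and network_delay_ms <= MAX_DIRECT_DELAY_MS
            and proxy_load >= HIGH_LOAD)


def choose_route(monitor: ForwardProxyMonitor, network_delay_ms: float,
                 proxy_load: float, reverse_proxy_ok: bool) -> str:
    if monitor.running:
        return "forward-proxy"
    if bypass_met(network_delay_ms, proxy_load, reverse_proxy_ok):
        return "bypass"        # send directly to the reverse proxy service
    return "hold"              # assumed behaviour: do not send until a path is usable


if __name__ == "__main__":
    m = ForwardProxyMonitor()
    # Constructed samples: five fast requests, then two slow ones under load.
    for ms in (100, 100, 100, 100, 100, 2000, 2000):
        m.record(True, ms)
    print(m.running, choose_route(m, 40.0, 0.95, True))
```

Requests that take the bypass route no longer pass through the forward proxy, so a deployment following this design would log each such decision alongside the access control log.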
The reverse proxy service translates the destination IP address in the access request to the private IP address and port of the target server. In a reverse proxy, dynamic address translation is mainly used to translate requests from external users, addressed to the public address of the reverse proxy service, to the private addresses of the real servers in the internal network. That is, when an external client sends a request to the public network IP address of the reverse proxy service, the reverse proxy receives the request and dynamically forwards it to the real server in the internal network according to the configured rules and algorithms. In this process, the reverse proxy service translates the destination IP address (public network IP address) in the request to the private IP address of the real server so that the request can arrive correctly at the internal server.
It can be seen that the dynamic address translation technique can change the source IP address or the destination IP address in the request packet. When an internal network client accesses an external resource through the proxy, the proxy replaces the source IP address (i.e., the private IP of the client) in the request packet sent by the client with the proxy service's own public network IP address. This is a dynamic process: the IP address translation is performed every time a new request is made. From the security perspective, the method can hide the topology of the internal network and the real IP address of the client, and effectively prevent the external network from directly attacking the client in the internal network. From the perspective of resource utilization, for a proxy service with a plurality of public network IPs, IP addresses can be dynamically allocated according to factors such as traffic and request type, so that the IP resources can be utilized more flexibly.
At block S406 of fig. 4, the request result returned by the reverse proxy service is received and forwarded to the client.
In some embodiments of the present disclosure, in order for the reverse proxy to be able to forward requests efficiently, each server node in the service cluster needs to register the back-end application's IP address, port number, and protocol type (e.g., HTTP, HTTPS, or TCP) with the reverse proxy service. Application routing rules are set to route requests for different paths to the corresponding backend application servers. The reverse proxy service may forward the access request to the backend server according to a preset application routing rule, and return the request result to the forward proxy service of the client.
After the back-end server processes the request, it sends the response back to the reverse proxy service, which returns the response content to the forward proxy service of the client. From the client's point of view, it only ever interacts with the public network address of the reverse proxy service.
In some embodiments of the present disclosure, a reverse proxy service encrypts request data using a public key of a target server and transmits the encrypted request data to the target server, the target server decrypts the encrypted request data using a private key after receiving the encrypted request data to obtain original request data of a client, the target server processes the original request data to obtain a request result, encrypts the request result using the private key and returns the request result to the reverse proxy service, and the reverse proxy service decrypts the encrypted request result using the public key of the target server and returns the request result to a forward proxy service of the client. This ensures the security and integrity of the data when returned to the client.
In addition, the reverse proxy service also supports various load balancing strategies, such as polling, weighted polling, minimum connection weight, IP binding, URL binding and the like. It distributes requests to a plurality of back-end servers according to a preset load balancing strategy, and redirects the requests to other available servers when a back-end server fails, so that the load balancing, availability and security of the system are improved.
Referring to fig. 3 in conjunction with the access flow shown in fig. 4, fig. 5 illustrates a schematic diagram of a wide area network cross-node application access request interaction flow.
As shown in fig. 5, when a node A client needs to access the application system of node B, the forward proxy service of node A first obtains the information (IP address, MAC address) of the client through the user identity authentication function and identifies the IP address of the client; the data authentication service checks whether the IP address is in the local IP address list and, once the IP address is found, data identification processing is performed on all access requests of the client. Node A configures a release policy in the firewall: the proxy direction is forward proxy, the source address is the node A proxy service IP, the destination address is the node B proxy service IP, and the port is the node B application port. The node A forward proxy service receives the outgoing traffic, identifies all of it, and releases traffic whose source IP address is the proxy service IP of this node and whose destination address is the proxy service IP of another node.
The forward proxy service may perform access control, content filtering, cache matching, etc. on the requested data prior to forwarding the request. Specifically, the forward proxy service restricts user access according to the policy conditions specified by an access control list (ACL). The access control list is composed of a plurality of policy rules, and can filter on various conditions such as source address, target address, port, access path, access time and the like. Once a rule is hit, the corresponding operation is executed immediately and the matching flow ends.
After the user is allowed to access, content filtering is performed according to the user requirements; URL filtering, keyword filtering, file type filtering and the like are supported. For example, access to certain sensitive web sites or certain keywords can be blocked, so that different access restrictions and controls can be applied to different users.
After content filtering is completed, the forward proxy service may match the request data against cached, commonly used static web content, such as pictures, script files, CSS styles, HTML files, and the like. If a client makes the same data request and the response data of the server application has not changed, the forward proxy service can directly return the cached data to the client. Otherwise, proxy forwarding is performed.
When forwarding the request, the forward proxy service replaces the source IP address in the access request with the public network IP address of the forward proxy service and monitors whether the access request is forwarded successfully; if forwarding fails, the access request is sent directly to the reverse proxy service of the target server according to the bypass mechanism.
Node B configures a release policy in its firewall: the proxy direction is reverse proxy, the source address is the node A proxy service IP, the destination address is the node B proxy service IP, and the port is the node B application port. The reverse proxy service of node B receives the incoming traffic and handles the traffic whose source IP address is the proxy service IP of another node and whose destination address is the proxy service IP of node B. The reverse proxy service converts the destination IP address in the access request into the private IP address and port of the target server, matches the routing table, directs the request to the actual internal application server according to the unique application identifier, and returns the request result to the forward proxy service of the client, which forwards the request result to the node A client.
In summary, the cooperation of the forward proxy and the reverse proxy between node A and node B achieves effective traffic management and security control.
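The address conversion on both sides of the exchange described above, as an added example that is not part of the original disclosure. All addresses, the routing entry, the `sid` session key and the way the application identifier travels with the request are assumptions for illustration.

```python
import itertools

# Constructed addresses: node A / node B proxy service IPs and node B's application port.
A_PROXY, B_PROXY, B_APP_PORT = "198.51.100.7", "203.0.113.10", 8443
ROUTES = {"hr-portal": ("10.20.0.15", 8080)}   # application identifier -> private IP, port

class ForwardProxy:
    def __init__(self):
        self.sessions, self._ids = {}, itertools.count(1)

    def outbound(self, req):
        # Replace the client's source IP with the proxy's public IP and remember
        # the client so the result can be handed back to it.
        sid = next(self._ids)
        self.sessions[sid] = req["src"]
        return {**req, "src": A_PROXY, "dst": B_PROXY, "port": B_APP_PORT, "sid": sid}

    def inbound(self, resp):
        return {"to": self.sessions.pop(resp["sid"]), "body": resp["body"]}

def firewall_permits(pkt):
    # Node B release policy: source = node A proxy IP, destination = node B
    # proxy IP, port = node B application port.
    return (pkt["src"], pkt["dst"], pkt["port"]) == (A_PROXY, B_PROXY, B_APP_PORT)

def reverse_proxy(pkt, backend):
    if not firewall_permits(pkt):
        raise PermissionError("not released by the node B policy")
    if pkt.get("app") not in ROUTES:
        raise LookupError("no route for this application identifier")
    ip, port = ROUTES[pkt["app"]]
    body = backend({**pkt, "dst": ip, "port": port})   # destination translated
    return {"sid": pkt["sid"], "body": body}

def exchange(client_ip, app):
    """Run one request through both proxies; return the result and what the backend saw."""
    fp, seen = ForwardProxy(), []
    def backend(pkt):          # stand-in application server
        seen.append((pkt["src"], pkt["dst"], pkt["port"]))
        return "ok"
    result = fp.inbound(reverse_proxy(fp.outbound({"src": client_ip, "app": app}), backend))
    return result, seen
```

The backend only ever sees the node A proxy address as the source, so per-client attribution has to come from the forward proxy's own records.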
Fig. 6 is a schematic block diagram of a web application access proxy apparatus in a heterogeneous network environment according to an embodiment of the present disclosure. As shown in fig. 6, the apparatus 600 may include a processor 610 and a memory 620 storing a computer program. The computer program, when executed by the processor 610, causes the apparatus 600 to perform the steps of the method 400 as shown in fig. 4. In one example, the apparatus 600 may be a computer device or a cloud computing node. Upon detecting an access request sent by a client, the apparatus 600 may authenticate the client based on the access request, and perform access control and content filtering on the access request after the authentication passes. The apparatus 600 may dynamically translate the IP address in the access request and forward the request to the reverse proxy service of the target server. The apparatus 600 may receive the request result returned by the reverse proxy service and forward the request result to the client.
In some embodiments of the present disclosure, the apparatus 600 may authenticate the client according to the authentication information of the client in the access request, establish a data connection with the client after the authentication is passed, wait for the client to send the request data, match the request data with the policy rule specified in the access control list, prohibit the client from accessing if the matching fails, and perform content filtering on the request data according to the user requirement to obtain filtered request data, where the content filtering includes URL filtering, keyword filtering, and file type filtering.
In some embodiments of the present disclosure, the apparatus 600 may compare the filtered request data with the pre-stored static cache data, and determine validity of the static cache data, and if the filtered request data includes the static cache data and the static cache data is valid, return the corresponding static cache data to the client, where the static cache data includes a picture, a script file, a CSS style, an HTML file, and the like.
In some embodiments of the present disclosure, the apparatus 600 may replace the source IP address in an access request with the public network IP address of the forward proxy service, monitor whether the access request is forwarded successfully by the forward proxy service, and, if the forwarding fails, send the access request directly to the reverse proxy service of the target server according to the bypass mechanism.
In some embodiments of the present disclosure, the apparatus 600 may determine the operation state of the proxy service according to the success rate and response time of forwarded requests, and close the forward proxy service when abnormal operation of the forward proxy service is detected. The apparatus 600 may determine whether the conditions of the bypass mechanism are met according to the network delay, the load of the forward proxy service, and the response state of the reverse proxy service, and send the access request directly to the reverse proxy service of the target server if they are met. When the forward proxy service returns to normal, the apparatus 600 may restart the forward proxy service and forward the access request to the reverse proxy service of the target server through the forward proxy service.
In some embodiments of the present disclosure, the apparatus 600 may, in response to receiving the access request, convert the destination IP address in the access request into the private IP address and port of the target server, forward the access request to a backend server according to a preset application routing rule based on the private IP address and the port, and return the request result to the forward proxy service of the client; in response to receiving the request result returned by the reverse proxy service, the apparatus 600 may forward the request result to the client.
In some embodiments of the present disclosure, the apparatus 600 may encrypt the request data in the reverse proxy service using a public key of the target server and send the encrypted request data to the target server. After receiving the encrypted request data, the target server decrypts it using a private key to obtain the original request data of the client. The target server processes the original request data to obtain a request result, encrypts the request result using the private key, and returns it to the reverse proxy service. The reverse proxy service decrypts the encrypted request result using the public key of the target server and returns the request result to the forward proxy service of the client.
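One way to implement the health check and bypass decision described above, as an added example that is not part of the original disclosure. The thresholds, the sliding window, the stricter restart bar and the exact bypass condition are assumptions; the disclosure names the inputs but not how they are combined.

```python
from collections import deque

class BypassController:
    """Forward-proxy health tracking; every threshold here is an assumed value."""
    def __init__(self, window=5, min_success=0.8, recover=0.9, max_rt_ms=500,
                 max_delay_ms=200, max_load=0.9):
        self.samples = deque(maxlen=window)          # (succeeded, response_ms)
        self.min_success, self.recover, self.max_rt_ms = min_success, recover, max_rt_ms
        self.max_delay_ms, self.max_load = max_delay_ms, max_load
        self.proxy_running = True

    def record(self, succeeded, response_ms):
        """Feed one forwarding or probe result; close or restart the forward proxy."""
        self.samples.append((bool(succeeded), response_ms))
        n = len(self.samples)
        if n < self.samples.maxlen:
            return self.proxy_running                # too few samples to judge
        rate = sum(ok for ok, _ in self.samples) / n
        avg_ms = sum(ms for _, ms in self.samples) / n
        # A stricter bar for restarting than for closing keeps the proxy from flapping.
        need = self.min_success if self.proxy_running else self.recover
        self.proxy_running = rate >= need and avg_ms <= self.max_rt_ms
        return self.proxy_running

    def path(self, net_delay_ms, proxy_load, reverse_proxy_up):
        if self.proxy_running and proxy_load <= self.max_load:
            return "forward-proxy"
        # Assumed bypass condition: the reverse proxy responds and the delay is acceptable.
        if reverse_proxy_up and net_delay_ms <= self.max_delay_ms:
            return "bypass"
        return "unavailable"

# Constructed trace of (succeeded, response time in ms): healthy, two timeouts, recovery.
TRACE = [(True, 100)] * 5 + [(False, 2000)] * 2 + [(True, 100)] * 5

def replay(trace=TRACE):
    ctl, paths = BypassController(), []
    for ok, ms in trace:
        ctl.record(ok, ms)
        paths.append(ctl.path(net_delay_ms=50, proxy_load=0.2, reverse_proxy_up=True))
    return paths
```

Logging every transition into and out of `bypass` gives operators a record of when requests travelled outside the forward proxy's path.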
In embodiments of the present disclosure, processor 610 may be, for example, a Central Processing Unit (CPU), a microprocessor, a Digital Signal Processor (DSP), a processor of a multi-core based processor architecture, or the like. Memory 620 may be any type of memory implemented using data storage technology including, but not limited to, random access memory, read only memory, semiconductor-based memory, flash memory, disk storage, and the like.
Furthermore, in embodiments of the present disclosure, the apparatus 600 may also include an input device 630, such as a keyboard, a mouse, etc., for input. In addition, the apparatus 600 may further comprise an output device 640, such as a display or the like, for output.
In other embodiments of the present disclosure, there is also provided a computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, is capable of implementing the steps of the web application access proxy method 400 in a heterogeneous network environment as shown in fig. 4.
In summary, according to the web application access proxy method and apparatus in the heterogeneous network environment of the embodiments of the disclosure, a user in the wide area network can remotely access an application system of an enterprise from any location without installing additional software or performing complex configuration on local equipment. Strong security protection is provided for the application system by means of encrypted data transmission, authentication, access control, content filtering and the like, so that the risks of data leakage and unauthorized access are reduced and the sensitive information and assets of the enterprise are protected.
As the enterprise grows, both an increase in the number of users and an improvement in the access speed of an application system can be achieved through simple configuration without large-scale system transformation, so the enterprise can flexibly expand its users and applications while maintaining high efficiency and security. The scheme achieves high security, high availability, and flexibility of configuration and expansion for cross-node application access in a distributed heterogeneous wide area network environment.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus and methods according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As used herein and in the appended claims, the singular forms of words include the plural and vice versa, unless the context clearly dictates otherwise. Thus, when referring to the singular, the plural of the corresponding term is generally included. Similarly, the terms "comprising" and "including" are to be construed as being inclusive rather than exclusive. Likewise, the terms "comprising" and "or" should be interpreted as inclusive, unless such an interpretation is expressly prohibited herein. Where the term "example" is used herein, particularly when it follows a set of terms, "example" is merely exemplary and illustrative and should not be considered exclusive or broad.
Further aspects and scope of applicability will become apparent from the description provided herein. It is to be understood that various aspects of the application may be implemented alone or in combination with one or more other aspects. It should also be understood that the description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
While several embodiments of the present disclosure have been described in detail, it will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present disclosure without departing from the spirit and scope of the disclosure. The scope of the present disclosure is defined by the appended claims.