Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of steps of an access request processing method provided in an embodiment of the present invention, which is applied to any intermediate proxy service in a container platform, where the intermediate proxy service is associated with at least one national secret communication service in the container platform, and as shown in fig. 1, the access request processing method may include the following steps:
Step 101, receiving a target access request sent by an access party, wherein the target access request is used for accessing a target service, the target service is a national secret communication service associated with the intermediate proxy service, and the domain name of the national secret communication service recorded by the access party has been synchronized in advance into the domain name of the intermediate proxy service.
Step 102, based on pre-configured national secret communication related information and target address information in a first configuration file, the target access request is sent to the target service in a national secret communication mode, wherein the first configuration file is a configuration file of the intermediate proxy service, and the target address information is address information of the target service.
Step 103, sending the response data returned by the target service to the access party.
The access request processing method provided by the embodiment of the invention can be applied to a container scenario, in which access to the national secret communication services of the container platform in a national secret communication mode is realized. The container platform can be built with a container orchestration platform (Kubernetes, K8s); a plurality of containers are arranged in the container platform, and in particular, containerized deployment is adopted when applications are deployed so as to facilitate management. An application may be provided with at least one application service, each deployed in a container, and one application service may be regarded as one application instance. The container platform may be a container cloud platform in which internal and external access to application services can be achieved through the multiple access types it provides, for example headless services (Headless), cluster IP addresses (ClusterIP), node ports (NodePort), and the like. The containers in the container cloud platform share the operating system kernel of the cloud environment host, and each container only contains the minimum components required to run the application. Containers are independent, executable software units that contain everything required to run the application service, such as code, runtime environment, system tools and system libraries, and a plurality of containers run on the same physical server.
The intermediate proxy service is a proxy service added for the national secret communication service in the container platform. The intermediate proxy service can run on a proxy server that provides a national secret proxy for the national secret communication service, and the national secret communication service can be any application service in the container platform that needs to be accessed in a national secret communication mode; one or more national secret communication services may exist in the container platform. In the embodiment of the invention, at least one intermediate proxy service can be added to the container platform in advance, and any one intermediate proxy service can execute the access request processing method so as to interact, in a national secret communication mode, on behalf of the national secret communication service associated with it. Specifically, the configuration file of the intermediate proxy service (i.e., the first configuration file) may be configured with the national secret communication related information required for access in the national secret communication mode, and with the address information of the national secret communication service associated with the intermediate proxy service. The intermediate proxy service can itself be accessed in a national secret manner, i.e., the intermediate proxy service has national secret communication capability, and at least one intermediate proxy service can provide proxy services for all national secret communication services in the container platform.
Accessing in the national secret communication mode comprises: establishing a connection with the application service according to the national secret protocol information, sending an access request encrypted according to the national secret protocol information to the application service, executing the operation indicated by the access request, generating response data for the access request encrypted according to the national secret protocol information, and returning the encrypted response data to the access party. The national secret algorithm information represents the national secret algorithm used, where the national secret algorithm refers to a domestic cryptographic algorithm.
Specifically, any one intermediate proxy service is associated with at least one national secret communication service, and accordingly provides proxy service for the at least one national secret communication service associated with it. The national secret communication services associated with all intermediate proxy services together are all national secret communication services included in the container platform. The target service is one of the at least one national secret communication service associated with the intermediate proxy service, and any national secret communication service associated with the intermediate proxy service can be the target service. For example, assume that the intermediate proxy service is associated with national secret communication service a and national secret communication service b. When the target access request is used for accessing national secret communication service a, service a is the target service, and when the target access request is used for accessing national secret communication service b, service b is the target service. Any received target access request is processed in the manner of steps 102 to 103.
Further, the access request for accessing the target service is the target access request. The intermediate proxy service provides proxy service for the national secret communication service, which means that an access request for accessing the national secret communication service is submitted to the intermediate proxy service, and the intermediate proxy service is responsible for forwarding a target access request to the national secret communication service in a national secret communication mode, and forwarding response data returned by the national secret communication service to an access party.
Accordingly, in order to ensure that an access request for accessing the target service is submitted to the intermediate proxy service, in the embodiment of the present invention the domain name of each national secret communication service (including the target service described above) associated with the intermediate proxy service, as recorded by the access party, is synchronized in advance to the domain name of the intermediate proxy service. When an access party needs to access a service, it usually sends the access request to the application service according to the domain name of the application service recorded on the access party. If the domain name of the national secret communication service associated with the intermediate proxy service, as recorded by the access party, were not synchronized to the domain name of the intermediate proxy service, the access request would be sent directly to the national secret communication service. Synchronizing that recorded domain name into the domain name of the intermediate proxy service therefore ensures that the target access request is actually sent to the intermediate proxy service.
In summary, in the access request processing method provided by the embodiment of the invention, the intermediary proxy service receives the target access request sent by the accessing party, the target access request is used for accessing the target service, the target service is the national secret communication service associated with the intermediary proxy service, and the domain name of the national secret communication service recorded by the accessing party is synchronized into the domain name of the intermediary proxy service in advance. And transmitting the target access request to the target service in a mode of national secret communication based on the pre-configured national secret communication related information and target address information in the first configuration file, wherein the first configuration file is a configuration file of the intermediate proxy service, and the target address information is address information of the target service. And sending the response data returned by the target service to the access party. 
In this way, by associating the national secret communication service with an intermediate proxy service in the container platform in advance, and by synchronizing in advance the domain name of the national secret communication service associated with the intermediate proxy service, as recorded by the access party, with the domain name of the intermediate proxy service, the target access request is received by the intermediate proxy service when the access party requests access to the target service associated with it, and the intermediate proxy service interacts with the target service in a national secret communication manner on behalf of the access party according to the target access request. This ensures that the target service is accessed in a national secret communication manner whenever it is interacted with, and thereby ensures the access security of the national secret communication service.
Optionally, in the case that the intermediary proxy service associates a plurality of the national cryptographic communication services, the service identifier and address information of each national cryptographic communication service associated with the intermediary proxy service are preconfigured in the first configuration file. Correspondingly, the embodiment of the invention can further comprise the following steps:
Step S21, extracting the service identifier of the target service carried in the target access request as the target identifier.
Step S22, obtaining address information of which the corresponding service identifier is consistent with the target identifier from the first configuration file, and taking the address information as the target address information.
Specifically, in the case where the intermediate proxy service is associated with a plurality of national secret communication services, the service identifier and address information of each national secret communication service associated with the intermediate proxy service are preconfigured in the first configuration file, that is, the service identifiers and address information of the plurality of national secret communication services are recorded in the first configuration file. Specifically, the service identifier and address information of each national secret communication service may be recorded in correspondence with each other. Correspondingly, for the target access request received this time, the content of the bit field used for representing the service identifier in the target access request can be extracted to obtain the target identifier. The bit field representing the service identifier may be predefined in the development stage; for example, it may be bits 5 to 8, which is not limited in the embodiment of the present invention.
Further, for the address information of any national secret communication service recorded in the first configuration file, the service identifier corresponding to that address information is compared with the target identifier. If they are the same, that address information is the address information of the national secret communication service requested this time, and accordingly it can be used as the target address information.
In the embodiment of the invention, the service identifier and address information of each national secret communication service associated with the intermediate proxy service are preconfigured in the first configuration file. The service identifier of the target service carried in the target access request is extracted as the target identifier, and the address information whose corresponding service identifier matches the target identifier is obtained from the first configuration file and used as the target address information. Thus, when the intermediate proxy service is associated with a plurality of national secret communication services, the address information of the target service accessed this time can be acquired accurately. At the same time, one intermediate proxy service proxies for a plurality of national secret communication services, so the total number of intermediate proxy services required by the container platform can be reduced and cost can be saved to a certain extent.
Optionally, in the case that the intermediate proxy service is associated with only one national secret communication service, the address information of that national secret communication service is preconfigured in the first configuration file. Correspondingly, the embodiment of the invention further comprises step S31, directly reading the address information in the first configuration file to serve as the target address information.
Specifically, in the case where the intermediate proxy service is associated with only one national secret communication service, the address information of only that one national secret communication service is preconfigured in the first configuration file. Correspondingly, for the target access request received this time, the target address information can be obtained by directly reading the address information in the first configuration file, without extracting the target identifier or searching the first configuration file. Thus, the processing steps can be simplified and the overall processing efficiency improved.
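The target-address lookup of steps S21, S22 and S31, modelled in Python as an added example (this is not code from the patent). It assumes that the request is handled as bytes with the service identifier in bits 5 to 8 of the first byte (bit 1 being the least-significant bit), and that the first configuration file is a dict whose proxy information item is either a single address string (one associated service) or a mapping from service identifier to address (several associated services).

```python
"""Added example (not from the patent): steps S21/S22 and S31 of the
intermediate proxy service as a plain Python model.

Assumptions (not fixed by the text):
  * the service identifier occupies bits 5 to 8 of the first request byte,
    numbered from bit 1 = least-significant bit;
  * the first configuration file is a dict; its "proxy_pass" item is either
    one address string (step S31) or a {service_id: address} mapping
    (steps S21/S22).
"""
from __future__ import annotations

# Bits 5..8 of a byte, counting from bit 1 = LSB: shift right by 4, keep 4 bits.
_ID_SHIFT = 4
_ID_MASK = 0b1111


def extract_target_identifier(request: bytes) -> int:
    """Step S21: read the service identifier carried in the request.

    An empty request carries no identifier and is rejected outright rather
    than silently treated as identifier 0.
    """
    if not request:
        raise ValueError("empty request carries no service identifier")
    return (request[0] >> _ID_SHIFT) & _ID_MASK


def resolve_target_address(first_config: dict, request: bytes) -> str:
    """Steps S22 / S31: obtain the target address information from the
    first configuration file.

    An identifier with no configured address is an error: the proxy must
    not fall back to some arbitrary service, since that would forward the
    request to a service the access party never asked for.
    """
    proxy_item = first_config["proxy_pass"]
    if isinstance(proxy_item, str):
        # Step S31: exactly one associated service, read its address directly.
        return proxy_item
    if not isinstance(proxy_item, dict) or not proxy_item:
        raise ValueError("proxy information item is empty or malformed")
    # Steps S21/S22: several associated services, match on the identifier.
    target_id = extract_target_identifier(request)
    try:
        return proxy_item[target_id]
    except KeyError:
        raise LookupError(
            f"no national secret communication service configured for "
            f"identifier {target_id}"
        ) from None


# Constructed sample configurations (not real cluster addresses).
SINGLE_SERVICE_CONFIG = {"proxy_pass": "svc-a.demo.svc.cluster.local"}
MULTI_SERVICE_CONFIG = {
    "proxy_pass": {
        1: "svc-a.demo.svc.cluster.local",
        2: "svc-b.demo.svc.cluster.local",
    }
}

if __name__ == "__main__":
    # First byte 0x2F = 0b0010_1111: bits 5..8 hold 0b0010, identifier 2.
    print(resolve_target_address(MULTI_SERVICE_CONFIG, b"\x2f payload"))
    # Single-service file: the first byte is never inspected.
    print(resolve_target_address(SINGLE_SERVICE_CONFIG, b"\x00 payload"))
```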
Optionally, in an embodiment of the present invention, the intermediate proxy service is associated with the at least one national secret communication service by the following steps performed in advance by a control service:
Step S41, determining the services in the container platform that require access in national secret communication as the national secret communication services.
And step S42, determining the national cryptographic communication service to be associated for the intermediate proxy service.
Step S43, when the number of national secret communication services to be associated is 1, setting the address information of the national secret communication service to be associated in the proxy information configuration item of the first configuration file.
Step S44, setting service identifiers and address information of the to-be-associated national cryptographic communication services in the proxy information configuration item when the number of to-be-associated national cryptographic communication services is greater than 1.
In the embodiment of the present invention, the control service is a service in the container platform, and the control service may be pre-specified. The control service may first take stock of the services in the container platform that require access in national secret communication, as the national secret communication services. Then m containers are created in the container platform, a preset code file is deployed in each of the m containers, and m intermediate proxy services are obtained, that is, a service is created for each preset code file. Here m is an integer not greater than the total number of national secret communication services in the container platform, and the preset code file is the code that realizes the function of the intermediate proxy service; it may be written independently by a developer in advance, or it may be national secret module code obtained directly from open source software.
Further, in one implementation, m may be equal to the total number of national secret communication services in the container platform. Thus, by creating the same number of intermediate proxy services, each intermediate proxy service can be assigned one corresponding national secret communication service. In the embodiment of the invention, an intermediate proxy service is obtained by creating a container and deploying the preset code file in it, so the creation cost of a single intermediate proxy service is low. Accordingly, creating the same number of intermediate proxy services and allocating one national secret communication service to be associated to each of them simplifies the configuration of the proxy information configuration item of each intermediate proxy service and the subsequent determination of the target address information, while avoiding excessive cost.
For example, one intermediate proxy service may be selected from the unassigned intermediate proxy services, and one national secret communication service may be selected from the unassigned national secret communication services as the national secret communication service to be associated with that intermediate proxy service. Then the selected intermediate proxy service is marked as assigned, the selected national secret communication service is marked as assigned, and the step of selecting one intermediate proxy service from the unassigned intermediate proxy services and a corresponding national secret communication service from the unassigned national secret communication services is repeated until a national secret communication service to be associated has been selected for every intermediate proxy service. In the initial state, the unassigned intermediate proxy services comprise all intermediate proxy services and the unassigned national secret communication services comprise all national secret communication services in the container platform. When selecting one intermediate proxy service from the unassigned intermediate proxy services, the selection may be random, or the national secret communication service closest to the intermediate proxy service may be selected, which is not limited in this embodiment of the present invention.
In another implementation, m may be less than the total number of national secret communication services in the container platform. In that case the m intermediate proxy services may first be arranged in a sequence, for example a random one. One national secret communication service is then selected for each intermediate proxy service in turn according to that sequence, and after one round of selection it is judged whether any unselected national secret communication services remain. If so, a new round of selection is started, i.e., national secret communication services continue to be selected for the intermediate proxy services in sequence from the remaining unselected ones, until no unselected national secret communication service remains. For any intermediate proxy service, the national secret communication services selected for it are determined as the national secret communication services to be associated with it.
For any intermediate proxy service, a first configuration file can be set up for it; the first configuration file comprises a plurality of configuration items, each of which is used for configuring corresponding information. In the initial state the values of the configuration items in the first configuration file are all null, and after configuration they are set to the corresponding information. Specifically, the proxy information configuration item is used for configuring the address information of the national secret communication service to be associated with the intermediate proxy service, and may for example be expressed as location/{proxy_pass}. The address information of the national secret communication service to be associated is used as the value of the proxy information configuration item in the first configuration file of the intermediate proxy service, so that the intermediate proxy service is associated with that national secret communication service, i.e., an intermediate proxy service is added for the national secret communication service to be associated.
When the number of national secret communication services to be associated with the intermediate proxy service is 1, only the address information of that national secret communication service is written in the proxy information configuration item; when the number is greater than 1, the address information and service identifier of each of the plurality of national secret communication services are written in the proxy information configuration item. The service identifier is information that uniquely indicates a national secret communication service; for example, it may be a number, a name, or the like assigned in advance to the national secret communication service. For any national secret communication service to be associated with the intermediate proxy service, its address information and service identifier can be stored in correspondence with each other. For example, the service identifier may be a key name and the address information a key value, stored as a key-value pair; or a subfolder named after the service identifier is created and the address information is stored in the subfolder, so as to realize the corresponding storage.
The address information of a national secret communication service is the information required to access that national secret communication service; it can be regarded as the communication address of the national secret communication service, and may for example be the domain name of the national secret communication service. Accordingly, the intermediate proxy service can send the target access request to the target service in a national secret communication manner, based on the national secret communication related information, according to the address information of the target service.
In the embodiment of the invention, the services in the container platform that require access in national secret communication are determined in advance as the national secret communication services, and a national secret communication service to be associated is determined for each intermediate proxy service. When the number of national secret communication services to be associated is 1, the address information of that national secret communication service is set in the proxy information configuration item of the first configuration file; therefore, when the intermediate proxy service proxies the target access request of the access party, the target access request can be forwarded accurately to the corresponding national secret communication service directly on the basis of the configured address information, and the processing efficiency is ensured. When the number of national secret communication services to be associated is greater than 1, the service identifier and address information of each national secret communication service to be associated are set in the proxy information configuration item. In this way the total number of required intermediate proxy services can be reduced, thereby reducing cost.
Optionally, the step of determining the services in the container platform that require access in national secret communication as the national secret communication services may specifically comprise step S41a, determining the application services in the container platform that have the specified identification field set as national secret communication services, and/or step S41b, determining the application services in the container platform whose service type is the specified type as national secret communication services. That is, the national secret communication services in the embodiment of the invention can comprise the application services provided with the specified identification field, or the application services whose service type is the specified type, or both.
In an actual application scenario, the container platform may be deployed first, and then each application service of an application may be deployed in the container platform. The manner of deploying the container platform can be selected according to requirements, and the embodiment of the invention is not limited to this. The user may set the specified identification field for an application service on demand in advance, and the specific form of the specified identification field can be set according to requirements. For example, the specified identification field may be GM, and when it is set for an application service it may be set in the configuration file of that application service. Accordingly, in step S41a, the control service may detect whether the specified identification field exists in the configuration file of each application service in the container platform, and if so, determine that the application service is set with the specified identification field and is therefore a national secret communication service.
Further, the specified type may be set by the user in advance as needed, and it characterizes a service type that requires access in a national secret communication manner. For example, the data source type may be designated, so that all application services of the data source type are used as national secret communication services; the embodiment of the invention is not limited in this regard. Specifically, a type field characterizing the specified type may be added in advance to the configuration file of the control service. After the application services of an application are deployed in the container platform, the type of each application service may be recorded, and a type field characterizing the type of the application service may be set in the configuration file of that application service. In step S41b, the control service may detect whether the type field in the configuration file of each application service is identical to the type field characterizing the specified type; if they are identical, the application service is determined to be a national secret communication service.
In the embodiment of the invention, the national secret communication service in the container platform can be determined by identifying the application service with the appointed identification field and/or the application service with the appointed type in the container platform, so that the determination efficiency of the national secret communication service can be ensured to a certain extent.
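The preparatory steps S41 to S44 of the control service, modelled in Python as an added example that is not code from the patent. It assumes an application-service inventory of dicts holding a name, a namespace and the content of the service's configuration file, that the specified identification field is a key named `GM`, that the specified type is `datasource`, that the address information is the service's Kubernetes cluster domain name `name.namespace.svc.cluster.local`, and that service identifiers are numbers assigned in the order the services are found; both the one-to-one case (m equal to the number of services) and the round-by-round case (m smaller) from the text are handled.

```python
"""Added example (not from the patent): steps S41 to S44 of the control
service as a Python model.

Assumptions (not fixed by the text): the specified identification field is
a configuration key "GM"; the specified type is "datasource"; address
information is the cluster domain name name.namespace.svc.cluster.local;
service identifiers are numbers assigned in discovery order.
"""
from __future__ import annotations

from typing import Dict, List, Union

SPECIFIED_FIELD = "GM"          # step S41a: identification field name
SPECIFIED_TYPE = "datasource"   # step S41b: service type needing GM access


def find_gm_services(app_services: List[dict]) -> List[dict]:
    """Step S41: a service is a national secret communication service if its
    configuration file sets the specified identification field (S41a) or its
    type field equals the specified type (S41b)."""
    found = []
    for svc in app_services:
        cfg = svc.get("config", {})
        if SPECIFIED_FIELD in cfg or cfg.get("type") == SPECIFIED_TYPE:
            found.append(svc)
    return found


def address_of(svc: dict) -> str:
    """Address information of a service: its cluster-internal domain name."""
    return f"{svc['name']}.{svc['namespace']}.svc.cluster.local"


def assign_services(proxies: List[str], gm_services: List[dict]) -> Dict[str, List[dict]]:
    """Step S42: decide which services each intermediate proxy proxies for.

    With m == number of services each proxy gets exactly one.  With m smaller,
    services are dealt out round by round in the proxies' fixed order.  m must
    not exceed the number of national secret communication services, so a
    proxy with nothing to proxy for is never created.
    """
    m = len(proxies)
    if m == 0 or m > len(gm_services):
        raise ValueError("need 1 <= m <= number of national secret services")
    assignment: Dict[str, List[dict]] = {p: [] for p in proxies}
    for i, svc in enumerate(gm_services):
        assignment[proxies[i % m]].append(svc)
    return assignment


def build_proxy_item(services: List[dict]) -> Union[str, Dict[int, str]]:
    """Steps S43/S44: the proxy information item of the first configuration
    file.  One service: just its address.  Several: identifier -> address,
    stored as key/value pairs."""
    if len(services) == 1:
        return address_of(services[0])
    return {svc["id"]: address_of(svc) for svc in services}


def configure_proxies(proxies: List[str], app_services: List[dict]) -> Dict[str, Union[str, Dict[int, str]]]:
    """Run S41 to S44 and return the proxy information item per proxy."""
    gm = [dict(svc) for svc in find_gm_services(app_services)]  # copy, do not mutate inventory
    for n, svc in enumerate(gm, start=1):
        svc["id"] = n
    return {p: build_proxy_item(s) for p, s in assign_services(proxies, gm).items()}


# Constructed sample inventory (not a real cluster).
APP_SERVICES = [
    {"name": "web", "namespace": "demo", "config": {}},
    {"name": "ledger", "namespace": "demo", "config": {"GM": True}},
    {"name": "db", "namespace": "demo", "config": {"type": "datasource"}},
    {"name": "audit", "namespace": "ops", "config": {"GM": True, "type": "datasource"}},
]

if __name__ == "__main__":
    # Two proxies for three services: proxy-1 gets two entries, proxy-2 one.
    for proxy, item in configure_proxies(["proxy-1", "proxy-2"], APP_SERVICES).items():
        print(proxy, "->", item)
```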
In the embodiment of the invention, the domain name of the intermediate proxy service can be pre-synchronized to the visitor as the domain name of the associated national secret communication service. Optionally, the domain name of the above-mentioned intermediate proxy service is synchronized in advance by:
Step S51, determining the services in the container platform that do not support national secret communication as the access parties, and acquiring the domain name of the intermediate proxy service.
Step S52, for any access party, modifying the domain name of each national secret communication service associated with the intermediate proxy service, as stored in a second configuration file, into the domain name of the intermediate proxy service, wherein the second configuration file is the configuration file of the access party.
The steps S51 to S52 may be executed by the control service or may be executed by the intermediate proxy service, which is not limited in the embodiment of the present invention.
In an actual application scenario, an application service in a container platform is accessed through its domain name when it is accessed internally. Some internal services do not support national secret communication and can only be accessed through Hypertext Transfer Protocol Secure (https). However, some services have higher security requirements, for example because they handle data with a higher security level, and to ensure data security they need to be accessed in a national secret communication mode, avoiding the problem that information in the service could be accessed by a network attacker through https access and data security could not be ensured. Here https secures data transfer by adding a security protocol (for example Transport Layer Security (TLS) / Secure Sockets Layer (SSL)) to the Hypertext Transfer Protocol (http). In the embodiment of the invention, the services in the container platform that do not support national secret communication can be collected, or a service list input by the user can be received, in which the service identifiers of the services that do not support national secret communication are recorded. Accordingly, the services characterized by the service identifiers recorded in the service list are determined as the aforementioned access parties. The second configuration file of an access party may record the domain names of other application services in the container platform; for example, it may record the service identifier of each application service in correspondence with the domain name of that application service.
The domain name of the intermediate proxy service and the domain name of the national secret communication service are generated by the domain name proxy service. The domain name proxy service is a component that provides Domain Name System (DNS) proxying for the container platform. After an application service is deployed successfully, the domain name proxy service generates a domain name for it. Illustratively, the domain name proxy service may be the default DNS service in the container platform, which may be a CoreDNS server. In the embodiment of the invention, after the intermediate proxy service is created, a domain name is generated for it by the domain name proxy service. Accordingly, for any intermediate proxy service, the domain name previously generated for that intermediate proxy service may be read. The domain name proxy service may generate a domain name from the namespace and the service name of a service, and the generated domain name may be used for services to locate one another, since a domain name generated by the domain name proxy service is not affected by a change in the Internet Protocol (IP) address of the service: the domain name generated for a service does not change regardless of changes to the service's IP address. Therefore, compared with using the service IP address, the problem of being unable to locate a service can be avoided.
Further, the domain name proxy service may generate multiple domain names in different formats for one service. By way of example, three formats may be generated for a service: a short domain name format, a namespace-limited domain name format, and a global domain name format, which may be represented as yourapp, yourapp.
Accordingly, for any national secret communication service associated with the intermediate proxy service, the domain name of each format corresponding to the service identifier of the national secret communication service stored in the second configuration file of the visitor can be modified to the domain name of the same format of the intermediate proxy service. For example, the domain name of the short domain name format of the national cryptographic communication service may be modified to the domain name of the short domain name format of the intermediate proxy service, the domain name of the namespace-limited domain name format of the national cryptographic communication service may be modified to the domain name of the namespace-limited domain name format of the intermediate proxy service, the domain name of the global domain name format of the national cryptographic communication service may be modified to the domain name of the global domain name format of the intermediate proxy service.
Illustratively, assume that a domain name of a global domain name format of one national communication service associated with the intermediary proxy service is kubernetes.
Correspondingly, the domain name kubernetes. saved in the second configuration file of the visitor may be modified to gmproxy.namespace.svc.cluster.local.
Further, after the domain name is modified the visitor may be restarted so that it reloads the second configuration file and sends access requests to the new domain name. Once the visitor acquires national secret communication capability, the domain name of each national secret communication service stored in its second configuration file can be modified back to the actual domain name of that national secret communication service, so that switching can be realized flexibly. After switching, the access request sent by the access party to the national secret communication service is received directly by the national secret communication service.
In the embodiment of the invention, the services in the container platform that do not support national secret communication are determined as the access parties, and the domain name of the intermediate proxy service is acquired. For any visitor, the domain name of each national secret communication service associated with the intermediate proxy service that is stored in the second configuration file is modified into the domain name of the intermediate proxy service, where the second configuration file is the configuration file of the visitor. In this way, without modifying the visitor itself, the domain name of the intermediate proxy service is synchronized in advance to the visitor as the domain name of each associated national secret communication service, so that a service that does not support national secret communication can access the national secret communication service through the intermediate proxy service. Thus communication between a visitor without national secret communication capability and the national secret communication service is realized, and the visitor interacts with the national secret communication service in the national secret communication mode.
A service that supports national secret communication in the container platform may also be used as the access party; in that case the national secret processing performed by the intermediate proxy service is applied on top of a target access request that the access party has already processed with national secret cryptography.
Optionally, in the embodiment of the invention, the national secret communication related information comprises a storage path of the national secret encryption information corresponding to the domain name of the intermediate proxy service, and national secret protocol information, and the first configuration file is configured in advance by the following step:
Step S61, setting the values of the encryption information item and the protocol information item in the first configuration file as the storage path of the national secret encryption information and the national secret protocol information, respectively.
Accordingly, the step of sending the target access request to the target service in a manner of national secret communication based on the information related to national secret communication and the target address information pre-configured in the first configuration file may specifically include:
Step 1021a, loading the national secret encryption information based on the storage path of the national secret encryption information.
Step 1021b, establishing a connection with the target service based on the national secret protocol information and the target address information, and negotiating a communication key with the target service based on the national secret encryption information.
Step 1021c, encrypting the target access request based on the communication key, and sending the encrypted target access request to the target service.
Step S61 may be performed by the control service. The encryption information item and the protocol information item are configuration items for setting the storage path of the national secret encryption information and the national secret protocol information, respectively; the storage path and the protocol information are set as their specific values. Setting a storage path rather than the information itself avoids an excessively long value for the encryption information item. The national secret encryption information is the information necessary for encryption; specifically, it may include an encryption public key and an encryption private key. The encryption public key is stored in the national secret encryption certificate, so storing that certificate stores the public key. The encryption private key may also be referred to as the national secret encryption certificate key. The national secret protocol information may be the version number of a national secret protocol, which is a specification described by the national secret standard technical specification for establishing secure communication using national secret algorithms. The intermediate proxy service establishes a connection with the corresponding national secret communication service based on the national secret protocol information and the address information and performs the subsequent interaction, which is equivalent to replacing TLS communication with national secret secure communication conforming to the national secret standard.
In the embodiment of the invention, the first configuration file of the intermediate proxy service may further include an algorithm information item, where the algorithm information item is a configuration item for setting the national secret algorithm information, and the national secret algorithm information may be set as a specific value of the algorithm information item. The cryptographic algorithm information may be the cryptographic algorithm itself or may be an identification for characterizing the cryptographic algorithm, for example, SM1, SM4, SM5, SM6, SM7, SM8, etc., and the cryptographic algorithm information may indicate the cryptographic algorithm that supports use.
Specifically, the intermediate proxy service loads the value of the encrypted information item in the first configuration file, accesses the storage path represented by the value of the encrypted information item, and loads the cryptographic information. The intermediate proxy service may load the value of the protocol information item in the first configuration file, handshake with the target service using the national secret handshake rule defined by the national secret protocol indicated by the value of the protocol information item, and establish connection after handshake is completed. In the process of handshake, the intermediate proxy service synchronizes the supported cryptographic algorithm information to the target service, and the target service selects the cryptographic algorithm used in the interaction and synchronizes the cryptographic algorithm to the intermediate proxy service.
Further, during the handshake the communication key is negotiated with the target service based on the national secret encryption information. Specifically, the intermediate proxy service sends the encryption public key to the target service; for example, it may send the national secret encryption certificate so that the target service obtains the encryption public key from the certificate. The target service encrypts a randomly generated premaster secret with the encryption public key and sends it to the intermediate proxy service, where the premaster secret may be a fixed-length random byte sequence. The intermediate proxy service decrypts the premaster secret with the encryption private key in the national secret encryption information. The intermediate proxy service and the target service then each calculate the master key from the plaintext premaster secret, the random number of the intermediate proxy service and the random number of the target service. The two random numbers are synchronized to the opposite party in advance; the plaintext premaster secret and the two random numbers are used as inputs of a pseudo-random function, whose output is the master key. The master key is then used as the input of a key derivation function, whose output is the symmetric key, and the symmetric key is the communication key. In this way both the intermediate proxy service and the target service obtain the communication key.
Further, the intermediate proxy service may encrypt the target access request with the communication key according to the national secret algorithm used in the present interaction and send the encrypted target access request to the target service, so that the data is protected in transit. Accordingly, the target service decrypts the received encrypted target access request with the communication key to obtain the plaintext target access request, executes the operation indicated by the plaintext target access request and generates response data, then encrypts the response data with the communication key according to the national secret algorithm used in the interaction and returns the encrypted response data to the intermediate proxy service. The intermediate proxy service decrypts the received encrypted response data with the communication key to obtain the plaintext response data and returns the plaintext response data to the visitor.
The target access request includes the domain name of the access party, and the intermediate proxy service records the domain name of the access party that sent the target access request after receiving it. When the response data is to be returned, a connection is established with the access party based on the recorded domain name, and the plaintext response data is returned over it. Illustratively, the interaction between the intermediate proxy service and the visitor may take place over https.
In the embodiment of the invention, the storage path of the national encryption information and the national encryption protocol information are configured in the first configuration file in advance, so that the intermediate proxy service can send the target access request to the target service in a national encryption communication mode based on the storage path of the national encryption information and the national encryption protocol information, and smooth national communication between the intermediate proxy service and the target service is ensured.
Optionally, the above information related to the national cryptographic communication further includes a storage path of the national cryptographic signature information corresponding to the domain name of the intermediate proxy service, and the first configuration file is further configured by performing the following steps in advance:
Step S71, setting the signature information item in the first configuration file as the storage path of the national secret signature information.
Correspondingly, the embodiment of the invention can also comprise:
Step S81, loading the national cryptographic signature information based on the storage path of the national cryptographic signature information.
Step S82, generating a signature value for the target access request based on the national secret signature information, so as to carry out signature verification with the target service.
Step S71 may be performed by the control service. The signature information item is a configuration item for setting the storage path of the national secret signature information, and the storage path is set as its value; setting a storage path avoids an excessively long value for the signature information item. The national secret signature information is the information required for signature verification; specifically, it may include a signature public key and a signature private key. The signature public key is stored in the national secret signature certificate, so storing that certificate stores the public key. The signature private key may also be referred to as the national secret signature certificate key. In the embodiment of the invention, the national secret algorithm information and the national secret protocol information can be input to the control service by a user, while the national secret signature information and the national secret encryption information are generated by calling a certificate issuing service provided by a certificate issuing organization; the certificate issuing service can be realized in the form of a website, and is used to generate the national secret signature information and national secret encryption information corresponding to the domain name of the intermediate proxy service. The national secret signature information corresponding to each domain name of the intermediate proxy service may be the same, or the national secret encryption information corresponding to each domain name of the intermediate proxy service may be different.
After obtaining the cryptographic signature information and the cryptographic information, the control service may store the cryptographic signature information and the cryptographic information locally and generate respective storage paths of the cryptographic signature information and the cryptographic information.
Illustratively, the signature information item may include a national secret signature certificate item and a national secret signature certificate key item, and the encryption information item may include a national secret encryption certificate item and a national secret encryption certificate key item. The national secret signature certificate item, the national secret signature certificate key item, the national secret encryption certificate item, and the national secret encryption certificate key item may be respectively expressed as ssl_sign_certificate, ssl_sign_certificate_key, ssl_enc_certificate, ssl_enc_certificate_key.
Assume that the storage paths of the national cryptographic signature certificate, the national cryptographic signature certificate key, the national cryptographic certificate and the national cryptographic certificate key are respectively:
/etc/gmproxy/certs/tls.crt;
/etc/gmproxy/certs/tls.key;
/etc/gmproxy/certs2/tls.crt;
/etc/gmproxy/certs2/tls.key;
Then the four configuration items, namely the national secret signature certificate item, the national secret signature certificate key item, the national secret encryption certificate item and the national secret encryption certificate key item, may be set to the above storage paths, respectively. Further, the protocol information item may be denoted as ssl_protocols, and may be configured as NTLS.
In the embodiment of the invention, the intermediate proxy service may send the target access request to the target service in the national secret communication mode, based on the national secret communication related information and the target address information pre-configured in the first configuration file, specifically when the national secret switch is opened. Correspondingly, the first configuration file may also comprise a national secret switch item, whose value is set to the value representing "on". For example, the national secret switch item may be represented as enable_ntls, and its value may be set to a value that characterizes on. Thus the national secret switch of the intermediate proxy service is opened and the intermediate proxy service is controlled to process the target access request. Further, the first configuration file may include a service domain name item for configuring the domain name of the intermediate proxy service, and a port item for configuring the listening port; these may be denoted as server_name and listen, respectively. Taking the kubernetes service whose k8s namespace is "default" as an example, the service domain name item may be configured as gmproxy. The value "443 ssl http2" indicates the port used by the visitor by default.
Specifically, the intermediate proxy service may synchronize the national cryptographic signature certificate with the target service during the handshake process, so that the target service obtains the public signature key in the national cryptographic signature certificate. After the intermediate proxy service encrypts the target access request based on the communication key, a signature value is generated for the encrypted target access request based on a signature private key in the national secret signature information, and the signature value is sent to the target service. For example, hash calculation is performed on the encrypted target access request to obtain a hash value, and then the hash value is encrypted by using a signature private key to obtain a signature value.
Accordingly, the target service first uses the public signature key to verify the signature value. And if the verification is passed, performing the operation of decrypting the received encrypted target access request by using the communication key. For example, when signature verification is performed on the signature value by using the signature public key, hash calculation may be performed on the encrypted target access request to obtain a verification hash value. Then, the signature value is decrypted by using the signature public key, and a decrypted hash value is obtained. If the verification hash value is the same as the decrypted hash value, the signature value is determined to pass the signature verification. Otherwise, determining that the signature value fails signature verification.
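The key negotiation of step 1021b and the hash-then-sign check just described, as an added Go example that is not part of the patent: the target service wraps a fresh premaster secret under the proxy's encryption public key, both sides feed it together with their random numbers into a pseudo-random function to obtain the master key and into a key derivation function to obtain the communication key, and the encrypted request is hashed and signed with the separate signing private key and verified before decryption. RSA-OAEP, HMAC-SHA256 and ECDSA P-256 stand in for the national secret public-key encryption, PRF/KDF and signature algorithm, which the page identifies only as SM-family algorithms; all function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// randomBytes returns n bytes from the system CSPRNG; a failing CSPRNG is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// prf is the pseudo-random function: plaintext premaster secret plus both sides' random
// numbers in, master key out. HMAC-SHA256 stands in for the national secret PRF.
func prf(premaster, proxyRandom, targetRandom []byte) []byte {
	m := hmac.New(sha256.New, premaster)
	m.Write([]byte("master key"))
	m.Write(proxyRandom)
	m.Write(targetRandom)
	return m.Sum(nil)
}

// kdf is the key derivation function: master key in, 16-byte communication key out (HMAC stand-in).
func kdf(master []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("communication key"))
	return m.Sum(nil)[:16]
}

// generateKeys creates the proxy's encryption key pair (RSA stand-in) and its separate
// signing key pair (ECDSA P-256 stand-in), mirroring the two certificates on the page.
func generateKeys() (*rsa.PrivateKey, *ecdsa.PrivateKey, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	signPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return encPriv, signPriv, err
}

// handshake runs the negotiation in-process and returns the communication key as each
// side computed it; the random numbers are assumed exchanged beforehand.
func handshake(encPriv *rsa.PrivateKey) (proxyKey, targetKey []byte, err error) {
	proxyRandom, targetRandom := randomBytes(32), randomBytes(32)
	// Target service side: 48-byte random premaster secret, wrapped under the proxy's encryption public key.
	premaster := randomBytes(48)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &encPriv.PublicKey, premaster, nil)
	if err != nil {
		return nil, nil, err
	}
	targetKey = kdf(prf(premaster, proxyRandom, targetRandom))
	// Proxy side: only "wrapped" crossed the wire; unwrap it with the encryption private key.
	recovered, err := rsa.DecryptOAEP(sha256.New(), nil, encPriv, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	proxyKey = kdf(prf(recovered, proxyRandom, targetRandom))
	return proxyKey, targetKey, nil
}

// signEncryptedRequest hashes the already-encrypted target access request and signs
// the hash with the signing private key.
func signEncryptedRequest(signPriv *ecdsa.PrivateKey, encryptedRequest []byte) ([]byte, error) {
	digest := sha256.Sum256(encryptedRequest)
	return ecdsa.SignASN1(rand.Reader, signPriv, digest[:])
}

// verifyEncryptedRequest recomputes the hash and checks the signature with the public
// signing key; the target service decrypts the request only after this passes.
func verifyEncryptedRequest(signPub *ecdsa.PublicKey, encryptedRequest, sig []byte) bool {
	digest := sha256.Sum256(encryptedRequest)
	return ecdsa.VerifyASN1(signPub, digest[:], sig)
}

func main() {
	encPriv, signPriv, err := generateKeys()
	if err != nil {
		panic(err)
	}
	proxyKey, targetKey, err := handshake(encPriv)
	if err != nil {
		panic(err)
	}
	fmt.Println("communication keys match:", bytes.Equal(proxyKey, targetKey))
	req := []byte("constructed ciphertext of a target access request")
	sig, err := signEncryptedRequest(signPriv, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", verifyEncryptedRequest(&signPriv.PublicKey, req, sig))
}
```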
In the embodiment of the invention, the intermediate proxy service can obtain the national secret signature information based on the storage path of the national secret signature information by configuring the storage path of the national secret signature information in the first configuration file in advance, and perform signature verification based on the national secret signature information and the target service, so that the safety of national secret communication is further improved.
Referring to fig. 2, a block diagram of an access request processing apparatus provided by an embodiment of the present invention may be applied to any intermediate proxy service in a container platform, where the intermediate proxy service is associated with at least one national communication service in the container platform, and as shown in fig. 2, the access request processing apparatus may specifically include:
A receiving module 201, configured to receive a target access request sent by an accessing party, where the target access request is used to access a target service, the target service is the national secret communication service associated with the intermediate proxy service, and a domain name of the national secret communication service recorded by the accessing party is synchronized in advance to a domain name of the intermediate proxy service;
A first processing module 202, configured to send the target access request to the target service in a manner of national secret communication based on the information related to national secret communication and the target address information pre-configured in a first configuration file, where the first configuration file is a configuration file of the intermediate proxy service, and the target address information is address information of the target service;
A return module 203, configured to send the response data returned by the target service to the visitor.
Optionally, in the case that the intermediate proxy service associates a plurality of the national cryptographic communication services, the service identifier and address information of each national cryptographic communication service associated with the intermediate proxy service are preconfigured in the first configuration file, and the apparatus further includes:
An extraction module, configured to extract the service identifier of the target service carried in the target access request as a target identifier;
An acquisition module, configured to acquire from the first configuration file the address information whose corresponding service identifier is consistent with the target identifier, and to take that address information as the target address information.
Optionally, in the case that the intermediate proxy service associates with one of the national cryptographic communication services, address information of the national cryptographic communication service associated with the intermediate proxy service is preconfigured in the first configuration file, and the apparatus further includes:
A reading module, configured to directly read the address information in the first configuration file as the target address information.
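A worked example, added here and not part of the patent, of the first configuration file as the page describes it (the four certificate items, ssl_protocols NTLS, enable_ntls, server_name and listen) together with the address lookup of the preceding modules: with one associated service the proxy reads its address directly, with several it selects by the service identifier carried in the request. The directive name gm_upstream for the proxy information configuration item, the server_name value and the service identifiers and addresses are this example's own assumptions; the check that the signing and encryption certificates are distinct files is an added sanity check.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ProxyConfig is the parsed first configuration file: Items holds "directive value;"
// lines, Targets is the proxy information item (service identifier -> address information).
type ProxyConfig struct {
	Items   map[string]string
	Targets map[string]string
}

// parseConfig reads nginx-style text, skipping comments and block braces.
// gm_upstream is this example's constructed name for the proxy information item.
func parseConfig(text string) (*ProxyConfig, error) {
	cfg := &ProxyConfig{Items: map[string]string{}, Targets: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || line == "}" || strings.HasSuffix(line, "{") {
			continue
		}
		fields := strings.Fields(strings.TrimSuffix(line, ";"))
		switch {
		case len(fields) < 2 || (fields[0] == "gm_upstream" && len(fields) != 3):
			return nil, fmt.Errorf("malformed directive: %q", line)
		case fields[0] == "gm_upstream":
			cfg.Targets[fields[1]] = fields[2]
		default:
			cfg.Items[fields[0]] = strings.Join(fields[1:], " ")
		}
	}
	return cfg, sc.Err()
}

// validateConfig lists settings under which the proxy would not talk to the target in
// national secret mode, plus the added check that the two certificates are distinct files.
func validateConfig(cfg *ProxyConfig) []string {
	var problems []string
	if cfg.Items["enable_ntls"] != "on" {
		problems = append(problems, "enable_ntls is not on: national secret switch closed")
	}
	if !strings.Contains(" "+cfg.Items["ssl_protocols"]+" ", " NTLS ") {
		problems = append(problems, "ssl_protocols does not list NTLS")
	}
	for _, item := range []string{"ssl_sign_certificate", "ssl_sign_certificate_key", "ssl_enc_certificate", "ssl_enc_certificate_key"} {
		if cfg.Items[item] == "" {
			problems = append(problems, item+" is not set")
		}
	}
	if c := cfg.Items["ssl_sign_certificate"]; c != "" && c == cfg.Items["ssl_enc_certificate"] {
		problems = append(problems, "signing and encryption certificates are the same file")
	}
	if len(cfg.Targets) == 0 {
		problems = append(problems, "no national secret communication service address configured")
	}
	return problems
}

// resolveTarget: one associated service is read directly; several are selected by service identifier.
func resolveTarget(cfg *ProxyConfig, serviceID string) (string, error) {
	if len(cfg.Targets) == 1 {
		for _, addr := range cfg.Targets {
			return addr, nil
		}
	}
	if addr, ok := cfg.Targets[serviceID]; ok {
		return addr, nil
	}
	return "", fmt.Errorf("no address information for service identifier %q", serviceID)
}

// sampleConfig is constructed from the item names, paths and values the page gives;
// server_name assumes the "default" namespace and the gm_upstream lines are made up.
const sampleConfig = `
server {
    listen 443 ssl http2;
    server_name gmproxy.default.svc.cluster.local;
    enable_ntls on;
    ssl_protocols NTLS;
    ssl_sign_certificate /etc/gmproxy/certs/tls.crt;
    ssl_sign_certificate_key /etc/gmproxy/certs/tls.key;
    ssl_enc_certificate /etc/gmproxy/certs2/tls.crt;
    ssl_enc_certificate_key /etc/gmproxy/certs2/tls.key;
    gm_upstream order-svc 10.0.0.12:8443;
    gm_upstream ledger-svc 10.0.0.13:8443;
}
`

func main() {
	cfg, err := parseConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println("problems:", validateConfig(cfg))
	fmt.Println(resolveTarget(cfg, "order-svc"))
}
```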
Optionally, the intermediate proxy service and the at least one national cryptographic communication service are pre-associated by the following modules in the control service:
A first determining module, configured to determine, as a national secret communication service, a service in the container platform that requires access in the national secret communication;
A second determining module, configured to determine the national secret communication service to be associated with the intermediate proxy service;
A first setting module, configured to set the address information of the national secret communication service to be associated in the proxy information configuration item of the first configuration file, in the case that the number of national secret communication services to be associated is 1;
A second setting module, configured to set the service identifiers and address information of the national secret communication services to be associated in the proxy information configuration item, in the case that the number of national secret communication services to be associated is larger than 1.
Optionally, the first determining module is specifically configured to:
Determining an application service provided with a specified identification field in the container platform as the national cryptographic communication service;
and/or determining the application service whose service type in the container platform is the specified type as the national secret communication service.
Optionally, the domain name of the intermediate proxy service is pre-synchronized by:
The second processing module is used for determining the service which does not support national cipher communication in the container platform as the visitor and acquiring the domain name of the intermediate proxy service;
A modifying module, configured to modify, for any visitor, the domain name of each national secret communication service associated with the intermediate proxy service that is stored in a second configuration file into the domain name of the intermediate proxy service, where the second configuration file is the configuration file of the visitor.
The first configuration file is preconfigured through a third setting module, which is used for setting the values of an encryption information item and a protocol information item in the first configuration file as a storage path of the national encryption information and the national encryption protocol information respectively;
The first processing module 202 is specifically configured to:
Loading the national secret encryption information based on the storage path of the national secret encryption information;
Establishing a connection with the target service based on the national secret protocol information and the target address information, and negotiating a communication key with the target service based on the national secret encryption information;
Encrypting the target access request based on the communication key, and sending the encrypted target access request to the target service.
Optionally, the related information of the national cryptographic communication further comprises a storage path of the national cryptographic signature information corresponding to the domain name of the intermediate proxy service, wherein the first configuration file is also preconfigured by a fourth setting module, which is used for setting the signature information item in the first configuration file as the storage path of the national cryptographic signature information;
The apparatus further comprises:
A loading module, configured to load the national secret signature information based on the storage path of the national secret signature information;
A generation module, configured to generate a signature value for the target access request based on the national secret signature information, so as to carry out signature verification with the target service.
In summary, in the access request processing apparatus provided by the embodiment of the invention, the intermediate proxy service receives the target access request sent by the accessing party, where the target access request is used for accessing the target service, the target service is the national secret communication service associated with the intermediate proxy service, and the domain name of the national secret communication service recorded by the accessing party has been synchronized in advance into the domain name of the intermediate proxy service. The target access request is sent to the target service in the national secret communication mode based on the national secret communication related information and target address information pre-configured in the first configuration file, where the first configuration file is the configuration file of the intermediate proxy service and the target address information is the address information of the target service. The response data returned by the target service is then sent to the access party.
In this way, by associating the national secret communication service with the intermediate proxy service in the container platform in advance, and synchronizing the domain name of the national secret communication service recorded by the visitor to the domain name of the intermediate proxy service in advance, a target access request with which the visitor requests the target service associated with the intermediate proxy service is received by the intermediate proxy service, which interacts with the target service in the national secret communication mode on behalf of the visitor according to the target access request. This ensures that the target service is accessed in the national secret communication mode, and thus ensures the access security of the national secret communication service.
Referring to fig. 3, a schematic structural diagram of an electronic device according to an embodiment of the present invention is provided. As shown in fig. 3, the electronic device includes a processor, a memory, a communication interface, and a communication bus.
The processor, the memory and the communication interface complete communication with each other through the communication bus, and the memory is used for storing executable instructions which enable the processor to execute the access request processing method of the previous embodiment. The executable instructions may constitute a program. Embodiments of the present invention also provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, enable the processors to perform the access request processing method of the previous embodiments.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described by differences from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
It should be noted that all actions for acquiring signals, information or data in the present application are performed in compliance with the corresponding data protection legislation policy of the country of location and obtaining the authorization granted by the owner of the corresponding device.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or terminal device comprising the element.
The access request processing method, access request processing apparatus, electronic device and one or more machine-readable media provided by the present invention have been described in detail above. Specific examples are set forth herein to illustrate the principles and embodiments of the invention, and the above description of the embodiments is intended only to aid understanding of the method and its core ideas. Those skilled in the art will, in light of the ideas of the present invention, find variations in both the specific embodiments and the scope of application; accordingly, the contents of this specification should not be construed as limiting the invention.