Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of traditional forward and reverse proxy servers by providing a communication method for a layer-2 transparent proxy scheme, achieving a fully transparent proxy. Systems and products that need a proxy-based solution then require no configuration changes on the client or on the server, so a near-complete solution can be achieved.
To solve this technical problem, the solution of the present invention is as follows:
A communication method for a layer-2 transparent proxy scheme is provided, comprising:
(1) Establishing communication between the client and the proxy service, comprising:
(1) the client initiates a connection request to the server;
(2) the proxy service host intercepts this connection at the data link layer and steers it to the proxy directional association module;
(3) the directional association module treats the received packet as a local packet and associates it with the virtual service on which the proxy service is listening;
(4) the proxy service's virtual service confirms the packet as associated with itself, notifies the TCP/IP protocol stack to respond to the client's connection, and binds the server's IP address as the source IP address of the response;
(5) the response packet is forwarded through the data link layer to the client;
(6) the client receives the response packet and sends its connection confirmation;
(7) the proxy service returns to the client a confirmation of this confirmation packet;
At this point, connection establishment between the client and the proxy service is complete;
(2) Establishing communication between the proxy service and the server, comprising:
(1) after the proxy service has established a complete TCP connection for the client, it binds the client's IP address locally as the source IP address and sends a connection establishment request to the server through the TCP/IP protocol stack;
(2) the connection request packet is forwarded through the data link layer and transmitted to the server;
(3) after the server receives the connection request, it processes it and sends a connection response packet;
(4) the server's connection response packet arrives at the data link layer of the proxy service host, which steers the response packet to the proxy directional association module for processing;
(5) the directional association module treats the received packet as a local packet and associates it with the connection on which the proxy service sent the connection request;
(6) the proxy service's virtual service sends its response to the connection response packet to the server;
At this point, the connection between the proxy service and the server is fully established;
(3) After the proxy service has successfully established both of the above connections, subsequent packets are forwarded back and forth over the completed connections as required, so that a wide range of service requirements can be met on the basis of the transparent proxy.
In the present invention, transparent proxy service is performed only for the business data that needs to be proxied; all other business data is forwarded at layer 2 of the network protocol stack.
In the present invention, the contents of business packets, whether proxied or forwarded at layer 2 of the protocol stack, are not altered: the transparent proxy service or the layer-2 forwarding passes on the original packets of the client and the server directly.
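The two handshakes of steps (1) and (2) and the selective forwarding rule of step (3), as an added simulation that is not code from the patent: a proxy host on the bridge answers the client's SYN with the server's address as source, then opens the server leg with the client's address as source, relays established flows unchanged, and forwards any flow not in its target list at layer 2. The class and packet names and the addresses are constructed; TCP sequence numbers are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: tuple           # (ip, port) written in the IP/TCP headers as sender
    dst: tuple           # (ip, port) written as receiver
    flags: str           # "SYN", "SYN-ACK", "ACK" or "DATA" (sequence numbers omitted)
    payload: bytes = b""

class TransparentProxy:
    """Proxy host on a two-NIC bridge. Flows to an (ip, port) in `targets` are proxied;
    every other frame is forwarded unchanged at layer 2 (constructed model, not the patent's code)."""
    def __init__(self, targets):
        self.targets = set(targets)
        self.assoc = {}  # client (ip, port) -> {"server": (ip, port), "state": str}

    def on_frame(self, pkt):
        """Handle one frame at the data link layer; returns (action, packets the host emits)."""
        if pkt.dst in self.targets:                       # client -> proxied server
            entry = self.assoc.get(pkt.src)
            if pkt.flags == "SYN" and entry is None:
                # steps (1)(3)-(1)(5): associate with the virtual service, answer as the server
                self.assoc[pkt.src] = {"server": pkt.dst, "state": "client_syn"}
                return "proxy", [Pkt(pkt.dst, pkt.src, "SYN-ACK")]
            if entry and pkt.flags == "ACK" and entry["state"] == "client_syn":
                # steps (2)(1)-(2)(2): client leg is up; open the server leg as the client
                entry["state"] = "upstream_syn"
                return "proxy", [Pkt(pkt.src, pkt.dst, "SYN")]
            if entry and pkt.flags == "DATA" and entry["state"] == "established":
                return "proxy", [Pkt(pkt.src, pkt.dst, "DATA", pkt.payload)]   # step (3): relay as-is
            return "proxy", []                            # out-of-state packet: dropped
        if pkt.src in self.targets:                       # proxied server -> client
            entry = self.assoc.get(pkt.dst)
            if entry and pkt.flags == "SYN-ACK" and entry["state"] == "upstream_syn":
                # steps (2)(4)-(2)(6): matched to our pending request; complete the handshake
                entry["state"] = "established"
                return "proxy", [Pkt(pkt.dst, pkt.src, "ACK")]
            if entry and pkt.flags == "DATA" and entry["state"] == "established":
                return "proxy", [Pkt(pkt.src, pkt.dst, "DATA", pkt.payload)]
            return "proxy", []
        return "forward", [pkt]                           # not a proxied service: plain L2 forward
```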
Compared with the prior art, the beneficial effects of the present invention are:
Under the transparent proxy model, the transparent proxy needs to attend only to the application-layer services for which a proxy is to be provided. If, for example, only FTP is to be served, all other services reach the server by transparent layer-2 forwarding and the transparent proxy handles only FTP traffic. This greatly improves the flexibility of service-specific processing and further demonstrates the independence and advancement of the transparent proxy service model.
Embodiment
First it should be noted that the present invention is an application of computer software in the field of communication technology. Implementing the present invention may involve a number of software function modules. The applicant believes that, after reading the application documents and accurately understanding the principles and objectives of the invention, a person skilled in the art can fully realise the present invention by combining known technology with their own software programming skills. The aforementioned software function modules include, but are not limited to, the proxy service and the proxy directional association module; everything mentioned in the present application falls into this category, and the applicant will not enumerate them one by one.
To ensure accurate understanding and avoid ambiguity, some of the terms used in the present invention are first explained as follows:
Virtual service: in the proxy scheme, a local TCP connection service that emulates the real server by listening for and accepting connections, processes the client's service requests in place of the server, and in turn sends the requested service to the server in the identity of the client.
Proxy service: in the process of connection establishment and data transfer, the intermediary entity that independently establishes the connections and transfers the data, thereby isolating the two ends of the communication from each other with respect to both connection establishment and data transfer (that is, the two ends never establish a direct communication link).
The implementation of the present invention is described in detail below with reference to the accompanying drawings.
In the simple model of a typical client communicating with a server shown in Figure 1, the transparent proxy service can be embedded at any point on the communication link between client and server.
(1) according to business and operational requirements, select a suitable point on the link at which to insert the transparent proxy service host;
(2) the proxy service host must have two network interface cards, one for communicating with the client and one with the server, and the two cards are configured in network bridge mode;
(3) using the transparent proxy directional association module shown in Figure 2, configure the services to be transparently proxied, normally as a server IP address plus a connection port;
(4) perform a communication connection test. On the basis of the transparent proxy's virtual service, security inspection, value-added services and the like can then be provided for a wide range of service requirements.
The implementation framework of the transparent forwarding model is shown in Figure 2.
The communication method of the layer-2 transparent proxy scheme comprises the steps (1) to (3) set out in the summary above.
In the present invention, transparent proxy service is performed only for the business data that needs to be proxied, and all other business data is forwarded at layer 2 of the protocol stack. The contents of proxied packets and of packets forwarded at layer 2 are not altered: in both cases the original client and server packets are passed on directly.
The differences between the present invention and other proxy schemes are:
1. The transparent proxy forwarding mechanism is realised at the application layer
In traditional network packet forwarding, such as the packet routing and forwarding performed by switches and routers, packets are simply forwarded. Transparency is achieved, but there is no proxying: no separate TCP connection is established with either end of the communication, and forwarding takes place only at the data link and network layers of the protocol stack.
In traditional proxy mechanisms, whether the proxy operates at the application layer or at the bottom of the protocol stack, transparency cannot be achieved. Whether forward or reverse, the proxy service needs its own IP address, establishes TCP connections with the client and with the server on that address, and carries the packet transmission over those connections. Both modes are visible to the client and to the server: if the proxy service is deployed on top of an existing client-server communication architecture it cannot be inserted seamlessly, and the client or the server must be reconfigured before the proxy service can work.
The transparent proxy mechanism of the present invention, in contrast, is fully transparent in both directions, towards the client and towards the server. It not only independently establishes TCP connections with both ends and forwards packets transparently, but can also be inserted seamlessly into an existing, mature client-server network topology, as if a layer-2 switching device were being added. This greatly improves the maintainability and scalability of adding services in complex network environments.
2. A unique realisation mechanism
The transparent proxy host does not need an IP address for communicating with the client or the server; it appears just like a layer-2 switching and forwarding device. As is well known, a packet whose destination IP address is not an address of the host cannot pass through the network and transport layers to the application layer, because the host provides no listening TCP service port or connection for it. Reverse and forward proxies must be configured with an IP address for service communication, so they can follow the conventional TCP connection process; equally, layer-2 and layer-3 forwarding devices need not establish TCP connections at all, they only pass network packets on, and so they need not violate any rule of the TCP/IP protocol stack either.
The transparent proxy technique must break through the restriction on receiving packets whose destination IP address is not a local address of the host, and must establish a virtual TCP connection listening on the service port. When a packet from the client arrives at the data link layer of the proxy service host, the packet's connection is directionally associated with the local listening service port, which then uses the server's IP address as its source address to establish a TCP connection with the client; the TCP connection between the client and the proxy service is thus complete. In the same way, once the proxy service has established the TCP connection with the client, it must establish a TCP connection with the server: the proxy service uses the client's original IP address as the source IP address and establishes the TCP connection with the server. When both connections have been established, the client and the server can exchange data through the proxy service, realising data communication over TCP connections.
For UDP communication, no reliable connection needs to be established, so the TCP connection establishment process described above is omitted, and transparent transmission is achieved solely by exchanging the IP addresses.
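A Linux realisation of the two address tricks this section describes (accepting a connection addressed to the server's IP, and dialling the server from the client's IP), added here as an example and not the patent's own module: it assumes the kernel's IP_TRANSPARENT socket option and TPROXY steering on the two-NIC bridge host of the embodiment, and the listening port and FTP-style sample bytes are constructed. `loopback_check` exercises the relay over socket pairs so the data path can be run without privileges.

```python
import select, socket, threading

# Linux socket option (19 in <linux/in.h>): accept or bind addresses not configured on this host.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

def make_virtual_service(listen_port):
    """Listener for connections addressed to the real server's IP (steered here by TPROXY)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)   # requires CAP_NET_ADMIN
    s.bind(("0.0.0.0", listen_port))
    s.listen(16)
    return s

def open_upstream(client_addr, service_addr):
    """Second leg: connect to the real server with the client's IP as source address."""
    u = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    u.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)   # lets bind() take a foreign IP
    u.bind((client_addr[0], 0))                          # client IP, ephemeral port
    u.connect(service_addr)
    return u

def relay(a, b):
    """Copy bytes both ways unmodified until one leg closes; returns (a->b, b->a) byte counts."""
    counts, peer = {a: 0, b: 0}, {a: b, b: a}
    while True:
        for s in select.select([a, b], [], [])[0]:
            data = s.recv(65536)
            if not data:                                 # one leg closed: tear down both
                a.close(); b.close()
                return counts[a], counts[b]
            counts[s] += len(data)
            peer[s].sendall(data)

def serve_once(listener):
    """getpeername() is the client; getsockname() is the service address the client dialled."""
    conn, client_addr = listener.accept()
    return relay(conn, open_upstream(client_addr, conn.getsockname()))

def loopback_check(request, reply):
    """Exercise relay() over socketpairs without privileges; returns (at_server, at_client, counts)."""
    client, leg_c = socket.socketpair()
    leg_s, server = socket.socketpair()
    out = {}
    t = threading.Thread(target=lambda: out.setdefault("n", relay(leg_c, leg_s))); t.start()
    client.sendall(request); at_server = server.recv(65536)
    server.sendall(reply); at_client = client.recv(65536)
    client.close(); t.join(5); server.close()
    return at_server, at_client, out["n"]

if __name__ == "__main__":
    print(loopback_check(b"USER anonymous\r\n", b"331 ok\r\n"))  # real use: serve_once(make_virtual_service(8021))
```

Traffic only reaches the listener if the bridge host steers it there, for example with `iptables -t mangle -A PREROUTING -p tcp -d SERVICE_IP --dport SERVICE_PORT -j TPROXY --on-port 8021 --tproxy-mark 0x1/0x1` together with `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`, and with br_netfilter enabled so bridged frames traverse iptables. Both IP_TRANSPARENT calls need CAP_NET_ADMIN, which is why only the loopback check runs unprivileged.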
3. Concern only for the business data that needs to be proxied
Traditional application-layer forward and reverse proxy servers are configured with an IP address for direct communication, and that IP address is the direct target of the communication, so the proxy occupies an independent communication entity. When the server provides several application services, for example HTTP together with FTP, SSH and so on, then under the traditional proxy architecture the proxy server must be configured to support not only HTTP but also FTP, SSH and the rest; otherwise the services provided by the server cannot be accessed normally.
The transparent proxy technique, starting from the shortcomings of forward and reverse proxy servers, provides an entirely new implementation that is fully transparent to both client and server. Under the transparent proxy technique, the destination IP address accessed by the client is the server's own IP address, and after traffic has passed through the transparent proxy service the IP address seen by the server is still the client's original source IP address. With such a technical implementation, the transparent proxy service can be deployed without changing any network configuration in the network topology in which it is placed.