CN113905030B - Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium - Google Patents


Info

Publication number
CN113905030B
CN113905030B (application number CN202111162500.1A)
Authority
CN
China
Prior art keywords
server
intranet
address
proxy server
domain name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111162500.1A
Other languages
Chinese (zh)
Other versions
CN113905030A (en)
Inventor
牟帅
戴价
史帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202111162500.1A
Publication of CN113905030A
Application granted
Publication of CN113905030B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides an intranet and extranet communication method and apparatus, an intranet terminal and a proxy server. It relates to the field of communication and data security and can be applied to fields such as smart healthcare. The scheme comprises the following steps: in response to a hypertext transfer security protocol (https) request from an intranet terminal, acquiring Server Name Indication (SNI) information from the Client Hello message of the intranet terminal; determining the application-layer domain name from the SNI information; acquiring the corresponding IP address for that domain name; and forwarding the https request to the target server on the external network according to the acquired IP address. The technical scheme implements a forward proxy on the proxy server and thereby bridges communication between the internal and external networks.

Description

Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium
Technical Field
The present disclosure relates to the field of computer technology, and more particularly, to the field of communication and data security in application scenarios such as smart medical care.
Background
With the growth of hospital informatization, doctors need to hold online video calls with patients outside the hospital for more convenient doctor-patient communication. However, to guarantee the safety of application operation, most hospitals physically isolate the internal network from the external network. This mode separates the hospital's core applications from the outside to the greatest extent and is therefore highly secure, but it erects a barrier that is hard to cross for data exchange between doctors and patients.
Disclosure of Invention
The present disclosure provides an intranet and extranet communication method, an intranet terminal, a proxy server, a computer-readable storage medium, and a computer program product.
According to a first aspect of the present disclosure, there is provided an intranet and extranet communication method applied to a proxy server, the method including:
in response to a hypertext transfer security protocol (https) request from an intranet terminal, acquiring Server Name Indication (SNI) information from the Client Hello message of the intranet terminal;
determining an application layer domain name according to the SNI information;
acquiring a corresponding IP address according to the application layer domain name;
and forwarding the https request to a target server of the external network according to the acquired IP address.
According to a second aspect of the present disclosure, there is provided an intranet and extranet communication method, applied to an intranet terminal, the method including:
sending a client hello message to the proxy server based on the security protocol handshake request, wherein the client hello message comprises server name identification information;
and responding to handshake success information returned by the proxy server, and sending a hypertext transfer security protocol (https) request to the proxy server.
According to a third aspect of the present disclosure, there is provided an intranet and extranet communication apparatus applied to a proxy server, the apparatus comprising:
an SNI information acquisition module, configured to acquire Server Name Indication (SNI) information from the Client Hello message of an intranet terminal in response to a hypertext transfer security protocol (https) request from that intranet terminal;
the domain name determining module is used for determining the domain name of the application layer according to the SNI information;
the IP address acquisition module is used for acquiring a corresponding IP address according to the application layer domain name;
and the https request forwarding module is used for forwarding the https request to a target server of the external network according to the acquired IP address.
According to a fourth aspect of the present disclosure, there is provided an intranet and extranet communication apparatus, applied to an intranet terminal, the apparatus comprising:
a client hello message sending module, which is used for sending a client hello message to the proxy server based on the handshake request of the security protocol, wherein the client hello message comprises the server name identification information;
and the https request sending module is used for sending a hypertext transfer security protocol https request to the proxy server in response to the handshake success information returned by the proxy server.
According to a fifth aspect of the present disclosure, there is provided a proxy server comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to cause the at least one processor to perform a method applied to a proxy server in any of the embodiments of the present disclosure.
According to a sixth aspect of the present disclosure, there is provided an intranet terminal, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method applied to the intranet terminal in any of the embodiments of the present disclosure.
According to a seventh aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method provided by any of the embodiments of the present disclosure.
According to an eighth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method provided by any of the embodiments of the present disclosure.
The technical scheme of the embodiments of the disclosure implements a forward proxy on the proxy server and thereby bridges communication between the internal and external networks.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of an intranet and extranet communication method applied to a proxy server according to an embodiment of the present disclosure;
FIG. 3 is a flow chart of an intranet and extranet communication method applied to an intranet terminal according to an embodiment of the present disclosure;
FIG. 4 is a diagram of one example of an application according to an embodiment of the present disclosure;
FIG. 5 is a diagram of yet another example of an application according to an embodiment of the present disclosure;
FIG. 6 is a diagram of yet another example application according to an embodiment of the present disclosure;
FIG. 7 is a block diagram of an intranet and extranet communication apparatus applied to a proxy server according to an embodiment of the present disclosure;
fig. 8 is a block diagram of an intranet and extranet communication apparatus applied to an intranet terminal according to an embodiment of the present disclosure;
FIG. 9 is a block diagram of an electronic device used to implement methods of embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of embodiments of the present disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic view of an application scenario of the embodiment of the present disclosure. As shown in fig. 1, the intranet is a Local Area Network (LAN). The intranet terminal 101 may be hardware, for example an electronic device with a display screen such as a mobile phone, a tablet, a portable computer or a desktop computer, or it may be software installed on such an electronic device. There are usually multiple intranet terminals 101, and they communicate over the intranet so as to ensure data privacy and security. The public network is external with respect to the intranet; the target server 103 provides services over the public network to users, for example extranet terminals 104. Any number of terminals, networks and servers may be configured for implementation.
The intranet and extranet communication method of the embodiment of the disclosure provides a proxy server that forwards requests of the intranet terminal 101 to the target server 103, thereby implementing a forward proxy and opening a path between the intranet and the extranet.
Illustratively, the intranet and extranet communication method of the embodiment can be applied to a smart healthcare scenario. For example, intranet terminal 101 may be a doctor client and public network terminal 104 a patient client; the method then enables a video call between the doctor client and the patient client.
Specifically, an embodiment of the present disclosure provides an intranet and extranet communication method, which is applied to a proxy server, and as shown in fig. 2, the method may include:
step S201: in response to a hypertext transfer security protocol (https) request from an intranet terminal, acquiring Server Name Indication (SNI) information from the Client Hello message of the intranet terminal;
step S202: determining an application layer domain name according to the SNI information;
step S203: acquiring a corresponding IP address according to the application layer domain name;
step S204: and forwarding the https request to a target server of the external network according to the acquired IP address.
Audio/video media streams must be transmitted over https, so a conventional forwarding proxy that terminates TLS has to apply for and configure its own certificate issued by a Certificate Authority (CA), and has to decrypt the traffic before it can see where to forward it.
In the method of this embodiment, the application-layer domain name is obtained from the SNI information, so no separate CA certificate has to be applied for on behalf of the proxy server, and the IP address of the extranet target server is then obtained from that domain name. In other words, the proxy server obtains the domain name to be accessed without decrypting the encrypted Uniform Resource Locator (URL) that is sent to the target server (the destination server in this embodiment). This bridges the internal and external networks with a simple flow and automatic deployment, greatly saving manpower.
The SNI information comes from the Client Hello message of the intranet terminal. Illustratively, before step S202 the method further includes: the intranet terminal sends a security protocol handshake request to the proxy server and then sends a Client Hello message to the proxy server. The SNI information acquisition module of the proxy server therefore reads the SNI information from the first Client Hello message and determines the domain name to be accessed from it.
Illustratively, for an Nginx server the SNI information acquisition module is ngx_stream_ssl_preread_module.
In one embodiment, step S204 may include: forwarding the https request to the target server through a firewall.
A forward proxy lets clients reach any website through it, so data security measures are important to ensure that only authorized clients are served. Data security during communication can be ensured with a physical firewall, so that intranet data (for example the video call between the doctor end and the patient end) stays safe while interaction between the intranet and the extranet is opened up.
Illustratively, the firewall may be configured to protect against multiple kinds of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks; to filter packets quickly through IP-address-based blacklists and whitelists; to control application behaviour of the http protocol, such as file upload and download, POST, web browsing and http proxying; and to control application behaviour of the File Transfer Protocol (FTP), such as file upload and download.
Specifically, the firewall may be set up in advance, and in one embodiment the proxy server is also configured in advance. The configuration information may include Transmission Control Protocol (TCP) signalling proxy information, port 443 listening information and User Datagram Protocol (UDP) media service proxy information, so that a forward proxy for the media stream data transmission service is implemented.
The proxy server may be a reverse proxy server such as Nginx. Nginx 1.12.x has a problem with UDP forwarding: the UDP source port may change, so there is no stable source port. This embodiment therefore uses Nginx 1.16 or later, with the UDP forwarding module added and enabled. The port 443 listening information, the TCP signalling proxy information and the UDP media service (port 10010) proxy information are configured by editing the nginx.conf file in the conf directory.
A reverse proxy server mainly provides reverse proxying: for example, it makes servers behind a firewall accessible to Internet users; it provides load balancing for multiple back-end servers, or caching for slower back-end servers; and it enables advanced URL policy and management so that web pages on different web server systems appear under the same URL space.
In the method of this embodiment, a forward proxy is provided on the basis of a reverse proxy server, giving local-area-network clients inside the firewall a way to access the Internet and bridging the internal and external networks, without the proxy server having to configure its own certificate or establish its own request connection to the target server.
Specifically, when the proxy server acts as a forward proxy for an https request, the URL to be accessed is encrypted inside Transport Layer Security / Secure Sockets Layer (TLS/SSL). The proxy server does not obtain the domain name the client wants to access by decrypting that URL; it only passes the traffic through transparently, and the TLS/SSL interaction takes place directly between the intranet terminal and the target server.
In one embodiment, the method may further include: configuring a hosts file so that the intranet terminal obtains the intranet IP address of the proxy server by downloading the hosts file.
Fig. 3 shows an intranet/extranet communication method according to an embodiment of the present disclosure, which is applied to an intranet terminal, and as shown in fig. 3, the method includes:
step S301: sending a Client Hello message to a proxy server based on the handshake request of the security protocol, wherein the Client Hello message comprises SNI information;
step S302: and responding to handshake success information returned by the proxy server, and sending an https request to the proxy server.
In one embodiment, the intranet terminal obtains the intranet IP address of the proxy server from an intranet Domain Name System (DNS) server. Specifically, step S302 may include: obtaining the intranet IP address of the proxy server from the intranet DNS server; and sending the https request to the proxy server at that intranet IP address.
In another embodiment, if there is no intranet DNS server, the intranet IP address of the proxy server may be determined from a domain-name-to-IP-address mapping (hosts) file stored in advance on the intranet terminal. Specifically, step S302 may include: determining the intranet IP address of the proxy server from the hosts file on the intranet terminal; and sending the https request to the proxy server at that intranet IP address.
The hosts file can be downloaded from the proxy server. For example, an executable file can be prepared on the proxy server in advance; the intranet terminal downloads it by entering a link address, and running it writes the hosts file configuration on the intranet terminal.
An example of interaction between the intranet terminal and the proxy server in the embodiment of the disclosure is described below with reference to fig. 4. As shown in fig. 4, the method of this example includes:
step S401: an intranet terminal sends a request to an intranet DNS server;
step S402: the DNS server returns the intranet IP address of the proxy server to the intranet terminal;
step S403: the intranet terminal sends an https request to the proxy server based on the intranet IP address;
step S404: the proxy server obtains the domain name of the application layer by obtaining the SNI information in the first Client Hello message, and sends a request to an external network DNS server;
step S405: the extranet DNS server resolves the application-layer domain name to the IP address of the target server and returns that IP address to the proxy server;
step S406: based on the IP address of the target server, the proxy server forwards the https request to the target server through a firewall, completing the flow of information between the internal and external networks; the https request is passed through together with the (still encrypted) URL, so that the target server can tell which data it needs to return;
step S407: the target server returns corresponding data according to the https request;
step S408: and the proxy server forwards the data returned by the target server to the intranet terminal.
Because this is a forward proxy and the domain name is obtained from the SNI information, no CA certificate needs to be configured for the proxy server.
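The proxy-side steps S201 to S204 above and the interaction of fig. 4 (steps S403 to S406) hinge on one operation: reading the server name out of the first TLS Client Hello record without terminating TLS, then deciding where to forward the bytes. The following Python is an added example written for this page; it is not code from the patent, from Nginx or from Baidu. It builds the terminal's Client Hello with an SNI extension (step S301), parses it the way a preread module does (steps S201 and S202), and maps the name to an upstream address through a constructed stand-in for the extranet DNS server (steps S203 and S204); the domain names, addresses and allowlist are assumptions. In Nginx the parse-and-forward half corresponds to `ssl_preread on;` together with `proxy_pass $ssl_preread_server_name:443;` in a `stream` server block.

```python
"""Added example: SNI-based forward proxying without TLS termination.
Terminal side builds a TLS ClientHello carrying a server_name extension
(RFC 6066); proxy side reads that name from the first record, checks it
against an allowlist and maps it to an upstream. All names, addresses and
the DNS table are constructed for illustration."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Terminal side (step S301): minimal ClientHello record whose only
    extension is server_name. Random and cipher list are fixed test values."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"               # client_version TLS 1.2
        + bytes(32)               # random (all zeros: constructed)
        + b"\x00"                 # session_id: empty
        + b"\x00\x02\x13\x01"     # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes):
    """Proxy side (steps S201-S202): host_name from a ClientHello record, or
    None if the bytes are not a complete ClientHello carrying SNI. This is
    the work a preread module does before any TLS state exists."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        return None               # truncated: a real proxy keeps buffering
    pos = 2 + 32                  # skip client_version and random
    pos += 1 + body[pos]          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]          # compression_methods
    if pos + 2 > len(body):
        return None               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(data) < 5:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= min(list_end, len(data)):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


# Constructed stand-in for the extranet DNS server (steps S404/S405); a real
# proxy would use socket.getaddrinfo or an Nginx `resolver`.
EXTRANET_DNS = {"rtc.example.com": "203.0.113.10", "signal.example.com": "203.0.113.11"}
# Assumed policy: names the proxy is willing to forward to. The SNI is chosen
# by the client, so without this list the proxy is an open relay to the Internet.
ALLOWED_NAMES = frozenset(EXTRANET_DNS)


def choose_upstream(first_bytes: bytes, allowed=ALLOWED_NAMES, dns=EXTRANET_DNS):
    """Steps S201-S204 as one decision: (ip, 443) to forward the raw bytes to,
    or None to close the connection. Fails closed on no SNI, a name outside
    the allowlist, or a name that does not resolve."""
    name = extract_sni(first_bytes)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    if name not in allowed:
        return None
    ip = dns.get(name)
    return (ip, 443) if ip else None


if __name__ == "__main__":
    hello = build_client_hello("rtc.example.com")
    print(extract_sni(hello), choose_upstream(hello))              # rtc.example.com ('203.0.113.10', 443)
    print(choose_upstream(build_client_hello("evil.example.net")))  # None: not on the allowlist
    print(choose_upstream(b"GET / HTTP/1.1\r\n"))                   # None: not a TLS ClientHello
```

Two checks a deployment should keep: the SNI is unauthenticated client input, so the allowlist (or the firewall's whitelist described above) is what stops an intranet host from using the proxy to reach arbitrary Internet servers; and a client that sends no cleartext name (no SNI extension, or an Encrypted Client Hello) must be dropped rather than routed to a default upstream, which is why `choose_upstream` returns None instead of guessing.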
As described above, the intranet and extranet communication method of the embodiment can be applied to a smart healthcare scenario for a call between a doctor end and a patient end. In this scenario, as shown in fig. 5, the intranet is the hospital intranet, the intranet terminal is the doctor end (for example doctor computer 100), the extranet terminal is the patient end, the target server is the service server, and the intranet DNS server is the in-hospital server 200; the video call between the patient end and the doctor end is carried out over a Real Time Communication (RTC) service (for example the Baidu RTC service) provided by an RTC server.
An example of realizing communication between an internal network and a public network of a hospital based on the intranet and extranet communication method according to the embodiment of the disclosure is described below with reference to fig. 6.
In this example, some information may be pre-configured in the client's RTC Software Development Kit (SDK) and in the hospital's internal DNS server. For example: (1) the candidate IP (candidateip) in the Baidu RTC SDK is set to the IP of the proxy server on the hospital intranet; in the web SDK, the candidateip parameter of the BRTC_Start() function is set to the IP address of the proxy server, and if candidateip is null the proxy is not used; (2) mediaserver ip in the SDK is set to the target IP address of the Baidu Cloud video server, and this must match the target IP of the UDP data stream configured in the Nginx of the hospital intranet; (3) the JavaScript (JS) files used by the H5 page are downloaded to the local server as far as possible, to avoid excessive configuration of the proxy server; (4) the corresponding domain names are configured on the internal DNS server to point at the proxy server, so that video call requests between the RTC signalling server and the doctor end or patient end can be proxied by the proxy server (without an internal DNS server, the hosts file is configured on each doctor computer instead).
As shown in fig. 6, the example method may include:
Steps 1 and 2: the doctor client initiates a video request to the internal Domain Name System (DNS) server and obtains the Internet Protocol (IP) address of the proxy server on the intranet from the configured intranet DNS server or hosts file;
Step 3: the doctor client sends an https request to the Nginx proxy server, and Nginx obtains the SNI information from the Client Hello message through ngx_stream_ssl_preread_module, giving the application-layer domain name;
Steps 4 and 5: the proxy server sends the application-layer domain name to the external DNS server and obtains the IP address it resolves, namely the IP address of the service server;
Step 6: based on the IP address of the service server, the proxy server forwards the https request to the service server through a firewall, completing the flow of information between the internal and external networks;
Steps 7 and 8: the service server returns the corresponding data to the doctor client through the proxy server. For example, the doctor client sends an https request to the service server asking for the call state of the patient client, and the service server returns the call state to the doctor client through the proxy server.
When the doctor client finds that the call state of the patient client is idle, it establishes a connection with the patient client through the proxy server and the Baidu RTC server.
Therefore, the scheme in which the proxy server forwards both the signalling and the audio/video media stream meets the requirement of using a smart screen for video calls across the hospital's internal and external networks without affecting the hospital's data security.
Fig. 7 illustrates an intranet and extranet communication device applied to a proxy server according to an embodiment of the present disclosure. As shown in fig. 7, the apparatus includes:
an SNI information obtaining module 701, configured to obtain SNI information from a client hello message of an intranet terminal in response to an https request from the intranet terminal;
a domain name determining module 702, configured to determine an application layer domain name according to the SNI information;
an IP address obtaining module 703, configured to obtain a corresponding IP address according to the application layer domain name;
and an https request forwarding module 704, configured to forward the https request to a target server of the external network according to the obtained IP address.
In one embodiment, the https request forwarding module is specifically configured to:
the https request is forwarded to the target server through the firewall.
In one embodiment, the https request forwarding module is specifically configured to:
forward the https request to the target server of the external network according to configuration information of the proxy server, the configuration information comprising Transmission Control Protocol signalling proxy information, port 443 listening information and User Datagram Protocol media service proxy information.
In one embodiment, the proxy server is a reverse proxy server.
In one embodiment, the apparatus further comprises:
and the domain name IP address associated file configuration module is used for configuring the domain name IP address associated file so that the intranet terminal acquires the intranet IP address of the proxy server by downloading the domain name IP address associated file.
Fig. 8 shows an intranet/extranet communication device according to an embodiment of the present disclosure, which is applied to an intranet terminal. As shown in fig. 8, the apparatus includes:
a client hello message sending module 801, configured to send a client hello message to the proxy server based on the security protocol handshake request, where the client hello message includes server name identification information;
an https request sending module 802, configured to send an https request to the proxy server in response to the handshake success information returned by the proxy server.
In one embodiment, the https request sending module includes:
the first intranet IP address acquisition submodule is used for acquiring the intranet IP address of the proxy server based on the intranet domain name server;
and the first https request sending submodule is used for sending the https request to the proxy server according to the intranet IP address.
In one embodiment, the https request sending module includes:
the second intranet IP address obtaining submodule is used for determining the intranet IP address of the proxy server according to a domain name IP address associated file in the intranet terminal, wherein the domain name IP address associated file is obtained by downloading from the proxy server;
and the second https request sending submodule is used for sending the https request to the proxy server according to the intranet IP address.
The functions of the modules in the apparatuses according to the embodiments of the present disclosure may refer to the corresponding descriptions in the above methods, and are not described herein again.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure. The electronic device may be an intranet terminal or a proxy server.
FIG. 9 shows a schematic block diagram of an example electronic device that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 9, the electronic device includes a computing unit 901, which can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 902 or a computer program loaded from a storage unit 908 into a Random Access Memory (RAM) 903. The RAM 903 can also store various programs and data needed for the operation of the electronic device. The computing unit 901, ROM 902 and RAM 903 are connected to each other via a bus 904. An input/output (I/O) interface 905 is also connected to bus 904.
A plurality of components in the electronic device are connected to the I/O interface 905, including: an input unit 906 such as a keyboard, a mouse, and the like; an output unit 907 such as various types of displays, speakers, and the like; a storage unit 908 such as a magnetic disk, optical disk, or the like; and a communication unit 909 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 909 allows the electronic device to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 901 may be any of a variety of general-purpose and/or special-purpose processing components with processing and computing capabilities. Examples of the computing unit 901 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller or microcontroller. The computing unit 901 performs the methods and processes described above. For example, in some embodiments the methods described above may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 908. In some embodiments, part or all of the computer program may be loaded onto and/or installed on the electronic device via the ROM 902 and/or the communication unit 909. When the computer program is loaded into RAM 903 and executed by the computing unit 901, it may perform one or more steps of the methods described above. Alternatively, in other embodiments, the computing unit 901 may be configured to perform the methods described above in any other suitable manner (for example, by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user may provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (19)

1. An intranet and extranet communication method is applied to a proxy server, and the method comprises the following steps:
responding to a hypertext transfer security protocol (https) request from an intranet terminal, and acquiring Server Name Indication (SNI) information from a client hello message of the intranet terminal;
determining an application layer domain name according to the SNI information;
acquiring the IP address of a target server of an external network according to the application layer domain name;
forwarding the https request to a target server of the external network according to the acquired IP address;
the acquiring the IP address of the target server of the external network according to the application layer domain name comprises the following steps:
sending the application layer domain name to an external network DNS server;
and acquiring the IP address obtained by the external network DNS server resolving the application layer domain name.
2. The method of claim 1, wherein forwarding the https request to a target server of an extranet comprises:
and forwarding the https request to the target server through a firewall.
3. The method of claim 1, wherein forwarding the https request to a target server of an extranet comprises:
and forwarding the https request to a target server of an external network according to configuration information of the proxy server, wherein the configuration information comprises transmission control protocol signaling proxy information, port 443 listening information, and user datagram protocol media service proxy information.
4. A method according to any one of claims 1 to 3, wherein the proxy server is a reverse proxy server.
5. The method of any of claims 1 to 3, further comprising:
and configuring a domain name IP address association file so that the intranet terminal acquires the intranet IP address of the proxy server by downloading the domain name IP address association file.
6. An intranet and extranet communication method is applied to an intranet terminal, and comprises the following steps:
sending a client hello message to a proxy server based on a security protocol handshake request, so that the proxy server acquires Server Name Indication (SNI) information from the client hello message, determines an application layer domain name according to the SNI information, and sends the application layer domain name to an extranet DNS server so as to acquire the IP address of a target server of the extranet obtained by the extranet DNS server resolving the application layer domain name;
and responding to handshake success information returned by the proxy server, and sending a hypertext transfer security protocol (https) request to the proxy server so that the proxy server forwards the https request to a target server of the extranet.
7. The method of claim 6, wherein sending a hypertext transfer security protocol, https, request to the proxy server comprises:
acquiring an intranet IP address of the proxy server based on an intranet domain name server;
and sending the https request to the proxy server according to the intranet IP address.
8. The method of claim 6, wherein sending an https request to the proxy server comprises:
determining the intranet IP address of the proxy server according to a domain name IP address association file in the intranet terminal, wherein the domain name IP address association file is downloaded from the proxy server;
and sending the https request to the proxy server according to the intranet IP address.
9. An intranet and extranet communication device applied to a proxy server, the device comprising:
an SNI information acquisition module, configured to acquire Server Name Indication (SNI) information from a client hello message of an intranet terminal in response to a hypertext transfer security protocol (https) request from the intranet terminal;
the domain name determining module is used for determining the domain name of the application layer according to the SNI information;
the IP address acquisition module is used for acquiring the IP address of a target server of the outer network according to the application layer domain name;
the https request forwarding module is used for forwarding the https request to a target server of an external network according to the acquired IP address;
the IP address obtaining module is specifically configured to:
sending the application layer domain name to an external network DNS server;
and acquiring the IP address obtained by the external network DNS server resolving the application layer domain name.
10. The apparatus according to claim 9, wherein the https request forwarding module is specifically configured to:
and forwarding the https request to the target server through a firewall.
11. The apparatus according to claim 9, wherein the https request forwarding module is specifically configured to:
and forwarding the https request to a target server of an external network according to configuration information of the proxy server, wherein the configuration information comprises transmission control protocol signaling proxy information, port 443 listening information, and user datagram protocol media service proxy information.
12. The apparatus of any of claims 9 to 11, wherein the proxy server is a reverse proxy server.
13. The apparatus of any of claims 9 to 11, further comprising:
and a domain name IP address association file configuration module, configured to configure a domain name IP address association file so that the intranet terminal acquires the intranet IP address of the proxy server by downloading the domain name IP address association file.
14. An intranet and extranet communication device, applied to an intranet terminal, the device comprising:
a client hello message sending module, configured to send a client hello message to a proxy server based on a security protocol handshake request, so that the proxy server obtains Server Name Indication (SNI) information from the client hello message, determines an application layer domain name according to the SNI information, and sends the application layer domain name to an extranet DNS server to obtain the IP address of an extranet target server obtained by the extranet DNS server resolving the application layer domain name;
and the https request sending module is configured to send an https request to the proxy server in response to the handshake success information returned by the proxy server, so that the proxy server forwards the https request to a target server of the external network.
15. The apparatus of claim 14, wherein the https request sending module comprises:
a first intranet IP address obtaining submodule, configured to obtain an intranet IP address of the proxy server based on an intranet domain name server;
and the first https request sending submodule is used for sending the https request to the proxy server according to the intranet IP address.
16. The apparatus of claim 14, wherein the https request sending module comprises:
a second intranet IP address obtaining submodule, configured to determine an intranet IP address of the proxy server according to a domain name IP address association file in the intranet terminal, where the domain name IP address association file is downloaded from the proxy server;
and the second https request sending submodule is used for sending the https request to the proxy server according to the intranet IP address.
17. A proxy server, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 5.
18. An intranet terminal comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 6 to 8.
19. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1 to 8.
CN202111162500.1A 2021-09-30 2021-09-30 Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium Active CN113905030B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111162500.1A CN113905030B (en) 2021-09-30 2021-09-30 Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111162500.1A CN113905030B (en) 2021-09-30 2021-09-30 Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium

Publications (2)

Publication Number Publication Date
CN113905030A CN113905030A (en) 2022-01-07
CN113905030B true CN113905030B (en) 2022-11-22

Family

ID=79189949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111162500.1A Active CN113905030B (en) 2021-09-30 2021-09-30 Intranet and extranet communication method and device, intranet terminal, proxy server and storage medium

Country Status (1)

Country Link
CN (1) CN113905030B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114401133B (en) * 2022-01-13 2023-12-01 中电福富信息科技有限公司 Equipment monitoring vulnerability detection system based on agent
CN114500510B (en) * 2022-01-28 2024-04-16 深圳市优必选科技股份有限公司 Request information response method, apparatus, communication device and storage medium
CN114629832A (en) * 2022-03-17 2022-06-14 广州超云科技有限公司 Remote automatic test method, system, electronic equipment and storage medium
CN115150467B (en) * 2022-09-01 2022-12-06 武汉绿色网络信息服务有限责任公司 Data access method and device and electronic equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104270379B (en) * 2014-10-14 2017-11-10 北京蓝汛通信技术有限责任公司 HTTPS agency retransmission methods and device based on transmission control protocol
CN105634904B (en) * 2016-01-19 2019-02-19 深圳前海达闼云端智能科技有限公司 SSLVPN proxy method, server, client and processing method thereof
US20190068556A1 (en) * 2017-08-31 2019-02-28 Check Point Software Technologies Ltd. Method to avoid inspection bypass due to dns poisoning or http host header spoofing
EP3544310A1 (en) * 2018-03-23 2019-09-25 Deutsche Telekom AG Method for an improved operation of a telecommunications network being operated as a multi-operator sliced network, telecommunications network, system, provider infrastructure control center, network of a service provider, program and computer-readable medium
CN108390955B (en) * 2018-05-09 2021-06-04 网宿科技股份有限公司 Domain name acquisition method, website access method and server
CN110049022B (en) * 2019-03-27 2021-10-08 深圳市腾讯计算机系统有限公司 Domain name access control method and device and computer readable storage medium
CN113037855B (en) * 2021-03-22 2022-07-22 北京爱奇艺科技有限公司 Multimedia access system, method, device, terminal and medium

Also Published As

Publication number Publication date
CN113905030A (en) 2022-01-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant