CN114257651A - Request response method, device, network equipment and computer readable storage medium - Google Patents


Info

Publication number
CN114257651A
Authority
CN
China
Prior art keywords
address
user terminal
request
server
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111496297.1A
Other languages
Chinese (zh)
Inventor
张作涛
刘爽
刘澍嶷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Application filed by Hillstone Networks Co Ltd
Priority to CN202111496297.1A
Publication of CN114257651A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The application provides a request response method, a request response device, network equipment and a computer readable storage medium. The method comprises the following steps: receiving a first request sent by a current user terminal for accessing a current website; when an IP address corresponding to the current user terminal exists in a preset address mapping table, acquiring an actual destination address corresponding to the current user terminal and a current website from the preset address mapping table, wherein the preset address mapping table stores the mapping relation between the actual IP address and the virtual IP address of the server and the IP address of the user terminal; modifying the current destination address of the first request into an actual destination address; and sending the modified first request to a response server corresponding to the actual destination address. Therefore, the actual IP address of the response server cannot be exposed, so that the purpose of hiding the actual IP address can be achieved, and the safety of the accessed server is improved.

Description

Request response method, device, network equipment and computer readable storage medium
Technical Field
The present application relates to the technical field of computer data security, and in particular, to a request response method, apparatus, network device, and computer-readable storage medium.
Background
Due to the popularity of portable devices and teleworking, more and more people use portable devices to access corporate networks. The security of these devices is not controlled by the corporate IT (Internet Technology) administrator, and a device may be compromised and become an attacker-controlled host (a "zombie" machine), which poses a security risk to the corporate intranet, for example to the corporate servers. For example, an accessor may use a port scanning tool to discover the IP address of a server on the company intranet and the services it exposes, and then launch an attack based on that information, thereby threatening the company network.
Disclosure of Invention
An object of the embodiments of the present application is to provide a request response method, apparatus, network device, and computer-readable storage medium, which can improve the security of an accessed server.
In order to achieve the above object, embodiments of the present application are implemented as follows:
In a first aspect, an embodiment of the present application provides a request response method, where the method includes: receiving a first request sent by a current user terminal for accessing a current website; when the IP address of the current user terminal exists in a preset address mapping table, acquiring an actual destination address corresponding to the current user terminal and the current website from the preset address mapping table, wherein the mapping relation between the actual IP address and the virtual IP address of the server and the IP address of the user terminal is stored in the preset address mapping table; modifying the current destination address of the first request into the actual destination address; and sending the modified first request to a response server corresponding to the actual destination address.
In the foregoing embodiment, the preset address mapping table is utilized to convert the destination address in the first request into the actual IP address of the response server as the actual destination address, so that the actual IP address of the response server is not exposed, thereby achieving the purpose of hiding the actual IP address, and further facilitating improvement of the security of the accessed server.
With reference to the first aspect, in some optional embodiments, the method further comprises:
receiving first response data sent by the response server based on the first request;
and packaging the current destination address as a source address of the first response data, and sending the packaged first response data to the current user terminal.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and when all response data corresponding to the first request are sent to the current user terminal, deleting the virtual IP address of the response server and the mapping relation corresponding to the virtual IP address from the preset address mapping table.
With reference to the first aspect, in some optional embodiments, before receiving a first request from a current user terminal to access a current website, the method further includes:
forwarding a DNS request initiated by the current user terminal when accessing the current website to a DNS server;
receiving second response data sent by the DNS server for the DNS request;
generating a virtual IP address corresponding to the actual IP address of the response server according to the second response data;
and establishing a mapping relation between the virtual IP address and the actual IP address of the response server and the IP address of the current user terminal, and recording the mapping relation in the preset address mapping table.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and when the storage duration of the virtual IP address reaches a specified duration, deleting the virtual IP address and the mapping relation corresponding to the virtual IP address from the preset address mapping table.
With reference to the first aspect, in some optional embodiments, before forwarding the DNS request initiated by the current user terminal when accessing the current website to the DNS server, the method further includes:
determining whether the current user terminal has an access right to access the current website or the response server, wherein forwarding the DNS request initiated by the current user terminal when accessing the current website to the DNS server comprises:
and when the current user terminal has the access right, forwarding the DNS request initiated by the current user terminal when accessing the current website to the DNS server.
With reference to the first aspect, in some optional embodiments, the IP address of the current user terminal is within a specified IP address range.
In a second aspect, the present application further provides a request response apparatus, including:
the receiving unit is used for receiving a first request sent by a current user terminal for accessing a current website;
an address obtaining unit, configured to obtain an actual destination address corresponding to the current user terminal and the current website from a preset address mapping table when the IP address of the current user terminal exists in the preset address mapping table, where a mapping relationship between an actual IP address and a virtual IP address of a server and an IP address of the user terminal is stored in the preset address mapping table;
an address modification unit, configured to modify a current destination address of the first request into the actual destination address;
and the sending unit is used for sending the modified first request to a response server corresponding to the actual destination address.
In a third aspect, the present application further provides a network device, which includes a processor and a memory coupled to each other, and the memory stores a computer program, and when the computer program is executed by the processor, the network device is caused to perform the method described above.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the method described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic view of an application scenario of a request response method provided in an embodiment of the present application.
Fig. 2 is a flowchart illustrating a request response method according to an embodiment of the present application.
Fig. 3 is a second flowchart of a request response method according to an embodiment of the present application.
Fig. 4 is a block diagram of a request response device according to an embodiment of the present application.
Reference numerals: 10-network device; 21-user terminal; 22-user terminal; 31-response server; 32-DNS server; 41-switch; 42-switch; 200-request response device; 210-receiving unit; 220-address obtaining unit; 230-address modification unit; 240-sending unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, the present application provides a network device 10, which may be used as a gateway device in a network and can hide a real IP address of an accessed server, so as to improve security of the accessed server.
Network device 10 may include a processing module and a memory module. The memory module stores therein a computer program which, when executed by the processing module, enables the network device 10 to perform the steps of the request response method described below.
Of course, the network device 10 may also include other modules, for example, the network device 10 may also include a communication module for establishing communication connections with other devices.
Illustratively, referring again to fig. 1, assume that a network system of a company or an organization includes the network device 10, the user terminal 21, the user terminal 22, the response server 31, the DNS (Domain Name Server) server 32, the switch 41, and the switch 42. Network device 10 may be communicatively coupled to response server 31 and DNS server 32 via switch 41. In addition, the network device 10 may also be communicatively connected to the user terminal 21 and the user terminal 22 through the switch 42. Network device 10 may also be communicatively coupled to external devices. The external device can be a server or a terminal device in a public network and can be flexibly determined according to actual conditions.
The DNS server 32 is a server that converts between the domain name of a website and the IP address corresponding to the domain name. The response server 31 can be understood as a server responding to the request of the user terminal, and can be flexibly set according to the actual situation. For example, response server 31 may include, but is not limited to, a Web server, a code server, and the like. The Web server can provide Web services for users, and the code server can be used by research personnel to edit or manage source code of the response system. The response server 31, such as a Web server or a code server, and the DNS server 32 are well known to those skilled in the art.
The user terminal may be, but is not limited to, a personal computer, a smart phone, a host device, etc.
Referring to fig. 2, the present application further provides a request response method, which can be applied to the network device 10, where the network device 10 executes or implements each step of the method, and the method may include the following steps:
step S110, receiving a first request sent by a current user terminal for accessing a current website;
step S120, when the IP address of the current user terminal exists in a preset address mapping table, acquiring an actual destination address corresponding to the current user terminal and the current website from the preset address mapping table, wherein the preset address mapping table stores the mapping relation between the actual IP address and the virtual IP address of the server and the IP address of the user terminal;
step S130, modifying the current destination address of the first request into the actual destination address;
step S140, sending the modified first request to the response server 31 corresponding to the actual destination address.
In the above embodiment, the preset address mapping table is used to convert the destination address in the first request into the actual IP address of the response server 31 as the actual destination address, so that the actual IP address of the response server 31 is not exposed. This hides the actual IP address and helps improve the security of the accessed server.
The individual steps in the process are explained in detail below, as follows:
Prior to step S110, the method may include a step of creating, on the network device 10, a mapping between the virtual IP address and the actual IP address of the server for the request. For example, prior to step S110, the method may comprise:
step S101, forwarding a DNS request initiated by the current user terminal when accessing the current website to the DNS server 32;
step S102, receiving second response data sent by the DNS server 32 for the DNS request;
step S103, generating a virtual IP address corresponding to the actual IP address of the response server 31 according to the second response data;
step S104, establishing a mapping relationship between the virtual IP address and the actual IP address of the response server 31 and the IP address of the current user terminal, and recording the mapping relationship in the preset address mapping table.
In this embodiment, the current user terminal is the user terminal that initiates the request to access the corresponding website. The current website is the website or domain name to be accessed by the user terminal, and can be flexibly determined according to the actual situation.
When a user needs to access corresponding web content in the response server 31 by using a user terminal, a DNS request may be initiated to the DNS server 32 through the user terminal. In the DNS request, a domain name of a website to be accessed by the user terminal is carried.
Referring again to fig. 1, during transmission, the DNS request generally needs to be forwarded to the network device 10 through the switch 42, and then the network device 10 forwards the DNS request to the DNS server 32 through the switch 41.
After receiving the DNS request, the DNS server 32 may find the actual IP address of the server corresponding to the website accessed by the user terminal based on the correspondence between the domain name and the actual IP address recorded in advance. Then, the DNS server 32 returns the actual IP address to the network device 10 as second response data. After receiving the second response data, the network device 10 may randomly generate a virtual IP address different from the actual IP address based on the actual IP address carried in the second response data, where the virtual IP address is a destination IP address to be accessed by the user terminal.
In step S103, the manner of generating the virtual IP address of the response server 31 may be flexibly determined according to the actual situation, as long as the generated IP address is different from the actual IP address of the response server 31 and conforms to the format of the IP address.
In this embodiment, an administrator may configure DNS rewrite rules on network device 10. The network device 10 stores a network segment mapping relationship table for the IP network segment of the user terminal, the real IP network segment of the response server, and the virtual IP network segment of the response server. The network segment mapping relation table can be understood as a preset DNS rewriting rule and can be flexibly set according to actual conditions. Illustratively, the network segment mapping relationship table may be as follows:
[Table image: network segment mapping relationship table, relating the IP network segment of the user terminal, the real IP network segment of the response server, and the virtual IP network segment of the response server]
In the network segment mapping table, the IP network segments "192.168.0.0/16", "10.100.0.0/16" and "192.168.254.0/24" are IP address ranges well known to those skilled in the art. The user terminal IP network segment may be understood as the range of IP addresses of the user terminal that are allowed to access the response server. In the process of generating the virtual IP address of the response server 31, the virtual IP address is only required to be within the range of the virtual IP network segment and different from the real IP address. In other embodiments, the user can flexibly set the range of the IP network segment according to the requirement.
In step S104, the network device 10 may establish a mapping relationship between a website (domain name), an actual IP address of the server, a virtual IP address of the server, and an IP address of the user terminal, and record the mapping relationship in an address mapping table as a preset address mapping table. The address mapping relation in the preset address mapping table can be dynamically updated based on the DNS request.
Exemplarily, referring again to fig. 1, assume that:
the current IP address of the user terminal 21 is: 192.168.1.10;
the response server 31 is a Web server, its actual (real) IP address is 10.100.2.100, and the corresponding domain name is www.portal.com.
When the user terminal 21 needs to access the website "www.portal.com" as described above, a DNS request may be initiated to the DNS server 32 through the network device 10, and then the DNS server 32 may return second response data to the network device 10. The second response data includes the actual IP address of the response server 31 corresponding to the web address "www.portal.com": 10.100.2.100. After receiving the actual IP address of the response server 31, the network device 10 may randomly generate an address different from the actual IP address as a virtual IP address, for example 192.168.254.100. The network device 10 then establishes a mapping relation between the virtual IP address and the actual IP address, the IP address of the user terminal, and the accessed website.
Similarly, if the user terminal 22 with the IP address of 192.168.1.11 also requests to access the website "www.portal.com", the gateway device may randomly generate a new virtual IP address for the actual IP address of the response server 31, such as: 192.168.254.101, as the destination IP address for access by the user terminal 22. The network device 10 may generate an address mapping table based on the user terminal 21 and the user terminal 22, which may be as follows:
[Table image: address mapping table generated for the user terminal 21 and the user terminal 22]
The network device 10 may store the above-described address mapping table in order to perform address translation on data transmitted between the user terminal and the response server 31.
As an optional implementation manner, before step S101, the method may further include:
determining whether the current user terminal has an access right to access the current website or to access the response server 31, wherein step S101 is executed when the current user terminal has the access right.
In this embodiment, the network device 10 may preliminarily detect whether the user terminal has an access right to access a corresponding website or a corresponding server. For example, for a specific website, a user terminal with corresponding access authority is required to request access. And if the user terminal does not have the access right, intercepting the request initiated by the user terminal.
The mode of detecting whether the user terminal has the access right by the network device 10 can be determined flexibly according to the actual situation. For example, the network device 10 may use a user terminal having an IP address within a specified IP address range as a user terminal having an access right. Alternatively, the network device 10 may record in advance an address table of the IP address of the user terminal having the access authority. The designated IP address range can be flexibly set according to actual conditions.
When the network device 10 receives a request from the user terminal, it may compare the IP address of the user terminal with the specified IP address range, or compare the IP address with a preset address table. If the current user terminal IP address is in the designated IP address range or the IP address same as the IP address of the current user terminal exists in the preset address table, the user terminal is considered to have the access authority, and then the step S101 is executed; otherwise, the user terminal is considered not to have the access right, and at this time, the network device 10 may intercept the request to improve the security of the access.
As an optional implementation, the method may further include:
and when the storage duration of the virtual IP address reaches a specified duration, deleting the virtual IP address and the mapping relation corresponding to the virtual IP address from the preset address mapping table.
Understandably, in the preset address mapping table, the virtual IP address and the specified time length for the survival of the mapping relationship of the virtual IP address can be flexibly determined according to the actual situation. When the storage time length of the virtual IP address reaches the designated time length, the virtual IP address is automatically deleted from the preset address mapping table, so that the timeliness of the virtual IP address and the mapping relation can be improved.
Generally, the specified duration is slightly longer than the duration from the response server 31 starting to completing the response based on the first request, so as to ensure that the virtual IP address and the mapping relationship of the response server 31 are valid in one request response process.
In this embodiment, because the virtual IP address of the response server 31 and the mapping relationship corresponding to the virtual IP address are time-limited, the security of the virtual IP address and the security of access can be improved, and information leakage caused by using the same virtual IP address for the same service for a long time can be avoided.
In step S110, the first request may be understood as a request initiated by the user terminal to the response server 31 after acquiring the virtual IP address of the response server 31 corresponding to the current website. The request content of the first request may be determined according to actual situations, for example, the request content may represent that the user desires to access the network resource in the response server 31, or represent that the user desires to perform management control operation on the network resource in the response server 31, or the like.
In step S120, after receiving the first request, the network device 10 may detect whether the IP address of the current user terminal exists in the preset address mapping table, and if the IP address of the current user terminal exists, further obtain the actual IP address of the response server 31 corresponding to the IP address and the current website from the preset address mapping table. The preset address mapping table may be dynamically generated based on second response data sent by the DNS server for the DNS request, and the generation manner may refer to the above step S101 to step S104, which is not described herein again.
If the IP address of the user terminal and the actual IP address of the server corresponding to the current website do not exist in the preset address mapping table, the first request is intercepted. At the same time, the network device 10 may return prompt information to the user terminal indicating that the request failed.
If the preset address mapping table contains the actual IP address of the server corresponding to the IP address of the user terminal and the current website, step S130 is performed.
In step S130, the network device 10 may perform address translation on the destination address of the first request. Understandably, the current destination address of the first request is the virtual IP address of the response server 31, and the actual destination address is the actual IP address of the response server 31. The network device 10 may make the modified first request received and responded to normally by the response server 31 by modifying the virtual IP address in the first request to the actual IP address.
In step S140, the network device 10 may send the first request after modifying the destination address to the response server 31 for the response server 31 to parse and respond.
Referring to fig. 3, after step S140, the method may further include:
step S150, receiving first response data sent by the response server 31 based on the first request;
step S160, encapsulating the current destination address as the source address of the first response data, and sending the encapsulated first response data to the current user terminal.
Understandably, when the network device 10 receives the first response data, the source address in the first response data is the actual IP address of the response server 31. Before sending the first response data to the user terminal, the network device 10 needs to convert the actual IP address into the virtual IP address of the response server 31, where the virtual IP address is the destination address in the first request sent by the user terminal. The network device 10 then forwards the first response data after the address conversion to the current user terminal. In this way, the source address of the first response data received by the user terminal is the virtual IP address of the response server 31, not the actual IP address of the response server 31, so that the actual IP address of the response server 31 is hidden and the access security is improved.
As an optional implementation, the method may further include:
when all the response data corresponding to the first request are sent to the current user terminal, the virtual IP address of the response server 31 and the mapping relationship corresponding to the virtual IP address are deleted from the preset address mapping table.
In this embodiment, a single response by the response server 31 to the first request may take a long time. For example, if the data packet transmitted from the response server 31 to the user terminal is large, the data packet needs to be transmitted a plurality of times, which results in a long response processing time. During one response process, it is necessary to ensure that the virtual IP address and the corresponding mapping relationship in the preset address mapping table remain unchanged, so that the flow of a single response can be completed normally.
When the response server 31 completes the response to the first request, it may send a prompt message indicating that the response is complete to the user terminal through the network device 10. After receiving the prompt message, the network device 10 modifies the source IP address of the prompt message (the source IP address is the actual IP address of the response server) into the virtual IP address of the server, and sends the message to the user terminal. Then, the network device 10 may automatically delete the virtual IP address of the response server 31 and the mapping relationship corresponding to the virtual IP address in the preset address mapping table, so as to improve the timeliness and reliability of the virtual IP address.
Based on this design, the administrator can hide the real IP address of the server and minimize the exposure of server information, thereby minimizing the exposed attack surface of the server. An administrator can flexibly adjust the IP network planning of the server area, such as adding a server network segment or changing the IP of a server, and can achieve a smooth transition for access from other areas to the server simply by adjusting the DNS rule of the security gateway.
In addition, in the preset address mapping table, the same server can present different virtual IP addresses to different user terminals. When different user terminals obtain the same virtual IP address, the virtual IP address can correspond to different real servers. When the same host accesses the same domain name at different times, the virtual IP addresses of the server that it obtains can be different. Until the mapping relation between the domain name and the virtual IP is obtained, a user cannot access the server with an IP address the user has obtained, so that the security of the access operation can be improved.
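The following is an added example, not code from the application, that models steps S101 to S160 together with the expiry and deletion rules, using the addresses from the worked example above. The class and method names, the 30-second specified duration, and the assignment of the quoted network segments to roles (inferred from the worked example) are assumptions.

```python
import ipaddress
import secrets
import time

# Segments quoted in the description. Which segment plays which role is an
# assumption inferred from the worked example (the original table is an image).
CLIENT_NET = ipaddress.ip_network("192.168.0.0/16")     # terminals allowed to resolve
VIRTUAL_NET = ipaddress.ip_network("192.168.254.0/24")  # pool for virtual IPs


class Gateway:
    """Toy model of network device 10: DNS rewrite plus per-terminal translation."""

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl = ttl      # the "specified duration" (30 s is an assumed value)
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self.table = {}     # (terminal_ip, virtual_ip) -> (domain, real_ip, created_at)

    def _expire(self):
        """Drop mappings whose storage duration has reached the specified duration."""
        now = self.clock()
        for key in [k for k, (_, _, born) in self.table.items() if now - born >= self.ttl]:
            del self.table[key]

    def on_dns_answer(self, terminal_ip, domain, real_ip):
        """Steps S101-S104: replace the DNS server's real answer with a virtual IP.

        Returns the virtual IP handed to the terminal, or None when the terminal
        is outside the permitted range and its request is intercepted.
        """
        self._expire()
        if ipaddress.ip_address(terminal_ip) not in CLIENT_NET:
            return None
        # A virtual IP only has to be unique per terminal: two terminals may hold
        # the same virtual IP for different real servers.
        in_use = {vip for (term, vip) in self.table if term == terminal_ip}
        pool = [str(h) for h in VIRTUAL_NET.hosts()
                if str(h) not in in_use and str(h) != real_ip]
        if not pool:
            raise RuntimeError("virtual segment exhausted for this terminal")
        vip = secrets.choice(pool)
        self.table[(terminal_ip, vip)] = (domain, real_ip, self.clock())
        return vip

    def translate_request(self, terminal_ip, dst_ip):
        """Steps S110-S140: return the actual destination address for a request,
        or None (intercept) when this terminal holds no mapping for dst_ip."""
        self._expire()
        entry = self.table.get((terminal_ip, dst_ip))
        return entry[1] if entry else None

    def translate_response(self, terminal_ip, server_ip, final=False):
        """Steps S150-S160: return the virtual IP to use as the response's source
        address. With final=True the mapping is deleted once it has been used.
        Simplification: the table is scanned here; a gateway would keep flow state."""
        self._expire()
        for (term, vip), (_, real_ip, _) in list(self.table.items()):
            if term == terminal_ip and real_ip == server_ip:
                if final:
                    del self.table[(term, vip)]
                return vip
        return None


if __name__ == "__main__":
    gw = Gateway()
    vip = gw.on_dns_answer("192.168.1.10", "www.portal.com", "10.100.2.100")
    print("terminal 21 is told:", vip)
    print("request to virtual IP ->", gw.translate_request("192.168.1.10", vip))
    print("request to real IP    ->", gw.translate_request("192.168.1.10", "10.100.2.100"))
    print("terminal with no mapping ->", gw.translate_request("192.168.1.12", vip))
    print("response source seen by terminal:",
          gw.translate_response("192.168.1.10", "10.100.2.100", final=True))
    print("after final response ->", gw.translate_request("192.168.1.10", vip))
```

A request addressed straight to 10.100.2.100, or sent by a terminal that never resolved the domain, finds no entry and is intercepted, which is the property the description relies on.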
Referring to fig. 4, an embodiment of the present application further provides a request response apparatus 200, which can be applied to the network device 10 described above for executing the steps in the method. The request responding apparatus 200 includes at least one software function module which can be stored in a memory module in the form of software or Firmware (Firmware) or solidified in an Operating System (OS) of the network device 10. The processing module is used for executing executable modules stored in the storage module, such as software functional modules and computer programs included in the request response device 200.
The request response device 200 may include a receiving unit 210, an address obtaining unit 220, an address modifying unit 230, and a sending unit 240, and each unit may have the following functions:
a receiving unit 210, configured to receive a first request sent by a current user terminal to access a current website;
an address obtaining unit 220, configured to, when an IP address of the current user terminal exists in a preset address mapping table, obtain an actual destination address corresponding to the current user terminal and the current website from the preset address mapping table, where a mapping relationship between an actual IP address and a virtual IP address of a server and an IP address of the user terminal is stored in the preset address mapping table;
an address modification unit 230, configured to modify a current destination address of the first request into the actual destination address;
a sending unit 240, configured to send the modified first request to the response server 31 corresponding to the actual destination address.
Optionally, the receiving unit 210 is further configured to receive first response data sent by the response server 31 based on the first request; the sending unit 240 is further configured to encapsulate the current destination address as a source address of the first response data, and send the encapsulated first response data to the current user terminal.
Optionally, the request responding apparatus 200 may further include an address deleting unit, configured to delete the virtual IP address of the response server 31 and the mapping relationship corresponding to the virtual IP address from the preset address mapping table when all response data corresponding to the first request are sent to the current user terminal.
Optionally, the request response device 200 may further include a virtual address generation unit and a relationship establishment unit. Before the receiving unit 210 receives a first request sent by a current user terminal to access a current website, the sending unit 240 is further configured to forward a DNS request initiated by the current user terminal when accessing the current website to the DNS server 32; the receiving unit 210 is further configured to receive second response data sent by the DNS server 32 for the DNS request; the virtual address generating unit is configured to generate a virtual IP address corresponding to the actual IP address of the response server 31 according to the second response data; the relationship establishing unit is configured to establish a mapping relationship between the virtual IP address and the actual IP address of the response server 31 and the IP address of the current user terminal, and record the mapping relationship in the preset address mapping table.
Optionally, the address deleting unit is further configured to delete the virtual IP address and the mapping relationship corresponding to the virtual IP address from the preset address mapping table when the storage duration of the virtual IP address reaches a specified duration.
Optionally, the request responding apparatus 200 may further include an access right detecting unit. Before the sending unit 240 forwards the DNS request initiated by the current user terminal when accessing the current website to the DNS server 32, the access right detecting unit is configured to determine whether the current user terminal has an access right to access the current website or to access the response server 31. When the current user terminal has the access right, the sending unit 240 forwards the DNS request initiated by the current user terminal when accessing the current website to the DNS server 32.
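The units listed above, together with the mapping-table properties described earlier (per-terminal virtual addresses, deletion on completion or after the specified duration), can be modelled as one small state machine. The following is an added illustration, not code from the patent: the class and function names, the address ranges, modelling the access right as membership in a client range, and dropping traffic that has no mapping are all assumptions.

```python
import ipaddress
import secrets


class Gateway:
    """Toy model of network device 10; packets are (src_ip, dst_ip) tuples."""

    def __init__(self, vip_pool, client_range, zone, ttl):
        self.pool = [str(a) for a in ipaddress.ip_network(vip_pool)]
        self.clients = ipaddress.ip_network(client_range)  # access right (assumed)
        self.zone = zone    # stand-in for DNS server 32: domain -> actual IP
        self.ttl = ttl      # "specified duration" of a mapping, in seconds
        self.table = {}     # (client_ip, virtual_ip) -> (actual_ip, created)

    def _expire(self, now):
        for key, (_, created) in list(self.table.items()):
            if now - created >= self.ttl:
                del self.table[key]

    def resolve(self, client_ip, domain, now):
        """DNS step: access check, then answer with a fresh virtual IP."""
        if ipaddress.ip_address(client_ip) not in self.clients:
            return None                     # no access right: not forwarded
        real_ip = self.zone.get(domain)
        if real_ip is None:
            return None
        self._expire(now)
        free = [v for v in self.pool if (client_ip, v) not in self.table]
        if not free:
            return None                     # pool exhausted for this client
        vip = secrets.choice(free)          # unpredictable pick (assumption)
        self.table[(client_ip, vip)] = (real_ip, now)
        return vip                          # the client never sees real_ip

    def forward_request(self, packet, now):
        """Rewrite destination virtual IP -> actual IP, or drop (None)."""
        src, dst = packet
        self._expire(now)
        entry = self.table.get((src, dst))
        if entry is None:
            return None                     # assumption: unmapped traffic is dropped
        return (src, entry[0])

    def forward_response(self, packet, final=True):
        """Rewrite source actual IP -> virtual IP; delete mapping when done."""
        src, dst = packet
        for (client, vip), (real_ip, _) in list(self.table.items()):
            if client == dst and real_ip == src:
                if final:
                    del self.table[(client, vip)]
                return (vip, dst)
        return None


def demo():
    zone = {"app.example.internal": "10.0.5.20"}    # constructed sample data
    gw = Gateway("198.18.0.0/29", "192.168.1.0/24", zone, ttl=60)
    vip = gw.resolve("192.168.1.10", "app.example.internal", now=0)
    req = gw.forward_request(("192.168.1.10", vip), now=1)
    other = gw.forward_request(("192.168.1.11", vip), now=1)   # different terminal
    resp = gw.forward_response(("10.0.5.20", "192.168.1.10"))
    reuse = gw.forward_request(("192.168.1.10", vip), now=2)   # mapping deleted
    return vip, req, other, resp, reuse
```

Because the table is keyed on the pair (terminal IP, virtual IP), a virtual address learned by one terminal does not resolve for another terminal, and it stops resolving for the original terminal once the response completes or the specified duration elapses.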
In this embodiment, the processing module may be an integrated circuit chip having signal processing capability. The processing module may be a general purpose processor. For example, the processor may be a Central Processing Unit (CPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
The memory module may be, but is not limited to, a random access memory, a read only memory, a programmable read only memory, an erasable programmable read only memory, an electrically erasable programmable read only memory, and the like. In this embodiment, the storage module may be configured to store a preset address mapping table and the like. Of course, the storage module may also be used to store a program, and the processing module executes the program after receiving the execution instruction.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the network device 10 and the request response apparatus 200 described above may refer to the corresponding steps of the foregoing method, and are not described again in detail here.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the request response method as described in the above embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB disk, or a removable hard disk) and includes several instructions that enable a computer device (such as a personal computer, a server, or a network device) to execute the method described in the embodiments of the present application.
In summary, in the present solution, the network device uses the preset address mapping table to convert the destination address in the first request into the actual IP address of the response server, which serves as the actual destination address. The actual IP address of the response server is therefore not exposed, which achieves the purpose of hiding the actual IP address and helps improve the security of the accessed server.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A request response method, the method comprising:
receiving a first request sent by a current user terminal for accessing a current website;
when the IP address of the current user terminal exists in a preset address mapping table, acquiring an actual destination address corresponding to the current user terminal and the current website from the preset address mapping table, wherein the mapping relation between the actual IP address and the virtual IP address of the server and the IP address of the user terminal is stored in the preset address mapping table;
modifying the current destination address of the first request into the actual destination address;
and sending the modified first request to a response server corresponding to the actual destination address.
2. The method of claim 1, further comprising:
receiving first response data sent by the response server based on the first request;
and encapsulating the current destination address as a source address of the first response data, and sending the encapsulated first response data to the current user terminal.
3. The method of claim 2, further comprising:
and when all response data corresponding to the first request are sent to the current user terminal, deleting the virtual IP address of the response server and the mapping relation corresponding to the virtual IP address from the preset address mapping table.
4. The method of claim 1, wherein prior to receiving the first request from the current user terminal to access the current website, the method further comprises:
forwarding a DNS request initiated by the current user terminal when accessing the current website to a DNS server;
receiving second response data sent by the DNS server for the DNS request;
generating a virtual IP address corresponding to the actual IP address of the response server according to the second response data;
and establishing a mapping relation between the virtual IP address and the actual IP address of the response server and the IP address of the current user terminal, and recording the mapping relation in the preset address mapping table.
5. The method of claim 4, further comprising:
and when the storage duration of the virtual IP address reaches a specified duration, deleting the virtual IP address and the mapping relation corresponding to the virtual IP address from the preset address mapping table.
6. The method according to claim 4, wherein before forwarding the DNS request initiated by the current user terminal when accessing the current website to a DNS server, the method further comprises:
determining whether the current user terminal has an access right to access the current website or the response server, wherein forwarding the DNS request initiated by the current user terminal when accessing the current website to the DNS server comprises:
and when the current user terminal has the access right, forwarding the DNS request initiated by the current user terminal when accessing the current website to the DNS server.
7. The method of claim 4, wherein the IP address of the current user terminal is within a specified range of IP addresses.
8. A request response apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive a first request sent by a current user terminal for accessing a current website;
an address obtaining unit, configured to obtain an actual destination address corresponding to the current user terminal and the current website from a preset address mapping table when the IP address of the current user terminal exists in the preset address mapping table, where a mapping relationship between an actual IP address and a virtual IP address of a server and an IP address of the user terminal is stored in the preset address mapping table;
an address modification unit, configured to modify a current destination address of the first request into the actual destination address;
and a sending unit, configured to send the modified first request to a response server corresponding to the actual destination address.
9. A network device, characterized in that the network device comprises a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the network device to perform the method according to any one of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111496297.1A CN114257651A (en) 2021-12-09 2021-12-09 Request response method, device, network equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN114257651A true CN114257651A (en) 2022-03-29
