CN116260621A - Method and device for processing HTTP (hyper text transport protocol) request, storage medium and electronic equipment - Google Patents

Method and device for processing HTTP (hyper text transport protocol) request, storage medium and electronic equipment

Info

Publication number
CN116260621A
Authority
CN
China
Prior art keywords
http request
mode
processing
calculation result
http
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211698092.6A
Other languages
Chinese (zh)
Inventor
庞帆栋
江雪峰
曾立宁
范程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02: Standardisation; Integration
    • H04L41/0246: Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
    • H04L41/0273: Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP]
    • H04L41/0286: Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP] for search or classification or discovery of web services providing management functionalities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a method and a device for processing an HTTP request, a storage medium and electronic equipment. The method comprises the following steps: receiving an HTTP request sent by a client; determining a target Web site corresponding to the HTTP request and a processing mode of the target Web site, wherein the target Web site is the site requested by the client and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode; when the processing mode is the first mode, calculating an MD5 message digest of the HTTP request to obtain a calculation result; and determining, according to the calculation result, whether to forward the HTTP request directly. The invention solves the technical problem of the low HTTP request processing efficiency of Web application firewalls in the prior art.

Description

Method and device for processing HTTP (hyper text transport protocol) request, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a storage medium, and an electronic device for processing an HTTP request.
Background
A Web application firewall (Web Application Firewall, WAF) is mainly used to perform deep analysis of the application-layer HTTP traffic of a Web site and to intercept threats, so that the security of the Web site is ensured. Security protection processing of application-layer HTTP traffic involves a large amount of analysis and calculation and has the greatest influence on the processing performance of the WAF.
Currently, the related art generally relies on manually setting the protection level of the firewall: an administrator applies different levels of security protection to different websites, or to different resources of the same website, through the WAF device configuration. For example, a higher level of security protection is configured only for the websites or resources that the administrator considers likely to carry a larger security risk, and a lower level is configured for the others; compared with the lower level, the higher level of security protection consumes more CPU resources. Because the administrator configures the security level subjectively, higher-level protection tends to be applied too widely, occupying more CPU resources and lowering the efficiency of processing HTTP requests. Moreover, the accuracy of the configured security level is not high, which may lead to more missed threat reports, so that the real server faces security risks.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a storage medium and electronic equipment for processing an HTTP request, which at least solve the technical problem of low HTTP request processing efficiency of a Web application firewall in the prior art.
According to an aspect of an embodiment of the present invention, there is provided a method for processing an HTTP request, applied to a Web application firewall, including: receiving an HTTP request sent by a client; determining a target Web site corresponding to the HTTP request and a processing mode of the target Web site, wherein the target Web site is the site requested by the client and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode; when the processing mode is the first mode, calculating an MD5 message digest of the HTTP request to obtain a calculation result; and determining, according to the calculation result, whether to forward the HTTP request directly.
Further, the method for processing the HTTP request further includes: querying the MD5 message digest data table according to the calculation result; if the calculation result is found, forwarding the HTTP request directly; if the calculation result is not found, performing security check processing on the HTTP request and forwarding it when it passes the security check.
Further, the method for processing the HTTP request further includes: if the calculation result is queried, the HTTP request is forwarded to the server, so that a response of the server to the HTTP request is received, and the response is sent to the client.
Further, the method for processing the HTTP request further includes: if the calculation result is not queried, switching the current processing mode from the first mode to the second mode; and carrying out security verification processing on the HTTP request according to a preset verification rule in the second mode, and forwarding the HTTP request under the condition that the HTTP request passes the security verification.
Further, the method for processing the HTTP request further includes: determining whether a calculation result is stored in the HTTP request; and under the condition that the calculation result is stored in the HTTP request, storing the calculation result into an MD5 message digest data table.
Further, the method for processing the HTTP request further includes: acquiring attribute information of a Web site from an HTTP request, wherein the attribute information at least comprises address information and port information; determining a target Web site from the plurality of Web sites based on the attribute information; and determining a processing mode according to the configuration file of the target Web site.
Further, the method for processing the HTTP request further includes: calculating the length of a character string corresponding to the HTTP request; and switching the current processing mode from the first mode to the second mode in the case that the length of the character string is greater than the first threshold.
According to another aspect of the embodiment of the present invention, there is also provided an apparatus for processing an HTTP request, including: a receiving module for receiving the HTTP request sent by the client; a first determining module configured to determine a target website corresponding to the HTTP request and a processing mode of the target website, where the target website is the website requested by the client and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode; a processing module for calculating the MD5 message digest of the HTTP request to obtain a calculation result when the processing mode is the first mode; and a second determining module for determining, according to the calculation result, whether to forward the HTTP request directly.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described method of processing HTTP requests when run.
According to another aspect of an embodiment of the present invention, there is also provided an electronic device including one or more processors and a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to run the program, wherein the program is configured to perform the method of processing HTTP requests described above when run.
In the embodiment of the invention, whether to forward an HTTP request directly is determined according to the MD5 message digest of the request: the HTTP request sent by the client is received first; then the target Web site corresponding to the HTTP request and the processing mode of that site are determined; when the processing mode is the first mode, the MD5 message digest of the HTTP request is calculated to obtain a calculation result; and whether to forward the HTTP request directly is then determined according to the calculation result. The target Web site is the site requested by the client, and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode.
In this process, receiving the HTTP request sent by the client provides the data basis for the subsequent calculation of its MD5 message digest; determining the target Web site corresponding to the HTTP request and its processing mode decides whether the MD5 message digest needs to be calculated at all, so that the digest is calculated only when the processing mode is the first mode and whether to forward the request directly can then be decided. In addition, because the MD5 message digest of each HTTP request is stored, the MD5 message digest data table can be searched while processing later HTTP requests: if the same MD5 message digest is found, the same HTTP request has already been processed before, so the request is forwarded directly and no further security protection processing is performed. The application-layer security protection processing, which accounts for most of the WAF device's performance consumption, is skipped, so the WAF processing performance is markedly improved and the client latency reduced while the security protection capability is preserved. The saved CPU resources can also support the protection of more Web sites.
Therefore, the technical scheme of the invention achieves the aim of improving the processing performance of WAF, thereby realizing the technical effect of improving the efficiency of processing HTTP requests, and further solving the technical problem of low efficiency of processing HTTP requests by a Web application firewall in the prior art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flow chart of an alternative method of processing HTTP requests according to an embodiment of the present invention;
FIG. 2 is a workflow diagram of an alternative Web application firewall according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an alternative apparatus for processing HTTP requests, according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present invention are information and data authorized by the user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
Example 1
According to an embodiment of the present invention, there is provided an embodiment of a method of processing HTTP requests, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
Fig. 1 is a flowchart of an alternative method of processing HTTP requests, according to an embodiment of the present invention, as shown in fig. 1, including the steps of:
step S101, receiving an HTTP request sent by a client.
In the above step, the HTTP request sent by the client is received by the Web application firewall (Web Application Firewall, WAF). The HTTP request includes at least one of: a request line, request headers, and a request body.
In practice, among all HTTP requests to a Web site there are typically many that are identical in "request line + request header" or in "request line + request header + request body". Some HTTP requests have no request body: for example, requests whose method is GET have no request body, while requests whose method is POST have one.
Optionally, for the WAF of the Web site, each of these many identical HTTP requests and its corresponding HTTP response is subjected to security protection processing, which occupies more CPU resources. In this embodiment, if one HTTP request among the plurality of identical HTTP requests, together with its corresponding HTTP response, is found to carry no security threat after security protection processing, the other identical HTTP requests can be forwarded directly to the real server and the corresponding HTTP responses directly to the client, thereby improving the performance of WAF processing.
Fig. 2 is a workflow diagram of an alternative Web application firewall according to an embodiment of the invention. As shown in fig. 2, the WAF receives the request line and headers of the HTTP request sent by the client and, if a request body is present (e.g., for a POST request), also receives the request body.
Step S102, determining the target Web site corresponding to the HTTP request and the processing mode of the target Web site, wherein the target Web site is the site requested by the client and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode.
In the above step, the first mode may be a performance mode and the second mode a normal mode. For a Web site protected by the WAF, if the site's traffic contains a large number of identical HTTP requests whose corresponding HTTP responses are also identical, the "performance mode" of the site may be turned on.
Optionally, the mapping of the Web sites protected by the WAF is configured on the WAF, so that when the HTTP request sent by the client is received, the target Web site corresponding to it, and hence the processing mode of that site, can be determined.
Step S103, when the processing mode is the first mode, calculating the MD5 message digest of the HTTP request to obtain a calculation result.
In the above step, when the processing mode is the first mode, that is, when the processing mode of the target Web site corresponding to the current HTTP request is the performance mode, the MD5 message digest of the HTTP request is calculated to obtain a calculation result. The MD5 message digest is that calculation result: a character string of fixed length.
Optionally, in the case that the processing mode is the second mode, that is, the processing mode of the target Web site corresponding to the current HTTP request is the second mode, that is, the normal mode, the security protection processing is performed on the HTTP request.
Step S104, determining whether to directly forward the HTTP request according to the calculation result.
In the above step, after the MD5 message digest of the HTTP request has been calculated, it can be determined whether to forward the HTTP request directly. Optionally, the MD5 message digest is looked up in the data table; if it is found, the WAF has previously processed the same HTTP request, the request and its response have passed security protection processing (e.g., a security check) and no security threat exists, so the current HTTP request is forwarded directly without further security protection. If it is not found, the request is being processed by the WAF for the first time and requires security protection processing.
Based on the scheme defined in steps S101 to S104, in the embodiment of the present invention whether to forward the HTTP request directly is determined according to the MD5 message digest of the request: first, the HTTP request sent by the client is received; then the target Web site corresponding to the HTTP request and the processing mode of that site are determined; when the processing mode is the first mode, the MD5 message digest of the HTTP request is calculated to obtain a calculation result; and whether to forward the HTTP request directly is then determined according to the calculation result. The target Web site is the site requested by the client, and the processing mode is one of a first mode and a second mode, the complexity of processing the HTTP request in the second mode being higher than in the first mode.
It is easy to note that in the above process, receiving the HTTP request sent by the client provides the data basis for the subsequent calculation of its MD5 message digest; determining the target Web site corresponding to the HTTP request and its processing mode decides whether the MD5 message digest needs to be calculated at all, so that the digest is calculated only when the processing mode is the first mode and whether to forward the request directly can then be decided. In addition, because the MD5 message digest of each HTTP request is stored, the MD5 message digest data table can be searched while processing later HTTP requests: if the same MD5 message digest is found, the same HTTP request has already been processed before, so the request is forwarded directly and no further security protection processing is performed. The application-layer security protection processing, which accounts for most of the WAF device's performance consumption, is skipped, so the WAF processing performance is markedly improved and the client latency reduced while the security protection capability is preserved. The saved CPU resources can also support the protection of more Web sites.
Therefore, the technical scheme of the invention achieves the aim of improving the processing performance of WAF, thereby realizing the technical effect of improving the efficiency of processing HTTP requests, and further solving the technical problem of low efficiency of processing HTTP requests by a Web application firewall in the prior art.
In an alternative embodiment, in the process of determining whether to directly forward the HTTP request according to the calculation result, query processing is performed in the MD5 message digest data table according to the calculation result, if the calculation result is queried, the HTTP request is directly forwarded, if the calculation result is not queried, security check processing is performed on the HTTP request, and if the HTTP request passes the security check, the HTTP request is forwarded.
Optionally, as shown in fig. 2, after the MD5 message digest of the HTTP request is calculated, it is looked up in the MD5 message digest data table, that is, the MD5 digest Hash table. If the MD5 message digest of the HTTP request is found, this indicates that the same HTTP request has been processed by the WAF before, that the request and the response have passed security protection processing (e.g., security verification) and that no security threat exists, so the HTTP request is forwarded directly.
Optionally, if the calculation result is not queried, indicating that the request is processed by the WAF for the first time, performing security check processing on the HTTP request, that is, performing security protection processing on the request direction, then sending the request to the real server, receiving a response from the real server, performing security protection processing on the response direction, and sending the response to the client, thereby implementing a forwarding process of the HTTP request.
In an alternative embodiment, if the calculation result is queried, the HTTP request is forwarded to the server to receive a response from the server to the HTTP request, and the response is sent to the client.
Optionally, as shown in fig. 2, if the calculation result is queried, the HTTP request is sent to the real server, so as to receive a response of the real server to the HTTP request, and the response is sent to the client.
In an alternative embodiment, if the calculation result is not queried, the current processing mode is switched from the first mode to the second mode, then the HTTP request is subjected to security verification according to a verification rule preset in the second mode, and the HTTP request is forwarded under the condition that the HTTP request passes the security verification.
Optionally, as shown in fig. 2, if the calculation result is not queried, the current processing mode is switched from the first mode, that is, the performance mode, to the second mode, that is, the normal mode, and then the HTTP request is subjected to security verification according to a verification rule preset in the normal mode, and if the HTTP request passes the security verification, the HTTP request is forwarded. The preset verification rule may be a verification rule such as security verification.
Specifically, security verification processing is performed on the HTTP request, namely security protection processing is performed on the request direction, then the request is sent to the real server, a response of the real server is received, security protection processing is performed on the response direction, the response is sent to the client, and the forwarding process of the HTTP request is realized.
In an alternative embodiment, after the HTTP request is forwarded in the case that the HTTP request passes the security check, it is determined whether a calculation result is stored in the HTTP request, and in the case that the calculation result is stored in the HTTP request, the calculation result is stored in the MD5 message digest data table.
Optionally, as shown in fig. 2, it is determined whether an MD5 digest was generated for the current HTTP request. If the HTTP request was processed according to the normal-mode flow from the start, its MD5 message digest was not calculated. If the MD5 message digest was calculated earlier in the process, it is temporarily stored in the HTTP request. Once the HTTP request has passed the security check and been forwarded, it is determined whether an MD5 message digest is stored in the request; if one was generated, that is, if the MD5 message digest is stored in the request, it is stored in the MD5 message digest data table for use when processing subsequent HTTP requests.
In an alternative embodiment, in determining the target Web site corresponding to the HTTP request and the processing mode of the target Web site, attribute information of the Web site is obtained from the HTTP request, where the attribute information includes at least address information and port information, then the target Web site is determined from the multiple Web sites according to the attribute information, and then the processing mode is determined according to the configuration file of the target Web site.
Alternatively, the attribute information of the Web site may be its IP (address information), its port (port information), or its domain name. Optionally, the WAF is configured with the mapping of the protected Web sites; when it receives the HTTP request sent by the client, it obtains the attribute information of the Web site from the request, determines the target Web site among the plurality of Web sites according to that attribute information, and then determines the processing mode of the target Web site according to its configuration file.
In an alternative embodiment, before calculating the MD5 message digest of the HTTP request to obtain the calculation result, the length of the string corresponding to the HTTP request is calculated, and if the length of the string is greater than the first threshold, the current processing mode is switched from the first mode to the second mode.
Optionally, in addition to the processing mode, the configuration file of the target Web site further includes a first threshold: the length limit of an HTTP request for which the MD5 message digest is calculated. As shown in fig. 2, before the MD5 message digest of the HTTP request is calculated, it is determined whether the length of the HTTP request exceeds the length limit for calculating the MD5 message digest. Optionally, the length of the string corresponding to the HTTP request is calculated, and when that length is greater than the first threshold, that is, when the length of the HTTP request exceeds the length limit for calculating the MD5 message digest, the MD5 message digest is not calculated and the current processing mode is switched from the first mode, the performance mode, to the second mode, the normal mode.
It should be noted that the performance mode and the normal mode are configuration options of the Web site protected by the WAF, one of which is selected; the length limit for the MD5 digest is likewise configured per Web site. When the request body is very large (for example, when uploading a large file), calculating the corresponding MD5 digest consumes a large amount of CPU and reduces performance, so HTTP requests exceeding the length limit are still processed according to the normal-mode flow.
In an alternative embodiment, the entries inserted into the MD5 digest Hash table, i.e., the MD5 digest stored in the MD5 digest data table, may be managed by setting a timeout period. For example, after receiving the HTTP request and calculating that the MD5 message digest is to be stored in the MD5 digest Hash table, setting a timeout (for example, 10 minutes) in the MD5 digest Hash table, and deleting the MD5 message digest after the timeout is 10 minutes. After the MD5 abstract corresponding to a certain HTTP request is inserted into the Hash table, the corresponding resource on the server is prevented from being changed, so that the WAF cannot timely perform safety protection treatment on a new response corresponding to the subsequent same HTTP request; it is also possible to avoid that meaningless entries remain in the MD5 digest Hash table when a certain resource is deleted on the server.
Therefore, the technical scheme of the invention achieves the aim of improving the processing performance of WAF, thereby realizing the technical effect of improving the efficiency of processing HTTP requests, and further solving the technical problem of low efficiency of processing HTTP requests by a Web application firewall in the prior art.
Example 2
According to an embodiment of the present invention, there is provided an embodiment of an apparatus for processing HTTP requests, wherein fig. 3 is a schematic diagram of an alternative apparatus for processing HTTP requests according to an embodiment of the present invention, as shown in fig. 3, including: a receiving module 301, configured to receive an HTTP request sent by a client; a first determining module 302, configured to determine a target website corresponding to the HTTP request and a processing mode of the target website, where the target website is a website requested by the client, and the processing mode is one of the following: the method comprises a first mode and a second mode, wherein the complexity of processing the HTTP request in the second mode is higher than that in the first mode; the processing module 303 is configured to calculate an MD5 message digest of the HTTP request to obtain a calculation result when the processing mode is the first mode; the second determining module 304 is configured to determine whether to directly forward the HTTP request according to the calculation result.
It should be noted that the receiving module 301, the first determining module 302, the processing module 303, and the second determining module 304 correspond to steps S101 to S104 in the above embodiment; the four modules implement the same examples and application scenarios as the corresponding steps, but are not limited to those disclosed in embodiment 1 above.
Optionally, the second determining module includes: the first query unit is used for carrying out query processing in the MD5 message digest data table according to the calculation result; the first processing unit is used for directly forwarding the HTTP request if the calculation result is inquired; and the second processing unit is used for carrying out security check processing on the HTTP request if the calculation result is not inquired, and forwarding the HTTP request under the condition that the HTTP request passes the security check.
Optionally, after the MD5 message digest of the HTTP request is calculated, query processing is performed in the MD5 message digest data table, that is, the MD5 digest Hash table. If the MD5 message digest of the HTTP request is found, this indicates that the same HTTP request has been processed by the WAF before, that the request and its response have passed the security protection processing (e.g., security verification), and that no security threat exists, so the HTTP request is directly forwarded.
Optionally, if the calculation result is not queried, indicating that the request is processed by the WAF for the first time, performing security check processing on the HTTP request, that is, performing security protection processing on the request direction, then sending the request to the real server, receiving a response from the real server, performing security protection processing on the response direction, and sending the response to the client, thereby implementing a forwarding process of the HTTP request.
Optionally, the first processing unit includes: and the first forwarding sub-module is used for forwarding the HTTP request to the server if the calculation result is inquired, so as to receive the response of the server to the HTTP request and send the response to the client.
Optionally, if the calculation result is queried, the HTTP request is sent to the real server, so as to receive a response of the real server to the HTTP request, and the response is sent to the client.
Optionally, the second processing unit includes: the first processing sub-module is used for switching the current processing mode from the first mode to the second mode if the calculation result is not queried; and the second processing sub-module is used for carrying out security verification processing on the HTTP request according to a preset verification rule in the second mode and forwarding the HTTP request under the condition that the HTTP request passes the security verification.
Optionally, if the calculation result is not queried, the current processing mode is switched from the first mode, namely the performance mode, to the second mode, namely the normal mode; security verification processing is then performed on the HTTP request according to a preset verification rule in the normal mode, and the HTTP request is forwarded if it passes the security verification. The preset verification rule may be a verification rule such as a security verification rule.
Specifically, security verification processing is performed on the HTTP request, namely security protection processing is performed on the request direction, then the request is sent to the real server, a response of the real server is received, security protection processing is performed on the response direction, the response is sent to the client, and the forwarding process of the HTTP request is realized.
Optionally, the apparatus for processing HTTP request further includes: a third determining module, configured to determine whether a calculation result is stored in the HTTP request; and the first storage module is used for storing the calculation result into the MD5 message digest data table under the condition that the calculation result is stored in the HTTP request.
Optionally, it is determined whether an MD5 digest was generated for the current HTTP request. If the HTTP request was processed according to the normal-mode flow in the foregoing process, its MD5 message digest was not calculated. If the MD5 message digest of the HTTP request was calculated in the foregoing process, the MD5 message digest is temporarily stored in the HTTP request. When the HTTP request passes the security check, after the HTTP request is forwarded it is determined whether an MD5 message digest is stored in the HTTP request; if an MD5 digest was generated, namely the MD5 message digest is stored in the HTTP request, the MD5 message digest is stored in the MD5 message digest data table for use when the same HTTP request is processed subsequently.
Optionally, the first determining module includes: a first obtaining unit, configured to obtain attribute information of a Web site from an HTTP request, where the attribute information includes at least address information and port information; a fourth determining unit configured to determine a target Web site from among the plurality of Web sites based on the attribute information; and a fifth determining unit, configured to determine a processing mode according to the configuration file of the target Web site.
Alternatively, the attribute information of the Web site may be the IP (that is, the address information of the Web site), the port (that is, the port information of the Web site), or the domain name of the Web site. Optionally, the WAF is configured with a mapping of the protected Web sites; when the WAF receives the HTTP request sent by the client, it can obtain the attribute information of the Web site from the HTTP request, determine the target Web site from the plurality of Web sites according to the attribute information, and further determine the processing mode of the target Web site according to the configuration file of the target Web site.
Optionally, the apparatus for processing HTTP request further includes: the calculation module is used for calculating the length of the character string corresponding to the HTTP request; and the switching module is used for switching the current processing mode from the first mode to the second mode under the condition that the length of the character string is larger than the first threshold value.
Optionally, in addition to the processing mode, the configuration file of the target Web site further includes a first threshold, which is the length limit on HTTP requests for which the MD5 message digest is calculated. Before the MD5 message digest of the HTTP request is calculated, it is determined whether the length of the HTTP request exceeds that length limit. Optionally, the length of the string corresponding to the HTTP request is calculated, and when the length of the string is greater than the first threshold, that is, the length of the HTTP request exceeds the length limit for calculating the MD5 message digest, the MD5 message digest is not calculated and the current processing mode is switched from the first mode, that is, the performance mode, to the second mode, that is, the normal mode.
It should be noted that the performance mode and the normal mode are configuration options of the Web site protected by the WAF, and one of the two modes is selected; the length limit for the MD5 digest is also configured per Web site. When the request body is very large (for example, when a large file is uploaded), calculating the corresponding MD5 digest consumes a great deal of CPU and reduces performance, so an HTTP request exceeding the length limit is still processed according to the flow of the normal mode.
In an alternative embodiment, the entries inserted into the MD5 digest Hash table, i.e., the MD5 digests stored in the MD5 digest data table, may be managed by setting a timeout period. For example, after the HTTP request is received and its MD5 message digest is calculated and stored in the MD5 digest Hash table, a timeout (for example, 10 minutes) is set for the entry in the MD5 digest Hash table, and the MD5 message digest is deleted once the 10-minute timeout expires. This avoids the situation in which, after the MD5 digest corresponding to a certain HTTP request has been inserted into the Hash table, the corresponding resource on the server is changed and the WAF cannot promptly perform security protection processing on the new response to a subsequent identical HTTP request; it also avoids meaningless entries remaining in the MD5 digest Hash table when a certain resource is deleted from the server.
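The processing flow described in the method embodiment above and again in the apparatus embodiment (length check against the first threshold, MD5 digest lookup in a Hash table with a 10-minute timeout, switch to the normal mode on a miss, and storing the digest only after the request passes the security check), written out as an added Python example that is not the patent's or Hillstone's code. The configuration field names, the Decision record, the injectable clock and the sample_security_check rule are assumptions made for the example.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Processing modes from the text: the first (performance) mode and the second (normal) mode.
PERFORMANCE_MODE = "performance"
NORMAL_MODE = "normal"


@dataclass
class SiteConfig:
    """Per-site configuration file: selected mode and first threshold (field names are assumptions)."""
    mode: str
    md5_length_limit: int  # first threshold: longest request that is still digested


class DigestTable:
    """MD5 digest Hash table whose entries expire after a timeout (the text's example: 10 minutes)."""

    def __init__(self, ttl_seconds: float = 600.0, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._expiry: Dict[str, float] = {}

    def lookup(self, digest: str) -> bool:
        """True on a live entry; an expired entry is deleted and treated as a miss."""
        expires_at = self._expiry.get(digest)
        if expires_at is None:
            return False
        if self._clock() >= expires_at:
            del self._expiry[digest]
            return False
        return True

    def insert(self, digest: str) -> None:
        self._expiry[digest] = self._clock() + self._ttl

    def __len__(self) -> int:
        return len(self._expiry)


@dataclass
class Decision:
    mode: str              # mode in effect when the decision was made
    digest: Optional[str]  # MD5 hex digest, or None when none was calculated
    forwarded: bool        # request sent on to the server
    direct: bool           # forwarded on a digest hit, without the security check


def process_request(raw_request: bytes, site: SiteConfig, table: DigestTable,
                    security_check: Callable[[bytes], bool]) -> Decision:
    """Performance-mode fast path with fallback to the normal-mode security check."""
    mode = site.mode
    digest = None
    if mode == PERFORMANCE_MODE:
        if len(raw_request) > site.md5_length_limit:
            # Over the first threshold (e.g. a large upload): skip the digest, use the normal flow.
            mode = NORMAL_MODE
        else:
            # MD5 serves here as a cache key for "already inspected", not as an integrity primitive.
            digest = hashlib.md5(raw_request).hexdigest()
            if table.lookup(digest):
                return Decision(mode, digest, forwarded=True, direct=True)
            mode = NORMAL_MODE  # miss: first time seen, switch to the normal mode
    # Normal mode: apply the preset verification rule before forwarding.
    if not security_check(raw_request):
        return Decision(mode, digest, forwarded=False, direct=False)
    if digest is not None:
        table.insert(digest)  # stored only after the request passed the check
    return Decision(mode, digest, forwarded=True, direct=False)


def sample_security_check(raw_request: bytes) -> bool:
    """Constructed stand-in for the WAF's preset verification rule."""
    return b"<script>" not in raw_request.lower()
```

A request that fails the check is never inserted, so a repeat of it always takes the normal-mode path again; once an entry's timeout expires, the next identical request is re-inspected and re-inserted.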
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described method of processing HTTP requests when run.
Example 4
According to another aspect of an embodiment of the present invention, there is also provided an electronic device including one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running the program, wherein the program is configured to perform the method of processing HTTP requests described above when run.
The device herein may be a server, PC, PAD, cell phone, etc.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (10)

1. A method for processing HTTP requests, applied to a Web application firewall, comprising:
receiving an HTTP request sent by a client;
determining a target Web site corresponding to the HTTP request and a processing mode of the target Web site, wherein the target Web site is the site requested by the client, and the processing mode is one of the following: a first mode and a second mode, wherein the complexity of processing the HTTP request in the second mode is higher than the complexity of processing the HTTP request in the first mode;
under the condition that the processing mode is the first mode, calculating an MD5 message digest of the HTTP request to obtain a calculation result;
and determining whether to directly forward the HTTP request according to the calculation result.
2. The method of claim 1, wherein determining whether to forward the HTTP request directly based on the calculation result comprises:
according to the calculation result, inquiring in the MD5 message digest data table;
if the calculation result is inquired, directly forwarding the HTTP request;
and if the calculation result is not queried, carrying out security check processing on the HTTP request, and forwarding the HTTP request under the condition that the HTTP request passes the security check.
3. The method according to claim 2, wherein if the calculation result is queried, directly forwarding the HTTP request comprises:
and if the calculation result is queried, forwarding the HTTP request to a server to receive a response of the server to the HTTP request, and sending the response to the client.
4. The method according to claim 2, wherein if the calculation result is not queried, performing a security check process on the HTTP request, and forwarding the HTTP request if the HTTP request passes the security check, includes:
if the calculation result is not queried, switching the current processing mode from the first mode to the second mode;
and carrying out security verification processing on the HTTP request according to a preset verification rule in the second mode, and forwarding the HTTP request under the condition that the HTTP request passes the security verification.
5. The method according to claim 4, wherein, in case the HTTP request passes the security check, after forwarding the HTTP request, the method further comprises:
determining whether the calculation result is stored in the HTTP request;
and under the condition that the calculation result is stored in the HTTP request, storing the calculation result into the MD5 message digest data table.
6. The method of claim 1, wherein determining the target Web site and the processing mode of the target Web site for which the HTTP request corresponds comprises:
acquiring attribute information of a Web site from the HTTP request, wherein the attribute information at least comprises address information and port information;
determining the target Web site from a plurality of Web sites according to the attribute information;
and determining the processing mode according to the configuration file of the target Web site.
7. The method of claim 1, wherein prior to computing the MD5 message digest of the HTTP request to obtain a computation result, the method further comprises:
calculating the length of the character string corresponding to the HTTP request;
and switching the current processing mode from the first mode to the second mode under the condition that the length of the character string is larger than a first threshold value.
8. An apparatus for processing an HTTP request, comprising:
the receiving module is used for receiving the HTTP request sent by the client;
the first determining module is configured to determine a target website corresponding to the HTTP request and a processing mode of the target website, where the target website is a website requested by the client, and the processing mode is one of the following: a first mode, a second mode, wherein the complexity of processing the HTTP request in the second mode is higher than the complexity of processing the HTTP request in the first mode;
the processing module is used for calculating the MD5 message digest of the HTTP request to obtain a calculation result under the condition that the processing mode is the first mode;
and the second determining module is used for determining whether to directly forward the HTTP request according to the calculation result.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the method of processing HTTP requests as claimed in any of the claims 1 to 7 at run-time.
10. An electronic device, the electronic device comprising one or more processors; a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running a program, wherein the program is configured to perform the method of processing HTTP requests as claimed in any one of claims 1 to 7 when run.
CN202211698092.6A 2022-12-28 2022-12-28 Method and device for processing HTTP (hyper text transport protocol) request, storage medium and electronic equipment Pending CN116260621A (en)
Publications (1)

Publication Number Publication Date
CN116260621A true CN116260621A (en) 2023-06-13

Family

ID=86687117
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination