WO2022257931A1 - Deployment method and apparatus for secure acceleration service, and medium and device - Google Patents


Info

Publication number
WO2022257931A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain name
target domain
certificate
security
security acceleration
Application number
PCT/CN2022/097417
Other languages
French (fr)
Chinese (zh)
Inventor
卢江滨
Original Assignee
贵州白山云科技股份有限公司
Application filed by 贵州白山云科技股份有限公司
Publication of WO2022257931A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/08 Configuration management of networks or network elements
                        • H04L41/0803 Configuration setting
                            • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
                                • H04L41/083 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability for increasing network speed
                • H04L61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L61/45 Network directories; Name-to-address mapping
                        • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
                            • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                    • H04L9/40 Network security protocols

Definitions

  • Embodiments of the present disclosure relate to but are not limited to a security acceleration service deployment method, device, medium and equipment.
  • HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer (also glossed on the page as Hypertext Transfer Security Protocol)
  • SSL: Secure Sockets Layer
  • If the client browser enforces HTTPS access for the domain name and rewrites HTTP (Hyper Text Transfer Protocol) requests into HTTPS requests, the client will not be able to obtain the requested content from the CDN network.
  • the present disclosure provides a method, device, medium and equipment for secure accelerated service deployment.
  • a security acceleration service deployment method is provided, which is applied to a certificate management platform, including:
  • the domain name information includes at least one of the top-level domain type and business type;
  • the operation information includes at least one of the historical times of accessing the security acceleration service of the target domain name and the access trend of the security acceleration service of the target domain name.
  • the security acceleration policy includes:
  • the security acceleration service is enabled for domain names whose access times to the security acceleration service are greater than or equal to a preset threshold and/or domain names whose access trend to the security acceleration service of the target domain name becomes larger.
  • the applying to the CA for the certificate of the target domain name, and deploying the certificate of the target domain name to the edge node includes:
  • the applying to the CA institution for a new certificate of the target domain name includes:
  • the security acceleration service includes HTTPS acceleration service or QUIC acceleration service.
  • a security acceleration service deployment method is provided, which is applied to a configuration center, including:
  • the configuration information of the target domain name is used to configure the security acceleration service for the target domain name and includes the domain name and information about the domain name owner or administrator.
  • a security acceleration service deployment device which is applied to a certificate management platform, including:
  • the security acceleration service opening module is configured to enable the security acceleration service for the target domain name when the domain name information or operation information of the target domain name meets the security acceleration policy, or when it receives the detection result that the security acceleration service is enabled for the target domain name;
  • the certificate management module is configured to apply for the certificate of the target domain name from the CA institution, and deploy the certificate of the target domain name to the edge node.
  • the configuration information request module is configured to send request information for obtaining configuration information of the target domain name to the configuration center, and receive configuration information of the target domain name.
  • an apparatus for deploying a security acceleration service which is applied to a configuration center, including:
  • the information management module is configured to receive instruction information for enabling the security acceleration service for the target domain name, and send the detection result of enabling the security acceleration service for the target domain name to the certificate management platform;
  • the configuration information sending module is configured to send the configuration information to the certificate management platform.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed, the steps of the security acceleration service deployment method are realized.
  • a computer device including a processor, a memory, and a computer program stored on the memory.
  • when the processor executes the computer program, the steps of the security acceleration service deployment method are implemented.
  • this disclosure can automatically implement the HTTPS or QUIC security acceleration function for a content provider's website that only provides HTTP services to its users; it does not require the content provider to apply for a domain name certificate, nor to perform operations such as certificate management and renewal, which speeds up the deployment of security acceleration services for the content provider's domain names.
  • the certificate management platform decides whether to provide the security acceleration service according to the security acceleration policy. If necessary, the certificate management platform independently applies for the certificate from the CA institution; this process does not require the content provider's participation and is fully transparent to the content provider.
  • Fig. 1 is a flow chart of a security acceleration service deployment method according to an exemplary embodiment.
  • Fig. 2 is a flowchart showing a method for deploying a security acceleration service according to an exemplary embodiment.
  • Fig. 3 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • Fig. 4 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • Fig. 5 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • Fig. 6 is a block diagram of a computer device according to an exemplary embodiment.
  • HTTPS also known as HTTP over TLS
  • HTTPS uses HTTP to communicate, but uses TLS/SSL to encrypt data packets during communication
  • TLS: Transport Layer Security
  • When a server uses a security protocol to provide secure services, it needs to deploy the certificate of the target domain name so that the client can authenticate it.
  • When an edge node receives an HTTPS request from a client for the content of a website that only provides HTTP services to its users, the edge node has no certificate for that website's domain name, so it cannot establish an encrypted connection with the client and cannot respond to the HTTPS request with the correct content.
  • the content provider hopes that the CDN manufacturer can use HTTPS or QUIC to provide secure acceleration services when the CDN manufacturer provides CDN acceleration services
  • the content provider needs to provide the SSL certificate of the website domain name to the CDN manufacturer.
  • The process is roughly as follows, taking an HTTPS service as the example of a security acceleration service.
  • the content provider creates the server public key and private key for the domain name, then submits the public key together with personal or organizational information to the CA (certificate authority) to apply for certification; after the CA has audited the information, it generates a digital certificate containing the applicant's public key, the applicant information, the CA's signature and other information; after receiving the digital certificate, the content provider sends it to the CDN manufacturer.
  • the CDN vendor is responsible for deploying the certificate to the edge nodes.
  • When the client sends a request in HTTPS protocol format to the CDN edge node, the edge node sends the certificate to the client. After the client has authenticated the certificate, key negotiation takes place, and the HTTPS request is then processed. It can be seen that in order to provide the HTTPS service function, the content provider has to go through tedious procedures.
  • the present disclosure provides a method for safely accelerating service deployment.
  • Fig. 1 shows a flowchart of a security acceleration service deployment method according to an exemplary embodiment of the present disclosure.
  • the security acceleration service deployment method is applied to the certificate management platform.
  • the security acceleration service deployment method includes at least step S11 to step S12, which are described in detail as follows:
  • Step S11 may be step S11a: when the domain name information or operation information of the target domain name satisfies the security acceleration policy, it is determined to enable the security acceleration service for the target domain name.
  • the certificate management platform is set up by the CDN manufacturer and serves as a device for managing the certificates of the service domain names. It can be a dedicated device or a general-purpose server on which certificate management software or code is installed.
  • the certificate management platform can determine whether the domain name information or operation information of the target domain name meets the security acceleration policy preset on the certificate management platform. If the domain name information or operation information meets the security acceleration policy, it is determined to enable the security acceleration service for the target domain name.
  • Domain name information includes at least one of top-level domain type and business type.
  • security acceleration policies include but are not limited to:
  • For example, if the target domain name is WWW.ABC.GOV and the security acceleration policy is to provide acceleration services for domain names whose top-level domain type is GOV, then the top-level domain type in the target domain name information satisfies the policy, and the certificate management platform determines to enable the security acceleration service for WWW.ABC.GOV. Alternatively, the business type of the domain name can be determined from the second-level domain name ABC; for example, if the business type is financial and the security acceleration policy is to provide acceleration services for domain names whose business type is financial, the security acceleration service is enabled for the target domain name. In practical applications, the decision can also be based on whether both the top-level domain type and the business type corresponding to the second-level domain name satisfy the acceleration policy. Domain name information includes but is not limited to top-level domain type and business type.
  • the operation information includes at least one of historical times of accessing the security acceleration service of the target domain name and an access trend of accessing the security acceleration service of the target domain name.
  • the security acceleration policy includes: enabling the security acceleration service for domain names whose access times to the security acceleration service are greater than or equal to a preset threshold and/or domain names whose access tendency to the security acceleration service of the target domain name becomes larger.
  • the security acceleration policy is to enable the security acceleration service for domain names that access the security acceleration service more than or equal to 100 times.
  • the certificate management platform queries the management equipment of the CDN system and obtains the operation log of the target domain name.
  • If the edge nodes in the CDN system have received HTTPS://WWW.B.COM requests more than 100 times, the security acceleration service is enabled for the target domain name.
  • Another example is to enable the security acceleration service for a domain name whose tendency to access the security acceleration service becomes larger. By querying the operation log of the target domain name, it is found that the edge node in the CDN system has received 80 HTTPS://WWW.B.COM requests.
  • the access trend may also be determined according to the ratio of the number of times of accessing the security acceleration service to the total number of times of access in a continuous period of time.
  • the total number of visits to WWW.B.COM on the first day is 1000, of which HTTPS visits account for 1%; the total number of visits on the second day is 1580, of which HTTPS visits account for 1.5%; and the total number of visits on the third day is 1050, of which HTTPS visits account for 2%. This indicates that the trend of accessing the HTTPS security acceleration service of the target domain name is becoming larger, and the security acceleration service is enabled for the domain name WWW.B.COM.
  • the certificate management center can obtain the security acceleration policy set by the management personnel from the CDN management device, or obtain a security acceleration policy set directly in the certificate management center by the management personnel.
  • When the certificate management platform obtains the security acceleration policy and confirms that the policy is configured, it starts the judgment mechanism for whether the domain name information or operation information of the target domain name meets the security acceleration policy, so as to judge in a timely manner whether to enable the security acceleration service for the target domain name.
  • After receiving the certificate acquisition request for the target domain name sent by the edge node, the certificate management platform determines whether the domain name information or operation information of the target domain name satisfies the security acceleration policy.
  • When the certificate management platform obtains the security acceleration policy and determines that the policy for the target domain name has been configured, it does not start the judgment mechanism immediately. Instead it waits until the edge node has received a secure connection request from a user and has sent the certificate acquisition request for the target domain name to the certificate management platform; only then is the judgment mechanism for whether the domain name information or operation information meets the security acceleration policy started. This reduces redundant operations for domain names without actual access demand and avoids wasting certificate application resources.
  • When the domain name information of the target domain name satisfies the security acceleration policy and it is determined to enable the security acceleration service for the target domain name, the security acceleration service deployment method further includes:
  • the configuration information includes the domain name and information about the domain name owner or manager; it is the information required to apply for the certificate of the target domain name, and is used to apply for that certificate and to enable the security acceleration service for the target domain name.
  • Content providers provide network content and have their own website domain names for Internet users to visit.
  • the content provider can use the CDN network of the CDN manufacturer to accelerate the website.
  • CDN manufacturers can pre-obtain relevant information such as the content provider's domain name, domain name owner or manager information, etc., in order to configure the CDN network, such as setting the corresponding edge server to provide HTTP acceleration services for the content provider's domain name.
  • an edge node on which the certificate of the target domain name is deployed can provide that certificate to the client when it receives an HTTPS request for the target domain name, and establish an HTTPS connection with the client after the certificate has been verified.
  • the CDN manufacturer may decide to provide the HTTPS service for the target domain name according to the actual network environment, or upon receiving an instruction from the content provider to provide the HTTPS service for the target domain name.
  • the CDN manufacturer can obtain the configuration information of the content provider in advance, or on demand when configuring the HTTP acceleration service for the target domain name, so that when the acceleration service for the target domain name needs to be provided, the certificate management platform can independently apply for the certificate of the target domain name on behalf of the content provider and provide the security acceleration service for the target domain name.
  • the CDN manufacturer may store the acquired configuration information of the target domain name in the configuration center.
  • when the certificate management platform determines to enable the security acceleration service for the target domain name, in order to apply for the certificate of the target domain name from the CA institution it can request the configuration information of the target domain name from the configuration center and then send the application information to the CA institution.
  • the security acceleration service includes but is not limited to HTTPS acceleration service or QUIC acceleration service.
  • the security acceleration service can be an HTTPS acceleration service or a QUIC service.
  • QUIC: Quick UDP Internet Connection
  • the transport layer protocol includes TCP and UDP protocols.
  • QUIC combines the features of protocols including TCP, TLS, HTTP/2, etc., but based on UDP transmission, it is a fast and secure transmission protocol.
  • the security acceleration service can also be in the form of other protocols.
  • the security acceleration service provided by this disclosure can be applied to the scenarios where the server needs to provide a certificate during authentication.
  • the CDN manufacturer determines to provide the security acceleration service for the target domain name.
  • the certificate management platform applies for a certificate for the target domain name, and deploys the certificate of the target domain name to the edge node to realize the secure acceleration service for the target domain name.
  • Step S12: apply for the certificate of the target domain name from the CA institution, and deploy the certificate of the target domain name to the edge node.
  • After the certificate management platform determines to enable the security acceleration service for the target domain name, it actively applies for the certificate of the target domain name from the CA institution and deploys the certificate to the edge node.
  • an edge node on which the certificate of the target domain name has been deployed can return that certificate to the client when it receives the client's secure connection request for the target domain name, so that the client can authenticate it; after authentication passes, an encrypted secure connection is established with the client, improving the security of the data content.
  • For website domain names that do not support security protocols, for example a website that only provides HTTP services to its users, the CDN system can judge according to the preset security acceleration policy and, if the conditions of the policy are met, provide the security acceleration service for that website's content.
  • the process of applying for the certificate of the target domain name by the certificate management center does not require the participation of the content provider at all, reducing the workload of the content provider.
  • the certificate management platform actively acquires the domain name information or operation information of the target domain name, and determines to enable the security acceleration service for the target domain name when the domain name information or operation information meets the security acceleration policy.
  • Step S11 may also be step S11b: the certificate management platform receives the detection result that the security acceleration service is enabled for the target domain name, and determines to enable the security acceleration service for the target domain name.
  • the configuration center in addition to storing the configuration information of the target domain name used to apply for the certificate, is also configured to store related data.
  • the customer of the CDN service platform (the content provider or the representative of the content provider) checks the option of enabling the security acceleration service for the target domain name through the configuration page, and the configuration data will be stored in the database of the configuration center.
  • the CDN manufacturer determines to enable the security acceleration service for the target domain name according to the network environment, and configures it through the management page, and the configured data will be stored in the database of the configuration center.
  • the configuration center can obtain the configuration data input by the customer of the above-mentioned CDN service platform, or the data set by the CDN manufacturer, and generate a detection result.
  • the detection result is used to instruct the security acceleration service to be enabled for the target domain name.
  • when the certificate management center receives from the configuration center the detection result that the security acceleration service is enabled for the target domain name, it can directly determine that the security acceleration service is enabled for the target domain name and execute step S12: apply for the certificate of the target domain name from the CA institution and deploy the certificate to the edge nodes.
  • security acceleration policies include but are not limited to:
  • the security acceleration service is enabled for domain names whose access times to the security acceleration service are greater than or equal to a preset threshold and/or domain names whose access trend to the security acceleration service of the target domain name becomes larger.
  • the security acceleration policy is formulated by the CDN manufacturer, and can be formulated according to the specific network environment, or according to the instruction information of the customer of the service platform (the content provider or the representative of the content provider). There can be one or more security acceleration policies. When there are multiple security acceleration policies, if any of the security acceleration policies meets the conditions, it can be determined to enable the security acceleration service for the target domain name.
  • when a CDN manufacturer formulates multiple security acceleration policies, it can also specify a priority for each one. For example, a sequence number can be assigned to each security acceleration policy and the order of the sequence numbers used as the priority order, so that a policy with a smaller sequence number has a higher priority than a policy with a larger sequence number.
  • For example, a CDN vendor has formulated two security acceleration policies and assigned priorities:
  • Policy 1: enable the security acceleration service for domain names that have accessed the security acceleration service 100 times or more.
  • Policy 2: enable the security acceleration service for domain names whose top-level domain name is GOV.
  • the target domain name is WWW.ABC.GOV
  • the number of accesses to the security acceleration service of HTTPS://WWW.ABC.GOV at the current moment is 55 times.
  • Because the priority of policy 1 is higher than that of policy 2, when judging whether to enable the security acceleration service for the target domain name, policy 1 is checked first: the queried number of accesses to the security acceleration service is 55, which is less than 100, so the condition of policy 1 is not satisfied. Policy 2 is then checked: the queried top-level domain name of the target domain name is GOV, so the condition of policy 2 is satisfied, and it is determined to enable the security acceleration service for the target domain name.
  • In another example, a CDN vendor has formulated two security acceleration policies and assigned priorities:
  • Policy 1: enable the security acceleration service for domain names whose top-level domain name is GOV.
  • Policy 2: enable the security acceleration service for domain names whose number of accesses to the security acceleration service is greater than or equal to the preset threshold.
  • the target domain name is WWW.ABC.GOV
  • the number of accesses to the HTTPS://WWW.ABC.GOV security acceleration service at the current moment is 55 times.
  • policy 1 Since the priority of policy 1 is higher than that of policy 2, when judging whether to enable the security acceleration service for the target domain name, first, according to policy 1, the top-level domain name of the query target domain name is GOV, and the conditions of policy 1 are met. Make sure to enable the security acceleration service for the target domain name. It is no longer necessary to query the number of accesses to the security acceleration service according to policy 2.
  • CDN manufacturers can formulate relevant security acceleration policies at the initial stage of providing services for target domain names, or formulate new security acceleration policies according to actual network environments or management decisions during the process of providing services for target domain names, or, for Adjust or delete the established security acceleration policies.
  • security acceleration policies can also be formulated.
  • Applying for the certificate of the target domain name from a CA institution and deploying the certificate of the target domain name to the edge node includes the following.
  • Before applying for the certificate of the target domain name, the certificate management platform generates the public key and private key of the target domain name.
  • The certificate management platform generates the corresponding public key and private key for the target domain name in order to apply for a domain name certificate for it.
  • The certificate management platform sends the public key and related information of the target domain name to the CA institution, and can then apply to the CA institution for the certificate of the target domain name.
  • The certificate management platform can receive the certificate of the target domain name directly from the CA institution, or it can receive the certificate from the CDN management device after the CA institution has provided the certificate of the target domain name to the CDN vendor.
  • After receiving the certificate of the target domain name issued by the CA institution, the certificate management platform stores the certificate locally and sends the certificate and private key of the target domain name to the edge node, so that the edge node starts the security acceleration service for the target domain name.
  • The certificate management platform can send the certificate and private key of the target domain name to all edge nodes in the system. This deploys the security acceleration service on every edge node in the system, so that any edge node can provide the security acceleration service for the target domain name.
  • Alternatively, only the edge nodes in a specified range can be set up to provide the security acceleration service for the target domain name.
  • The certificate management platform receives a certificate acquisition request for the domain name sent by an edge node, and sends the certificate and private key of the target domain name to that edge node.
  • In this way the certificate of the target domain name is only fed back to the edge node that sent the certificate acquisition request, and there is no need to deploy the certificate of the target domain name to all edge nodes, which reduces the workload and cost of deploying the security acceleration service.
  • After the edge node obtains the certificate and private key of the target domain name from the certificate management platform, it stores them on the node. After receiving a secure connection request for the target domain name from a client, the edge node sends the certificate of the target domain name to the client.
  • The certificate of the target domain name includes the public key of the target domain name, applicant information, the CA signature and other information.
  • The client thus holds the public key of the target domain name,
  • and the edge node holds the private key of the target domain name.
  • The two parties can then perform key negotiation and establish an encrypted secure connection, over which the edge node responds to the client's requests.
  • The certificate management platform obtains the configuration information of the target domain name and uses the public key and related information of the target domain name to apply for a domain name certificate for the target domain name.
  • The content provider only needs to provide the configuration information of the target domain name to the CDN vendor; when the target domain name needs to provide the security acceleration service, the CDN vendor's certificate management platform can apply for a domain name certificate for the target domain name, sparing the content provider the cumbersome process of applying for a domain name certificate.
  • The CDN vendor's certificate management platform can automatically deploy the certificate of the target domain name to the edge node, and the edge node provides the security acceleration service for the content provider's target domain name. Even if the content provider has not applied for a certificate for its website domain name, the CDN vendor can still provide the security acceleration service for it when providing CDN acceleration services, improving website security. Clients using browsers that enforce HTTPS or QUIC can also be served normally, further improving the content provider's service quality and the experience of visiting users.
  • The security acceleration service deployment method further includes:
  • A domain name certificate has a validity period. Within that period the certificate is trusted by the client browser, verified by the browser as valid, and used to establish a secure connection with the server holding the certificate. Once the certificate expires, the client browser can no longer establish a connection with the server holding it. Therefore the certificate management platform needs to manage the domain name certificate obtained from the CA institution, monitor its validity period, and apply for a new certificate for the target domain name within a preset period before the certificate expires.
  • The preset period may be 1 day, 2 days or another length, and may be determined according to how long applying for a domain name certificate takes.
  • Applying to the CA institution for a new certificate of the target domain name includes:
  • Within the preset period before the certificate of the target domain name expires, the certificate management platform can generate a new public key and a new private key for the target domain name, send the new public key and the related information of the target domain name to the CA institution, and apply to the CA institution for a new certificate of the domain name.
  • Because the domain name certificate is managed by the CDN vendor's certificate management platform, certificate renewal is completed by the CDN vendor independently, reducing the content provider's workload.
  • The security acceleration service deployment method further includes:
  • A revocation request is sent to the CA institution, so that the CA institution revokes the certificate of the target domain name.
  • For example, when the private key of the target domain name is lost, the server holding the certificate can no longer negotiate a key with the client or establish an HTTPS connection; or, when the private key generated by the CDN vendor for the target domain name leaks, the security of the website or the CDN system is threatened.
  • In such cases the certificate management platform can send a certificate revocation request to the CA institution at any time.
  • After the CA institution revokes the certificate of the target domain name, the certificate is no longer trusted; even if it is still within its validity period, it can no longer be used. This avoids the security risk to the website after the private key of the target domain name leaks.
  • Because the certificate management platform applies for the certificate of the target domain name, it is also responsible for managing that certificate, further reducing the content provider's work.
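The certificate lifecycle described above (key pair generation and certificate application, deployment of certificate plus private key to an edge node, renewal within a preset period before expiry with a freshly generated key, and revocation after a key loss or leak) as one runnable Go example. This is an added illustration, not code from the patent or from the applicant; the in-memory `CA` type, the `Apply`, `NeedsRenewal` and `ClientVerify` functions, the test root's name and the domain/owner values are all constructed for the example. The CA institution is modelled as a local self-signed root, and a revoked-serial set stands in for the CRL/OCSP that a real CA would publish.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA stands in for the CA institution: an in-memory root that signs CSRs and
// remembers the serial numbers it has revoked (a stand-in for CRL/OCSP).
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	serial  int64
	revoked map[string]bool
}

// NewCA builds a self-signed test root (constructed) valid for ten years from now.
func NewCA(now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Test Root CA (constructed)"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: key, serial: 1, revoked: map[string]bool{}}, err
}

// Issue checks the CSR's own signature (proof that the requester holds the
// private key) and signs a server certificate valid from now for the given period.
func (ca *CA) Issue(csrDER []byte, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now, NotAfter: now.Add(validity), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke makes the certificate untrusted even though it is still within its validity period.
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Apply is the platform's side: generate a fresh key pair for the domain, build a CSR
// from the configuration information (domain name, owner), and have the CA sign it.
// Calling it again is the renewal, so a renewed certificate always gets a new key.
func Apply(ca *CA, domain, owner string, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: domain, Organization: []string{owner}}, DNSNames: []string{domain}}, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Issue(csr, now, validity) // certificate plus key is what is pushed to the edge node
	return cert, key, err
}

// NeedsRenewal is the expiry monitor: true once now lies within the preset period
// (for example 1 or 2 days) before the certificate's NotAfter.
func NeedsRenewal(c *x509.Certificate, now time.Time, preset time.Duration) bool {
	return !now.Before(c.NotAfter.Add(-preset))
}

// ClientVerify is what a browser does with the certificate an edge node presents:
// chain it to a trusted root for the requested host at the current time, refusing it if revoked.
func ClientVerify(ca *CA, c *x509.Certificate, host string, now time.Time) error {
	if ca.revoked[c.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	ca, _ := NewCA(now)
	cert, _, err := Apply(ca, "www.example-a.test", "Company A (constructed)", now, 90*24*time.Hour)
	fmt.Println(err, cert.Subject, ClientVerify(ca, cert, "www.example-a.test", now.Add(time.Hour)))
}
```

The CSR signature check in `Issue` is the step that ties the certificate to a key the platform actually holds; a real CA additionally validates control of the domain name before signing, which this local root does not model. The renewal window is computed from `NotAfter` alone, so the same check works regardless of how long the CA took to issue the previous certificate.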
  • Fig. 2 is a flowchart of a method for deploying a security acceleration service according to an exemplary embodiment.
  • The security acceleration service deployment method is applied to the configuration center and includes at least steps S21 and S22, described in detail as follows:
  • Step S21: receive instruction information for enabling the security acceleration service for the target domain name, and send the detection result of enabling the security acceleration service for the target domain name to the certificate management platform.
  • The certificate management center can obtain the content provider's configuration information for the target domain name from the configuration center, such as the content provider's company name and manager information.
  • The acquired configuration information of the target domain name may be used to configure the security acceleration service for the target domain name, and includes the domain name and information about its owner or manager.
  • The CDN vendor can provide customers with a configuration page, set up so that a customer can send instruction information to the CDN vendor at any time.
  • The configuration page is connected to the configuration center, and the information a customer enters through the configuration page can be stored in the configuration center's database.
  • The CDN vendor can also set up a management page for issuing instructions to the configuration center.
  • The configuration center receives instruction information for enabling the security acceleration service for the target domain name; for example, a customer of the CDN system (the content provider or its representative) checks the corresponding option on the platform provided by the configuration center to send the request to the configuration center.
  • The customer can also send the instruction information to the CDN vendor's management personnel by other means, who then enter it into the configuration center; or the CDN management personnel perform a security assessment of the target domain name, find that there may be a risk of network attack, decide to enable the security acceleration service for the target domain name, and send the instruction information to the configuration center through the management device.
  • The configuration center can obtain the data related to the instruction information from the detection database and generate the corresponding detection result, which instructs that the security acceleration service is to be enabled for the target domain name.
  • The configuration center sends the detection result of enabling the security acceleration service for the target domain name to the certificate management platform, notifying the certificate management platform to enable the security acceleration service for the target domain name.
  • Step S22: receive request information for acquiring the configuration information of the target domain name from the certificate management platform, and send the configuration information of the target domain name to the certificate management platform.
  • When the certificate management platform determines according to the security acceleration policy that the security acceleration service is to be enabled for the target domain name, or receives from the configuration center the detection result that the security acceleration service is enabled for the target domain name, it sends a request to the configuration center to obtain the configuration information of the target domain name, so that the configuration information can be used to apply for a certificate from the CA institution.
  • When the configuration center receives the request from the certificate management platform for the configuration information of the target domain name, it sends the configuration information to the certificate management platform.
  • After the configuration center determines that the security acceleration service needs to be enabled for the target domain name, it sends the configuration information of the target domain name to the certificate management platform, so that the certificate management platform applies for a domain name certificate from the CA institution.
  • The configuration center is configured to manage the configuration information of the target domain name and to provide it to the certificate management platform when the platform needs to apply for a certificate for the target domain name, so as to prevent leakage of configuration information.
  • The configuration center is also configured to receive instruction information from the customer or the CDN management platform and to provide the detection result related to that instruction information to the certificate management platform, so that the certificate management platform determines to enable the security acceleration service for the target domain name and applies for the certificate of the target domain name.
  • The certificate management platform does not receive external information, which ensures the security of the certificate.
  • Companies A and B are content providers whose website domain names are domain name A and domain name B respectively.
  • These companies are not sensitive to the security of their website content and only provide HTTP services to their users.
  • A user can only obtain the response content by sending an HTTP request to the website; if a request in HTTPS format is sent, the website disconnects from the client. For example, a user accessing the file 1.jpg on company A's website obtains the file by opening HTTP://A/1.jpg in the browser, but if the user enters HTTPS://A/1.jpg, the requested content cannot be obtained.
  • Companies A and B accelerate their website content through the CDN network and provide the domain name configuration information to the CDN vendor in advance, such as the website domain name, the content provider's company name and administrator information. This allows the CDN vendor to apply for domain name certificates independently once it determines to provide the security acceleration service for a domain name.
  • The CDN vendor stores the configuration information of domain name A and domain name B in the configuration center.
  • The CDN vendor formulates the following security acceleration policies:
  • Policy 1: enable the security acceleration service for domain names whose accesses to the security acceleration service number 100 or more.
  • Policy 2: provide the security acceleration service for domain names of the financial business type.
  • Policy 2 has a higher priority than policy 1.
  • The certificate management platform first judges whether domain names A and B are of the financial business type. If the domain name information of domain name A and domain name B does not meet the preset security acceleration policy, the security acceleration service is not enabled for them on that basis.
  • The certificate management platform then obtains the operation data of domain name A and domain name B.
  • In the operation data of domain name A, the number of accesses to the security acceleration service HTTPS://A is greater than 100, so the condition of policy 1 is met and the certificate management platform determines that the security acceleration service is enabled for domain name A.
  • The certificate management platform sends a request for the configuration information of domain name A to the configuration center and receives the configuration information of domain name A fed back by the configuration center. The certificate management platform then starts to apply for the certificate of domain name A from the CA institution.
  • The certificate management platform generates a public key and a private key for domain name A, and sends the public key of domain name A and the configuration information of domain name A to the CA institution to apply for a domain name certificate for domain name A.
  • The number of accesses to the security acceleration service HTTPS://B is less than 100, so domain name B does not meet the condition of policy 1.
  • The certificate management platform determines not to enable the security acceleration service for domain name B.
  • Company B decides, based on the operation of its website, that the security acceleration service needs to be enabled for domain name B. After logging in to the configuration page provided by the CDN vendor and checking the option to enable the security acceleration service for domain name B, it submits the instruction information. After the configuration center detects the corresponding data, it sends the detection result to the certificate management platform; the detection result indicates that the security acceleration service is enabled for domain name B. On receiving this detection result, the certificate management platform determines to enable the security acceleration service for domain name B. It sends a request for the configuration information of domain name B to the configuration center, receives the configuration information of domain name B fed back by the configuration center, and then starts to apply for the certificate of domain name B from the CA institution.
  • After obtaining the configuration information of domain name B, the configuration center synchronizes the domain name and the related owner or manager information to the certificate management platform.
  • The certificate management platform generates a public key and a private key for domain name B, and sends the public key of domain name B and the configuration information of domain name B to the CA institution to apply for a domain name certificate for domain name B.
  • The security acceleration service deployment method provided by the present disclosure allows the CDN vendor's certificate management platform to provide the security acceleration service automatically for the content provider's domain name according to the security acceleration policy, without requiring the content provider to go through the cumbersome certificate application.
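The prioritised policy evaluation from the WWW.ABC.GOV examples earlier on the page and the company A / company B walkthrough just above, as one runnable Go example. This is an added illustration, not code from the patent or the applicant; the `Policy`, `Decision`, `Decide` and `EnableService` names, the policy constructors and the sample counts are constructed for the example. It goes slightly beyond the page's cases by sorting policies by sequence number regardless of the order they are supplied in, and by reporting how many policies were consulted, which makes the early stop after the first match visible.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DomainInfo is the domain name information a policy can inspect: the top-level
// domain is derived from Name, Business is the business type (e.g. "finance").
type DomainInfo struct {
	Name     string
	Business string
}

// OperationInfo is the operation information: how many times clients have tried
// to reach the HTTPS (security acceleration) service of the domain so far.
type OperationInfo struct {
	HTTPSAccesses int
}

// Policy is one security acceleration policy. Seq is the sequence number the CDN
// vendor assigns; it doubles as the priority, a smaller number ranking higher.
type Policy struct {
	Seq   int
	Name  string
	Match func(DomainInfo, OperationInfo) bool
}

// Decision records whether the service is enabled, which rule decided it, and
// how many policies were consulted before the walk stopped.
type Decision struct {
	Enable    bool
	DecidedBy string
	Evaluated int
}

func topLevelDomain(name string) string {
	labels := strings.Split(strings.ToUpper(strings.TrimSuffix(name, ".")), ".")
	return labels[len(labels)-1]
}

// TLDPolicy matches domains under the given top-level domain (e.g. "GOV").
func TLDPolicy(seq int, tld string) Policy {
	return Policy{Seq: seq, Name: "tld=" + tld, Match: func(d DomainInfo, _ OperationInfo) bool {
		return topLevelDomain(d.Name) == strings.ToUpper(tld)
	}}
}

// BusinessPolicy matches domains of the given business type.
func BusinessPolicy(seq int, business string) Policy {
	return Policy{Seq: seq, Name: "business=" + business, Match: func(d DomainInfo, _ OperationInfo) bool {
		return strings.EqualFold(d.Business, business)
	}}
}

// ThresholdPolicy matches once HTTPS accesses reach the preset threshold.
func ThresholdPolicy(seq int, threshold int) Policy {
	return Policy{Seq: seq, Name: fmt.Sprintf("accesses>=%d", threshold), Match: func(_ DomainInfo, o OperationInfo) bool {
		return o.HTTPSAccesses >= threshold
	}}
}

// Decide walks the policies from highest to lowest priority and stops at the
// first one that is satisfied; if none is, the service stays disabled.
func Decide(policies []Policy, d DomainInfo, o OperationInfo) Decision {
	ordered := append([]Policy(nil), policies...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Seq < ordered[j].Seq })
	var dec Decision
	for _, p := range ordered {
		dec.Evaluated++
		if p.Match(d, o) {
			dec.Enable, dec.DecidedBy = true, p.Name
			return dec
		}
	}
	return dec
}

// EnableService is the platform's complete rule: a positive detection result
// from the configuration center (customer instruction or CDN staff decision)
// enables the service directly; otherwise the policies decide.
func EnableService(policies []Policy, d DomainInfo, o OperationInfo, detected bool) Decision {
	if detected {
		return Decision{Enable: true, DecidedBy: "detection result"}
	}
	return Decide(policies, d, o)
}

func main() {
	gov := DomainInfo{Name: "WWW.ABC.GOV"}
	fiftyFive := OperationInfo{HTTPSAccesses: 55} // constructed current access count
	// Threshold policy first, GOV policy second: policy 1 fails, policy 2 enables.
	fmt.Println(Decide([]Policy{ThresholdPolicy(1, 100), TLDPolicy(2, "GOV")}, gov, fiftyFive))
	// Priorities swapped: policy 1 enables and policy 2 is never consulted.
	fmt.Println(Decide([]Policy{TLDPolicy(1, "GOV"), ThresholdPolicy(2, 100)}, gov, fiftyFive))
	// Domain B from the walkthrough: no policy matches, then the instruction enables it.
	pols := []Policy{ThresholdPolicy(2, 100), BusinessPolicy(1, "finance")}
	fmt.Println(EnableService(pols, DomainInfo{Name: "B"}, fiftyFive, false), EnableService(pols, DomainInfo{Name: "B"}, fiftyFive, true))
}
```

Because the walk stops at the first satisfied policy, a policy that needs a lookup (the access-count query) is cheapest to place after policies that can be answered from the domain information alone, which is the ordering the page's second example arrives at.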
  • Fig. 3 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • The security acceleration service deployment device is applied to a certificate management platform and includes a security acceleration service enabling module 301 and a certificate management module 302.
  • The security acceleration service enabling module 301 is configured to determine that the security acceleration service is enabled for the target domain name when the domain name information or operation information of the target domain name meets the security acceleration policy, or when the detection result that the security acceleration service is enabled for the target domain name is received.
  • The certificate management module 302 is configured to apply for the certificate of the target domain name from a CA institution and deploy the certificate of the target domain name to the edge node.
  • Fig. 4 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • The security acceleration service deployment device further includes a configuration information request module 401.
  • The configuration information request module 401 is configured to send request information for obtaining the configuration information of the target domain name to the configuration center, and to receive the configuration information of the target domain name.
  • Fig. 5 is a block diagram of an apparatus for deploying a security acceleration service according to an exemplary embodiment.
  • The security acceleration service deployment device is applied to a configuration center and includes an information management module 501 and a configuration information sending module 502.
  • The information management module 501 is configured to receive instruction information for enabling the security acceleration service for the target domain name, and to send the detection result of enabling the security acceleration service for the target domain name to the certificate management platform.
  • The configuration information sending module 502 is configured to send the configuration information to the certificate management platform.
  • Fig. 6 is a block diagram of a computer device 600 for deploying a security acceleration service according to an exemplary embodiment.
  • The computer device 600 may be provided as a server.
  • The computer device 600 includes a processor 601; the number of processors can be one or more as required.
  • The computer device 600 also includes a memory 602 configured to store instructions executable by the processor 601, such as application programs. The number of memories can be one or more as required, and each can store one or more applications.
  • The processor 601 is configured to execute the instructions so as to perform the security acceleration service deployment method described above.
  • The embodiments of the present disclosure may be provided as a method, an apparatus (device), or a computer program product. Accordingly, the present disclosure can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology arranged to store information such as computer-readable instructions, data structures, program modules or other data, including but not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that realize the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • HTTPS or QUIC security acceleration can be implemented automatically for a content provider's website that only provides HTTP services to its users, without requiring the content provider to apply for a domain name certificate or to manage and update the certificate, which speeds up the deployment of the security acceleration service for the content provider's domain name. After the content provider has HTTP services deployed with the certificate management platform, the certificate management platform uses the security acceleration policy to decide whether to provide the security acceleration service and, if necessary, applies for a certificate from the CA institution on its own; this process needs no participation by the content provider and is completely transparent to it.


Abstract

The present disclosure relates to a deployment method and apparatus for a secure acceleration service, and a medium and a device. The deployment method for a secure acceleration service is applied to a certificate management platform, and comprises: when domain name information or operation information of a target domain name meets a secure acceleration policy, or when a detection result of a secure acceleration service being started for a target domain name is received, determining to start the secure acceleration service for the target domain name (S11); and applying for a certificate of the target domain name from a CA, and deploying the certificate of the target domain name on an edge node (S12).

Description

Security Acceleration Service Deployment Method, Device, Medium and Equipment
This disclosure is based on the Chinese patent application with application number 202110645788.1, titled "Security Acceleration Service Deployment Method, Device, Medium and Equipment", submitted to the China Patent Office on June 9, 2021, and claims priority to that Chinese patent application, the entire content of which is hereby incorporated by reference into this disclosure.
Technical field
Embodiments of the present disclosure relate to, but are not limited to, a security acceleration service deployment method, device, medium and equipment.
Background technique
Security protocols such as HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) are widely used. If website content is served over a security protocol to provide a secure connection and encrypt the access data, the SSL (Secure Sockets Layer) certificate of the domain name must first be applied for and then deployed, and during use the SSL certificate must also be managed, which increases the content provider's workload. If the content provider's website does not provide a secure connection service, then, since there is no certificate for the domain name, the CDN (Content Delivery Network) vendor cannot provide a security acceleration service when it provides acceleration services for the website. When the client browser enables mandatory HTTPS access for the domain name and forcibly converts requests in HTTP (Hyper Text Transfer Protocol) format into HTTPS format, the client cannot obtain the requested content from the CDN network.
Existing technical solutions cannot automatically implement a security acceleration service, according to the actual network environment or actual needs, for the domain name of a content provider that only provides HTTP services.
Contents of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
In order to overcome the problems existing in the related art, the present disclosure provides a security acceleration service deployment method, device, medium and equipment.
According to a first aspect of the present disclosure, a security acceleration service deployment method is provided, applied to a certificate management platform, including:
when the domain name information or operation information of the target domain name satisfies the security acceleration policy, or when the detection result of enabling the security acceleration service for the target domain name is received, determining to enable the security acceleration service for the target domain name;
applying to a CA institution for the certificate of the target domain name, and deploying the certificate of the target domain name to an edge node;
wherein the domain name information includes at least one of a top-level domain type and a business type, and the operation information includes at least one of the historical number of accesses to the security acceleration service of the target domain name and the access trend of the security acceleration service of the target domain name.
在一些示例性的实施例中,所述安全加速服务部署方法还包括:In some exemplary embodiments, the security acceleration service deployment method further includes:
获取安全加速策略;Obtain security acceleration policy;
判断目标域名的域名信息或运营信息是否满足安全加速策略;或者,接收到边缘节点发送的目标域名的证书获取请求后,判断目标域名的域名信息或运营信息是否满足所述安全加速策略。Judging whether the domain name information or operation information of the target domain name satisfies the security acceleration policy; or, after receiving the certificate acquisition request of the target domain name sent by the edge node, determining whether the domain name information or operation information of the target domain name satisfies the security acceleration policy.
在一些示例性的实施例中,所述安全加速策略包括:In some exemplary embodiments, the security acceleration policy includes:
为预设顶级域类型和/或预设业务类型的域名提供安全加速服务;或者,Provide security acceleration services for domain names of preset top-level domain types and/or preset business types; or,
为访问安全加速服务的次数大于等于预设阈值的域名和/或访问目标域名的安全加速服务的访问趋势变大的域名开启安全加速服务。The security acceleration service is enabled for domain names whose access times to the security acceleration service are greater than or equal to a preset threshold and/or domain names whose access trend to the security acceleration service of the target domain name becomes larger.
In some exemplary embodiments, after determining that the security acceleration service is enabled for the target domain name, the security acceleration service deployment method further includes:
sending request information for obtaining the configuration information of the target domain name to a configuration center, and receiving the configuration information of the target domain name.
In some exemplary embodiments, applying to the CA for the certificate for the target domain name and deploying the certificate for the target domain name to the edge node includes:
generating a public key and a private key for the target domain name;
sending the public key and the configuration information to the CA;
receiving the certificate for the target domain name issued by the CA;
sending the certificate and the private key for the target domain name to the edge node, so that the edge node can provide the security acceleration service for the target domain name.
In some exemplary embodiments, after obtaining the certificate for the target domain name issued by the CA, the security acceleration service deployment method further includes:
within a preset period before the expiry time of the certificate for the target domain name, applying to the CA for a new certificate for the target domain name.
In some exemplary embodiments, applying to the CA for a new certificate for the target domain name includes:
regenerating a new public key and a new private key for the target domain name;
sending the new public key and the configuration information of the target domain name to the CA, to apply to the CA for a certificate for the target domain name.
In some exemplary embodiments, after obtaining the certificate for the target domain name issued by the CA, the security acceleration service deployment method further includes:
if the certificate for the target domain name presents a security risk, sending a revocation request to the CA.
In some exemplary embodiments, the security acceleration service includes an HTTPS acceleration service or a QUIC acceleration service.
According to a second aspect of the present disclosure, a security acceleration service deployment method applied to a configuration center is provided, including:
receiving instruction information for enabling the security acceleration service for the target domain name, and sending a detection result indicating that the security acceleration service is to be enabled for the target domain name to a certificate management platform;
receiving, from the certificate management platform, request information for obtaining the configuration information of the target domain name, and sending the configuration information of the target domain name to the certificate management platform.
In some exemplary embodiments, the configuration information of the target domain name is used to configure the security acceleration service for the target domain name and includes the domain name and information about the owner or administrator of the domain name.
According to a third aspect of the present disclosure, a security acceleration service deployment apparatus applied to a certificate management platform is provided, including:
a security acceleration service enabling module, configured to determine that the security acceleration service is enabled for the target domain name when the domain name information or operation information of the target domain name satisfies the security acceleration policy, or when a detection result indicating that the security acceleration service is to be enabled for the target domain name is received;
a certificate management module, configured to apply to the CA for the certificate for the target domain name and deploy the certificate for the target domain name to the edge node.
In some exemplary embodiments, the security acceleration service deployment apparatus further includes:
a configuration information request module, configured to send request information for obtaining the configuration information of the target domain name to the configuration center and to receive the configuration information of the target domain name.
According to a fourth aspect of the present disclosure, a security acceleration service deployment apparatus applied to a configuration center is provided, including:
an information management module, configured to receive instruction information for enabling the security acceleration service for the target domain name and to send a detection result indicating that the security acceleration service is to be enabled for the target domain name to the certificate management platform;
a configuration information sending module, configured to send the configuration information to the certificate management platform.
According to a fifth aspect of the present disclosure, a computer-readable storage medium is provided on which a computer program is stored; when the computer program is executed, the steps of the security acceleration service deployment method are carried out.
According to a sixth aspect of the present disclosure, a computer device is provided, including a processor, a memory and a computer program stored in the memory; when the processor executes the computer program, the steps of the security acceleration service deployment method are carried out.
Through the security acceleration service deployment method, the present disclosure can automatically provide HTTPS or QUIC security acceleration for the website of a content provider that offers only HTTP service to its users. The content provider does not need to apply for a certificate for its domain name, nor manage or renew the certificate, which speeds up the deployment of the security acceleration service for the content provider's domain name.
Once the content provider's HTTP service has been set up on the certificate management platform, the certificate management platform decides, according to the security acceleration policy, whether the security acceleration service is needed; if so, the certificate management platform applies to the CA for the certificate on its own. This process requires no participation by the content provider and is fully transparent to it.
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present disclosure. Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Description of the drawings
The accompanying drawings, which form part of the present disclosure, provide a further understanding of it; the exemplary embodiments of the present disclosure and their descriptions serve to explain the present disclosure and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of a security acceleration service deployment method according to an exemplary embodiment.
Fig. 2 is a flowchart of a security acceleration service deployment method according to an exemplary embodiment.
Fig. 3 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment.
Fig. 4 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment.
Fig. 5 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment.
Fig. 6 is a block diagram of a computer device according to an exemplary embodiment.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure. Note that, where there is no conflict, the embodiments of the present disclosure and the features in the embodiments may be combined with one another arbitrarily.
With the development of networks, a variety of transmission protocols designed for security have appeared, for example:
HTTPS, also called HTTP over TLS, communicates using HTTP but uses TLS/SSL to encrypt the packets exchanged. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication; TLS and SSL encrypt the network connection between the transport layer and the application layer. HTTPS is today an important means of ensuring website authenticity and protecting user privacy and information security on the Internet.
When a security protocol is used to provide a secure service, the server needs to have the certificate for the target domain name deployed so that clients can authenticate it.
However, a large number of websites still serve over plain protocols (for example HTTP), because the content providers are not sensitive to the security of the website's resources. When a CDN vendor provides acceleration for such a website, the content provider has not given the CDN vendor a certificate for the website's domain name, so the vendor's CDN edge nodes cannot present a certificate for that domain name to clients, and the CDN cannot provide an acceleration service over a security protocol. The present disclosure calls an acceleration service that the CDN system provides to users over a security protocol a security acceleration service. In addition, when a client browser enforces HTTPS for a domain name, it rewrites the HTTP request the user entered into an HTTPS request. When an edge node receives such an HTTPS request, and the request is for the content of a website that offers only HTTP service to its users, the edge node has no certificate for that website's domain name; it cannot establish an encrypted connection with the client and cannot return the correct content for the client's HTTPS request.
On the other hand, if a content provider wants the CDN vendor to provide a secure acceleration service over HTTPS or QUIC as part of the CDN acceleration service, the content provider has to supply the SSL certificate for the website's domain name to the CDN vendor. Taking HTTPS as the security acceleration service as an example, the process is roughly as follows: the content provider creates the server public key and private key for the domain name, then submits the public key together with personal or organizational information to a CA (certificate authority) to apply for certification; after the CA's review of the information passes, the CA generates a digital certificate containing the applicant's public key, the applicant's information, the CA's signature and other information; on receiving the digital certificate, the content provider sends it to the CDN vendor, which is responsible for deploying the certificate to the edge nodes. When a client's HTTPS request reaches a CDN edge node, the edge node sends the certificate to the client; once the client has verified the certificate, key negotiation takes place and the HTTPS request can then be processed. Evidently, to offer HTTPS the content provider has to go through a tedious process.
To solve the problems of the traditional technique, the present disclosure provides a security acceleration service deployment method.
Fig. 1 shows a flowchart of a security acceleration service deployment method according to an exemplary embodiment of the present disclosure. Referring to Fig. 1, the method is applied to a certificate management platform and includes at least steps S11 and S12, described in detail as follows:
Step S11 may be step S11a: when the domain name information or operation information of the target domain name satisfies the security acceleration policy, determining that the security acceleration service is enabled for the target domain name.
The certificate management platform is set up by the CDN vendor and is configured to manage the certificates of the domain names it serves. It may be a dedicated device or a general-purpose server on which software or code for certificate management is installed.
The certificate management platform can judge whether the domain name information or operation information of the target domain name satisfies the security acceleration policy preset on the platform; if it does, the platform determines that the security acceleration service is enabled for the target domain name.
The domain name information includes at least one of a top-level domain type and a business type.
In an exemplary embodiment, the security acceleration policy includes, but is not limited to:
providing the security acceleration service for domain names of a preset top-level domain type and/or a preset business type.
For example, if the target domain name is WWW.ABC.GOV and the security acceleration policy is to provide acceleration for domain names whose top-level domain type is GOV, then the top-level domain type in the target domain name's information satisfies the policy, and the certificate management platform determines to enable the security acceleration service for WWW.ABC.GOV. Alternatively, the business type of the domain name may be determined from the second-level label ABC of the target domain name; for example, if the business type corresponding to the domain name is finance and the policy is to provide acceleration for domain names of the finance business type, the security acceleration service is enabled for the target domain name. In practice, the decision may also combine whether the top-level domain type and the business type corresponding to the second-level domain name satisfy the acceleration policy. Domain name information includes, but is not limited to, the top-level domain type and the business type.
The operation information includes at least one of the historical number of accesses to the security acceleration service of the target domain name and the trend of accesses to the security acceleration service of the target domain name.
In an exemplary embodiment, the security acceleration policy includes: enabling the security acceleration service for domain names whose number of accesses to the security acceleration service is greater than or equal to a preset threshold and/or domain names whose trend of accesses to the security acceleration service is increasing.
For example, the security acceleration policy is to enable the security acceleration service for domain names that have been accessed through the security acceleration service 100 or more times. For the target domain name WWW.B.COM, the certificate management platform queries the management device of the CDN system and obtains the operation log of the target domain name; if the edge nodes of the CDN system have received more than 100 requests for HTTPS://WWW.B.COM, the security acceleration service is enabled for the target domain name. As another example, the policy is to enable the security acceleration service for domain names whose trend of accesses to the security acceleration service is increasing. By querying the operation log of the target domain name it is found that the edge nodes of the CDN system have received 80 requests for HTTPS://WWW.B.COM, but the request counts on three consecutive days were 10, 13 and 17, showing that accesses to the HTTPS security acceleration service of the target domain name are trending upward, so the security acceleration service is enabled for WWW.B.COM. The access trend may also be determined from the share of accesses to the security acceleration service in the total number of accesses over consecutive periods. For example, over three consecutive days, the total number of accesses to WWW.B.COM on the first day was 1000, of which HTTPS accesses made up 1%; on the second day the total was 1580, of which HTTPS accesses made up 1.5%; and on the third day the total was 1050, of which HTTPS accesses made up 2%. This shows that accesses to the HTTPS security acceleration service of the target domain name are trending upward, and the security acceleration service is enabled for WWW.B.COM.
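The policy evaluation summarized in the first aspect (preset top-level domain or business type; HTTPS access count at or above a threshold; a rising access trend) and worked through with the figures above can be written as a single decision function. The following Go program is an added example and is not code from the patent; the struct layout, the rule labels such as "https-share-trend", the three-day window and the threshold of 100 are assumptions chosen to mirror the text, and the per-day log counts are constructed, not real CDN data. It generalizes the text slightly by treating both the raw HTTPS count and the HTTPS share as trend series and by returning which rule fired, so that each automatic certificate request can be traced back to the rule that caused it.

```go
package main

import (
	"fmt"
	"strings"
)

// DailyStats is one day of edge-node access counts for a domain from the CDN
// operation log: every request, and the subset that arrived over HTTPS.
type DailyStats struct {
	Total int
	HTTPS int
}

// Policy holds the two kinds of rule the text describes: rules on domain
// information (top-level domain, business type) and rules on operation
// information (HTTPS request count threshold, rising HTTPS trend).
type Policy struct {
	TLDs          map[string]bool // top-level domains to accelerate, e.g. "gov"
	BusinessTypes map[string]bool // business types to accelerate, e.g. "finance"
	MinHTTPS      int             // threshold on HTTPS requests seen in the log window
	TrendDays     int             // consecutive days that must strictly increase
}

// tld returns the lower-cased last label of a host name ("WWW.ABC.GOV" -> "gov").
func tld(name string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	return labels[len(labels)-1]
}

// rising reports whether the last n values are strictly increasing.
func rising(vals []float64, n int) bool {
	if n < 2 || len(vals) < n {
		return false
	}
	tail := vals[len(vals)-n:]
	for i := 1; i < len(tail); i++ {
		if tail[i] <= tail[i-1] {
			return false
		}
	}
	return true
}

// Evaluate decides whether the certificate management platform should enable
// the security acceleration service for name. It returns the decision and the
// rule that fired, so every automatic certificate request can be audited.
func Evaluate(p Policy, name, business string, days []DailyStats) (bool, string) {
	// Rules on domain information.
	if p.TLDs[tld(name)] {
		return true, "tld"
	}
	if p.BusinessTypes[strings.ToLower(business)] {
		return true, "business-type"
	}
	// Rules on operation information: absolute count, then the two trend series.
	total := 0
	var counts, shares []float64
	for _, d := range days {
		total += d.HTTPS
		counts = append(counts, float64(d.HTTPS))
		if d.Total > 0 {
			shares = append(shares, float64(d.HTTPS)/float64(d.Total))
		}
	}
	if p.MinHTTPS > 0 && total >= p.MinHTTPS {
		return true, "https-count"
	}
	if rising(counts, p.TrendDays) {
		return true, "https-count-trend"
	}
	if rising(shares, p.TrendDays) {
		return true, "https-share-trend"
	}
	return false, ""
}

func main() {
	p := Policy{TLDs: map[string]bool{"gov": true}, BusinessTypes: map[string]bool{"finance": true},
		MinHTTPS: 100, TrendDays: 3}
	// Constructed log figures mirroring the 10 / 13 / 17 example in the text.
	ok, why := Evaluate(p, "WWW.B.COM", "", []DailyStats{{400, 10}, {420, 13}, {450, 17}})
	fmt.Println(ok, why) // true https-count-trend
}
```

Evaluate deliberately checks the cheap domain-information rules first and only then walks the log; a domain that fails every rule returns an empty rule label, which is the value the platform should log when it declines to request a certificate.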
In an exemplary embodiment, the security acceleration service deployment method further includes:
obtaining the security acceleration policy. The certificate management platform may obtain a security acceleration policy that an administrator has configured on the CDN management device, or a security acceleration policy that an administrator has configured directly on the certificate management platform.
judging whether the domain name information or operation information of the target domain name satisfies the security acceleration policy.
Once the certificate management platform has obtained the security acceleration policy and confirmed that it is fully configured, the platform starts the mechanism for judging whether the domain name information or operation information of the target domain name satisfies the policy, so that it can decide promptly whether to enable the security acceleration service for the target domain name.
In an exemplary embodiment, the security acceleration service deployment method further includes:
obtaining the security acceleration policy;
after receiving a certificate acquisition request for the target domain name sent by the edge node, judging whether the domain name information or operation information of the target domain name satisfies the security acceleration policy.
In this variant, once the certificate management platform has obtained the security acceleration policy and confirmed that the policy for the target domain name is fully configured, it does not yet start judging whether the domain name information or operation information satisfies the policy. Instead it waits until an edge node has received a secure connection request from a user and has sent a certificate acquisition request for the target domain name to the platform, and only then starts judging whether the target domain name's domain name information or operation information satisfies the policy. This reduces redundant operations for which there is no actual access demand and avoids wasting certificate application resources.
In an exemplary embodiment, after it has been determined, because the domain name information of the target domain name satisfies the security acceleration policy, that the security acceleration service is enabled for the target domain name, the security acceleration service deployment method further includes:
sending request information for obtaining the configuration information of the target domain name to the configuration center, and receiving the configuration information of the target domain name.
The configuration information includes the domain name and information about the owner or administrator of the domain name. It is the information required to apply for a certificate for the target domain name, and is used to apply for that certificate and to enable the security acceleration service for the target domain name.
A content provider provides network content and has its own website domain name for Internet users to visit. The content provider may use a CDN vendor's CDN network to accelerate the website. The CDN vendor can obtain in advance the content provider's domain name, information about the domain name's owner or administrator, and similar details, in order to configure the CDN network, for example by assigning edge servers to provide HTTP acceleration for the content provider's domain name. As another example, if the content provider has decided in advance to use HTTPS and has already applied for a certificate for the domain name, it must provide the domain name and its certificate to the CDN vendor before the CDN network provides acceleration, and the CDN vendor deploys the certificate to the edge nodes. An edge node on which the certificate for the target domain name is deployed can, on receiving an HTTPS request for the target domain name, present the certificate to the client and, once the client has verified the certificate, establish an HTTPS connection with the client. If the content provider does not itself offer HTTPS, or has not applied for a certificate for the domain name to provide to the CDN vendor, the CDN vendor may, according to the actual network environment or on receiving an instruction from the content provider to provide HTTPS for the target domain name, obtain in advance or on demand the configuration information the content provider supplied when the HTTP acceleration service for the target domain name was configured, so that when acceleration needs to be provided for the target domain name, the certificate management platform can apply for the certificate on the content provider's behalf and provide the security acceleration service for the target domain name.
The CDN vendor may store the obtained configuration information of the target domain name in the configuration center.
After the certificate management platform has determined to enable the security acceleration service for the target domain name, in order to apply to the CA for the certificate for the target domain name it may request the configuration information of the target domain name from the configuration center; only after receiving that configuration information can the certificate management platform send the application to the CA.
In an exemplary embodiment, the security acceleration service includes, but is not limited to, an HTTPS acceleration service or a QUIC acceleration service.
The security acceleration service may be an HTTPS acceleration service or a QUIC acceleration service. QUIC (Quick UDP Internet Connection) is a low-latency, UDP-based Internet transport-layer protocol designed by Google (the transport-layer protocols being TCP and UDP). QUIC combines features of TCP, TLS, HTTP/2 and other protocols, but is carried over UDP, and is a fast and secure transport protocol.
Besides acceleration over the security protocols above, the security acceleration service may use other protocols: the security acceleration service of the present disclosure applies to any scenario in which the server must present a certificate during authentication. Once the CDN vendor has determined to provide the security acceleration service for the target domain name, the certificate management platform applies for a certificate for the target domain name and deploys it to the edge nodes, thereby providing the security acceleration service for the target domain name.
In step S12, the platform applies to the CA for the certificate for the target domain name and deploys the certificate for the target domain name to the edge node.
After the certificate management platform has determined to enable the security acceleration service for the target domain name, it applies to the CA for the certificate for the target domain name on its own initiative and deploys the certificate to the edge node. An edge node on which the certificate for the target domain name is deployed can, on receiving a client's secure connection request for the target domain name, return the certificate to the client for authentication and, once authentication passes, establish an encrypted, secure connection with the client, improving the security of the data content. For a website domain name that does not support a security protocol, for example a website that offers only HTTP service to its users, the CDN system can decide according to the preset security acceleration policy and, when the policy's conditions are met, provide the security acceleration service for the content of that HTTP-only website. The certificate management platform's application for the certificate for the target domain name requires no participation by the content provider at all, reducing the content provider's workload.
In this exemplary embodiment, the certificate management platform actively obtains the domain name information or operation information of the target domain name and, when that information satisfies the security acceleration policy, determines that the security acceleration service is enabled for the target domain name.
In an exemplary embodiment, step S11 may be step S11b: in step S11b, the certificate management platform receives a detection result indicating that the security acceleration service is to be enabled for the target domain name, and determines that the security acceleration service is enabled for the target domain name.
In this exemplary embodiment, besides storing the configuration information of the target domain name used to apply for the certificate, the configuration center is also configured to store related data. For example, a customer of the CDN service platform (the content provider or its representative) ticks the option to enable the security acceleration service for the target domain name on a configuration page, and the configuration data is stored in the configuration center's database. Alternatively, the CDN vendor, according to the network environment, decides to enable the security acceleration service for the target domain name and sets this through a management page; the data so set is stored in the configuration center's database. By monitoring the data in the database, the configuration center obtains the configuration data entered by the customer of the CDN service platform, or the data set by the CDN vendor, and generates a detection result indicating that the security acceleration service is to be enabled for the target domain name. When the certificate management platform receives from the configuration center the detection result that the security acceleration service is to be enabled for the target domain name, it can directly determine that the security acceleration service is enabled for the target domain name and proceed to step S12: applying to the CA for the certificate for the target domain name and deploying the certificate for the target domain name to the edge node.
In an exemplary embodiment, the secure acceleration policies include, but are not limited to:
providing secure acceleration for domain names of a preset top-level-domain type and/or a preset business type; or
enabling secure acceleration for domain names whose number of accesses to the secure acceleration service is greater than or equal to a preset threshold and/or whose accesses to the secure acceleration service show a rising trend.
The secure acceleration policy is set by the CDN vendor, either according to the specific network environment or according to instructions from the service platform's customer (the content provider or its representative). There may be one policy or several; when there are several, the service is enabled for the target domain name as soon as the conditions of any one of them are met.
When the CDN vendor has set several policies, each can also be given a priority. For example, each policy is assigned a sequence number, the order of the sequence numbers defines the priority order, and a policy with a smaller number takes precedence over one with a larger number.
For example, the CDN vendor sets two policies and assigns priorities.
Policy 1: enable secure acceleration for domain names with 100 or more accesses to the secure acceleration service.
Policy 2: enable secure acceleration for domain names whose top-level domain is GOV.
Suppose the target domain name is WWW.ABC.GOV and the number of accesses to the secure acceleration service at HTTPS://WWW.ABC.GOV so far is 55.
Because policy 1 has the higher priority, policy 1 is checked first: the access count is 55, below 100, so policy 1's condition is not met. Policy 2 is checked next: the target domain name's top-level domain is GOV, so policy 2's condition is met, and secure acceleration is enabled for the target domain name.
As another example, the CDN vendor sets two policies and assigns priorities.
Policy 1: enable secure acceleration for domain names whose top-level domain is GOV.
Policy 2: enable secure acceleration for domain names whose number of accesses to the secure acceleration service is greater than or equal to the preset threshold.
Suppose the target domain name is WWW.ABC.GOV and the number of accesses to the secure acceleration service at HTTPS://WWW.ABC.GOV so far is 55.
Because policy 1 has the higher priority, it is checked first: the target domain name's top-level domain is GOV, the condition is met, and secure acceleration is enabled for the target domain name. The access count required by policy 2 never has to be queried.
Thus, with different priorities assigned to several policies, deciding whether to enable secure acceleration for a target domain name means checking each policy's condition in order from highest to lowest priority, stopping as soon as one is satisfied or all have been checked. Under the same conditions, a different priority order produces a different sequence of checks and may take a different amount of time (a top-level-domain check is a string comparison on data already at hand, whereas an access count or trend has to be fetched from operational data). In practice, a sensible priority order can therefore be chosen for the application environment to shorten the decision process and reduce its cost.
The CDN vendor may set policies when it first starts serving the target domain name, add new policies during service according to the actual network environment or management decisions, or adjust or delete policies already set. Those skilled in the art will understand that policies other than those above may also be set.
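To make the priority-ordered evaluation described above concrete, here is an added example in Go; it is not code from the patent or from the applicant's platform. The DomainRecord fields, the policy labels and the HitGrowth ratio used for the "rising trend" rule are assumptions, since the page names the policy kinds but no data model. It goes slightly beyond the text by also encoding the business-type and rising-trend policies and by counting how many policies had to be consulted, which is the cost the priority order is meant to keep low.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DomainRecord holds the domain-name information and operational data the certificate management
// platform collects for one target domain name. The field set is an assumption: the page only
// names the kinds of data (top-level domain, business type, access count, access trend).
type DomainRecord struct {
	Name         string  // target domain name, e.g. "www.abc.gov"
	BusinessType string  // e.g. "finance"; empty when unknown
	HTTPSHits    int     // accesses to the secure acceleration service so far
	HitGrowth    float64 // this period's HTTPS accesses divided by last period's (>1 means rising)
}

// Policy is one secure acceleration policy: a label, a sequence number used as the priority
// (smaller number is checked first) and the condition on the domain record.
type Policy struct {
	Label   string
	Seq     int
	Matches func(DomainRecord) bool
}

// topLevelDomain returns the last label of a domain name, lower-cased, ignoring a trailing dot.
func topLevelDomain(name string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	return labels[len(labels)-1]
}

// TLDPolicy enables the service for domain names under one of the given top-level domains.
func TLDPolicy(seq int, tlds ...string) Policy {
	return Policy{Label: "tld", Seq: seq, Matches: func(d DomainRecord) bool {
		for _, t := range tlds {
			if topLevelDomain(d.Name) == strings.ToLower(t) {
				return true
			}
		}
		return false
	}}
}

// BusinessTypePolicy enables the service for domain names of one of the given business types.
func BusinessTypePolicy(seq int, types ...string) Policy {
	return Policy{Label: "business-type", Seq: seq, Matches: func(d DomainRecord) bool {
		for _, t := range types {
			if strings.EqualFold(d.BusinessType, t) {
				return true
			}
		}
		return false
	}}
}

// HitThresholdPolicy enables the service once the access count reaches the preset threshold.
func HitThresholdPolicy(seq int, threshold int) Policy {
	return Policy{Label: "hit-threshold", Seq: seq, Matches: func(d DomainRecord) bool {
		return d.HTTPSHits >= threshold
	}}
}

// RisingTrendPolicy enables the service when accesses to the secure service are growing.
func RisingTrendPolicy(seq int) Policy {
	return Policy{Label: "rising-trend", Seq: seq, Matches: func(d DomainRecord) bool {
		return d.HitGrowth > 1
	}}
}

// Decide checks the policies in priority order and stops at the first one whose condition holds.
// It returns the label of the matching policy ("" when none matches) and how many policies had
// to be consulted, which is the cost a good priority order keeps low.
func Decide(policies []Policy, d DomainRecord) (label string, consulted int) {
	ordered := append([]Policy(nil), policies...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Seq < ordered[j].Seq })
	for _, p := range ordered {
		consulted++
		if p.Matches(d) {
			return p.Label, consulted
		}
	}
	return "", consulted
}

func main() {
	target := DomainRecord{Name: "WWW.ABC.GOV", HTTPSHits: 55} // the page's example domain
	// First example on the page: the hit threshold is checked before the TLD rule.
	label, n := Decide([]Policy{HitThresholdPolicy(1, 100), TLDPolicy(2, "gov")}, target)
	fmt.Printf("order A: matched %q after %d checks\n", label, n)
	// Second example: the TLD rule is checked first, so the access count is never queried.
	label, n = Decide([]Policy{TLDPolicy(1, "gov"), HitThresholdPolicy(2, 100)}, target)
	fmt.Printf("order B: matched %q after %d checks\n", label, n)
}
```

Both orderings enable the service for WWW.ABC.GOV, but order B reaches the decision after one check and order A after two; with the access count living in operational data rather than in the domain name itself, that is the difference the text's remark about query time refers to.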
In an exemplary embodiment, requesting the target domain name's certificate from the CA and deploying it to the edge nodes includes:
generating a public key and a private key for the target domain name;
sending the public key and the configuration information to the CA;
receiving the certificate for the target domain name issued by the CA; and
sending the certificate and private key of the target domain name to the edge nodes, so that the edge nodes can provide secure acceleration for the target domain name.
Before requesting the certificate, the certificate management platform generates the target domain name's public key and private key.
The platform generates this key pair for the target domain name specifically so that it can request the domain's certificate.
The platform then sends the public key together with the target domain name's configuration information to the CA, thereby requesting the target domain name's certificate (in practice the public key and subject information are packaged as a certificate signing request, which also proves that the requester holds the private key). Once the key pair has been generated, sending the public key and the related information of the target domain name to the CA is all that is needed to request the certificate.
The platform receives the certificate for the target domain name issued by the CA.
It may receive the certificate directly from the CA, or, if the CA delivers the certificate to the CDN vendor, from the CDN management device.
After receiving the certificate issued by the CA, the platform stores it locally and sends the certificate and private key of the target domain name to the edge nodes so that they can enable secure acceleration for the target domain name.
In one exemplary embodiment, the platform sends the certificate and private key of the target domain name to every edge node in the system, so that the service is deployed on all of them and any edge node can provide secure acceleration for the target domain name. In another exemplary embodiment, a deployment policy restricts the service to a specified set of edge nodes.
In another exemplary embodiment, the platform receives a certificate request for the domain name from an edge node and sends the certificate and private key only to that node. Only the nodes that ask receive the certificate; it need not be deployed to every node, which lowers the effort and cost of deploying the service. This variant also confines the private key to the nodes that actually serve the domain, which matters because every node holding the key is one more place from which it can leak.
Having obtained the certificate and private key of the target domain name from the platform, the edge node stores both locally. On receiving a client's secure connection request for the target domain name, the edge node sends the client the certificate, which contains the domain's public key, the applicant's details, the CA's signature and other fields. The client now holds the domain's public key and the edge node its private key; the client authenticates the edge node with the certificate, the two sides run key agreement, and they set up an encrypted secure connection over which the edge node answers the client's requests.
In this exemplary embodiment, the platform obtains the target domain name's configuration information and uses it together with the domain's public key to request the domain certificate. The content provider need only hand the target domain name's configuration information to the CDN vendor; when the domain needs secure acceleration, the vendor's certificate management platform requests the certificate, sparing the content provider the tedious process of applying for one itself.
The CDN vendor's certificate management platform can automatically deploy the target domain name's certificate to the edge nodes, which then provide secure acceleration for the content provider's domain name. Even if the content provider's site does not serve a secure protocol, or the content provider has never obtained a certificate for its domain name, the CDN vendor can still provide secure acceleration alongside its CDN acceleration and improve the site's security. Clients using browsers that enforce HTTPS or use QUIC can also be served normally, further improving the content provider's service quality and the user experience.
In an exemplary embodiment, after obtaining the certificate for the target domain name issued by the CA, the method further includes:
within a preset period before the expiry time of the target domain name's certificate, requesting a new certificate for the target domain name from the CA.
A domain certificate carries a validity period. Only a certificate within its validity period is trusted by the client browser, verified as valid, and used to establish a secure connection with the server holding it; once the certificate has expired, the browser rejects it and will not establish the secure connection with that server. The platform therefore has to manage the certificates it obtains from the CA, monitor their validity periods, and request a new certificate for the target domain name within a preset period before expiry. In this exemplary embodiment the preset period may be one day, two days or another length, chosen according to how long a certificate request takes to complete.
In an exemplary embodiment, requesting a new certificate for the target domain name from the CA includes:
regenerating a new public key and a new private key for the target domain name; and
sending the new public key and the target domain name's configuration information to the CA to request the target domain name's certificate.
Within the preset period before the current certificate expires, the platform generates a new public key and a new private key for the target domain name and sends the new public key together with the domain's information to the CA to request the new certificate.
Because the domain certificate is managed by the CDN vendor's certificate management platform, renewal is carried out by the CDN vendor on its own, reducing the content provider's workload.
In an exemplary embodiment, after obtaining the certificate for the target domain name issued by the CA, the method further includes:
when the target domain name's certificate presents a security risk, sending a revocation request to the CA so that the CA revokes the certificate.
Various risks can arise while the certificate is in use. If the target domain name's private key is lost, the party holding the certificate can no longer perform key agreement with clients or establish HTTPS connections. If the private key generated by the CDN vendor for the domain leaks, the security of the website or of the CDN system is threatened. The CA or the CDN vendor may also judge that the private key is at risk of being compromised. In any of these cases the platform can at any time send a revocation request to the CA. Once the CA has revoked the certificate, it is no longer trusted and cannot be used even though its validity period has not ended, which prevents the security risk that a leaked private key would otherwise pose to the website.
Having requested the target domain name's certificate, the platform is responsible for managing it, further reducing the content provider's work.
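The issuance, deployment, renewal and revocation steps described in the preceding embodiments (step S12 onward) can be exercised end to end with the following added Go example, which is not code from the patent or from the applicant's platform. A toy CA stands in for the external CA institution (a real CA would also validate control of the domain name before signing); the key type (ECDSA P-256), the function names, the 48-hour renewal window and the use of the page's example domain www.abc.gov in lower case are assumptions. The public key and configuration information are packaged as a standard CSR. Verify plays the client's role and, going a step beyond the text, also checks the CA's CRL, so that a revoked certificate is rejected while still inside its validity period, which is the behaviour the revocation embodiment relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certificate authority standing in for the external CA institution (a real CA would
// also validate control of the domain name before signing). The platform never sees ca.Key.
type CA struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate // serials the platform has asked the CA to revoke
}

// NewCA creates a self-signed CA certificate able to sign both certificates and CRLs.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca := &CA{Key: key}
	ca.Cert, err = x509.ParseCertificate(der)
	return ca, err
}

// Sign is the CA side: check the CSR signature (proof of possession of the private key) and
// issue a server certificate for the requested name with the given lifetime and serial number.
func (ca *CA) Sign(csrDER []byte, lifetime time.Duration, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// RevokeAndPublish handles a revocation request from the platform and returns the CA's signed CRL.
func (ca *CA) RevokeAndPublish(cert *x509.Certificate) (*x509.RevocationList, error) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	tmpl := &x509.RevocationList{RevokedCertificates: ca.revoked, Number: big.NewInt(int64(len(ca.revoked))),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}

// Issue is the platform side of step S12: generate a fresh key pair for the domain name, send the
// public key plus the configuration information (domain name, owner) to the CA as a CSR, and
// return the signed certificate with the private key, which is what gets pushed to edge nodes.
func Issue(ca *CA, domain, owner string, lifetime time.Duration, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: domain, Organization: []string{owner}}, DNSNames: []string{domain},
	}, key)
	if err != nil { return nil, nil, err }
	cert, err := ca.Sign(csrDER, lifetime, serial)
	return cert, key, err
}

// NeedsRenewal is the "preset period before expiry" check that triggers re-issuance with a new key.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-window))
}

// Verify is what a client does with the certificate an edge node presents for dnsName: chain it to
// the CA, then reject it if the CA's current CRL (when one is supplied) lists its serial number.
func Verify(ca *CA, cert *x509.Certificate, dnsName string, crl *x509.RevocationList) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName}); err != nil { return err }
	if crl == nil { return nil }
	if err := crl.CheckSignatureFrom(ca.Cert); err != nil { return err }
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return fmt.Errorf("serial %v has been revoked", r.SerialNumber) }
	}
	return nil
}
```

A typical run is NewCA, then Issue for www.abc.gov, Verify against the CA without a CRL, NeedsRenewal as the expiry approaches (a renewal is simply another Issue, which yields a new key pair rather than re-certifying the old one, as the embodiment above requires), and finally RevokeAndPublish followed by Verify with the resulting CRL. Note that a client which never fetches the CRL (crl == nil here) keeps trusting a revoked certificate until it expires; revocation only protects clients that actually check it, so the platform should still replace the certificate on the edge nodes promptly rather than rely on revocation alone.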
Fig. 2 is a flowchart of a secure acceleration service deployment method according to an exemplary embodiment. Referring to Fig. 2, the method is applied at the configuration center and includes at least steps S21 and S22, described in detail below:
In step S21, instruction information to enable secure acceleration for the target domain name is received, and a detection result indicating that secure acceleration is to be enabled for the target domain name is sent to the certificate management platform.
If the content provider itself does not offer secure connections, or has not obtained a certificate for its domain name, the certificate management platform can obtain the content provider's configuration information for the target domain name from the configuration center, for example the content provider's company name and administrator details.
In an exemplary embodiment, the configuration information obtained for the target domain name can be used to configure secure acceleration for it and includes the domain name and details of the domain's owner or administrator.
Because the target domain name's configuration information is stored locally, the CDN vendor can, while providing acceleration for the domain name, decide from the actual network environment or from an instruction received from the content provider that secure acceleration is needed, and then use the stored configuration information to request a certificate from the CA and provide the service, without asking the content provider for additional information or requiring its participation.
So that instructions from content providers are received promptly, the CDN vendor can provide customers with a configuration page through which they can send instructions to the CDN vendor at any time. The page is connected to the configuration center, and the information a customer enters is stored in the center's database. The CDN vendor may also set up a management page for issuing instructions to the configuration center.
The configuration center may receive the instruction to enable secure acceleration for the target domain name in several ways: a customer of the CDN system (the content provider or its representative) ticks the corresponding option on the platform provided by the configuration center; the instruction reaches the CDN vendor's staff by some other channel and they enter it into the configuration center; or the CDN vendor's staff carry out a security assessment of the target domain name, judge that it is at risk of network attack, decide to enable secure acceleration, and issue the instruction to the configuration center from a management device. By examining its database, the configuration center obtains the data associated with the instruction and generates the corresponding detection result, which indicates that secure acceleration is to be enabled for the target domain name.
The configuration center sends that detection result to the certificate management platform to notify it to enable secure acceleration for the target domain name.
In step S22, a request for the target domain name's configuration information is received from the certificate management platform, and the configuration information of the target domain name is sent to the platform.
When the platform has determined, according to the secure acceleration policy, to enable the service for the target domain name, or has received the configuration center's detection result to that effect, it sends the configuration center a request for the target domain name's configuration information so that it can use that information to request a certificate from the CA. On receiving the request, the configuration center sends the configuration information to the platform.
Once the configuration center has established that secure acceleration is to be enabled for the target domain name, it sends the domain name's configuration information to the certificate management platform so that the platform can request the domain certificate from the CA.
In this exemplary embodiment, the configuration center manages the target domain name's configuration information and hands it to the certificate management platform only when the platform needs to request a certificate, which guards against leakage of the configuration information. The configuration center also receives instructions from customers or from the CDN management platform and passes the related detection results to the certificate management platform, so that the platform can decide to enable secure acceleration and request the certificate. The certificate management platform accepts no input from outside, which protects the security of the certificates.
基于上述示例性实施例的技术方案,以下介绍本公开实施例的一个具体应用场景:Based on the technical solutions of the above exemplary embodiments, a specific application scenario of the embodiments of the present disclosure is introduced as follows:
公司A、B为内容提供商,其网站域名分别为域名A、域名B,公司对网站内容的安全性不敏感,仅为其用户提供HTTP服务。用户只能向网站发送HTTP的请求才能获取响应的内容, 如果发送HTTPS协议格式的请求,网站将断开与客户端的连接。例如:用户访问公司A网站中的文件1.jpg,用户通过浏览器访问HTTP://A/1.jpg,用户能够获取1.jpg文件;如果用户输入的HTTPS://A/1.jpg,用户无法获取请求的内容。Companies A and B are content providers, and their website domain names are domain name A and domain name B respectively. The companies are not sensitive to the security of website content and only provide HTTP services for their users. The user can only get the content of the response by sending an HTTP request to the website. If a request in the HTTPS protocol format is sent, the website will disconnect from the client. For example: the user accesses the file 1.jpg on the website of company A, and the user accesses HTTP://A/1.jpg through the browser, and the user can obtain the 1.jpg file; if the user enters HTTPS://A/1.jpg , the user cannot get the requested content.
公司A、B通过CDN网络对网站内容进行加速,会预先将域名的配置信息提供给CDN厂商,例如网站的域名,内容提供商的公司名称、管理人信息等。以使CDN厂商在确定为域名提供安全加速服务时,由CDN厂商自主申请域名的证书。Companies A and B accelerate website content through the CDN network, and will provide domain name configuration information to the CDN manufacturer in advance, such as the domain name of the website, company name of the content provider, administrator information, etc. This allows CDN vendors to independently apply for domain name certificates when they determine to provide secure acceleration services for domain names.
CDN厂商将域名A和域名B的配置信息存储在配置中心。The CDN manufacturer stores the configuration information of domain name A and domain name B in the configuration center.
CDN厂商制定安全加速策略:CDN vendors formulate security acceleration strategies:
策略1:为访问安全加速服务的次数大于等于100次的域名开启安全加速服务。Strategy 1: Enable the security acceleration service for domain names that access the security acceleration service more than or equal to 100 times.
策略2:为财经业务类型的域名提供安全加速服务。Strategy 2: Provide security acceleration services for financial business domain names.
策略2的优先级高于策略1的优先级。Policy 2 has a higher priority than Policy 1.
The certificate management platform first checks whether domain names A and B are of the financial business type. The domain name information of neither A nor B satisfies this policy, so Policy 2 does not cause the security acceleration service to be enabled for either domain name.
The certificate management platform then obtains the operation data of domain names A and B. In the operation data of domain name A, the number of accesses to the security acceleration service HTTPS://A is greater than 100, so the condition of Policy 1 is met and the certificate management platform decides to enable the security acceleration service for domain name A. The platform sends the configuration center a request for the configuration information of domain name A and receives that configuration information from the configuration center. It then begins applying to the CA for a certificate for domain name A: the certificate management platform generates a public key and a private key for domain name A and sends the public key together with the configuration information of domain name A to the CA to apply for a domain name certificate.
In the operation data of domain name B, the number of accesses to the security acceleration service HTTPS://B is less than 100, so domain name B does not meet the condition of Policy 1 either. The certificate management platform decides not to enable the security acceleration service for domain name B.
Later in operation, Company B concludes from the traffic on its website that the security acceleration service should be enabled for domain name B. It logs in to the configuration page provided by the CDN vendor, ticks the option to enable the security acceleration service for domain name B, and submits the instruction. When the configuration center detects the corresponding data, it sends a detection result to the certificate management platform indicating that the security acceleration service is to be enabled for domain name B. On receiving this detection result, the certificate management platform decides to enable the security acceleration service for domain name B. The platform sends the configuration center a request for the configuration information of domain name B and receives that configuration information from the configuration center. It then begins applying to the CA for a certificate for domain name B.
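The decision procedure in the scenario above is an ordered list of rules where the first match wins, plus an opt-in from the configuration center that overrides the rules. The Go program below is an added example written for this page; it is not code from the patent or its applicant. It generalizes the two policies of the scenario to an arbitrary priority-ordered list, which is the shape claim 3 describes. The type and function names, the domain names a.example and b.example, the access counts and the numeric priorities are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// DomainInfo carries the "domain name information" (business type) and the
// "operation information" (number of accesses to the HTTPS endpoint) that the
// policies of the scenario consult. Field names are this example's own.
type DomainInfo struct {
	Name          string
	BusinessType  string
	HTTPSAccesses int
}

// Policy is one rule of the security acceleration strategy. A lower Priority
// value is evaluated first; the first rule that matches decides.
type Policy struct {
	Name     string
	Priority int
	Match    func(DomainInfo) bool
}

// Decision records whether the service is enabled for a domain and why.
type Decision struct {
	Domain string
	Enable bool
	Reason string
}

// DefaultPolicies encodes the scenario: Policy 2 (financial business type)
// takes priority over Policy 1 (100 or more accesses to the HTTPS endpoint).
func DefaultPolicies() []Policy {
	return []Policy{
		{Name: "policy1: >=100 HTTPS accesses", Priority: 2,
			Match: func(d DomainInfo) bool { return d.HTTPSAccesses >= 100 }},
		{Name: "policy2: financial business type", Priority: 1,
			Match: func(d DomainInfo) bool { return d.BusinessType == "finance" }},
	}
}

// Evaluate applies the policies in priority order. A rule that does not match
// never disables a domain; it only falls through, so a domain with no matching
// rule is left as it is (domain B before Company B opts in).
func Evaluate(d DomainInfo, policies []Policy) Decision {
	ordered := make([]Policy, len(policies))
	copy(ordered, policies)
	sort.SliceStable(ordered, func(i, j int) bool {
		return ordered[i].Priority < ordered[j].Priority
	})
	for _, p := range ordered {
		if p.Match(d) {
			return Decision{Domain: d.Name, Enable: true, Reason: p.Name}
		}
	}
	return Decision{Domain: d.Name, Enable: false, Reason: "no policy matched"}
}

// Decide adds the manual path: an instruction submitted through the CDN
// vendor's configuration page and relayed by the configuration center as a
// detection result enables the service regardless of the policies.
func Decide(d DomainInfo, policies []Policy, enabledViaConfigCenter map[string]bool) Decision {
	if enabledViaConfigCenter[d.Name] {
		return Decision{Domain: d.Name, Enable: true, Reason: "instruction via configuration center"}
	}
	return Evaluate(d, policies)
}

func main() {
	policies := DefaultPolicies()
	// Constructed inputs mirroring the scenario: A has more than 100 accesses, B fewer.
	a := DomainInfo{Name: "a.example", BusinessType: "media", HTTPSAccesses: 150}
	b := DomainInfo{Name: "b.example", BusinessType: "media", HTTPSAccesses: 20}
	for _, d := range []DomainInfo{a, b} {
		fmt.Printf("%+v\n", Decide(d, policies, nil))
	}
	// Company B later ticks the option on the configuration page.
	fmt.Printf("%+v\n", Decide(b, policies, map[string]bool{"b.example": true}))
}
```

Two properties of this engine are worth keeping in any real implementation. A rule that fails to match never switches the service off; the only outcomes are "enable, because this rule matched" and "leave as is", so a drop in traffic cannot silently remove a certificate a domain already relies on. And the access count behind Policy 1 is, in practice, a count of TLS connection attempts the edge node sees for a name it has no certificate for yet (the certificate acquisition request of claim 2 is the edge node's signal), so it would be counted per requested server name rather than per successfully served page.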
In an exemplary embodiment, after obtaining the configuration information of domain name B, the configuration center synchronizes the domain name and the information about the domain name's owner or administrator contained in it to the certificate management platform.
The certificate management platform generates a public key and a private key for domain name B and sends the public key together with the configuration information of domain name B to the CA to apply for a domain name certificate.
According to the above exemplary embodiments, the security acceleration service deployment method of the present disclosure allows the CDN vendor's certificate management platform to provide the security acceleration service for the content provider's domain names automatically, according to the security acceleration strategy, without the content provider having to go through a cumbersome certificate application.
Fig. 3 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment. Referring to Fig. 3, the apparatus is applied to the certificate management platform and includes a security acceleration service enabling module 301 and a certificate management module 302.
The security acceleration service enabling module 301 is configured to decide to enable the security acceleration service for a target domain name when the domain name information or operation information of the target domain name satisfies the security acceleration policy, or when a detection result indicating that the security acceleration service is to be enabled for the target domain name is received.
The certificate management module 302 is configured to apply to a CA for a certificate for the target domain name and to deploy that certificate to the edge nodes.
Fig. 4 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment. Referring to Fig. 4, the apparatus further includes a configuration information request module 401.
The configuration information request module 401 is configured to send the configuration center a request for the configuration information of the target domain name and to receive that configuration information.
Fig. 5 is a block diagram of a security acceleration service deployment apparatus according to an exemplary embodiment. Referring to Fig. 5, the apparatus is applied to the configuration center and includes an information management module 501 and a configuration information sending module 502.
The information management module 501 is configured to receive instruction information to enable the security acceleration service for the target domain name and to send the corresponding detection result to the certificate management platform.
The configuration information sending module 502 is configured to send the configuration information to the certificate management platform.
Fig. 6 is a block diagram of a computer device 600 for security acceleration service deployment according to an exemplary embodiment. The computer device 600 may, for example, be provided as a server. Referring to Fig. 6, the computer device 600 includes one or more processors 601, as required, and one or more memories 602 configured to store instructions, such as application programs, that are executable by the processor 601. One or more application programs may be stored. The processor 601 is configured to execute the instructions so as to perform the security acceleration service deployment method described above.
Those skilled in the art will appreciate that the embodiments of the present disclosure may be provided as a method, an apparatus (device), or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data, including but not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In this disclosure, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, such that an article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such an article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the article or device that comprises the element.
Although exemplary embodiments of the present disclosure have been described, those skilled in the art may make further changes and modifications to these embodiments once they have learned the basic inventive concept. Therefore, the appended claims are intended to be interpreted as covering the exemplary embodiments and all changes and modifications that fall within the scope of the present disclosure.
Obviously, those skilled in the art can make various changes and variations to the present disclosure without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include them as well.
Industrial Applicability
With the security acceleration service deployment method, apparatus, medium and device provided by the present disclosure, HTTPS or QUIC security acceleration can be implemented automatically for the website of a content provider that only offers HTTP service to its users. The content provider does not need to apply for a certificate for its domain name, nor to manage or renew the certificate, which speeds up the deployment of the security acceleration service for the content provider's domain name. After the content provider has deployed its HTTP service on the certificate management platform, the platform decides according to the security acceleration strategy whether the security acceleration service is needed and, if so, applies to the CA for a certificate on its own. This process requires no participation from the content provider and is completely transparent to it.

Claims (16)

  1. A security acceleration service deployment method, applied to a certificate management platform, comprising:
    when the domain name information or operation information of a target domain name satisfies a security acceleration policy, or when a detection result indicating that the security acceleration service is to be enabled for the target domain name is received, deciding to enable the security acceleration service for the target domain name;
    applying to a CA for a certificate for the target domain name, and deploying the certificate of the target domain name to an edge node;
    wherein the domain name information includes at least one of a top-level domain type and a business type, and the operation information includes at least one of the historical number of accesses to the security acceleration service of the target domain name and the access trend of the security acceleration service of the target domain name.
  2. The security acceleration service deployment method according to claim 1, further comprising:
    obtaining the security acceleration policy;
    determining whether the domain name information or operation information of the target domain name satisfies the security acceleration policy; or, after receiving a certificate acquisition request for the target domain name sent by an edge node, determining whether the domain name information or operation information of the target domain name satisfies the security acceleration policy.
  3. The security acceleration service deployment method according to claim 1, wherein the security acceleration policy comprises:
    providing the security acceleration service for domain names of a preset top-level domain type and/or a preset business type; or,
    enabling the security acceleration service for domain names whose number of accesses to the security acceleration service is greater than or equal to a preset threshold and/or domain names whose access trend for the security acceleration service is increasing.
  4. The security acceleration service deployment method according to claim 1, wherein, after deciding to enable the security acceleration service for the target domain name, the method further comprises:
    sending the configuration center a request for the configuration information of the target domain name, and receiving the configuration information of the target domain name.
  5. The security acceleration service deployment method according to claim 1, wherein applying to the CA for a certificate for the target domain name and deploying the certificate of the target domain name to the edge node comprises:
    generating a public key and a private key for the target domain name;
    sending the public key and the configuration information to the CA;
    receiving the certificate of the target domain name issued by the CA;
    sending the certificate of the target domain name and the private key to the edge node, so that the edge node provides the security acceleration service for the target domain name.
  6. The security acceleration service deployment method according to claim 1, wherein, after obtaining the certificate of the target domain name issued by the CA, the method further comprises:
    applying to the CA for a new certificate for the target domain name within a preset period before the expiry time of the certificate of the target domain name.
  7. The security acceleration service deployment method according to claim 6, wherein applying to the CA for a new certificate for the target domain name comprises:
    regenerating a new public key and a new private key for the target domain name;
    sending the new public key and the configuration information of the target domain name to the CA, and applying to the CA for a certificate for the target domain name.
  8. The security acceleration service deployment method according to claim 1, wherein, after obtaining the certificate of the target domain name issued by the CA, the method further comprises:
    if the certificate of the target domain name presents a security risk, sending a revocation request to the CA.
  9. The security acceleration service deployment method according to any one of claims 1 to 8, wherein the security acceleration service includes an HTTPS acceleration service or a QUIC acceleration service.
  10. A security acceleration service deployment method, applied to a configuration center, comprising:
    receiving instruction information to enable the security acceleration service for the target domain name, and sending a detection result indicating that the security acceleration service is to be enabled for the target domain name to the certificate management platform;
    receiving, from the certificate management platform, a request for the configuration information of the target domain name, and sending the configuration information of the target domain name to the certificate management platform.
  11. The security acceleration service deployment method according to claim 10, wherein the configuration information of the target domain name is used to configure the security acceleration service for the target domain name and includes the domain name and information about the domain name's owner or administrator.
  12. A security acceleration service deployment apparatus, applied to a certificate management platform, comprising:
    a security acceleration service enabling module, configured to decide to enable the security acceleration service for a target domain name when the domain name information or operation information of the target domain name satisfies a security acceleration policy, or when a detection result indicating that the security acceleration service is to be enabled for the target domain name is received;
    a certificate management module, configured to apply to a CA for a certificate for the target domain name and to deploy the certificate of the target domain name to an edge node.
  13. The security acceleration service deployment apparatus according to claim 12, further comprising:
    a configuration information request module, configured to send the configuration center a request for the configuration information of the target domain name and to receive the configuration information of the target domain name.
  14. A security acceleration service deployment apparatus, applied to a configuration center, comprising:
    an information management module, configured to receive instruction information to enable the security acceleration service for the target domain name and to send a detection result indicating that the security acceleration service is to be enabled for the target domain name to the certificate management platform;
    a configuration information sending module, configured to send the configuration information to the certificate management platform.
  15. A computer-readable storage medium storing a computer program, wherein the computer program, when executed, implements the steps of the method according to any one of claims 1 to 11.
  16. A computer device comprising a processor, a memory and a computer program stored in the memory, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 11.
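The certificate side of the procedure appears twice above: in the worked example for domain names A and B (a key pair per domain, the public key and the configuration information sent to the CA) and in claims 5 to 8 (issue, push certificate and private key to the edge node, renew within a preset window before expiry with a newly generated key pair, revoke on a security risk). The Go program below is an added example written for this page, not code from the patent or its applicant. It runs offline by standing in its own issuing CA for the external one; a real deployment submits the same request to a public CA. What the platform actually submits is a certificate signing request (CSR): it carries the public key and the configuration information and is signed with the private key so the CA can check that the requester holds it, which is the standard form of "sending the public key to the CA". The type and function names, the domain name b.example, the 90-day validity and the 30-day renewal window are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type DomainConfig struct{ Name, Owner string } // configuration information from the configuration center (claim 11)

// Credential is a certificate with its private key: what the platform pushes to the
// edge nodes for a domain (claim 5). The offline stand-in CA below is one as well.
type Credential struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed issuing CA so the example runs offline (stand-in for the external CA).
func NewCA() (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CDN Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Credential{Cert: cert, Key: key}, nil
}

// Sign checks the CSR's self-signature (proof of possession of the private key) and issues a server certificate for exactly the requested name.
func (ca *Credential) Sign(csrDER []byte, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Apply is the platform side of claim 5: a fresh key pair for the domain and a CSR carrying the public key and the configuration information, signed with the private key.
func Apply(ca *Credential, cfg DomainConfig, validity time.Duration) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	req := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cfg.Name, Organization: []string{cfg.Owner}},
		DNSNames: []string{cfg.Name},
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil { return nil, err }
	cert, err := ca.Sign(csrDER, validity)
	if err != nil { return nil, err }
	return &Credential{Cert: cert, Key: key}, nil
}

// NeedsRenewal is the check of claim 6: true once now is inside the preset window before NotAfter, or the certificate has already expired.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-window))
}

// Renew re-applies with a newly generated key pair (claim 7) and rejects a result that reuses the old key, so a key exposed during the previous period is retired.
func Renew(ca *Credential, cfg DomainConfig, old *Credential, validity time.Duration) (*Credential, error) {
	fresh, err := Apply(ca, cfg, validity)
	if err != nil { return nil, err }
	if fresh.Key.PublicKey.Equal(&old.Key.PublicKey) {
		return nil, fmt.Errorf("renewal of %s reused the previous key pair", cfg.Name)
	}
	return fresh, nil
}

// VerifyForEdge is what an edge node should check before serving a pushed credential: the certificate chains to the CA and covers the target domain name.
func VerifyForEdge(ca, cred *Credential, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cred.Cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	ca, err := NewCA()
	if err != nil { panic(err) }
	cred, err := Apply(ca, DomainConfig{Name: "b.example", Owner: "Company B"}, 90*24*time.Hour) // constructed input
	if err != nil { panic(err) }
	fmt.Println(VerifyForEdge(ca, cred, "b.example"), cred.Cert.DNSNames, cred.Cert.NotAfter.Format(time.RFC3339))
}
```

The stand-in CA accepts any CSR whose signature checks. A public CA issuing a domain-validated certificate additionally requires proof of control over the name (for example an ACME challenge answered from the edge nodes) and ignores the Organization field, so the owner information from the configuration center serves the platform's own records rather than the issued certificate. Claim 5 also has the private key leave the platform for the edge nodes; that transfer and the key store on each node need the same protection as the key itself, and the revocation request of claim 8 is the recovery path if either is compromised.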
PCT/CN2022/097417 2021-06-09 2022-06-07 Deployment method and apparatus for secure acceleration service, and medium and device WO2022257931A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110645788.1 2021-06-09
CN202110645788.1A CN115460084B (en) 2021-06-09 2021-06-09 Security acceleration service deployment method, device, medium and equipment

Publications (1)

Publication Number Publication Date
WO2022257931A1 true WO2022257931A1 (en) 2022-12-15

Family

ID=84295290

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/097417 WO2022257931A1 (en) 2021-06-09 2022-06-07 Deployment method and apparatus for secure acceleration service, and medium and device

Country Status (2)

Country Link
CN (1) CN115460084B (en)
WO (1) WO2022257931A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116684382B (en) * 2023-07-28 2023-10-20 深圳市豪斯莱科技有限公司 Domain name detection and automation application domain name certificate method, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105846996A (en) * 2016-03-17 2016-08-10 上海携程商务有限公司 Automatic server certificate deployment system and method
CN106230782A (en) * 2016-07-20 2016-12-14 腾讯科技(深圳)有限公司 A kind of information processing method based on content distributing network and device
CN107733882A (en) * 2017-09-30 2018-02-23 亚数信息科技(上海)有限公司 SSL certificate automatically dispose method and apparatus
US20190014088A1 (en) * 2017-07-06 2019-01-10 Citrix Systems, Inc. Method for ssl optimization for an ssl proxy
CN109818946A (en) * 2019-01-11 2019-05-28 网宿科技股份有限公司 The method and system of CA certificate application and deployment

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10110592B2 (en) * 2013-10-09 2018-10-23 Digicert, Inc. Reducing latency for certificate validity messages using private content delivery networks
EP3443721A4 (en) * 2016-04-15 2020-03-18 Qualcomm Incorporated Techniques for managing secure content transmissions in a content delivery network
CN109660578B (en) * 2017-10-11 2022-01-21 阿里巴巴集团控股有限公司 CDN back-to-source processing method, device and system
CN108401011B (en) * 2018-01-30 2021-09-24 网宿科技股份有限公司 Acceleration method and device for handshake request in content distribution network and edge node
US10810279B2 (en) * 2018-02-07 2020-10-20 Akamai Technologies, Inc. Content delivery network (CDN) providing accelerated delivery of embedded resources from CDN and third party domains
CN108200104A (en) * 2018-03-23 2018-06-22 网宿科技股份有限公司 The method and system that a kind of progress SSL shakes hands
CN110324347B (en) * 2019-07-08 2022-02-25 秒针信息技术有限公司 Information integration method and device and electronic equipment
CN111064795B (en) * 2019-12-20 2021-05-14 腾讯科技(深圳)有限公司 Web page access acceleration method, system, computer equipment, server and medium
CN112491859B (en) * 2020-11-20 2023-06-20 上海连尚网络科技有限公司 Domain name certificate detection method, device, electronic equipment and computer readable medium
CN112702175A (en) * 2020-12-28 2021-04-23 上海七牛信息技术有限公司 Method and system for one-key application and deployment of target server certificate

Also Published As

Publication number Publication date
CN115460084A (en) 2022-12-09
CN115460084B (en) 2024-05-24

Similar Documents

Publication Publication Date Title
WO2020143470A1 (en) Method for issuing digital certificate, digital certificate issuing center, and medium
US7752443B2 (en) Method and system for a single-sign-on operation providing grid access and network access
US8549157B2 (en) Transparent secure socket layer
US8296828B2 (en) Transforming claim based identities to credential based identities
O’Malley et al. Hadoop security design
US8788811B2 (en) Server-side key generation for non-token clients
EP2200217B1 (en) Server certificate issuance system
EP2842258B1 (en) Multi-factor certificate authority
US8261080B2 (en) System and method for managing digital certificates on a remote device
US20090290715A1 (en) Security architecture for peer-to-peer storage system
CN107637044B (en) Secure in-band service detection
US20110296171A1 (en) Key recovery mechanism
KR20080053298A (en) Creating secure interactive connections with remote resources
US10257171B2 (en) Server public key pinning by URL
US8806195B2 (en) User interface generation in view of constraints of a certificate profile
WO2022257931A1 (en) Deployment method and apparatus for secure acceleration service, and medium and device
CN112261068B (en) Dynamic TLS authentication method, device and storage medium in local area network
JP2012181662A (en) Account information cooperation system
WO2023093772A1 (en) Request scheduling method and apparatus, electronic device, and storage medium
JP2006301831A (en) Management device
JP2004151942A (en) Web service providing device, web service providing method and web service providing program
WO2022257928A1 (en) Secure accelerated service deployment method and apparatus, medium and device
JP2008287359A (en) Authentication apparatus and program
JP2024501752A (en) Attribute-based cryptographic keys as keying material for keyed hash message authentication codes User authentication and authorization
WO2023160632A1 (en) Method for setting cloud service access permissions of enclave instance, and cloud management platform

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22819529

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE