Method for improving treatment efficiency of SSL gateway and SSL gateway

Info

Publication number
CN100571188C
Authority
CN
Grant status
Grant
Prior art keywords
ssl
gateway
treatment
efficiency
method
Application number
CN 200710121688
Other languages
Chinese (zh)
Other versions
CN101119274A (en)
Inventor
飓 王
Original Assignee
杭州华三通信技术有限公司 (Hangzhou H3C Technologies Co., Ltd.)

Abstract

The present invention provides a method for improving the processing efficiency of an SSL gateway. The method comprises: configuring a virtual IP address on the SSL gateway that is identical to the IP address of the server in the network protected by the SSL gateway, or setting the IP address of the SSL gateway as the IP address corresponding to the domain name of the server; after the SSL gateway receives a web request from a client to access the server, not replacing the URL in the web request but processing the received web request directly according to the gateway's own configured rules; and, for URL information that the server sends to the client, the SSL gateway likewise performing no URL replacement and sending the original URL information directly to the client. The present invention also provides an SSL gateway. The technical solution provided by the invention reduces the processing load on the SSL gateway and improves its processing efficiency.

Description

A method for improving the processing efficiency of an SSL gateway, and an SSL gateway

Technical field

The present invention relates to network communication technology, and in particular to a method for improving the processing efficiency of a Secure Sockets Layer (SSL) gateway, and to an SSL gateway.

Background

SSL is a protocol that provides a secure channel between two devices; it protects the security of data transmitted over the Internet by means of encryption, and its appearance gave network transport based on the Hypertext Transfer Protocol (HTTP) a security guarantee. A Virtual Private Network (VPN) is mainly used for virtual network connections; it ensures the confidentiality of data and provides a certain degree of access control. A VPN based on HTTPS (HTTP over SSL) is called an SSL VPN. The unique properties of SSL, together with the secure remote access control that a VPN can provide, make SSL VPN the simplest and most secure technology for giving remote users access to sensitive enterprise data.

A device that supports the SSL VPN function is called an SSL gateway. Figure 1 shows a typical SSL gateway network: the protected LAN is connected to the WAN through the SSL gateway. The operating principle of the SSL gateway is shown in Figure 2. Towards the user (client) side, the SSL gateway imitates the behaviour of a server and provides the service to the client; towards the server side, the SSL gateway imitates the behaviour of a client, obtaining information from the server and passing it on to the real client. When a client on the external network wants to access a web application on the protected server, the client first has to establish an SSL connection with the SSL gateway and authenticate, and then send the relevant web request to the SSL gateway. After the SSL gateway receives the web request from the client, it processes the request according to its configured filtering and conversion rules. If the user's privileges are insufficient, the SSL gateway rejects the user's web request outright; if the user has sufficient privileges, the SSL gateway sends a request to the real server according to the web request it received, obtains the corresponding data, and then sends the obtained data to the client over the SSL connection that has already been established. To keep the data transmission secure, the communication between the SSL gateway and the client is encrypted with the SSL protocol and transmitted as ciphertext.

When the SSL gateway sends data provided by the server to the client, it has to find every Uniform Resource Locator (URL) on the web page that the server returns to the client and convert those URLs, so that the next time the client uses them to access the server the access request passes through the SSL gateway instead of being sent directly to the server. For example, the SSL gateway replaces the URL link http://101.3.205.1/defect/defectList.do?fileID=930 that the server provides to the client with https://1.1.3.202/http/p/101.3.205.1/defect/defectList.do?fileID=930; or it replaces http://www.myspace.com/defect/defectList.do?fileID=930 with https://svpn.myspace.com/http/0/www.myspace.com/defect/defectList.do?fileID=930. Here 1.1.3.202 and svpn.myspace.com, which the SSL gateway inserts during URL replacement, are the IP address and the domain name of the SSL gateway. A URL usually consists of three parts, a prefix, a domain name or IP address, and a suffix; in the conversion performed by the SSL gateway the suffix generally stays unchanged. If the URL the server provides to the client is a relative URL, that is, one that has only a suffix and no prefix or domain name/IP address, the SSL gateway does not need to convert it, because the client automatically prepends the prefix and domain name/IP address used in its previous access.

For ease of description, this document calls the URL provided by the server the original URL and the URL converted by the SSL gateway the gateway URL. When the client uses a gateway URL to access a resource on the server, the SSL gateway has to replace the gateway URL sent by the client with the original URL that the server can recognise; for the web page that the server returns to the client after the access, the SSL gateway has to find every URL on the page, replace these original URLs with gateway URLs, and only then send the page with the replaced gateway URLs to the client.
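As an added illustration of the prior-art rewriting described above (example code written for this page, not code from the patent or from H3C), the following Python maps original URLs to gateway URLs and back, using the two URL layouts the page shows; the path markers "p" (after an IP address) and "0" (after a domain name) are taken from those two examples and are an assumption about the gateway URL layout, and svpn.myspace.com and 1.1.3.202 are the page's own gateway name and address:

```python
# Added example: the original-URL <-> gateway-URL mapping that the background
# section describes, i.e. the per-page work the invention sets out to avoid.
# Layout assumed from the page's two examples (an assumption, not a spec):
#   http://101.3.205.1/defect/defectList.do?fileID=930
#     -> https://1.1.3.202/http/p/101.3.205.1/defect/defectList.do?fileID=930
#   http://www.myspace.com/defect/defectList.do?fileID=930
#     -> https://svpn.myspace.com/http/0/www.myspace.com/defect/defectList.do?fileID=930
import re
from urllib.parse import urlsplit, urlunsplit

GATEWAY_HOST = "svpn.myspace.com"          # gateway name from the page

# absolute http(s) URLs inside an HTML body; stops at quotes/whitespace/brackets
_ABS_URL = re.compile(r"""https?://[^\s"'<>)]+""")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def to_gateway_url(original, gateway_host=GATEWAY_HOST):
    """Rewrite one absolute original URL into its gateway URL.

    Relative URLs (no scheme or host) come back unchanged: as the page notes,
    the browser re-prepends the prefix and host it used for the last request,
    so a relative link keeps pointing at the gateway on its own."""
    parts = urlsplit(original)
    if not parts.scheme or not parts.netloc:
        return original
    marker = "p" if _IPV4.match(parts.hostname or "") else "0"
    path = parts.path or "/"
    new_path = "/%s/%s/%s%s" % (parts.scheme, marker, parts.netloc, path)
    return urlunsplit(("https", gateway_host, new_path, parts.query, parts.fragment))


def to_original_url(gateway_url, gateway_host=GATEWAY_HOST):
    """Reverse step for a client request: recover the original URL the server
    understands. Raises ValueError for anything that is not a gateway URL."""
    parts = urlsplit(gateway_url)
    if parts.scheme != "https" or parts.netloc != gateway_host:
        raise ValueError("not a gateway URL for %s" % gateway_host)
    # gateway path layout: /<scheme>/<marker>/<origin host>/<original path>
    segments = parts.path.split("/", 4)
    if len(segments) < 4 or segments[1] not in ("http", "https"):
        raise ValueError("malformed gateway URL path: %r" % parts.path)
    scheme, host = segments[1], segments[3]
    path = "/" + (segments[4] if len(segments) > 4 else "")
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


def rewrite_page(body, gateway_host=GATEWAY_HOST):
    """Scan a server response body and rewrite every absolute URL in it.
    This full-text scan on every page is the load the patent removes."""
    return _ABS_URL.sub(lambda m: to_gateway_url(m.group(0), gateway_host), body)
```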

Clearly, in the existing SSL gateway process the SSL gateway has to do a great deal of replacement work: it not only has to replace the gateway URLs sent by the client with original URLs, it also has to find every original URL in the web pages the server sends to the client and replace them with gateway URLs, and this replacement work consumes a large amount of processing resources. Because the SSL gateway is already heavily loaded with SSL encryption, authentication and user rule matching, adding these URL replacement operations on top lowers the processing efficiency of the SSL gateway.

Summary of the invention

In view of this, the main object of the present invention is to provide a method for improving the processing efficiency of an SSL gateway, and an SSL gateway, so as to improve the processing efficiency of the SSL gateway. To achieve the above object, the present invention provides the following technical solution. A method for improving the processing efficiency of an SSL gateway comprises:

configuring a virtual IP address on the SSL gateway, the virtual IP address being identical to the IP address of the server in the network protected by the SSL gateway; or setting the IP address of the SSL gateway as the IP address corresponding to the domain name of the server;

after the SSL gateway receives a web request from a client to access the server, not replacing the URL in the web request but processing the received web request directly according to the gateway's own configured rules; and, for URL information that the server sends to the client, the SSL gateway likewise performing no URL replacement and sending the original URL information directly to the client.

When the SSL gateway is attached as a bypass to the path connecting the network it protects with the external network, the method further comprises:

after the forwarding device on that path receives the web request from the client to access the server, redirecting the web request to the SSL gateway.

Setting the IP address of the SSL gateway as the IP address corresponding to the server's domain name comprises: when registering the IP address corresponding to the server's domain name with the domain name server, registering the IP address of the SSL gateway directly as the IP address corresponding to the server's domain name.

Setting the IP address of the SSL gateway as the IP address corresponding to the server's domain name comprises: when an internal domain name server exists in the network protected by the SSL gateway, the SSL gateway intercepting DNS packets sent by the internal domain name server to the external domain name server, changing the mapping carried in them between the server's domain name and the server's IP address into a mapping between the server's domain name and the IP address of the SSL gateway, and sending the modified DNS packets to the external domain name server.

When the SSL gateway is attached as a bypass to the path connecting the internal domain name server with the external domain name server, the SSL gateway intercepting DNS packets sent by the internal domain name server to the external domain name server comprises: after the forwarding device on that path receives a DNS packet sent by the internal domain name server to the external domain name server, redirecting the DNS packet to the SSL gateway.

Setting the IP address of the SSL gateway as the IP address corresponding to the server's domain name comprises: when an internal domain name server exists in the network protected by the SSL gateway, a domain name server proxy located on the mandatory path between the internal domain name server and the external domain name server intercepting DNS packets sent by the internal domain name server to the external domain name server, changing the mapping carried in them between the server's domain name and the server's IP address into a mapping between the server's domain name and the IP address of the SSL gateway, and sending the modified DNS packets to the external domain name server.

All URL links on the server use https as the prefix.

When the URL in the web request from the client to access the server has http as its prefix, the method further comprises:

after receiving the web request whose URL is prefixed with http, the SSL gateway sending an HTTP redirect packet to the client, directing the client to issue the web request with https as the URL prefix.

The present invention also provides an SSL gateway. The virtual IP address of the SSL gateway is identical to the IP address of the server in the network protected by the SSL gateway, or the IP address of the SSL gateway corresponds to the domain name of the server, and the SSL gateway comprises:

an HTTP packet forward processing unit, for receiving the web request from an external client to access the server and processing the received web request according to the gateway's own configured rules, without replacing the URL in the web request;

an HTTP packet reverse processing unit, for receiving URL information that the server sends to the client and forwarding that original URL information directly to the client, without URL replacement.

The SSL gateway further comprises a DNS packet modification unit, for intercepting, when an internal domain name server exists in the network protected by the SSL gateway, DNS packets sent by the internal domain name server to the external domain name server, changing the IP address carried in them that corresponds to the server's domain name into the IP address of the SSL gateway, and sending the modified DNS packets to the external domain name server.

Thus, by configuring on the SSL gateway a virtual IP address identical to the server's IP address, or by setting the IP address that corresponds to the server's domain name to the IP address of the SSL gateway, the present invention lets the SSL gateway intercept web requests from WAN users to access the server without having to replace original URLs with gateway URLs or gateway URLs with original URLs. This avoids the increased processing load on the SSL gateway caused by large numbers of URL replacement operations and improves the processing efficiency of the SSL gateway.

Brief description of the drawings

Figure 1 is a typical SSL gateway network of the prior art.
Figure 2 is a schematic of the application of an SSL gateway in the prior art.
Figure 3 is a schematic of the SSL gateway network in an embodiment of the present invention.
Figure 4 is a schematic of the SSL gateway network in bypass mode in an embodiment of the present invention.
Figure 5 is a schematic of a network in an embodiment of the present invention in which a DNS server exists inside the network guarded by the SSL gateway.

Detailed description

To make the objects, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.

As the background section shows, in the prior art the SSL gateway not only has to replace the original URLs the server provides to the client with gateway URLs, it also has to replace the gateway URLs sent by the client with original URLs. This replacement between original URLs and gateway URLs consumes a large amount of the SSL gateway's processing resources and lowers its processing efficiency.

To overcome this problem, the present invention provides two different solutions.

1. Configure a virtual IP address on the SSL gateway equal to the server's IP address, so that web requests from external clients to access the server, whether the URL uses the server's IP address or the server's domain name, are all routed to the SSL gateway for processing. For example, in Figure 3 the server's domain name is www.myspace.com and its IP address is 202.31.99.6; the SSL gateway's domain name is svpn.myspace.com and its IP address is 202.31.75.2. Here a virtual IP address 202.31.99.6 can be configured on the SSL gateway.

If the SSL gateway is connected in series on the only path between the internal network and the external network, then it is obviously guaranteed that all packets from the external network side are first intercepted by the SSL gateway. In Figure 3, a web request from the client such as http://202.31.99.6/ is necessarily handled by the SSL gateway.

If the SSL gateway is not in series on the only path between the internal and external networks but is merely attached as a bypass to that path, as shown in Figure 4, then the forwarding devices on the critical path, such as routers or switches, must be configured with policy routing that redirects packets from the external network destined for the server to the SSL gateway instead of sending them directly to the server. In this way, the client's traffic to the server is likewise intercepted first by the SSL gateway. Here the forwarding devices on the critical path are the forwarding devices that traffic between the internal and external networks must pass through.

2. Modify the mapping between domain name and IP address on the domain name server (DNS) so that, as far as the outside network is concerned, the IP address corresponding to the server's domain name is the IP address of the SSL gateway rather than the real server address. In this way, web requests from the client that use the server's domain name as the URL are sent to the SSL gateway for processing.

For example, in Figure 3 the IP address corresponding to www.myspace.com is changed to 202.31.75.2 instead of the real server address 202.31.99.6, so that packets the client sends to www.myspace.com are delivered to the SSL gateway. This can be achieved by registering the IP address of the SSL gateway, rather than the server's IP address, when applying to the DNS for the IP address corresponding to the server's domain name; in other words, the IP address of the SSL gateway is registered as the IP address corresponding to the server's domain name.

In addition, when there is a DNS server inside the network guarded by the SSL gateway, this DNS spoofing of the outside world can also be achieved by intercepting the DNS packets that traverse the SSL gateway and modifying the IP address they carry for the server's domain name. For example, as shown in Figure 5, there is an external domain name server (Foreign Name Server) in the external network and an internal domain name server (Name Server) inside the network guarded by the SSL gateway, and the SSL gateway is connected in series on the only path between the internal Name Server and the Foreign Name Server. The IP address stored on the Name Server for the server's domain name www.myspace.com is the server's IP address 202.31.99.6. In Figure 5, the SSL gateway intercepts DNS packets sent by the internal Name Server to the external Foreign Name Server, such as maintenance query packets, modifies the mapping between domain name and IP address carried in them so that the IP address corresponding to the server's domain name www.myspace.com becomes the IP address of the SSL gateway, and then sends the modified DNS packet to the Foreign Name Server. As a result, the domain name to IP address mapping recorded on the external Foreign Name Server is the one modified by the SSL gateway, and all external access points to the SSL gateway.

If the SSL gateway is not in series on the only path between the internal and external domain name servers but is merely attached as a bypass to that path, then policy routing must be configured on the forwarding devices on the critical path, such as routers or switches, so that the forwarding device redirects DNS packets sent by the Name Server to the Foreign Name Server to the SSL gateway. After the SSL gateway receives them, it changes the IP address corresponding to the server's domain name to the IP address of the SSL gateway and then sends the modified DNS packet to the Foreign Name Server.

The function of modifying the domain name to IP address mapping described above can also be implemented by a separate domain name server proxy (DNS Proxy) located on the mandatory path between the Name Server and the Foreign Name Server, rather than by the SSL gateway. That is, the DNS Proxy intercepts DNS packets sent by the Name Server to the Foreign Name Server, changes the IP address they carry for the server's domain name to the IP address of the SSL gateway, and then sends the modified DNS packet to the Foreign Name Server.
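The DNS packet modification step shared by the SSL gateway (Figure 5) and the DNS Proxy variant just described, as an added example written for this page (not code from the patent or from H3C): it parses a raw DNS message, walks the answer section following RFC 1035 name compression, and overwrites only the A-record data of the operator's own protected server name with the gateway address, leaving every other record untouched. The names and addresses are those of the page's Figure 3; the sample reply is constructed inline, not captured traffic.

```python
# Added example: the "DNS packet modification unit" of the second solution,
# applied to a raw DNS response. Only IN A answers whose owner name equals the
# protected server's name are rewritten; RDATA of an A record is always 4
# bytes, so the rewrite keeps every offset and length in the message valid.
import socket
import struct

SERVER_NAME = "www.myspace.com"   # from the page's Figure 3
SERVER_IP = "202.31.99.6"
GATEWAY_IP = "202.31.75.2"

TYPE_A, CLASS_IN = 1, 1


def _read_name(pkt, off):
    """Decode the DNS name at `off`, following compression pointers.
    Returns (dotted name, offset just past the name field at `off`)."""
    labels, end = [], None
    for _ in range(128):                       # bound the walk against pointer loops
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:
                end = off + 2                  # the field itself ends here
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(bytes(pkt[off:off + length]).decode("ascii"))
        off += length
    else:
        raise ValueError("DNS name too long or compression pointer loop")
    return ".".join(labels), (off if end is None else end)


def _answers(pkt):
    """Yield (owner, rtype, rclass, rdata offset, rdlength) per answer RR."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                                   # fixed 12-byte header
    for _ in range(qdcount):                   # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                               # QTYPE + QCLASS
    for _ in range(ancount):
        owner, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield owner, rtype, rclass, off, rdlen
        off += rdlen


def rewrite_a_records(pkt, name, new_ip):
    """Copy of `pkt` in which every IN A answer for `name` carries `new_ip`."""
    buf = bytearray(pkt)
    for owner, rtype, rclass, rdoff, rdlen in _answers(pkt):
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4) and owner.lower() == name.lower():
            buf[rdoff:rdoff + 4] = socket.inet_aton(new_ip)
    return bytes(buf)


def a_answers(pkt, name):
    """IN A addresses answered for `name`, for checking a message."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for owner, t, c, o, l in _answers(pkt)
            if (t, c, l) == (TYPE_A, CLASS_IN, 4) and owner.lower() == name.lower()]


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_sample_response():
    """Constructed sample reply: question for the server name, one A answer
    whose owner is a compression pointer to the question name (offset 12),
    and a second, unrelated A record (hypothetical host) that must survive
    the rewrite untouched."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = _encode_name(SERVER_NAME) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rr1 = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(SERVER_IP)
    rr2 = (_encode_name("mail.myspace.com") + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
           + socket.inet_aton("202.31.99.7"))
    return header + question + rr1 + rr2
```

Because the rewrite is keyed on the configured server name, a DNS packet for any other name passes through byte-for-byte, which is the property an operator should verify when deploying the unit on the mandatory path.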

Thus, whether the first or the second approach is used, web requests to access the server are routed to the SSL gateway for processing.

In the technical solution provided by the present invention, after the SSL gateway receives a web request from an external client to access the server, it does not need to convert the URL in the web request; it can process the client's web request directly according to its own configured rules, for example deciding on the basis of the user's privileges whether to reject or forward the client's web request. For the web page that the server provides to the client, the SSL gateway likewise does not need to find and convert every URL in the page; it simply forwards the original URL information provided by the server to the client. The specific process by which the SSL gateway processes the client's web request according to its configured rules is the same as in the prior art and is not repeated here.

In addition, to keep data transmission secure, it is generally required that all access is encrypted, i.e. the prefix should be https rather than http. This can be handled in two ways:

1. Require that all URL links on the server use https as the prefix rather than http. Then SSL encryption is used not only between the client and the SSL gateway but also between the SSL gateway and the server. Since not all servers support SSL encryption, however, this approach is rarely used, and the second approach is usually adopted.

2. Enable an http service on the SSL gateway as well. After the SSL gateway receives a web request from the client to access the server whose URL is prefixed with http, it sends an HTTP redirect packet to the client, directing the client to issue the web request with https as the URL prefix. For example, in Figure 3, after the SSL gateway receives a web request from the client with the URL http://www.myspace.com/, it has to send an HTTP redirect packet to the client; after receiving the redirect packet, the client issues a web request with https as the prefix, i.e. with the URL https://www.myspace.com/, and the request is then transmitted over the encrypted channel.

The present invention also provides an SSL gateway. The virtual IP address of the SSL gateway is identical to the IP address of the server in the network protected by the SSL gateway, or the IP address of the SSL gateway corresponds to the domain name of the server, and the SSL gateway further comprises an HTTP packet forward processing unit and an HTTP packet reverse processing unit, where:

the HTTP packet forward processing unit is for receiving the web request from an external client to access the server and processing the received web request according to the gateway's own configured rules, without replacing the URL in the web request;

the HTTP packet reverse processing unit is for receiving URL information that the server sends to the client and forwarding that original URL information directly to the client, without URL replacement.

The SSL gateway may further comprise a DNS packet modification unit, for intercepting, when an internal domain name server exists in the network protected by the SSL gateway, DNS packets sent by the internal domain name server to the external domain name server, changing the IP address carried in them that corresponds to the server's domain name into the IP address of the SSL gateway, and sending the modified DNS packets to the external domain name server. In summary, with the technical solution provided by the present invention the SSL gateway does not need to replace original URLs with gateway URLs or gateway URLs with original URLs, which reduces the processing load on the SSL gateway and improves its processing efficiency.

The above further describes the objects, technical solution and beneficial effects of the present invention in detail. It should be understood that the above is not intended to limit the present invention; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A method for improving the processing efficiency of an SSL gateway, characterised by comprising: configuring a virtual IP address on the SSL gateway, the virtual IP address being identical to the IP address of the server in the network protected by the SSL gateway, or setting the IP address of the SSL gateway as the IP address corresponding to the domain name of the server; routing a web request from a client to access the server, whether the URL uses the server's IP address or the server's domain name, to the SSL gateway, and, after the SSL gateway receives the web request, not replacing the URL in the web request but processing the received web request directly according to the gateway's own configured rules; and, for URL information that the server sends to the client, the SSL gateway likewise performing no URL replacement and sending the original URL information directly to the client.
2. The method according to claim 1, characterised in that, when the SSL gateway is attached as a bypass to the path connecting the network it protects with the external network, routing the web request from the client to the SSL gateway comprises: after the forwarding device on that path receives the web request from the client to access the server, redirecting the web request to the SSL gateway.
3. The method according to claim 1, characterised in that setting the IP address of the SSL gateway as the IP address corresponding to the server's domain name comprises: when registering the IP address corresponding to the server's domain name with the domain name server, registering the IP address of the SSL gateway directly as the IP address corresponding to the server's domain name.
4、 根据权利要求1所述的方法,其特征在于,所述将SSL网关的IP地址设置为与所述server域名对应的IP地址包括:当SSL网关所保护网络内存在内网域名服务器时,SSL网关截取内网域名服务器向外网域名服务器发出的DNS报文,将其中携带的server域名与server IP地址的对应关系修改为server域名与SSL网关IP地址的对应关系,并将修改后的DNS报文发送给外网域名服务器。 4. The method according to claim 1, wherein the IP address of the SSL gateway server provided to the IP address corresponding to the domain name comprises: when the domain name of the gateway server network memory including SSL protected, DNS DNS packet domain name server domain name server emitted outwardly within the SSL gateway taken, in which the correspondence relationship carried in the server domain name server IP address to a correspondence relationship modified SSL server domain names and IP addresses of the gateway, and the modified packet to the outside of your domain name server.
5、 根据权利要求4所述的方法,其特征在于,当SSL网关旁路在内网域名服务器与外网域名服务器连接的路径上时,所述SSL网关截取内网域名服务器向外网域名服务器发出的DNS报文包括:所述路径上的转发设备收到内网域名服务器发往外网域名服务器的DNS报文后,将该DNS报文重定向给SSL网关。 5. The method according to claim 4, wherein, when the bypass path including the domain name of the SSL gateway server outside the domain name of the server connection, said domain name server SSL gateway taken out domain name server DNS packets sent comprises: forwarding device on the path receives the domain name server sends out the domain name server DNS packet, the DNS packet redirection to the SSL gateway.
6、 根据权利要求1所述的方法,其特征在于,所述将SSL网关的IP地址设置为与所述server域名对应的IP地址包括:当SSL网关所保护网络内存在内网域名服务器时,内网域名服务器与外网域名服务器相连的必经路径上的域名服务器代理截取内网域名服务器向外网域名服务器发出的DNS报文,将其中携带的server域名与server IP地址的对应关系修改为server域名与SSL网关IP地址的对应关系,并将修改后的DNS报文发送给外网域名服务器。 6. The method of claim 1, wherein the IP address of the SSL gateway to the IP address corresponding to the domain name server comprising: a network server when the domain name included in the SSL gateway protected memory, the proxy server intercepting the domain name of the server domain must pass through the path on the server domain name domain name of the server connected to the outer outwardly domain name DNS packet sent by the server, wherein the modified correspondence relationship carried in the server IP address and the domain name server is correspondence between domain names and SSL server gateway IP address and DNS packet to the server outside the domain name after modification.
7、 根据权利要求1至6任一项所述的方法,其特征在于,所述server上的所有URL连接都使用https作为前缀。 7. The method according to any one of claims 1 to 6, characterized in that all the connections on the server URL use https prefix.
8、 根据权利要求1至6任一项所述的方法,其特征在于,当所述client发起的访问server的web请求中的URL以http为前缀时,该方法进一步包括:SSL网关在收到所述以http作为URL前缀的web请求后,向所述cilent发送http重定向报文,引导该client以https作为URL的前缀发起web请求。 8. A method according to any one of claims 1 to 6, wherein, when the web server access request initiated by the client to the URL http prefix, the method further comprising: SSL gateway receives after the web at URL http as prefix request, it transmits the packet to redirect http cilent, https directing the client to initiate a web request URL prefix.
9、 一种SSL网关,其特征在于,该SSL网关的虚拟IP地址与SSL网关所保护网络中的server IP地址相同,或者,该SSL网关的IP地址与所述server 的域名相对应,并且,该SSL网关包括:HTTP报文正向处理单元,用于接收外网client发起的访问所述server的web请求,并根据自身配置的规则对收到的web请求进行处理,不对该web请求中的URL进行替换;HTTP报文反向处理单元,用于接收server发送给所迷client的URL信息, 并直接将该原始URL信息转发给所述client,不进行URL替换。 9. A SSL gateway, wherein the same virtual IP address of the gateway and SSL SSL protected network gateway server IP address, or, the IP address of the SSL gateway server domain name corresponds to, and, the SSL gateway comprising: HTTP packet forward processing unit for receiving external network server accessing the client sends a web request, and according to the rules of the configuration of their own web processes the received request is not the request of the web Alternatively the URL; reverse the HTTP packet processing unit for receiving client server transmits URL information to the fans, and the original URL and forwards the information to the client, not URL replacement.
10、 根据权利要求9所述的SSL网关,其特征在于,该SSL网关进一步包括:DNS报文修改单元,用于在所述SSL网关所保护网络内存在内网域名服务带的与所述server域名对应的IP地址修改为SSL网关的IP地址,并将修改后的DNS报文发送给外网域名服务器。 10, according to SSL gateway according to claim 9, characterized in that the SSL gateway further comprising: DNS packet modifying unit, SSL gateway for the protected network, including the Internet domain name service with the memory and the server the corresponding IP address changes to the IP address of the SSL gateway, and DNS packet transmitted to the external domain name server is modified.
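Claims 4, 6 and 10 rely on rewriting the A record for the server's name in DNS traffic leaving the intranet resolver, so that external clients resolve the name to the SSL gateway and no URL rewriting is needed later. The Python below is an added illustration, not code from the patent or its assignee: it walks the answer section of a DNS response and swaps the server address for the gateway address, leaving every other record intact. The function names, the packet builder and the sample addresses are constructed for this example.

```python
import socket
import struct

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def _answers(pkt: bytes):
    """Yield (rtype, rdata_offset, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                                   # fixed-size DNS header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4         # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def a_records(pkt: bytes) -> list:
    """Dotted-quad addresses of all A records in the answer section."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for t, o, n in _answers(pkt) if t == 1 and n == 4]

def rewrite_a_records(pkt: bytes, server_ip: str, gateway_ip: str) -> bytes:
    """The DNS packet modifying unit of claim 10: every A answer carrying server_ip
    is changed in place to gateway_ip; header, question and other records are untouched."""
    old, new = socket.inet_aton(server_ip), socket.inet_aton(gateway_ip)
    out = bytearray(pkt)
    for rtype, off, rdlen in _answers(pkt):
        if rtype == 1 and rdlen == 4 and pkt[off:off + rdlen] == old:
            out[off:off + 4] = new
    return bytes(out)

def build_response(name: str, ips) -> bytes:
    """Constructed sample: a minimal DNS response with one question and one A answer per ip."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers

if __name__ == "__main__":
    sample = build_response("www.example.com", ["10.0.0.5", "10.0.0.9"])   # constructed
    print(a_records(rewrite_a_records(sample, "10.0.0.5", "203.0.113.10")))
```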

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710121688 CN100571188C (en) 2007-09-12 2007-09-12 Method for improving treatment efficiency of SSL gateway and SSL gateway

Publications (2)

Publication Number Publication Date
CN101119274A true CN101119274A (en) 2008-02-06
CN100571188C true CN100571188C (en) 2009-12-16

Family

ID=39055219

Country Status (1)

Country Link
CN (1) CN100571188C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103168450B (en) * 2011-10-14 2015-11-25 华为技术有限公司 Virtual private network access methods, apparatus and the gateway device
CN103167006B (en) * 2011-12-19 2016-08-03 中国电信股份有限公司 Virtual machine provides a Web service method, system and virtual machine monitor
CN102638346B (en) * 2012-05-12 2014-09-10 杭州迪普科技有限公司 Method and device for authorizing subscriber digital certificate
CN102932359B (en) * 2012-11-08 2015-07-29 华为软件技术有限公司 Streaming media service request method, apparatus and system for
CN103220289A (en) * 2013-04-15 2013-07-24 北京京东尚科信息技术有限公司 Resource verification system and resource verification method based on web application
CN106063232A (en) * 2013-12-10 2016-10-26 华为技术有限公司 Method and apparatus for optimizing web access
CN103685284A (en) * 2013-12-18 2014-03-26 上海普华诚信软件技术有限公司 Data interception and conversion method and system
CN103701928B (en) * 2014-01-02 2017-03-01 山东大学 Applied to the load balancer servers and improve operational efficiency ssl gateway method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081900A (en) 1999-03-16 2000-06-27 Novell, Inc. Secure intranet access
CN1422468A (en) 2000-02-07 2003-06-04 内特里公司 Method for high-performance delivery of web content

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546594A (en) * 2011-12-07 2012-07-04 北京星网锐捷网络技术有限公司 Network resource access control method, device and related equipment
CN102546594B (en) 2011-12-07 2014-07-02 北京星网锐捷网络技术有限公司 Network resource access control method, device and related equipment

Also Published As

Publication number Publication date Type
CN101119274A (en) 2008-02-06 application

Similar Documents

Publication Publication Date Title
Laganier et al. Host identity protocol (HIP) rendezvous extension
US6003084A (en) Secure network proxy for connecting entities
US7114008B2 (en) Edge adapter architecture apparatus and method
US20020069356A1 (en) Integrated security gateway apparatus
US20070174454A1 (en) Method and apparatus for accessing Web services and URL resources for both primary and shared users over a reverse tunnel mechanism
US20040128538A1 (en) Method and apparatus for resource locator identifier rewrite
US20080034410A1 (en) Systems and Methods for Policy Based Triggering of Client-Authentication at Directory Level Granularity
US20060182103A1 (en) System and method for routing network messages
US20130103834A1 (en) Multi-Tenant NATting for Segregating Traffic Through a Cloud Service
US7032031B2 (en) Edge adapter apparatus and method
US20030177384A1 (en) Efficient transmission of IP data using multichannel SOCKS server proxy
US20070214505A1 (en) Methods, media and systems for responding to a denial of service attack
US20100186079A1 (en) Remote access to private network resources from outside the network
US6742039B1 (en) System and method for connecting to a device on a protected network
US7333990B1 (en) Dynamic reverse proxy
US7657940B2 (en) System for SSL re-encryption after load balance
US20100125903A1 (en) Traffic redirection in cloud based security services
US6598083B1 (en) System and method for communicating over a non-continuous connection with a device on a network
US8019868B2 (en) Method and systems for routing packets from an endpoint to a gateway
US20100071048A1 (en) Service binding
US6751677B1 (en) Method and apparatus for allowing a secure and transparent communication between a user device and servers of a data access network system via a firewall and a gateway
US20020161904A1 (en) External access to protected device on private network
US20100082979A1 (en) Method for the provision of a network service
US20020169953A1 (en) Content provider secure and tracable portal
US6950936B2 (en) Secure intranet access

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
CP03