CN102811225B - A kind of SSL middle-agent accesses method and the switch of WEB resource - Google Patents

Info

Publication number
CN102811225B
Application number
CN201210301728.9A
Authority
CN (China)
Other languages
Chinese (zh)
Other versions
CN102811225A (en)
Legal status
Active
Inventor
张少太
Current and original assignee
Digital China Networks Beijing Co Ltd
Prior art keywords
ssl, web server, switch, ssl server, proxy

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method and a switch for accessing WEB resources through an SSL intermediate proxy. In the method, a WEB server and an SSL server are set on the switch; by means of the SSL intermediate proxy, an SSL connection is established directly between the client and the WEB server and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data. In addition, the technical scheme supports both SSL secure connections and TCP connections for accessing WEB resources without any change to the original WEB server, improving the flexibility of access.

Description

A kind of SSL middle-agent accesses method and the switch of WEB resource
Technical field
The present invention relates to the field of computer network communication, and in particular to a method and a switch for accessing WEB resources through an SSL intermediate proxy.
Background technology
SSL (Secure Sockets Layer, abbreviated SSL) is a security protocol provided on the basis of the Internet to guarantee the privacy of data transferred over the network. It prevents communication between client and server applications from being eavesdropped on by attackers, always verifies the authenticity of the server, and can optionally verify the true identity of the client as well.
The SSL protocol must be built on a reliable transport-layer protocol (such as TCP). The advantage of SSL is that it is independent of the application-layer protocol: high-level application protocols (such as HTTP, FTP and TELNET) can be built transparently on top of SSL. Before the application-layer protocol starts communicating, SSL has already completed the negotiation of the encryption algorithm and the communication key and the authentication of the server. All data transmitted by the application-layer protocol thereafter is encrypted, which guarantees the privacy of the communication.
Most switches in today's networks support access and management through the WEB. When the WEB server function runs on the switch, the client user uses HTTP through a browser to establish a TCP connection with the switch and then reads and configures switch data. This access mode is based on an ordinary TCP connection and the data is transmitted in plaintext, so there is a security risk: if a malicious user steals data during transmission, important data is easily obtained and an attack can follow.
The role of the SSL intermediate proxy is to provide a high-strength secure channel for communication between computers. The SSL intermediate proxy can be an independent piece of software that coexists with the client and the server on one computer; if installed independently on a computer, it can become an SSL server. The SSL intermediate proxy is the agent of the WEB server and also the agent of the client.
In the security mechanism of the SSL intermediate proxy in web services, the server and the client user need to mutually confirm their authenticity to each other. The SSL intermediate proxy verifies the other party's identity by checking its digital certificate, and the client, the SSL intermediate proxy and the server each need to apply to a certificate authority for a digital certificate. When issuing a digital certificate, the certificate authority also issues a corresponding password used to verify the digital certificate; this password is the private key corresponding to the digital certificate.
In order to improve the security of accessing a switch through the WEB, a method, system and device by which an SSL intermediate proxy accesses WEB resources are needed.
Summary of the invention
In order to overcome the defects and deficiencies of the prior art, the present invention proposes a method, system and device for accessing WEB resources through an SSL intermediate proxy: an SSL connection is established directly between the client and the switch by means of the SSL intermediate proxy, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data.
The present invention discloses a method for accessing WEB resources through an SSL intermediate proxy, the method comprising:
S1: the switch monitors the login request message of the user client, a WEB server and an SSL server being preset on the switch;
S2: judge the login request mode of the user client; for the HTTPS secure login mode, perform step S3; for the HTTP login mode, perform step S4;
S3: the user client establishes an SSL connection with the preset WEB server and transmits data;
S4: the user client establishes a TCP connection with the preset WEB server and transmits data.
Correspondingly, the invention also discloses a switch for accessing WEB resources through an SSL intermediate proxy. A WEB server and an SSL server are preset on the switch, and data transmission between the user client and the WEB server is realised in the intermediate proxy mode. The switch comprises a message monitoring module, a login mode judgment module, an SSL connection execution module and a TCP connection execution module, wherein:
the message monitoring module is used to monitor the login request message of the user client;
the login mode judgment module is used to judge the type of login mode of the user client: for the HTTPS secure login mode, data is transmitted through the SSL connection execution module; for the HTTP login mode, data is transmitted through the TCP connection execution module;
the SSL connection execution module is used to have the user client establish an SSL connection with the preconfigured WEB server and transmit data;
the TCP connection execution module is used to have the user client establish a TCP connection with the preconfigured WEB server and transmit data.
In the technical scheme of the present invention, a WEB server and an SSL server are preset on the switch; by means of the SSL intermediate proxy, an SSL connection is established directly between the client and the switch, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data. In addition, the technical scheme of the present invention supports both SSL secure connections and TCP connections for accessing WEB resources without any change to the original WEB server, improving the flexibility of access.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources;
Fig. 2 is the detailed flow chart of the method by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources;
Fig. 3 is the schematic diagram of the system by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources;
Fig. 4 is the structural block diagram of the switch by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources.
Detailed description of the invention
In order to describe the technical content, purpose and effect of the present invention in detail, it is described below with reference to embodiments and the accompanying drawings.
Fig. 1 is the flow chart of the method by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources. As shown in Fig. 1, the method comprises the following steps:
S1: the switch monitors the login request message of the user client, a WEB server and an SSL server being preset on the switch;
The switch monitors the login request message of the user client on preconfigured ports: the WEB server listens on port number 80 and the SSL server listens on port 443 by default.
The SSL server listening port can also be configured manually; the manually configured listening port must be in the range 1025~65535.
S2: judge the login request mode of the user client; for the HTTPS secure login mode, perform step S3; for the HTTP login mode, perform step S4;
HTTP (Hypertext Transfer Protocol) is a communication protocol that runs on top of TCP within the TCP/IP protocol suite. Both client and server must support HTTP in order to send and receive HTML documents on the World Wide Web (WWW) and interact.
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel that has security as its goal (the secure version of HTTP), i.e. an SSL layer is added beneath HTTP. The security basis of HTTPS is SSL, and the encryption is performed by SSL.
S3: the user client establishes an SSL connection with the preset WEB server and transmits data;
Specifically, the user client uses the key and certificate obtained in advance to encrypt and sign the login request message and then connects to the preset SSL server; after the connection succeeds, the SSL server connects to the WEB server and transmits data.
The SSL server uses the fixed IP (127.0.0.1) and fixed port (80) to connect to the WEB server through a TCP connection internal to the switch and transmit data.
S4: the user client establishes a TCP connection with the preset WEB server and transmits data.
The switch establishes the TCP connection with the WEB server through a fixed port; the port number of the WEB server is 80.
Fig. 2 is the detailed flow chart of the method by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources. As shown in Fig. 2, the concrete steps are:
Step S201: set the SSL server and the WEB server on the switch, configure the encryption algorithm and certificate used by the SSL connection, and have the switch monitor the login request message of the user client;
Step S202: judge whether the login mode of the user client is the HTTPS login mode; if so, perform step S203, otherwise perform step S209;
Step S203: the user client performs the SSL handshake and connects with the SSL server, and the key is verified;
Step S204: judge whether the SSL secure connection succeeded; if so, perform step S205, otherwise perform step S210;
Step S205: the SSL server connects to the WEB server;
Step S206: the WEB server judges whether the connection is the switch-internal SSL connection; if so, perform step S207, otherwise perform step S211;
Step S207: the WEB server establishes the connection with the SSL server and then transmits data;
Step S208: the SSL server sends the data back to the user client;
Step S209: the user client establishes a TCP connection with the preset WEB server and transmits data;
Step S210: refuse the connection;
Step S211: perform the handling process of an ordinary HTTP connection.
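The following is an added example, not code from the patent or from Digital China Networks: a minimal TLS-terminating management proxy in Python's asyncio that follows the dispatch of steps S1 to S4 and the detailed flow of steps S201 to S211. Only the values the description gives are taken from it (listening ports 80 and 443, the manual range 1025~65535, the fixed internal address 127.0.0.1:80); the certificate file names, the relay helper and the loopback-address check used for step S206 are assumptions made here.

```python
# Added example (not the patent's code): TLS-terminating management proxy
# modelled on steps S1-S4 / S201-S211 of the description.
import asyncio
import ssl

WEB_SERVER_ADDR = ("127.0.0.1", 80)     # fixed internal IP/port named in the description
HTTP_PORT = 80                          # WEB server listening port
DEFAULT_SSL_PORT = 443                  # SSL server default listening port
MANUAL_PORT_RANGE = range(1025, 65536)  # manual SSL port range 1025~65535


def ssl_listen_port_is_valid(port: int) -> bool:
    """The SSL server listens on 443 by default; a manually configured port
    must fall within 1025~65535, the range the description permits."""
    return port == DEFAULT_SSL_PORT or port in MANUAL_PORT_RANGE


def classify_login(listen_port: int, ssl_port: int) -> str:
    """Step S2: the port a login request arrived on decides the path.
    'https' -> step S3 (terminate TLS, then internal TCP to the WEB server);
    'http'  -> step S4 (plain TCP straight to the WEB server)."""
    if listen_port == ssl_port:
        return "https"
    if listen_port == HTTP_PORT:
        return "http"
    return "unknown"


def is_internal_ssl_connection(peer: tuple) -> bool:
    """Step S206, assumed implementation: the WEB server treats a connection
    as the switch-internal SSL connection only when it arrives from the SSL
    server's fixed loopback address."""
    return peer[0] == WEB_SERVER_ADDR[0]


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Certificate and key configured for the SSL server (step S201)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: refuse legacy protocol versions
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


async def _relay(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the receiving side."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_tls_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Steps S203-S208: asyncio has already completed the TLS handshake when
    this runs; open the internal TCP connection to the WEB server (S205) and
    relay decrypted bytes both ways (S207/S208)."""
    try:
        up_reader, up_writer = await asyncio.open_connection(*WEB_SERVER_ADDR)
    except OSError:
        writer.close()   # assumption: refuse the connection when the WEB server is unreachable
        return
    await asyncio.gather(_relay(reader, up_writer), _relay(up_reader, writer))


async def serve(ssl_port: int = DEFAULT_SSL_PORT,
                certfile: str = "switch.crt", keyfile: str = "switch.key") -> None:
    """Step S1: listen on the configured SSL port with TLS in front of it."""
    if not ssl_listen_port_is_valid(ssl_port):
        raise ValueError(f"SSL listen port {ssl_port} must be 443 or within 1025~65535")
    server = await asyncio.start_server(
        handle_tls_client, "0.0.0.0", ssl_port, ssl=make_server_context(certfile, keyfile))
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

The plain HTTP path (step S4 / S209) needs no code here: the WEB server already listens on port 80, so the proxy only adds the TLS listener and the loopback hop. Because the WEB server cannot tell a decrypted session from a direct cleartext one by content alone, `is_internal_ssl_connection` is the one place where the two paths are distinguished, which is why the description ties the internal hop to a fixed address.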
Fig. 3 is the schematic diagram of the system by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources. As shown in Fig. 3, the system comprises a user client and a switch; the user client is connected to the switch, and a WEB server and an SSL server are preset on the switch;
the user client is used to generate the login request message;
the switch is used to monitor the login request message of the user client and to judge the login request mode of the user client from that message: for the HTTPS secure login mode, the user client establishes an SSL connection with the preconfigured WEB server and transmits data; for the HTTP login mode, the user client establishes a TCP connection with the preconfigured WEB server and transmits data.
The switch monitors the login request message of the client and the response message returned by the server on the preconfigured ports; the WEB server listens on port number 80 and the SSL server listens on port 443 by default.
The SSL server listening port can also be configured manually; the manually configured listening port must be in the range 1025~65535.
In this embodiment, three users (user A, user B and user C) are connected under Ethernet port 1/1 of an Ethernet access switch, and the switch runs the WEB server function and the SSL proxy server function at the same time. User A accesses the switch over an SSL connection in HTTPS mode to manage the switch and access its WEB resources. Meanwhile, user B accesses the WEB resources of the switch over an ordinary TCP connection in HTTP mode.
User C is also connected to the switch. If user C uses malicious software to intercept the data messages exchanged between the switch and users A and B, then, because user B uses a TCP connection in HTTP mode, all of user B's data content is transmitted in plaintext and information such as the user name and password used by user B can all be obtained by user C. User A, however, uses an SSL connection in HTTPS mode, so all transmitted data is encrypted; the more complex the encryption algorithm used, the harder the data is to break and the higher the security. Even if user C obtains the data messages they are difficult to break, so no further attack is possible and the user's network security is effectively protected. The switch supports the SSL connection access of user A and the HTTP connection access of user B at the same time; the flexible WEB access modes give users more choice and make network management more convenient.
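The contrast between user A and user B above can be checked from a defender's side with an audit of captured management sessions. This is an added example, not part of the patent: it classifies each session as cleartext HTTP or TLS from its first bytes and, for cleartext sessions, reports which credential-bearing fields crossed the wire (names only, never values), so an administrator can find who still logs in over HTTP. The two captures and the list of field names are constructed assumptions.

```python
# Added example (not the patent's code): audit of captured management
# sessions for the user A / user B / user C scenario.  Captures below are
# constructed, not real traffic.
from __future__ import annotations

import re
from urllib.parse import parse_qs

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")
TLS_HANDSHAKE_RECORD = 0x16                      # TLS record content type for handshake
CREDENTIAL_FIELDS = {"username", "user", "password", "passwd", "pwd"}   # assumed field names

# Constructed capture: user B logging in to the switch over plain HTTP.
CAPTURE_USER_B = (
    b"POST /login.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=admin&password=s3cret"
)
# Constructed capture: first bytes of user A's session, a TLS record of type
# 0x16 (handshake, record version 3.1); everything after the header is opaque
# to an observer and carries no readable fields.
CAPTURE_USER_A = bytes([0x16, 0x03, 0x01, 0x00, 0x08]) + b"\x01\x00\x00\x04\x03\x03\x00\x00"


def classify_session(first_bytes: bytes) -> str:
    """Cleartext HTTP starts with an ASCII method token; TLS starts with a
    record header whose first byte is the content type (0x16 = handshake)."""
    if first_bytes[:1] == bytes([TLS_HANDSHAKE_RECORD]):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def exposed_credential_fields(request: bytes) -> list[str]:
    """For a cleartext HTTP request, list the credential-bearing fields an
    observer on the same segment (user C) could read.  Only field names are
    returned; the values themselves are never extracted or stored."""
    head, _, body = request.partition(b"\r\n\r\n")
    found = set()
    if re.search(rb"^authorization:", head, re.I | re.M):
        found.add("authorization")
    for name in parse_qs(body.decode("latin-1")):
        if name.lower() in CREDENTIAL_FIELDS:
            found.add(name.lower())
    return sorted(found)


def audit(captures: dict[str, bytes]) -> dict[str, dict]:
    """Per user: how the session was carried and which credential fields
    crossed in the clear.  TLS sessions expose nothing at this layer."""
    report = {}
    for user, data in captures.items():
        kind = classify_session(data)
        fields = exposed_credential_fields(data) if kind == "http" else []
        report[user] = {"transport": kind, "cleartext_credentials": fields}
    return report


if __name__ == "__main__":
    for user, finding in audit({"A": CAPTURE_USER_A, "B": CAPTURE_USER_B}).items():
        print(user, finding)
```

The audit deliberately stops at field names: the point for an operator is which sessions to move to the HTTPS port, not what the credentials were. On a switch that offers both ports, as the description proposes, the same check applied to the port 80 listener is a simple way to measure how much cleartext management traffic remains.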
Fig. 4 is the structural block diagram of the switch by which the SSL intermediate proxy of the embodiment of the present invention accesses WEB resources. As shown in Fig. 4, a WEB server and an SSL server are preset on the switch, and data transmission between the user client and the WEB server is realised in the intermediate proxy mode. The switch comprises a message monitoring module, a login mode judgment module, an SSL connection execution module and a TCP connection execution module, wherein:
the message monitoring module is used to monitor the login request message of the user client;
the login mode judgment module is used to judge the type of login mode of the user client: for the HTTPS secure login mode, data is transmitted through the SSL connection execution module; for the HTTP login mode, data is transmitted through the TCP connection execution module;
the SSL connection execution module is used to have the user client establish an SSL connection with the preconfigured WEB server and transmit data;
the TCP connection execution module is used to have the user client establish a TCP connection with the preconfigured WEB server and transmit data.
The switch monitors the login request message of the user client on the preconfigured ports; the WEB server listens on port number 80 and the SSL server listens on port 443 by default.
The SSL server listening port can also be configured manually; the manually configured listening port must be in the range 1025~65535.
In the technical scheme of the present invention, a WEB server and an SSL server are preset on the switch; by means of the SSL intermediate proxy, an SSL connection is established directly between the client and the switch, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data. In addition, the technical scheme of the present invention supports both SSL secure connections and TCP connections for accessing WEB resources without any change to the original WEB server, improving the flexibility of access.
The above are only preferred embodiments of the present invention and the technical principles applied. Any change or substitution that a person skilled in the art can readily think of within the technical scope disclosed by the invention shall be covered by the protection scope of the present invention.

Claims (8)

1. A method for accessing WEB resources through an SSL intermediate proxy, characterised in that the method comprises:
S1: the switch monitors the login request message of the user client, a WEB server and an SSL server being preset on the switch;
S2: judge the login request mode of the user client; for the HTTPS secure login mode, perform step S3; for the HTTP login mode, perform step S4;
S3: the user client establishes an SSL connection with the preset WEB server and transmits data;
S4: the user client establishes a TCP connection with the preset WEB server and transmits data; wherein said S3, the user client establishing an SSL connection with the preset WEB server and transmitting data, comprises: the user client uses the key and certificate obtained in advance to encrypt and sign the login request message and then connects to the preset SSL server; after the connection succeeds, the SSL server connects to the WEB server and transmits data.
2. The method for accessing WEB resources through an SSL intermediate proxy according to claim 1, characterised in that said step S3 further comprises: the user client uses the key and certificate obtained in advance to encrypt and sign the login request message and then establishes an SSL connection with the preset SSL server; after the connection succeeds, the SSL server connects to the WEB server and transmits data.
3. The method for accessing WEB resources through an SSL intermediate proxy according to claim 2, characterised in that the SSL server uses a fixed IP and a fixed port to connect to the WEB server through a TCP connection internal to the switch and transmit data.
4. The method for accessing WEB resources through an SSL intermediate proxy according to claim 1, characterised in that in said step S1 the switch monitors the login request message of the client on preconfigured ports, wherein the WEB server listens on port number 80 and the SSL server listens on port 443 by default.
5. The method for accessing WEB resources through an SSL intermediate proxy according to claim 4, characterised in that the SSL server listening port also includes a manually configured port, the manually configured listening port being in the range 1025~65535.
6. A switch for accessing WEB resources through an SSL intermediate proxy, characterised in that a WEB server and an SSL server are preset on the switch, data transmission between the user client and the WEB server is realised in the intermediate proxy mode, and the switch comprises a message monitoring module, a login mode judgment module, an SSL connection execution module and a TCP connection execution module, wherein:
the message monitoring module is used to monitor the login request message of the user client;
the login mode judgment module is used to judge the type of login mode of the user client: for the HTTPS secure login mode, data is transmitted through the SSL connection execution module; for the HTTP login mode, data is transmitted through the TCP connection execution module;
the SSL connection execution module is used to have the user client establish an SSL connection with the preconfigured WEB server and transmit data;
the TCP connection execution module is used to have the user client establish a TCP connection with the preconfigured WEB server and transmit data;
wherein the SSL connection execution module is specifically configured to have the user client use the key and certificate obtained in advance to encrypt and sign the login request message and then connect to the preset SSL server; after the connection succeeds, the SSL server connects to the WEB server and transmits data.
7. The switch for accessing WEB resources through an SSL intermediate proxy according to claim 6, characterised in that the switch monitors the login request message of the user client on preconfigured ports, wherein the WEB server listens on port number 80 and the SSL server listens on port 443 by default.
8. The switch for accessing WEB resources through an SSL intermediate proxy according to claim 7, characterised in that the SSL server listening port also includes a manually configured port, the manually configured listening port being in the range 1025~65535.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210301728.9A CN102811225B (en) 2012-08-22 2012-08-22 A kind of SSL middle-agent accesses method and the switch of WEB resource

Publications (2)

Publication Number Publication Date
CN102811225A CN102811225A (en) 2012-12-05
CN102811225B true CN102811225B (en) 2016-08-17

Family

ID=47234800
