Embodiment
To further set forth the technical means by which the present invention achieves its intended goal, and the effects obtained, the specific embodiments, structure, features and effects of the present invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
Fig. 1 is a diagram of the application environment of the proxy communication method and device provided by the embodiments of the present invention. As shown in Figure 3, client 100, proxy server 200 and destination server 300 are located in a wired or wireless network, and through this wired or wireless network client 100 exchanges data with destination server 300 via proxy server 200.
Client 100 may be any device with network capability, such as a smartphone, tablet computer, e-book reader, MP3 player (Moving Picture Experts Group Audio Layer III), MP4 player (Moving Picture Experts Group Audio Layer IV), laptop computer, in-vehicle computer, wearable device, desktop computer, set-top box, smart television, all-in-one computer, etc.
Proxy server 200 is configured to establish a communication connection with client 100; to receive the secure connection request, containing a destination server identifier, sent by client 100, the secure connection request being used to request establishment of a secure connection with destination server 300; and to look up destination server 300 according to the destination server identifier, establish a communication connection with destination server 300, and send the secure connection request to destination server 300.
Destination server 300 may be a physical server that actually exists, or a virtual server integrated in some physical server.
Fig. 2 shows a structural block diagram of a server; this block diagram applies to proxy server 200 and equally to destination server 300. Understandably, the structure shown in Fig. 2 is only illustrative: server 200 may comprise more or fewer components than shown in Fig. 2, or have a configuration different from that shown in Fig. 2. Each component shown in Fig. 2 may be implemented in hardware, software or a combination of the two. In addition, the server in the embodiments of the present invention may also comprise multiple servers with different specific functions.
As shown in Fig. 2, server 200 may vary considerably in configuration or performance, and may comprise one or more central processing units (CPU) 222 (for example, one or more processors) and memory 232, and one or more storage media 230 (for example, one or more mass storage devices) storing application programs 242 or data 244. Memory 232 and storage medium 230 may be transient or persistent storage. The program stored in storage medium 230 may comprise one or more modules (not shown in the figure), each of which may comprise a series of instruction operations in the server. Further, central processing unit 222 may be configured to communicate with storage medium 230 and to execute, on server 200, the series of instruction operations in storage medium 230. Server 200 may also comprise one or more power supplies 226, one or more wired or wireless network interfaces 250, one or more input/output interfaces 258, and/or one or more operating systems 241, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
First embodiment
Refer to Fig. 3, which is a flow chart of the proxy communication method provided by the first embodiment of the invention. The present embodiment can be applied in the application environment shown in Fig. 1, and realizes data communication between client 100 and destination server 300 through proxy server 200 shown in Fig. 1. As shown in Fig. 3, the proxy communication method provided by the present embodiment comprises:
Step S101: establish a communication connection with the client;
In the present embodiment, proxy server 200 establishes a TCP connection with client 100.
Step S102: receive the secure connection request, containing a destination server identifier, sent by the client;
This secure connection request may be used to request establishment of a secure connection with the destination server, and contains the destination server identifier used to determine the destination server.
Further, this secure connection may be an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) secure connection, and the destination server identifier is the HTTP Host.
HTTPS is an HTTP channel whose aim is security (the secure version of HTTP), namely HTTP with SSL (Secure Sockets Layer) added underneath it; the security foundation of HTTPS is SSL, and the encryption is performed by SSL.
In the HTTP protocol, the requested domain name is placed in the HTTP header as the host header (Host), and the destination server can be found from the Host. A domain name (Domain Name) is the name of a computer or group of computers on the Internet, made up of a string of names separated by dots, and is used to identify the electronic location of the computer during data transmission. Therefore, from the HTTP Host information, proxy server 200 can find destination server 300.
Step S103: look up the destination server according to the destination server identifier, establish a communication connection with the destination server, and send the secure connection request to the destination server;
In the present embodiment, proxy server 200 receives the secure connection request containing the destination server identifier sent by client 100, looks up the corresponding destination server 300 according to the destination server identifier in the secure connection request, establishes a TCP connection with destination server 300, and then forwards the secure connection request to destination server 300, so that destination server 300, according to the secure connection request, sends its server certificate to client 100 through proxy server 200, and establishes the secure connection with client 100 after client 100 has verified the server certificate.
In the proxy communication method provided by the embodiment of the present invention, the proxy server receives the secure connection request containing the destination server identifier sent by the client, looks up the destination server according to the destination server identifier, establishes a communication connection with the destination server, and sends the secure connection request to the destination server. This achieves the effect of a virtual host and port multiplexing; and because the proxy server can look up the corresponding destination server directly from the destination server identifier and have the destination server return the server certificate, the proxy server need not store the certificate and certificate private key of each destination server as in the prior art, so the proxy communication process is simplified and data processing is faster.
Second embodiment
Refer to Fig. 4, which is a flow chart of the proxy communication method provided by the second embodiment of the invention. The present embodiment can be applied in the application environment shown in Fig. 1, and realizes data communication between client 100 and destination server 300 through proxy server 200 shown in Fig. 1. As shown in Fig. 4, the proxy communication method provided by the present embodiment comprises:
Step S201: establish a communication connection with the client;
Proxy server 200 and client 100 establish a TCP connection through a three-way handshake based on the TCP protocol. Specifically, as shown in Fig. 5: first, client 100 sends to proxy server 200 a TCP segment carrying the synchronize (SYN) flag; this SYN segment indicates the port used by client 100 and the initial sequence number (ISN) of the TCP connection, where the ISN is chosen randomly by the system of client 100 and tracks the data flow from client 100 to proxy server 200 during the session. Second, proxy server 200 receives the SYN segment sent by client 100 and responds to client 100 with a synchronize-acknowledge (SYNACK) segment, indicating that the request of client 100 is accepted, and the TCP sequence number is incremented by 1. Finally, client 100 receives the SYNACK segment returned by proxy server 200 and returns an acknowledge (ACK) segment to proxy server 200, likewise incrementing the TCP sequence number by 1, thereby establishing the TCP connection with proxy server 200.
Step S202: receive the secure connection request, containing a destination server identifier, sent by the client;
This secure connection request may be used to establish a secure connection with destination server 300. The destination server identifier may be used to look up destination server 300.
In the present embodiment, this secure connection request may further be used to establish an HTTPS secure connection based on the SSL/TLS (Transport Layer Security) protocol.
HTTPS is an HTTP channel whose aim is security (the secure version of HTTP), namely HTTP with SSL added underneath it. The security foundation of HTTPS is SSL, and the encryption is performed by SSL.
SSL is a security protocol, provided on top of the Internet, that guarantees the privacy of data transferred over the network; TLS is the successor of SSL.
SNI (Server Name Indication) is defined in RFC 4366; it is a technique for improving SSL/TLS and is enabled in SSLv3/TLSv1. It allows the client, when initiating the SSL handshake request, to submit the HTTP Host information of the request (that is, the Server Name) at the same time, so that the server can switch to the correct domain and return the corresponding certificate.
In the HTTP protocol, the requested domain name is placed in the HTTP header as the host header (Host), and the destination server can be found from the Host. A domain name (Domain Name) is the name of a computer or group of computers on the Internet, made up of a string of names separated by dots, and is used to identify the electronic location of the computer during data transmission.
In the present embodiment, proxy server 200 receives the secure connection request sent by client 100 in which the destination server identifier is carried by the Server Name Indication (SNI) field.
Further, proxy server 200 receives the secure connection request sent by client 100 containing the URL of the browsing request, which carries the HTTP Host information. From the HTTP Host information contained in the URL of the browsing request, proxy server 200 can find destination server 300.
Understandably, the secure connection request in this step is the ClientHello request. Through this secure connection request, client 100 provides destination server 300, via proxy server 200, with the protocol version it supports (for example TLS 1.3), a random number generated by client 100, the encryption methods it supports (for example RSA public-key encryption) and the compression methods it supports; the random number generated by client 100 may be used to generate the session key.
Step S203: look up the destination server according to the destination server identifier, and establish a communication connection with the destination server;
In the present embodiment, proxy server 200 receives the secure connection request sent by client 100 in which the destination server identifier is carried by the SNI field, looks up the corresponding destination server 300 according to the destination server identifier (namely the HTTP Host information) in the secure connection request, and establishes a TCP connection with destination server 300 through a three-way handshake based on the TCP protocol. The process by which proxy server 200 and destination server 300 establish the TCP connection is similar to that by which client 100 and proxy server 200 establish theirs, and is not repeated here. In this way, the destination server to be connected is determined from the HTTP Host information carried in the SNI field, so the effect of a virtual host can be achieved.
Step S204: send the secure connection request to the destination server;
Specifically, proxy server 200 forwards the received secure connection request sent by client 100, in which the destination server identifier is carried by the SNI field, to destination server 300, so that destination server 300 sends back response (ServerHello) information according to the secure connection request.
Step S205: receive the server certificate of the destination server and forward it to the client;
In the present embodiment, destination server 300, according to the secure connection request forwarded by proxy server 200, sends proxy server 200 a response message containing the server certificate of destination server 300. Proxy server 200 receives the response message containing the server certificate of destination server 300 sent by destination server 300, and forwards the response message to client 100.
Understandably, besides the server certificate of destination server 300, the response message may also contain: confirmation of the encrypted-communication protocol version to be used (for example TLS 1.3), a random number generated by destination server 300, and confirmation of the encryption method to be used (for example RSA public-key encryption); the random number generated by destination server 300 may be used to generate the session key.
Further, the response message may also contain a client certificate request used to request a client certificate from client 100. For example, a financial institution often only allows authenticated clients to connect to its network, and issues a USB key to registered customers, which contains a client certificate.
Step S206: after the client has verified the server certificate, forward the data that the client sends to the destination server to the destination server.
Specifically, client 100 receives the response message of destination server 300 forwarded by proxy server 200 and verifies the server certificate of destination server 300 contained in the response message. If the server certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, the server certificate is deemed to have failed verification and a warning is issued to the user, who chooses according to the warning whether to continue communicating; if the server certificate passes verification, client 100 takes the public key of destination server 300 from the server certificate and forwards to destination server 300, through proxy server 200, a random number (pre-master key), an encoding change notification indicating that subsequent information will be sent with the agreed encryption method and key, and a client handshake finished notification indicating that the client's handshake phase has ended. The client handshake finished notification is also a hash (Hash) value of all the content sent before it, for destination server 300 to verify. Further, client 100 may also, according to the client certificate request forwarded by proxy server 200, forward its client certificate to destination server 300 through proxy server 200.
Proxy server 200 forwards the received random number, encoding change notification and client handshake finished notification sent by client 100 to destination server 300, so that destination server 300 calculates and generates the session key used for this session from the aforementioned random number generated by client 100, the random number generated by destination server 300 and the pre-master key, and sends to client 100 through proxy server 200 an encoding change notification indicating that subsequent information will be sent with the agreed encryption method and key, and a server handshake finished notification indicating that the server's handshake phase has ended, thereby establishing the secure connection with client 100. The server handshake finished notification is also a hash value of all the content sent before it, for client 100 to verify.
After client 100 has established the secure connection with destination server 300 through proxy server 200, client 100 enters encrypted communication with destination server 300 through proxy server 200 and exchanges data based on the HTTP protocol. The exchanged data is content encrypted with the aforementioned session key, which prevents the data from being eavesdropped on or tampered with during transmission.
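As an added example, not code from the patent or from any product of the applicant, the following Python script models steps S202 to S206 of this embodiment (and the corresponding steps S102/S103 of the first embodiment and S302 to S306 of the third): the proxy reads the first TLS record from the client, extracts the host name from the SNI extension of the ClientHello, looks the host up in a routing table, opens a TCP connection to the destination, forwards the ClientHello unchanged and then relays bytes in both directions, so the server certificate and everything after it pass through untouched and the proxy holds no certificate or private key. The routing table, the host names example.test and unknown.test, the ClientHello builder and the fake destination (which answers with a constructed marker string rather than a real ServerHello) are all assumptions made for the demonstration. A connection whose SNI is missing or not in the table is closed instead of forwarded, which is the check a practitioner would want so that the proxy cannot be used as an open relay.

```python
import socket
import struct
import threading

def build_client_hello(host):  # constructed demo input: minimal TLS record with a ClientHello whose only extension is SNI
    host = host.encode("ascii")
    names = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host  # ServerNameList with one host_name entry
    ext = struct.pack("!HHH", len(names) + 4, 0, len(names)) + names  # extensions block; type 0 = server_name
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x02\xc0\x2f\x01\x00" + ext  # version, random, sid, suite, comp
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: content type handshake, version, length

def parse_sni(record):
    """S202: host_name from the SNI extension of a complete ClientHello record, else None."""
    try:
        if record[0] != 0x16:  # not a TLS handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01 or len(hs) - 4 < int.from_bytes(hs[1:4], "big"):
            return None  # not a ClientHello, or truncated
        body = hs[4:]
        p = 34  # skip client_version (2) and random (32)
        p += 1 + body[p]  # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
        p += 1 + body[p]  # compression_methods
        p, end = p + 2, p + 2 + struct.unpack("!H", body[p:p + 2])[0]  # extensions block
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data, p = body[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0:  # server_name: list of (name_type, length, name); RFC 6066 allows one host_name
                ntype, nlen = data[2], struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii") if ntype == 0 and len(data) >= 5 + nlen else None
    except (TypeError, IndexError, struct.error, UnicodeDecodeError):
        pass  # None, too short, or malformed
    return None

def read_tls_record(sock):  # read exactly one TLS record, however TCP segments it; None on EOF or non-handshake
    buf, need = b"", 5
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            return None
        buf += chunk
        if len(buf) == 5:
            if buf[0] != 0x16:
                return None
            need = 5 + struct.unpack("!H", buf[3:5])[0]
    return buf

def pump(src, dst):  # copy src -> dst until EOF, then pass the EOF on as a half-close
    try:
        for data in iter(lambda: src.recv(65536), b""):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle_client(client, routes):
    record = read_tls_record(client)  # S202: the secure connection request (ClientHello)
    target = routes.get(parse_sni(record))
    if target is None:  # no SNI, or a host this proxy does not serve: refuse, do not relay anywhere
        client.close()
        return
    upstream = socket.create_connection(target)  # S203: TCP connection to the looked-up destination
    upstream.sendall(record)  # S204: the ClientHello is forwarded unchanged
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)  # S205: certificate passes through
    t.start()
    pump(client, upstream)  # S206: the client's data is relayed to the destination
    t.join()
    client.close()
    upstream.close()

def run_demo():  # loopback demo: fake destination + proxy; a routed and an unrouted ClientHello go through the proxy
    dest, proxy, seen = socket.socket(), socket.socket(), []
    for ls in (dest, proxy):
        ls.bind(("127.0.0.1", 0))
        ls.listen(5)
    def dest_loop():  # stands in for destination server 300; replies with a constructed marker
        while True:
            c, _ = dest.accept()
            seen.append(parse_sni(read_tls_record(c)))
            c.sendall(b"SERVER-HELLO-DEMO")
            c.close()
    routes = {"example.test": dest.getsockname()}  # assumed routing table: SNI host -> (addr, port)
    def proxy_loop():
        while True:
            threading.Thread(target=handle_client, args=(proxy.accept()[0], routes), daemon=True).start()
    for loop in (dest_loop, proxy_loop):
        threading.Thread(target=loop, daemon=True).start()
    results = {}
    for name in ("example.test", "unknown.test"):
        cl = socket.create_connection(proxy.getsockname(), timeout=5)
        cl.sendall(build_client_hello(name))
        results[name] = cl.recv(64)  # b"" means the proxy closed the connection without relaying
        cl.close()
    return {**results, "seen_by_destination": list(seen)}
```

Calling run_demo() returns the marker reply for the routed host, an empty reply for the unrouted one, and the list of host names the destination saw, which contains only example.test because the unrouted connection never reached it. read_tls_record reads to the length declared in the record header because a real TLS stack may deliver the ClientHello across several TCP segments; a production proxy would also put a timeout on that first read so that a client that never sends a ClientHello cannot hold the thread open.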
In the proxy communication method provided by the embodiment of the present invention, the proxy server receives the secure connection request containing the destination server identifier sent by the client, looks up the destination server according to the destination server identifier, establishes a communication connection with the destination server, and sends the secure connection request to the destination server. This achieves the effect of a virtual host and port multiplexing; and because the proxy server can look up the corresponding destination server directly from the destination server identifier and have the destination server return the server certificate, the proxy server need not store the certificate and certificate private key of each destination server as in the prior art, so the proxy communication process is simplified and data processing is faster.
Third embodiment
Refer to Fig. 6, which is a sequence diagram of the proxy communication method provided by the third embodiment of the invention. The present embodiment can be applied in the application environment shown in Fig. 1, and realizes data communication between client 100 and destination server 300 through proxy server 200 shown in Fig. 1. As shown in Fig. 6, the proxy communication method provided by the present embodiment comprises:
Step S301: the proxy server and the client establish a communication connection;
Specifically, in the first step, client 100 sends to proxy server 200 a TCP segment carrying the SYN flag; this SYN segment indicates the port used by client 100 and the initial sequence number (ISN) of the TCP connection, where the ISN is chosen randomly by the system of client 100 and tracks the data flow from client 100 to proxy server 200 during the session;
In the second step, proxy server 200 receives the SYN segment sent by client 100 and responds to client 100 with a SYNACK segment, indicating that the request of client 100 is accepted, and the TCP sequence number is incremented by 1;
In the third step, client 100 receives the SYNACK segment returned by proxy server 200 and returns an acknowledge (ACK) segment to proxy server 200, likewise incrementing the TCP sequence number by 1, thereby establishing the TCP connection with proxy server 200.
Step S302: the proxy server receives the secure connection request sent by the client in which the HTTP Host information is carried by the SNI field;
This secure connection request may be used to establish an HTTPS secure connection with destination server 300. The HTTP Host information may be used to look up destination server 300.
HTTPS is an HTTP channel whose aim is security (the secure version of HTTP), namely HTTP with SSL added underneath it. The security foundation of HTTPS is SSL, and the encryption is performed by SSL. SSL is a security protocol, provided on top of the Internet, that guarantees the privacy of data transferred over the network; TLS is the successor of SSL. The SNI field is enabled in SSLv3/TLSv1 and allows the client, when initiating the SSL handshake request, to submit the HTTP Host information of the request at the same time, so that the server can switch to the correct domain and return the corresponding certificate. In the HTTP protocol, the requested domain name is placed in the HTTP header as the host header (Host), and the destination server can be found from the Host.
Understandably, the secure connection request in this step is the ClientHello request. Through this secure connection request, client 100 provides destination server 300, via proxy server 200, with the protocol version it supports (for example TLS 1.3), a random number generated by client 100, the encryption methods it supports (for example RSA public-key encryption) and the compression methods it supports; the random number generated by client 100 may be used to generate the session key.
Step S303: the proxy server looks up the destination server according to the HTTP Host information, and establishes a communication connection with the destination server;
In the present embodiment, proxy server 200 receives the secure connection request sent by client 100 in which the destination server identifier is carried by the SNI field, looks up the corresponding destination server 300 according to the destination server identifier (namely the HTTP Host information) in the secure connection request, and establishes a TCP connection with destination server 300.
Specifically, in the first step, proxy server 200 sends to destination server 300 a TCP segment carrying the SYN flag; this SYN segment indicates the port used by proxy server 200 and the initial sequence number (ISN) of the TCP connection, where the ISN is chosen randomly by the system of proxy server 200 and tracks the data flow from proxy server 200 to destination server 300 during the session;
In the second step, destination server 300 receives the SYN segment sent by proxy server 200 and responds to proxy server 200 with a SYNACK segment, indicating that the request of proxy server 200 is accepted, and the TCP sequence number is incremented by 1;
In the third step, proxy server 200 receives the SYNACK segment returned by destination server 300 and returns an acknowledge (ACK) segment to destination server 300, likewise incrementing the TCP sequence number by 1, thereby establishing the TCP connection with destination server 300.
In this way, the destination server to be connected is determined from the HTTP Host information carried in the SNI field, and the effect of a virtual host can be achieved.
Step S304: the proxy server sends the secure connection request to the destination server;
Specifically, proxy server 200 forwards the received secure connection request sent by client 100, in which the HTTP Host information is carried by the SNI field, to destination server 300, so that destination server 300 sends back response (ServerHello) information according to the secure connection request.
Step S305: the proxy server receives the server certificate of the destination server and forwards it to the client;
In the present embodiment, destination server 300, according to the secure connection request forwarded by proxy server 200, sends proxy server 200 a response message containing the server certificate of destination server 300. Proxy server 200 receives the response message containing the server certificate of destination server 300 sent by destination server 300, and forwards the response message to client 100.
Understandably, besides the server certificate of destination server 300, the response message may also contain: confirmation of the encrypted-communication protocol version to be used (for example TLS 1.3), a random number generated by destination server 300, confirmation of the encryption method to be used (for example RSA public-key encryption), and a client certificate request used to request a client certificate from client 100. For example, a financial institution often only allows authenticated clients to connect to its network, and issues a USB key to registered customers, which contains a client certificate. The random number generated by destination server 300 may be used to generate the session key.
Step S306: after the client has verified the server certificate, the proxy server forwards the data that the client sends to the destination server to the destination server.
Specifically, client 100 receives the response message of destination server 300 forwarded by proxy server 200 and verifies the server certificate of destination server 300 contained in the response message. If the server certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, the server certificate is deemed to have failed verification and a warning is issued to the user, who chooses according to the warning whether to continue communicating; if the server certificate passes verification, client 100 takes the public key of destination server 300 from the server certificate and forwards to destination server 300, through proxy server 200, a random number (pre-master key), an encoding change notification indicating that subsequent information will be sent with the agreed encryption method and key, a client handshake finished notification indicating that the client's handshake phase has ended, and the client certificate of client 100. The client handshake finished notification is also a hash (Hash) value of all the content sent before it, for destination server 300 to verify.
Proxy server 200 forwards the received random number, encoding change notification, client handshake finished notification and client certificate of client 100 sent by client 100 to destination server 300, so that destination server 300 verifies client 100 according to the received client certificate and, after the client certificate passes verification, calculates and generates the session key used for this session from the aforementioned random number generated by client 100, the random number generated by destination server 300 and the pre-master key, and sends to client 100 through proxy server 200 an encoding change notification indicating that subsequent information will be sent with the agreed encryption method and key, and a server handshake finished notification indicating that the server's handshake phase has ended, thereby establishing the secure connection with client 100. The server handshake finished notification is also a hash value of all the content sent before it, for client 100 to verify.
After client 100 has established the secure connection with destination server 300 through proxy server 200, client 100 enters encrypted communication with destination server 300 through proxy server 200 and exchanges data based on the HTTP protocol. The exchanged data is content encrypted with the aforementioned session key, which prevents the data from being eavesdropped on or tampered with during transmission.
In the proxy communication method provided by the embodiment of the present invention, the proxy server receives the secure connection request containing the destination server identifier sent by the client, looks up the destination server according to the destination server identifier, establishes a communication connection with the destination server, and sends the secure connection request to the destination server. This achieves the effect of a virtual host and port multiplexing; and because the proxy server can look up the corresponding destination server directly from the destination server identifier and have the destination server return the server certificate, the proxy server need not store the certificate and certificate private key of each destination server as in the prior art, so the proxy communication process is simplified and data processing is faster.
Fourth embodiment
Fig. 7 is a schematic structural diagram of the proxy communication device provided by the fourth embodiment of the invention. The proxy communication device provided by the present embodiment can run in proxy server 200 shown in Fig. 1 and is used to implement the proxy communication method of the above embodiments. As shown in Fig. 7, proxy communication device 40 comprises: a communication connection establishing module 41, a first receiving module 42, a lookup module 43 and a first sending module 44.
The communication connection establishing module 41 is configured to establish a communication connection with the client;
The first receiving module 42 is configured to receive the secure connection request, containing a destination server identifier, sent by the client, the secure connection request being used to request establishment of a secure connection with the destination server;
The lookup module 43 is configured to look up the destination server according to the destination server identifier;
The communication connection establishing module 41 is further configured to establish a communication connection with the destination server;
The first sending module 44 is configured to send the secure connection request to the destination server.
Each of the above modules may be implemented by software code, in which case the modules may be stored in memory 232, as shown in Fig. 8. Each of the above modules may equally be implemented by hardware such as an integrated circuit (IC) chip.
For the specific process by which each functional module of proxy communication device 40 in the present embodiment implements its function, refer to the specific content of the embodiments described above with reference to Fig. 1 to Fig. 6, which is not repeated here.
The proxy communication device provided by the embodiment of the present invention receives the secure connection request containing the destination server identifier sent by the client, looks up the destination server according to the destination server identifier, establishes a communication connection with the destination server, and sends the secure connection request to the destination server. This achieves the effect of a virtual host and port multiplexing; and because the proxy server can look up the corresponding destination server directly from the destination server identifier and have the destination server return the server certificate, the proxy server need not store the certificate and certificate private key of each destination server as in the prior art, so the proxy communication process is simplified and data processing is faster.
Fifth embodiment
Fig. 9 is a schematic structural diagram of the proxy communication device provided by the fifth embodiment of the invention. The proxy communication device provided by the present embodiment can run in proxy server 200 shown in Fig. 1 and is used to implement the proxy communication method of the above embodiments. As shown in Fig. 9, proxy communication device 50 comprises: a communication connection establishing module 41, a first receiving module 42, a lookup module 43, a first sending module 44, a second receiving module 55, a second sending module 56 and a third sending module 57.
The communication connection establishing module 41 is configured to establish a communication connection with the client;
The first receiving module 42 is configured to receive the secure connection request, containing a destination server identifier, sent by the client, the secure connection request being used to request establishment of a secure connection with the destination server;
The lookup module 43 is configured to look up the destination server according to the destination server identifier;
The communication connection establishing module 41 is further configured to establish a communication connection with the destination server;
The first sending module 44 is configured to send the secure connection request to the destination server;
The second receiving module 55 is configured to receive the server certificate of the destination server;
The second sending module 56 is configured to forward the server certificate of the destination server received by the second receiving module 55 to the client;
The third sending module 57 is configured to forward, after the client has verified the server certificate, the data that the client sends to the destination server to the destination server.
Preferably, the first receiving module 42 is further configured to receive the secure connection request sent by the client in which the destination server identifier is carried by the Server Name Indication field.
Preferably, the first receiving module 42 is further configured to receive the secure connection request sent by the client containing the URL of the browsing request, which carries the HTTP Host information.
For the specific process by which each functional module of proxy communication device 50 in the present embodiment implements its function, refer to the specific content of the embodiments described above with reference to Fig. 1 to Fig. 6, which is not repeated here.
The proxy communication device provided by the embodiment of the present invention receives the secure connection request containing the destination server identifier sent by the client, looks up the destination server according to the destination server identifier, establishes a communication connection with the destination server, and sends the secure connection request to the destination server. This achieves the effect of a virtual host and port multiplexing; and because the proxy server can look up the corresponding destination server directly from the destination server identifier and have the destination server return the server certificate, the proxy server need not store the certificate and certificate private key of each destination server as in the prior art, so the proxy communication process is simplified and data processing is faster.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises the element.
Those skilled in the art will appreciate that all or part of the steps for implementing the above embodiments may be performed by hardware, or by hardware instructed by a program, and the program may be stored in a computer-readable storage medium; the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred embodiments of the present invention and do not limit the present invention in any form. Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit it; any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make minor changes or modifications into equivalent embodiments of equivalent variation. Any simple modification, equivalent variation or modification made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.