CN105791451B - Message response method and device - Google Patents


Publication number
CN105791451B
Authority
CN
China
Prior art keywords
address
message
response
client
page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410810775.5A
Other languages
Chinese (zh)
Other versions
CN105791451A (en
Inventor
田旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Huawei Technologies Co Ltd
Priority to CN201410810775.5A
Priority to PCT/CN2015/083593 (WO2016101591A1)
Publication of CN105791451A
Application granted
Publication of CN105791451B


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming

Abstract

The embodiment of the invention relates to the technical field of communication and discloses a message response method and device. The method comprises the following steps: an access device receives a target message sent by a client, and acquires and stores the destination IP address of the target message; the access device processes the target message to obtain a response message for the target message; the access device replaces the source IP address of the response message with the stored destination IP address of the target message and sends the response message to the client; and the access device receives a page acquisition request sent by the client, processes the page acquisition request, and returns a page response to the client, wherein the page response comprises the URL of a first server. By implementing the invention, the preconfigured URL of a server can be obtained from the target message of the client, so that the client can access the web page corresponding to the URL.

Description

Message response method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a message response method and apparatus.
Background
At present, the internet has reached every aspect of users' lives, and users can browse web pages through the internet to obtain various information. When a user accesses a web page through a client, the client sends a request message to a website server, wherein the source Internet Protocol (IP) address of the request message is the IP address of the client, and the destination IP address of the request message is the IP address of the website server. When the website server receives the request message, it returns a response message to the client, wherein the source IP address of the response message is the IP address of the remote device, and the destination IP address of the response message is the IP address of the client.
Before accessing the internet, the client needs to access the network through the access device, and forward the request message and the response message through the access device. However, in practical applications, a communication failure may exist between the access device and the web server, so that the client cannot receive the response message of the target message and cannot access any web page.
Disclosure of Invention
The embodiment of the invention provides a message response method and a message response device, which can acquire a pre-configured URL of a server according to a target message of a client so that the client accesses a webpage corresponding to the URL, and solve the problem that the client cannot access any webpage after sending the target message.
In a first aspect, a method for responding to a message is provided, including:
an access device receives a target message sent by a client, and acquires and stores the destination Internet Protocol (IP) address of the target message, wherein the target message comprises a source IP address, a source port number and the destination IP address;
the access device processes the target message to obtain a response message of the target message, wherein the destination IP address and the destination port number of the response message are the source IP address and the source port number of the target message;
the access device replaces the source IP address of the response message with the stored destination IP address of the target message, and sends the response message to the client;
the access device receives a page obtaining request sent by the client, processes the page obtaining request, and returns a page response to the page obtaining request to the client, wherein the page response comprises a Uniform Resource Locator (URL) of the first server.
With reference to the first aspect, in a first possible implementation manner of the first aspect,
the access device processes the target packet to obtain a response packet of the target packet, including:
the access device replaces the destination IP address of the target message with the IP address of the access device, responds to the target message, and obtains a response message of the target message, wherein the source IP address of the response message is the IP address of the access device;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client and processing the page acquisition request includes:
and the access equipment receives a page acquisition request sent by the client, responds to the page acquisition request and obtains a page response of the page acquisition request.
With reference to the first aspect, in a second possible implementation manner of the first aspect,
the access device processes the target packet to obtain a response packet of the target packet, including:
the access equipment acquires an IP address of a second server;
the access device replaces the destination IP address of the target message with the IP address of the second server and sends the target message to the second server so that the second server responds to the target message and generates a response message of the target message;
the access equipment receives the response message returned by the second server, and the source IP address of the response message is the IP address of the second server;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client and processing the page acquisition request includes:
the access equipment receives the page acquisition request and forwards the page acquisition request to the second server so that the second server responds to the page acquisition request to obtain a page response of the page acquisition request;
and the access equipment receives the page response returned by the second server.
With reference to the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, before the access device receives a page obtaining request sent by the client and processes the page obtaining request, the method further includes:
the access equipment and the client perform Secure Socket Layer (SSL) negotiation, and a secret key for communication with the client is determined;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client, processing the page acquisition request, and returning a page response to the page acquisition request to the client includes:
the access equipment receives an HTTP GET request which is sent by the client and encrypted by the key, and decrypts the HTTP GET request according to the key;
the access equipment responds to the HTTP GET request after decryption processing to obtain a page response of the page acquisition request, and encrypts the page response according to the secret key;
and the access equipment returns the page response encrypted by the key to the client so that the client communicates with the first server according to the URL of the first server.
With reference to the first aspect, or the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, or the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect,
the access device receives a target message sent by a client, acquires and stores a destination IP address of the target message, and comprises:
the access equipment receives a target message sent by a client, and acquires a source IP address, a source port number and a destination IP address of the target message;
the access device takes the source IP address and the source port number of the target message as key values and takes the target IP address of the target message as a result value to create a data table;
correspondingly, the step of the access device replacing the source IP address of the response packet with the stored destination IP address of the target packet, and sending the response packet to the client includes:
the access equipment takes the destination IP address and the destination port number of the response message as key values and searches a data table corresponding to the key values;
and the access equipment acquires the IP address serving as a result value from the searched data table, takes the IP address as the source IP address of the response message, and sends the response message to the client.
In a second aspect, a message response apparatus is provided, where the apparatus is disposed in an access device, and includes:
a storage module, configured to receive a target message sent by a client, and acquire and store the destination IP address of the target message, wherein the target message comprises a source IP address, a source port number and the destination IP address;
a message processing module, configured to process the target message to obtain a response message of the target message, where a destination IP address and a destination port number of the response message are a source IP address and a source port number of the target message;
the message sending module is used for replacing the source IP address of the response message by the stored destination IP address of the target message and sending the response message to the client;
and the response module is used for receiving the page acquisition request sent by the client, processing the page acquisition request and returning a page response to the page acquisition request to the client, wherein the page response comprises the URL of the first server.
With reference to the second aspect, in a first possible implementation manner of the second aspect,
the message processing module is specifically configured to:
replacing the destination IP address of the target message with the IP address of the access device, and responding to the target message to obtain a response message of the target message, wherein the source IP address of the response message is the IP address of the access device;
the response module is specifically configured to:
and receiving a page acquisition request sent by the client, responding to the page acquisition request, obtaining a page response of the page acquisition request, and returning the page response to the client.
With reference to the second aspect, in a second possible implementation manner of the second aspect,
the message processing module comprises:
an IP obtaining unit configured to obtain an IP address of the second server;
a first sending unit, configured to replace a destination IP address of the target packet with an IP address of the second server, and send the target packet to the second server, so that the second server responds to the target packet and generates a response packet of the target packet;
a first receiving unit, configured to receive the response packet returned by the second server, where a source IP address of the response packet is an IP address of the second server;
the response module includes:
the request processing unit is used for receiving the page acquisition request and forwarding the page acquisition request to the second server so that the second server responds to the page acquisition request to obtain a page response of the page acquisition request;
and the response processing unit is used for receiving the page response returned by the second server and returning the page response to the client.
With reference to the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the apparatus further includes:
the SSL negotiation module is used for carrying out SSL negotiation with the client and determining a key for communication with the client;
the response module includes:
a second receiving unit, configured to receive an HTTP GET request encrypted with the key and sent by the client, and perform decryption processing on the HTTP GET request according to the key;
the response acquisition unit is used for responding to the HTTP GET request after decryption processing, acquiring a page response of the page acquisition request, and encrypting the page response according to the secret key;
and the second sending unit is used for returning the page response encrypted by the key to the client so as to enable the client to communicate with the first server according to the URL of the first server.
With reference to the second aspect, or the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, or the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect,
the storage module includes:
an IP acquisition unit, configured to receive a target message sent by a client and acquire the source IP address, the source port number and the destination IP address of the target message;
a creating unit, configured to create a data table by using the source IP address and the source port number of the target packet as key values and using the destination IP address of the target packet as a result value;
the message sending module comprises:
the searching unit is used for taking the destination IP address and the destination port number of the response message as key values and searching a data table corresponding to the key values;
and the IP conversion unit is used for acquiring an IP address serving as a result value from the data table searched by the searching unit, taking the IP address as a source IP address of the response message, and sending the response message to the client.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the embodiment of the invention can obtain and store the destination IP address of the target message when receiving the target message sent by the client, obtain the response message of the target message, carry out IP address conversion by replacing the source IP address of the response message with the stored destination IP address of the target message, send the response message to the client, and return the page response comprising the URL of the first server to the client when receiving the page obtaining request sent by the client according to the response message, so that the client can access the page corresponding to the URL.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a message response method according to an embodiment of the present invention;
Fig. 2 is an interaction diagram of a message response method according to an embodiment of the present invention;
Fig. 3 is an interaction diagram of another message response method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a message response apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another message response apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another message response apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an access device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a schematic flow chart of a message response method according to an embodiment of the present invention, including:
S101: The access device receives a target message sent by the client, and acquires and stores the destination IP address of the target message.
In a specific embodiment, a client inputs a Uniform Resource Locator (URL) of a website that the client wants to access through a browser, sends a DNS request to a Domain Name System (DNS) server corresponding to the website, and receives an IP address of the website returned by the DNS server in response to the DNS request. Optionally, the access device proxy may also respond to the DNS request and return the IP address of the website, which is not limited in the embodiment of the present invention.
The access device in the embodiment of the present invention may be a switch or a router, and the like.
And the client sends the target message after acquiring the IP address of the website, namely the destination IP address. And the access equipment receives a target message sent by the client. The target message includes a source IP address, a source port number, and the destination IP address.
It should be noted that the target message is a Hypertext Transfer Protocol (HTTP) message, a Hypertext Transfer Protocol Secure (HTTPS) message, or another application layer protocol message, such as a User Datagram Protocol (UDP) message when redirecting a DNS message. Specifically, when receiving a message sent by a client, the access device may treat the received message as a target message if it detects that the Transmission Control Protocol (TCP) destination port number of the message is 80 (HTTP message) or 443 (HTTPS message), or that the UDP destination port number is 53 (DNS message).
S102: The access device processes the target message to obtain a response message of the target message.
The destination IP address and the destination port number of the response message are the source IP address and the source port number of the target message.
S103: The access device replaces the source IP address of the response message with the stored destination IP address of the target message and sends the response message to the client.
Optionally, the access device may store the destination IP address of the target message by creating a data table, where the data table holds the correspondence between a key value (KEY) and a result value (VALUE); the data table may be a hash (HASH) table. That is, the step in which the access device receives a target message sent by a client and acquires and stores the destination IP address of the target message may specifically be: the access device receives a target message sent by a client, and acquires the source IP address, the source port number and the destination IP address of the target message; it then stores them in the data table, with the source IP address and the source port number of the target message as the KEY and the destination IP address of the target message as the VALUE. Further, the step in which the access device replaces the source IP address of the response message with the stored destination IP address of the target message and sends the response message to the client may specifically be: the access device takes the destination IP address and the destination port number of the response message as the KEY and looks up the data table entry corresponding to the KEY; it obtains the IP address stored as the VALUE from that entry, uses it as the source IP address of the response message, and sends the response message to the client.
Further, after receiving the target message sent by the client, and before acquiring and storing the destination IP address of the target message, the access device may further detect whether the destination IP address of the target message is the IP address of the first server; if not, the destination IP address of the target message is stored; otherwise, the message is routed and forwarded, and the access device does not answer on the server's behalf.
S104: The access device receives a page acquisition request sent by the client, processes the page acquisition request, and returns a page response to the page acquisition request to the client.
The page response comprises the URL of the first server.
Optionally, the first server may be a server associated with the access device, where the first server includes a Web server, a video server, a game server, and the like, and the embodiment of the present invention is not limited thereto. In a specific embodiment, the processing, by the access device, the target packet to obtain a response packet of the target packet may specifically be: and the access equipment replaces the target IP address of the target message with the IP address of the access equipment, responds to the target message and obtains a response message of the target message, wherein the source IP address of the response message is the IP address of the access equipment. Further, the access device is preconfigured with the URL address of the first server, so as to generate a page response including the URL of the first server in response to the request when receiving a page obtaining request sent by the client. That is, the access device receives the page obtaining request sent by the client, and processes the page obtaining request, which may specifically be: and the access equipment receives a page acquisition request sent by the client, responds to the page acquisition request and obtains a page response of the page acquisition request.
In a specific embodiment, if the received packet is an HTTPS packet, before receiving an HTTP GET request, that is, a page GET request, sent by the client according to the response packet and processing the page GET request, the access device further needs to perform Secure Socket Layer (SSL) negotiation with the client and determine a key for communicating with the client. Specifically, the receiving, by the access device, a page obtaining request sent by the client, processing the page obtaining request, and returning a page response to the page obtaining request to the client may specifically be: the access equipment receives an HTTP GET request which is sent by the client and encrypted by the key, and decrypts the HTTP GET request according to the key; the access equipment responds to the HTTP GET request after decryption processing to obtain a page response of the page acquisition request, and encrypts the page response according to the secret key; and the access equipment returns the page response encrypted by the key to the client so that the client communicates with the first server according to the URL of the first server.
Optionally, a second server, that is, a redirection server, for redirecting a HTTP message, an HTTPs message, and the like sent by a client may be deployed in advance in the system, and the first server may be associated with the second server, and a URL address of the first server is configured in the second server. The processing, by the access device, of the target packet to obtain a response packet of the target packet may specifically be: the access equipment acquires an IP address of a second server; the access device replaces the destination IP address of the target message with the IP address of the second server and sends the target message to the second server so that the second server responds to the target message and generates a response message of the target message; and the access equipment receives the response message returned by the second server, wherein the source IP address of the response message is the IP address of the second server. Correspondingly, the receiving, by the access device, the page obtaining request sent by the client, and processing the page obtaining request may specifically be: the access equipment receives the page acquisition request and forwards the page acquisition request to the second server so that the second server responds to the page acquisition request to obtain a page response of the page acquisition request; and the access equipment receives the page response returned by the second server.
By implementing the embodiment of the invention, when a target message sent by a client is received, the target IP address of the target message is acquired and stored, the response message of the target message is acquired, the stored target IP address of the target message is used for replacing the source IP address of the response message, the response message is sent to the client after the IP address conversion is carried out, and when a page acquisition request sent by the client according to the response message is received, a page response comprising the URL of a first server can be returned to the client, so that the client can access the page corresponding to the URL.
Please refer to fig. 2, which is an interaction diagram of a message response method according to an embodiment of the present invention, where the method includes:
S201: Send a TCP SYN message.
In a specific embodiment, a client inputs a URL of a website desired to be accessed through a browser, sends a DNS request to a DNS server corresponding to the website, and receives an IP address of the website returned by the DNS server in response to the DNS request. Optionally, the access device proxy may also respond to the DNS request and return the IP address of the website, which is not limited in the embodiment of the present invention.
After acquiring the IP address of the website, the client sends a TCP SYN (synchronization) message, i.e., a target message, and wants to establish a TCP connection with the remote website. And the destination IP address of the TCP SYN message is the IP address of the website, and the source IP address and the source port number are the IP address and the port number corresponding to the client.
S202: Create a HASH table with the source IP address and the source port number of the TCP SYN message as the key value and the destination IP address of the TCP SYN message as the result value.
In a specific embodiment, after receiving the TCP SYN message, the access device creates a HASH table with the source IP address and the source port number of the message as the key value (KEY) and the destination IP address as the result value (VALUE), thereby storing the destination IP address of the message so that it can be retrieved during the subsequent IP conversion.
Further, after receiving the message sent by the client and before creating the HASH table, the access device may further detect whether the destination IP address of the message is an IP address of a preconfigured Web server, i.e., the first server; if not, the access equipment can establish a HASH table according to the source IP address and the destination IP address of the message; if yes, the access device carries out route forwarding on the message without carrying out substitute answering.
Further, after receiving the message sent by the client and before creating the HASH table, the access device may further determine whether the message is a TCP SYN message; if the TCP SYN packet is the TCP SYN packet, the access device may create a HASH table according to the source IP address, the port number, and the destination IP address of the TCP SYN packet.
S203: Replace the destination IP address of the TCP SYN message with the IP address of the access device, and respond to the TCP SYN message to generate a TCP SYN ACK message.
Further, the access device uses the IP address of the access device as the destination IP address of the TCP SYN message, and recalculates the checksums of the TCP header and the IP header in the TCP SYN message. The access device generates a TCP SYN ACK message in response to the TCP SYN message.
S204: Take the destination IP address and the destination port number of the TCP SYN ACK message as the key value, look up the HASH table entry corresponding to the key value, obtain the IP address stored as the result value from that entry, and use it as the source IP address of the TCP SYN ACK message.
S205: Return the TCP SYN ACK message.
The access device searches a HASH table according to the destination IP and the destination port number of the TCP SYN ACK message, that is, the IP address and the port number of the client are used as KEY, obtains the destination IP address of the TCP SYN message, that is, the VALUE corresponding to the KEY, uses the IP address corresponding to the VALUE as the source IP address for sending the TCP SYN ACK message, recalculates the checksum of the TCP header and the IP header in the TCP SYN ACK message, and sends the result to the client, thereby realizing IP address conversion.
It should be noted that, in the redirection, i.e. in the message response process, for the subsequently received messages such as HTTP messages, HTTPs messages, DNS messages, etc., i.e. the messages with TCP destination port numbers of 80, 443, or UDP destination port numbers of 53, the access device may perform IP address conversion in the HASH table manner, and reply the client message, which is not described in detail later.
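The table creation and address conversion of S202 to S205 (the same KEY/VALUE table described under S103), as an added Python sketch that is not code from the patent. DEVICE_IP, FIRST_SERVER_IP, the sample addresses and all class and function names are constructed for illustration, and only the TCP handshake on ports 80 and 443 is covered; the DNS (UDP 53) path is omitted.

```python
import socket
import struct

# Constructed values for illustration (documentation address ranges).
DEVICE_IP = "192.0.2.1"            # assumed address of the access device
FIRST_SERVER_IP = "203.0.113.10"   # assumed preconfigured Web server (first server)
TARGET_TCP_PORTS = {80, 443}       # HTTP / HTTPS destination ports, per the description
SYN, ACK = 0x02, 0x10


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by both the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src, sport, dst, dport, flags, seq=0, ack=0) -> bytes:
    """Minimal IPv4 + TCP packet: 20-byte headers, no options, no payload."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Extract the fields the access device needs from an IPv4 + TCP packet."""
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[20:34])
    return {"proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def checksums_valid(pkt: bytes) -> bool:
    """A receiver sums each header including its checksum field; a valid one yields 0."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


class AccessDevice:
    def __init__(self):
        # KEY: (client IP, client port)  ->  VALUE: original destination IP
        self.table = {}

    def handle_syn(self, pkt: bytes):
        """Return the SYN ACK sent to the client, or None if the packet is just routed."""
        p = parse(pkt)
        if p["proto"] != 6 or p["dport"] not in TARGET_TCP_PORTS or p["flags"] != SYN:
            return None                      # not a target message
        if p["dst"] == FIRST_SERVER_IP:
            return None                      # traffic to the first server is forwarded as-is
        self.table[(p["src"], p["sport"])] = p["dst"]            # S202
        # S203: the device answers the SYN itself, so the reply starts out
        # with the device's own address as its source.
        reply = build_tcp_packet(DEVICE_IP, p["dport"], p["src"], p["sport"],
                                 SYN | ACK, seq=1000, ack=p["seq"] + 1)
        return self.translate(reply)

    def translate(self, reply: bytes) -> bytes:
        """S204/S205: look up by the reply's destination IP and port, then
        rebuild the packet so both checksums cover the substituted source."""
        r = parse(reply)
        original_dst = self.table[(r["dst"], r["dport"])]        # KeyError: no stored entry
        return build_tcp_packet(original_dst, r["sport"], r["dst"], r["dport"],
                                r["flags"], r["seq"], r["ack"])


if __name__ == "__main__":
    device = AccessDevice()
    # Constructed SYN from a client to a website address.
    syn = build_tcp_packet("10.0.0.5", 51000, "198.51.100.7", 443, SYN, seq=1)
    syn_ack = device.handle_syn(syn)
    print(parse(syn_ack), "checksums valid:", checksums_valid(syn_ack))
```

Overwriting only the four source-address bytes of the reply would leave both checksums stale and the client would drop the packet, which is why the description recalculates the TCP and IP header checksums after each substitution.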
S206: Send the TCP ACK message.
S207: The access device and the client perform SSL negotiation and determine a key for communication between the access device and the client.
In a specific embodiment, during the SSL negotiation process between the access device and the client, the access device negotiates a certificate with the client to determine a key for communication between the access device and the client.
S208: an HTTP GET request is sent.
S209: Perform SSL processing on the HTTP GET request and generate a TCP FIN message, where the TCP FIN message includes the URL (uniform resource locator) of the Web server.
In a specific embodiment, after the access device and the client perform SSL negotiation, the client encrypts an HTTPS GET request, that is, a page acquisition request, according to a key determined by the SSL negotiation, and sends an encrypted HTTPS GET request message to the access device.
S210: Return the TCP FIN message.
After receiving the encrypted HTTPS GET request message, the access device decrypts it according to the key determined by the SSL negotiation, thereby obtaining plaintext data, and in response to the HTTPS GET request generates a redirection message TCP FIN, which is the page response. The TCP FIN message may specifically be an HTTP 301 response message or an HTTP 302 response message, and it includes the preconfigured URL of the Web server, that is, the URL of the first server, so that the client communicates with the Web server according to the URL. At the same time, the TCP flag bit is set to FIN, and the connection between the client and the access device is closed. Specifically, before returning the TCP FIN message to the client, the access device may further encrypt the TCP FIN message by using the negotiated key; when receiving the TCP FIN message, the client decrypts it according to the negotiated key, thereby obtaining plaintext data.
S211: Send the TCP ACK message.
S212: Send the TCP FIN message.
S213: Return the TCP ACK message.
In a specific embodiment, after receiving the TCP FIN packet returned by the access device, the client replies with an ACK packet and a FIN packet in sequence, and the access device responds to the ACK packet and the FIN packet by replying with an ACK packet.
Furthermore, the HASH table may also include connection status information between the access device and the client. When a packet sent by the client is received, or a packet is sent to the client, the connection status information recorded in the HASH table may be updated, so as to manage the HASH table. For example, the connection status information may include an initial status Initial, a redirection status Redirect, a FIN message received status FIN_Received, a FIN message sent status FIN_Sent, a connection closed status Closed, and the like. For example, the created HASH table may be as shown in Table 1.
Table 1 (image not reproduced)
Specifically, the access device may record the connection state information of the access device and the client as Initial when receiving a TCP SYN message sent by the client; when sending a redirection message, the access device updates the connection state information to Redirect; when receiving a TCP FIN message sent by the client, it updates the connection state information to FIN_Received; and when replying with a TCP ACK message to the FIN message sent by the client, it updates the connection state information to Closed. If the access device detects that the connection state information recorded in the HASH table is Closed, it can determine that the connection between the access device and the client is closed, and the HASH table can be deleted.
It should be noted that, under normal conditions, when a HASH connection table entry is in the Closed state, the HASH table may be deleted and its resources released. However, in some abnormal situations, for example when packet loss on the physical link prevents the HASH connection table entry from being deleted normally, the old HASH table may be removed by overwriting it with a new HASH table. Specifically, the number of colliding entries allowed at each HASH table index may be preset. For example, if the total length of the HASH table is 512 (that is, the range of HASH table indexes) and 4 collisions are allowed, the HASH table has an overall specification of 512 × 4. Each time a new connection request is established, if it is calculated that the corresponding HASH table index already holds 4 connections, the oldest connection is overwritten with the new connection.
S214: Send a TCP SYN message.
S215: a TCP SYN ACK message is returned.
S216: Send the TCP ACK message.
The client initiates TCP connection with the Web server, redirects to the Web server according to the URL, communicates with the Web server, and the Web server pushes pages to the client. For example, the Web server is a Portal server, and after the client initiates a TCP connection with the Portal server, the Portal server can push an authentication page to the client.
It should be noted that, for an IP packet arriving at a specified Web server, the access device directly forwards the IP packet to the Web server without performing the above redirection processing.
By implementing the embodiment of the invention, when a TCP SYN message, namely a target message, sent by a client is received, a HASH table is created according to the source IP address and source port number of the SYN message to store the destination IP address of the message, and the IP address of the access device is used as the destination IP address of the target message, so that a response message is generated in response to the target message. The destination IP address found in the HASH table is then used as the source IP address of the response message, that is, IP address conversion is carried out, and the response message is sent to the client. After the HTTP GET request that the client sends according to the response message, following SSL negotiation, is received, SSL processing is performed on the HTTP GET request and the pre-configured URL of the Web server is returned to the client, so that the client can access the webpage corresponding to the URL.
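The HASH table with connection state and the 512 × 4 collision limit described above can be modelled as follows. This is an added example, not code from the patent: the class and method names, the hash function and the sample addresses are assumptions, and only the state transitions the text spells out are modelled.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress
import itertools

BUCKETS = 512   # HASH table index range given in the text
SLOTS = 4       # colliding entries allowed per index, given in the text


class State(Enum):
    INITIAL = "Initial"
    REDIRECT = "Redirect"
    FIN_RECEIVED = "FIN_Received"
    CLOSED = "Closed"


@dataclass
class Entry:
    key: tuple       # (client IP, client port): the KEY
    orig_dst: str    # destination IP of the client's SYN: the VALUE
    state: State
    age: int         # insertion counter; the lowest value is the oldest entry


class RedirectTable:
    """Hypothetical model of the table; names are not from the patent."""

    def __init__(self):
        self.buckets = [[] for _ in range(BUCKETS)]
        self.clock = itertools.count()
        self.overwritten = []   # keys evicted because their index was full

    def _bucket(self, key):
        # Assumption: the text does not specify the hash function.
        ip, port = key
        return self.buckets[(int(ipaddress.ip_address(ip)) ^ port) % BUCKETS]

    def _find(self, key):
        return next((e for e in self._bucket(key) if e.key == key), None)

    def on_syn(self, src_ip, src_port, dst_ip):
        """Client SYN received: store its destination IP, state Initial."""
        key = (src_ip, src_port)
        bucket = self._bucket(key)
        stale = self._find(key)
        if stale:                        # same client socket seen again
            bucket.remove(stale)
        elif len(bucket) >= SLOTS:       # index full: overwrite the oldest
            oldest = min(bucket, key=lambda e: e.age)
            bucket.remove(oldest)
            self.overwritten.append(oldest.key)
        bucket.append(Entry(key, dst_ip, State.INITIAL, next(self.clock)))

    def source_for_reply(self, client_ip, client_port):
        """Reply toward the client: the KEY is its destination IP and port."""
        entry = self._find((client_ip, client_port))
        return entry.orig_dst if entry else None

    def state(self, client_ip, client_port):
        entry = self._find((client_ip, client_port))
        return entry.state if entry else None

    def _set(self, client_ip, client_port, new_state):
        entry = self._find((client_ip, client_port))
        if entry:
            entry.state = new_state

    def on_redirect_sent(self, client_ip, client_port):
        self._set(client_ip, client_port, State.REDIRECT)

    def on_client_fin(self, client_ip, client_port):
        self._set(client_ip, client_port, State.FIN_RECEIVED)

    def on_final_ack_sent(self, client_ip, client_port):
        """ACK to the client's FIN sent: state Closed, entry released."""
        entry = self._find((client_ip, client_port))
        if entry:
            entry.state = State.CLOSED
            self._bucket(entry.key).remove(entry)


if __name__ == "__main__":
    table = RedirectTable()
    table.on_syn("192.0.2.10", 40000, "203.0.113.80")   # constructed addresses
    print(table.source_for_reply("192.0.2.10", 40000))
```

An entry that never reaches Closed, for example because the client's FIN is lost, stays in its bucket until four newer connections hash to the same index.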
Please refer to fig. 3, which is an interaction diagram of another message response method according to an embodiment of the present invention, where the method includes:
S301: Send a TCP SYN message.
In a specific embodiment, a client inputs a URL of a website to be accessed through a browser, sends a DNS request to a DNS server corresponding to the website, obtains an IP address of the website, and sends a TCP SYN message, that is, a target message, to an access device.
S302: Create a HASH table, taking the source IP address and the source port number of the TCP SYN message as the key value and the destination IP address of the TCP SYN message as the result value.
In a specific embodiment, after receiving the TCP SYN packet, the access device creates a HASH table by using the source IP address and the source port number of the packet as the key value (KEY) and the destination IP address as the result value (VALUE), thereby storing the destination IP address of the packet so that it can be obtained during the subsequent IP address conversion.
S303: Replace the destination IP address of the TCP SYN message with the IP address of the redirection server, and send the TCP SYN message.
Optionally, a redirection server, that is, a second server, for performing redirection processing on messages such as HTTP messages, HTTPS messages, and DNS messages sent by the client may be deployed in the system in advance, so that the URL of the first server, that is, the Web server, stored in the redirection server can be flexibly configured.
Specifically, after the access device creates a HASH table, that is, stores the destination IP address of the TCP SYN packet, the access device may use the IP address of the redirection server as the destination IP address of the TCP SYN packet, and after recalculating the checksum of the TCP packet header and the IP packet header in the TCP SYN packet, send the TCP SYN packet to the redirection server, and perform packet processing by the redirection server.
S304: Respond to the target message and generate a TCP SYN ACK message.
S305: a TCP SYN ACK message is returned.
In a specific embodiment, after receiving the TCP SYN message sent by the access device, the redirect server responds to the TCP SYN message, generates a TCP SYN ACK message, and returns the TCP SYN ACK message to the access device. The destination IP address and the destination port number of the TCP SYN ACK message are the IP address and the port number corresponding to the client.
S306: Look up the IP address stored as the result value in the HASH table, and use the IP address found as the source IP address of the TCP SYN ACK message.
S307: a TCP SYN ACK message is returned.
In a specific embodiment, the access device receives the TCP SYN ACK message, i.e., the response message, returned by the redirect server, and searches the HASH table using the destination IP address and destination port number of the TCP SYN ACK message, that is, the IP address and port number of the client, as the KEY. It obtains the corresponding VALUE, which is the destination IP address of the TCP SYN message, uses that IP address as the source IP address of the TCP SYN ACK message, recalculates the checksums of the TCP header and the IP header in the TCP SYN ACK message, and sends the message to the client, thereby implementing IP address conversion.
It should be noted that, in the redirection process, for subsequently received messages such as HTTP messages, HTTPS messages and DNS messages, that is, messages whose TCP destination port number is 80 or 443 or whose UDP destination port number is 53, the access device may, through the above processing, replace the destination IP address of the received message with the IP address of the redirection server and forward the message to the redirection server. After the redirection server responds, it sends the response message to the access device; the access device performs IP address conversion according to the HASH table, using the destination IP address of the received message stored in the HASH table as the source IP address of the response message, and then sends the response message to the client. Details are not repeated below.
S308: Send the TCP ACK message.
S309: Send the TCP ACK message.
S310: an HTTP GET request is sent.
S311: an HTTP GET request is sent.
S312: Respond to the HTTP GET request and generate a TCP FIN message, where the TCP FIN message includes the URL of the Web server.
Optionally, before the client sends the HTTP GET request, i.e. the page acquisition request, the redirect server may also perform SSL negotiation with the client to determine a key for communication between the redirect server and the client. Further, the client may encrypt the HTTPS GET request according to the key determined by the SSL negotiation, and send the encrypted HTTP GET request to the redirect server through the access device.
Further, after receiving the encrypted HTTPS GET request message, the redirect server decrypts it according to the key determined by the SSL negotiation, thereby obtaining plaintext data, and in response to the HTTPS GET request generates a redirect message TCP FIN, which is the page response. The TCP FIN message may specifically be an HTTP 301 response message or an HTTP 302 response message, and it includes the preconfigured URL of the Web server, so that the client communicates with the Web server according to the URL.
It should be noted that the URL of the Web server in the redirect server can be flexibly configured according to the user requirement.
S313: Return the TCP FIN message.
S314: Return the TCP FIN message.
S315: Send the TCP ACK message.
S316: Send the TCP ACK message.
S317: Send the TCP FIN message.
S318: Send the TCP FIN message.
S319: Return the TCP ACK message.
S320: Return the TCP ACK message.
In a specific embodiment, after receiving the TCP FIN packet returned by the access device, the client may reply with an ACK packet and a FIN packet in sequence. After receiving the TCP FIN packet sent by the client, the access device may replace the destination IP address of the TCP FIN packet with the IP address of the redirect server and forward the packet to the redirect server. The redirect server responds to the TCP FIN message with an ACK and returns the TCP ACK message to the access device, and the access device sends the TCP ACK message on to the client.
S321: Send a TCP SYN message.
S322: a TCP SYN ACK message is returned.
S323: Send the TCP ACK message.
In a specific embodiment, after receiving a redirection packet including a URL of a Web server returned by an access device, a client may initiate a TCP connection with the Web server, redirect to the Web server according to the URL, and communicate with the Web server.
By implementing the embodiment of the invention, a redirection server, namely the second server, is deployed in the system to redirect messages such as HTTP messages and HTTPS messages. The URL of the Web server to be redirected to can therefore be flexibly configured in the redirection server, and deploying the redirection server also reduces the load on the access device to a certain extent. Redirection of messages such as HTTP messages and HTTPS messages can thus be effectively realized, and the client can access the webpage corresponding to the URL.
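The two address rewrites of this embodiment, each followed by recalculation of the IP header and TCP checksums, can be traced on raw packet bytes. This is an added example, not code from the patent: the function and class names, the plain dictionary standing in for the HASH table, and the sample addresses and packets are assumptions, and only IPv4 TCP packets without options are handled.

```python
import socket
import struct

REDIRECT_PORTS = (80, 443)   # TCP destination ports the text treats as target messages


def csum(data: bytes) -> int:
    """Internet checksum: 16-bit one's-complement sum, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo(pkt: bytes, ihl: int) -> bytes:
    # TCP pseudo-header: source IP, destination IP, zero, protocol, TCP length
    return pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(pkt) - ihl)


def fix_checksums(pkt: bytes) -> bytes:
    """Recalculate the IP header checksum and the TCP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", csum(bytes(out[:ihl])))
    out[ihl + 16:ihl + 18] = b"\x00\x00"
    tcp = csum(_pseudo(bytes(out), ihl) + bytes(out[ihl:]))
    out[ihl + 16:ihl + 18] = struct.pack("!H", tcp)
    return bytes(out)


def checksums_ok(pkt: bytes) -> bool:
    """A receiver's check: both sums over the received bytes must be zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return csum(pkt[:ihl]) == 0 and csum(_pseudo(pkt, ihl) + pkt[ihl:]) == 0


def build_tcp(src, dst, sport, dport, flags) -> bytes:
    """Constructed 40-byte IPv4+TCP packet, no options, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return fix_checksums(ip + tcp)


def parse(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), sport, dport


def set_addr(pkt: bytes, offset: int, addr: str) -> bytes:
    """Overwrite the source (offset 12) or destination (offset 16) IP only."""
    out = bytearray(pkt)
    out[offset:offset + 4] = socket.inet_aton(addr)
    return bytes(out)


class AccessDevice:
    """Hypothetical model of the access device in the redirect-server variant."""

    def __init__(self, redirect_ip):
        self.redirect_ip = redirect_ip
        self.table = {}   # (client IP, client port) -> original destination IP

    def from_client(self, pkt):
        src, dst, sport, dport = parse(pkt)
        if dport not in REDIRECT_PORTS:
            return pkt                        # not a target message
        self.table[(src, sport)] = dst        # KEY -> VALUE
        return fix_checksums(set_addr(pkt, 16, self.redirect_ip))

    def to_client(self, pkt):
        src, dst, sport, dport = parse(pkt)
        orig_dst = self.table.get((dst, dport))
        if orig_dst is None:
            return None                       # no stored mapping for this client
        return fix_checksums(set_addr(pkt, 12, orig_dst))
```

A response whose source address is swapped without `fix_checksums` fails `checksums_ok`, which is why the description pairs every address replacement with a checksum recalculation.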
Referring to fig. 4, a schematic structural diagram of a message response apparatus according to an embodiment of the present invention is shown, where the apparatus may include a storage module 11, a message processing module 12, a message sending module 13, and a response module 14.
The device of the embodiment of the invention can be specifically arranged in access equipment such as a switch, a router and the like.
The storage module 11 is configured to receive a target packet sent by a client, acquire a destination IP address of the target packet, and store the destination IP address.
The target message includes a source IP address, a source port number, and the destination IP address.
In a specific embodiment, a client inputs the URL of a website to be accessed through a browser and obtains the IP address of the website: it sends a DNS request to the DNS server corresponding to the website and receives the IP address of the website returned by the DNS server in response to the DNS request. Optionally, the access device may also respond to the DNS request as a proxy and return the IP address of the website, which is not limited in the embodiment of the present invention.
The client sends the target message after acquiring the IP address of the website, namely the destination IP address. The storage module 11 receives the target message sent by the client, and stores the destination IP address of the target message.
It should be noted that the target message is an HTTP message, an HTTPS message, or another application layer protocol message, such as a UDP message when redirecting a DNS message. Specifically, when receiving a message sent by a client, an access device may use the received message as a target message if it detects that the TCP destination port number of the message is 80 (HTTP message) or 443 (HTTPS message), or that the UDP destination port number is 53 (DNS message).
The message processing module 12 is configured to process the target message to obtain a response message of the target message.
The destination IP address and the destination port number of the response message are the source IP address and the source port number of the target message.
Optionally, the message processing module 12 may store the destination IP address of the target message by creating a data table, where the data table includes a correspondence between a key value (KEY) and a result value (VALUE); for example, the source IP address and the source port number of the target message are used as the KEY, and the destination IP address of the target message is stored in the data table as the VALUE. The data table may be a HASH table.
The message sending module 13 is configured to replace the source IP address of the response message with the stored destination IP address of the target message, and send the response message to the client.
In a specific embodiment, after the message processing module 12 responds to the received target message and obtains a response message, the message sending module 13 may further use the destination IP address of the stored target message as the source IP address of the response message, and send the response message to the client.
The response module 14 is configured to receive a page obtaining request sent by the client, process the page obtaining request, and return a page response to the page obtaining request to the client, where the page response includes a URL of the first server.
Optionally, the first server may be a server associated with the access device, where the first server includes a Web server, a video server, a game server, and the like, and the embodiment of the present invention is not limited thereto. The access device is pre-configured with the URL address of the first server.
Further, after receiving a page acquisition request, such as an HTTP GET request, sent by the client according to the response message, the response module 14 may redirect the HTTP GET request to obtain a page response, and return to the client the URL of the Web server to which the client needs to be redirected.
By implementing the embodiment of the invention, when a target message sent by a client is received, the destination IP address of the target message is acquired and stored, and the response message of the target message is obtained. The stored destination IP address of the target message then replaces the source IP address of the response message, and after this IP address conversion the response message is sent to the client. When a page acquisition request sent by the client according to the response message is received, a page response comprising the URL of the first server can be returned to the client, so that the client can access the page corresponding to the URL.
Referring to fig. 5, which is a schematic structural diagram of another message response apparatus according to an embodiment of the present invention, on the basis shown in fig. 4, the message processing module 12 may be specifically configured to:
replace the destination IP address of the target message with the IP address of the access device, and respond to the target message to obtain a response message of the target message, where the source IP address of the response message is the IP address of the access device;
the response module 14 may be specifically configured to:
receive a page acquisition request sent by the client, respond to the page acquisition request to obtain a page response of the page acquisition request, and return the page response to the client.
Further, the apparatus may further include:
an SSL negotiation module 15, configured to perform SSL negotiation with the client, and determine a key for communication with the client;
the response module 14 may further include:
a second receiving unit 141, configured to receive the HTTP GET request encrypted with the key and sent by the client, and perform decryption processing on the HTTP GET request according to the key;
a response obtaining unit 142, configured to obtain a page response to the page obtaining request in response to the HTTP GET request after the decryption process, and encrypt the page response according to the key;
a second sending unit 143, configured to return the page response encrypted with the key to the client, so that the client communicates with the first server according to the URL of the first server.
In a specific embodiment, if the received packet is an HTTPS packet, before redirection processing the SSL negotiation module 15 may perform SSL negotiation with the client, negotiate a certificate with the client, and determine a key for communication between the access device and the client. Specifically, when performing redirection processing, the second receiving unit 141 may receive the HTTP GET request that is sent by the client and encrypted with the key determined by the SSL negotiation, perform SSL processing on the HTTP GET request, and decrypt it into plaintext data. The response obtaining unit 142 may respond to the HTTP GET request, generate a redirection packet, that is, a page response, and encrypt the redirection packet with the key. The second sending unit 143 then returns the redirection packet to the client, so that the client communicates with the Web server according to the URL of the Web server and the client's request is redirected to the Web server.
The embodiment of the invention can store the destination IP address of the message after the access equipment receives the target message sent by the client, and takes the IP address of the access equipment as the destination IP address of the target message so as to respond to the target message and generate a response message, and then takes the stored destination IP address as the source IP address of the response message to carry out IP address conversion and send the response message to the client; and after SSL processing is carried out on the HTTP GET request, a preset URL of the Web server is replied to the client, so that the redirection of the HTTPS message is realized, and the client can access the webpage corresponding to the URL.
Referring to fig. 6, which is a schematic structural diagram of another message response apparatus according to an embodiment of the present invention, on the basis of fig. 4, the message processing module 12 may further include:
an IP obtaining unit 121 configured to obtain an IP address of the second server;
a first sending unit 122, configured to replace a destination IP address of the target packet with an IP address of the second server, and send the target packet to the second server, so that the second server responds to the target packet, and generates a response packet of the target packet;
a first receiving unit 123, configured to receive the response packet returned by the second server, where a source IP address of the response packet is an IP address of the second server.
Optionally, a redirection server, that is, a second server, may be deployed in the system in advance, where the redirection server is used to redirect HTTP messages, HTTPS messages, and other messages sent by the client. The first server may be associated with the second server, and the URL address of the first server is configured in the second server, so that the URL of the Web server stored in the second server may be flexibly configured.
Specifically, after the storage module 11 stores the destination IP address of the target packet, the IP address of the second server may be obtained through the IP obtaining unit 121, the first sending unit 122 uses the IP address of the second server as the destination IP address of the target packet, and after recalculating the checksum of the TCP packet header and the IP packet header in the target packet, sends the target packet to the second server, and the second server performs packet processing to generate the response packet of the target packet. The first receiving unit 123 receives a response message returned by the second server.
Further, in an embodiment of the present invention, the response module 14 may include:
a request processing unit 144, configured to receive the page obtaining request, and forward the page obtaining request to the second server, so that the second server responds to the page obtaining request to obtain a page response of the page obtaining request;
a response processing unit 145, configured to receive the page response returned by the second server, and return the page response to the client.
Optionally, before the client sends the page obtaining request, such as an HTTP GET request, the second server may also perform SSL negotiation with the client to determine a key for communication between the second server and the client. Further, the client may encrypt the HTTP GET request according to the key determined by the SSL negotiation and send the encrypted HTTP GET request to the access device, and the access device may send the encrypted HTTP GET request to the second server through the request processing unit 144, so that the second server performs SSL processing on the HTTP GET request and generates a page response including the URL of the first server, such as a Web server, to which redirection is required. The response processing unit 145 receives the page response returned by the second server.
It should be noted that the URL of the Web server in the second server can be flexibly configured according to the user requirement.
By implementing the embodiment of the invention, a redirection server, namely the second server, is deployed in the system to redirect messages such as HTTP messages or HTTPS messages. The URL of the Web server to be redirected to can therefore be flexibly configured in the redirection server, and deploying the redirection server also reduces the load on the access device to a certain extent. Redirection of messages such as HTTP messages and HTTPS messages can thus be effectively realized, and the client can access the webpage corresponding to the URL.
Further, on the basis shown in fig. 4, fig. 5, or fig. 6, the storage module 11 may further include:
an IP obtaining unit 111, configured to receive a target packet sent by a client, and obtain a source IP address, a source port number, and a destination IP address of the target packet;
a creating unit 112, configured to create a data table by using the source IP address and the source port number of the target packet as key values and using the destination IP address of the target packet as a result value;
Optionally, the created data table may be a HASH table. Specifically, after receiving the target packet, the IP obtaining unit 111 may obtain the source IP address, the source port number, and the destination IP address of the target packet, and the creating unit 112 creates a HASH table by using the source IP address and the source port number of the packet as the key value (KEY) and the destination IP address as the result value (VALUE), thereby storing the destination IP address of the packet so that it can be obtained during the subsequent IP address conversion.
The message sending module 13 may further include:
a searching unit 131, configured to search a data table corresponding to a key value by using a destination IP address and a destination port number of the response packet as the key value;
an IP conversion unit 132, configured to obtain an IP address as a result value from the data table searched by the search unit 131, use the IP address as a source IP address of the response packet, and send the response packet to the client.
Specifically, the searching unit 131 may search the HASH table using the destination IP address and destination port number of the response packet, that is, the IP address and port number of the client, as the KEY, and obtain the corresponding VALUE, which is the destination IP address of the target packet. The IP conversion unit 132 uses that IP address as the source IP address of the response packet, recalculates the checksums of the TCP header and the IP header in the response packet, and sends the response packet to the client, thereby implementing IP address conversion.
In the embodiment of the present invention, when a target packet sent by a client is received, a HASH table may be created according to the source IP address and source port number of the target packet to store the destination IP address of the packet, and a response packet of the target packet may be obtained by processing the target packet. The destination IP address found in the HASH table is then used as the source IP address of the response packet, and the response packet is sent to the client after this IP address conversion. When a page acquisition request sent by the client according to the response packet is received, the pre-configured URL of the first server is returned to the client, thereby implementing redirection of packets such as HTTP or HTTPS packets and enabling the client to access the web page corresponding to the URL.
Further, please refer to fig. 7, which is a schematic structural diagram of an access device according to an embodiment of the present invention. The access device according to the embodiment of the present invention includes a communication port 300, a memory 200 and a processor 100, which may be connected by a bus or in other ways. In this embodiment, a bus connection is used as an example.
The memory 200 may be a random access memory (RAM) or a non-volatile memory, such as at least one disk memory.
The memory 200 stores therein a program. In particular, the program may include program code comprising computer operating instructions.
The processor 100 executes the program stored in the memory 200 to implement the message response method shown in fig. 1 of the present invention, which includes:
receiving a target message sent by a client through the communication port 300, acquiring and storing a destination Internet Protocol (IP) address of the target message, wherein the target message comprises a source IP address, a source port number and the destination IP address;
processing the target message to obtain a response message of the target message, wherein a destination IP address and a destination port number of the response message are a source IP address and a source port number of the target message;
replacing the source IP address of the response message with the stored destination IP address of the target message, and sending the response message to the client through the communication port 300;
receiving a page obtaining request sent by the client through the communication port 300, processing the page obtaining request, and returning a page response to the page obtaining request to the client through the communication port 300, wherein the page response includes a Uniform Resource Locator (URL) of the first server.
Optionally, the processing the target packet to obtain a response packet of the target packet specifically includes:
replacing the destination IP address of the target message with the IP address of the access device, and responding to the target message to obtain a response message of the target message, wherein the source IP address of the response message is the IP address of the access device;
correspondingly, the receiving a page obtaining request sent by the client and processing the page obtaining request specifically includes:
receiving a page acquisition request sent by the client through the communication port 300, responding to the page acquisition request, and obtaining a page response of the page acquisition request.
Optionally, the processing the target packet to obtain a response packet of the target packet specifically includes:
acquiring an IP address of a second server;
replacing the destination IP address of the target message with the IP address of the second server, and sending the target message to the second server so that the second server responds to the target message and generates a response message of the target message;
receiving the response message returned by the second server, wherein the source IP address of the response message is the IP address of the second server;
correspondingly, the receiving a page obtaining request sent by the client and processing the page obtaining request specifically includes:
receiving the page obtaining request through the communication port 300, and forwarding the page obtaining request to the second server, so that the second server responds to the page obtaining request to obtain a page response of the page obtaining request;
and receiving the page response returned by the second server through the communication port 300.
Optionally, before the receiving a page obtaining request sent by the client and processing the page obtaining request, the method may further include:
performing Secure Socket Layer (SSL) negotiation with the client, and determining a secret key for communication with the client;
correspondingly, the receiving a page obtaining request sent by the client, processing the page obtaining request, and returning a page response to the page obtaining request to the client specifically includes:
receiving, through the communication port 300, the HTTP GET request encrypted with the key sent by the client, and decrypting the HTTP GET request according to the key;
responding to the HTTP GET request after decryption processing to obtain a page response of the page acquisition request, and encrypting the page response according to the secret key;
and returning the page response encrypted by the key to the client through the communication port 300 so that the client communicates with the first server according to the URL of the first server.
Optionally, the receiving a target packet sent by a client, acquiring and storing a destination IP address of the target packet, specifically includes:
receiving a target message sent by a client through the communication port 300, and acquiring a source IP address, a source port number and a destination IP address of the target message;
taking the source IP address and the source port number of the target message as key values, and taking the destination IP address of the target message as a result value, to create a data table;
the memory 200 may also be used to store the data table.
Correspondingly, the replacing the source IP address of the response packet with the stored destination IP address of the target packet, and sending the response packet to the client specifically includes:
using the destination IP address and the destination port number of the response message as key values, and searching a data table corresponding to the key values;
and acquiring an IP address serving as a result value from the searched data table, using the IP address as a source IP address of the response packet, and sending the response packet to the client through the communication port 300.
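An added example, not part of the patent text: a Python sketch of the data table described above, in the variant where the access device answers the target message itself. The addresses, the portal URL, the class and method names, and delivering the URL as an HTTP 302 redirect are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

DEVICE_IP = "192.0.2.1"                          # constructed: access device address
PORTAL_URL = "http://portal.example.net/login"   # constructed: URL of the "first server"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class AccessDevice:
    """Hypothetical model of the access device's address handling."""

    def __init__(self, device_ip: str, portal_url: str) -> None:
        self.device_ip = device_ip
        self.portal_url = portal_url
        # Data table: (source IP, source port) of the target message
        # -> destination IP the client originally addressed.
        self.table: Dict[Tuple[str, int], str] = {}

    def store_and_retarget(self, pkt: Packet) -> Packet:
        # The key holds no destination, so a later packet from the same
        # client IP and port to another destination overwrites the entry.
        self.table[(pkt.src_ip, pkt.src_port)] = pkt.dst_ip
        return replace(pkt, dst_ip=self.device_ip)

    def page_response(self) -> bytes:
        # Assumption: the URL of the first server is carried in a 302 redirect.
        return (f"HTTP/1.1 302 Found\r\nLocation: {self.portal_url}\r\n"
                "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")

    def local_response(self, pkt: Packet) -> Packet:
        # The device answers as itself: source is the device address,
        # destination is the client's source address and port.
        body = self.page_response() if pkt.payload.startswith(b"GET ") else b""
        return Packet(self.device_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, body)

    def rewrite_source(self, resp: Packet) -> Optional[Packet]:
        # Look up by the response's destination IP and port, then put the
        # stored address in as the source. No entry: nothing is sent.
        original_dst = self.table.get((resp.dst_ip, resp.dst_port))
        if original_dst is None:
            return None
        return replace(resp, src_ip=original_dst)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        retargeted = self.store_and_retarget(pkt)
        return self.rewrite_source(self.local_response(retargeted))


if __name__ == "__main__":
    device = AccessDevice(DEVICE_IP, PORTAL_URL)
    # Constructed sample: a client request addressed to an outside server.
    request = Packet("10.0.0.5", 50000, "203.0.113.80", 80,
                     b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
    print(device.handle(request))
```

From the client's side the reply appears to come from the address it contacted, which is why the redirect is accepted on the existing connection.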
The processor 100 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division of the units is only a logical division, and other divisions are possible in practice: a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A message response method, comprising:
an access device receives a target message sent by a client, and obtains and stores a destination Internet Protocol (IP) address of the target message, wherein the target message comprises a source IP address, a source port number and the destination IP address;
the access device processes the target message to obtain a response message of the target message, wherein a destination IP address and a destination port number of the response message are the source IP address and the source port number of the target message;
the access device replaces the source IP address of the response message with the stored destination IP address of the target message, and sends the response message to the client;
the access equipment receives a page acquisition request sent by the client, processes the page acquisition request, and returns a page response to the page acquisition request to the client, wherein the page response comprises a Uniform Resource Locator (URL) of a first server;
the access device is preconfigured with the URL of the first server, so as to respond to the page obtaining request when receiving the page obtaining request sent by the client, and generate a page response including the URL of the first server.
2. The method of claim 1,
the access device processes the target packet to obtain a response packet of the target packet, including:
the access device replaces the destination IP address of the target message with the IP address of the access device, responds to the target message, and obtains a response message of the target message, wherein the source IP address of the response message is the IP address of the access device;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client and processing the page acquisition request includes:
and the access equipment receives a page acquisition request sent by the client, responds to the page acquisition request and obtains a page response of the page acquisition request.
3. The method of claim 1,
the access device processes the target packet to obtain a response packet of the target packet, including:
the access equipment acquires an IP address of a second server;
the access device replaces the destination IP address of the target message with the IP address of the second server and sends the target message to the second server so that the second server responds to the target message and generates a response message of the target message;
the access equipment receives the response message returned by the second server, and the source IP address of the response message is the IP address of the second server;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client and processing the page acquisition request includes:
the access equipment receives the page acquisition request and forwards the page acquisition request to the second server so that the second server responds to the page acquisition request to obtain a page response of the page acquisition request;
and the access equipment receives the page response returned by the second server.
4. The method of claim 2,
before the access device receives the page obtaining request sent by the client and processes the page obtaining request, the method further includes:
the access equipment and the client perform Secure Socket Layer (SSL) negotiation, and a secret key for communication with the client is determined;
correspondingly, the step of receiving, by the access device, a page acquisition request sent by the client, processing the page acquisition request, and returning a page response to the page acquisition request to the client includes:
the access equipment receives an HTTP GET request which is sent by the client and encrypted by the key, and decrypts the HTTP GET request according to the key;
the access equipment responds to the HTTP GET request after decryption processing to obtain a page response of the page acquisition request, and encrypts the page response according to the secret key;
and the access equipment returns the page response encrypted by the key to the client so that the client communicates with the first server according to the URL of the first server.
5. The method according to any one of claims 1 to 4,
the access device receives a target message sent by a client, acquires and stores a destination IP address of the target message, and comprises:
the access equipment receives a target message sent by a client, and acquires a source IP address, a source port number and a destination IP address of the target message;
the access device takes the source IP address and the source port number of the target message as key values and takes the destination IP address of the target message as a result value to create a data table;
correspondingly, the step of the access device replacing the source IP address of the response packet with the stored destination IP address of the target packet, and sending the response packet to the client includes:
the access equipment takes the destination IP address and the destination port number of the response message as key values and searches a data table corresponding to the key values;
and the access equipment acquires the IP address serving as a result value from the searched data table, takes the IP address as the source IP address of the response message, and sends the response message to the client.
6. A message response apparatus, wherein the apparatus is disposed in an access device, and comprises:
a storage module, configured to receive a target message sent by a client, and to acquire and store a destination IP address of the target message, wherein the target message comprises a source IP address, a source port number and the destination IP address;
a message processing module, configured to process the target message to obtain a response message of the target message, where a destination IP address and a destination port number of the response message are a source IP address and a source port number of the target message;
the message sending module is used for replacing the source IP address of the response message by the stored destination IP address of the target message and sending the response message to the client;
the response module is used for receiving a page acquisition request sent by the client, processing the page acquisition request and returning a page response to the page acquisition request to the client, wherein the page response comprises a URL (uniform resource locator) of the first server;
the access device is configured with a URL of the first server in advance, and the response module is specifically configured to respond to the page obtaining request when receiving the page obtaining request sent by the client, and generate a page response including the URL of the first server.
7. The apparatus of claim 6,
the message processing module is specifically configured to:
replacing the destination IP address of the target message with the IP address of the access device, and responding to the target message to obtain a response message of the target message, wherein the source IP address of the response message is the IP address of the access device;
the response module is specifically configured to:
and receiving a page acquisition request sent by the client, responding to the page acquisition request, obtaining a page response of the page acquisition request, and returning the page response to the client.
8. The apparatus of claim 6,
the message processing module comprises:
an IP obtaining unit configured to obtain an IP address of the second server;
a first sending unit, configured to replace a destination IP address of the target packet with an IP address of the second server, and send the target packet to the second server, so that the second server responds to the target packet and generates a response packet of the target packet;
a first receiving unit, configured to receive the response packet returned by the second server, where a source IP address of the response packet is an IP address of the second server;
the response module includes:
the request processing unit is used for receiving the page acquisition request and forwarding the page acquisition request to the second server so that the second server responds to the page acquisition request to obtain a page response of the page acquisition request;
and the response processing unit is used for receiving the page response returned by the second server and returning the page response to the client.
9. The apparatus of claim 7, further comprising:
the SSL negotiation module is used for carrying out SSL negotiation with the client and determining a key for communication with the client;
the response module includes:
a second receiving unit, configured to receive an HTTP GET request encrypted with the key and sent by the client, and perform decryption processing on the HTTP GET request according to the key;
the response acquisition unit is used for responding to the HTTP GET request after decryption processing, acquiring a page response of the page acquisition request, and encrypting the page response according to the secret key;
and the second sending unit is used for returning the page response encrypted by the key to the client so as to enable the client to communicate with the first server according to the URL of the first server.
10. The apparatus according to any one of claims 6 to 9,
the storage module includes:
an IP acquisition unit, configured to receive a target message sent by a client and acquire the source IP address, the source port number and the destination IP address of the target message;
a creating unit, configured to create a data table by using the source IP address and the source port number of the target packet as key values and using the destination IP address of the target packet as a result value;
the message sending module comprises:
the searching unit is used for taking the destination IP address and the destination port number of the response message as key values and searching a data table corresponding to the key values;
and the IP conversion unit is used for acquiring an IP address serving as a result value from the data table searched by the searching unit, taking the IP address as a source IP address of the response message, and sending the response message to the client.
CN201410810775.5A 2014-12-22 2014-12-22 Message response method and device Active CN105791451B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410810775.5A CN105791451B (en) 2014-12-22 2014-12-22 Message response method and device
PCT/CN2015/083593 WO2016101591A1 (en) 2014-12-22 2015-07-08 Packet response method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410810775.5A CN105791451B (en) 2014-12-22 2014-12-22 Message response method and device

Publications (2)

Publication Number Publication Date
CN105791451A CN105791451A (en) 2016-07-20
CN105791451B true CN105791451B (en) 2020-02-21

Family

ID=56149144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410810775.5A Active CN105791451B (en) 2014-12-22 2014-12-22 Message response method and device

Country Status (2)

Country Link
CN (1) CN105791451B (en)
WO (1) WO2016101591A1 (en)

Also Published As

Publication number Publication date
CN105791451A (en) 2016-07-20
WO2016101591A1 (en) 2016-06-30


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant