Disclosure of Invention
In order to solve the problems of the prior art, the invention provides a secure data transmission method for an HTTP proxy framework, comprising the following steps:
the proxy gateway accepts the login of the client;
the client sends an HTTP request message, and the proxy gateway judges whether to accept the request;
if the request is refused, the connection with the client is closed; if the request is accepted, the proxy gateway judges, according to the content of the request message, whether a snapshot exists locally at the proxy gateway;
if no snapshot exists, the proxy gateway fetches the corresponding content from the server;
if a snapshot exists, the corresponding content is read from the local snapshot according to a preset search mechanism, and an HTTP response message is constructed and sent to the user.
Preferably, the client-side component of the proxy gateway receives the data from the redirection unit, assembles it into an HTTP request message, and forwards that message to the designated server according to the destination IP address determined by the redirection unit.
Preferably, after the designated server receives the message, the server-side component of the proxy gateway hands the returned data directly to the storage unit; the storage unit receives the data, delivers it to the client-side component and at the same time stores the received object in the local snapshot of the proxy gateway; the client-side component forwards each data packet to the client immediately on receipt.
Preferably, the client-side component monitors the port number and URL of the user request; when it receives them it evaluates the request with a hash algorithm, derives a key value from the hash, looks up by that key value whether the requested object is hit, and responds accordingly.
Preferably, when a client user accesses the content of a specific URL, the client sends a request for obtaining the message from a randomly chosen port number to the proxy address of the HTTP proxy gateway; after receiving the request, the proxy gateway parses the URL and data and queries, through its own query mechanism, whether a snapshot exists locally. If no snapshot exists, the proxy gateway sends the request to the web server from a randomly chosen port number; on receiving the message acquisition request of the HTTP proxy gateway, the server replies with a success flag and delivers the requested file content to the proxy gateway. After receiving the data, the proxy gateway delivers it to the client, decides from its configuration items whether the data is to be snapshotted, and, if so, calls the related components to store it;
when other client users in the same local area network access the same URL, the proxy gateway receives the request, calls the related component to query whether the requested content is stored and whether it has expired, and, if it is stored and not expired, delivers the content to the client directly;
when the snapshot content of the HTTP proxy gateway has expired, the proxy gateway sends a request message to the server asking whether the snapshotted resource has been modified; after receiving the resource query request, the server checks whether the resource is still unmodified and, if so, replies to the HTTP proxy gateway with an unmodified message; after receiving the message that the snapshot resource is still unmodified, the HTTP proxy gateway extracts the content requested by the client from its snapshot and delivers it to the client.
Compared with the prior art, the invention has the following advantage:
the secure data transmission method for an HTTP proxy framework provided by the invention realizes secure, real-time data transmission through an HTTP-based proxy server.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the present invention provides a secure data transmission method for an HTTP proxy framework. Fig. 1 is a flowchart of the HTTP proxy framework secure data transmission method according to an embodiment of the present invention.
The HTTP proxy gateway sits between a client and a server and logically comprises an access control unit, a redirection unit, an authentication unit and a storage unit; its client-side component faces the user and its server-side component faces the origin server. The client logs in to the proxy gateway through the authentication unit. When the client-side component of the proxy gateway receives an HTTP request message from the user, the access control unit first judges whether the request is accepted or refused. If the request is refused, the connection with the client is closed. If the request is accepted, the storage unit judges from the content of the request message whether the proxy gateway holds a snapshot locally. If the local snapshot is not hit, the redirection unit fetches the corresponding content from the server. If the local snapshot is hit, the corresponding content is read from the local snapshot according to a preset search mechanism, and an HTTP response message is constructed and handed to the client-side component, which sends it to the user. On a miss, the client-side component receives the data from the redirection unit, assembles it into an HTTP request message, and forwards that message to the designated server according to the destination IP address determined by the redirection unit. After receiving the message, the designated server returns an HTTP response message to the server-side component of the proxy gateway, which hands the data directly to the storage unit. The storage unit receives the data, delivers it to the client-side component and at the same time stores the received object in the local snapshot of the proxy gateway. The client-side component forwards each data packet to the client immediately on receipt, and the whole process ends.
The authentication unit lets the client and the proxy gateway negotiate a master key in an agreed manner; the invention therefore defines a master key update algorithm for the shared master key. A randomly generated string of 128 letters and digits is taken as the first master key, and after a certain time the client and the proxy gateway jointly update the master key as follows:
take the first character of the master key currently in use and convert it to an integer n; circularly shift the master key left by n bits; divide the result sequentially into 256-bit segments; take each segment as the message to be digested and hash it together with the current master key; and concatenate the hash results to obtain a new key of the same length as the existing master key. The client and the proxy gateway then regenerate their key arrays from the new master key. Each party derives its key array independently by transforming the master key in the agreed way, and because both start from the same master key the two arrays are identical. A session key is generated as follows: compute an index value from the master key; circularly shift the master key left by the index; divide it sequentially into 256-bit segments; map the index into the range [1, 256] and circularly shift the even-numbered segments left and the odd-numbered segments right by that amount; take each shifted segment as the message to be digested and hash it together with the master key in use; and concatenate the results to obtain a session key of the same length as the master key. Repeating this process for each bit position of the master key, several times over, yields the session key array.
Because the client and the proxy gateway schedule the same session key from the same key array, the key can be used for authentication: a session key is selected at random. The name of the key array is transmitted and an index value is chosen at random; the session key is taken from the key array according to the name and index; that session key is used as the message and hashed together with the master key, and the result is the session key used for this session. The client and the proxy gateway communicate once both have obtained the key.
The single sign-on modules in the proxy gateway and in the web server execute the same protocol. When the gateway and the server interact, the sender first applies the MD5 operation with the shared key; when the transmitted ciphertext reaches the peer, the peer first obtains the key, applies the MD5 operation in turn, and then performs authentication. Since MD5 is a one-way hash and cannot be reversed, the "decryption" in the steps below can only be carried out by recomputing the digest with the shared key and comparing it with the received value. The specific process comprises the following steps:
(1) the client accesses the first server; the gateway in front of the first server intercepts the web request and checks whether a corresponding Cookie exists; if there is no Cookie, the gateway redirects the client to the login page, otherwise step (7) is performed;
(2) the client executes the authentication algorithm, obtains a session key from the key array as the shared key, applies the keyed MD5 operation to the user name and password, and transmits the protected user name and password to the server;
(3) the server obtains the index value, obtains the session key from the key array, executes the hash algorithm, recomputes and checks the MD5 digest, obtains the user information, verifies the user name and password, generates a ticket after the verification passes, and stores the ticket bound to the user name;
(4) the server executes the authentication algorithm: it randomly generates the number of bits by which the master key is circularly shifted, schedules the master key from the key array of the first server, prepends the shifted master key to the ticket, applies MD5 to the result, appends the shift count to the digest string, and transmits the content to the front end;
(5) the ticket information is verified; the ticket is protected with the session keys from the key arrays of the first server and the second server respectively, and the protected ticket contents are transmitted to each server;
(6) each server first parses the received data, obtains the index value, schedules the key from the gateway's key array, executes the hash algorithm, recomputes and checks the MD5 digest, and then verifies the session key spliced in front of the ticket; if verification passes it executes the authentication algorithm again, schedules the key from the client's key array, applies the keyed MD5 operation to the session key and the ticket information, appends the index value to the resulting string, writes it into a Cookie, and stores the Cookie in the user's browser; if verification fails, the user is notified;
(7) the first server reads the Cookie, obtains the master key from the client's key array, executes the index algorithm, recomputes and checks the MD5 digest, verifies the master key, and issues the ticket when verification passes; after the ticket is obtained it checks whether the user information exists in the session; if it does not exist, or the stored information is inconsistent with the Cookie, it communicates with the server, executes the proxy gateway authentication, sends the protected information with the index appended to the server for verification, and goes to step (8); if the session context exists and the stored information is consistent with the user information in the Cookie, the client enters the server;
(8) the server parses the received information, schedules the key from the key array of the first server, recomputes and checks the MD5 digest, and verifies the master key; if the check fails it returns the verification result and notifies the user of the failure; if it passes, the ticket information is verified by fetching the ticket information from the snapshot and comparing it with the received ticket; if they are consistent the verification passes, otherwise it fails, and the verification result is returned to the server.
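Steps (4) and (8) as an added worked example (not the patent's code and not the applicant's implementation). Because MD5 is a one-way hash, the receiving side cannot "decrypt" the token; it recomputes the digest from its own copy of the master key and the transmitted shift count and compares the two in constant time, then checks the ticket against the copy bound to the user at step (3). The example assumes the ticket is sent alongside the digest, shifts the key by characters rather than by bits, and uses a constructed master key and ticket; a current deployment would use HMAC-SHA-256 rather than a bare MD5 over the concatenated key and ticket.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def rotl_chars(key: str, n: int) -> str:
    """Circular shift of the master key.  ASSUMPTION: by characters rather than the
    page's bits, which keeps the token readable and changes nothing else."""
    n %= len(key)
    return key[n:] + key[:n]


def issue_ticket_token(master_key: str, ticket: str, shift: Optional[int] = None) -> str:
    """Step (4): pick a random shift, rotate the master key by it, prepend the rotated
    key to the ticket, MD5 the result and append the shift count.  ASSUMPTION: the
    ticket travels alongside the digest, since step (8) compares the received ticket
    with the stored one."""
    if shift is None:
        shift = secrets.randbelow(len(master_key))
    digest = hashlib.md5((rotl_chars(master_key, shift) + ticket).encode()).hexdigest()
    return f"{digest}:{shift}:{ticket}"


def verify_ticket_token(master_key: str, token: str, stored_ticket: str) -> bool:
    """Step (8): there is no MD5 'decryption'.  The peer recomputes the digest with its
    own copy of the master key and the transmitted shift, compares in constant time,
    and then checks the ticket against the copy bound to the user at step (3)."""
    try:
        digest, shift_str, ticket = token.split(":", 2)
        shift = int(shift_str)
    except ValueError:
        return False            # malformed token: missing fields or non-numeric shift
    expected = hashlib.md5((rotl_chars(master_key, shift) + ticket).encode()).hexdigest()
    return hmac.compare_digest(digest, expected) and ticket == stored_ticket


# Constructed sample values (not from the page).
SAMPLE_MASTER_KEY = "masterkey-0123456789"
SAMPLE_TICKET = "ticket-42"


def demo() -> bool:
    token = issue_ticket_token(SAMPLE_MASTER_KEY, SAMPLE_TICKET)
    return verify_ticket_token(SAMPLE_MASTER_KEY, token, SAMPLE_TICKET)
```

The shift count is sent in the clear; it adds no secrecy, only variety between tokens. What makes verification possible is that both servers hold the same master key, which is why step (8) schedules it from the first server's key array.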
The client-side component of the proxy gateway monitors the port number and URL of the user request; when it receives them it evaluates the request with a hash algorithm, derives a key value, and processes the request according to that key value: it looks up by the key value whether the requested object is hit and responds. When the requested object is hit, the proxy gateway calls the corresponding function provided by its storage system to copy the data from the storage system to the client-side component, which forwards the data to the user. When the requested object is not hit, the server-side component of the proxy gateway forwards the missed request: the proxy user of the proxy gateway makes the data request to the web server, and when the web server's data reaches the HTTP proxy gateway, the server-side component passes the data to the snapshot server in the storage system by calling the corresponding function provided by the storage system; the snapshot server stores and manages the data on receipt and passes it on to the client-side component.
When a client user accesses the content of a specific URL, the interaction of messages and files proceeds as follows:
the client sends a request for obtaining the message from a randomly chosen port number to the proxy address of the HTTP proxy gateway; after receiving the request, the proxy gateway parses the URL and data and queries its snapshots, through its own query mechanism, for a matching snapshot. If no snapshot exists, the proxy gateway sends the request to the web server from a randomly chosen port number. On receiving the message acquisition request of the HTTP proxy gateway, the server replies with a success flag and delivers the requested file content to the proxy gateway. After receiving the data, the proxy gateway delivers it to the client and at the same time decides from its configuration items whether the data is to be snapshotted; if so, the related components are called to store it.
When other client users in the same local area network access the same URL, the proxy gateway receives the request, calls the related components to query whether the requested content is stored and whether it has expired, and, if it is stored and not expired, delivers the content to the client directly.
When the snapshot content of the HTTP proxy gateway has expired, the proxy gateway sends a request message to the server asking whether the snapshotted resource has been modified; after receiving the resource query request, the server checks whether the resource is still unmodified and, if so, replies to the HTTP proxy gateway with an unmodified message. After receiving the message that the snapshot resource is still unmodified, the HTTP proxy gateway extracts the content requested by the client from its own snapshot and delivers it to the client.
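The snapshot lookup, expiry and revalidation flow of the paragraphs above (hash key from URL and port, hit, miss, expired-but-unmodified, expired-and-modified), as an added example that is not part of the patent. The web server is a constructed stand-in that answers the proxy's "is it modified" query by comparing an opaque validator, which is how the page's "reply unmodified message" is realised in practice; SHA-256 as the key hash, the TTL, the URL and the bodies are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def snapshot_key(url: str, port: int) -> str:
    """Page: the URL and port of the request are hashed and the key value selects the
    snapshot entry.  ASSUMPTION: SHA-256; the page does not name the hash."""
    return hashlib.sha256(f"{port}|{url}".encode()).hexdigest()


@dataclass
class Snapshot:
    body: bytes
    validator: str        # opaque token the origin uses to answer "unmodified"
    expires_at: float     # after this the entry is overdue and must be revalidated


@dataclass
class SnapshotStore:
    ttl: float
    entries: Dict[str, Snapshot] = field(default_factory=dict)


# Origin contract (constructed for this example): origin(url, validator) returns
# (modified, body, validator).  If the proxy's validator still matches, the origin
# reports modified=False and sends no body, i.e. the page's "unmodified" reply.
OriginFn = Callable[[str, Optional[str]], Tuple[bool, bytes, str]]


def serve(store: SnapshotStore, origin: OriginFn, url: str, port: int, now: float) -> Tuple[str, bytes]:
    """One request through the gateway.  Outcomes:
    'miss'        no snapshot: fetch from the server, store, deliver
    'hit'         snapshot present and not expired: deliver from the snapshot
    'revalidated' expired, server says unmodified: deliver from the snapshot, renew
    'refreshed'   expired and modified: fetch the new body, replace the snapshot"""
    key = snapshot_key(url, port)
    snap = store.entries.get(key)
    if snap is None:
        _, body, validator = origin(url, None)
        store.entries[key] = Snapshot(body, validator, now + store.ttl)
        return "miss", body
    if now < snap.expires_at:
        return "hit", snap.body
    modified, body, validator = origin(url, snap.validator)
    if not modified:
        snap.expires_at = now + store.ttl
        return "revalidated", snap.body
    store.entries[key] = Snapshot(body, validator, now + store.ttl)
    return "refreshed", body


def make_origin(content: Dict[str, Tuple[bytes, str]]) -> OriginFn:
    """Constructed web server; mutate `content` to simulate a resource changing."""
    def origin(url: str, validator: Optional[str]):
        body, current = content[url]
        if validator is not None and validator == current:
            return False, b"", current
        return True, body, current
    return origin


def demo() -> list:
    url = "http://cdn.example.test/app.js"          # constructed sample resource
    content = {url: (b"v1", "etag-1")}
    store = SnapshotStore(ttl=10)
    origin = make_origin(content)
    results = [serve(store, origin, url, 8080, now=0),     # first LAN client: miss
               serve(store, origin, url, 8080, now=5),     # second LAN client: hit
               serve(store, origin, url, 8080, now=20)]    # expired, still unmodified
    content[url] = (b"v2", "etag-2")                       # the origin changes the file
    results.append(serve(store, origin, url, 8080, now=40))   # expired and modified
    return results
```

Because the port is part of the hash key, the same URL fetched through two different ports is two separate snapshot entries, which is the consequence of the page's choice to key on both.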
The HTTP proxy gateway further comprises a message monitoring unit for collecting, analysing and filtering data packets. Backbone traffic is mirrored to the monitoring unit by a mirroring switch; the original data packets are collected, each packet is parsed protocol layer by protocol layer, and the user's request information is extracted. The request information is matched against a filtering rule that specifies the permitted user IP addresses, the request methods for which snapshotting is allowed, the server domain names and the file types; requests that do not match the rule are filtered out, and for the others the URL address of the requested resource is handed to the access control unit for processing.
The access control unit schedules the services of the other units, performs summary analysis of the snapshot resource information, and handles storage, updating, replacement and cleaning. It receives the user request information handed over by the message monitoring unit, counts the number of requests for the same resource, and organises the request information in a suitable form in memory. The snapshot state of each file requested by users is recorded, and the detailed record of a resource is updated each time a new resource is stored in the storage unit. The access control unit looks up the system snapshot record according to the user request information; if the file requested by the user already has a snapshot, it issues a policy to the redirection unit to construct a response packet that redirects the user to the storage unit. If the requested file has no snapshot but is accessed frequently, and the number of accesses reaches a threshold preset by the system, it issues a download policy to the storage unit to download and snapshot the file.
The storage unit also records the important information of the resources accessed by user requests: each line records a different URL resource and describes the number of accesses, the snapshot state and the byte size of the resource. The data of the storage unit originates from the access control unit; whenever resource object information in the access control unit is added, deleted or modified, the storage unit is notified to update its content synchronously.
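The message monitoring unit and access control unit of the three paragraphs above, as an added example (not the patent's own code): a minimal HTTP request parser stands in for the layer-by-layer protocol analysis, the filtering rule carries the four criteria the page names, and the access control unit counts requests per URL and issues the redirect or download policy once the threshold is reached. The mirrored requests, the rule values and the threshold are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class FilterRule:
    """Page: permitted user IPs, request methods allowed to be snapshotted, server
    domain names and file types."""
    client_ips: set
    methods: set
    domains: set
    extensions: set


@dataclass
class Request:
    client_ip: str
    method: str
    url: str


def parse_http_request(client_ip: str, raw: bytes) -> Optional[Request]:
    """Layer-by-layer extraction reduced to the HTTP layer: the request line plus the
    Host header give the absolute URL.  Returns None for anything malformed so the
    caller treats it as non-matching."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        url = target                            # absolute-form, as sent to a proxy
    elif "host" in headers and target.startswith("/"):
        url = f"http://{headers['host']}{target}"
    else:
        return None
    return Request(client_ip, method, url)


def matches(rule: FilterRule, req: Request) -> bool:
    parts = urlsplit(req.url)
    filename = parts.path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return (req.client_ip in rule.client_ips
            and req.method in rule.methods
            and (parts.hostname or "") in rule.domains
            and extension in rule.extensions)


@dataclass
class AccessControl:
    """Access control unit: counts requests per resource and decides the policy."""
    threshold: int
    counts: Counter = field(default_factory=Counter)
    snapshotted: set = field(default_factory=set)

    def decide(self, req: Request) -> str:
        self.counts[req.url] += 1
        if req.url in self.snapshotted:
            return "redirect"       # policy to the redirection unit: serve from storage
        if self.counts[req.url] >= self.threshold:
            self.snapshotted.add(req.url)
            return "download"       # download policy to the storage unit
        return "pass"               # not popular enough yet: plain forwarding


def run_pipeline(rule: FilterRule, acl: AccessControl, events: List[Tuple[str, bytes]]) -> List[str]:
    outcomes = []
    for client_ip, raw in events:
        req = parse_http_request(client_ip, raw)
        if req is None or not matches(rule, req):
            outcomes.append("filtered")
        else:
            outcomes.append(acl.decide(req))
    return outcomes


# Constructed mirrored traffic: (client IP, raw request bytes).
EVENTS = [
    ("10.0.0.5", b"GET /lib/app.js HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
    ("10.0.0.9", b"GET /lib/app.js HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),  # IP not permitted
    ("10.0.0.6", b"POST /api/login HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),  # method and type
    ("10.0.0.6", b"GET http://cdn.example.test/lib/app.js HTTP/1.1\r\n\r\n"),     # absolute-form
    ("10.0.0.5", b"GET /lib/app.js HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
    ("10.0.0.5", b"GET /lib/app.js HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
]
RULE = FilterRule({"10.0.0.5", "10.0.0.6"}, {"GET"}, {"cdn.example.test"}, {"js", "css", "png"})


def demo() -> List[str]:
    return run_pipeline(RULE, AccessControl(threshold=3), EVENTS)
```

The fourth event reaches the same URL as the first through the absolute-form request line, so it counts toward the same resource; the fifth request is the third access and triggers the download policy, and from the sixth onwards the access control unit redirects to the storage unit.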
For the proxy gateway snapshot scheme: a leading snapshot and variable-length segments are used to divide the data from the server into segments of different lengths, and whether a segment is snapshotted or replaced is decided from how often and when it is accessed; uninterrupted service is achieved with dynamic snapshots and multicast. The proxy gateway reserves snapshot space for the new leading data packets. If the delay from the server to the proxy gateway lies within a preset range d_min to d_max, the proxy reserves disk snapshot space for part of the resources from the server, the snapshot having room for at least the data the server delivers in an interval of d_max - d_min. The proxy gateway then uses the stored part of the resource to provide immediate playback to the client. To the web server this appears as a multicast transmission to the client group; for the proxy gateway it is a unicast transmission to each client of the group. With only the leading snapshot present, suppose the first request for resource i arrives at time 0: the proxy gateway transmits the leading part of the resource to the client, and the first message of the tail is scheduled to reach the proxy gateway at time v_i, the playback length of the leading part. For any request arriving in the interval (0, v_i), the proxy gateway immediately forwards the leading part of the resource to the new client and transmits the tail to the client from time v_i onwards, the tail coming from the server and being held in the dynamic snapshot. A snapshotted tail can be regarded as part of the leading part and is transmitted in the same way. Requests arriving after time v_i start a new service queue.
As the number of stored leading snapshots grows, the invention manages them with a hash table so that insertion and lookup are fast. The mapping nodes established in memory for the leading snapshots are called snapshot mapping nodes, and each node corresponds to one stored leading part. When a new leading snapshot is added, its snapshot mapping node is inserted into the hash table at the same time. On lookup, the snapshot mapping node is first looked up in the hash table; if it is not found, a new leading part has to be stored; if it is found, the corresponding leading snapshot on disk is accessed according to the information in the snapshot mapping node. When a leading snapshot is deleted, its snapshot mapping node must be deleted at the same time.
To look up a snapshot mapping node, the bucket number of the node is first computed, the node queue designated by that bucket number is visited, and the nodes in the queue are examined in order; if a node matching the given feature string (obtained from the URI) is found, the leading snapshot already exists, otherwise the leading part of the resource has not been stored. After receiving a resource request triggered by a web page URL, the proxy gateway first checks whether a local snapshot exists; if so, it sends the content to the client; if not, or at a certain moment before sending is finished, the proxy sends an HTTP request to the web server asking it to send the resource data. This request is derived from the client's resource request, so the client request is transformed into an HTTP request understood by the web server.
To guarantee quality of service, a snapshot of the required length must already have been allocated by the moment the first message from the server arrives at the proxy. While the proxy serves clients from the snapshot content, if the distance between the client at the head position and the client at the tail position shrinks, the space saved is reclaimed; if the distance grows, the snapshot is extended. Once the snapshot length equals the length of the first non-snapshotted section of the media, it is not increased further; if the snapshot length is then insufficient, the client at the tail of the batch is removed from the batch and either a new service is opened for it or it is added to another batch. When only one client remains in a batch, updating of the snapshot content stops; once the snapshot content has been consumed, the data sent by the server is passed directly to the client and the snapshot is released.
The backlog length of the listening socket is set to meet demand. Every client connected to the proxy is represented by a node in a doubly linked list of all connections, from connection establishment to the end of the communication, and a node is created in the HTTP table for each connection to maintain the connection and the communication between the proxy and the client and between the proxy and the server.
While listening, the proxy accepts the client's connection request and creates a new socket and port to establish the connection with the client. After the connection is established, the client sends an HTTP request to the proxy, which passes it to the request analysis part. The request analysis part mainly judges whether the client request is a data request or a web request.
Once the type of the client's request is known, the next step is HTTP processing or data resource processing. The request analysis part further processes the client request: it extracts the name of the target server and the communication port from the request, passes them to the module on standby, resolves the server name to the server's IP address, establishes a connection with the target server, and, if the connection succeeds, sends the client's request.
The invention manages clients with a cross-linked list: each sub-table represents a batch queue, and each table node holds the state of a client, including the length of data received, the reading state (reading the leading part, reading the snapshot, or reading the server's regular channel) and the snapshot information. The head node of each sub-table additionally maintains the information for communication with the server.
After a new client connects to the proxy, the proxy first searches the snapshot mapping table. If a snapshot exists, the client node is inserted into the queue requesting that snapshot, or a new queue is created with the client node as its head node; if no snapshot exists, the data is requested from the server. Once the data source is determined, the reading state of the node is determined as well. For a client with a snapshot, at a certain time before the queue's head node leaves the snapshot, the proxy must connect to the server using the head node's information and allocate the snapshot, so that the first client is in, or about to enter, the snapshot when the server's data reaches it. The required data is read from the snapshot according to the snapshot state and the client's data requirement and sent to each client separately by unicast, which realises the multicast.
A client that logs out midway is handled as follows: if it is an ordinary sub-table node it is deleted directly, the queue length is adjusted, and the snapshot length is changed if the queue length changes. If it is the head node of a sub-table, the fields associated with the buffers and the traffic are retained, the node is deleted, its functions are transferred to the next node, and the snapshot is adjusted. If it is a single head node, the node is deleted directly and its resources are released.
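The leading-snapshot batching of the snapshot scheme and the batch queue management of the three paragraphs above, as an added example (not the patent's own code). Clients arriving within the prefix window (0, v_i) of an open batch join it, receive the prefix immediately and the tail from the dynamic snapshot; a client whose distance from the head would exceed the snapshot cap is given a new service instead, and a departing head hands its stream to the next member without moving the stream's origin. Time units, the cap and the arrival times are constructed assumptions; the cap stands in for the page's "length of the first non-snapshotted section".

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Batch:
    """One batch queue (a sub-table of the cross-linked list).  members[0] is the
    head client, whose request opened the stream from the server; stream_origin is
    the time that stream started and does not move when the head is replaced."""
    stream_origin: float
    members: List[float] = field(default_factory=list)   # client arrival times

    @property
    def required_dynamic_len(self) -> float:
        """Data the dynamic (tail) snapshot must hold: the server's stream runs
        stream_origin ahead of the latest client, so that distance is what must be
        buffered.  Shrinks when tail clients leave, unchanged when the head leaves."""
        return self.members[-1] - self.stream_origin


@dataclass
class PrefixScheduler:
    prefix_len: float        # v_i: playback length of the stored leading snapshot
    max_dynamic_len: float   # cap on the dynamic snapshot (constructed parameter)
    batches: List[Batch] = field(default_factory=list)

    def arrive(self, t: float) -> str:
        """Serve a client arriving at time t.
        'head'  outside any open window: send the prefix, open a server stream
        'join'  inside (origin, origin + v_i) and the gap fits: prefix now, tail from
                the dynamic snapshot once the head's stream reaches it
        'head*' inside the window but the gap exceeds the cap: the page drops such a
                trailing client from the batch and opens a new service for it"""
        current = self.batches[-1] if self.batches else None
        if current is not None and t < current.stream_origin + self.prefix_len:
            if t - current.stream_origin <= self.max_dynamic_len:
                current.members.append(t)
                return "join"
            self.batches.append(Batch(t, [t]))
            return "head*"
        self.batches.append(Batch(t, [t]))
        return "head"

    def leave(self, arrival: float) -> bool:
        """A client logging out midway.  Ordinary member: removed, and the snapshot
        shrinks if it was the tail.  Head: removed, the head role passes to the next
        member and the stream keeps its origin.  Lone head: batch released entirely."""
        for batch in self.batches:
            if arrival in batch.members:
                batch.members.remove(arrival)
                if not batch.members:
                    self.batches.remove(batch)
                return True
        return False


def demo() -> List[str]:
    """Constructed arrivals against a 10-unit prefix and a 6-unit dynamic cap."""
    sched = PrefixScheduler(prefix_len=10, max_dynamic_len=6)
    return [sched.arrive(t) for t in (0, 3, 5, 8, 12, 30)]
```

With these parameters the client at time 8 is inside the first batch's window but 8 units behind its head, more than the cap, so it starts a second batch; the client at 12 joins that second batch, and the client at 30 is past both windows and starts a third. The server sees one stream per batch, the clients each see their own unicast, which is the page's "multicast to the web server, unicast from the proxy".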
In summary, the present invention provides a secure data transmission method for an HTTP proxy framework, which realizes secure and real-time data transmission for a proxy server based on HTTP.
It will be apparent to those skilled in the art that the elements or steps of the invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.