Automatic deployment method, device, equipment and medium for bastion machine
Technical Field
The invention relates to the technical field of communication, in particular to an automatic deployment method, device, equipment and medium for bastion machines.
Background
With the rapid development of enterprises, operation and maintenance (O&M) disorder inside enterprises is increasingly common. Taking enterprise O&M account security management as an example, several people often share one account, and a shared account makes account information easy to leak and unauthorized operations easy to perform. Enterprises have therefore begun to use bastion machines as their O&M and security auditing systems to solve the problem of O&M confusion.
The purchase and the deployment of existing bastion machines are separate steps: a user purchases a bastion machine product on the official website, customer service staff configure and deploy the corresponding bastion machine on a host management platform according to the product the user selected, and finally the deployed bastion machine is delivered to the user. This service deployment process is long, and the user cannot obtain the purchased bastion machine product immediately.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention aims to provide an automatic bastion machine deployment method to solve the problem that the service time for deploying bastion machines is long.
One of the objects of the invention is realized by adopting the following technical scheme:
an automatic deployment method for bastion machines comprises the following steps:
receiving order information of the bastion machine, and storing the bastion machine configuration parameters in the order information;
preprocessing the bastion machine configuration parameters into API parameters, and generating a digital signature according to the API parameters;
sending the digital signature and the API parameters to a server;
calling an API (application programming interface) of the server, wherein the API is the interface through which the server creates the bastion machine service;
and generating an access domain name of the bastion machine service.
Further, receiving the order information of the bastion machine and storing the bastion machine configuration parameters in the order information specifically comprises the following step:
storing the parameter name of the bastion machine configuration parameter and the parameter value of the bastion machine parameter in Key-Value form.
Further, preprocessing the bastion machine configuration parameters into API parameters and generating a digital signature according to the API parameters comprises the following steps:
forming the bastion machine configuration parameters into a URL-format character string, wherein the URL-format character string is the API parameters;
using a key, the key comprising a private key and a public key;
and signing the API parameters with the private key to obtain the digital signature.
Further, preprocessing the bastion machine configuration parameters into API parameters and generating a digital signature according to the API parameters comprises the following steps:
sorting the bastion machine configuration parameters according to a preset sorting rule;
forming the sorted bastion machine configuration parameters into a character string in URL format, wherein the URL-format character string is the API parameters;
using a key, the key comprising a private key and a public key;
hashing the API parameters to obtain a first digital signature;
encrypting the first digital signature with the private key to obtain a second digital signature;
and encoding the second digital signature with Base64 to obtain the digital signature.
Further, sending the digital signature and the API parameters to a server comprises the following steps:
receiving a verification result, wherein the verification result indicates whether the API parameters have been tampered with;
when the verification result is that the verification passed, calling an API (application programming interface) of the server;
and when the verification result is that the verification failed, returning error information.
Further, using a key, the key comprising a private key and a public key, further comprises the following steps:
receiving a verification result, wherein the verification result is an IP verification result from the server;
and when the verification passes, using the key, which comprises a private key and a public key.
Further, generating the access domain name of the bastion machine service further comprises the following steps:
randomly generating an access domain name of the bastion machine service and storing the access domain name in a domain name database;
and configuring the access domain name on an Nginx server.
The invention also aims to provide an automatic bastion machine deployment device to solve the problem that the service time for deploying bastion machines is long.
The second object of the invention is realized by adopting the following technical scheme:
an automatic bastion machine deployment device, comprising:
an order receiving module, configured to receive order information of the bastion machine and store the bastion machine configuration parameters in the order information;
a signature generation module, configured to preprocess the bastion machine configuration parameters into API parameters and generate a digital signature according to the API parameters;
a sending module, configured to send the digital signature and the API parameters to a server;
an API calling module, configured to call an API interface of the server, wherein the API interface is the interface through which the server creates the bastion machine service;
and a domain name generation module, configured to generate the access domain name of the bastion machine service.
It is a further object of the present invention to provide an electronic device comprising a processor, a storage medium and a computer program, the computer program being stored in the storage medium and, when executed by the processor, implementing the above-mentioned bastion machine automatic deployment method.
It is a fourth object of the present invention to provide a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, implements the bastion machine automatic deployment method described above.
Compared with the prior art, the invention has the following beneficial effects:
the bastion machine configuration parameters are preprocessed into API parameters, the server side can complete the dynamic configuration of the bastion machine parameters according to the API parameters, and the bastion machine service can be created automatically by calling the API interface provided by the server side; the user can access the bastion machine service through the generated access domain name, so automatic deployment of the bastion machine is realized and the deployment efficiency and user experience are improved; the digital signature guarantees the integrity of the configuration parameters in transmission and prevents them from being tampered with in the transmission process.
Drawings
FIG. 1 is a flow chart of an automatic deployment method for a bastion machine according to the first embodiment;
FIG. 2 is a flow chart of a method of generating a digital signature according to the second embodiment;
FIG. 3 is a flow chart of a method of generating a digital signature according to the third embodiment;
FIG. 4 is a flow chart of a method of generating an access domain name according to the fourth embodiment;
FIG. 5 is a block diagram of the automatic deployment device for a bastion machine in the fifth embodiment;
FIG. 6 is a block diagram of the electronic apparatus of the sixth embodiment.
Detailed Description
The present invention will now be described in more detail with reference to the accompanying drawings, in which the description of the invention is given by way of illustration and not of limitation. The various embodiments may be combined with each other to form other embodiments not shown in the following description.
Example one
This embodiment provides an automatic deployment method for a bastion machine, which aims to realize automatic deployment of the bastion machine by dynamically configuring the parameter information of a bastion machine server and calling an API (application programming interface).
With the development of cloud technology, the traditional hardware or combined software-and-hardware bastion machine is gradually being replaced by the cloud bastion machine. The cloud bastion machine has higher computing power and stronger security protection capability than the traditional bastion machine, at lower cost. The cloud bastion machine server can create the corresponding bastion machine service according to the parameters, and the user can access the bastion machine service by accessing the corresponding API.
It should be noted that the server appearing in this embodiment refers to a server having the cloud bastion machine service function; it can complete related operations such as bastion machine creation and digital signature verification, and is generally the server hosting the bastion machine management platform.
Referring to FIG. 1, an automatic deployment method for a bastion machine is characterized by comprising the following steps:
S110, receiving order information of the bastion machine, and storing the bastion machine configuration parameters in the order information;
The bastion machine order information generally contains many items, such as user information, an IP address, the configuration parameter information selected by the user, and the like. When the bastion machine service is created, only the configuration parameter information needs to be extracted from the order information to complete the creation.
When the bastion machine configuration parameters are stored, they need to be ordered according to the identification sequence of the server side, so that the server side can identify the configuration parameters conveniently.
According to this principle, receiving the order information of the bastion machine and storing the bastion machine configuration parameters in the order information specifically comprises the following step:
storing the parameter name of the bastion machine configuration parameter and the parameter value of the bastion machine parameter in Key-Value form.
Taking the creation of a single-core CPU bastion machine as an example of the Key-Value storage mode, the parameter name of the required configuration parameter is 'CPU' and the parameter value is the core count '1'; CPU is used as the Key and 1 as the Value, and the configuration parameter is stored as a Key-Value pair. This Key-Value storage mode is supported by many storage tools, and the available key-value containers differ across programming languages: the map container of the C++ STL, Java's HashMap and Python's dictionary type are all key-value storage tools. Therefore, this embodiment does not limit the storage tool used for the Key-Value pairs; the corresponding key-value storage tool is selected according to the programming language of the server.
S120, preprocessing the bastion machine configuration parameters into API parameters, and generating a digital signature according to the API parameters;
Because the server side provides an API interface for creating the bastion machine service, the configuration parameters need to be converted into API parameters so that the server side can create the bastion machine service with the corresponding configuration according to them. The preprocessing mode of the configuration parameters is determined by the transmission mode of the API parameters. API parameters are generally transmitted in one of two modes, URL (Request-URL) and Body (Request-Body), so the bastion machine configuration parameters can be preprocessed into API parameters in URL format or in Body format according to the specific transmission mode.
In S120, the integrity of the API parameters during transmission can be ensured by generating a digital signature. Since the server receiving the bastion machine order information and the server where the cloud bastion machine is located are different servers, the API parameters may be tampered with during transmission; whether the configuration parameters have been tampered with can therefore be verified through the generated digital signature.
This embodiment does not limit the specific method for generating the digital signature, but the server must be able to verify the generated digital signature.
S130, sending the digital signature and the API parameters to a server;
The API parameters and the digital signature are sent to the server side so that the server side can verify them. Specifically, sending the digital signature and the API parameters to the server side comprises the following steps:
receiving a verification result, wherein the verification result indicates whether the API parameters have been tampered with;
when the verification result is that the verification passed, calling an API (application programming interface) of the server;
and when the verification result is that the verification failed, returning error information.
The server side verifies the digital signature to determine whether the configuration parameters have been tampered with.
S140, calling an API (application programming interface) created by the server, wherein the API is the interface through which the server creates the bastion machine service;
and S150, generating an access domain name of the bastion machine service.
The user can enter the bastion machine service through the generated access domain name, realizing access to the bastion machine service.
Example two
The second embodiment is carried out on the basis of the first embodiment.
Referring to FIG. 2, preprocessing the bastion machine configuration parameters into API parameters and generating a digital signature according to the API parameters specifically comprises the following steps:
S210, forming the bastion machine configuration parameters into a URL-format character string, wherein the URL-format character string is the API parameters;
S220, using a key, wherein the key comprises a private key and a public key;
and S230, signing the API parameters with the private key to obtain the digital signature.
In this embodiment, the URL (Request-URL) transmission mode is selected for transmitting the API parameters, so the configuration parameters are formed, in order, into a URL-format character string; that string is the API parameters, and by identifying it the server side can automatically create the bastion machine service and provide the corresponding API interface. This process requires percent-encoding of special characters in the configuration parameters, for example replacing the "{" symbol with the escape "%7B", to obtain a string in URL format. The URL-format configuration parameter string is then signed with the private key to obtain the digital signature.
A randomly generated key pair is stored on the server that receives the order information, and the private key is kept on that server; the server side can decrypt the digital signature and verify the integrity of the API parameters using the public key corresponding to the private key. The server typically needs to generate a key pair (public and private) only once: each time a new order is received it is digitally signed with the same private key, without generating a new key pair for each order.
This embodiment does not limit the specific asymmetric encryption algorithm (i.e., the method for generating the public key and private key), as long as the digital signature can be decrypted.
Before the key is used, the server side can also verify the legitimacy of the key user. Specifically, using a key, the key comprising a private key and a public key, further comprises the following steps:
receiving a verification result, wherein the verification result is an IP verification result from the server;
and when the verification passes, using the key, which comprises a private key and a public key.
The server side stores an IP white list library in which the legitimate IP addresses are recorded, and only IP addresses in the white list library have the authority to use the key. This embodiment does not limit the specific method for creating the white list library; it may be created by the bastion machine service provider (the server), or it may be an IP white list library shared by a third-party network security company. Setting the IP white list prevents illegal users such as hackers from maliciously accessing or purchasing the bastion machine service.
Example three
The third embodiment is carried out on the basis of the first embodiment. It differs from the second embodiment in that, whereas the second embodiment uses the private key and public key alone to generate and verify the digital signature, the third embodiment performs the digital signature by means of hashing, private key signing and Base64 encoding, so that the reliability of the digital signature is higher.
Although the digital signature generated with the private key can be used to verify the identity of the information sender, there remains the problem that someone who obtains the private key from the server can change the API parameter information; in that case the server, using public key verification alone, cannot determine that the API parameters have been changed. The API parameters therefore need to be further encrypted to ensure that the configuration parameters are not changed during transmission. Specifically, referring to FIG. 3, generating a digital signature according to the API parameters further comprises the following steps:
S310, sorting the bastion machine configuration parameters according to a preset sorting rule;
The preset sorting rule is generally ascending or descending order by Key. Taking ascending order as an example, when the parameter names stored as Keys are "tc", "ect", "edc" and "act", after arrangement in ascending order the Keys become "act", "ect", "edc", "tc". The specific sorting rule can be set according to actual requirements; the purpose of sorting is mainly to allow the server to hash the API parameters in the same order, avoiding different hash results caused by different orders and preventing misjudgment during verification.
S320, forming the sorted bastion machine configuration parameters into a character string in URL format, wherein the URL-format character string is the API parameters;
In this embodiment, the URL (Request-URL) mode is again selected for transmitting the API parameters. Compared with the Body transmission mode, in which parameter names and values are separated, the URL-format string is easier to hash because the parameters have already been composed into a single string.
S330, using a key, wherein the key comprises a private key and a public key;
Please refer to embodiment two for the key generation method in S330.
S340, hashing the API parameters to obtain a first digital signature;
The hashing method described in S340 may be an HMAC-SHA256 or HMAC-SHA1 signature method; this embodiment does not limit the specific hash algorithm, and the same hash algorithm is stored on the server so that the signature can be verified.
S350, encrypting the first digital signature with the private key to obtain a second digital signature;
and S360, encoding the second digital signature with Base64 to obtain the digital signature.
The hashed and encrypted data is encoded with Base64 to obtain the final signature. This can increase the data transmission speed: encrypted data is usually long, and Base64 encoding shortens the data and reduces resource occupation. In addition, Base64-encoded data is not directly readable, so even if the digital signature is intercepted during transmission, the data before Base64 encoding is difficult to view.
Since the hash algorithm is irreversible, others cannot reverse it to obtain the plaintext (the API parameters), and even if the API parameters are changed during transmission, it is difficult to change the digital signature correspondingly. The double encryption method of this embodiment can achieve the technical effects of preventing counterfeit attacks (i.e., checking whether the request source is legitimate), preventing tampering attacks, preventing replay attacks (i.e., the request being maliciously attacked) and preventing leakage of data information.
It should be noted that, when the server side verifies, it needs to decode the digital signature with Base64 and decrypt the decoded digital signature with the public key to obtain the first digital signature, that is, the hashed API parameters; the server side also needs to hash the received API parameters with the same hashing method, and compares the result with the first digital signature to complete the verification of the API parameters.
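As an added example (not code from the patent), the following Go program walks through S310 to S360 and the server-side check from embodiments two and three: sorting and percent-encoding the Key-Value parameters into a URL-format string, hashing, signing with the private key, Base64 encoding, and verifying against the IP white list and the recomputed hash. It assumes SHA-256 as the hash and RSA PKCS#1 v1.5 as the private-key operation, neither of which the page fixes, and uses constructed sample parameters.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// BuildAPIParams covers S310/S320: sort the Key-Value configuration parameters
// by Key in ascending order, percent-encode each name and value (so "{" becomes
// "%7B"), and join them into one URL-format string.
func BuildAPIParams(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, url.QueryEscape(k)+"="+url.QueryEscape(params[k]))
	}
	return strings.Join(parts, "&")
}

// GenerateKeyPair is the one-time key generation of embodiment two (assumed RSA).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignAPIParams covers S340-S360 on the ordering server: hash the API
// parameters (first digital signature), sign the hash with the private key
// (second digital signature), then Base64-encode the result.
func SignAPIParams(priv *rsa.PrivateKey, apiParams string) (string, error) {
	first := sha256.Sum256([]byte(apiParams))
	second, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, first[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(second), nil
}

// Server models the cloud bastion server side: it holds the ordering server's
// public key and the IP white list library of embodiment two.
type Server struct {
	Pub       *rsa.PublicKey
	WhiteList map[string]bool
}

// Verify is the server-side check: the source IP must be in the white list,
// then the signature is Base64-decoded and checked against a hash recomputed
// over the received API parameters (VerifyPKCS1v15 performs the public-key
// decryption and the hash comparison). Any change to the parameters in
// transit makes the recomputed hash differ and verification fails.
func (s *Server) Verify(clientIP, apiParams, signature string) error {
	if !s.WhiteList[clientIP] {
		return errors.New("IP verification failed: source not in white list")
	}
	second, err := base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return errors.New("signature is not valid Base64")
	}
	first := sha256.Sum256([]byte(apiParams))
	if err := rsa.VerifyPKCS1v15(s.Pub, crypto.SHA256, first[:], second); err != nil {
		return errors.New("API parameters failed verification: possible tampering")
	}
	return nil
}

func main() {
	// Constructed sample order: a single-core bastion machine plus a few keys
	// taken from the sorting example in S310.
	order := map[string]string{"tc": "2", "CPU": "1", "ect": "{ssh}", "act": "on"}
	apiParams := BuildAPIParams(order)
	fmt.Println("API parameters:", apiParams)

	priv, err := GenerateKeyPair() // generated once, reused for every order
	if err != nil {
		panic(err)
	}
	sig, err := SignAPIParams(priv, apiParams)
	if err != nil {
		panic(err)
	}
	srv := &Server{Pub: &priv.PublicKey, WhiteList: map[string]bool{"10.0.0.10": true}}
	tampered := strings.Replace(apiParams, "CPU=1", "CPU=8", 1)
	fmt.Println("untampered:", srv.Verify("10.0.0.10", apiParams, sig))
	fmt.Println("tampered:  ", srv.Verify("10.0.0.10", tampered, sig))
	fmt.Println("bad source:", srv.Verify("203.0.113.7", apiParams, sig))
}
```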
Example four
The fourth embodiment is carried out on the basis of the first embodiment and mainly explains the method of generating the access domain name.
Referring to FIG. 4, generating the access domain name of the bastion machine service further comprises the following steps:
S410, randomly generating an access domain name of the bastion machine service, and storing the access domain name in a domain name database;
The randomly generated access domain name is unique, which prevents duplicate domain names and thus avoids errors when accessing the bastion machine service. The MD5 algorithm is used in this embodiment to generate the random domain name; in other embodiments the random domain name may be generated in other ways.
The domain name database in S410 makes it convenient for the user side to query the domain name.
And S420, configuring the access domain name on an Nginx server.
Because Nginx occupies little memory and has strong concurrency capability, connecting to the bastion machine service through the access domain name can be realized with Nginx: the user reaches the intranet IP of the server on the bastion machine service platform side by accessing the domain name, while that intranet IP cannot be obtained by the user, which effectively prevents the server from being attacked maliciously.
It should be noted that, in addition to configuring the access domain name on the Nginx server, information such as the name of the purchasing user and the intranet IP address is also sent to the Nginx server, so that the Nginx server can forward the access domain name to the bastion machine service.
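As an added example (not the patent's own code), the following Go program models S410 and S420: it derives an access domain name from an MD5 digest of random bytes, checks it against a domain name database so that no name is issued twice, and renders the Nginx server block that maps the domain name to the bastion service's intranet IP. The zone name, backend port, plain-HTTP listener and the user-name comment line are assumptions; the page specifies none of them.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DomainDB stands in for the domain name database of S410; it records every
// access domain name issued so a duplicate is never handed out.
type DomainDB struct {
	Issued map[string]bool
}

// GenerateAccessDomain covers S410: build a label from the MD5 digest of
// random bytes (the page's stated choice for the random domain name), check it
// against the database, and retry on a collision.
func GenerateAccessDomain(db *DomainDB, zone string) (string, error) {
	for attempt := 0; attempt < 5; attempt++ {
		var seed [16]byte
		if _, err := rand.Read(seed[:]); err != nil {
			return "", err
		}
		sum := md5.Sum(seed[:])
		domain := hex.EncodeToString(sum[:])[:12] + "." + zone
		if db.Issued[domain] {
			continue // already issued: draw again
		}
		db.Issued[domain] = true
		return domain, nil
	}
	return "", errors.New("could not allocate a unique access domain name")
}

// NginxServerBlock covers S420: bind the access domain name to an Nginx
// server block that proxies to the bastion service's intranet IP, so the user
// only ever sees the domain name, never the intranet address. The purchasing
// user name travels with the config as a comment (assumed form).
func NginxServerBlock(domain, user, intranetIP string, port int) string {
	return strings.Join([]string{
		"# bastion service for user: " + user,
		"server {",
		"    listen 80;", // TLS termination is not specified by the page
		"    server_name " + domain + ";",
		"    location / {",
		fmt.Sprintf("        proxy_pass http://%s:%d;", intranetIP, port),
		"        proxy_set_header Host $host;",
		"        proxy_set_header X-Real-IP $remote_addr;",
		"    }",
		"}",
	}, "\n")
}

func main() {
	db := &DomainDB{Issued: map[string]bool{}}
	domain, err := GenerateAccessDomain(db, "bastion.example")
	if err != nil {
		panic(err)
	}
	// Constructed sample: user "alice", intranet IP 10.0.0.5, service port 8080.
	fmt.Println(NginxServerBlock(domain, "alice", "10.0.0.5", 8080))
}
```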
Example five
The fifth embodiment discloses a device corresponding to the bastion machine automatic deployment method described above; it is a virtual device structure, shown in FIG. 5, and comprises:
the order receiving module 510, configured to receive order information of the bastion machine and store the bastion machine configuration parameters in the order information;
the signature generation module 520, configured to preprocess the bastion machine configuration parameters into API parameters and generate a digital signature according to the API parameters;
the sending module 530, configured to send the digital signature and the API parameters to a server;
the API calling module 540, configured to call an API interface of the server, wherein the API interface is the interface through which the server creates the bastion machine service;
and the domain name generation module 550, configured to generate the access domain name of the bastion machine service.
Preferably, receiving the order information of the bastion machine and storing the bastion machine configuration parameters in the order information specifically comprises the following step:
storing the parameter name of the bastion machine configuration parameter and the parameter value of the bastion machine parameter in Key-Value form.
Preferably, preprocessing the bastion machine configuration parameters into API parameters and generating a digital signature according to the API parameters comprises the following steps:
forming the bastion machine configuration parameters into a URL-format character string, wherein the URL-format character string is the API parameters;
using a key, the key comprising a private key and a public key;
and signing the API parameters with the private key to obtain the digital signature.
Preferably, preprocessing the bastion machine configuration parameters into API parameters and generating a digital signature according to the API parameters comprises the following steps:
sorting the bastion machine configuration parameters according to a preset sorting rule;
forming the sorted bastion machine configuration parameters into a character string in URL format, wherein the URL-format character string is the API parameters;
using a key, the key comprising a private key and a public key;
hashing the API parameters to obtain a first digital signature;
encrypting the first digital signature with the private key to obtain a second digital signature;
and encoding the second digital signature with Base64 to obtain the digital signature.
Preferably, sending the digital signature and the API parameters to a server comprises the following steps:
receiving a verification result, wherein the verification result indicates whether the API parameters have been tampered with;
when the verification result is that the verification passed, calling an API (application programming interface) of the server;
and when the verification result is that the verification failed, returning error information.
Preferably, using a key, the key comprising a private key and a public key, further comprises the following steps:
receiving a verification result, wherein the verification result is an IP verification result from the server;
and when the verification passes, using the key, which comprises a private key and a public key.
Preferably, generating the access domain name of the bastion machine service further comprises the following steps:
randomly generating an access domain name of the bastion machine service and storing the access domain name in a domain name database;
and configuring the access domain name on an Nginx server.
Example six
FIG. 6 is a schematic structural diagram of an electronic device according to the sixth embodiment of the present invention. As shown in FIG. 6, the electronic device comprises a processor 610, a memory 620, an input device 630 and an output device 640; the number of processors 610 in the electronic device may be one or more, and one processor 610 is taken as an example in FIG. 6; the processor 610, memory 620, input device 630 and output device 640 in the electronic device may be connected by a bus or other means, and FIG. 6 illustrates connection by a bus.
The memory 620 serves as a computer-readable storage medium for storing software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the bastion machine automatic deployment method in the embodiments of the present invention (for example, the order receiving module 510, the signature generation module 520, the sending module 530, the API calling module 540 and the domain name generation module 550 of the bastion machine automatic deployment device). The processor 610 executes the various functional applications and data processing of the electronic device by running the software programs, instructions and modules stored in the memory 620, that is, it implements the bastion machine automatic deployment method of the first to fourth embodiments.
The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, such as a tool for generating a digital signature and an application program; the storage data area may store data created according to the use of the terminal, etc., such as order information and configuration parameters. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 620 can further include memory located remotely from the processor 610, which can be connected to an electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input of user identity information, order information, and the like. The output device 640 may include a display device such as a display screen for displaying the user purchase result, including a purchase failure prompt, a purchase success prompt, and the generated access domain name.
Example seven
The seventh embodiment of the present invention further provides a storage medium containing computer-executable instructions, which can be used by a computer to execute a bastion machine automatic deployment method, the method comprising:
receiving order information of the bastion machine, and storing the bastion machine configuration parameters in the order information;
preprocessing the bastion machine configuration parameters into API parameters, and generating a digital signature according to the API parameters;
sending the digital signature and the API parameters to a server;
calling an API (application programming interface) of the server, wherein the API is the interface through which the server creates the bastion machine service;
and generating an access domain name of the API interface.
Of course, the computer-executable instructions contained in the storage medium provided by the embodiment of the present invention are not limited to the method operations described above, and can also execute the relevant operations of the bastion machine automatic deployment method provided by any embodiment of the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software together with necessary general-purpose hardware, and certainly also by hardware alone, but the former is the better embodiment in many cases. Based on this understanding, the technical solutions of the present invention may be embodied in the form of a software product stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH memory (FLASH), a hard disk or an optical disk of a computer, and including instructions for enabling an electronic device (which may be a mobile phone, a personal computer, a server or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that in the embodiment of the bastion machine automatic deployment device, the included units and modules are only divided according to functional logic and are not limited to the division above, as long as the corresponding functions can be realized; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not used to limit the protection scope of the present invention.
Various other modifications and changes may be made by those skilled in the art based on the above technical solutions and concepts, and all such modifications and changes should fall within the scope of the claims of the present invention.