Disclosure of Invention
To overcome the shortcomings of the prior art, a first object of the invention is to provide an automatic deployment method for a bastion host (rendered "fort machine" in the original translation), so as to solve the problem of the long lead time needed to deploy a bastion host.
The first object of the invention is achieved by the following technical scheme:
an automatic deployment method for a bastion host, comprising the following steps:
receiving bastion host order information and storing the bastion host configuration parameters contained in the order information;
preprocessing the bastion host configuration parameters into API parameters, and generating a digital signature over the API parameters;
sending the digital signature and the API parameters to the server side;
calling an API interface of the server side, through which the server side creates the bastion host service;
and generating an access domain name for the bastion host service.
Further, receiving the bastion host order information and storing the bastion host configuration parameters contained in it specifically comprises:
storing the parameter name and the parameter value of each bastion host configuration parameter as a key-value pair.
Further, the bastion host configuration parameters are formed into a URL-format string, and this URL-format string is the API parameters;
a key pair comprising a private key and a public key is used;
and the API parameters are signed with the private key to obtain the digital signature.
Further, preprocessing the bastion host configuration parameters into API parameters and generating a digital signature over the API parameters comprises the following steps:
sorting the bastion host configuration parameters according to a preset sorting rule;
forming the sorted bastion host configuration parameters into a URL-format string, which is the API parameters;
using a key pair comprising a private key and a public key;
hashing the API parameters to obtain a first digital signature (the digest);
applying the private key to the first digital signature to obtain a second digital signature;
and Base64-encoding the second digital signature to obtain the digital signature.
Further, sending the digital signature and the API parameters to the server side comprises the following steps:
receiving a verification result from the server side indicating whether the API parameters have been tampered with;
when the verification passes, calling the API interface of the server side;
and when the verification fails, returning an error message.
Further, using the key pair comprising a private key and a public key further comprises the following steps:
receiving a verification result, the verification result being the server side's verification of the sender's IP address;
and using the key pair only when that verification passes.
Further, generating the access domain name of the bastion host service further comprises the following steps:
randomly generating an access domain name for the bastion host service and storing the access domain name in a domain name database;
and configuring the access domain name on an Nginx server.
A second object of the invention is to provide an automatic deployment device for a bastion host, which carries out the automatic deployment method above, so as to solve the problem of the long lead time needed to deploy a bastion host.
The second object of the invention is achieved by the following technical scheme:
an automatic bastion host deployment device, comprising:
an order receiving module, used for receiving bastion host order information and storing the bastion host configuration parameters contained in the order information;
a signature generation module, used for preprocessing the bastion host configuration parameters into API parameters and generating a digital signature over the API parameters;
a sending module, used for sending the digital signature and the API parameters to the server side;
an API calling module, used for calling an API interface of the server side, through which the server side creates the bastion host service;
and a domain name generation module, used for generating an access domain name for the bastion host service.
A third object of the invention is to provide an electronic device for carrying out the first object, comprising a processor, a storage medium and a computer program stored in the storage medium, wherein the computer program, when executed by the processor, implements the automatic deployment method for a bastion host.
A fourth object of the invention is to provide a computer-readable storage medium for carrying out the first object, having stored thereon a computer program which, when executed by a processor, implements the automatic deployment method for a bastion host described above.
Compared with the prior art, the invention has the following beneficial effects:
the bastion host configuration parameters are preprocessed into API parameters, so that the server side can complete the dynamic configuration of the bastion host from those parameters and create the bastion host service automatically when the API interface it provides is called; the user then reaches the bastion host service through the generated access domain name. Deployment of the bastion host is thus automated, which improves deployment efficiency and the user experience. The digital signature lets the server side detect any modification of the configuration parameters in transit, so tampered parameters are rejected rather than acted upon.
Detailed Description
The invention will now be described in more detail with reference to the accompanying drawings. It should be noted that the description below is given by way of illustration only and not by way of limitation, and that the embodiments may be combined with one another to form further embodiments not described here.
Embodiment one
Embodiment one provides an automatic deployment method for a bastion host. Its aim is to configure the parameter information of the bastion host server dynamically and call an API interface with it, so that the bastion host is deployed automatically.
With the development of cloud technology, traditional bastion hosts, delivered as hardware or as combined hardware and software, are gradually being replaced by cloud bastion hosts. A cloud bastion host offers more computing power and stronger protection than a traditional one, at lower cost. The cloud bastion server creates the corresponding bastion service from the supplied parameters, and the user accesses the bastion service through the corresponding API interfaces.
It should be noted that the "server side" in this embodiment means the server that provides the bastion host service function: it completes operations such as bastion host creation and digital signature verification, and is typically the server hosting the bastion host management platform.
Referring to fig. 1, the automatic deployment method for a bastion host comprises the following steps:
S110, receiving bastion host order information and storing the bastion host configuration parameters contained in the order information;
Bastion host order information generally carries more than is needed here, such as user information, IP addresses and the configuration parameters selected by the user. Only the configuration parameters are needed to create the bastion service, and the deployment method of this embodiment concerns creation of that service only, so only the bastion host configuration parameters in the order information need to be stored.
When the bastion host configuration parameters are stored, they must be ordered in the sequence the server side expects, so that the server side can identify each parameter.
Accordingly, receiving the bastion host order information and storing the bastion host configuration parameters contained in it specifically means:
storing the parameter name and the parameter value of each bastion host configuration parameter as a key-value pair.
Taking the creation of a single-core bastion host as an example of this key-value storage: the required configuration parameter has the parameter name "CPU" and the parameter value "1" (the number of cores), so "CPU" is stored as the key and "1" as the value. Key-value storage is available in every common language, for example the std::map container of the C++ STL, HashMap in Java and the dict type in Python, so this embodiment does not limit the storage tool; the appropriate one is chosen according to the programming language used on the server side.
S120, preprocessing the bastion host configuration parameters into API parameters, and generating a digital signature over the API parameters;
Because the server side creates the bastion service through an API interface, the configuration parameters have to be converted into the API parameters from which the server side creates a correspondingly configured bastion service. How they are preprocessed depends on how the API parameters are transmitted: in general they travel either in the request URL (Request-URL, as a query string) or in the request body (Request-Body), so the bastion host configuration parameters are preprocessed into URL-format API parameters or body-format API parameters according to which transmission mode the API uses.
In S120 the integrity of the API parameters in transit is protected by the digital signature. The server that receives the bastion host order information and the server on which the cloud bastion host runs are different servers, so the API parameters could be modified in transit; the digital signature lets the receiving side verify whether the configuration parameters have been tampered with.
This embodiment does not limit the method used to generate the digital signature, provided the server side is able to verify the signature produced.
S130, sending the digital signature and the API parameters to the server side;
The API parameters and the digital signature are sent to the server side so that the server side can verify them. Specifically, sending the digital signature and the API parameters to the server side comprises the following steps:
receiving a verification result from the server side indicating whether the API parameters have been tampered with;
when the verification passes, calling the API interface of the server side;
and when the verification fails, returning an error message.
The server side verifies the digital signature to determine whether the configuration parameters have been tampered with; parameters that fail verification are never passed on to the creation API.
S140, calling the API interface provided by the server side, through which the server side creates the bastion host service;
S150, generating an access domain name for the bastion host service.
The user connects to the bastion host service through the generated access domain name.
Embodiment two
Embodiment two builds on embodiment one.
Referring to fig. 2, preprocessing the bastion host configuration parameters into API parameters and generating a digital signature over the API parameters specifically comprises the following steps:
S210, forming the bastion host configuration parameters into a URL-format string, which is the API parameters;
S220, using a key pair comprising a private key and a public key;
S230, signing the API parameters with the private key to obtain the digital signature.
In this embodiment the API parameters are transmitted in the request URL (Request-URL), so the configuration parameters are joined, in order, into a URL-format query string; this string is the API parameters, and the server side creates the bastion service and exposes the corresponding API interface by parsing it. Special characters in the configuration parameters must be percent-encoded, for example "{" becomes "%7B", to obtain a valid URL-format string. The URL-format string is then signed with the private key to obtain the digital signature. The bytes signed must be exactly the bytes transmitted: if the sender signs the string before percent-encoding while the server side verifies the string after it, verification fails even though nothing was tampered with.
The server that receives the order information holds a randomly generated key pair. The private key stays on that server; the server side holds the corresponding public key and uses it to verify the digital signature and thus the integrity of the API parameters. The key pair is normally generated only once; each new order is signed with the same private key rather than with a freshly generated pair. Because anyone holding the private key can produce valid signatures, the private key must never be sent along with the request, and the server side must obtain the public key through a trusted channel rather than accept one carried in the request itself.
This embodiment does not limit the asymmetric algorithm (that is, the method of generating the public and private keys), as long as the server side can verify the digital signature with the public key.
Before the key pair is used, the server side also verifies that the party using the key is legitimate. Specifically, using the key pair comprising a private key and a public key further comprises the following steps:
receiving a verification result, the verification result being the server side's verification of the sender's IP address;
and using the key pair only when that verification passes.
The server side keeps an IP allowlist of legitimate addresses; only requests from addresses on the allowlist are permitted to use the key. This embodiment does not limit how the allowlist is built: it may be maintained by the bastion service provider (the server side) or be an IP allowlist shared by a third-party network security company. The allowlist stops parties outside the listed addresses from requesting or purchasing bastion services. It is a coarse control that complements, and does not replace, the signature check: the source address should be taken from the TCP connection rather than from a client-supplied header such as X-Forwarded-For unless a trusted proxy sets that header, and a party that already operates from inside an allowlisted network is not stopped by it.
Embodiment three
Embodiment three builds on embodiment one.
Embodiment three differs from embodiment two, in which the digital signature is generated and verified directly with the private and public key, in that the digital signature is produced by hashing, private-key signing and Base64 encoding, which makes the signature more robust.
A signature made with the private key authenticates the sender of the API parameters, but whoever obtains the private key held by the order server can modify the API parameters and re-sign them, and the server side, which verifies only with the public key, cannot tell that the parameters were changed. Hashing before signing does not remove that dependency on the private key staying secret; what it adds is a canonical, fixed-length digest that both sides compute over exactly the same bytes, so that any change to the parameters in transit, however small, changes the digest and fails verification, plus a Base64 layer that carries the binary signature safely in a URL or header. Specifically, referring to fig. 3, generating the digital signature over the API parameters comprises the following steps:
S310, sorting the bastion host configuration parameters according to a preset sorting rule;
The preset sorting rule is usually ascending or descending order of the key. Taking ascending order as an example: if the stored parameter names are "tc", "ect", "edc" and "act", then after sorting in ascending order the keys are "act", "ect", "edc", "tc". The rule can be chosen according to need; its purpose is to make both sides hash the API parameters in the same order, so that the same parameters never yield different digests merely because of a different order, which would cause a false verification failure.
S320, forming the sorted bastion host configuration parameters into a URL-format string; the URL-format string is the API parameters;
In this embodiment the API parameters are again transmitted in the request URL (Request-URL). Compared with transmission in the request body, where parameter names and values are separate fields, the URL-format string is simpler to hash because the parameters have already been joined into a single string.
S330, using a key pair comprising a private key and a public key;
The key generation of S330 is described in embodiment two.
S340, hashing the API parameters to obtain a first digital signature;
The hashing in S340 may be a plain cryptographic hash such as SHA-256, or a keyed construction such as HMAC-SHA256 or HMAC-SHA1; this embodiment does not limit the algorithm, but the server side must apply the same algorithm to verify the signature. Note that HMAC is a keyed MAC, so choosing it means both sides must also share the MAC key, whereas an unkeyed hash needs no shared secret because the private-key step in S350 supplies the authentication. SHA-1 is deprecated for new designs; prefer SHA-256.
S350, applying the private key to the first digital signature to obtain a second digital signature;
S360, Base64-encoding the second digital signature to obtain the digital signature.
Base64 encoding of the signed digest gives the final signature. Its purpose is transport safety: the output of the private-key operation is arbitrary binary, and Base64 turns it into printable characters that can be carried in a URL or an HTTP header without corruption. Base64 is not compression (it expands the data by about a third) and not encryption: anyone who intercepts the signature can decode it, so it provides no secrecy. When the signature is placed in a URL, the "+", "/" and "=" characters of standard Base64 must themselves be percent-encoded, or the URL-safe Base64 alphabet used.
Because a cryptographic hash is one-way, the digest does not let a third party recover the API parameters from it (although the parameters themselves travel in the clear alongside the signature), and because only the private key holder can produce the second signature, a party that changes the API parameters in transit cannot produce a matching signature. The scheme of this embodiment therefore authenticates the source of the request and detects tampering. It does not by itself prevent replay: a captured request with a valid signature can be resubmitted unchanged, so a timestamp or nonce should be included among the signed parameters and checked by the server side where replay matters. Nor does it protect the confidentiality of the parameters, which is a matter for the transport (for example TLS).
When the server side verifies, it Base64-decodes the digital signature and applies the public key to the decoded value to recover the first digital signature, that is, the digest of the API parameters; it then hashes the received API parameters with the same algorithm and compares the result with the recovered digest, completing the verification of the API parameters.
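The signing pipeline of embodiments two and three (sort by key, percent-encode, hash, private-key operation, Base64) together with the server-side verification and the IP allowlist check of embodiment two, as an added Python example that is not the patent's own code. The private-key step is textbook RSA built with the standard library so the example runs without third-party packages; it omits the padding (PSS or PKCS#1 v1.5) that real RSA signatures need, and a deployment would use a library's RSA-PSS or Ed25519 signing, which performs hash-then-sign internally. The parameter names, the allowlist range and the 512-bit key size are assumptions made for the demo.

```python
"""Sign bastion host API parameters on the order server and verify them server side.

Added example, not the patent's code. Follows embodiment three (sort by key,
percent-encode, SHA-256 digest, private-key operation, Base64) and adds the IP
allowlist check of embodiment two. The private-key step is textbook RSA written
with the standard library so the example runs anywhere; it omits the padding
(PSS or PKCS#1 v1.5) that real RSA signatures need and shows the structure only.
Parameter names, the allowlist and the 512-bit key size are assumptions.
"""
import base64
import hashlib
import hmac
import ipaddress
import random
import secrets
from urllib.parse import quote, urlencode


def canonical_query(params: dict) -> str:
    """S310/S320: ascending sort by key, then percent-encode ('{' -> '%7B')."""
    return urlencode(sorted(params.items()), quote_via=quote)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a demo key, not a crypto library's keygen."""
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)); generated once and reused for every order."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign_params(params: dict, private_key) -> tuple:
    """S330-S360 on the order server: returns (query, signature) as sent."""
    n, d = private_key
    query = canonical_query(params)
    digest = hashlib.sha256(query.encode()).digest()            # first signature
    sig = pow(int.from_bytes(digest, "big"), d, n)               # second signature
    sig_bytes = sig.to_bytes((n.bit_length() + 7) // 8, "big")
    return query, base64.b64encode(sig_bytes).decode()           # final signature


def verify_params(query: str, signature_b64: str, public_key) -> bool:
    """Server side: decode, apply the public key, recompute the digest, compare."""
    n, e = public_key
    klen = (n.bit_length() + 7) // 8
    try:
        sig = int.from_bytes(base64.b64decode(signature_b64, validate=True), "big")
    except ValueError:                       # malformed Base64
        return False
    if not 0 < sig < n:
        return False
    recovered = pow(sig, e, n).to_bytes(klen, "big")
    digest = hashlib.sha256(query.encode()).digest()
    return hmac.compare_digest(recovered, digest.rjust(klen, b"\x00"))


def client_allowed(client_ip: str, allowlist) -> bool:
    """Embodiment two's IP allowlist; entries are single addresses or CIDR ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowlist)


def demo() -> dict:
    """Round trip on constructed parameters: genuine, tampered, and off-list source."""
    public, private = generate_keypair()
    params = {"tc": 4, "ect": 2, "edc": 1, "act": "create", "cpu": 1, "name": "order-{42}"}
    query, sig = sign_params(params, private)
    allow = ["10.1.2.0/24"]                                      # assumed allowlist
    return {
        "query": query,
        "genuine": client_allowed("10.1.2.7", allow) and verify_params(query, sig, public),
        "tampered": verify_params(query.replace("cpu=1", "cpu=8"), sig, public),
        "off_list": client_allowed("203.0.113.9", allow),
    }
```

`demo()` returns the canonical query ("act=create&cpu=1&...") and shows that the unmodified query verifies while the query with "cpu=1" changed to "cpu=8" and the request from an address outside the allowlist are both rejected. The server side should take `client_ip` from the TCP peer address, not from a client-supplied header. As in the patent's scheme, nothing here binds the request to a time, so a captured request could be replayed; adding a timestamp or nonce to `params` and rejecting stale or repeated values on the server side closes that gap.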
Embodiment four
Embodiment four builds on embodiment one and mainly describes the method of generating the access domain name.
Referring to fig. 4, generating the access domain name of the bastion host service further comprises the following steps:
S410, randomly generating an access domain name for the bastion host service and storing it in a domain name database;
The randomly generated access domain name must be unique, so that no two services share a name and access to the bastion server is not misdirected. In this embodiment the random domain name is derived with the MD5 algorithm; other embodiments may generate it in other ways. Because the name is generated randomly, uniqueness cannot be assumed from the generation step alone: the domain name database should enforce it (for example with a unique key on the name) and the generator should draw a new name whenever a collision is reported.
The domain name database of S410 also lets the user side look up its domain name.
S420, configuring the access domain name on an Nginx server.
Nginx has a small memory footprint and handles concurrency well, so it is used to map the access domain name to the bastion server: the user reaches the intranet IP of the bastion host platform by visiting the domain name, while the intranet IP itself is never disclosed to the user, which reduces the server's exposure to direct attack. Hiding the address in this way is not access control in itself; authentication still takes place at the bastion service.
It should be noted that, besides the access domain name, information such as the purchasing user's name and the intranet IP address is also sent to the Nginx server, so that the Nginx server can forward requests for the access domain name to the corresponding bastion service.
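Steps S410 and S420 carried through, as an added Python example that is not the patent's code: a domain name is drawn at random, uniqueness is enforced by the domain name database rather than assumed, and the Nginx server block that maps the name to the service's intranet address is rendered. Assumptions: the domain database is an SQLite table whose primary key is the name, the parent zone `bastion.example`, the intranet addresses, the certificate paths and the HTTPS backend are placeholders, and `label_fn` is a hook added only so the collision path can be exercised.

```python
"""Allocate a unique access domain name for a bastion service and render the
Nginx reverse-proxy block that maps it to the service's intranet address.

Added example, not the patent's code. Assumptions: the domain database is an
SQLite table whose primary key is the name; the parent zone, intranet addresses,
certificate paths and the HTTPS backend are placeholders.
"""
import hashlib
import secrets
import sqlite3

PARENT_ZONE = "bastion.example"          # placeholder zone (assumption)


def open_domain_db() -> sqlite3.Connection:
    """S410's domain name database; the PRIMARY KEY is what guarantees uniqueness."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (name TEXT PRIMARY KEY, user TEXT NOT NULL, "
                 "intranet_ip TEXT NOT NULL)")
    return conn


def random_label(order_id: str) -> str:
    """The text derives the name with MD5. Hashing fresh random bytes together with
    the order id keeps the label unguessable; MD5 is only a label derivation here
    and nothing relies on its collision resistance."""
    return hashlib.md5(secrets.token_bytes(16) + order_id.encode()).hexdigest()[:16]


def allocate_domain(conn, order_id, user, intranet_ip, label_fn=random_label, attempts=5):
    """Insert a fresh name; on a collision (IntegrityError) draw another one."""
    for _ in range(attempts):
        name = f"{label_fn(order_id)}.{PARENT_ZONE}"
        try:
            with conn:                       # commits on success, rolls back on error
                conn.execute("INSERT INTO domains VALUES (?, ?, ?)",
                             (name, user, intranet_ip))
            return name
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError(f"no unique domain name after {attempts} attempts")


def nginx_server_block(name, intranet_ip, port=443) -> str:
    """S420: the only place the intranet address appears; the user sees the name."""
    return "\n".join([
        "server {",
        "    listen 443 ssl;",
        f"    server_name {name};",
        "    ssl_certificate     /etc/nginx/certs/bastion.crt;   # placeholder path",
        "    ssl_certificate_key /etc/nginx/certs/bastion.key;   # placeholder path",
        "    location / {",
        f"        proxy_pass https://{intranet_ip}:{port};",
        "        proxy_set_header Host $host;",
        "        proxy_set_header X-Forwarded-For $remote_addr;",
        "    }",
        "}",
    ])


def deploy_domain(conn, order_id, user, intranet_ip) -> dict:
    """Allocate the name and render the config handed to the Nginx host."""
    name = allocate_domain(conn, order_id, user, intranet_ip)
    return {"domain": name, "nginx": nginx_server_block(name, intranet_ip)}
```

`deploy_domain(open_domain_db(), "order-1", "alice", "10.0.0.5")` returns the allocated name and the server block to drop into the Nginx configuration. Pair the per-name server blocks with a default server that returns 444 (or a fixed error page) for unknown Host values, so that a request for a guessed or retired name is not proxied anywhere.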
Embodiment five
Embodiment five discloses a device corresponding to the automatic bastion host deployment method of the embodiments above; it is the virtual device structure of those embodiments. Referring to fig. 5, it comprises:
an order receiving module 510, configured to receive bastion host order information and store the bastion host configuration parameters contained in it;
a signature generation module 520, configured to preprocess the bastion host configuration parameters into API parameters and generate a digital signature over the API parameters;
a sending module 530, configured to send the digital signature and the API parameters to the server side;
an API calling module 540, configured to call an API interface of the server side, through which the server side creates the bastion host service;
and a domain name generation module 550, configured to generate an access domain name for the bastion host service.
Preferably, receiving the bastion host order information and storing the bastion host configuration parameters contained in it specifically comprises:
storing the parameter name and the parameter value of each bastion host configuration parameter as a key-value pair.
Preferably, preprocessing the bastion host configuration parameters into API parameters and generating a digital signature over the API parameters comprises the following steps:
forming the bastion host configuration parameters into a URL-format string, which is the API parameters;
using a key pair comprising a private key and a public key;
and signing the API parameters with the private key to obtain the digital signature.
Preferably, preprocessing the bastion host configuration parameters into API parameters and generating a digital signature over the API parameters comprises the following steps:
sorting the bastion host configuration parameters according to a preset sorting rule;
forming the sorted bastion host configuration parameters into a URL-format string, which is the API parameters;
using a key pair comprising a private key and a public key;
hashing the API parameters to obtain a first digital signature;
applying the private key to the first digital signature to obtain a second digital signature;
and Base64-encoding the second digital signature to obtain the digital signature.
Preferably, sending the digital signature and the API parameters to the server side comprises the following steps:
receiving a verification result from the server side indicating whether the API parameters have been tampered with;
when the verification passes, calling the API interface of the server side;
and when the verification fails, returning an error message.
Preferably, using the key pair comprising a private key and a public key further comprises the following steps:
receiving a verification result, the verification result being the server side's verification of the sender's IP address;
and using the key pair only when that verification passes.
Preferably, generating the access domain name of the bastion host service further comprises the following steps:
randomly generating an access domain name for the bastion host service and storing it in a domain name database;
and configuring the access domain name on an Nginx server.
Embodiment six
Fig. 6 is a schematic structural diagram of an electronic device according to embodiment six of the invention. As shown in fig. 6, the electronic device comprises a processor 610, a memory 620, an input device 630 and an output device 640. The electronic device may have one or more processors 610 (one processor 610 is shown in fig. 6), and the processor 610, memory 620, input device 630 and output device 640 may be connected by a bus or by other means; a bus connection is shown in fig. 6.
The memory 620, as a computer-readable storage medium, may store software programs, computer-executable programs and modules, such as the program instructions and modules corresponding to the automatic bastion host deployment method of the embodiments of the invention (for example the order receiving module 510, signature generation module 520, sending module 530, API calling module 540 and domain name generation module 550 of the automatic bastion host deployment device). By running the software programs, instructions and modules stored in the memory 620, the processor 610 carries out the functional applications and data processing of the electronic device, that is, implements the automatic bastion host deployment method of embodiments one to four.
The memory 620 may mainly comprise a program storage area and a data storage area. The program storage area may store an operating system and the applications required for at least one function, such as the tools and applications that generate digital signatures; the data storage area may store data created during use of the terminal, such as order information and configuration parameters. In addition, the memory 620 may comprise high-speed random access memory and may also comprise non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples the memory 620 may further comprise memory located remotely from the processor 610 and connected to the electronic device through a network; examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 630 may be used to receive input such as user identity information and order information. The output device 640 may comprise a display device such as a display screen for showing the user's purchase result, including a purchase failure prompt, a purchase success prompt and the generated access domain name.
Embodiment seven
Embodiment seven of the invention also provides a storage medium containing computer-executable instructions which, when executed by a computer, perform an automatic deployment method for a bastion host comprising:
receiving bastion host order information and storing the bastion host configuration parameters contained in the order information;
preprocessing the bastion host configuration parameters into API parameters, and generating a digital signature over the API parameters;
sending the digital signature and the API parameters to the server side;
calling an API interface of the server side, through which the server side creates the bastion host service;
and generating an access domain name for the bastion host service.
Of course, the storage medium containing computer-executable instructions provided in the embodiments of the invention is not limited to the method operations above and may also perform the related operations of the automatic bastion host deployment method provided in any embodiment of the invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., and include several instructions for causing an electronic device (which may be a mobile phone, a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the automatic bastion host deployment device, the units and modules are divided only according to functional logic and are not limited to the division above, so long as the corresponding functions can be realised; likewise the specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.
It will be apparent to those skilled in the art from this disclosure that various other changes and modifications can be made which are within the scope of the invention as defined in the appended claims.