CN111158776B - Smooth restarting method of Web application protection system - Google Patents

Info

Publication number: CN111158776B
Authority: CN (China)
Prior art keywords: network, server, web application, proxy, network server
Legal status: Active
Application number: CN201911274285.7A
Other languages: Chinese (zh)
Other versions: CN111158776A (en)
Inventors: 石达锋, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority date: 2019-12-12
Filing date: 2019-12-12

Events:
    • Application filed by DBAPPSecurity Co Ltd
    • Priority to CN201911274285.7A
    • Publication of CN111158776A
    • Application granted
    • Publication of CN111158776B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F 9/44 Arrangements for executing specific programs > G06F 9/445 Program loading or initiating > G06F 9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F 21/575 Secure boot
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 Arrangements for program control using stored programs > G06F 9/44 Arrangements for executing specific programs > G06F 9/445 Program loading or initiating > G06F 9/44568 Immediately runnable code > G06F 9/44578 Preparing or optimising for loading

Abstract

The invention relates to a smooth restart method for a Web application protection system. When the Web application protection system receives a restart command, the network proxy is kept active while the routing rule between the current network proxy and the network server is cleared; a back-end server is constructed and the current network proxy forwards traffic directly to that back-end server; the firewall rules are written into a rule file and then loaded from it; a new network proxy is started; the network server is restarted; and once the network server is up, the network proxy forwards traffic to the network server again. By adjusting the stop and start sequence of the service processes, the invention prevents the user-facing service interruption that configuration reloads after change and add operations on the WEB application firewall would otherwise cause: the service is not affected while the WEB application firewall service restarts and reloads its new configuration, the service is not interrupted, the usability of the WEB application firewall is enhanced, and service continuity is good.

Description

Smooth restarting method of Web application protection system
Technical Field
The invention relates to the technical field of data exchange networks, in particular to a smooth restarting method of a Web application protection system.
Background
With the spread of the Internet and the growth of online services, the WEB application firewall has become a basic protective device for WEB application security. WEB application firewalls are firewall devices in the network domain, deployed as gateway proxy devices connected in series in the user's network. Configuration changes and additions occur frequently while the user's service is running online, and after such a change or addition the proxy service has to be restarted and the new configuration files reloaded for the configuration to take effect immediately; this process can affect the normal use of the service.
Because a WEB application firewall is a gateway proxy device connected in series in the user's network, its frequent change and add operations involve restarting its own proxy service and reloading new configuration files. Keeping the service uninterrupted during that restart is a necessary basic function of a WEB application firewall: it needs a mechanism that keeps the service flowing smoothly through the proxy configuration reload, so that the service is not interrupted by the firewall's restart. Otherwise, once delivered to a customer, the WEB application firewall is prone to serious incidents such as service interruption caused by routine manual operations.
Disclosure of Invention
The invention addresses the shortcoming of the prior art that, during a service restart, the WEB application firewall cannot guarantee that the service is not interrupted: after the user performs an online change or add operation, the proxy service must be restarted and new configuration files reloaded for the configuration to take effect immediately, and this process can affect the normal use of the service.
The technical scheme adopted by the invention is a method for smoothly restarting a Web application protection system, comprising the following steps:
step 1: the Web application protection system receives a restart command;
step 2: keep the network proxy active, and clear the routing rule between the current network proxy and the network server;
step 3: construct a back-end server, and have the current network proxy forward traffic directly to the back-end server;
step 4: write the firewall rules into the rule file, and call the file to load the firewall rules;
step 5: start a new network proxy;
step 6: restart the network server, and after the network server is started, have the network proxy send the traffic to the network server.
Preferably, in step 4, the iptables rules are written into an iptables file, and that file is called to load the iptables rules.
Preferably, in step 5, after the new network proxy is started, the original network proxy no longer accepts any new connection; new connections are handled by the new network proxy. When the original network proxy has finished processing all of its traffic, it is closed and step 6 is performed.
Preferably, in step 6, the network server is closed first, and its process count is read every t1 interval; if the count is 0, the shutdown has succeeded. The network server is then started, its process count is read every t2 interval, and a flag bit is set once the count is non-zero; when the count stops increasing, the network server has been restarted successfully.
Preferably, in the non-restart phase, service traffic is sent from the network proxy to the network server and from there to the back-end server, while text, pictures and streaming media files are sent directly from the network proxy to the back-end server.
The invention provides an optimized smooth restart method for a Web application protection system: when the Web application protection system receives a restart command, the network proxy is kept active while the routing rule between the current network proxy and the network server is cleared; a back-end server is constructed and the current network proxy forwards traffic directly to it; the firewall rules are written into a rule file and then loaded from it; a new network proxy is started; the network server is restarted; and once the network server is up, the network proxy forwards traffic to the network server again.
By adjusting the stop and start sequence of the service processes, the invention prevents the user-facing service interruption that configuration reloads after change and add operations on the WEB application firewall would otherwise cause: the service is not affected while the WEB application firewall service restarts and reloads its new configuration, the service is not interrupted, the usability of the WEB application firewall is enhanced, and service continuity is good.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the traffic forwarding relationships at the different stages of the restart process of the present invention, where client is the client, server is the back-end server, webproxy.old is the old network proxy, apache.old is the old network server, webproxy.new is the new network proxy, and apache.new is the new network server;
(a) the connection relation in steps 2 and 3: both the left path and the right path are connected;
(b) the connection relation in step 5;
(c) the connection relation in step 6: the left path is connected and the right path is not.
Detailed Description
The present invention will be described in further detail with reference to examples, but the scope of the present invention is not limited thereto.
The invention relates to a smooth restart method for a Web application protection system and addresses the problems of the existing method, in which, when the Web application protection system is restarted, the network proxy (webproxy) is closed first, the related firewall rules (iptables rules) are then stopped, the routing rules are cleared and regenerated, and only after the network server has been restarted is the network proxy started again and the new firewall rules generated. With many configurations this approach leads to long application change times and therefore long periods during which pages cannot be accessed, and because the network server takes a long time to start, firewall rule generation is delayed as well. Since the network proxy is closed first, all previous connections are broken and can only be re-established after a new network proxy is up, which takes a significant amount of time and is obviously undesirable.
The method of the present invention comprises the following steps.
Step 1: the Web application protection system receives the restart command.
In the invention, before the restart, the client and the network proxy use a long-lived connection, while the network proxy and the network server use short connections; the short connections between the network proxy and the network server and between the network server and the back-end server are realized with the option http-server-close parameter.
In the invention, during normal operation the service traffic is sent to the network server, whereas pictures, files and similar content are sent directly to the back-end server.
Step 2: keep the network agent active and clear the current routing rules from the network agent to the network server.
Step 3: and constructing a back-end server, and directly transmitting the traffic to the back-end server by the current network proxy.
In the present invention, the current network proxy in step 3 refers to the original network proxy, and after the back-end server is constructed, all traffic will be sent from the original network proxy directly to the back-end server without going through the network server (apache).
Step 4: and writing the firewall rules into the rule file, and calling and loading the firewall rules.
In the step 4, the iptables rule is written into the iptables file, and the iptables file is called to load the iptables rule.
In the invention, because the prior art adopts a single rule to call iptables rules, once call, firstly, the whole rule set in the kernel space is extracted, then the insertion, the addition or other changes are carried out, finally, a new rule set is inserted into the kernel space from the memory space, and a great amount of time is spent for carrying out the operation for many times; therefore, the iptables rule is written into the iptables file, and one rule table can be loaded at a time by using the iptables-restore, so that a great deal of time is saved.
In the present invention, the embodiment of step 4 presented herein is not the only implementation.
Step 5: start a new network proxy.
In step 5, after the new network proxy is started, the original network proxy no longer accepts any new connection; new connections are handled by the new network proxy. When the original network proxy has finished processing all of its traffic, it is closed and step 6 is performed.
In the invention, the new network proxy is started with the command "/webproxy -b". The "-b" option is used because this parameter can be added to the network proxy's source code, and when it is present the network proxy sends all traffic directly to the back-end server instead of to the network server.
Step 6: restart the network server, and after the network server is started, have the network proxy send the traffic to the network server.
In step 6, the network server is closed first, and its process count is read every t1 interval; if the count is 0, the shutdown has succeeded. The network server is then started, its process count is read every t2 interval, and a flag bit is set once the count is non-zero; when the count stops increasing, the network server has been restarted successfully.
In the non-restart phase, service traffic is sent from the network proxy to the network server and from there to the back-end server, while text, pictures and streaming media files are sent directly from the network proxy to the back-end server.
In the invention, after the network server is started, the network proxy is told to send the traffic to the network server; the traffic here means the service traffic.
In the invention, the network server is closed first; at the same time, the network server's process count is read with ps | grep every preset interval to query the number of surviving processes. If the number of surviving processes equals 0, apache has been closed. The preset interval may be 1 s.
In the invention, the network server is started with a start command, and its process count is read every preset interval; a flag bit is set when the count starts to increase, and when the count no longer increases the network server has been established. A USR2 signal is then sent with "kill -USR2" to the process id obtained with "cat /var/run/webroxy."; the service traffic is subsequently sent to the network server. The preset interval here may be 1 s.
When the Web application protection system receives a restart command, the network proxy is kept active, the routing rule between the current network proxy and the network server is cleared, the back-end server is constructed, the current network proxy forwards the traffic directly to the back-end server, the firewall rules are written into the rule file and then loaded from it, a new network proxy is started, the network server is restarted, and after the network server is started the network proxy forwards the traffic to the network server.
By adjusting the stop and start sequence of the service processes, the invention prevents the user-facing service interruption that configuration reloads after change and add operations on the WEB application firewall would otherwise cause: the service is not affected while the WEB application firewall service restarts and reloads its new configuration, the service is not interrupted, the usability of the WEB application firewall is enhanced, and service continuity is good.
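Steps 4 and 6 above, as an added POSIX shell example that is not part of the patent and not DBAPPSecurity's code: it writes a complete filter table for a single iptables-restore load, polls the server's process count until it reaches zero and then until it stops growing (the "flag bit" logic), and finally sends USR2 to the proxy using the pid in its pidfile. The rule file path, pidfile path, process name and the stop/start commands are assumptions; the counting command is a parameter so the polling logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not the patent's code: a POSIX shell sketch of steps 4 and 6
# (bulk iptables load, server stop/start polling, USR2 notification).
# File paths, process name and the stop/start commands are assumptions.

RULES_FILE="${RULES_FILE:-/tmp/waf-rules.v4}"        # assumed rule file path
PROXY_PIDFILE="${PROXY_PIDFILE:-/tmp/webproxy.pid}"  # assumed proxy pidfile
POLL_INTERVAL="${POLL_INTERVAL:-1}"                  # t1 = t2 = 1 s in the text
POLL_LIMIT="${POLL_LIMIT:-60}"                       # give up after this many polls

# Step 4: emit one complete filter table so it can be loaded in a single
# iptables-restore call, instead of one iptables invocation per rule (each of
# which copies the whole kernel rule set out, edits it and copies it back in).
write_rule_file() {                 # $1 = output file, $2.. = rule lines
    out="$1"; shift
    {
        echo '*filter'
        for rule in "$@"; do echo "$rule"; done
        echo 'COMMIT'
    } > "$out"
}

load_rule_file() {                  # without -n (--noflush) the table is replaced
    iptables-restore < "$1"
}

# Step 6 helpers. The patent reads the server's process count with ps | grep
# every preset interval; the counting command is passed in as "$1" so it can
# be swapped (e.g. for a stub in a test) without touching the polling logic.
count_procs() {                     # $1 = process name as shown in the ps comm column
    ps -eo comm= | grep -c "^$1\$" || true
}

wait_until_zero() {                 # $1 = counting command; success once count is 0
    i=0
    while [ "$($1)" -gt 0 ]; do
        i=$((i + 1))
        [ "$i" -lt "$POLL_LIMIT" ] || return 1
        sleep "$POLL_INTERVAL"
    done
    return 0
}

wait_until_stable() {               # $1 = counting command; prints the final count
    i=0; started=0; prev=-1
    while :; do
        cur="$($1)"
        if [ "$cur" -gt 0 ]; then started=1; fi   # the text's "flag bit"
        if [ "$started" -eq 1 ] && [ "$cur" -eq "$prev" ]; then
            echo "$cur"; return 0                  # count stopped increasing
        fi
        prev="$cur"; i=$((i + 1))
        [ "$i" -lt "$POLL_LIMIT" ] || return 1
        sleep "$POLL_INTERVAL"
    done
}

# Step 6: stop, wait for zero processes, start, wait for a stable count, then
# tell the proxy (pid from its pidfile) to route service traffic to the server.
restart_web_server() {              # $1 = proc name, $2 = stop cmd, $3 = start cmd
    $2 || return 1
    wait_until_zero "count_procs $1" || { echo "server did not stop" >&2; return 1; }
    $3 || return 1
    n=$(wait_until_stable "count_procs $1") || { echo "server did not start" >&2; return 1; }
    echo "server up with $n process(es); notifying proxy"
    kill -USR2 "$(cat "$PROXY_PIDFILE")"
}
```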

Claims (3)

1. A smooth restart method of a Web application protection system, characterized in that the method comprises the following steps:
step 1: the Web application protection system receives a restart command;
before the restart, the client and the network proxy use a long-lived connection, while the network proxy and the network server use short connections; the short connections between the network proxy and the network server and between the network server and the back-end server are realized with the option http-server-close parameter;
step 2: keep the network proxy active, and clear the routing rule between the current network proxy and the network server;
step 3: construct a back-end server, and have the current network proxy forward traffic directly to the back-end server;
step 4: write the firewall rules into the rule file, and call the file to load the firewall rules;
step 5: start a new network proxy; after the new network proxy is started, the original network proxy no longer accepts any new connection, and new connections are handled by the new network proxy; when the original network proxy has finished processing all of its traffic, it is closed and step 6 is performed; in the non-restart phase, service traffic is sent from the new network proxy to the network server and from there to the back-end server, while text, pictures and streaming media files are sent directly from the new network proxy to the back-end server;
wherein the new network proxy is started with a "/webproxy -b" command;
step 6: restart the network server, and after the network server is started, have the new network proxy send the traffic to the network server.
2. The method for smoothly restarting the Web application protection system according to claim 1, characterized in that in step 4, the iptables rules are written into an iptables file, and that file is called to load the iptables rules.
3. The method for smoothly restarting the Web application protection system according to claim 1, characterized in that in step 6, the network server is closed first, and its process count is read every t1 interval; if the count is 0, the shutdown has succeeded; the network server is then started, its process count is read every t2 interval, and a flag bit is set once the count is non-zero; when the count stops increasing, the network server has been restarted successfully.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911274285.7A (CN111158776B) | 2019-12-12 | 2019-12-12 | Smooth restarting method of Web application protection system

Publications (2)

Publication Number | Publication Date
CN111158776A (en) | 2020-05-15
CN111158776B (en) | 2023-12-26

Family ID: 70556794

Country Status (1)

Country | Link
CN (1) | CN111158776B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP1035708A1 (en) * | 1999-03-05 | 2000-09-13 | International Business Machines Corporation | Method and system for optimally selecting a web firewall in a TCP/IP network
CN102687480A (en) * | 2009-12-12 | 2012-09-19 | 阿卡麦科技公司 | Cloud-based firewall system and service
CN105450782A (en) * | 2016-01-15 | 2016-03-30 | 网宿科技股份有限公司 | A method and system for restarting a network service without packet loss and machine halt
CN105677433A (en) * | 2016-03-15 | 2016-06-15 | 深圳创维-Rgb电子有限公司 | Hot upgrading method and device for server program
CN106973058A (en) * | 2017-03-31 | 2017-07-21 | 北京奇艺世纪科技有限公司 | Web application firewall rule update method, apparatus and system
WO2017143807A1 (en) * | 2016-02-25 | 2017-08-31 | 网宿科技股份有限公司 | Method and system for restarting network service
CN107408064A (en) * | 2015-03-20 | 2017-11-28 | 亚马逊技术股份有限公司 | Executing commands in a virtual machine instance
CN108959455A (en) * | 2018-06-15 | 2018-12-07 | 上海陆家嘴国际金融资产交易市场股份有限公司 | Single-page Web application implementation method, device, computer equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
AU2003205083A1 (en) * | 2002-01-11 | 2003-07-30 | Akamai Tech Inc | Java application framework for use in a content delivery network (CDN)
US20050273849A1 (en) * | 2004-03-11 | 2005-12-08 | Aep Networks | Network access using secure tunnel

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant