CN111416813A - Data filtering system based on reverse proxy service and implementation method - Google Patents


Info

Publication number: CN111416813A
Application number: CN202010181265.1A
Authority: CN (China)
Prior art keywords: request, user, filtering, information, reverse proxy
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王力哲
Current Assignee: Shandong Inspur Genersoft Information Technology Co Ltd
Original Assignee: Shandong Inspur Genersoft Information Technology Co Ltd
Application filed by: Shandong Inspur Genersoft Information Technology Co Ltd
Priority to: CN202010181265.1A

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                • H04L63/0245 Filtering by information in the payload
                • H04L63/0281 Proxies
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L63/104 Grouping of entities
                • H04L63/105 Multiple levels of security
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Abstract

The invention discloses a data filtering system based on a reverse proxy service and an implementation method, belonging to the field of computer system data processing. It aims to solve the technical problem of how to complete data filtering before a user request reaches an internal server and before internal data is transmitted to the user, thereby improving the security of the internal server during reverse proxying. The technical scheme is as follows: the system comprises a reverse proxy server, a user client and an internal server, where the reverse proxy server is connected to both the user client and the internal server; the reverse proxy server is developed in the Java language and runs in a servlet container; the reverse proxy server comprises an authentication module and a filtering module; the authentication module is used to configure the request authority of the user client and to implement authority control based on the reverse proxy together with visual (interface-based) authority management; the filtering module is used to provide the function of setting authority-based data filtering words.

Description

Data filtering system based on reverse proxy service and implementation method
Technical Field
The invention relates to the field of computer system data processing, and in particular to a data filtering system based on a reverse proxy service and an implementation method.
Background
A reverse proxy is used in most Web systems: it serves as the entrance and exit of the website, forwards the user request to an internal server, and after the internal server responds, passes the response back to the user. However, most current reverse proxies are used only as transit stations for network information or as front-end processors for the internal servers to reduce network and server load; they do not inspect or filter the information. Consequently, a user can still send arbitrary data to the internal server, and the data returned by the internal server is displayed to the user verbatim. Some websites, however, need to filter by user group so that specific data can be viewed only by a specific user group, and if this logic is implemented entirely in the internal server, a potential security hazard exists.
In current website applications, a user request often passes through several transit services before it reaches the core server, and a reverse proxy is the most common entry point. However, most reverse proxy servers are used only as data transfer servers; if all authority control and data control are performed in the internal server, the security of the internal server cannot be guaranteed. Once a request reaches the internal server, an attacker may somehow obtain information that should not be revealed, posing a security risk to the internal server.
Mainstream reverse proxy servers all provide a request forwarding function, but their authority management is weak and they have no information replacement function, because authority management and information replacement are not generic: the authorities to be controlled and the content to be replaced differ from system to system, so no unified specification has been formed.
In summary, how to complete data filtering before a user request reaches the internal server and before internal data is transmitted to the user, thereby improving the security of the internal server in the reverse proxy process, is a technical problem that urgently needs to be solved.
Patent document CN105187430A discloses a reverse proxy server, a reverse proxy system and a method, in which the reverse proxy server is connected to a peripheral application server and a peripheral client respectively and includes a setting unit, an interaction unit and a verification unit. The setting unit is configured to set a URL interception rule; the interaction unit is configured to receive a target access request sent by the peripheral client and, when the verification unit verifies that the target URL is valid, forward the target URL in the target access request to the peripheral application server, receive the result data returned by the application server, and send the result data to the client; the verification unit is configured to obtain the target URL from the target access request received by the interaction unit according to the URL interception rule set by the setting unit and to verify the validity of the target URL, which reduces the possibility of the application server being attacked and damaged.
Disclosure of Invention
The technical task of the invention is to provide a data filtering system based on a reverse proxy service and an implementation method thereof, so as to solve the problem of how to complete data filtering before a user request reaches the internal server and before internal data is transmitted to the user, and thereby improve the security of the internal server in the reverse proxy process.
The technical task of the invention is achieved in the following way. A data filtering system based on a reverse proxy service comprises a reverse proxy server, a user client and an internal server, where the reverse proxy server is connected to both the user client and the internal server, receives the network access connection request of the user client, forwards the request according to a policy to the internal server that actually does the work in the network, and returns the processing result from the internal server to the user client that initiated the connection request;
the reverse proxy server is developed in the Java language and runs in a servlet container; the reverse proxy server comprises an authentication module and a filtering module, where:
the authentication module is used to configure the request authority of the user client and to implement authority control based on the reverse proxy together with visual authority management;
the filtering module is used to provide the function of setting authority-based data filtering words: it filters content according to the user's roles, stores the filtering content in a database with different filtering content for different roles, supports full-text matching and regular-expression matching, produces different filtering results according to the different filtering rules, and displays the filtered content as asterisks so that the user cannot see the specific information.
Preferably, the authentication module has the following functions:
(1) it is configurable which authorities the system has and which roles each user has; roles that have been assigned to users cannot be deleted at will, while roles not assigned to any user can be deleted;
(2) authority control takes effect only if an authority has been granted to a role and the user holds that role; a request from a user with no configured authority is rejected by default;
(3) deleting an authority, deleting a role or revoking an authority grant causes the user to lose the corresponding access authority;
(4) an authority takes effect once it is saved, at which point the authority in the cache is cleared and regenerated; after it takes effect, the various authorities can be modified, and after modification control is performed according to the latest authority.
Preferably, the filtering module comprises a request data filtering submodule and a returned data filtering submodule;
the request data filtering submodule filters dangerous content when a request reaches the reverse proxy server, before the reverse proxy server sends the data to the internal server, with the aim of protecting the internal server from attack;
the returned data filtering submodule checks the result that the internal server returns after the request has been sent to it through the reverse proxy server, at the moment the reverse proxy server returns the data to the user: because of strategies such as caching, the sensitive content settings on the internal server may not have been updated in time, so content that should not be returned to the user may still be sent to the reverse proxy as returned data; filtering the returned data therefore ensures the safety of the data.
Preferably, the request data filtering submodule filters the configured content and performs rule-based replacement during filtering, where the rules are configured by the user of the reverse proxy server; the specific steps are as follows:
(I) when a request reaches the reverse proxy server, acquire the user information and judge whether the acquisition succeeded:
①, if yes, execute step (II);
②, if not, return error information;
(II) judge whether the user exists in the system and whether the authentication information is correct:
①, if yes, execute step (III);
②, if not, return error information;
(III) acquire all roles of the user according to the user information and judge whether the acquisition succeeded:
①, if yes, execute step (IV);
②, if not, return error information;
(IV) acquire the request-time filtering content according to all roles of the user, search with the regular expression, and judge whether the request content matches the regular expression:
①, if so, change the matched content into asterisks by a replacement operation;
(V) after the replacement is completed, send the request to the internal server.
Preferably, the working process of the returned data filtering submodule is as follows:
(i) when the returned data reaches the reverse proxy server, acquire the return-time filtering content according to the user's sensitive-information settings acquired at request time;
(ii) acquire the filtering content according to all roles of the user, search with the regular expression, and judge whether the returned content matches the regular expression:
①, if yes, change the sensitive content into asterisks by a replacement operation;
(iii) after the replacement is finished, send the returned result to the user.
Preferably, the reverse proxy server also serves as a load balancing server; that is, a load balancing mode is added to the reverse proxy server so that, on the basis of authentication, users are grouped and the requests of different groups are sent to different internal servers, or requests are grouped and distributed by IP hash (IPHASH), polling (round-robin) or a custom grouping policy, thereby supporting load balancing.
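The three distribution modes named above, as an added example that is not part of the patent: an IP hash that pins a client to one backend, round-robin polling, and a grouping policy that routes authenticated users by role and falls back to the IP hash. It is written in Python rather than the Java servlet implementation the patent describes (the patent states the development language can be replaced); the backend addresses and the role-to-backend map are constructed for the example.

```python
import hashlib
import itertools

# Constructed pool of internal servers behind the reverse proxy (hypothetical addresses).
BACKENDS = ["10.0.0.11:8080", "10.0.0.12:8080", "10.0.0.13:8080"]


def by_ip_hash(client_ip, backends=BACKENDS):
    """IPHASH mode: a stable hash of the client address selects the backend,
    so the same client keeps reaching the same internal server."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


class RoundRobin:
    """Polling mode: hand out the backends in turn, wrapping around."""

    def __init__(self, backends=BACKENDS):
        self._cycle = itertools.cycle(backends)

    def next(self):
        return next(self._cycle)


# Grouping policy (constructed): after authentication the user's roles decide the
# group, and each group is pinned to one internal server.
GROUP_BACKEND = {"finance": "10.0.0.11:8080", "hr": "10.0.0.12:8080"}


def by_group(user_roles, client_ip):
    """Route by the first role that has a group mapping; otherwise fall back to IPHASH
    so an ungrouped user still gets a stable backend."""
    for role in sorted(user_roles):
        if role in GROUP_BACKEND:
            return GROUP_BACKEND[role]
    return by_ip_hash(client_ip)
```

Because the grouping policy runs after authentication, the roles it consumes are the same ones the authentication module resolved for the request; a role with no mapping does not fail open to an arbitrary server but degrades to the hash-based choice.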
A data filtering implementation method based on a reverse proxy service is also disclosed, comprising the following steps:
S1, the user client sends a request to the reverse proxy server, and the reverse proxy server receives the request sent by the user client;
S2, when the user client's request reaches the servlet container, the request address, request headers and request body are obtained from the request, and authority authentication and data filtering are performed according to the authority and data filtering information that was queried from the database and configured into the cache;
S3, the reverse proxy server processes the request data according to the authority control information and the data filtering information in the cache and judges whether the request is to be forwarded:
①, if the authority check passes, create a new request, set the filtered data of the original request into the new request, replace the host address and host port in the request address, send the new request to the internal server, and execute step S4;
②, if the authority check fails, send error information directly to the user, and the request is not forwarded;
S4, the internal server processes the request received from the reverse proxy server, generates the return information and sends it to the reverse proxy server;
S5, after receiving the response, the reverse proxy server copies the response information into the response to the original client request and sends it to the user client; the user client receives the returned data, and the basic function of the reverse proxy is complete.
Preferably, when the user client sends the request to the reverse proxy server in step S1, authentication is performed first, as follows:
S101, when the request reaches the reverse proxy, acquire the user information and judge whether the acquisition succeeded:
①, if yes, go to step S102;
②, if not, return error information;
S102, after the user information is obtained, judge whether the user exists in the system and whether the authentication information is correct:
①, if correct, execute step S103;
②, if not, return error information;
S103, acquire all roles of the user according to the user information and judge whether the acquisition succeeded:
①, if yes, go to step S104;
②, if not, return error information;
S104, acquire the authority according to all roles of the user, check the user's request address, and judge whether the request address is within the authority:
①, if yes, create a new request and copy each item of request information;
②, if not, return error information;
after the authentication passes, the request is sent to the internal server; the specific steps are as follows:
(I) traverse the request information and check whether it contains dangerous information:
①, if it contains dangerous information, return the error message;
②, if all verification is completed and passed, execute step (II);
(II) create a new request, copy all information into the new request, add the source information, send the new request to the internal server, and wait for the internal server to process it;
(III) after processing is finished and the information is returned, check whether the returned content contains information that needs to be filtered, filter it, and return the information to the user.
Preferably, the data filtering in step S2 includes filtering of request data and filtering of returned data;
the filtering of request data filters the configured content and performs rule-based replacement during filtering, where the rules are configured by the user of the reverse proxy server; the specific steps are as follows:
(I) when a request reaches the reverse proxy server, acquire the user information and judge whether the acquisition succeeded:
①, if yes, execute step (II);
②, if not, return error information;
(II) judge whether the user exists in the system and whether the authentication information is correct:
①, if yes, execute step (III);
②, if not, return error information;
(III) acquire all roles of the user according to the user information and judge whether the acquisition succeeded:
①, if yes, execute step (IV);
②, if not, return error information;
(IV) acquire the request-time filtering content according to all roles of the user, search with the regular expression, and judge whether the request content matches the regular expression:
①, if so, change the matched content into asterisks by a replacement operation;
(V) after the replacement is completed, send the request to the internal server.
Preferably, the filtering of the returned data is as follows:
(i) when the returned data reaches the reverse proxy server, acquire the return-time filtering content according to the user's sensitive-information settings acquired at request time;
(ii) acquire the filtering content according to all roles of the user, search with the regular expression, and judge whether the returned content matches the regular expression:
①, if yes, change the sensitive content into asterisks by a replacement operation;
(iii) after the replacement is finished, send the returned result to the user.
The data filtering system and implementation method based on a reverse proxy service have the following advantages:
(I) the invention allows the service provider, when a user accesses the website through the Web server and passes through the reverse proxy, to filter and replace both the data visible to the user and the data transmitted by the user, thereby displaying different content to different users and filtering before the user request reaches the internal server and before internal data is transmitted to the user, which ensures the safety of the internal server;
(II) the invention can intercept unauthorized user requests outside the internal server: when a user request reaches the reverse proxy, authentication is performed first and error information is returned to a user without authority, so that the request cannot reach the internal server and threaten the internal system;
(III) the returned data of the internal server can be modified: if the internal server cannot judge the source of a request and returns some sensitive information, that information is masked and replaced when the data passes to the user through the reverse proxy, so that data safety is ensured;
(IV) the invention is developed in the Java language, but the development language can be replaced and the servlet implementation can be replaced; control is performed mainly at the level of the network request, as the first layer of user access; the authority control configuration information can be replaced, and the data filtering content configuration can be replaced;
(V) authority management in the invention depends on the existing user authentication system and is tied to the service function; if authority management needs to be combined with other systems, the user authentication system can be rewritten and used in more scenarios; the data filtering is suitable for a variety of scenarios and works normally once the content to be filtered is configured.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a data filtering system based on reverse proxy service;
FIG. 2 is a flow chart of a data filtering implementation method based on reverse proxy service;
FIG. 3 is a schematic diagram of an interface for configuring a user's request rights.
Detailed Description
The data filtering system and the implementation method based on reverse proxy service according to the present invention are described in detail below with reference to the drawings and the specific embodiments.
Example 1:
As shown in FIG. 1, the data filtering system based on a reverse proxy service of the present invention comprises a reverse proxy server, a user client and an internal server, where the reverse proxy server is connected to both the user client and the internal server; the reverse proxy server receives the network access connection request of the user client, forwards the request according to a policy to the internal server that actually does the work in the network, and returns the result processed by the internal server to the user client that initiated the connection request. A (forward) proxy service, by contrast, means that an internal network sends connection requests to the Internet, and the proxy service must be configured so that the HTTP requests that would originally have gone directly to the Web server are sent to the proxy server instead.
The reverse proxy server is developed in the Java language, which has the property of cross-platform operation; it can also be developed in other languages, extended within an existing product or developed independently, and it runs in a servlet container such as WebLogic, Tomcat, Jetty, JBoss, Resin or WebSphere.
The reverse proxy server comprises the following modules:
the authentication module is used to configure the request authority of the user client and to implement authority control based on the reverse proxy together with visual authority management; as shown in FIG. 3, the authentication module has the following functions:
(1) it is configurable which authorities the system has and which roles each user has; roles that have been assigned to users cannot be deleted at will, while roles not assigned to any user can be deleted;
(2) authority control takes effect only if an authority has been granted to a role and the user holds that role; a request from a user with no configured authority is rejected by default;
(3) deleting an authority, deleting a role or revoking an authority grant causes the user to lose the corresponding access authority;
(4) an authority takes effect once it is saved, at which point the authority in the cache is cleared and regenerated; after it takes effect, the various authorities can be modified, and after modification control is performed according to the latest authority.
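The four functions of the authentication module listed here (and in the summary above), as an added example that is not part of the patent: an in-memory role-based model in which permissions are granted to roles, roles are assigned to users, a role still assigned to a user cannot be deleted, users without configured authority are denied by default, and every save clears and regenerates the per-user cache from which requests are checked. It is written in Python rather than the patent's Java servlet implementation; the permission names, roles, users and URL prefixes are constructed for the example.

```python
class AuthorityError(Exception):
    """Raised when a configuration change would violate the module's rules."""


class AuthenticationModule:
    """permissions: name -> URL path prefixes it grants
    role_perms:  role -> permission names granted to that role
    user_roles:  user -> roles assigned to that user
    _cache:      user -> allowed URL prefixes, regenerated on every save"""

    def __init__(self):
        self.permissions, self.role_perms, self.user_roles, self._cache = {}, {}, {}, {}

    # (1) configure which authorities exist and which roles a user has
    def add_permission(self, name, url_prefix):
        self.permissions.setdefault(name, set()).add(url_prefix)
        self._save()

    def add_role(self, role):
        self.role_perms.setdefault(role, set())
        self._save()

    def assign_role(self, user, role):
        if role not in self.role_perms:
            raise AuthorityError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)
        self._save()

    # (2) control takes effect only once the authority is granted to a role the user holds
    def authorize(self, role, permission):
        if role not in self.role_perms or permission not in self.permissions:
            raise AuthorityError("role and permission must exist before granting")
        self.role_perms[role].add(permission)
        self._save()

    # (3) deleting an authority, deleting a role or revoking a grant removes access
    def revoke(self, role, permission):
        self.role_perms.get(role, set()).discard(permission)
        self._save()

    def delete_permission(self, name):
        self.permissions.pop(name, None)
        for perms in self.role_perms.values():
            perms.discard(name)
        self._save()

    def delete_role(self, role):
        # a role assigned to any user cannot be deleted at will; unassigned roles can
        holders = sorted(u for u, roles in self.user_roles.items() if role in roles)
        if holders:
            raise AuthorityError(f"role {role!r} is still assigned to {holders}")
        self.role_perms.pop(role, None)
        self._save()

    # (4) after saving, clear and regenerate the cache so the latest authority applies
    def _save(self):
        self._cache.clear()
        for user, roles in self.user_roles.items():
            allowed = set()
            for role in roles:
                for perm in self.role_perms.get(role, set()):
                    allowed |= self.permissions.get(perm, set())
            self._cache[user] = allowed

    def is_allowed(self, user, request_path):
        # default deny: a user with no configured authority has an empty (or no) cache entry
        return any(request_path.startswith(p) for p in self._cache.get(user, set()))


def demo():
    """Walk through the lifecycle with constructed data; returns the access decisions."""
    m = AuthenticationModule()
    m.add_permission("orders.read", "/api/orders")
    m.add_role("clerk")
    m.assign_role("alice", "clerk")
    before = m.is_allowed("alice", "/api/orders/42")   # role holds no permission yet
    m.authorize("clerk", "orders.read")
    after = m.is_allowed("alice", "/api/orders/42")    # grant saved, cache regenerated
    other = m.is_allowed("alice", "/api/admin")        # outside the granted prefix
    try:
        m.delete_role("clerk")
        delete_blocked = False
    except AuthorityError:
        delete_blocked = True                          # clerk is still assigned to alice
    m.revoke("clerk", "orders.read")
    revoked = m.is_allowed("alice", "/api/orders/42")
    return before, after, other, delete_blocked, revoked
```

Keeping the cache as the only structure consulted at request time, and rebuilding it on every save, is what makes function (4) safe: a stale entry can never outlive the configuration change that invalidated it.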
The filtering module is used to provide the function of setting authority-based data filtering words: it filters content according to the user's roles, stores the filtering content in a database with different filtering content for different roles, supports full-text matching and regular-expression matching, produces different filtering results according to the different filtering rules, and displays the filtered content as asterisks so that the user cannot see the specific information.
The filtering module comprises a request data filtering submodule and a returned data filtering submodule;
the request data filtering submodule filters dangerous content when a request reaches the reverse proxy server, before the reverse proxy server sends the data to the internal server, with the aim of protecting the internal server from attack; it filters the configured content and performs rule-based replacement during filtering, where the rules are configured by the user of the reverse proxy server; the specific steps are as follows:
(I) when a request reaches the reverse proxy server, acquire the user information and judge whether the acquisition succeeded:
①, if yes, execute step (II);
②, if not, return error information;
(II) judge whether the user exists in the system and whether the authentication information is correct:
①, if yes, execute step (III);
②, if not, return error information;
(III) acquire all roles of the user according to the user information and judge whether the acquisition succeeded:
①, if yes, execute step (IV);
②, if not, return error information;
(IV) acquire the request-time filtering content according to all roles of the user, search with the regular expression, and judge whether the request content matches the regular expression:
①, if so, change the matched content into asterisks by a replacement operation;
(V) after the replacement is completed, send the request to the internal server.
The returned data filtering submodule checks the result that the internal server returns after the request has been sent to it through the reverse proxy server, at the moment the reverse proxy server returns the data to the user: because of strategies such as caching, the sensitive content settings on the internal server may not have been updated in time, so content that should not be returned to the user may still be sent to the reverse proxy as returned data; filtering the returned data therefore ensures the safety of the data. The working process of the returned data filtering submodule is as follows:
(i) when the returned data reaches the reverse proxy server, acquire the return-time filtering content according to the user's sensitive-information settings acquired at request time;
(ii) acquire the filtering content according to all roles of the user, search with the regular expression, and judge whether the returned content matches the regular expression:
①, if yes, change the sensitive content into asterisks by a replacement operation;
(iii) after the replacement is finished, send the returned result to the user.
Example 2:
As shown in FIG. 2, the method for implementing data filtering based on a reverse proxy service of the present invention comprises the following steps:
S1, the user client sends a request to the reverse proxy server, and the reverse proxy server receives the request sent by the user client;
S2, when the user client's request reaches the servlet container, the request address, request headers and request body are obtained from the request, and authority authentication and data filtering are performed according to the authority and data filtering information that was queried from the database and configured into the cache;
S3, the reverse proxy server processes the request data according to the authority control information and the data filtering information in the cache and judges whether the request is to be forwarded:
①, if the authority check passes, create a new request, set the filtered data of the original request into the new request, replace the host address and host port in the request address, send the new request to the internal server, and execute step S4;
②, if the authority check fails, send error information directly to the user, and the request is not forwarded;
S4, the internal server processes the request received from the reverse proxy server, generates the return information and sends it to the reverse proxy server;
S5, after receiving the response, the reverse proxy server copies the response information into the response to the original client request and sends it to the user client; the user client receives the returned data, and the basic function of the reverse proxy is complete.
In step S1, when the user client sends a request to the reverse proxy server, authentication is performed first, which is as follows:
s101, when the request reaches the reverse proxy, acquiring user information and judging whether the acquisition is successful:
①, if yes, go to step S202;
②, if not, returning error information;
s102, after the user information is obtained, whether the user exists in the system or not and whether the authentication information is correct or not are judged:
①, if it is correct, executing step S103;
②, if not, returning error information;
s103, acquiring all roles of the user according to the user information and judging whether the acquisition is successful:
①, if yes, go to step S104;
②, if not, returning error information;
s104, acquiring the authority according to all roles of the user, checking the request address of the user, and judging whether the request address is in the authority:
①, if yes, creating a new request and copying each request information;
②, if not, returning error information;
after the authentication is passed, the request is sent to the internal server; the method comprises the following specific steps:
(I) traversing the request information and checking whether it contains dangerous information:
①, if dangerous information is contained, returning error information;
②, if all verification is completed and passed, executing step (II);
(II) creating a new request, copying all information into the new request, adding source information, sending the new request to the internal server, and waiting for the internal server to process it;
(III) after the processing is finished and the information is returned, checking whether the returned content contains information needing to be filtered, and returning the information to the user after filtering.
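The authentication and forwarding procedure above (steps S101 to S104, then (I) and (II)), written out as an added Python example; it is not the patent's own Java implementation. The user, role and authority tables, the path-prefix form of an authority, the credential digest, the sample dangerous-content rule and the header names used for source information are all constructed assumptions.

```python
import hashlib
import hmac
import posixpath
import re
from urllib.parse import unquote

def _digest(secret: str) -> str:
    """Store only a digest of the authentication information (assumption:
    the patent does not say how credentials are stored)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

# Constructed sample tables standing in for the database of users, roles
# and authorities; an authority is assumed to be a request-path prefix.
USERS = {
    "alice": {"secret": _digest("alice-pw"), "roles": ["finance"]},
    "bob":   {"secret": _digest("bob-pw"),   "roles": []},
}
ROLE_AUTHORITIES = {"finance": ["/api/invoices", "/api/reports"]}

class AuthorityCache:
    """Role -> authorised path prefixes, built from the database on first use
    and cleared so that it is regenerated whenever authorities are saved."""
    def __init__(self, source):
        self._source, self._cache = source, None
    def get(self):
        if self._cache is None:
            self._cache = {role: tuple(paths) for role, paths in self._source.items()}
        return self._cache
    def invalidate(self):
        self._cache = None

def authenticate(cache, username, password, path):
    """Steps S101 to S104; returns (allowed, reason). Anything not explicitly
    authorised is rejected, the default-deny rule of the authentication module."""
    if not username or password is None:                                   # S101
        return False, "user information not obtained"
    user = USERS.get(username)                                             # S102
    if user is None or not hmac.compare_digest(user["secret"], _digest(password)):
        return False, "user unknown or authentication information incorrect"
    roles = user["roles"]                                                  # S103
    if not roles:
        return False, "no roles for user"
    # S104: union the authorities of all roles and test the request address.
    # The path is decoded and normalised first so that an encoded or dotted
    # form of a path outside the authority cannot pass a prefix comparison.
    clean = posixpath.normpath(unquote(path.split("?", 1)[0]))
    for prefix in (p for role in roles for p in cache.get().get(role, ())):
        if clean == prefix or clean.startswith(prefix + "/"):
            return True, "ok"
    return False, "request address not in authority"

# Constructed sample rule for step (I); in the patent the dangerous-content
# rules are configured by the operator of the reverse proxy server.
DANGEROUS = [re.compile(r"(?i)<script\b")]

def build_forward_request(original, upstream_host, upstream_port, client_ip):
    """Steps (I) and (II): refuse a request carrying dangerous content, else
    copy it into a new request aimed at the internal server, replacing the
    host and port and adding source information. Returns None on refusal."""
    fields = [original["path"], original["body"], *original["headers"].values()]
    if any(rule.search(f) for rule in DANGEROUS for f in fields):
        return None
    new = {"method": original["method"], "path": original["path"],
           "headers": dict(original["headers"]), "body": original["body"]}
    new["headers"]["Host"] = f"{upstream_host}:{upstream_port}"
    new["headers"]["X-Forwarded-For"] = client_ip   # assumed header for source information
    return new
```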
The data filtering in step S2 includes filtering of request data and filtering of return data;
the filtering of the request data filters the configured content, performing rule-based replacement during filtering; the rules are configured by the user of the reverse proxy server; the method comprises the following specific steps:
(I) when a request reaches the reverse proxy server, acquiring user information and judging whether the acquisition is successful:
①, if yes, executing step (II);
②, if not, returning error information;
(II) judging whether the user exists in the system and whether the authentication information is correct:
①, if yes, executing step (III);
②, if not, returning error information;
(III) acquiring all roles of the user according to the user information and judging whether the acquisition is successful:
①, if yes, executing step (IV);
②, if not, returning error information;
(IV) acquiring the request-time filtering content configured for all roles of the user, searching the request with the regular expression, and judging whether the regular expression matches:
if so, replacing the matched content with asterisks;
(V) after the replacement is completed, sending the request to the internal server.
Preferably, the filtering of the returned data is specifically as follows:
(i) when the returned data reaches the reverse proxy server, acquiring the return-time filtering content according to the user sensitive information acquired at request time;
(ii) acquiring the filtering content (as obtained at request time) according to all the roles of the user, searching the returned data with the regular expression, and judging whether the regular expression matches:
if yes, replacing the sensitive content with asterisks;
(iii) after the replacement is finished, sending the return result to the user.
After all filtering is completed, the data is sent to the user through the reverse proxy, so that the information received by the user is safe and poses no threat.
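The role-based request filtering of step (IV) and the return filtering of steps (i) to (iii), as an added Python example that is not the patent's own code; it also covers the full-text matching that claim 1 names alongside regular expression matching. The rule table, its two rule kinds, the sample patterns, the handling of "user sensitive information acquired during requesting" as literal values, and the choice to replace a match with asterisks of the same length are constructed assumptions.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed rule table standing in for the filtering module's database:
# one list of rules per role, each a (kind, pattern) pair where kind is
# "text" (full-text, literal match) or "regex" (regular expression match).
FILTER_RULES: Dict[str, List[Tuple[str, str]]] = {
    "support": [("regex", r"\b\d{3}-\d{2}-\d{4}\b"),     # SSN-shaped numbers
                ("text", "INTERNAL-ONLY")],              # a literal marker
    "finance": [("regex", r"\b\d{16}\b")],               # 16-digit card-shaped numbers
}

def compile_rules(roles: List[str]) -> List[Pattern]:
    """Collect the rules of every role the user holds. Literal rules are
    escaped so that characters such as '.' or '(' match only themselves."""
    compiled = []
    for role in roles:
        for kind, pattern in FILTER_RULES.get(role, ()):
            compiled.append(re.compile(re.escape(pattern) if kind == "text" else pattern))
    return compiled

def mask(text: str, rules: List[Pattern]) -> Tuple[str, int]:
    """Replace every match with asterisks of equal length and return the
    masked text together with the number of replacements made."""
    total = 0
    for rule in rules:
        text, n = rule.subn(lambda m: "*" * len(m.group(0)), text)
        total += n
    return text, total

def _with_length(headers: Dict[str, str], body: str) -> Dict[str, str]:
    # Masking can change the encoded length (multi-byte matches shrink), so
    # Content-Length is recomputed rather than copied from the original.
    return dict(headers, **{"Content-Length": str(len(body.encode("utf-8")))})

def filter_request(roles, headers, body):
    """Step (IV): mask the request body with the user's role rules before
    the proxy forwards it to the internal server."""
    body, n = mask(body, compile_rules(roles))
    return _with_length(headers, body), body, n

def filter_response(roles, headers, body, sensitive_values=()):
    """Steps (i) to (iii): the role rules again, plus literal values noted
    as sensitive while the request was handled (constructed reading of
    "user sensitive information acquired during requesting")."""
    rules = compile_rules(roles) + [re.compile(re.escape(v)) for v in sensitive_values if v]
    body, n = mask(body, rules)
    return _with_length(headers, body), body, n
```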
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A data filtering system based on reverse proxy service is characterized in that the system comprises a reverse proxy server, a user client and an internal server, wherein the reverse proxy server is respectively connected with the user client and the internal server;
the reverse proxy server is developed based on the JAVA language and runs in a servlet container; the reverse proxy server comprises:
the authentication module, which is used for configuring the request authority of the user client and realizing authority control and visual authority control management based on the reverse proxy;
the filtering module, which is used for providing a function of setting authority data filtering words and filtering content according to different roles; the filtering content is stored in a database, with different filtering content stored for different roles; full-text matching and regular expression matching are supported, different filtering results are generated according to different filtering rules, and the filtered content is displayed as asterisks so that the user cannot view the specific information.
2. The reverse-proxy-service-based data filtering system as claimed in claim 1, wherein said authentication module has functions of:
(1) configuring which authorities the system has and which roles a user has; wherein roles already assigned to users cannot be deleted at will, and roles not assigned to any user can be deleted;
(2) authority control takes effect only when an authority is authorized to a role and the user holds that role; requests from users without configured authority are rejected by default;
(3) deleting an authority, deleting a role, or cancelling an authority authorization causes the user to lose the corresponding access authority;
(4) after an authority is saved it takes effect, and the authority in the cache is cleared and regenerated; after taking effect, the various authorities can be modified, and after the modification is finished, control management is performed according to the latest authority.
3. The reverse-proxy-service-based data filtering system of claim 1, wherein the filtering module comprises a request data filtering submodule and a return data filtering submodule;
the request data filtering submodule is used for filtering dangerous content when a request reaches the reverse proxy server, before the reverse proxy server sends the data to the internal server, with the purpose of protecting the internal server from attack;
the return data filtering submodule is used for checking the result returned by the internal server after a request has been forwarded to it through the reverse proxy server, and for filtering the returned data before the reverse proxy server returns it, so as to ensure the safety of the data.
4. The reverse-proxy-service-based data filtering system as claimed in claim 3, wherein the request data filtering submodule filters the configured content and performs rule-based replacement during filtering, the rules being configured by the user of the reverse proxy server; the method comprises the following specific steps:
(I) when a request reaches the reverse proxy server, acquiring user information and judging whether the acquisition is successful:
①, if yes, executing step (II);
②, if not, returning error information;
(II) judging whether the user exists in the system and whether the authentication information is correct:
①, if yes, executing step (III);
②, if not, returning error information;
(III) acquiring all roles of the user according to the user information and judging whether the acquisition is successful:
①, if yes, executing step (IV);
②, if not, returning error information;
(IV) acquiring the request-time filtering content configured for all roles of the user, searching the request with the regular expression, and judging whether the regular expression matches:
if so, replacing the matched content with asterisks;
(V) after the replacement is completed, sending the request to the internal server.
5. The reverse-proxy-service-based data filtering system according to claim 3, wherein the return data filtering submodule specifically operates as follows:
(i) when the returned data reaches the reverse proxy server, acquiring the return-time filtering content according to the user sensitive information acquired at request time;
(ii) acquiring the filtering content (as obtained at request time) according to all the roles of the user, searching the returned data with the regular expression, and judging whether the regular expression matches:
if yes, replacing the sensitive content with asterisks;
(iii) after the replacement is finished, sending the return result to the user.
6. The reverse proxy service-based data filtering system of claim 1, wherein the reverse proxy server further acts as a load balancing server, that is, a load balancing mode is added to the reverse proxy server: on the basis of authentication, the reverse proxy server groups users and sends the requests of different groups to different internal servers, or distributes requests among groups by IP hash, round-robin polling, or a written grouping policy, so as to support load balancing.
7. A data filtering implementation method based on reverse proxy service is characterized in that the method specifically comprises the following steps:
s1, the user client sends a request to the reverse proxy server, and the reverse proxy server receives the request sent by the user client;
s2, when the user client request reaches the servlet container, obtaining the request address, the request headers and the request body from the request, and performing authority authentication and data filtering according to the authority and data filtering information that is queried from the database and configured in the cache;
s3, the reverse proxy server processes the request data according to the authority control information and the data filtering information in the cache, and judges whether the request is forwarded:
①, if the authority passes, creating a new request, setting the data filtered by the original request information into the new request, replacing the host address and the host port in the request address, sending the new request to the internal server, and executing the step S4;
②, if the authority is not passed, directly sending error information to the user, and the request is not forwarded;
s4, the internal server processes the request received from the reverse proxy server, generates the return information and sends the return information to the reverse proxy server;
s5, after receiving the response, the reverse proxy server copies the response information to the response of the original client request and sends the response information to the user client; the user client receives the return data, and the basic function of the reverse proxy is completed.
8. The method for implementing data filtering based on reverse proxy service as claimed in claim 7, wherein the user client performs authentication first when sending the request to the reverse proxy server in step S1, specifically as follows:
s101, when the request reaches the reverse proxy, acquiring user information and judging whether the acquisition is successful:
①, if yes, go to step S102;
②, if not, returning error information;
s102, after the user information is obtained, judging whether the user exists in the system and whether the authentication information is correct:
①, if it is correct, executing step S103;
②, if not, returning error information;
s103, acquiring all roles of the user according to the user information and judging whether the acquisition is successful:
①, if yes, go to step S104;
②, if not, returning error information;
s104, acquiring the authority according to all roles of the user, checking the request address of the user, and judging whether the request address is in the authority:
①, if yes, creating a new request and copying each request information;
②, if not, returning error information;
after the authentication is passed, the request is sent to the internal server; the method comprises the following specific steps:
(I) traversing the request information and checking whether it contains dangerous information:
①, if dangerous information is contained, returning error information;
②, if all verification is completed and passed, executing step (II);
(II) creating a new request, copying all information into the new request, adding source information, sending the new request to the internal server, and waiting for the internal server to process it;
(III) after the processing is finished and the information is returned, checking whether the returned content contains information needing to be filtered, and returning the information to the user after filtering.
9. The reverse proxy service-based data filtering implementation method according to claim 7 or 8, wherein the data filtering in step S2 includes filtering of request data and filtering of return data;
the filtering of the request data filters the configured content, performing rule-based replacement during filtering; the rules are configured by the user of the reverse proxy server; the method comprises the following specific steps:
(I) when a request reaches the reverse proxy server, acquiring user information and judging whether the acquisition is successful:
①, if yes, executing step (II);
②, if not, returning error information;
(II) judging whether the user exists in the system and whether the authentication information is correct:
①, if yes, executing step (III);
②, if not, returning error information;
(III) acquiring all roles of the user according to the user information and judging whether the acquisition is successful:
①, if yes, executing step (IV);
②, if not, returning error information;
(IV) acquiring the request-time filtering content configured for all roles of the user, searching the request with the regular expression, and judging whether the regular expression matches:
if so, replacing the matched content with asterisks;
(V) after the replacement is completed, sending the request to the internal server.
10. The method for implementing data filtering based on reverse proxy service according to claim 9, wherein the filtering of the returned data is specifically as follows:
(i) when the returned data reaches the reverse proxy server, acquiring the return-time filtering content according to the user sensitive information acquired at request time;
(ii) acquiring the filtering content (as obtained at request time) according to all the roles of the user, searching the returned data with the regular expression, and judging whether the regular expression matches:
if yes, replacing the sensitive content with asterisks;
(iii) after the replacement is finished, sending the return result to the user.
CN202010181265.1A 2020-03-16 2020-03-16 Data filtering system based on reverse proxy service and implementation method Pending CN111416813A (en)


Publications (1)

Publication Number Publication Date
CN111416813A true CN111416813A (en) 2020-07-14




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200714