CN112261039B - Method for realizing fusion gateway http and http URL filtering - Google Patents

Method for realizing converged gateway HTTP and HTTPS URL filtering

Info

Publication number
CN112261039B
CN112261039B (granted patent); application CN202011126839.1A; earlier publication CN112261039A
Authority
CN
China
Prior art keywords
url
filtering
http
executing
kernel
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011126839.1A
Other languages
Chinese (zh)
Other versions
CN112261039A (en)
Inventor
李俊画
马剑
白云波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Tianyi Comheart Telecom Co Ltd
Original Assignee
Sichuan Tianyi Comheart Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Priority date: 2020-10-20
Filing date: 2020-10-20
Publication date: 2021-01-22 (CN112261039A), 2022-05-13 (CN112261039B)
Application filed by Sichuan Tianyi Comheart Telecom Co Ltd
Priority to CN202011126839.1A
Publication of CN112261039A
Application granted
Publication of CN112261039B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F 16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Abstract

The invention belongs to the field of communication technology and provides a method for HTTP and HTTPS URL filtering on a converged gateway, comprising the following steps. Step 1: URL filtering rules are configured on the management page; a rule consists of a device MAC address, a filtering mode (blacklist or whitelist), a URL list and a filtering time period, and is passed through the application-layer configuration interface. Step 2: the converged gateway receives the page configuration data, a CGI handler turns it into the URL Filter variables agreed with the kernel, and the application layer completes its configuration interface by writing them to the kernel URL filtering module through /proc. Step 3: the URL filter module is loaded and performs its initial setup, including initialising the URL rule linked list and the linked-list spinlock. Step 4: the module creates files under /proc/net/xx that give the application layer an interface for adding, deleting and listing URL filter rules, so that the application layer configures the kernel URL rule linked list through the /proc file system. Step 5: after the kernel bridge module receives a data frame, it hands the frame to the URL filtering module, which parses it and matches it against the rules.

Description

Method for realizing converged gateway HTTP and HTTPS URL filtering
Technical Field
The invention relates to the technical field of communication, and in particular to a method for implementing HTTP and HTTPS URL filtering on a converged gateway.
Background
With the spread of networks and mobile devices, users can conveniently obtain the information they need from the internet; on the other hand, because network supervision is difficult, the internet also carries websites hosting pornography, violence and other harmful content. To protect the physical and mental health of minors and keep them from reaching such websites, URL filtering in routers, gateways and similar devices is becoming increasingly important.
A URL (web address) is the address of a standard resource on the internet and fully identifies a web page or other resource. An HTTP URL identifies a resource reachable over HTTP (HyperText Transfer Protocol). The converged gateway's URL filtering function controls which URLs a user may access, allowing or forbidding access to particular web resources, in order to regulate internet behaviour.
Existing converged-gateway URL filtering on Linux is mostly implemented either by adding iptables rules in the Linux netfilter framework, or by diverting packets to an application-layer process through NFQUEUE, which parses the HTTP messages and filters them. Both approaches share two shortcomings: HTTPS is poorly supported, and URL filtering is not supported when the converged gateway runs in bridge mode. Since most internet resources are now served over HTTPS, plain HTTP URL filtering in some vendors' converged gateways is effectively useless.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a method for HTTP and HTTPS URL filtering on a converged gateway, giving a more complete URL filtering function and improving the usability of the gateway's URL filtering.
The method is realised by the following technical scheme. A method for implementing converged gateway HTTP and HTTPS URL filtering comprises the following steps:
Step 1: URL filtering rules are configured on the management page. A rule consists of a device MAC address, a filtering mode (blacklist or whitelist), a URL list and a filtering time period; the rules are passed through the application-layer configuration interface, and step 2 is executed;
Step 2: the converged gateway receives the page configuration data; a CGI handler turns it into the URL Filter variables agreed with the kernel, and the application-layer configuration interface completes by writing them to the kernel URL filtering module through /proc; step 3 is executed;
Step 3: the URL filter module is loaded and performs its initial setup, including initialising the URL rule linked list and the linked-list spinlock; step 4 is executed;
Step 4: the module creates files under /proc/net/xx that give the application layer an interface for adding, deleting and listing URL filter rules; when the application layer configures filter rules, it configures the kernel URL rule linked list through the /proc file system; step 5 is executed;
Step 5: after the kernel bridge module receives a data frame, it hands the frame to the URL filtering module, which parses it and matches it against the rules; the method ends.
Preferably, in step 5 the URL filtering module works as follows:
Step 21: the frame is parsed to obtain the source MAC address and parsing continues. If the frame does not carry an IP/TCP packet, the target is set to ACCEPT and step 25 is executed. If it does, the TCP payload is parsed as an HTTP message to obtain the Host header field; if parsing succeeds, step 22 is executed, otherwise step 23 is executed;
Step 22: the URL filtering rule linked list is traversed and each rule is matched. If all matching conditions of a rule are satisfied, the match flag is set to 1, the loop is left and step 24 is executed; otherwise the traversal continues with step 22. When the list is exhausted without a match, the match flag remains 0 and step 24 is executed.
Step 23: HTTPS is parsed. The SSL/TLS handshake is examined and the server_name (SNI) extension in the ClientHello sent by the downstream device is parsed to obtain the equivalent of the Host field for an HTTPS URL; step 21 is then re-entered with the obtained name standing in for the Host field;
Step 24: the target is set from the match flag and the blacklist/whitelist mode, defaulting to ACCEPT; step 25 is executed;
Step 25: the packet is dropped or passed according to the target.
Preferably, in step 22 the matching conditions are: the source MAC matches the rule's MAC, the current time falls within the rule's time period, and the Host (or SNI name) fuzzy-matches an entry in the rule's URL list.
Preferably, in step 24, in blacklist mode match = 1 sets the target to DROP; in whitelist mode match = 0 sets the target to DROP, since a host that matches no whitelist entry must be blocked for the whitelist to have any effect; in every other case the default ACCEPT stands.
Preferably, in step 25, if the target is DROP a TCP reset segment is assembled and sent to the downstream device, so that the browser reports the access as failed at once instead of retrying; if the target is ACCEPT, the URL filter module is left and the kernel protocol stack continues to process and forward the packet.
Preferably, in step 23, SNI is the server_name extension defined in RFC 4366 (since superseded by RFC 6066) and available in TLS 1.0 and later; SSLv3 has no extension mechanism and therefore carries no SNI. It lets the client state the requested host name when it initiates the TLS handshake, so that the server can select the correct virtual host and return the matching certificate.
The beneficial effects of the invention are as follows. The invention provides a method for HTTP and HTTPS URL filtering on a converged gateway.
(1) Both HTTP and HTTPS URL filtering are supported. Both network modes of the converged gateway are supported: URL filtering in route mode and in bridge mode. URL filtering of downstream terminal devices by time period is supported. Both filtering modes, blacklist and whitelist, are supported.
Drawings
FIG. 1 is the data processing flow diagram of the URL filtering module of the method for converged gateway HTTP and HTTPS URL filtering according to the present invention;
FIG. 2 is the design flow diagram of an embodiment of the present invention;
FIG. 3 shows the Host field in an embodiment of the present invention;
FIG. 4 shows the SNI extension field in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to fig. 1 to 4 of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, fall within the scope of the present invention.
In the description of the present invention, it is to be understood that the terms "counterclockwise", "clockwise", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", etc., indicate orientations or positional relationships based on those shown in the drawings, and are used for convenience of description only, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be considered as limiting.
As shown in FIG. 1, a method for implementing HTTP and HTTPS URL filtering on a converged gateway includes the following steps:
Step 1: URL filtering rules are configured on the management page. A rule consists of a device MAC address, a filtering mode (blacklist or whitelist), a URL list and a filtering time period; the rules are passed through the application-layer configuration interface, and step 2 is executed;
Step 2: the converged gateway receives the page configuration data; a CGI handler turns it into the URL Filter variables agreed with the kernel, and the application-layer configuration interface completes by writing them to the kernel URL filtering module through /proc; step 3 is executed;
Step 3: the URL filter module is loaded and performs its initial setup, including initialising the URL rule linked list and the linked-list spinlock; step 4 is executed;
Step 4: the module creates files under /proc/net/xx that give the application layer an interface for adding, deleting and listing URL filter rules; when the application layer configures filter rules, it configures the kernel URL rule linked list through the /proc file system; step 5 is executed;
Step 5: after the kernel bridge module receives a data frame, it hands the frame to the URL filtering module, which parses it and matches it against the rules; the method ends.
In step 5, the URL filtering module works as follows:
Step 21: the frame is parsed to obtain the source MAC address and parsing continues. If the frame does not carry an IP/TCP packet, the target is set to ACCEPT and step 25 is executed. If it does, the TCP payload is parsed as an HTTP message to obtain the Host header field (see FIG. 3 for the Host field); if parsing succeeds, step 22 is executed, otherwise step 23 is executed;
Step 22: the URL filtering rule linked list is traversed and each rule is matched. If all matching conditions of a rule are satisfied, the match flag is set to 1, the loop is left and step 24 is executed; otherwise the traversal continues with step 22. When the list is exhausted without a match, the match flag remains 0 and step 24 is executed.
Step 23: HTTPS is parsed. The SSL/TLS handshake is examined and the server_name (SNI) extension in the ClientHello sent by the downstream device is parsed to obtain the equivalent of the Host field for an HTTPS URL; step 21 is then re-entered with the obtained name standing in for the Host field;
Step 24: the target is set from the match flag and the blacklist/whitelist mode, defaulting to ACCEPT; step 25 is executed;
Step 25: the packet is dropped or passed according to the target.
In step 22, the matching conditions are: the source MAC matches the rule's MAC, the current time falls within the rule's time period, and the Host (or SNI name) fuzzy-matches an entry in the rule's URL list.
In step 24, in blacklist mode match = 1 sets the target to DROP; in whitelist mode match = 0 sets the target to DROP, since a host that matches no whitelist entry must be blocked for the whitelist to have any effect; in every other case the default ACCEPT stands.
In step 25, if the target is DROP a TCP reset segment is assembled and sent to the downstream device, so that the browser reports the access as failed at once instead of retrying; if the target is ACCEPT, the URL filter module is left and the kernel protocol stack continues to process and forward the packet.
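As an added example of the rule list and of steps 22, 24 and 25 (hypothetical userspace code written for this page, not the patent's kernel module, which keeps the list in the kernel under a spinlock), the block below models the add and delete operations the /proc interface exposes, the MAC, time-window and host match, and the target decision. All function and type names are assumptions. It departs from the text in two deliberate places: the host comparison is made on label boundaries rather than as a bare substring, and in whitelist mode a host that matches no entry is dropped, which is the reading under which a whitelist filters anything at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Userspace model of the kernel rule list and of steps 22 and 24; hypothetical
   code, not the patent's module. The real list lives in the kernel under a
   spinlock because /proc writes and the bridge hook touch it concurrently. */

enum { MODE_BLACKLIST = 0, MODE_WHITELIST = 1 };
enum { TARGET_ACCEPT = 0, TARGET_DROP = 1 };

struct url_rule {
    uint8_t mac[6];          /* downstream device; all-zero means any device */
    char host[128];          /* entry from the rule's URL list, lowercase */
    int start_min, end_min;  /* active window in minutes since midnight */
    struct url_rule *next;
};

static struct url_rule *rules;   /* list head; /proc "add"/"del" operate here */

/* "aa:bb:cc:dd:ee:ff" -> 6 bytes; returns 1 on success. */
int mac_parse(const char *s, uint8_t out[6])
{
    unsigned v[6];
    if (sscanf(s, "%x:%x:%x:%x:%x:%x", v, v + 1, v + 2, v + 3, v + 4, v + 5) != 6) return 0;
    for (int i = 0; i < 6; i++) out[i] = (uint8_t)v[i];
    return 1;
}

/* Step 4 "add": prepend a rule. Returns 1, or 0 on a malformed MAC. */
int rule_add(const char *mac, const char *host, int start_min, int end_min)
{
    struct url_rule *r = calloc(1, sizeof *r);
    if (!r || !mac_parse(mac, r->mac)) { free(r); return 0; }
    strncpy(r->host, host, sizeof r->host - 1);
    r->start_min = start_min; r->end_min = end_min;
    r->next = rules; rules = r;
    return 1;
}

/* Step 4 "del": unlink every rule carrying this host entry; returns the count. */
int rule_del(const char *host)
{
    int n = 0;
    for (struct url_rule **pp = &rules; *pp; ) {
        if (strcmp((*pp)->host, host) == 0) { struct url_rule *d = *pp; *pp = d->next; free(d); n++; }
        else pp = &(*pp)->next;
    }
    return n;
}

/* Window may wrap midnight, e.g. 22:00-06:00. */
static int time_match(const struct url_rule *r, int now_min)
{
    if (r->start_min <= r->end_min) return now_min >= r->start_min && now_min < r->end_min;
    return now_min >= r->start_min || now_min < r->end_min;
}

/* Host match on label boundaries: "example.com" matches "example.com" and
   "www.example.com" but not "example.com.attacker.net" or "notexample.com".
   A bare substring test (what "fuzzy matching" suggests) accepts both, which
   in whitelist mode lets any attacker-controlled domain through. */
static int host_match(const char *host, const char *pat)
{
    size_t hl = strlen(host), pl = strlen(pat);
    if (pl == 0 || pl > hl || memcmp(host + hl - pl, pat, pl) != 0) return 0;
    return hl == pl || host[hl - pl - 1] == '.';
}

/* Step 22: match = 1 when some rule's MAC, time window and host all match. */
int rule_match(const uint8_t src_mac[6], const char *host, int now_min)
{
    static const uint8_t any[6] = {0};
    for (const struct url_rule *r = rules; r; r = r->next)
        if ((!memcmp(r->mac, any, 6) || !memcmp(r->mac, src_mac, 6))
            && time_match(r, now_min) && host_match(host, r->host))
            return 1;
    return 0;
}

/* Step 24: target from match flag and list mode, default ACCEPT. In whitelist
   mode an unmatched host is dropped; otherwise the whitelist would filter nothing. */
int verdict(int mode, int match)
{
    if (mode == MODE_BLACKLIST && match) return TARGET_DROP;
    if (mode == MODE_WHITELIST && !match) return TARGET_DROP;
    return TARGET_ACCEPT;
}

/* One request end to end: normalise the Host/SNI name, match, decide.
   In the kernel the MAC comes from the frame; the parse failure here only
   covers bad test input. */
int filter_decision(int mode, const char *src_mac, const char *host, int now_min)
{
    uint8_t mac[6]; char h[256]; size_t i;
    if (!mac_parse(src_mac, mac)) return TARGET_ACCEPT;
    for (i = 0; host[i] && i + 1 < sizeof h; i++) h[i] = (char)tolower((unsigned char)host[i]);
    h[i] = '\0';                            /* "WWW.Example.COM" must not evade the list */
    return verdict(mode, rule_match(mac, h, now_min));
}
```

For step 25 the model only returns TARGET_DROP and leaves enforcement to the caller. The reset the module sends to the downstream device is honoured by the client only if it is spoofed from the server's address and port and carries a sequence number the client currently expects (its last acknowledgement number), so the hook needs the TCP header of the blocked segment, not just its payload.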
In step 23, SNI (Server Name Indication) is a TLS extension defined in RFC 4366 (since superseded by RFC 6066). It is available in TLS 1.0 and later; SSLv3 has no extension mechanism and therefore carries no SNI. It lets the client state the host it wants to reach when it initiates the handshake (in the ClientHello message that opens the exchange), so that a server hosting several domains can select the right one and return the corresponding certificate. Modern browsers send it almost universally. FIG. 4 shows the SNI extension field in a Wireshark capture.
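As an added illustration of step 21 and step 23 (hypothetical userspace code written for this page, not the patent's kernel module), the two parsers below take a TCP payload and recover the name the filter matches on: the Host header of an HTTP/1.x request, and the server_name extension of a TLS ClientHello. The ClientHello bytes are constructed for the example, not captured from a device, and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Userspace model of the module's step 21 (HTTP Host) and step 23 (TLS SNI)
   parsers; hypothetical code, not the patent's module. Inputs are the TCP
   payload only, i.e. Ethernet/IP/TCP headers have already been stripped. */

/* Step 21: return 1 and copy the Host header value (port stripped) into out,
   or 0 when the payload is not an HTTP/1.x request or carries no Host. */
int http_host(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    const uint8_t *end = p + len, *eol = memchr(p, '\n', len), *line;
    int is_http = 0;
    if (!eol) return 0;
    for (const uint8_t *q = p; q + 7 <= eol; q++)          /* request line needs "HTTP/1." */
        if (memcmp(q, "HTTP/1.", 7) == 0) { is_http = 1; break; }
    if (!is_http) return 0;
    for (line = eol + 1; line < end; line = eol + 1) {
        eol = memchr(line, '\n', end - line);
        if (!eol) eol = end;
        size_t n = eol - line;
        if (n && line[n - 1] == '\r') n--;
        if (n == 0) return 0;                               /* end of headers, no Host */
        if (n >= 5 && strncasecmp((const char *)line, "host:", 5) == 0) {
            const uint8_t *v = line + 5; size_t vn = n - 5, i = 0;
            while (vn && (*v == ' ' || *v == '\t')) { v++; vn--; }
            while (i < vn && v[i] != ':' && v[i] != ' ' && i + 1 < outlen) { out[i] = v[i]; i++; }
            out[i] = '\0';                                  /* [IPv6] literals are not handled */
            return i > 0;
        }
        if (eol == end) break;
    }
    return 0;
}

/* Step 23: return 1 and copy the server_name (SNI) of a TLS ClientHello into
   out, else 0. Every length is bounds-checked so a truncated or malformed
   hello is rejected instead of being read past the buffer, which matters in
   a bridge hook that sees attacker-controlled frames. */
int tls_sni(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t i = 5, n;
#define U16(at) (((size_t)p[(at)] << 8) | p[(at) + 1])
#define NEED(k) do { if (i + (k) > len) return 0; } while (0)
    if (len < 5 || p[0] != 0x16 || U16(3) + 5 > len) return 0; /* whole handshake record */
    len = U16(3) + 5;                                  /* ignore bytes after this record */
    NEED(4); if (p[i] != 0x01) return 0; i += 4;       /* handshake type ClientHello */
    NEED(34); i += 34;                                 /* client_version + random */
    NEED(1); n = p[i++]; NEED(n); i += n;              /* session_id */
    NEED(2); n = U16(i); i += 2; NEED(n); i += n;      /* cipher_suites */
    NEED(1); n = p[i++]; NEED(n); i += n;              /* compression_methods */
    NEED(2); n = U16(i); i += 2; NEED(n); len = i + n; /* extensions block */
    while (i + 4 <= len) {
        size_t type = U16(i), elen = U16(i + 2);
        i += 4; NEED(elen);
        if (type != 0) { i += elen; continue; }        /* not server_name (type 0) */
        if (elen < 2 || U16(i) + 2 > elen) return 0;
        size_t j = i + 2, end = j + U16(i);            /* server_name_list */
        while (j + 3 <= end) {
            n = U16(j + 1);                            /* name length */
            if (j + 3 + n > end) return 0;
            if (p[j] == 0 && n && n < outlen) {        /* name_type host_name */
                memcpy(out, p + j + 3, n); out[n] = '\0';
                return 1;
            }
            j += 3 + n;
        }
        return 0;
    }
    return 0;
#undef NEED
#undef U16
}

/* Constructed ClientHello (TLS 1.2 framing, SNI = example.com), not a capture. */
static const uint8_t CLIENT_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x45,                   /* record: handshake, length 69 */
    0x01, 0x00, 0x00, 0x41,                         /* ClientHello, length 65 */
    0x03, 0x03,                                     /* client_version TLS 1.2 */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0x00,                                           /* session_id length 0 */
    0x00, 0x04, 0x13, 0x01, 0x13, 0x02,             /* cipher_suites: two suites */
    0x01, 0x00,                                     /* compression: null */
    0x00, 0x14,                                     /* extensions length 20 */
    0x00, 0x00, 0x00, 0x10,                         /* server_name extension, length 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,                   /* list length 14, host_name, length 11 */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
};

/* Helpers returning a checkable result. keep < sizeof CLIENT_HELLO simulates a
   ClientHello cut at a segment boundary, which the parser must reject. */
int http_host_is(const char *req, const char *expect)
{
    char out[256];
    return http_host((const uint8_t *)req, strlen(req), out, sizeof out) && !strcmp(out, expect);
}
int sni_is(size_t keep, const char *expect)
{
    char out[256];
    size_t n = keep && keep < sizeof CLIENT_HELLO ? keep : sizeof CLIENT_HELLO;
    return tls_sni(CLIENT_HELLO, n, out, sizeof out) && !strcmp(out, expect);
}
```

Two limits of the approach follow directly from what the parsers see. The hook inspects one frame at a time, so a ClientHello larger than one TCP segment (increasingly common with large key shares) fails step 23 and falls through, and HTTP/3 over QUIC never reaches step 23 because step 21 passes non-TCP traffic as ACCEPT. Encrypted Client Hello, where deployed, removes the plaintext server_name altogether.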
The embodiment works as follows: the invention provides a URL filtering method that is more complete in function and more usable. The system consists of an application-layer configuration interface and a Linux kernel URL filter module.

Claims (5)

1. A method for implementing converged gateway HTTP and HTTPS URL filtering, characterised in that it comprises the following steps:
Step 1: the management page configures URL filtering rules, each consisting of a device MAC address, a filtering mode (blacklist or whitelist), a URL list and a filtering time period; the application layer configures its interface, and step 2 is executed;
Step 2: the converged gateway receives the page configuration data; a CGI handler turns it into the URL Filter variables agreed with the kernel, and the application-layer configuration interface completes by writing them to the kernel URL filtering module through /proc; step 3 is executed;
Step 3: the URL filter module is loaded and performs its initial setup, including initialising the URL rule linked list and the linked-list spinlock; step 4 is executed;
Step 4: the module creates files under /proc/net/xx that give the application layer an interface for adding, deleting and listing URL filter rules; when the application layer configures filter rules, it configures the kernel URL rule linked list through the /proc file system; step 5 is executed;
Step 5: after the kernel bridge module receives a data frame, it hands the frame to the URL filtering module, which parses it and matches it against the rules, and the method ends;
in step 5, the URL filtering module works as follows:
Step 21: the frame is parsed to obtain the source MAC address and parsing continues. If the frame does not carry an IP/TCP packet, the target is set to ACCEPT and step 25 is executed. If it does, the TCP payload is parsed as an HTTP message to obtain the Host header field; if parsing succeeds, step 22 is executed, otherwise step 23 is executed;
Step 22: the URL filtering rule linked list is traversed and each rule is matched. If all matching conditions of a rule are satisfied, the match flag is set to 1, the loop is left and step 24 is executed; otherwise the traversal continues with step 22;
Step 23: HTTPS is parsed. The SSL/TLS handshake is examined and the server_name (SNI) extension in the ClientHello sent by the downstream device is parsed to obtain the Host field for the HTTPS URL; step 21 is then executed;
Step 24: the target is set from the match flag and the blacklist/whitelist mode, defaulting to ACCEPT; step 25 is executed;
Step 25: the packet is dropped or passed according to the target.
2. The method for implementing converged gateway HTTP and HTTPS URL filtering according to claim 1, wherein in step 22 the matching conditions include matching the source MAC, matching the current time against the time period, and fuzzy-matching the Host against the URL list.
3. The method according to claim 2, wherein in step 24, in blacklist mode match = 1 sets the target to DROP, and in whitelist mode match = 0 sets the target to DROP.
4. The method for implementing converged gateway HTTP and HTTPS URL filtering according to claim 3, wherein in step 25, if the target is DROP a TCP reset segment is assembled and sent to the downstream device, so that the browser reports the access as failed and does not keep retrying; if the target is ACCEPT, the URL filtering module is left and the kernel protocol stack continues to process and forward the packet.
5. The method according to claim 1, wherein in step 23 SNI is the server_name extension defined in RFC 4366, available in TLS 1.0 and later, which lets the client submit the requested host name when it initiates the handshake, so that the server can select the correct domain and return the corresponding certificate.
Application CN202011126839.1A, priority and filing date 2020-10-20, granted as CN112261039B (Active).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011126839.1A CN112261039B (en) 2020-10-20 2020-10-20 Method for realizing fusion gateway http and http URL filtering


Publications (2)

Publication Number Publication Date
CN112261039A CN112261039A (en) 2021-01-22
CN112261039B true CN112261039B (en) 2022-05-13

Family

ID=74245220

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011126839.1A Active CN112261039B (en) 2020-10-20 2020-10-20 Method for realizing fusion gateway http and http URL filtering

Country Status (1)

Country Link
CN (1) CN112261039B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553745A (en) * 2022-01-21 2022-05-27 Zhejiang Hangxin Technology Co., Ltd. (浙江航芯科技有限公司) Parental control device and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2501105A1 (en) * 2011-03-14 2012-09-19 British Telecommunications Public Limited Company Service session resource management
CN103324710A (en) * 2013-06-19 2013-09-25 Shenzhen Gongjin Electronics Co., Ltd. (深圳市共进电子股份有限公司) User experience method based on uniform resource locator (URL) filtering function
CN104158698A (en) * 2014-08-06 2014-11-19 Xiamen Tianrui Technology Co., Ltd. (厦门天锐科技有限公司) Method and system for counting web page browsing records
CN108111558A (en) * 2016-11-25 2018-06-01 ZTE Corporation (中兴通讯股份有限公司) High-speed packet processing method, apparatus and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103209135B (en) * 2013-05-03 2016-03-02 Shenzhen Gongjin Electronics Co., Ltd. (深圳市共进电子股份有限公司) HTTP traffic redirection control method based on the Linux platform
CN103560995A (en) * 2013-09-25 2014-02-05 Shenzhen Gongjin Electronics Co., Ltd. (深圳市共进电子股份有限公司) URL filtering method supporting IPv4 and IPv6 simultaneously
CN103873466B (en) * 2014-03-04 2018-01-19 Sangfor Network Technology (Shenzhen) Co., Ltd. (深信服网络科技(深圳)有限公司) HTTPS website programmings and the method and apparatus for blocking alarm
US10708228B2 (en) * 2017-08-23 2020-07-07 AT&T Intellectual Property I, L.P. Systems and methods for user defined network enabled content filtering
CN109995704B (en) * 2017-12-29 2021-10-12 Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司) Advertisement blocking method, device, equipment and computer readable storage medium
CN108600191A (en) * 2018-03-30 2018-09-28 Shenzhen Weiwen Wireless Communication Technology Co., Ltd. (深圳市伟文无线通讯技术有限公司) Lightweight advertisement authentication and URL filtering method based on a mobile router


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Xiu-Jin Shi, "Fuzzy Multi-Keyword Query on Encrypted Data in the Cloud", 2016 4th Intl Conf on Applied Computing and Information Technology / 3rd Intl Conf on Computational Science/Intelligence and Applied Informatics / 1st Intl Conf on Big Data, Cloud Computing, Data Science & Engineering (ACIT-CSII-BCD), 2017-05-04, full text *
Gao Chongnan (高崇南), "A method for automatically inferring hierarchical task models of complex systems" (一种自动推断复杂系统层次结构任务模型的方法), Chinese Journal of Computers (计算机学报), 2010-01-15, full text *

Also Published As

Publication number Publication date
CN112261039A (en) 2021-01-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant