CN113595991A - HTTP interface gateway, communication system and communication method

Info

Publication number
CN113595991A
Authority
CN
China
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202110767093.0A
Other languages
Chinese (zh)
Inventor
苏会杰
许杨
侯位昭
詹克通
苏坚
张京
闫浩楠
李利春
刘燚焱
Assignee (current and original, as listed by Google Patents)
HEBEI FAREAST COMMUNICATION SYSTEM ENGINEERING CO LTD

Classifications

CPC (section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/06: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 69/08: Network arrangements, protocols or services independent of the application payload; protocols for interworking; protocol conversion

Abstract

The invention provides an HTTP interface gateway, a communication system and a communication method in the technical field of computer network communication. The interface gateway comprises a route configuration module, a request monitoring module, a route synchronization module, a route matching module, a request processing module, a protocol conversion module and a request forwarding module. The route configuration module configures the basic information, filters and access control information of an interface; the request monitoring module receives access requests from the application terminal; the route matching module receives each request and matches it against the configuration held by the route configuration module; the protocol conversion module converts HTTP requests and responses into FTP request and response files and back again; and the request forwarding module forwards the HTTP request to the application service and relays its response. The invention supports bidirectional HTTP/HTTPS communication across a security isolation gatekeeper, so that information systems can be built in compliance with network security access requirements.

Description

HTTP interface gateway, communication system and communication method
Technical Field
The invention belongs to the technical field of computer network communication and in particular relates to an HTTP interface gateway, a communication system and a communication method.
Background
An interface gateway is an interface-oriented, inline, centralized control service deployed at the boundary of an enterprise IT information system. It hosts interfaces and manages their whole life cycle: publication, management, operation and maintenance, and retirement.
Its distinguishing feature is that it solves authentication, flow control, interface routing, timeouts and circuit breaking, and monitoring and alerting for all interfaces in one place. An interface gateway isolates external access from internal systems, helps its users aggregate services and separate front end from back end simply, quickly, cheaply and at low risk, and opens functions and data to partners in a controlled way.
Traditional interface gateways operate in a network environment in which the two sides can communicate directly, and they process requests at the level of application-layer protocol interfaces. As the internet has spread into the economy, politics, culture and other fields, network environments have become increasingly complex. To address the growing security problems of information systems, a security boundary has appeared at the enterprise perimeter in the form of a "security isolation gatekeeper" (an isolation device that passes files between networks that have no direct connection) or an "optical gate" (an optical isolation device of the same kind), which physically isolates the networks. This change in the network environment affects how enterprise information systems are built and evolved, so the traditional interface gateway must be extended to work in a gatekeeper environment.
Disclosure of Invention
In view of these problems, the object of the invention is to provide an HTTP interface gateway, a communication system and a communication method that solve bidirectional application-layer communication in a network environment separated by a security isolation gatekeeper and shield business applications from the effects of that environment.
To this end, the invention adopts the following technical scheme:
An HTTP interface gateway supporting a security isolation gatekeeper comprises a route configuration module, a request monitoring module, a route matching module, a request processing module, a protocol conversion module and a request forwarding module, wherein:
the route configuration module provides visual configuration of interface routes;
the request monitoring module receives access requests from the application terminal;
the route matching module receives requests from the request monitoring module and matches them against the route configuration information;
the request processing module applies request control processing to each request according to its matched route;
the protocol conversion module converts HTTP requests and responses to and from the FTP file protocol;
and the request forwarding module forwards the HTTP request to the application service and returns its response.
Further, the configuration entered through the route configuration module comprises the basic information of the interface, its request processing rules and its access control information. The basic information comprises the interface name, the group it belongs to, the interface type, the access address and the destination address; the request processing rules define how request information is transformed; and the access control information comprises the flow control (rate limit) configuration, the timeout and circuit-breaking configuration, and the authentication and authorization mode.
Further, the request monitoring module accepts both HTTP and HTTPS requests.
Further, the route matching module matches routes on the request path, the request headers and the request parameters.
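A worked route-matching implementation, added here as an illustration rather than taken from the patent, that realizes the matching described in this paragraph and in step (3) of the method below: each configured interface carries predicates on the request path (a prefix), on request headers and on query parameters, the most specific route wins, and an unmatched request is answered with HTTP 404. The `Route` and `Request` fields, the sample routing table and its destination addresses are assumptions made for the example; header names are compared case-insensitively, as HTTP requires.

```python
"""Route matching for the HTTP interface gateway (added example, not the
patent's code). Routes carry predicates on the request path, headers and
query parameters; an unmatched request gets HTTP 404, as in step (3) of the
method. The Route/Request fields and the sample table are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Route:
    """One configured interface: its predicates plus the information the
    request processing module needs later (destination, auth mode, limits)."""
    name: str
    path_prefix: str                                       # predicate: path prefix
    headers: Dict[str, str] = field(default_factory=dict)  # predicate: exact header values
    params: Dict[str, str] = field(default_factory=dict)   # predicate: exact query values
    destination: str = ""                                  # high-side forwarding target
    auth_mode: str = "none"
    rate_limit_per_sec: int = 0


@dataclass
class Request:
    method: str
    target: str                        # request path with optional query string
    headers: Dict[str, str]
    body: bytes = b""
    route: Optional[Route] = None      # attached by the matcher on success


class RoutingTable:
    """Routing table built from the route configuration (method step (1))."""

    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, route: Route) -> None:
        self._routes.append(route)
        # Most specific first: longer prefix, then more header/param predicates.
        self._routes.sort(
            key=lambda r: (len(r.path_prefix), len(r.headers) + len(r.params)),
            reverse=True,
        )

    def match(self, req: Request) -> Optional[Route]:
        parts = urlsplit(req.target)
        query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        hdrs = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
        for route in self._routes:
            prefix = route.path_prefix.rstrip("/")
            # "/api/orders" must match "/api/orders" and "/api/orders/42", not "/api/ordersx".
            if not (parts.path == route.path_prefix or parts.path.startswith(prefix + "/")):
                continue
            if any(hdrs.get(h.lower()) != v for h, v in route.headers.items()):
                continue
            if any(query.get(p) != v for p, v in route.params.items()):
                continue
            return route
        return None


def dispatch(table: RoutingTable, req: Request) -> Tuple[int, Optional[str]]:
    """Method step (3): attach the matched route to the request, or answer 404.
    Returns (status, route name); 200 here only means 'matched, continue'."""
    route = table.match(req)
    if route is None:
        return 404, None
    req.route = route
    return 200, route.name


def build_sample_table() -> RoutingTable:
    """Constructed sample configuration (assumed names and destinations)."""
    table = RoutingTable()
    table.add(Route("orders", "/api/orders", destination="http://orders.internal:8080"))
    table.add(Route("orders-v2", "/api/orders", headers={"X-Api-Version": "2"},
                    destination="http://orders-v2.internal:8080", auth_mode="jwt"))
    table.add(Route("orders-export", "/api/orders", params={"format": "csv"},
                    destination="http://reports.internal:8080", rate_limit_per_sec=5))
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for target, headers in [("/api/orders/42", {}),
                            ("/api/orders", {"x-api-version": "2"}),
                            ("/api/orders?format=csv", {}),
                            ("/api/ordersx", {})]:
        print(target, headers, dispatch(t, Request("GET", target, headers)))
```

The route attached to the request carries the destination address, authentication mode and rate limit that the request processing module reads in step (4), so matching is the only place where configuration is looked up; the sort on specificity means a header- or parameter-qualified route is tried before the plain prefix route on the same path.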
Further, the request processing module applies request control processing to the request according to its matched route; the processing comprises request transformation, timeout and circuit breaking, authentication, and rate limiting, wherein:
request transformation supports rewriting the request address, adding headers and transforming query parameters, that is, converting the original request into the target request;
authentication and authorization supports unified user authentication, JWT authentication, application authentication, no authentication and custom authentication, and establishes whether the request is legitimate;
rate limiting enforces the configured upper limit on accesses per second for each interface;
timeout handling returns a response directly once a request has exceeded its configured timeout, and circuit breaking trips the interface when, among a configured number of accesses within a period, the percentage of errors exceeds the configured threshold.
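The four request controls, implemented as an added example (not the patent's code) covering this paragraph and sub-steps (402) to (404) of the method below: the interface's breaker is checked first and an open breaker answers 503; the request is then authenticated (a JWT under a shared HS256 key here) and a failure answers 401; the per-second cap is then enforced and an excess request answers 429; only then is the request handed on, where a timeout answers 504 and, like any other failure while waiting, counts against the breaker, which trips once the sampling period holds the configured minimum number of accesses and the failure rate exceeds the configured percentage. The key, the thresholds, the injected clock and the 502 used for failures other than timeouts are assumptions. The JWT check pins the algorithm to HS256 and enforces `exp`, which is the part of the "legality authentication" an attacker probes first.

```python
# Added example, not the patent's code: the request processing module's controls
# (JWT auth -> 401, per-second rate limit -> 429, timeout -> 504, open breaker ->
# 503). Keys, thresholds, the fake clock and the 502 for other errors are assumed.
import base64, hashlib, hmac, json
from dataclasses import dataclass
from typing import Callable, List, Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt_hs256(claims: dict, key: bytes) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt_hs256(token: str, key: bytes, now: float) -> Optional[dict]:
    """Claims if valid, else None: the algorithm is pinned to HS256 (a token
    that says alg=none is rejected), the comparison is constant-time, and
    'exp' is checked against the gateway clock."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if "exp" in claims and float(claims["exp"]) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

@dataclass
class RateLimiter:
    per_second: int                 # configured upper limit on accesses per second
    _window: int = -1
    _count: int = 0
    def allow(self, now: float) -> bool:
        if int(now) != self._window:                  # fixed one-second window
            self._window, self._count = int(now), 0
        self._count += 1
        return self._count <= self.per_second

@dataclass
class CircuitBreaker:
    min_requests: int       # accesses that must fall in a period before it can trip
    failure_pct: float      # trip when the failure rate exceeds this percentage
    period: float           # sampling period in seconds
    open_for: float         # seconds the breaker stays open
    _window_start: float = 0.0
    _total: int = 0
    _failed: int = 0
    _open_until: float = 0.0
    def is_open(self, now: float) -> bool: return now < self._open_until
    def record(self, ok: bool, now: float) -> None:
        if now - self._window_start >= self.period:
            self._window_start, self._total, self._failed = now, 0, 0
        self._total += 1
        self._failed += 0 if ok else 1
        if self._total >= self.min_requests and 100.0 * self._failed / self._total > self.failure_pct:
            self._open_until = now + self.open_for                  # trip
            self._window_start, self._total, self._failed = now, 0, 0

def process(key: bytes, limiter: RateLimiter, breaker: CircuitBreaker,
            token: Optional[str], upstream: Callable[[], int], now: float) -> int:
    """Controls in the order of sub-steps (402)-(404), then the forward; `upstream`
    stands for the conversion/forwarding modules and its timeout raises TimeoutError."""
    if breaker.is_open(now):
        return 503                                    # (402) breaker open: fail fast
    if token is None or verify_jwt_hs256(token, key, now) is None:
        return 401                                    # (403) authentication failed
    if not limiter.allow(now):
        return 429                                    # (404) per-second limit exceeded
    try:
        status = upstream()
    except TimeoutError:
        breaker.record(False, now)
        return 504                                    # (402) request exceeded timeout
    except Exception:
        breaker.record(False, now)
        return 502                                    # (402) other failure; code assumed
    breaker.record(True, now)
    return status

def demo() -> List[int]:
    """Scripted scenario on a fake clock; returns the status codes produced."""
    key, now = b"constructed-demo-key", 1000.0
    limiter, breaker = RateLimiter(per_second=2), CircuitBreaker(3, 40, 10, 5)
    good = make_jwt_hs256({"sub": "app-1", "exp": now + 60}, key)
    forged = make_jwt_hs256({"sub": "app-1", "exp": now + 60}, b"wrong-key")
    def boom(exc):
        def up() -> int: raise exc
        return up
    run = lambda tok, up, t: process(key, limiter, breaker, tok, up, t)
    out = [run(forged, lambda: 200, now)]                                  # 401
    out += [run(good, lambda: 200, now) for _ in range(3)]                 # 200, 200, 429
    out += [run(good, boom(TimeoutError), now + 1), run(good, boom(ConnectionError), now + 1)]  # 504, 502 (trips)
    out += [run(good, lambda: 200, now + 1), run(good, lambda: 200, now + 7)]  # 503 while open, 200 after
    return out
```

`demo()` runs a scripted sequence on a fake clock and returns the status codes in order. The per-second window and the breaker's sampling period are deliberately independent: a request refused by the rate limiter never reaches the upstream and so is not counted as a backend failure, and a request refused by the open breaker is not charged against the caller's per-second quota.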
Further, the protocol conversion module comprises a protocol conversion sub-module, a file upload sub-module and a file download sub-module;
the protocol conversion sub-module supports four conversions: HTTP request to FTP request file, FTP request file to HTTP request, HTTP response to FTP response file, and FTP response file to HTTP response;
the file upload sub-module uploads FTP request and response file streams to the security isolation gatekeeper over FTP;
and the file download sub-module downloads FTP request and response files from the security isolation gatekeeper over FTP.
Further, the request forwarding module forwards the HTTP request produced by the protocol conversion module to the application service and passes the HTTP response returned by the application service to the request processing module for response processing.
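The conversion, ferry and forwarding described in the preceding paragraphs, and carried out in steps (5) and (6) of the method below, as an added end-to-end example (not the patent's code): the low-side gateway serializes the HTTP request into an envelope, encrypts and authenticates it, and writes it to the share the gatekeeper collects from; the high-side gateway reads it from its own share, verifies the tag before parsing anything, rebuilds the request and forwards it to the application service; the response travels back the same way. Directories stand in for the FTP shares and for the gatekeeper's ferry, the envelope layout and key derivation are assumptions, and because the patent does not name its cipher the block uses a stdlib-only encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag) in place of the AEAD a production deployment should use.

```python
# Added example, not the patent's code: HTTP <-> encrypted file conversion and
# the file ferry across the gatekeeper, simulated end to end. Directories stand
# in for the FTP shares, the envelope format and key derivation are assumed, and
# the cipher is a stdlib-only stand-in for the one the patent does not specify.
import hashlib, hmac, json, os, pathlib, shutil, tempfile, uuid
from typing import Callable, Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32
AppService = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; the nonce must never repeat per key.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext).
    Production code should use an AEAD (e.g. AES-GCM) from a vetted library."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext: a file pulled from the
    gatekeeper share is untrusted input until it verifies."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ferried file too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ferried file failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))))

def http_to_file(kind: str, fields: dict, body: bytes, master: bytes,
                 share: pathlib.Path, msg_id: str) -> pathlib.Path:
    """HTTP message -> encrypted file in the share. The envelope is JSON with
    the start-line fields, the headers and a hex body (binary-safe)."""
    env = {"kind": kind, "id": msg_id, **fields, "body": body.hex()}
    path = share / f"{msg_id}.{kind}"
    path.write_bytes(seal(master, json.dumps(env).encode()))
    return path

def file_to_http(path: pathlib.Path, master: bytes) -> Tuple[dict, bytes]:
    """Encrypted file -> HTTP message fields and body."""
    env = json.loads(open_sealed(master, path.read_bytes()))
    body = bytes.fromhex(env.pop("body"))
    return env, body

def ferry(src: pathlib.Path, dst: pathlib.Path) -> None:
    """Stand-in for the gatekeeper moving files between the isolation areas."""
    for f in list(src.iterdir()):
        shutil.move(str(f), str(dst / f.name))

def round_trip(method: str, target: str, headers: Dict[str, str], body: bytes,
               app: AppService, master: bytes = b"constructed-shared-key") -> Tuple[int, Dict[str, str], bytes]:
    """Low side -> gatekeeper -> high side -> application service, and back."""
    root = pathlib.Path(tempfile.mkdtemp())
    low, high = root / "low", root / "high"
    low.mkdir(); high.mkdir()
    msg_id = uuid.uuid4().hex
    try:
        # Low side, request procedure 1)-2): convert the request and upload it.
        http_to_file("req", {"method": method, "target": target, "headers": headers}, body, master, low, msg_id)
        ferry(low, high)
        # High side, request procedure 3)-4) and step (6): download, verify,
        # convert back and forward. The upstream is the one configured for the
        # route on the high side; the file carries the path, never the host.
        env, req_body = file_to_http(high / f"{msg_id}.req", master)
        (high / f"{msg_id}.req").unlink()
        status, resp_headers, resp_body = app(env["method"], env["target"], env["headers"], req_body)
        # High side, response procedure 1)-2); low side, 3)-4).
        http_to_file("resp", {"status": status, "headers": resp_headers}, resp_body, master, high, msg_id)
        ferry(high, low)
        renv, rbody = file_to_http(low / f"{msg_id}.resp", master)
        return renv["status"], renv["headers"], rbody
    finally:
        shutil.rmtree(root)

def echo_service(method: str, target: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed stand-in for the application service behind the high side."""
    line = f"{method} {target} {headers.get('X-Api-Version', '-')} ".encode()
    return 200, {"Content-Type": "text/plain"}, line + body

def tamper_detected(master: bytes = b"k") -> bool:
    """Flip one ciphertext byte and confirm the receiving side rejects the file."""
    blob = bytearray(seal(master, b"GET /api/orders"))
    blob[NONCE_LEN] ^= 0x01
    try:
        open_sealed(master, bytes(blob))
    except ValueError:
        return True
    return False
```

Two points a practitioner should take from the example: the high side treats every file that arrives from the gatekeeper as untrusted input and rejects it on any integrity failure before the envelope is parsed, and it forwards only to the destination configured for the route on its own side, so a ferried file cannot name an arbitrary internal host. The message id ties a response file to its request; a deployment would also bound the age of accepted files to limit replay of a captured request file.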
An inter-network HTTP communication method based on any of the above HTTP interface gateways comprises the following steps:
(1) interface route configuration information is entered through the route configuration module; once configured, the interface is enabled, and on enabling, its route is added to the routing table of the route matching module;
(2) the request monitoring module initializes, receives a request from the application terminal and hands it to the route matching module;
(3) on receiving the request, the route matching module performs predicate matching against the route information in the routing table built in step (1); if a route matches, its route information is attached to the request and the request is handed to the request processing module; otherwise a response with HTTP status code 404 is returned;
(4) the request processing module applies control processing to the request carrying the route information and, when done, hands it to the protocol conversion module;
(5) the protocol conversion module converts HTTP/HTTPS requests and responses into FTP files and forwards them across the network over FTP;
(6) the request forwarding module forwards the HTTP request produced by the protocol conversion module to the application service through an asynchronous HTTP client and waits for the response; on receiving it, it hands the HTTP response to the protocol conversion module for response processing.
Further, in step (2), after initialization the request monitoring module opens separate HTTP and HTTPS listening ports, for plaintext and encrypted requests respectively, and the application terminal chooses the protocol according to its security requirements;
in step (3), after receiving the request the route matching module performs predicate matching on the request path, the request headers and the request parameters against the route information in the routing table built in step (1);
in step (4), the request processing module applies request transformation, authentication, rate limiting, and timeout and circuit-breaking processing to the request carrying the route information, as follows:
(401) request transformation: according to the request processing rules in the route information carried by the request, the access address is rewritten to the destination address and the request headers and request parameters are transformed;
(402) timeout and circuit breaking: according to the request timeout and circuit-breaker configuration in the route information carried by the request, the gateway first checks whether the interface's breaker is open; if so, it returns a response with HTTP status code 503 immediately; otherwise the request continues to the next module and the gateway waits for the response. While waiting, it checks whether the request has exceeded its timeout; if so, it returns a response with HTTP status code 504 and increments the interface's failure count. Other failures while waiting, such as exceptions, also increment the failure count. Once the number of accesses in the breaker's sampling period has been reached and the failure rate exceeds the configured percentage, the breaker for the interface opens;
(403) authentication and authorization: the request is authenticated according to the authentication mode in its route information; if authentication succeeds, processing continues; otherwise a response with HTTP status code 401 is returned;
(404) rate limiting: according to the rate-limit configuration in the route information carried by the request, the gateway checks whether accesses to the interface exceed the configured maximum per second; if not, processing continues; otherwise a response with HTTP status code 429 is returned;
in step (5), the processing of the protocol conversion module is divided into a request procedure and a response procedure. The request procedure is:
1) protocol conversion: in the low-security zone (the "low-density area" of the original), the HTTP/HTTPS request received from the request processing module is converted into an encrypted FTP request file;
2) file upload: the encrypted FTP request file stream is uploaded over FTP to the security isolation gatekeeper on the low-security side; encrypted response files are likewise uploaded over FTP to the gatekeeper on the high-security side;
3) file download: in the high-security zone (the "high-density area"), the encrypted request file is downloaded over FTP and passed to protocol conversion; in the low-security zone, the encrypted response file is downloaded over FTP and passed to protocol conversion;
4) protocol conversion: in the high-security zone, the encrypted FTP request file is converted back into an HTTP/HTTPS request, which is handed to the request forwarding module;
the response procedure is:
1) protocol conversion: in the high-security zone, the HTTP/HTTPS response received from the application service is converted into an encrypted FTP response file stream;
2) file upload: the encrypted FTP response file is uploaded over FTP to the security isolation gatekeeper on the high-security side;
3) file download: in the low-security zone, the encrypted response file is downloaded over FTP;
4) protocol conversion: in the low-security zone, the downloaded FTP file stream is converted into an HTTP/HTTPS response, which the request processing module then handles.
A network communication system comprises an application terminal, a security isolation gatekeeper, an application service, and an HTTP interface gateway as claimed in any one of claims 1 to 6. One interface gateway instance is deployed in the low-security zone and one in the high-security zone; the application terminal and the interface gateway communicate over HTTP/HTTPS, the interface gateway and the security isolation gatekeeper communicate over FTP, and the interface gateway and the application service communicate over HTTP/HTTPS.
Further, the application terminal is a client of the enterprise information system; it sends user operations to the interface gateway as HTTP/HTTPS requests and renders the content of the interface gateway's responses;
the interface gateway forwards HTTP requests across the gatekeeper; the interface gateways of the low- and high-security zones have identical functions and cooperate to provide bidirectional communication between the two zones; each receives HTTP requests from the application terminal, converts them into FTP files and sends them to the security isolation gatekeeper;
the security isolation gatekeeper isolates networks of different security levels from one another, provides a controllable hardware and software system for data exchange, and supports FTP; it is deployed in the isolation area, which is divided into a low-security isolation area and a high-security isolation area, and its role is to ferry the FTP business files between the two;
the application service is the functional back-end service of the enterprise information system; it receives, processes and responds to the application terminal's requests as forwarded by the interface gateway.
Compared with the prior art, the invention has the following advantages:
1. It supports bidirectional HTTP/HTTPS communication through HTTP-to-FTP protocol conversion in a network environment with a security isolation gatekeeper, and so supports building information application systems that satisfy the security requirements of that environment.
2. Its interface gateway allows interface routes to be managed dynamically through visual route configuration.
3. It keeps the system running safely and reliably through request control mechanisms such as authentication, rate limiting, and timeout and circuit breaking, and supports system extension through multiple authentication modes: unified user authentication, JWT authentication, no authentication, application authentication and custom authentication.
Drawings
FIG. 1 is a deployment diagram of an embodiment of the invention.
Fig. 2 shows the unidirectional request-response processing flow of an embodiment of the invention.
Fig. 3 is a block diagram of the interface gateway of an embodiment of the invention.
Detailed Description
The invention is further described below with reference to the drawings.
Fig. 1 shows a network communication system with four parts: an application terminal, an interface gateway, a security isolation gatekeeper and an application service. One interface gateway instance is deployed in the low-security zone and one in the high-security zone. The application terminal and the interface gateway communicate over HTTP/HTTPS, the interface gateway and the security isolation gatekeeper over FTP, and the interface gateway and the application service over HTTP/HTTPS.
The application terminal is a client of the enterprise information system, such as a browser client or a mobile application client; it sends user operations to the interface gateway as HTTP/HTTPS requests and renders the content of the interface gateway's responses.
The interface gateways deployed in the low- and high-security zones forward HTTP requests across the gatekeeper; the two have identical functions and cooperate to provide bidirectional communication between the zones. Each receives HTTP requests from the application terminal, converts them into FTP files and sends them to the security isolation gatekeeper.
The security isolation gatekeeper isolates networks of different security levels from one another, provides a controllable hardware and software system for data exchange, and supports FTP. It sits in the isolation area, which is divided into a low-security isolation area and a high-security isolation area, and its main function is to ferry FTP business files between the two.
The application service is the functional back-end service of the enterprise information system; it receives, processes and responds to the application terminal's requests as forwarded by the interface gateway.
As shown in Fig. 3, the interface gateway comprises a route configuration module, a request monitoring module, a route matching module, a request processing module, a protocol conversion module and a request forwarding module. The route configuration module provides visual configuration of interface routes; the request monitoring module receives requests from the application terminal; the route matching module receives requests from the monitoring module and matches them against the route configuration information; the request processing module receives matched requests and applies request control processing according to their route information; the protocol conversion module converts HTTP requests and responses to and from the FTP file protocol; and the request forwarding module forwards HTTP requests to the application service and returns its responses.
Fig. 2 shows the cross-network HTTP request-response flow of this embodiment's interface gateway from the low-security zone to the high-security zone. The interface gateways of the two zones have identical functions and support bidirectional HTTP request-response communication, from the low-security zone to the high-security zone and back. To simplify the description, Fig. 2 omits the modules of the high-security-zone gateway that are not used in a unidirectional request-response flow; the flow from the low-security zone to the high-security zone is described here as an example, and the flow in the opposite direction is analogous.
The embodiment operates as follows:
First, interface route configuration information is entered through the route configuration module: the interface's basic information, its request processing rules and its access control information. Once configured, the interface is enabled, and on enabling, its route is added to the routing table of the route matching module.
Second, the request monitoring module is initialized to receive requests from the application terminal. It opens separate HTTP and HTTPS listening ports, for plaintext and encrypted requests respectively, and the application terminal chooses the protocol according to its security requirements. On receiving a request, the request monitoring module hands it to the route matching module.
Third, route matching: on receiving the request, the route matching module performs predicate matching on the request path, the request headers and the request parameters against the route information in the routing table built in the first step. If a route matches, its route information is attached to the request and the request is handed to the request processing module; otherwise a response with HTTP status code 404 is returned.
Fourth, request processing: the request processing module applies request transformation, authentication, rate limiting, and timeout and circuit-breaking processing to the request carrying the route information, then hands it to the protocol conversion module. The processing steps are:
1) request transformation: according to the request processing rules in the route information carried by the request, the access address is rewritten to the destination address and the request headers and request parameters are transformed;
2) timeout and circuit breaking: according to the request timeout and circuit-breaker configuration in the route information carried by the request, the gateway first checks whether the interface's breaker is open; if so, it returns a response with HTTP status code 503 immediately; otherwise the request continues to the next module and the gateway waits for the response. While waiting, it checks whether the request has exceeded its timeout; if so, it returns a response with HTTP status code 504 and increments the interface's failure count. Other failures while waiting, such as exceptions, also increment the failure count. Once the number of accesses in the breaker's sampling period has been reached and the failure rate exceeds the configured percentage, the breaker for the interface opens;
3) authentication and authorization: the request is authenticated according to the authentication mode in its route information; if authentication succeeds, processing continues; otherwise a response with HTTP status code 401 is returned;
4) rate limiting: according to the rate-limit configuration in the route information carried by the request, the gateway checks whether accesses to the interface exceed the configured maximum per second; if not, processing continues; otherwise a response with HTTP status code 429 is returned.
And fifthly, in the protocol conversion processing process, the protocol conversion module converts the HTTP/HTTPS request and the response into an FTP file, and the request and the response are forwarded across the network through the FTP protocol. The protocol conversion module processing procedure is divided into a request processing procedure and a response processing procedure, and the specific procedures are described as follows:
the request processing procedure is as follows:
1) Protocol conversion: in the low-density area, the HTTP/HTTPS request received from the request processing module is converted into an encrypted FTP request file;
2) File upload: the encrypted FTP request file stream is uploaded over FTP to the security isolation gatekeeper in the low-density area; likewise, the encrypted response file is uploaded over FTP to the security isolation gatekeeper in the high-density area;
3) File download: the encrypted request file is downloaded over FTP in the high-density area and handed to protocol conversion; likewise, the encrypted response file is downloaded over FTP in the low-density area and handed to protocol conversion;
4) Protocol conversion: in the high-density area, the received encrypted FTP request file is converted back into an HTTP/HTTPS request, which is handed to the request forwarding module for processing.
The response processing procedure is as follows:
1) Protocol conversion: in the high-density area, the HTTP/HTTPS response received from the application service is converted into an encrypted FTP response file stream;
2) File upload: the encrypted FTP response file is uploaded over FTP to the security isolation gatekeeper in the high-density area;
3) File download: the encrypted response file is downloaded over FTP in the low-density area;
4) Protocol conversion: in the low-density area, the downloaded FTP file stream is converted back into an HTTP/HTTPS response, which is then handled by the request processing module.
Sixth, request forwarding: the request forwarding module forwards the HTTP request produced by the protocol conversion module to the application service through an asynchronous HTTP client and waits for the application service's response; once the response arrives, the HTTP response is handed to the protocol conversion module for the response processing described above.
In summary, the invention supports two-way HTTP/HTTPS communication across the gatekeeper, and so supports information system construction while complying with the network security access specification.
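The request-direction conversion above (step 1 on the low-density side, step 4 on the high-density side), as an added Go illustration that is not the patent's own code. It assumes a JSON record carrying the request's method, URL, headers and body, and AES-256-GCM under a key pre-shared by the two interface gateways; the patent specifies neither the file layout nor the cipher. Rebuilding the *http.Request from the decoded record is a single http.NewRequest call and is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"net/http"
)

// RequestRecord is this example's assumed (JSON) file layout; the patent names none.
type RequestRecord struct {
	Method string
	URL    string
	Header http.Header
	Body   []byte
}

// mustGCM builds the AEAD; a wrong key length is a configuration bug, so it panics.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// EncodeRequestFile is the low-side step 1: serialise the request and seal it
// with AES-GCM, so the file ferried over FTP can be neither read nor altered
// without the shared key (how the key is distributed is assumed, not shown).
func EncodeRequestFile(rec RequestRecord, key []byte) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	aead := mustGCM(key)
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil // file = nonce || ciphertext || tag
}

// DecodeRequestFile is the high-side step 4: check the tag, decrypt, and hand
// the record to the forwarding module. A file that fails the tag check
// (altered in transit, or sealed under another key) is rejected, not forwarded.
func DecodeRequestFile(file, key []byte) (RequestRecord, error) {
	var rec RequestRecord
	aead := mustGCM(key)
	ns := aead.NonceSize()
	if len(file) < ns { // truncated file: refuse cleanly instead of slicing past the end
		return rec, errors.New("request file too short")
	}
	plain, err := aead.Open(nil, file[:ns], file[ns:], nil)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}
```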

Claims (10)

1. An HTTP interface gateway supporting a security isolation gatekeeper, characterized by comprising a route configuration module, a request listening module, a route matching module, a request processing module, a protocol conversion module and a request forwarding module; wherein:
the route configuration module is used for visual configuration of interface routes;
the request listening module is used for receiving access requests from the application terminal;
the route matching module receives the request from the request listening module and performs route matching according to the route configuration information;
the request processing module is used for performing request control processing on the request according to the matched route;
the protocol conversion module is used for converting between HTTP requests/responses and FTP files;
and the request forwarding module is used for forwarding the HTTP request to the application service and returning its response.
2. The HTTP interface gateway supporting a security isolation gatekeeper of claim 1, wherein the route configuration module is used for visual configuration of interface routes, and the configuration information comprises the basic information of an interface, its request processing rules and its access control information; wherein: the basic information comprises the interface name, the group it belongs to, the interface type, the access address and the destination address; the request processing rules are the rules for processing the request information; and the access control information comprises the flow control configuration, the timeout and circuit-breaking (fusing) configuration, and the authentication and authorization mode.
3. The HTTP interface gateway supporting a security isolation gatekeeper of claim 1, wherein the request listening module supports both HTTP and HTTPS requests;
the route matching module supports route matching according to the request path, the request headers and the request parameters.
4. The HTTP interface gateway supporting a security isolation gatekeeper of claim 1, wherein the request processing module is used for performing request control processing on the request according to the matched route, comprising request conversion, timeout and circuit breaking (fusing), authentication and authorization, and flow limiting; wherein:
the request conversion processing supports request address conversion, header addition and query parameter conversion, that is, conversion of the original request into the target request;
the authentication and authorization processing supports unified user authentication, JWT authentication, application authentication, no authentication and user-defined authentication, and verifies the legitimacy of the request;
the flow limiting processing supports flow control according to the configured upper limit of accesses per second for the interface;
in the timeout and circuit-breaking processing, a timeout means that a request exceeding the configured timeout is answered directly, and circuit breaking according to the error percentage is supported once the number of accesses within the configured period has been reached.
5. The HTTP interface gateway supporting a security isolation gatekeeper of claim 1, wherein the protocol conversion module comprises a protocol conversion sub-module, a file uploading sub-module and a file downloading sub-module;
the protocol conversion sub-module supports four conversions: HTTP request to FTP request file, FTP request file to HTTP request, HTTP response to FTP response file, and FTP response file to HTTP response;
the file uploading sub-module uploads FTP request and response file streams to the security isolation gatekeeper over FTP;
and the file downloading sub-module downloads FTP request and response files from the security isolation gatekeeper over FTP.
6. The HTTP interface gateway supporting a security isolation gatekeeper of claim 1, wherein the request forwarding module is used for forwarding the HTTP request to the application service and returning its response; specifically, it forwards the HTTP request processed by the protocol conversion module to the application service, and passes the HTTP response returned by the application service to the request processing module for response processing.
7. A cross-network HTTP communication method, implemented on the HTTP interface gateway of any one of claims 1 to 6, comprising the steps of:
(1) configuring the interface route configuration information through the route configuration module; once configuration is complete, the interface is started, and on start-up the interface route is added to the routing table in the route matching module;
(2) the request listening module initialises, receives the application terminal's request, and passes it to the route matching module;
(3) on receiving the request, the route matching module performs predicate (assertion) matching against the route information in the routing table generated in step (1); if a match is found, the route information is attached to the request, which is passed to the request processing module; otherwise a response with HTTP status code 404 is returned;
(4) the request processing module performs control processing on the request carrying the route information, and passes it to the protocol conversion module when processing is complete;
(5) the protocol conversion module converts the HTTP/HTTPS request and response into FTP files and forwards them across the networks over FTP;
(6) the request forwarding module forwards the HTTP request converted by the protocol conversion module to the application service through the asynchronous HTTP client and waits for the application service's response; once the response arrives, the HTTP response is passed to the protocol conversion module for the subsequent response processing.
8. The cross-network HTTP communication method of claim 7, wherein in step (2), after initialisation the request listening module opens an HTTP listening port and an HTTPS listening port, for receiving plain-protocol and encrypted-protocol requests respectively, and the application terminal selects the protocol according to its security requirements;
in step (3), on receiving the request, the route matching module performs predicate (assertion) matching on the request path, request headers and request parameters against the route information in the routing table generated in step (1);
in step (4), the request processing module performs request conversion, authentication and authorization, flow control, and timeout and circuit-breaking (fusing) processing on the request carrying the route information, as follows:
(401) Request conversion: according to the request processing rules in the route information carried by the request, the access address is converted to the destination address, and the request headers and request parameters are converted;
(402) Timeout and circuit breaking: circuit-breaking control is performed according to the request timeout and the circuit-breaking configuration in the route information carried by the request, as follows: on receiving the request, check whether the interface is currently in the tripped (circuit-broken) state; if so, return a response with HTTP status code 503 directly; otherwise pass the request on to the next module and wait for the response; while waiting, detect whether the request has timed out, and if so return a response with HTTP status code 504 and increment the interface's failure count; a failure such as an exception while waiting also increments the failure count; once the number of accesses in the circuit-breaking period has been reached and the failure rate exceeds the configured percentage, the interface is tripped;
(403) Authentication and authorization: authenticate the request according to the authentication mode in the route information carried by the request; if authentication succeeds, continue to the next step; otherwise return a response with HTTP status code 401;
(404) Flow limiting: according to the flow-limiting configuration in the route information carried by the request, determine whether the interface's accesses exceed the maximum flow per second; if not, continue to the next step; otherwise return a response with HTTP status code 429;
in step (5), the processing of the protocol conversion module is divided into a request processing procedure and a response processing procedure, where the request processing procedure is:
1) Protocol conversion: in the low-density area, the HTTP/HTTPS request received from the request processing module is converted into an encrypted FTP request file;
2) File upload: the encrypted FTP request file stream is uploaded over FTP to the security isolation gatekeeper in the low-density area; likewise, the encrypted response file is uploaded over FTP to the security isolation gatekeeper in the high-density area;
3) File download: the encrypted request file is downloaded over FTP in the high-density area and handed to protocol conversion; likewise, the encrypted response file is downloaded over FTP in the low-density area and handed to protocol conversion;
4) Protocol conversion: in the high-density area, the received encrypted FTP request file is converted back into an HTTP/HTTPS request, which is handed to the request forwarding module for processing;
and the response processing procedure is:
1) Protocol conversion: in the high-density area, the HTTP/HTTPS response received from the application service is converted into an encrypted FTP response file stream;
2) File upload: the encrypted FTP response file is uploaded over FTP to the security isolation gatekeeper in the high-density area;
3) File download: the encrypted response file is downloaded over FTP in the low-density area;
4) Protocol conversion: in the low-density area, the downloaded FTP file stream is converted back into an HTTP/HTTPS response, which is then handled by the request processing module.
9. A network communication system, comprising an application terminal, a security isolation gatekeeper, an application service and the HTTP interface gateway of any one of claims 1 to 6; one set of the interface gateway is deployed in each of the low-density area and the high-density area, the application terminal and the interface gateway communicate over HTTP/HTTPS, the interface gateway and the security isolation gatekeeper communicate over FTP, and the interface gateway and the application service communicate over HTTP/HTTPS.
10. The network communication system of claim 9, wherein:
the application terminal is a client in the enterprise information system; it sends user operations to the interface gateway as HTTP/HTTPS requests and renders the content of the interface gateway's responses;
the interface gateway completes the forwarding of HTTP requests across the gatekeeper; the interface gateways of the low-density area and the high-density area have the same functions and cooperate to realise two-way communication between the two areas; the interface gateway receives the application terminal's HTTP request, converts it into FTP and sends it to the security isolation gatekeeper;
the security isolation gatekeeper realises security isolation between networks of different security levels, provides a controllable hardware and software system for data exchange, and supports FTP; it is deployed in the isolation area, which is divided into a low-density isolation area and a high-density isolation area, and it ferries the FTP service files between the two isolation areas;
the application service is the functional back-end service of the enterprise information system, which receives, processes and responds to the application terminal's requests forwarded by the interface gateway.
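Steps (402) to (404) of claim 8 as one request-control routine, added here as a Go illustration that is not the patent's code. The configuration field names, the duration the breaker stays tripped, the 502 answer for non-timeout failures and the injected clock are this example's assumptions; the status codes 401, 503, 504 and 429 and the order of the checks follow the claim.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"time"
)

// RouteConfig is one interface's access-control configuration. The field
// names are this example's; the patent only names the controls.
type RouteConfig struct {
	Timeout        time.Duration            // (402) request timeout
	WindowCalls    int                      // (402) accesses per breaker window
	FailurePercent int                      // (402) failure rate that trips the breaker
	OpenFor        time.Duration            // (402) how long it stays tripped (assumed)
	MaxPerSecond   int                      // (404) per-second access ceiling
	Authenticate   func(*http.Request) bool // (403) the configured authentication mode
}

// Interface is the runtime state of one routed interface (single-threaded here).
type Interface struct {
	Cfg             RouteConfig
	openUntil       time.Time
	calls, failures int // current breaker window
	secStart        time.Time
	secCount        int // current one-second bucket
}

// Handle applies steps (402)-(404) in the claim's order and returns the HTTP status
// the gateway answers with; forward is the cross-network call of steps (5)-(6) and must honour ctx.
func (i *Interface) Handle(now time.Time, req *http.Request, // now is injected for testability
	forward func(context.Context) (int, error)) int {
	if now.Before(i.openUntil) { // (402) breaker tripped: answer 503 at once
		return http.StatusServiceUnavailable
	}
	if !i.Cfg.Authenticate(req) { // (403)
		return http.StatusUnauthorized
	}
	if now.Sub(i.secStart) >= time.Second { // (404) start a new one-second bucket
		i.secStart, i.secCount = now, 0
	}
	if i.secCount++; i.secCount > i.Cfg.MaxPerSecond {
		return http.StatusTooManyRequests
	}
	ctx, cancel := context.WithTimeout(context.Background(), i.Cfg.Timeout)
	defer cancel()
	status, err := forward(ctx) // (402) wait for the response, bounded by the timeout
	i.calls++
	switch {
	case errors.Is(err, context.DeadlineExceeded): // timed out: 504, counted as a failure
		i.failures++
		status = http.StatusGatewayTimeout
	case err != nil: // any other failure is counted too; 502 is this example's choice
		i.failures++
		status = http.StatusBadGateway
	}
	if i.calls >= i.Cfg.WindowCalls { // window complete: trip if the failure rate is exceeded
		if i.failures*100 > i.Cfg.FailurePercent*i.calls {
			i.openUntil = now.Add(i.Cfg.OpenFor)
		}
		i.calls, i.failures = 0, 0
	}
	return status
}
```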
CN202110767093.0A 2021-07-07 2021-07-07 HTTP interface gateway, communication system and communication method Pending CN113595991A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20211102