CN113810464A - Access method, web cache proxy system and electronic equipment - Google Patents


Info

Publication number: CN113810464A
Authority: CN (China)
Prior art keywords: module, client, request, proxy, http request
Legal status: Pending
Application number: CN202110924514.6A
Other languages: Chinese (zh)
Inventor: 张伯雄
Current Assignee: Wangsu Science and Technology Co Ltd
Original Assignee: Wangsu Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiments of the invention relate to the technical field of communication and disclose an access method, a web cache proxy system and electronic equipment. In some embodiments of the present application, the access method is applied to a web cache proxy system comprising a proxy module and a cache module, and includes: the proxy module establishes an SSL (Secure Sockets Layer) connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to obtain request resource information; the proxy module generates a redirection response based on the request resource information and feeds it back to the client, the redirection response instructing the client to initiate an HTTP request based on the request resource information; the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back the resource based on the HTTP request. The technical solution provided by the embodiments of the application can respond to an HTTPS request for a resource initiated by the client.

Description

Access method, web cache proxy system and electronic equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a resource access method, a web cache proxy system and electronic equipment.
Background
However, in an application scenario in which the web cache server is used as a forward proxy, the specific contents of a user's HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) request cannot be obtained, so cache acceleration service cannot be provided for the user, bandwidth resources cannot be saved, and the user's access speed cannot be increased.
Disclosure of Invention
The embodiments of the invention aim to provide an access method, a web cache proxy system and electronic equipment, so that an HTTPS request for a resource initiated by a client can be responded to.
To solve the foregoing technical problem, in a first aspect, an embodiment of the present invention provides an access method applied to a web cache proxy system comprising a proxy module and a cache module, including: the proxy module establishes a Secure Sockets Layer (SSL) connection with a client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to obtain request resource information; the proxy module generates a redirection response based on the request resource information and feeds it back to the client, the redirection response instructing the client to initiate an HTTP request based on the request resource information; the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back the resource based on the HTTP request.
In a second aspect, an embodiment of the present invention provides a web cache proxy system, including a proxy module and a cache module. The proxy module is used for: establishing a Secure Sockets Layer (SSL) connection with a client, receiving a first HTTPS request initiated by the client over the SSL connection, and parsing the first HTTPS request to obtain request resource information; generating a redirection response based on the request resource information and feeding it back to the client, the redirection response instructing the client to initiate an HTTP request based on the request resource information; and forwarding the HTTP request to the cache module. The cache module is used for: feeding back resources based on the HTTP request.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the access method mentioned in the above embodiments.
Compared with the prior art, in the embodiments of the invention the proxy module establishes an SSL connection with the client, parses the HTTPS request on receipt to obtain the request resource information, and feeds the request resource information back to the client, so that the client initiates an HTTP request based on it; the HTTPS request is thereby degraded into an HTTP request. Because the HTTPS request is degraded to an HTTP request, the web cache proxy system can parse the plaintext HTTP request and return the cached copy of the resource corresponding to the HTTP request.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
FIG. 1 is a flow chart of an access method of an embodiment of the present application;
FIG. 2 is a flow chart of an access method of another embodiment of the present application;
FIG. 3 is a flow chart of an access method of yet another embodiment of the present application;
FIG. 4 is a schematic diagram of interaction among a client, a transport layer proxy server, an application layer proxy server, a cache server, and an origin station server according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating a process of transferring a destination port via a proxy protocol between a client, a transport layer proxy server, an application layer proxy server, a cache server, and a source station server according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a web caching proxy system in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
In the description of the present disclosure, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present disclosure, "a plurality" means two or more unless otherwise specified.
The embodiment of the application provides an access method, which is applied to a web cache proxy system comprising a proxy module and a cache module, and as shown in fig. 1, the access method comprises the following steps.
Step 101: the proxy module establishes an SSL connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to obtain request resource information.
Step 102: the proxy module generates a redirection response based on the request resource information and feeds back the redirection response to the client; the redirect response instructs the client to initiate an HTTP request based on the request resource information.
Step 103: the proxy module forwards the HTTP request to the caching module, so that the caching module feeds back the resource based on the HTTP request.
In the embodiment of the application, the proxy module establishes an SSL connection with the client, parses the HTTPS request on receipt to obtain the request resource information, and feeds the request resource information back to the client, so that the client initiates an HTTP request based on it; the HTTPS request is thereby degraded into an HTTP request. Because the HTTPS request is degraded to an HTTP request, the web cache proxy system can parse the plaintext HTTP request and return the cached copy of the resource corresponding to the HTTP request.
In an implementation, the request resource information may be a Uniform Resource Locator (URL), such as www.abc.com. Take the example of a client initiating an HTTPS request to www.abc.com. Before the client browser sends the HTTPS request https://www.abc.com/, it requests an SSL connection with the source station server, and this SSL connection request passes through the proxy module before reaching the source station server. When the proxy module receives the SSL connection request initiated by the client browser, it may establish an SSL connection with the client browser based on a pseudo-certificate.
The client browser then sends the HTTPS request https://www.abc.com/ over the established SSL connection. The proxy module receives the HTTPS request over the SSL connection and may parse it to obtain the request resource information: //www.abc.com/.
The proxy module then constructs a redirection response (a 302 response) based on the request resource information and feeds it back to the client browser. The 302 response contains an instruction telling the client browser to issue an HTTP request: Location: http://www.abc.com/.
After receiving the 302 response, the client browser sends an HTTP request to www.abc.com/ according to the Location header, i.e., http://www.abc.com/.
After receiving the HTTP request, the proxy module forwards it to the cache module to request the resource corresponding to http://www.abc.com/, and feeds that resource back to the client.
In one embodiment, after the proxy module forwards the HTTP request to the cache module, the method further includes: the cache module determines whether the corresponding resource is cached. If the resource corresponding to the HTTP request exists in the cache, it can be fed back directly to the client through the proxy module; if it does not, the cache module requests the resource from the source station server that provides it, feeds the resource back to the client through the proxy module, and caches the resource. In one implementation, when forwarding the HTTP request to the cache module, the proxy module also passes the destination address and port contained in the HTTPS request sent by the client browser to the cache module, so that the cache module can request the resource directly from the source station server to which the destination IP and port point. In another implementation, the cache module may obtain the address of the source station server providing the requested resource by resolving the domain name in the HTTP request, and request the resource from the corresponding source station server based on the resolution result.
In one embodiment, the proxy module forwarding the HTTP request to the cache module includes: adding a first header to the HTTP request, the first header indicating that the original protocol type of the HTTP request is HTTPS; and sending the HTTP request with the first header added to the cache module. Correspondingly, the cache module requesting resources from the source station server includes: if the first header exists in the HTTP request, converting the HTTP request into a second HTTPS request and sending the second HTTPS request to the source station server; if it is determined that the HTTP request does not have the first header, sending the HTTP request to the source station server. Specifically, the first header may be an X-CDN-SSL header, marking that the HTTP request was originally an HTTPS request; the first header may also take other forms, and this embodiment is only an example. In this embodiment, the proxy module adds the first header to an HTTP request obtained by degrading an HTTPS request, to mark that the original request initiated by the client to the source station server was an HTTPS request. The cache module determines whether an HTTPS request needs to be initiated to the source station server according to whether the received HTTP request includes the first header, which avoids sending an HTTP request to a source station server that only supports the HTTPS protocol and thereby failing to fetch from the source.
In one embodiment, the cache module feeding back the resource to the client through the proxy module includes: the cache module sends the resource to the proxy module; the proxy module acquires the resource and modifies the HTTPS links in the resource into HTTP links; and the modified resource is fed back to the client. In this embodiment, after receiving the resource fed back by the cache module, the proxy module modifies the HTTPS links in the resource into HTTP links. As a result, if the user goes on to request content linked from the returned resource, the client browser initiates the subsequent sub-requests as HTTP requests, which are received by the proxy module and handled by the cache proxy in the same way.
In one embodiment, before the proxy module feeds back the redirection response to the client, the method further includes: the proxy module acquires destination port information of the first HTTPS request; if it is determined that the destination port information indicates that the destination port of the first HTTPS request is not the designated port (the designated port is, for example, 443), the destination port information is added to the Location header of the redirection response, so that the client initiates the HTTP request with the destination port information from the Location header. When the proxy module receives the HTTP request, it determines that the destination port of the HTTP request is a non-designated port, and when it forwards the HTTP request to the cache module, the destination port is carried in the forwarded HTTP request. In this embodiment, the proxy module returns the non-designated destination port of the HTTPS request to the client together with the redirection response, so that when the client browser initiates the HTTP request based on the redirection response, the destination port of that request is the one indicated in the redirection response. The proxy module can therefore read the non-designated destination port directly from the HTTP request that the client browser addresses to the source station server and pass it to the cache module, which prevents the destination port from being lost without keeping a local record of the non-designated port.
It should be noted that, as can be understood by those skilled in the art, the proxy server may also feed back destination port information to the client through other manners, so that the client carries the destination port in the HTTP request, and this embodiment is merely an example.
In one embodiment, the proxy module forwarding the HTTP request to the cache module includes: the proxy module receives the HTTP request and adds a second header to it, the second header comprising the destination port information. The cache module requesting resources from the source station server includes: the cache module identifies the destination port information carried in the second header of the HTTP request, and requests the resource from the source station server through the port of the source station server corresponding to the destination port information. In this embodiment, after receiving an HTTP request obtained by degrading an HTTPS request, the proxy module adds the destination port information of the HTTPS request to a header of the HTTP request. After the HTTP request is forwarded to the cache module, the cache module can fetch from the source station server normally based on the destination port information carried in the second header, so it can serve HTTPS requests for different destination ports, which solves the problem of destination port loss, increases access speed, and saves back-to-source bandwidth.
In one embodiment, the agent module comprises a client agent submodule and a cache agent submodule, the client agent submodule respectively establishes TCP connection with the client and the cache agent submodule, and forwards an SSL connection request sent by the client to the cache agent submodule based on the TCP connection, so that the cache agent submodule establishes SSL connection with the client based on the SSL connection request.
Optionally, the process of the client agent sub-module establishing a TCP connection with the client includes: the client agent submodule intercepts the TCP connection request sent by the client to the source station server and, masquerading as the source station server, establishes the TCP connection with the client.
Specifically, two layers of proxy services are arranged between the client and the cache module, and the client is in communication connection with the cache module through a client proxy submodule and a cache proxy submodule. The client agent sub-module can be a transmission layer agent service, mainly realizes a transmission layer transparent agent service, realizes intelligent routing and guides data flow. The cache agent submodule can be an application layer agent service, is mainly connected with the client through SSL (secure socket layer), and completes redirection and resource modification tasks in an application layer. In short, the client agent sub-module distributes the data of the transmission layer, and the cache agent sub-module performs the service of the application layer.
In this embodiment, after the SSL connection between the cache agent sub-module and the client has been created, the client agent sub-module receives the first HTTPS request sent by the client and forwards it to the cache agent sub-module. The cache agent sub-module parses the first HTTPS request to obtain the request resource information, generates a redirection response based on the request resource information, and feeds the redirection response back to the client; the redirection response instructs the client to initiate an HTTP request based on the request resource information. The client sends the HTTP request to the client agent submodule, which forwards it to the cache agent sub-module. The cache agent sub-module adds a first header to the HTTP request, the first header indicating that the original protocol type of the HTTP request is HTTPS, and sends the HTTP request with the first header added to the cache module, so that the cache module feeds back resources based on the HTTP request. If the cache module determines that the first header exists in the HTTP request, it converts the HTTP request into a second HTTPS request and sends the second HTTPS request to the source station server. If the HTTP request does not have the first header, it sends the HTTP request to the source station server. After the cache module has obtained the corresponding resource, it sends the resource to the cache agent submodule; the cache agent sub-module acquires the resource, modifies the HTTPS links in the resource into HTTP links, and feeds the modified resource back to the client agent submodule, which sends it to the client.
Optionally, after receiving an HTTPS request for a resource initiated by a client, the client agent sub-module obtains the destination port information of the HTTPS request if it determines that this information indicates that the destination port of the HTTPS request is not the designated port, and transmits the destination port information and the HTTPS request to the cache agent submodule. After the cache agent submodule parses the HTTP request carried in the HTTPS request, it adds the destination port information to the header of the redirection response and feeds the redirection response back to the client; the redirection response instructs the client to initiate the HTTP request for the resource.
In one embodiment, after transmitting the destination port information and the HTTPS request to the cache agent submodule, the client agent submodule receives an HTTP request for a resource initiated by the client, adds a second header comprising the destination port information to the HTTP request, and sends the HTTP request with the second header added to the cache agent submodule.
In one embodiment, the client agent submodule transmits the destination port information via the Proxy Protocol. Specifically, the format of the PROXY protocol header is {PROXY, protocol stack, source IP, destination IP, source port, destination port}, and the destination port information may be stored in the destination port field of the header and transmitted to the cache agent sub-module.
It should be noted that, as will be understood by those skilled in the art, the client agent submodule may also transmit the destination port information in other manners, and this embodiment is merely an example.
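The destination-port hand-off described above, as an added example that is not code from the patent: a parser for the header as the cache agent sub-module might read it, assuming the version 1 text format of the PROXY protocol, whose field order matches the one listed above. The peer allow-list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_LINE = 107  # longest v1 header line including CRLF, per the PROXY protocol spec


class ProxyInfo(NamedTuple):
    family: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _port(text: str) -> int:
    # Decimal digits only, no leading zeros, within the TCP port range.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (header info or None for UNKNOWN, bytes that follow the header)."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or unterminated PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # sender could not describe the connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    want = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    info = ProxyInfo(fields[1], str(src), str(dst), _port(fields[4]), _port(fields[5]))
    return info, rest


def dest_port_from_peer(peer_ip: str, data: bytes, trusted_peers) -> Optional[int]:
    """Accept the header only from the transport-layer proxy (hypothetical allow-list).

    Any other sender could forge the destination port, so it is rejected outright.
    """
    if peer_ip not in trusted_peers:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    info, _ = parse_proxy_v1(data)
    return None if info is None else info.dst_port


# Constructed sample: header for a connection the client made to port 8443,
# followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.7 51514 8443\r\n" + b"\x16\x03\x01"
TRUSTED = {"10.0.0.5"}  # constructed address of the transport-layer proxy

if __name__ == "__main__":
    print(dest_port_from_peer("10.0.0.5", SAMPLE, TRUSTED))
```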
The above embodiments can be mutually combined and cited, for example, the following embodiments are examples after being combined, but not limited thereto; the embodiments can be arbitrarily combined into a new embodiment without contradiction.
In one embodiment, an access method performed by a web caching proxy system, as shown in FIG. 2, includes the following steps.
Step 201: the proxy module establishes an SSL connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to obtain request resource information.
Step 202: the proxy module generates a redirection response based on the request resource information and feeds back the redirection response to the client. The redirect response instructs the client to initiate an HTTP request based on the request resource information.
Step 203: after the proxy module receives the HTTP request of the client, it adds a first header to the HTTP request. The first header indicates that the original protocol type of the HTTP request is HTTPS.
Step 204: the proxy module sends the HTTP request added with the first header to the cache module, so that the cache module feeds back resources based on the HTTP request.
Step 205: the cache module judges whether resources corresponding to the HTTP request exist in the cache. If yes, go to step 206, otherwise, go to step 207.
Step 206: the cache module feeds back the resources to the client through the proxy module. The flow then ends.
Step 207: the cache module requests resources from the source station server, feeds back the resources to the client through the proxy module, and caches the resources.
Wherein, the caching module requests resources from the source station server, including: if the first header exists in the HTTP request, converting the HTTP request into a second HTTPS request; sending a second HTTPS request to the source station server; and if the HTTP request does not have the first header, sending the HTTP request to the source station server.
The cache module feeding back resources to the client through the proxy module includes: the cache module sends the resources to the proxy module; the proxy module acquires the resources and modifies the HTTPS links in the resources into HTTP links; and the modified resources are fed back to the client.
Optionally, the proxy module includes a client agent sub-module and a cache agent sub-module. The client agent sub-module establishes TCP connections with the client and with the cache agent sub-module respectively, and forwards the SSL connection request sent by the client to the cache agent sub-module over the TCP connections, so that the cache agent sub-module establishes the SSL connection with the client based on the SSL connection request.
Optionally, the process of the client agent sub-module establishing a TCP connection with the client includes: the client agent submodule intercepts the TCP connection request sent by the client to the source station server and, masquerading as the source station server, establishes the TCP connection with the client.
In one embodiment, an access method performed by a web caching proxy system is shown in FIG. 3 and includes the following steps.
Step 301: the proxy module establishes an SSL connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to obtain request resource information.
Step 302: the proxy module generates a redirect response based on the request resource information.
Step 303: the proxy module acquires the destination port information of the first HTTPS request.
Step 304: the proxy module determines whether the destination port information indicates that the destination port is not a designated port. If yes, go to step 305, otherwise, go to step 306.
Step 305: the proxy module adds the destination port information to the header of the redirect response, so that the client initiates the HTTP request based on the destination port information.
Step 306: the proxy module feeds back the redirection response to the client; the redirect response instructs the client to initiate an HTTP request based on the request resource information.
Step 307: after the proxy module receives the HTTP request of the client, it adds a first header and a second header to the HTTP request. The first header indicates that the original protocol type of the HTTP request is HTTPS. The second header includes the destination port information.
Step 308: the proxy module sends the HTTP request added with the first header and the second header to the cache module, so that the cache module feeds back resources based on the HTTP request.
Step 309: the cache module judges whether resources corresponding to the HTTP request exist in the cache. If yes, go to step 310, otherwise, go to step 311.
Step 310: the cache module feeds back the resources to the client through the proxy module. The flow then ends.
Step 311: the cache module requests resources from the source station server, feeds back the resources to the client through the proxy module, and caches the resources.
Wherein the cache module requesting resources from the source station server includes: the cache module identifies the destination port information carried in the second header of the HTTP request and determines that the destination port information is the port corresponding to the source station server. If it further determines that the first header exists in the HTTP request, it converts the HTTP request into a second HTTPS request and sends the second HTTPS request to the corresponding port of the source station server, namely the port corresponding to the destination port information; if the HTTP request does not have the first header, it sends the HTTP request to the corresponding port of the source station server.
Optionally, the cache module feeding back the resource to the client through the proxy module includes: the cache module sends the resources to the proxy module; the proxy module acquires the resources and modifies the HTTPS links in the resources into HTTP links; and the modified resources are fed back to the client.
Optionally, the proxy module includes a client agent sub-module and a cache agent sub-module. The client agent sub-module establishes TCP connections with the client and with the cache agent sub-module respectively, and forwards the SSL connection request sent by the client to the cache agent sub-module over the TCP connections, so that the cache agent sub-module establishes the SSL connection with the client based on the SSL connection request.
Optionally, the process of the client agent sub-module establishing a TCP connection with the client includes: the client agent submodule intercepts the TCP connection request sent by the client to the source station server and, masquerading as the source station server, establishes the TCP connection with the client.
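The header handling of steps 304 to 311, as an added example that is not code from the patent: the proxy side builds the Location value and tags the forwarded request, and the cache side derives the scheme and port for the fetch from the source station server. X-CDN-SSL is the header named on the page; the second header's name (X-CDN-Dst-Port), the value "1", the `downgraded` flag and the stripping of client-supplied copies of both headers are assumptions added here.

```python
from urllib.parse import urlsplit

DESIGNATED_PORT = 443            # the page's example of the designated port
SSL_HEADER = "X-CDN-SSL"         # first header, named on the page
PORT_HEADER = "X-CDN-Dst-Port"   # second header: hypothetical name
INTERNAL = {SSL_HEADER.lower(), PORT_HEADER.lower()}


def build_redirect(host, path, dest_port):
    """Steps 302-306: 302 response whose Location keeps a non-designated port."""
    authority = host if dest_port == DESIGNATED_PORT else f"{host}:{dest_port}"
    return 302, {"Location": f"http://{authority}{path}"}


def tag_for_cache(client_headers, downgraded):
    """Steps 307-308: headers the proxy module forwards to the cache module.

    Client-supplied copies of the internal headers are dropped first, so only
    the proxy module decides how the cache module contacts the source station.
    `downgraded` says whether this request follows one of the proxy's own
    redirects; how the proxy knows that is not specified on the page.
    """
    out = {k: v for k, v in client_headers.items() if k.lower() not in INTERNAL}
    host = next((v for k, v in out.items() if k.lower() == "host"), None)
    if host is None:
        raise ValueError("request has no Host header")
    port = urlsplit("//" + host).port    # None when Host has no explicit port
    if downgraded:
        out[SSL_HEADER] = "1"            # the value "1" is an assumption
    if port is not None:
        out[PORT_HEADER] = str(port)
    return out


def origin_target(cache_headers):
    """Step 311: (scheme, host, port) the cache module uses for the fetch."""
    h = {k.lower(): v for k, v in cache_headers.items()}
    scheme = "https" if SSL_HEADER.lower() in h else "http"
    host = urlsplit("//" + h["host"]).hostname
    if PORT_HEADER.lower() in h:
        port = int(h[PORT_HEADER.lower()])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        port = 443 if scheme == "https" else 80
    return scheme, host, port


def walk_through(dest_port):
    """Constructed run: HTTPS request to www.abc.com on dest_port, then the fetch."""
    _, redirect = build_redirect("www.abc.com", "/", dest_port)
    follow_up_host = urlsplit(redirect["Location"]).netloc  # client follows the 302
    forwarded = tag_for_cache({"Host": follow_up_host}, downgraded=True)
    return origin_target(forwarded)


if __name__ == "__main__":
    print(walk_through(443), walk_through(8443))
```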
It is to be noted that the proxy module and the cache module in the web cache proxy system provided in the embodiment of the present application may be deployed on different service devices or on the same service device. Further, the client agent submodule and the cache agent submodule in the proxy module may likewise be deployed on different service devices or on the same service device. The specific deployment manner may be set according to the actual application scenario.
In one example, the server with the client agent submodule deployed may be referred to as a transport layer proxy server, the server with the cache agent submodule deployed may be referred to as an application layer proxy server, and the server with the cache module deployed may be referred to as a cache server. Two layers of proxy services are arranged between the client and the cache server, and the client is in communication connection with the cache server through the transmission layer proxy server and the application layer proxy server in sequence. The transmission layer proxy server mainly realizes transmission layer transparent proxy service, realizes intelligent route selection and guides data flow. The application layer proxy server is mainly connected with the client end through SSL, and completes redirection and page modification tasks in the application layer. In short, the transport layer proxy server performs transport layer data distribution, and the application layer proxy server performs application layer services. In this example, the schematic diagram of the interaction between the client, the transport layer proxy server, the application layer proxy server, the cache server and the source station server is shown in fig. 4, and the method for accessing resources, which is executed by the transport layer proxy server, the application layer proxy server and the cache server in cooperation, includes the following steps.
Step 401: The client and the transport layer proxy server perform a three-way handshake to establish a TCP connection.
Specifically, the transport layer proxy server intercepts the TCP connection request sent by the client to the source station server, and masquerades as the source station server to establish the TCP connection with the client. A TCP connection is also established between the transport layer proxy server and the application layer proxy server.
Step 402: the client sends the SSL connection request and establishes SSL connection with the application layer proxy server based on the pseudo certificate fed back by the application layer proxy server.
Specifically, the transport layer proxy server forwards the SSL connection request sent by the client to the application layer proxy server over the TCP connection. The application layer proxy server constructs a pseudo certificate and, masquerading as the source station server, responds to the SSL connection request of the client. If the user chooses, through the client, to trust the pseudo certificate, the client can establish the SSL connection with the application layer proxy server based on the pseudo certificate.
Step 403: the client initiates an HTTPS request to the transport layer proxy server.
Specifically, once the SSL connection is established, the client may send an HTTPS request to the source station server over the SSL connection. The HTTPS request may be, for example, a HyperText Markup Language (HTML) page request for a website home page.
Step 404: the transport layer proxy server forwards the HTTPS request to the application layer proxy server.
Step 405: The application layer proxy server parses the HTTPS request to obtain the request resource information, and replies to the client with a 302 response. The 302 response instructs the client browser to initiate an HTTP request based on the request resource information.
Step 406: The client receives the 302 response and initiates an HTTP request.
Step 407: the transport layer proxy server forwards the HTTP request to the application layer proxy server.
Step 408: The application layer proxy server adds an X-CDN-SSL header to the HTTP request and distributes the HTTP request with the X-CDN-SSL header added to a back-end cache server. The X-CDN-SSL header indicates that the client's request was originally an HTTPS request.
Step 409: The cache server receives the HTTP request sent by the application layer proxy server. Because the HTTP request contains the X-CDN-SSL header, which indicates that it was originally an HTTPS request, the cache server converts it into an HTTPS request and sends the HTTPS request to the source station server.
Step 410: The source station server returns the resource requested by the HTTPS request to the cache server.
Step 411: The cache server returns the resource with which the source station server responded to the application layer proxy server, and caches that resource.
Step 412: After receiving the content with which the source station server responded, the application layer proxy server modifies the HTTPS links in that content into HTTP links, so that the protocol of subsequent sub-requests is the HTTP protocol, and returns the modified content to the transport layer proxy server.
For example, after the https://www.baidu.com/ page content is obtained, the HTML page tags contain a number of HTTPS links. One such HTML page tag is as follows:
<img src='https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/baiduyun@2x-e0be79e69e.png'/>
At this point, the src link in the img tag is modified to downgrade the HTTPS link to an HTTP link. The modified src link is as follows:
'http://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/baiduyun@2x-e0be79e69e.png'
The modified link is a downgraded HTTP link.
Step 413: The transport layer proxy server forwards the modified content to the client.
As can be seen from the above, with the method for accessing resources according to this embodiment, the client can successfully acquire the resource originally requested by the HTTPS request, and a web cache agent is implemented.
Step 414: The client sends a sub-request for the resource, downgraded to an HTTP sub-request, to the transport layer proxy server.
Here, the HTTP sub-request refers to an access request that the client further issues for a link in the received response content.
Step 415: The transport layer proxy server forwards the HTTP sub-request to the application layer proxy server.
Step 416: The application layer proxy server parses the HTTP sub-request, adds an X-CDN-SSL header to it, and transmits the HTTP sub-request with the X-CDN-SSL header added to the cache server.
Step 417: The cache server identifies the HTTP sub-request, converts it into an HTTPS sub-request and sends the HTTPS sub-request to the source station server.
Step 418: the source station server returns the resource requested to be accessed by the HTTPS sub-request.
Step 419: The cache server returns the content with which the source station server responded to the application layer proxy server, and caches that content.
Step 420: After receiving the content with which the source station server responded, the application layer proxy server modifies the HTTPS links in that content into HTTP links, so that the protocol of subsequent sub-requests is the HTTP protocol, and returns the modified content to the transport layer proxy server.
Step 421: The transport layer proxy server forwards the modified content to the client.
As can be seen from the above, with the method for accessing resources according to this embodiment, the client can successfully acquire the resource originally requested by the HTTPS request. Through the 302 redirection response and page rewriting, the HTTPS requests for the home page and for the sub-links are downgraded to the HTTP protocol, so that the cache server can parse the plaintext HTTP request and respond from the cache. In the case of a cache miss, the cache server can convert the HTTP request into the corresponding HTTPS request, go back to the source to acquire the resource, return the resource to the client, and cache the resource.
In one example, the destination port of the HTTPS request initiated by the client is not the designated port (port 443). Taking a second header named WS-Port as an example, the process of passing the destination port between the client, the transport layer proxy server, the application layer proxy server, the cache server and the source station server through the proxy protocol is shown in fig. 5 and includes the following sub-steps.
Step 501: The client sends an HTTPS request to the transport layer proxy server. The destination port of the HTTPS request is a port other than the designated port 443, for example, port 8888.
Step 502: The transport layer proxy server redirects the HTTPS request to a local port (such as port 2020) through a filtering system (such as iptables). At this point, the original destination port information of the HTTPS request can be acquired through the socket application program interface (socket API).
Step 503: The transport layer proxy server passes on the destination port information through the proxy protocol (Proxy Protocol). The header format of the PROXY protocol is { PROXY protocol stack source IP destination IP source port destination port }. The destination port information may be stored in the destination port field of the proxy protocol header for transmission to the next-hop proxy server, while the HTTPS request is forwarded to the application layer proxy server.
Step 504: The application layer proxy server obtains the original destination port information of the HTTPS request, finds that the destination port is not the designated port (port 443), adds the original destination port to the URL of the redirection in the Location header of the 302 response, and sends the redirection response to the client.
Step 505: The client receives the 302 response and sends an HTTP request to the original destination port.
Step 506: The transport layer proxy server adds a WS-Port header to the HTTP request, puts destination port 8888 in the WS-Port header, and forwards the HTTP request with the WS-Port header added to the application layer proxy server.
Step 507: The application layer proxy server adds an X-CDN-SSL header to the HTTP request that already carries the WS-Port header, and sends the HTTP request with the X-CDN-SSL header added to the cache server.
Step 508: The cache server restores the request to an HTTPS request according to the X-CDN-SSL header, and initiates a back-to-source request to the correct destination port of the source station server according to the destination port carried in the WS-Port header.
Step 509: The source station server feeds back the resource requested by the HTTPS request to the client. For the specific process, refer to the related contents of steps 410 to 413.
As can be seen from the above, the method for accessing resources according to this embodiment addresses the problem that the destination port is lost when HTTPS traffic is forwarded: the proxy protocol (Proxy Protocol) is used to pass the destination port of the HTTPS request to the next-hop proxy server, so that the subsequent proxy server can establish a connection to the correct port of the source station server.
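The header hand-off of steps 501 to 508, together with the X-CDN-SSL handling of steps 405 to 409, as an added example that is not code from the patent: it parses a PROXY protocol v1 line, builds the Location URL of the 302 response, and rebuilds the back-to-source URL from the X-CDN-SSL and WS-Port headers. The function names, the header value "1", the sample addresses, and the dropping of client-supplied copies of the two internal headers are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

DESIGNATED_PORT = 443          # the "designated port" of the description
DEFAULT_PORT = {"http": 80, "https": 443}
SSL_HEADER = "X-CDN-SSL"       # first header: the request was originally HTTPS
PORT_HEADER = "WS-Port"        # second header: original destination port
INTERNAL = {SSL_HEADER.lower(), PORT_HEADER.lower()}


def _port(text: str) -> int:
    """Accept only a decimal TCP port in 1..65535."""
    if not (text.isascii() and text.isdigit()) or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def _url(scheme: str, host: str, port: int, target: str) -> str:
    """Build scheme://host[:port]/path, omitting the scheme's default port."""
    name = urlsplit("//" + host).hostname      # drops any port in the Host value
    if not name or not target.startswith("/"):
        raise ValueError("invalid Host value or request target")
    if ":" in name:                            # IPv6 literal needs its brackets back
        name = f"[{name}]"
    authority = name if port == DEFAULT_PORT[scheme] else f"{name}:{port}"
    return f"{scheme}://{authority}{target}"


def parse_proxy_v1(line: bytes) -> dict:
    """Step 503: parse 'PROXY <TCP4|TCP6> <src ip> <dst ip> <src port> <dst port>' + CRLF."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("not a PROXY protocol v1 line")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY protocol v1 line")
    src_ip, dst_ip = (str(ipaddress.ip_address(f)) for f in fields[2:4])
    return {"family": fields[1], "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}


def redirect_location(host: str, target: str, original_port: int) -> str:
    """Steps 405 and 504: URL for the Location header of the 302 response.

    original_port is the destination port of the HTTPS request; it is written
    into the URL only when it is not the designated port.
    """
    port = 80 if original_port == DESIGNATED_PORT else original_port
    return _url("http", host, port, target)


def tag_for_cache(client_headers: dict, original_port: int) -> dict:
    """Steps 408 and 506-507: headers of the HTTP request as sent to the cache server."""
    # Assumption (not stated in the patent): copies of the two internal headers
    # that arrive from the client are dropped, so only the proxy hop sets them.
    out = {k: v for k, v in client_headers.items() if k.lower() not in INTERNAL}
    out[SSL_HEADER] = "1"      # constructed value; the description only needs presence
    if original_port != DESIGNATED_PORT:
        out[PORT_HEADER] = str(original_port)
    return out


def origin_url(headers: dict, target: str) -> str:
    """Steps 409 and 508: URL of the cache server's back-to-source request."""
    h = {k.lower(): v for k, v in headers.items()}
    if SSL_HEADER.lower() not in h:            # no first header: the request stays HTTP
        return _url("http", h["host"], urlsplit("//" + h["host"]).port or 80, target)
    port = _port(h[PORT_HEADER.lower()]) if PORT_HEADER.lower() in h else DESIGNATED_PORT
    return _url("https", h["host"], port, target)


def demo() -> tuple:
    """Walk one constructed request through steps 503 to 508."""
    line = b"PROXY TCP4 203.0.113.7 198.51.100.20 51544 8888\r\n"   # constructed sample
    port = parse_proxy_v1(line)["dst_port"]
    location = redirect_location("www.example.com:8888", "/index.html", port)
    forwarded = tag_for_cache({"Host": "www.example.com:8888", "ws-port": "9999"}, port)
    return location, forwarded, origin_url(forwarded, "/index.html")


if __name__ == "__main__":
    for item in demo():
        print(item)
```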
The steps of the above methods are divided as they are for clarity of description. In implementation, steps may be combined into one step, or a step may be split into multiple steps; as long as the same logical relationship is included, such variations are within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes, without changing the core design of the algorithms or processes is also within the protection scope of this patent.
An embodiment of the present application further provides a web caching proxy system, as shown in fig. 6, including: an agent module 601 and a cache module 602. The agent module 601 is used for: establishing a Secure Socket Layer (SSL) connection with a client, receiving a first HTTPS request initiated by the client based on the SSL connection, and analyzing the first HTTPS request to acquire request resource information; generating a redirection response based on the request resource information, feeding back the redirection response to the client, and indicating the client to initiate an HTTP request based on the request resource information by the redirection response; forwarding the HTTP request to the caching module 602; the caching module 602 is configured to: resources are fed back based on the HTTP request.
In one example, the caching module 602 is specifically configured to: if it is determined that the resource corresponding to the HTTP request exists in the cache, feed back the resource to the client through the proxy module; and if it is determined that the resource corresponding to the HTTP request does not exist in the cache, request the resource from the source station server, feed back the resource to the client through the proxy module, and cache the resource.
In one example, the proxy module includes a client proxy sub-module and a cache proxy sub-module. The client proxy sub-module establishes TCP connections with the client and with the cache proxy sub-module respectively, and forwards an SSL connection request sent by the client to the cache proxy sub-module over the TCP connections, so that the cache proxy sub-module establishes an SSL connection with the client based on the SSL connection request.
It should be understood that the present embodiment is an apparatus embodiment corresponding to the above method embodiment, and the present embodiment can be implemented in cooperation with the above method embodiment. The related technical details mentioned in the above method embodiments are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related art details mentioned in the present embodiment can also be applied to the above-described method embodiments.
It should be noted that all the modules involved in this embodiment are logic modules. In practical application, one logic unit may be one physical unit, may be a part of one physical unit, or may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, units that are not closely related to solving the technical problem proposed by the present invention are not introduced in this embodiment, but this does not mean that no other units exist in this embodiment.
An embodiment of the present application further provides an electronic device, as shown in fig. 7, including: at least one processor 701; and a memory 702 communicatively coupled to the at least one processor 701; wherein the memory stores instructions executable by the at least one processor 701 to cause the at least one processor 701 to perform the above-described method embodiments.
The memory 702 and the processor 701 are coupled by a bus, which may comprise any number of interconnecting buses and bridges that couple one or more of the various circuits of the processor 701 and the memory 702. The bus may also connect various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore are not described further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 701 is transmitted over a wireless medium through an antenna; the antenna also receives data and transmits the data to the processor 701.
The processor 701 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And the memory 702 may be used for storing data used by the processor 701 in performing operations.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (12)

1. An access method applied to a web cache agent system comprising an agent module and a cache module, the method comprising:
the agent module establishes a Secure Socket Layer (SSL) connection with a client, receives a first HTTPS request initiated by the client based on the SSL connection, and analyzes the first HTTPS request to acquire request resource information; generating a redirection response based on the request resource information, and feeding back the redirection response to the client, wherein the redirection response indicates the client to initiate an HTTP request based on the request resource information;
the proxy module forwards the HTTP request to the caching module, so that the caching module feeds back resources based on the HTTP request.
2. The accessing method according to claim 1, after the proxy module forwards the HTTP request to the caching module, further comprising:
if the cache module determines that the resources corresponding to the HTTP request exist in the cache, the proxy module feeds the resources back to the client; and if the fact that the resources corresponding to the HTTP request do not exist in the cache is determined, requesting the resources from a source station server, feeding back the resources to the client through the proxy module, and caching the resources.
3. The method according to claim 2, wherein the proxy module forwards the HTTP request to the cache module, and comprises:
adding a first header to the HTTP request, wherein the first header indicates that the original protocol type of the HTTP request is HTTPS;
sending the HTTP request added with the first header to the cache module;
the caching module requests resources from a source station server, and the method comprises the following steps:
if the first header exists in the HTTP request, converting the HTTP request into a second HTTPS request; sending the second HTTPS request to the source station server;
and if the HTTP request does not have the first header, sending the HTTP request to the source station server.
4. The access method according to claim 2, wherein the caching module feeds back the resource to the client through the proxy module, and comprises:
the cache module sends the resource to the agent module;
the agent module acquires the resource and modifies an HTTPS link in the resource into an HTTP link; and feeding back the modified resources to the client.
5. The access method according to claim 2, before the proxy module feeds back the redirect response to the client, further comprising:
the agent module acquires destination port information of the first HTTPS request; if the destination port information of the first HTTPS request indicates that the destination port of the first HTTPS request is not the designated port, adding the destination port information in the head of the redirection response, so that the client initiates the HTTP request based on the destination port information.
6. The method according to claim 5, wherein the proxy module forwards the HTTP request to the caching module, and comprises:
the proxy module receives the HTTP request and adds a second header to the HTTP request, wherein the second header comprises the destination port information;
the caching module requests resources from a source station server, and the method comprises the following steps:
the cache module identifies the destination port information carried in a second header of the HTTP request; and requesting the source station server for the resources through a port of the source station server corresponding to the destination port information.
7. The access method according to claim 1, wherein the proxy module comprises a client proxy sub-module and a cache proxy sub-module, the client proxy sub-module establishes TCP connections with the client and the cache proxy sub-module respectively, and forwards SSL connection requests sent by the client to the cache proxy sub-module based on the TCP connections, so that the cache proxy sub-module establishes SSL connections with the client based on the SSL connection requests.
8. The access method according to claim 7, wherein the process of the client agent submodule establishing the TCP connection with the client comprises:
the client agent submodule intercepts a TCP connection request sent by the client to a source station server, and masquerades as the source station server to establish the TCP connection with the client.
9. A web caching proxy system, comprising: the device comprises an agent module and a cache module;
the agent module is configured to: establishing a Secure Socket Layer (SSL) connection with a client, receiving a first HTTPS request initiated by the client based on the SSL connection, and analyzing the first HTTPS request to acquire request resource information; generating a redirection response based on the request resource information, and feeding back the redirection response to the client, wherein the redirection response indicates the client to initiate an HTTP request based on the request resource information; forwarding the HTTP request to the caching module;
the cache module is used for: feeding back resources based on the HTTP request.
10. The web caching proxy system of claim 9, wherein the caching module is specifically configured to:
if the resources corresponding to the HTTP request exist in the cache, feeding back the resources to the client through the proxy module;
and if the fact that the resources corresponding to the HTTP request do not exist in the cache is determined, requesting the resources from a source station server, feeding back the resources to the client through the proxy module, and caching the resources.
11. The web caching proxy system of claim 9, wherein the proxy module comprises a client proxy submodule and a caching proxy submodule, the client proxy submodule respectively establishes TCP connections with the client and the caching proxy submodule and forwards SSL connection requests sent by the client to the caching proxy submodule based on the TCP connections, so that the caching proxy submodule establishes SSL connections with the client based on the SSL connection requests.
12. An electronic device, comprising: at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the access method of any one of claims 1 to 8.
CN202110924514.6A 2021-08-12 2021-08-12 Access method, web cache proxy system and electronic equipment Pending CN113810464A (en)


Publications (1)

Publication Number Publication Date
CN113810464A true CN113810464A (en) 2021-12-17

Family

ID=78942778


Country Status (1)

Country Link
CN (1) CN113810464A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination