CN113810464B - Access method, web cache proxy system and electronic equipment - Google Patents

Publication number: CN113810464B
Authority: CN (China)
Prior art keywords: module, client, request, proxy, cache
Legal status: Active
Application number: CN202110924514.6A
Other languages: Chinese (zh)
Other versions: CN113810464A (en)
Inventor: 张伯雄
Current Assignee: Wangsu Science and Technology Co Ltd
Original Assignee: Wangsu Science and Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiments of the application relate to the technical field of communication and disclose an access method, a web cache proxy system and electronic equipment. In some embodiments of the present application, the access method is applied to a web cache proxy system including a proxy module and a cache module, and includes: the proxy module establishes a Secure Sockets Layer (SSL) connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to acquire request resource information; the proxy module generates a redirection response based on the request resource information and feeds the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back the resource based on the HTTP request. The technical scheme provided by the embodiments of the application can respond to an HTTPS request for a resource initiated by the client.

Description

Access method, web cache proxy system and electronic equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a method for accessing resources, a web cache proxy system and electronic equipment.
Background
A web cache server can improve page access speed and save bandwidth resources. However, in an application scenario in which the web cache server is used as a forward proxy, the specific content of a user's HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) request cannot be known, so cache acceleration service cannot be provided for the user, bandwidth resources cannot be saved, and the user's access speed cannot be improved.
Disclosure of Invention
The embodiments of the invention aim to provide an access method, a web cache proxy system and electronic equipment, so that HTTPS requests for resources initiated by a client can be responded to.
In order to solve the above technical problem, in a first aspect, an embodiment of the present invention provides an access method, which is applied to a web cache proxy system including a proxy module and a cache module, including: the proxy module establishes a Secure Sockets Layer (SSL) connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to acquire request resource information; the proxy module generates a redirection response based on the request resource information and feeds the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back the resource based on the HTTP request.
In a second aspect, an embodiment of the present invention provides a web cache proxy system, including a proxy module and a cache module. The proxy module is used for: establishing a Secure Sockets Layer (SSL) connection with a client, receiving a first HTTPS request initiated by the client over the SSL connection, and parsing the first HTTPS request to acquire request resource information; generating a redirection response based on the request resource information, and feeding the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; and forwarding the HTTP request to the cache module. The cache module is used for feeding back the resource based on the HTTP request.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the access method as mentioned in the above embodiments.
Compared with the prior art, the proxy module establishes an SSL connection with the client and, when it receives the HTTPS request, parses the HTTPS request to obtain the request resource information and feeds the request resource information back to the client, so that the client initiates an HTTP request based on the request resource information; the HTTPS request is thereby downgraded to an HTTP request. Because the HTTPS request is downgraded to an HTTP request, the web cache proxy system can parse the plaintext HTTP request and return the cached copy of the resource corresponding to the HTTP request.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
FIG. 1 is a flow chart of an access method of an embodiment of the present application;
FIG. 2 is a flow chart of an access method of another embodiment of the present application;
FIG. 3 is a flow chart of an access method of yet another embodiment of the present application;
FIG. 4 is a schematic diagram of interactions between a client, a transport layer proxy server, an application layer proxy server, a cache server, and a source station server according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a process for transferring destination ports between a client, a transport layer proxy server, an application layer proxy server, a cache server, and a source station server via a proxy protocol according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a web cache proxy system in an embodiment of the application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the following detailed description of the embodiments of the present application will be given with reference to the accompanying drawings. However, those of ordinary skill in the art will understand that in various embodiments of the present application, numerous technical details have been set forth in order to provide a better understanding of the present application. The claimed application may be practiced without these specific details and with various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not be construed as limiting the specific implementation of the present application, and the embodiments can be mutually combined and referred to without contradiction.
In the description of the present disclosure, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present disclosure, unless otherwise indicated, the meaning of "a plurality" is two or more.
The embodiment of the application provides an access method which is applied to a web cache proxy system comprising a proxy module and a cache module, as shown in figure 1, and comprises the following steps.
Step 101: the proxy module establishes an SSL connection with the client, receives a first HTTPS request initiated by the client over the SSL connection, and parses the first HTTPS request to acquire request resource information.
Step 102: the proxy module generates a redirection response based on the request resource information and feeds the redirection response back to the client; the redirection response instructs the client to initiate an HTTP request based on the request resource information.
Step 103: the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back the resource based on the HTTP request.
In the embodiment of the application, the proxy module establishes an SSL connection with the client and, when it receives the HTTPS request, parses the HTTPS request to obtain the request resource information and feeds the request resource information back to the client, so that the client initiates an HTTP request based on the request resource information; the HTTPS request is thereby downgraded to an HTTP request. Because the HTTPS request is downgraded to an HTTP request, the web cache proxy system can parse the plaintext HTTP request and return the cached copy of the resource corresponding to the HTTP request.
In implementations, the request resource information may be a uniform resource locator (URL), e.g., www.abc.com. Take as an example a client initiating an HTTPS request to www.abc.com. Before sending the HTTPS request https://www.abc.com/, the client browser requests an SSL connection with the source station server, and this SSL connection request passes through the proxy module before reaching the source station server. When the proxy module receives the SSL connection request initiated by the client browser, it can establish an SSL connection with the client browser based on a pseudo certificate.
The client browser then sends the HTTPS request https://www.abc.com/ over the established SSL connection. The proxy module receives the HTTPS request over the SSL connection and can parse it to obtain the request resource information: www.abc.com/.
The proxy module then constructs a redirection response (a 302 response) based on the request resource information. The 302 response carries a header instructing the client browser to issue an HTTP request: Location: http://www.abc.com/.
After receiving the 302 response, the client browser sends an HTTP request for www.abc.com/, i.e. http://www.abc.com/, according to the Location header.
After receiving the HTTP request, the proxy module forwards it to the cache module to request the resource corresponding to http://www.abc.com/ from the cache module, and feeds the resource corresponding to http://www.abc.com/ back to the client.
In one embodiment, after the proxy module forwards the HTTP request to the cache module, the method further includes: the cache module determines whether the corresponding resource is cached. If the resource corresponding to the HTTP request exists in the cache, the resource can be fed back directly to the client through the proxy module; if the resource corresponding to the HTTP request does not exist in the cache, the cache module requests the resource from the source station server providing it, feeds the resource back to the client through the proxy module, and caches the resource. In one implementation, when forwarding the HTTP request to the cache module, the proxy module synchronizes the destination address and port contained in the HTTPS request sent by the client browser to the cache module, so that the cache module can request the resource directly from the source station server pointed to by the destination IP and port. In another implementation, the cache module may obtain the address information of the source station server providing the requested resource by resolving the domain name in the HTTP request, and request the resource from the corresponding source station server based on the domain name resolution result.
In one embodiment, the proxy module forwards the HTTP request to the cache module as follows: it adds a first header to the HTTP request, wherein the first header indicates that the original protocol type of the HTTP request is HTTPS, and sends the HTTP request with the first header added to the cache module. Correspondingly, the cache module requests the resource from the source station server as follows: if the first header exists in the HTTP request, the cache module converts the HTTP request into a second HTTPS request and sends the second HTTPS request to the source station server; if the first header does not exist in the HTTP request, the cache module sends the HTTP request to the source station server. Specifically, the first header may be an X-CDN-SSL header marking that the HTTP request was originally an HTTPS request; the first header may also be other information, and this embodiment is merely illustrative. In this embodiment, the proxy module adds the first header to the HTTP request obtained by downgrading the HTTPS request, to mark that the original request initiated by the client to the source station server was an HTTPS request. The cache module decides whether to initiate an HTTPS request to the source station server according to whether the received HTTP request includes the first header. This avoids sending an HTTP request to a source station server that supports only the HTTPS protocol, which would cause a back-to-source failure.
In one embodiment, the caching module feeds back the resource to the client through the proxy module, including: the cache module sends the resource to the proxy module; the agent module acquires the resource and modifies the HTTPS link in the resource into an HTTP link; and feeding the modified resources back to the client. In this embodiment, after receiving the resource fed back by the cache module, the proxy module modifies the HTTPS link in the resource to the HTTP link, so that after receiving the feedback resource, if the user needs to further initiate an access request for the link content in the feedback resource, the client browser initiates a subsequent sub-request in the HTTP request manner, and is received by the proxy module and performs a subsequent cache proxy.
In one embodiment, before the proxy module feeds back the redirection response to the client, the method further comprises: the proxy module obtains the destination port information of the first HTTPS request. If the destination port information indicates that the destination port of the first HTTPS request is not a designated port (the designated port being, e.g., 443), the destination port information is added to the Location header of the redirection response, so that the client initiates the HTTP request to the destination port given in the Location header. When the proxy module receives the HTTP request and determines that its destination port is a non-designated port, the proxy module may carry the destination port in the HTTP request it forwards to the cache module. In this embodiment, when the proxy module feeds back the redirection response, it feeds the non-designated destination port information of the HTTPS request back to the client, so that when the client browser initiates the HTTP request based on the redirection response, the destination port of that request is the one indicated in the redirection response. The proxy module can therefore obtain the non-designated destination port directly from the HTTP request the client browser initiates toward the source station server and pass it to the cache module, which avoids losing the destination port without having to keep a local record of the non-designated port.
It should be noted that, as will be understood by those skilled in the art, the proxy server may also feed back the destination port information to the client in other manners, so that the client carries the destination port in the HTTP request, which is only illustrated in this embodiment.
In one embodiment, the proxy module forwards the HTTP request to the cache module, comprising: the agent module receives the HTTP request and adds a second header to the HTTP request, wherein the second header comprises destination port information; the caching module requests resources from the source station server, including: the cache module identifies destination port information carried in a second header of the HTTP request; and requesting resources from the source station server through a port of the source station server corresponding to the destination port information. In this embodiment, after receiving an HTTP request obtained by degrading an HTTPS request, the proxy module adds destination port information in the HTTPS request to a header of the HTTP request, so that after the HTTP request is forwarded to the cache module, the cache module may normally return to the source station server based on the destination port information carried in the second header of the HTTP request, so that the cache module may normally service HTTPS requests of different destination ports, solve the problem of destination port loss, improve access speed, and save a return source bandwidth.
In one embodiment, the proxy module includes a client proxy sub-module and a cache proxy sub-module, the client proxy sub-module establishes a TCP connection with the client and the cache proxy sub-module, respectively, and forwards an SSL connection request sent by the client to the cache proxy sub-module based on the TCP connection, so that the cache proxy sub-module establishes an SSL connection with the client based on the SSL connection request.
Optionally, the process of establishing the TCP connection between the client agent sub-module and the client includes: the client agent submodule intercepts a TCP connection request sent by the client to the source station server and disguises that the source station server establishes TCP connection with the client.
Specifically, two layers of proxy services are arranged between the client and the cache module, and the client is in communication connection with the cache module through a client proxy sub-module and a cache proxy sub-module. The client agent sub-module can be a transport layer agent service, mainly realizes the transport layer transparent agent service, realizes intelligent routing and guides data flow. The caching agent sub-module can be an application layer agent service, mainly performs SSL connection with the client, and completes redirection and resource modification tasks at the application layer. In short, the client agent sub-module distributes the data of the transmission layer, and the cache agent sub-module performs the service of the application layer.
In this embodiment, after the SSL connection is created between the caching proxy sub-module and the client, the client proxy sub-module forwards the first HTTPS request to the caching proxy sub-module after receiving the first HTTPS request sent by the client. The caching agent sub-module analyzes the first HTTPS request to acquire request resource information; and generating a redirection response based on the request resource information, and feeding back the redirection response to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information. The client sends an HTTP request to the client proxy sub-module. The client agent sub-module forwards the HTTP request to the caching agent sub-module. The caching agent submodule adds a first header to the HTTP request, and the first header indicates that the original protocol type of the HTTP request is HTTPS; and sending the HTTP request added with the first header to a cache module, so that the cache module feeds back resources based on the HTTP request. If the caching module determines that the first header exists in the HTTP request, converting the HTTP request into a second HTTPS request; and sending a second HTTPS request to the source station server. If it is determined that the first header does not exist in the HTTP request, the HTTP request is sent to the source station server. After the cache module requests to obtain the corresponding resources, the resources are sent to the cache agent sub-module; the caching agent submodule acquires the resource and modifies the HTTPS link in the resource into an HTTP link; and feeding the modified resources back to the client agent sub-module, and sending the modified resources to the client by the client agent sub-module.
Optionally, after the client agent sub-module receives the HTTPS request for the resource initiated by the client, if the destination port information of the HTTPS request indicates that the destination port is not the designated port, the client agent sub-module obtains the destination port information of the HTTPS request and transmits the destination port information and the HTTPS request to the cache agent sub-module. After parsing the HTTPS request, the cache agent sub-module adds the destination port information to the header of the redirection response and feeds the redirection response back to the client; the redirection response instructs the client to initiate the HTTP request for the resource.
In one embodiment, after transmitting the destination port information and the HTTPS request to the cache agent sub-module, the client agent sub-module receives the HTTP request for the resource initiated by the client, adds a second header to the HTTP request, the second header including the destination port information, and sends the HTTP request with the second header added to the cache agent sub-module.
In one embodiment, the client agent sub-module transmits the destination port information via the PROXY protocol. Specifically, the PROXY protocol header format is { PROXY, protocol stack, source IP, destination IP, source port, destination port }; the destination port information may be stored in the destination port field of the header and passed to the cache agent sub-module.
It should be noted that, as will be understood by those skilled in the art, the client agent sub-module may also transmit the destination port information in other manners, and this embodiment is merely illustrative.
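The receiving side of this hand-off can be sketched as follows. This is an added example, not code from the patent: it parses the human-readable version 1 PROXY protocol header, which has the field layout listed above, validates it, and reports the destination port when it differs from the designated port. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

DESIGNATED_PORT = 443  # the page's example of the designated port
MAX_V1_LINE = 107      # longest v1 header line, CRLF included (PROXY protocol spec)


class ProxyHeader(NamedTuple):
    family: str    # "TCP4" or "TCP6" (the "protocol stack" field)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _port(text: str) -> int:
    # Decimal digits only, no sign, no leading zeros, within 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port field: {text!r}")
    value = int(text)
    if value > 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_proxy_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Parse a v1 header at the start of a connection.

    Returns the parsed header and the bytes that follow it (the client's
    own traffic). Raises ValueError on anything malformed.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("header line not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    # "PROXY UNKNOWN ..." carries no usable destination port, so it is rejected.
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed header")
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:
            raise ValueError(f"{addr} does not match {family}")
    header = ProxyHeader(family, src, dst, _port(sport), _port(dport))
    return header, data[end + 2:]


def port_for_redirect(header: ProxyHeader) -> Optional[int]:
    """Destination port to carry into the redirect, or None if designated."""
    return None if header.dst_port == DESIGNATED_PORT else header.dst_port


# Constructed sample: a header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.20 51544 8443\r\n\x16\x03\x01"

if __name__ == "__main__":
    hdr, rest = parse_proxy_v1(SAMPLE)
    print(hdr, port_for_redirect(hdr), rest)
```
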
The above embodiments may be combined with each other to refer to each other, for example, the following are examples after the combination of the embodiments, but not limited to these examples; the embodiments can be arbitrarily combined into a new embodiment on the premise of no contradiction.
In one embodiment, an access method performed by a web cache proxy system is shown in FIG. 2, comprising the following steps.
Step 201: the proxy module establishes SSL connection with the client, receives a first HTTPS request initiated by the client based on the SSL connection, and analyzes the first HTTPS request to acquire request resource information.
Step 202: the proxy module generates a redirect response based on the request resource information and feeds back the redirect response to the client. The redirect response instructs the client to initiate an HTTP request based on the request resource information.
Step 203: after the proxy module receives the HTTP request of the client, a first header is added to the HTTP request. The first header indicates that the original protocol type of the HTTP request is HTTPS.
Step 204: the proxy module sends the HTTP request added with the first header to the cache module, so that the cache module feeds back resources based on the HTTP request.
Step 205: the cache module determines whether the resource corresponding to the HTTP request exists in the cache. If yes, go to step 206; otherwise, go to step 207.
Step 206: the caching module feeds back the resources to the client through the proxy module. The flow is then ended.
Step 207: the caching module requests the resource from the source station server, feeds back the resource to the client through the proxy module, and caches the resource.
The caching module requests the resource from the source station server as follows: if the first header exists in the HTTP request, the caching module converts the HTTP request into a second HTTPS request and sends the second HTTPS request to the source station server; if the first header does not exist in the HTTP request, the HTTP request is sent to the source station server.
The cache module feeds back resources to the client through the proxy module, and the method comprises the following steps: the cache module sends the resource to the proxy module; the agent module acquires the resource and modifies the HTTPS link in the resource into an HTTP link; and feeding the modified resources back to the client.
Optionally, the proxy module includes a client proxy sub-module and a cache proxy sub-module, the client proxy sub-module establishes a TCP connection with the client and the cache proxy sub-module respectively, and forwards an SSL connection request sent by the client to the cache proxy sub-module based on the TCP connection, so that the cache proxy sub-module establishes an SSL connection with the client based on the SSL connection request.
Optionally, the process of establishing the TCP connection between the client agent sub-module and the client includes: the client agent submodule intercepts a TCP connection request sent by the client to the source station server and disguises that the source station server establishes TCP connection with the client.
In one embodiment, an access method performed by a web cache proxy system is shown in FIG. 3, comprising the following steps.
Step 301: the proxy module establishes SSL connection with the client, receives a first HTTPS request initiated by the client based on the SSL connection, and analyzes the first HTTPS request to acquire request resource information.
Step 302: the proxy module generates a redirect response based on the request resource information.
Step 303: the proxy module obtains destination port information of the first HTTPS request.
Step 304: the proxy module determines whether the destination port information indicates that the destination port is not a designated port. If yes, go to step 305, otherwise, go to step 306.
Step 305: the proxy module adds destination port information in the header of the redirect response so that the client initiates an HTTP request based on the destination port information.
Step 306: the agent module feeds back a redirection response to the client; the redirect response instructs the client to initiate an HTTP request based on the request resource information.
Step 307: after receiving the HTTP request of the client, the proxy module adds a first header and a second header to the HTTP request. The first header indicates that the original protocol type of the HTTP request is HTTPS. The second header includes destination port information.
Step 308: the proxy module sends the HTTP request added with the first header and the second header to the cache module, so that the cache module feeds back resources based on the HTTP request.
Step 309: the cache module determines whether the resource corresponding to the HTTP request exists in the cache. If yes, go to step 310; otherwise, go to step 311.
Step 310: the caching module feeds back the resources to the client through the proxy module. The flow is then ended.
Step 311: the caching module requests the resource from the source station server, feeds back the resource to the client through the proxy module, and caches the resource.
The caching module requests the resource from the source station server as follows: the cache module identifies the destination port information carried in the second header of the HTTP request and takes it as the port to use on the source station server. If the first header exists in the HTTP request, the cache module converts the HTTP request into a second HTTPS request and sends the second HTTPS request to the corresponding port of the source station server, namely the port given by the destination port information; if the first header does not exist in the HTTP request, the HTTP request is sent to the corresponding port of the source station server.
Optionally, the caching module feeds back the resource to the client through the proxy module, including: the cache module sends the resource to the proxy module; the agent module acquires the resource and modifies the HTTPS link in the resource into an HTTP link; and feeding the modified resources back to the client.
Optionally, the proxy module includes a client proxy sub-module and a cache proxy sub-module, the client proxy sub-module establishes a TCP connection with the client and the cache proxy sub-module respectively, and forwards an SSL connection request sent by the client to the cache proxy sub-module based on the TCP connection, so that the cache proxy sub-module establishes an SSL connection with the client based on the SSL connection request.
Optionally, the process of establishing the TCP connection between the client agent sub-module and the client includes: the client agent submodule intercepts a TCP connection request sent by the client to the source station server and disguises that the source station server establishes TCP connection with the client.
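The header handling in steps 302 to 311 can be traced with a short model. This is an added example, not code from the patent, and it performs no network or SSL operations. X-CDN-SSL is the first header named on the page; the second header name X-CDN-Dst-Port, the header value "1", the function names, and the fallback to port 443 or 80 when the second header is absent are assumptions of this sketch.

```python
from urllib.parse import urlsplit

DESIGNATED_PORT = 443              # the page's example of the designated port
FIRST_HEADER = "X-CDN-SSL"         # first header named on the page
SECOND_HEADER = "X-CDN-Dst-Port"   # hypothetical name; the page does not name it


def _hostport(host, port, default_port):
    # IPv6 literals need brackets; the port is omitted when it is the default.
    if ":" in host:
        host = f"[{host}]"
    return host if port == default_port else f"{host}:{port}"


def redirect_location(https_url, dst_port):
    """Steps 302-305: Location value of the 302 sent back to the client."""
    parts = urlsplit(https_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an absolute https URL")
    # The port appears in Location only when it is not the designated one.
    host = _hostport(parts.hostname, dst_port, DESIGNATED_PORT)
    query = f"?{parts.query}" if parts.query else ""
    return f"http://{host}{parts.path or '/'}{query}"


def forward_headers(client_headers, dst_port):
    """Step 307: headers the proxy module passes on to the cache module.

    Copies of the two marker headers that arrived from the client are
    discarded first, so the cache module only ever sees the values the
    proxy module set (a choice made in this sketch).
    """
    markers = {FIRST_HEADER.lower(), SECOND_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in markers}
    out[FIRST_HEADER] = "1"               # constructed value; presence is what counts
    out[SECOND_HEADER] = str(dst_port)
    return out


def origin_url(headers, host, target):
    """Step 311: URL the cache module uses when returning to the source station."""
    lower = {k.lower(): v for k, v in headers.items()}
    was_https = FIRST_HEADER.lower() in lower
    scheme, default_port = ("https", 443) if was_https else ("http", 80)
    raw = lower.get(SECOND_HEADER.lower())
    if raw is None:
        port = default_port               # assumption: fall back to the scheme default
    else:
        if not (raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 65535):
            raise ValueError(f"invalid destination port header: {raw!r}")
        port = int(raw)
    return f"{scheme}://{_hostport(host, port, default_port)}{target}"


if __name__ == "__main__":
    # Constructed walk-through: the first HTTPS request went to port 8443.
    print(redirect_location("https://www.abc.com/a?b=1", 8443))
    fwd = forward_headers({"Host": "www.abc.com:8443"}, 8443)
    print(fwd)
    print(origin_url(fwd, "www.abc.com", "/a?b=1"))
```
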
It should be noted that, the proxy module and the cache module in the web cache proxy system provided by the embodiment of the application may be deployed on different service devices, or may be deployed on the same service device, further, the client proxy sub-module and the cache proxy sub-module in the proxy module may be deployed on different service devices, or may be deployed on the same service device, and the specific deployment mode may be set according to the actual application scenario.
In one example, the server with the client agent sub-module deployed may be referred to as a transport layer proxy server, the server with the cache agent sub-module deployed may be referred to as an application layer proxy server, and the server with the cache module deployed may be referred to as a cache server. Two layers of proxy services are arranged between the client and the cache server, and the client is in communication connection with the cache server through the transmission layer proxy server and the application layer proxy server in sequence. The transport layer proxy server mainly realizes transport layer transparent proxy service, intelligent route selection and data traffic guidance. The application layer proxy server is mainly connected with the client side through SSL, and the redirection and page modification tasks are completed at the application layer. In short, the transport layer proxy server distributes the transport layer data, and the application layer proxy server performs the application layer service. In this example, the interaction diagram among the client, the transport layer proxy server, the application layer proxy server, the cache server and the source station server is shown in fig. 4, and the method for accessing the resource by cooperation of the transport layer proxy server, the application layer proxy server and the cache server includes the following steps.
Step 401: the client and the transport layer proxy server perform a three-way handshake to establish a TCP connection.
Specifically, the transport layer proxy server intercepts the TCP connection request sent by the client to the source station server and, masquerading as the source station server, establishes a TCP connection with the client. A TCP connection is also established between the transport layer proxy server and the application layer proxy server.
Step 402: the client sends an SSL connection request and establishes an SSL connection with the application layer proxy server based on the pseudo certificate fed back by the application layer proxy server.
Specifically, the transport layer proxy server forwards the SSL connection request sent by the client to the application layer proxy server over the TCP connection. The application layer proxy server constructs a pseudo certificate and, masquerading as the source station server, responds to the SSL connection request of the client. If the user chooses, through the client, to trust the pseudo certificate, the client can establish an SSL connection with the application layer proxy server based on the pseudo certificate.
Step 403: the client initiates an HTTPS request to the transport layer proxy server.
Specifically, once the SSL connection is established, the client may send an HTTPS request to the source station server over that connection, for example a Hypertext Markup Language (HTML) page request for the home page of a website.
Step 404: the transport layer proxy server forwards the HTTPS request to the application layer proxy server.
Step 405: the application layer proxy server parses the HTTPS request to obtain the requested resource information and replies to the client with a 302 response. The 302 response instructs the client browser to initiate an HTTP request for the requested resource information.
Step 406: the client receives the 302 response and initiates an HTTP request.
Step 407: the transport layer proxy server forwards the HTTP request to the application layer proxy server.
Step 408: the application layer proxy server adds an X-CDN-SSL header to the HTTP request, and distributes the HTTP request added with the X-CDN-SSL header to a cache server at the back end. The X-CDN-SSL header indicates that the client was originally an HTTPS request.
Step 409: the cache server receives the HTTP request sent by the application layer proxy server. Because the HTTP request contains an X-CDN-SSL header, which indicates that the request was originally an HTTPS request, the cache server converts the HTTP request into an HTTPS request and sends it to the source station server.
Step 410: the source station server returns the resource requested to be accessed by the HTTPS request to the cache server.
Step 411: the cache server returns the source station server response resource to the application layer proxy server and caches the source station server response resource.
Step 412: after the application layer proxy server receives the content returned by the source station server, it modifies the HTTPS links in that content into HTTP links, so that the protocol of the subsequent sub-requests is HTTP, and returns the modified content to the transport layer proxy server.
For example, after the https://www.baidu.com/ page content is obtained, the HTML page tags contain a large number of HTTPS links. One such HTML page tag is as follows:
<img src='https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/baiduyun@2x-e0be79e69e.png'/>
At this point the src link in the img tag is modified to downgrade the HTTPS link to an HTTP link. The modified src link is as follows:
'http://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/baiduyun@2x-e0be79e69e.png'
The modified link is the downgraded HTTP link.
Step 413: the transport layer proxy server forwards the modified content to the client.
As described above, with the resource access method of this embodiment, the client can successfully obtain the resource originally requested by the HTTPS request, and the web cache proxy is realized.
Step 414: the client sends a sub-request for a resource, downgraded to HTTP, to the transport layer proxy server.
The HTTP sub-request is a further access request that the client sends for a link in the response content it received.
Step 415: the transport layer proxy server forwards the HTTP sub-request to the application layer proxy server.
Step 416: the application layer proxy server analyzes the HTTP sub-request, adds an X-CDN-SSL header to the HTTP sub-request, and sends the HTTP sub-request added with the X-CDN-SSL header to the cache server.
Step 417: the cache server identifies the HTTP sub-request, converts the HTTP sub-request into an HTTPS sub-request, and sends the HTTPS sub-request to the source station server.
Step 418: the source station server returns the resource requested to be accessed by the HTTPS sub-request.
Step 419: the cache server returns the content returned by the source station server to the application layer proxy server and caches that content.
Step 420: after the application layer proxy server receives the content returned by the source station server, it modifies the HTTPS links in that content into HTTP links, so that the protocol of the subsequent sub-requests is HTTP, and returns the modified content to the transport layer proxy server.
Step 421: the transport layer proxy server forwards the modified content to the client.
As can be seen from the above, with the resource access method of this embodiment, the client can successfully obtain the resource originally requested by the HTTPS request. The HTTPS requests for the home page and for the sub-links are downgraded to HTTP through the 302 redirection response and page rewriting, so that the cache server can parse the plaintext HTTP requests and answer them from the cache. In the case of a cache miss, the cache server may convert the HTTP request into the corresponding HTTPS request, fetch the resource from the source station, return it to the client, and cache it.
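The header and URL handling of steps 405, 408, 409 and 412 can be sketched as follows. This is an added example, not code from the patent; the helper names, the header value "1", the was_https parameter and the removal of a client-supplied X-CDN-SSL header are assumptions.

```python
"""Added illustration of steps 405, 408, 409 and 412. Helper names are constructed."""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

SSL_MARKER = "X-CDN-SSL"  # header name from the page
MARKER_VALUE = "1"        # assumption: the page gives no value, only presence matters


def redirect_for(https_url: str) -> tuple[int, dict]:
    """Step 405: answer an HTTPS request with a 302 to the same resource over HTTP."""
    parts = urlsplit(https_url)
    if parts.scheme != "https":
        raise ValueError("only HTTPS requests are redirected")
    location = urlunsplit(("http", parts.netloc, parts.path or "/", parts.query, ""))
    return 302, {"Location": location}


def tag_for_cache(client_headers: dict, was_https: bool) -> dict:
    """Step 408: headers forwarded to the cache server.

    A marker that arrived from the client is dropped before the proxy sets its
    own, so only the proxy decides how the cache server reaches the origin
    (a hardening assumption, not stated on the page).
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != SSL_MARKER.lower()}
    if was_https:
        forwarded[SSL_MARKER] = MARKER_VALUE
    return forwarded


def origin_url(headers: dict, path: str) -> str:
    """Step 409, on a cache miss: HTTPS to the origin only if the marker is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme = "https" if SSL_MARKER.lower() in lowered else "http"
    return f"{scheme}://{lowered['host']}{path}"


# Only URL-bearing attributes are rewritten; "https://" in visible text is left alone.
_LINK_ATTR = re.compile(r"""(\b(?:src|href)\s*=\s*["'])https://""", re.IGNORECASE)


def downgrade_links(html: str) -> tuple[str, int]:
    """Step 412: rewrite HTTPS links in src/href attributes to HTTP; returns (html, count)."""
    return _LINK_ATTR.subn(r"\g<1>http://", html)


# Constructed sample page; the img URL is the one quoted in the description.
SAMPLE_PAGE = (
    "<p>Served from https://www.example.com/</p>"
    "<img src='https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/"
    "topnav/baiduyun@2x-e0be79e69e.png'/>"
    '<a href="https://www.example.com/next">next</a>'
)

if __name__ == "__main__":
    status, headers = redirect_for("https://www.example.com/index.html?lang=en")
    print(status, headers["Location"])
    to_cache = tag_for_cache({"Host": "www.example.com", "x-cdn-ssl": "spoofed"}, True)
    print(to_cache, origin_url(to_cache, "/index.html"))
    print(downgrade_links(SAMPLE_PAGE))
```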
In one example, if the destination port of the HTTPS request initiated by the client is not the designated port (port 443), the process of passing the destination port through the proxy protocol among the client, the transport layer proxy server, the application layer proxy server, the cache server and the source station server is illustrated in fig. 5. Taking a second header named WS-Port as an example, the process includes the following sub-steps.
Step 501: the client sends an HTTPS request to the transport layer proxy server. The destination port of the HTTPS request is not the designated port 443; it is, for example, port 8888.
Step 502: the transport layer proxy server redirects the HTTPS request to a local port (e.g., port 2020) through a filtering system (e.g., iptables). At this point, the original destination port information of the HTTPS request can be obtained through the socket application programming interface (socket API).
Step 503: the transport layer proxy server passes on the destination port information via the PROXY protocol. The PROXY protocol header format is { PROXY protocol stack source IP destination IP source port destination port }. The destination port information may be stored in the destination port field of the PROXY protocol header and transmitted to the next-hop proxy server when the HTTPS request is forwarded to the application layer proxy server.
Step 504: the application layer proxy server obtains the original destination port information of the HTTPS request, finds that the destination port is not the designated port (port 443), adds the original destination port to the URL in the Location header of the 302 redirection response, and sends the redirection response to the client.
Step 505: the client receives the 302 response and sends an HTTP request to the original destination port.
Step 506: the transport layer proxy server adds a WS-Port header to the HTTP request and adds destination Port 8888 to the WS-Port header, forwarding the HTTP request with the WS-Port header added to the application layer proxy server.
Step 507: the application layer proxy server adds the X-CDN-SSL header for the HTTP request added with the WS-Port header, and sends the HTTP request added with the X-CDN-SSL header to the cache server.
Step 508: the cache server restores the request to an HTTPS request according to the X-CDN-SSL header, and initiates a source return request to the destination Port of the correct source server according to the destination Port carried by the WS-Port header.
Step 509: the source station server feeds the resource requested by the HTTPS request back to the client. For the specific procedure, refer to the relevant contents of steps 410 to 413.
As can be seen from the above, the resource access method of this embodiment addresses the loss of the destination port when HTTPS traffic is forwarded: the PROXY protocol is used to pass the destination port of the HTTPS request to the next-hop proxy server, so that the subsequent proxy server can establish a connection to the correct port of the source station server.
The steps of the above methods are divided only for clarity of description. When implemented, they may be combined into one step, or a step may be split into multiple steps; as long as the same logical relationship is included, they all fall within the protection scope of this patent. Adding insignificant modifications to the algorithm or flow, or introducing insignificant designs, without altering the core design of the algorithm and flow also falls within the protection scope of this patent.
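The port hand-off of steps 503 to 508 can be sketched as follows, reading the header format above as a PROXY protocol version 1 text line. This is an added example, not code from the patent; the addresses, helper names and the removal of a client-supplied WS-Port header are assumptions.

```python
"""Added illustration of steps 503-508. Addresses, ports and helper names are constructed."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

DESIGNATED_PORT = 443
PORT_HEADER = "WS-Port"    # second header, named as in the page's example
SSL_MARKER = "X-CDN-SSL"   # first header, named as on the page
MAX_V1_LINE = 107          # PROXY protocol v1 line limit, CRLF included


def _check_port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError(f"bad port: {text!r}")
    return int(text)


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Step 503: PROXY v1 line whose last field is the original destination port."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    ports = (_check_port(str(src_port)), _check_port(str(dst_port)))
    return f"PROXY {family} {src} {dst} {ports[0]} {ports[1]}\r\n".encode("ascii")


def parse_proxy_v1(data: bytes) -> tuple[dict, bytes]:
    """Next hop: split the PROXY line from the payload that follows it."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no complete PROXY v1 line at the start of the stream")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    info = {
        "src_ip": str(ipaddress.ip_address(fields[2])),
        "dst_ip": str(ipaddress.ip_address(fields[3])),
        "src_port": _check_port(fields[4]),
        "dst_port": _check_port(fields[5]),
    }
    return info, data[end + 2:]


def redirect_location(host: str, path: str, original_dst_port: int) -> str:
    """Step 504: name the port in the 302 Location only when it is not 443."""
    if original_dst_port == DESIGNATED_PORT:
        return f"http://{host}{path}"
    return f"http://{host}:{original_dst_port}{path}"


def add_port_header(client_headers: dict, dst_port: int) -> dict:
    """Step 506: record the destination port in WS-Port. A copy sent by the client
    is dropped first (a hardening assumption, not stated on the page)."""
    kept = {k: v for k, v in client_headers.items() if k.lower() != PORT_HEADER.lower()}
    kept[PORT_HEADER] = str(_check_port(str(dst_port)))
    return kept


def origin_target(headers: dict) -> tuple[str, str, int]:
    """Step 508: scheme from X-CDN-SSL, port from WS-Port, host from Host."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme = "https" if SSL_MARKER.lower() in lowered else "http"
    host = urlsplit("//" + lowered["host"]).hostname
    if PORT_HEADER.lower() in lowered:
        port = _check_port(lowered[PORT_HEADER.lower()])
    else:
        port = DESIGNATED_PORT if scheme == "https" else 80
    return scheme, host, port


if __name__ == "__main__":
    line = build_proxy_v1("192.0.2.10", "198.51.100.5", 51234, 8888)
    info, payload = parse_proxy_v1(line + b"\x16\x03\x01")  # constructed TLS bytes
    print(line, info, payload)
    print(redirect_location("www.example.com", "/index.html", info["dst_port"]))
    request = add_port_header({"Host": "www.example.com:8888"}, info["dst_port"])
    request[SSL_MARKER] = "1"  # set by the application layer proxy in step 507
    print(origin_target(request))
```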
The embodiment of the application also provides a web cache proxy system which, as shown in fig. 6, comprises a proxy module 601 and a cache module 602. The proxy module 601 is configured to: establish a Secure Sockets Layer (SSL) connection with a client, receive a first HTTPS request initiated by the client based on the SSL connection, and parse the first HTTPS request to obtain request resource information; generate a redirection response based on the request resource information and feed the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; and forward the HTTP request to the cache module 602. The cache module 602 is configured to feed back the resource based on the HTTP request.
In one example, the caching module 602 is specifically configured to: if the resources corresponding to the HTTP request exist in the cache, feeding back the resources to the client through the proxy module; if it is determined that the resource corresponding to the HTTP request does not exist in the cache, requesting the resource from the source station server, feeding back the resource to the client through the proxy module, and caching the resource.
In one example, the proxy module includes a client proxy sub-module and a cache proxy sub-module. The client proxy sub-module establishes TCP connections with the client and the cache proxy sub-module respectively, and forwards the SSL connection request sent by the client to the cache proxy sub-module over the TCP connection, so that the cache proxy sub-module establishes an SSL connection with the client based on the SSL connection request.
It is to be noted that this embodiment is an embodiment of the apparatus corresponding to the above-described method embodiment, and this embodiment may be implemented in cooperation with the above-described method embodiment. The related technical details mentioned in the above method embodiments are still valid in this embodiment, and in order to reduce repetition, they are not repeated here. Accordingly, the related technical details mentioned in the present embodiment can also be applied in the above-described method embodiments.
It should be noted that, each module involved in this embodiment is a logic module, and in practical application, one logic unit may be one physical unit, or may be a part of one physical unit, or may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, units less closely related to solving the technical problem presented by the present invention are not introduced in the present embodiment, but it does not indicate that other units are not present in the present embodiment.
The embodiment of the application also provides an electronic device, as shown in fig. 7, including: at least one processor 701; and a memory 702 communicatively coupled to the at least one processor 701; wherein the memory stores instructions executable by the at least one processor 701, the instructions being executable by the at least one processor 701 to enable the at least one processor 701 to perform the above-described method embodiments.
Where memory 702 and processor 701 are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting the various circuits of the one or more processors 701 and memory 702 together. The bus may also connect various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or may be a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 701 is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor 701.
The processor 701 is responsible for managing the bus and general processing and may provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory 702 may be used to store data used by processor 701 in performing operations.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples of carrying out the invention and that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (11)

1. An access method, applied to a web cache proxy system comprising a proxy module and a cache module, comprising:
the proxy module establishes a Secure Sockets Layer (SSL) connection with a client, receives a first HTTPS request initiated by the client based on the SSL connection, and parses the first HTTPS request to obtain request resource information; generates a redirection response based on the request resource information, and feeds the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; the request resource information is a uniform resource locator;
the proxy module forwards the HTTP request to the cache module, so that the cache module feeds back resources based on the HTTP request;
the proxy module modifies the HTTPS link in the resource returned by the cache module into an HTTP link, and feeds the modified resource back to the client.
2. The access method according to claim 1, further comprising, after the proxy module forwards the HTTP request to the cache module:
if the cache module determines that the resource corresponding to the HTTP request exists in the cache, the resource is fed back to the client through the proxy module; and if it is determined that the resource corresponding to the HTTP request does not exist in the cache, the cache module requests the resource from a source station server, feeds the resource back to the client through the proxy module, and caches the resource.
3. The access method according to claim 2, wherein the proxy module forwarding the HTTP request to the cache module comprises:
adding a first header to the HTTP request, wherein the first header indicates that the original protocol type of the HTTP request is HTTPS;
sending the HTTP request added with the first header to the cache module;
the cache module requesting the resource from a source station server comprises:
if the first header exists in the HTTP request, converting the HTTP request into a second HTTPS request, and sending the second HTTPS request to the source station server;
and if it is determined that the first header does not exist in the HTTP request, sending the HTTP request to the source station server.
4. The access method of claim 2, further comprising, prior to the proxy module feeding back the redirect response to the client:
the proxy module obtains the destination port information of the first HTTPS request; and if the destination port information of the first HTTPS request indicates that the destination port of the first HTTPS request is not a designated port, adds the destination port information to the header of the redirection response, so that the client initiates the HTTP request based on the destination port information.
5. The access method according to claim 4, wherein the proxy module forwarding the HTTP request to the cache module comprises:
the proxy module receives the HTTP request and adds a second header to the HTTP request, wherein the second header comprises the destination port information;
the cache module requesting the resource from a source station server comprises:
the cache module identifies the destination port information carried in the second header of the HTTP request, and requests the resource from the source station server through the port of the source station server corresponding to the destination port information.
6. The access method according to claim 1, wherein the proxy module comprises a client proxy sub-module and a cache proxy sub-module, the client proxy sub-module establishes TCP connections with the client and the cache proxy sub-module, respectively, and forwards SSL connection requests sent by the client to the cache proxy sub-module based on the TCP connections, so that the cache proxy sub-module establishes SSL connections with the client based on the SSL connection requests.
7. The access method of claim 6, wherein the process of the client proxy sub-module establishing the TCP connection with the client comprises:
the client proxy sub-module intercepts a TCP connection request sent by the client to a source station server and, masquerading as the source station server, establishes a TCP connection with the client.
8. A web cache proxy system, comprising: a proxy module and a cache module;
the proxy module is configured to: establish a Secure Sockets Layer (SSL) connection with a client, receive a first HTTPS request initiated by the client based on the SSL connection, and parse the first HTTPS request to obtain request resource information; generate a redirection response based on the request resource information, and feed the redirection response back to the client, wherein the redirection response instructs the client to initiate an HTTP request based on the request resource information; forward the HTTP request to the cache module; modify the HTTPS link in the resource returned by the cache module into an HTTP link; and feed the modified resource back to the client; the request resource information is a uniform resource locator;
the cache module is configured to: feed back resources based on the HTTP request.
9. The web cache proxy system of claim 8, wherein the cache module is specifically configured to:
if the resource corresponding to the HTTP request exists in the cache, feed the resource back to the client through the proxy module;
and if it is determined that the resource corresponding to the HTTP request does not exist in the cache, request the resource from the source station server, feed the resource back to the client through the proxy module, and cache the resource.
10. The web caching proxy system of claim 8, wherein the proxy module comprises a client proxy sub-module and a caching proxy sub-module, the client proxy sub-module establishes TCP connections with the client and the caching proxy sub-module, respectively, and forwards SSL connection requests sent by the client to the caching proxy sub-module based on the TCP connections, such that the caching proxy sub-module establishes SSL connections with the client based on the SSL connection requests.
11. An electronic device, comprising: at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the access method of any one of claims 1 to 7.
CN202110924514.6A 2021-08-12 2021-08-12 Access method, web cache proxy system and electronic equipment Active CN113810464B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110924514.6A CN113810464B (en) 2021-08-12 2021-08-12 Access method, web cache proxy system and electronic equipment


Publications (2)

Publication Number Publication Date
CN113810464A (en) 2021-12-17
CN113810464B (en) 2024-05-14

Family

ID=78942778




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant