CN113905013A - Method for realizing IP address transparent transmission facing cluster network - Google Patents


Info

Publication number
CN113905013A
Authority
CN
China
Prior art keywords
address
ssl
load balancing
balancing module
proxy server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111270772.3A
Other languages
Chinese (zh)
Inventor
朱振中
陈威
马玉喜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koal Software Co ltd
Original Assignee
Koal Software Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-10-29
Filing date
2021-10-29
Publication date
2022-01-07

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2521 Translation architectures other than single NAT servers
    • H04L 61/2528 Translation at a proxy

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L 69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Abstract

The invention discloses a method for realizing IP address transparent transmission (source IP pass-through) for a cluster network. The SSL hardware proxy server offloads SSL and then re-originates the back-end connection using the IP address and port of the terminal device as its source, so that the source IP address is passed through unchanged; the load balancing module provides load distribution for the application servers, IP address transparent transmission, and return routing of reply packets according to the recorded source MAC address. With SSL offload and IP address transparent transmission across the cluster network, the application server obtains the terminal device's IP address and port information merely by pointing its default route at the load balancer, without any other modification. Throughout the packet flow of a real user access, the source IP of the user terminal remains unchanged, while only the destination IP address is translated as the packets pass through the SSL gateway and the load balancer. This meets the requirements of high concurrency and high stability in industries such as finance, securities and futures while also satisfying regulatory requirements.

Description

Method for realizing IP address transparent transmission facing cluster network
Technical Field
The invention relates to the technical field of computer network communication, and in particular to a method for realizing IP address transparent transmission for a cluster network.
Background
In key industries such as finance and securities that bear on the national economy and people's livelihood, SSL encryption is generally adopted to protect sensitive data in transit. At the same time, informatization exposes financial institutions to a steady stream of attacks, so financial regulators require that every application server be able to supervise and audit the identity of the accessing user and the terminal IP address, port and related information.
Usually SSL is deployed directly on the application server that provides the external service, and the application server can then directly obtain the user identity, terminal IP and port of each access. However, this exposes the core service directly to the Internet, where it is highly vulnerable to network attacks, and SSL encryption and decryption consume a large share of the application server's computing resources, making the application sluggish. The common remedy is to perform SSL offload on dedicated gateway hardware and forward the decrypted traffic to the application server, decoupling SSL offload from the application server's processing logic.
After the dedicated SSL hardware offloads a packet, it performs both SNAT and DNAT, i.e. it rewrites both the source and the destination address of the packet. The source address seen by the application server is therefore that of the SSL hardware rather than the real IP address of the client, and the application server cannot directly obtain the terminal IP and port information.
If the application server is to obtain the terminal's IP information, the following methods are usually available:
1. For applications built on a B/S (browser/server) architecture, after SSL offload the terminal information is passed to the application server by cookie injection, the X-Forwarded-For header or similar means, and the application server reads the terminal address and port from the cookie or header of the HTTP request. This method is of no use for C/S (client/server) applications.
2. For C/S applications, after SSL offload the terminal information is passed to the application server using the Proxy Protocol (RFC 6967). The Proxy Protocol adds a header to the TCP stream so that the client information can be conveyed conveniently: once the three-way handshake to the back end completes, the proxy service on the SSL hardware inserts, at the start of the back-end connection, a record carrying the original connection's four-tuple. This method requires modifying the application server and is inconvenient to roll out widely.
3. Obtaining the real client IP address through TOA (TCP Option Address). To pass the client IP address to the server, the client IP address and port are placed in a custom TCP option field when the traffic is forwarded after SSL offload. This method requires the application server to modify its kernel in order to read the terminal IP address and port, so it places high demands on the application environment and on developers, and is inconvenient to roll out widely.
4. The client learns its own IP address and port during the SSL handshake (commonly used by intranet terminals to learn the public source IP and port of their Internet egress) and sends them to the server over a private protocol. This method requires changes to the application protocol and is inconvenient to roll out widely.
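Method 2 above relies on the PROXY protocol header. As an added illustration that is not part of the patent, the following Python builds the version 1 header an offloading proxy sends first on its back-end connection and parses it on the server side, accepting it only from a configured set of proxy networks, since a server that honours the header from any peer lets that peer assert an arbitrary original source address. All addresses are constructed samples.

```python
import ipaddress

# Longest legal v1 line including CRLF ("PROXY TCP6" with two full IPv6 addresses and ports).
MAX_V1_LINE = 107


def build_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Header the offloading proxy sends first on the back-end connection."""
    family = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1(data: bytes, peer_ip: str, trusted_proxies):
    """Server side: return ((src_ip, src_port), (dst_ip, dst_port), remaining_bytes).

    Raises ValueError on a malformed line or when the connection does not come from a
    configured proxy network. The trust check comes first: without it any peer could
    prepend this line and be logged under a source address of its choosing.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ValueError("missing CRLF or line too long")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line")  # the "PROXY UNKNOWN" form is rejected too
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the protocol field")
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ValueError("ports must be decimal")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    # Everything after the CRLF is the application's own first bytes.
    return (str(src), sport), (str(dst), dport), data[end + 2:]
```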
To this end, the applicant has, through research, sought a solution to the above problems, in the course of which the technical solution described below was devised.
Disclosure of Invention
Aiming at the defects and shortcomings of the background art, the invention provides a method for realizing IP address transparent transmission for a cluster network under high network concurrency: after SSL offload, the connection to the back-end application server is made to appear as if it came from the user's own IP address and port, so that the application server obtains the terminal's access information without any change.
SSL offload is a typical CPU-intensive task. Performing it on a dedicated hardware device allows all network data to be analysed, providing complete threat protection, resisting network attacks and improving application performance. SSL hardware devices are typically deployed as a cluster for the high concurrency and high availability of the overall solution, which improves overall SSL offload performance and the stability of the services the application servers provide externally. Load balancing is generally used only for traffic distribution, consumes few computing resources, and can therefore be deployed on a single device.
The technical problem the invention aims to solve is to let the application service obtain the terminal IP and port merely by pointing its default route at the load balancer, without any other customized modification.
The technical problem to be solved by the invention can be solved by the following technical scheme:
A method for realizing IP address transparent transmission for a cluster network comprises the following steps:
the terminal device sends a connection request to the SSL hardware proxy server;
the SSL hardware proxy server obtains the IP address and port information of the terminal device from the connection request sent by the terminal device;
the SSL hardware proxy server performs SSL offload, masquerades as the IP address and port of the terminal device, and sends a connection request to the load balancing module;
after receiving the connection request sent by the SSL hardware proxy server, the load balancing module forwards it to an application server;
the application server obtains the IP address, port information and user identity information from the connection request forwarded by the load balancing module, performs the related operations to generate a data packet, and then sends the generated data packet back to the load balancing module according to its default route;
the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, the source IP address and the MAC address; and
the originating SSL hardware proxy server receives the data packet returned by the load balancing module, looks up the corresponding SOCKET connection according to the policy route, SSL-encrypts the data packet, and returns the encrypted data packet to the terminal device that initiated the connection over the SOCKET connection found.
In a preferred embodiment of the invention, the step in which the load balancing module, after receiving the connection request sent by the SSL hardware proxy server, forwards it to the application server comprises the following steps:
the load balancing module receives the connection request that the SSL hardware proxy server initiated while masquerading as the terminal device, and records its MAC address, source IP and port; and
the load balancing module, masquerading as the IP address and port of the terminal device, sends to the application server the connection request that the SSL hardware proxy server initiated while masquerading as the terminal device.
In a preferred embodiment of the invention, the step in which the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, source IP address and MAC address comprises the following steps:
the load balancing module routes the received data packet to the lo (loopback) interface according to the policy route;
the load balancing module looks up the corresponding SOCKET connection in the corresponding connection queue according to the policy route; and
the load balancing module looks up the MAC address of the corresponding front-end connection according to the policy-routed connection, and returns the data packet to the originating SSL hardware proxy server according to that MAC address.
Thanks to the above technical scheme, the invention has the following beneficial effects: on the SSL hardware proxy server, SSL is offloaded and the connection is re-originated with the IP address and port of the terminal device, realizing source IP address transparent transmission; on the load balancing module, application server load distribution, IP address transparent transmission and return routing of packets according to the source MAC address are realized. With SSL offload and IP address transparent transmission across the cluster network, the application server obtains the terminal device's IP address and port information merely by pointing its default route at the load balancer, without any other modification. Throughout the packet flow of a real user access, the source IP initiated by the user terminal remains unchanged, and only the destination IP address is translated as the packets pass through the SSL gateway and the load balancer. This meets the requirements of high concurrency and high stability in industries such as finance, securities and futures while also satisfying regulatory requirements.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. It is obvious that the drawings described here show only some embodiments of the invention, and that those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the network topology of the invention.
Fig. 2 is a schematic flow diagram of the invention.
Fig. 3 shows how the IP address and port information change as a packet passes through the SSL hardware proxy and the load balancing module.
Detailed Description
In order to make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the drawings.
Referring to Fig. 1, the SSL hardware proxy 200 provides external service as a cluster, either load-sharing on its own or in OSPF mode. After SSL offload, it initiates the connection to the back-end load balancing module 300 using the IP address and port of the terminal device 100. The load balancing module 300 distributes load across the application servers and returns reply packets to the originating proxy according to the source IP address, port information and MAC address. The application server only needs to point its default route at the load balancing module to obtain the terminal device's IP address and port information, without any other customized modification. Load balancing here serves primarily for traffic distribution and return-to-origin.
Referring to Fig. 2 in conjunction with Fig. 3, the method for realizing IP address transparent transmission for a cluster network comprises the following steps:
Step S10: the terminal device sends a connection request to the SSL hardware proxy server.
Step S20: the SSL hardware proxy server obtains the IP address and port information of the terminal device from the connection request sent by the terminal device.
Step S30: the SSL hardware proxy server performs SSL offload and, masquerading as the IP address and port of the terminal device, sends a connection request to the load balancing module.
Step S40: after receiving the connection request sent by the SSL hardware proxy server, the load balancing module forwards it to the application server.
Step S50: the application server obtains the IP address, port information and user identity information from the connection request forwarded by the load balancing module, performs the related operations to generate a data packet, and sends the generated data packet back to the load balancing module according to its default route.
Step S60: the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, the source IP address and the MAC address.
Step S70: the originating SSL hardware proxy server receives the data packet returned by the load balancing module, looks up the corresponding SOCKET connection according to the policy route, SSL-encrypts the data packet, and returns the encrypted packet to the terminal device that initiated the connection over the SOCKET connection found.
Step S40, in which the load balancing module forwards the connection request to the application server after receiving it from the SSL hardware proxy server, comprises the following steps:
Step S41: the load balancing module receives the connection request initiated by the SSL hardware proxy server masquerading as the terminal device, and records the MAC address, source IP and port;
Step S42: the load balancing module, masquerading as the IP address and port of the terminal device, sends the connection request initiated by the SSL hardware proxy server (masquerading as the terminal device) to the application server.
Step S60, in which the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, source IP address and MAC address, comprises the following steps:
Step S61: the load balancing module routes the received data packet to the lo (loopback) interface according to the policy route;
Step S62: the load balancing module looks up the corresponding SOCKET connection in the corresponding connection queue according to the policy route;
Step S63: the load balancing module looks up the MAC address of the corresponding front-end connection according to the policy-routed connection, and returns the packet to the originating SSL hardware proxy server according to that MAC address.
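As an added illustration, not code from the patent or from Koal Software, the following Python models steps S10 to S70 as three hops and records which header fields change at each one: the client's source IP:port survives all the way to the application server, only the destination address is translated, and the load balancer finds the originating proxy node by the MAC it recorded in step S41 rather than by destination IP, dropping any reply it cannot match to a front-end connection. All addresses and MACs are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    encrypted: bool      # True while the payload is still TLS-protected
    payload: bytes


class SslProxy:
    """One node of the SSL hardware proxy cluster (steps S20, S30 and S70)."""
    def __init__(self, mac, public_ip, lb_ip, lb_mac):
        self.mac, self.public_ip, self.lb_ip, self.lb_mac = mac, public_ip, lb_ip, lb_mac
        self.sessions = {}   # (client ip, client port) -> client MAC, i.e. the TLS socket

    def to_backend(self, pkt: Packet) -> Packet:
        # S20/S30: learn the terminal's address, offload TLS and re-originate the
        # connection with the client's own IP:port as source; only the destination changes.
        self.sessions[(pkt.src_ip, pkt.src_port)] = pkt.src_mac
        return replace(pkt, src_mac=self.mac, dst_mac=self.lb_mac, dst_ip=self.lb_ip, encrypted=False)

    def to_client(self, pkt: Packet) -> Optional[Packet]:
        # S70: the reply's destination is the client IP:port, which keys the TLS session.
        client_mac = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if client_mac is None:
            return None      # reply for a session this node never opened: drop
        return replace(pkt, src_mac=self.mac, dst_mac=client_mac, src_ip=self.public_ip, encrypted=True)


class LoadBalancer:
    """Load balancing module (steps S41, S42 and S61-S63)."""
    def __init__(self, mac, ip, backends):
        self.mac, self.ip, self.backends, self.rr = mac, ip, backends, 0
        self.conntrack = {}  # S41: (client ip, client port) -> (proxy MAC, backend ip)

    def to_backend(self, pkt: Packet) -> Packet:
        backend_ip, backend_mac = self.backends[self.rr % len(self.backends)]
        self.rr += 1
        self.conntrack[(pkt.src_ip, pkt.src_port)] = (pkt.src_mac, backend_ip)
        # S42: destination NAT only; the client's source IP:port is left untouched.
        return replace(pkt, src_mac=self.mac, dst_mac=backend_mac, dst_ip=backend_ip)

    def to_proxy(self, pkt: Packet) -> Optional[Packet]:
        # S61/S62: the reply is addressed to the client, so the ordinary routing table
        # would send it toward the Internet; the policy route delivers it to lo and the
        # connection table, not the destination IP, decides where it goes.
        entry = self.conntrack.get((pkt.dst_ip, pkt.dst_port))
        if entry is None or entry[1] != pkt.src_ip:
            return None      # no matching front-end connection: drop, never route by IP
        # S63: undo the DNAT and address the frame by MAC to the proxy node that
        # originated it, since every node in the cluster uses the same client sources.
        return replace(pkt, src_mac=self.mac, dst_mac=entry[0], src_ip=self.ip)


class AppServer:
    """Back-end server whose only network configuration is a default route (S50)."""
    def __init__(self, mac, ip, gateway_mac):
        self.mac, self.ip, self.gateway_mac = mac, ip, gateway_mac

    def reply(self, pkt: Packet) -> Packet:
        # The source seen here is the terminal's real IP:port, with no change to the server.
        return Packet(self.mac, self.gateway_mac, self.ip, pkt.dst_port,
                      pkt.src_ip, pkt.src_port, False, b"OK " + pkt.payload)


def run_demo():
    # Two terminals enter through two different proxy nodes; report what each hop saw.
    lb = LoadBalancer("02:00:00:00:00:10", "10.0.0.10",
                      [("10.0.1.11", "02:00:00:00:00:11"), ("10.0.1.12", "02:00:00:00:00:12")])
    proxies = [SslProxy("02:00:00:00:00:a1", "203.0.113.1", lb.ip, lb.mac),
               SslProxy("02:00:00:00:00:a2", "203.0.113.2", lb.ip, lb.mac)]
    servers = {ip: AppServer(mac, ip, lb.mac) for ip, mac in lb.backends}
    clients = [("198.51.100.7", 51000, "02:00:00:00:00:c7", proxies[0]),
               ("198.51.100.8", 51000, "02:00:00:00:00:c8", proxies[1])]
    results = []
    for ip, port, mac, proxy in clients:
        req = Packet(mac, proxy.mac, ip, port, proxy.public_ip, 443, True, b"GET /balance")
        at_app = lb.to_backend(proxy.to_backend(req))
        at_proxy = lb.to_proxy(servers[at_app.dst_ip].reply(at_app))
        to_client = proxy.to_client(at_proxy)
        results.append({"app_saw": (at_app.src_ip, at_app.src_port),
                        "returned_via": at_proxy.dst_mac,
                        "client_got": (to_client.dst_ip, to_client.encrypted)})
    # A reply for a connection the balancer never recorded must not be forwarded.
    stray = Packet("02:00:00:00:00:11", lb.mac, "10.0.1.11", 443, "198.51.100.9", 40000, False, b"?")
    return results, lb.to_proxy(stray)
```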
The foregoing shows and describes the basic principles, main features and advantages of the present invention. It will be understood by those skilled in the art that the invention is not limited to the embodiments described above, which, together with the description, merely illustrate the principle of the invention; various changes and modifications may be made without departing from the spirit and scope of the invention, and these fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.

Claims (3)

1. A method for realizing IP address transparent transmission for a cluster network, characterized by comprising the following steps:
the terminal device sends a connection request to the SSL hardware proxy server;
the SSL hardware proxy server obtains the IP address and port information of the terminal device from the connection request sent by the terminal device;
the SSL hardware proxy server performs SSL offload, masquerades as the IP address and port of the terminal device, and sends a connection request to the load balancing module;
after receiving the connection request sent by the SSL hardware proxy server, the load balancing module forwards it to an application server;
the application server obtains the IP address, port information and user identity information from the connection request forwarded by the load balancing module, performs the related operations to generate a data packet, and then sends the generated data packet back to the load balancing module according to its default route;
the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, the source IP address and the MAC address; and
the originating SSL hardware proxy server receives the data packet returned by the load balancing module, looks up the corresponding SOCKET connection according to the policy route, SSL-encrypts the data packet, and returns the encrypted data packet to the terminal device that initiated the connection over the SOCKET connection found.
2. The method for realizing IP address transparent transmission for a cluster network as claimed in claim 1, wherein the step in which the load balancing module, after receiving the connection request sent by the SSL hardware proxy server, forwards it to the application server comprises the steps of:
the load balancing module receives the connection request that the SSL hardware proxy server initiated while masquerading as the terminal device, and records its MAC address, source IP and port; and
the load balancing module, masquerading as the IP address and port of the terminal device, sends to the application server the connection request that the SSL hardware proxy server initiated while masquerading as the terminal device.
3. The method for realizing IP address transparent transmission for a cluster network as claimed in claim 1, wherein the step in which the load balancing module returns the packet to the originating SSL hardware proxy server according to the policy route, source IP address and MAC address comprises the steps of:
the load balancing module routes the received data packet to the lo (loopback) interface according to the policy route;
the load balancing module looks up the corresponding SOCKET connection in the corresponding connection queue according to the policy route; and
the load balancing module looks up the MAC address of the corresponding front-end connection according to the policy-routed connection, and returns the data packet to the originating SSL hardware proxy server according to that MAC address.
CN202111270772.3A 2021-10-29 2021-10-29 Method for realizing IP address transparent transmission facing cluster network Pending CN113905013A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111270772.3A CN113905013A (en) 2021-10-29 2021-10-29 Method for realizing IP address transparent transmission facing cluster network


Publications (1)

Publication Number Publication Date
CN113905013A true CN113905013A (en) 2022-01-07

Family

ID=79027024


Country Status (1)

Country Link
CN (1) CN113905013A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102771085A (en) * 2009-12-23 2012-11-07 思杰系统有限公司 Systems and methods for maintaining transparent end to end cache redirection
CN106506700A (en) * 2016-12-28 2017-03-15 北京优帆科技有限公司 A kind of transparent proxy method of load equalizer and SiteServer LBS
WO2018120800A1 (en) * 2016-12-29 2018-07-05 华为技术有限公司 Load balancing method, device and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
浮生(FS): "负载均衡之SSL Farm", pages 1 - 2, Retrieved from the Internet <URL:https://blog.csdn.net/sun5769675/article/details/50478646> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582365A (en) * 2023-07-12 2023-08-11 北京亿赛通科技发展有限责任公司 Network traffic safety control method and device and computer equipment
CN116582365B (en) * 2023-07-12 2023-09-26 北京亿赛通科技发展有限责任公司 Network traffic safety control method and device and computer equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination