CN114666130A - WEB security reverse proxy method - Google Patents

WEB security reverse proxy method

Info

Publication number
CN114666130A
Authority
CN
China
Prior art keywords
reverse proxy
visitor
web
authentication
program
Prior art date
Legal status
Pending
Application number
CN202210287161.8A
Other languages
Chinese (zh)
Inventor
舒弋
Current Assignee
Beijing Congyun Technology Co ltd
Original Assignee
Beijing Congyun Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Congyun Technology Co ltd
Priority to CN202210287161.8A
Publication of CN114666130A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements

Abstract

The invention discloses a WEB security reverse proxy method comprising the following steps: the visitor sends a first access request to an authentication and authorization program through the access authentication URL, and the authentication and authorization program determines that the visitor is a legal visitor; for the legal visitor, the authentication and authorization program returns authorization information, determines the WEB services the visitor may access, and dynamically and randomly generates a reverse proxy URL; the WEB reverse proxy program parses the proxy port from the reverse proxy URL, dynamically forms a security rule for each proxy port, and generates a reverse proxy rule; the WEB reverse proxy program checks, according to the security rule, whether the source IP of the second access request is allowed to access the proxy port in the reverse proxy URL; after the check passes, the legal visitor enters the WEB reverse proxy according to the reverse proxy rule. The invention provides high security protection without installing an SDP client or any other client.

Description

WEB security reverse proxy method
Technical Field
The invention relates to the technical field of WEB application security, in particular to a WEB security reverse proxy method.
Background
The WEB reverse proxy is a method widely used in WEB service deployment. As shown in fig. 1, a WEB reverse proxy hides the service ports and access paths of the real WEB services. When an illegal visitor launches an attack, the target of the attack is the WEB reverse proxy program, and the real WEB service program cannot be attacked directly. However, the WEB reverse proxy has a potential security hazard: although no service port of the real WEB service is exposed, the proxy service port is exposed to visitors (e.g., port 8000 in fig. 1). An attacker can discover the proxy port provided by the WEB reverse proxy through port scanning and attack it, so that the WEB reverse proxy can no longer provide the proxy service, which in effect blocks normal visitors' access to the real WEB service. To prevent an attacker from scanning and detecting the proxy port provided by the WEB reverse proxy, and to protect the WEB reverse proxy program, two technical schemes are currently used:
1. A firewall is deployed in front of the WEB reverse proxy program for protection. When the firewall rules are static, they cannot adapt to dynamically changing attackers.
2. An SDP scheme is used. The visitor installs an SDP client program; after the client program passes SPA authentication and authorization, it can access the WEB reverse proxy program through a secure tunnel. This scheme achieves very high security protection, but at the cost that the visitor needs a security client program, which reduces usability. The compatibility of the client program with the operating system is also a difficult problem that affects the user experience.
In conclusion, the industry urgently needs a WEB reverse proxy that requires no additional client and provides high security protection.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a secure reverse proxy method that has higher security and does not require the installation of any other client.
The purpose of the invention is realized by the following technical scheme:
a WEB security reverse proxy method comprises the following steps: the visitor sends a first access request to an authentication and authorization program through the access authentication URL, and the authentication and authorization program determines that the visitor is a legal visitor; for the legal visitor, the authentication and authorization program returns authorization information, determines the WEB services the visitor may access, and dynamically and randomly generates a reverse proxy URL for each accessible WEB service, wherein the reverse proxy URL comprises a proxy port; the authentication and authorization program informs the WEB reverse proxy program of the legal visitor's IP, the dynamically and randomly generated reverse proxy URL, and the WEB service corresponding to the reverse proxy URL; the WEB reverse proxy program parses the proxy port from the reverse proxy URL and dynamically forms a security rule for each proxy port, and generates a reverse proxy rule according to the reverse proxy URL and the corresponding WEB service information; the authentication and authorization program pushes an instruction for accessing the WEB service to the legal visitor, and the legal visitor sends a second access request to the WEB reverse proxy program according to the instruction; the WEB reverse proxy program checks, according to the security rule, whether the source IP of the second access request is allowed to access the proxy port in the reverse proxy URL; and after the check passes, the legal visitor enters the WEB reverse proxy according to the reverse proxy rule.
Preferably, the step in which the authentication and authorization program determines that the visitor is a legal visitor includes: the authentication and authorization program returns a login authentication page to the visitor according to the first access request; the visitor fills in all authentication information required by the login authentication page and submits it to the authentication and authorization program; and the authentication and authorization program authenticates and authorizes the visitor according to the authentication information and determines that the visitor is a legal visitor.
Preferably, the step in which the authentication and authorization program pushes an instruction for accessing the WEB service to the legal visitor and the legal visitor sends a second access request to the WEB reverse proxy program according to the instruction includes: the authentication and authorization program pushes to the legal visitor a homepage containing an icon for each WEB service the legal visitor may access, wherein each WEB service icon carries the reverse proxy URL corresponding to that WEB service; and the visitor clicks the icon to initiate access, whereupon a second access request is sent to the WEB reverse proxy program.
Preferably, the step in which the legal visitor enters the WEB reverse proxy according to the reverse proxy rule includes: after receiving a third access request for the reverse proxy URL, the WEB reverse proxy program forwards the third access request to the real WEB service, and the legal visitor thereby accesses the real WEB service.
Compared with the prior art, the invention has the following advantages:
The proxy port of the WEB reverse proxy program is not a fixed port but is dynamically and randomly generated. The proxy ports generated after each authentication and authorization are different, and the proxy ports generated for each WEB service are different. Before authentication and authorization, a visitor cannot guess the value of the proxy port, so the proxy port is not leaked. The security check rule is generated dynamically after the user is authenticated and authorized; the WEB reverse proxy program checks whether the source address of an access request is allowed to access the proxy port, and only a request that passes the check enters the proxy flow. High security protection is thus achieved without installing an SDP client or any other client, reaching a protective effect similar to that of SDP technology.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of a conventional WEB security reverse proxy method.
Fig. 2 is a flowchart of the WEB security reverse proxy method according to the present invention.
Fig. 3 is a schematic structural view of another WEB security reverse proxy method of the present invention.
Detailed Description
The invention is further illustrated by the following figures and examples.
Referring to fig. 2 and fig. 3, a WEB security reverse proxy method includes the following steps:
Step S1: the visitor sends a first access request to the authentication and authorization program through the access authentication URL; for example, the visitor accesses https:// logic.
Note that by default the WEB reverse proxy program does not provide the reverse proxy service, does not open any proxy port, and does not respond to any access request.
Step S2: the authentication and authorization program determines that the visitor is a legal visitor. Step S2 specifically includes: the authentication and authorization program returns a login authentication page to the visitor according to the first access request; the visitor fills in all authentication information required by the login authentication page and submits it to the authentication and authorization program; and the authentication and authorization program authenticates and authorizes the visitor according to the authentication information and determines that the visitor is a legal visitor. The authentication and authorization program receives the submitted authentication information and completes the authentication and authorization of the visitor by interacting with the identity authentication system. An illegal visitor is pushed an access-forbidden page, and no further processing is performed for that visitor.
Step S3: for the legal visitor, the authentication and authorization program returns authorization information, determines the WEB services the visitor may access, and dynamically and randomly generates a reverse proxy URL for each accessible WEB service, wherein the reverse proxy URL comprises a proxy port.
For a legal visitor, the authentication and authorization program determines, from the authorization information returned by the identity authentication system, which WEB services the visitor may access. For each accessible WEB service, a reverse proxy URL is generated. For example: legal visitor A is allowed to access the WEB services oa.com and dev.com, and legal visitor B is allowed to access oa.com. The reverse proxy URLs generated for A are https://oa.proxy.com:5133 and https://dev.proxy.com:10066; the reverse proxy URL generated for B is https:// oa. The reverse proxy URLs are generated according to the following principles:
(1) Different WEB services get different reverse proxy URLs.
(2) The proxy port is generated dynamically and randomly. The proxy port is a listening port of the WEB reverse proxy program; the user's HTTP request must be sent to this port to be processed by the WEB reverse proxy. Different legal visitors access different proxy ports even when they access the same WEB service. After the WEB reverse proxy is deployed, for security, users are prohibited from directly accessing the real WEB service domain name and can only access it through the URL provided by the WEB reverse proxy program. For example, the real WEB service is oa.com, but the user cannot enter https://oa.com in the browser; the user can only enter the URL https://oa.proxy.com:5133 provided by the reverse proxy program to access oa.com, where 5133 is the proxy port.
The proxy port in this disclosure is open only to users who have passed authentication and authorization. A visitor who has not been authenticated and authorized can neither detect nor access the proxy port, which prevents the proxy port from being attacked by an illegal person. The proxy port is not a fixed port but is dynamically and randomly generated: the proxy ports generated after each authentication and authorization are different, and the proxy ports generated for each WEB service are different. Before authentication and authorization, a visitor cannot guess the value of the proxy port, so the proxy port is not leaked and the proxy port of the WEB reverse proxy program is well protected.
Step S4: the authentication and authorization program informs the WEB reverse proxy program of the legal visitor's IP, the dynamically and randomly generated reverse proxy URL, and the WEB service corresponding to the reverse proxy URL.
Step S5: the WEB reverse proxy program parses the proxy port from the reverse proxy URL and dynamically forms a security rule for each proxy port; it generates a reverse proxy rule according to the reverse proxy URL and the corresponding WEB service information. The WEB service information includes the URLs of the real WEB services, such as https://oa.com and https://dev.com.
In this embodiment, the security rule is: only the legal visitor's IP may access the proxy port. For example: ports 5133 and 10066 are accessible only from A's IP; port 7952 is accessible only from B's IP.
The reverse proxy rule guides the reverse proxy; how it directs the WEB reverse proxy program to forward a received HTTP request can be understood as the following mapping table:
Proxy URL                      WEB service URL
https://oa.proxy.com:5133      https://oa.com
https://dev.proxy.com:10066    https://dev.com
After receiving a request to access https://oa.proxy.com:5133, the WEB reverse proxy program forwards the request to https://oa.com according to the reverse proxy rule; after receiving a request to access https://dev.proxy.com:10066, it forwards the request to https://dev.com. The WEB reverse proxy program can only perform the reverse proxy correctly under the guidance of the reverse proxy rule.
Step S6: the authentication and authorization program pushes an instruction for accessing the WEB service to the legal visitor, and the legal visitor sends a second access request to the WEB reverse proxy program according to the instruction. Step S6 specifically includes: the authentication and authorization program pushes to the legal visitor a homepage containing an icon for each WEB service the legal visitor may access, wherein each WEB service icon carries the reverse proxy URL corresponding to that WEB service; the visitor clicks the icon to initiate access, and a second access request is sent to the WEB reverse proxy program.
Step S7: the WEB reverse proxy program checks, according to the security rule, whether the source IP of the second access request is allowed to access the proxy port in the reverse proxy URL. The access request is sent to the WEB reverse proxy, and the WEB reverse proxy program first checks the security rule: whether the source IP of the access request is allowed to access the proxy port in the reverse proxy URL. If access is not allowed, an access-forbidden page is pushed to the visitor and no further processing is performed.
Step S8: after the check passes, the legal visitor enters the WEB reverse proxy according to the reverse proxy rule. Step S8 specifically includes: after receiving a third access request for the reverse proxy URL, the WEB reverse proxy program forwards the third access request to the real WEB service, and the legal visitor thereby accesses the real WEB service.
According to the method, the proxy port of the WEB reverse proxy program is randomly and dynamically generated, and the security check rule is generated dynamically after the user is authenticated and authorized; the WEB reverse proxy program checks whether the source address of an access request is allowed to access the proxy port, and only a request that passes the check enters the proxy flow. A protective effect similar to that of SDP technology is thus achieved without installing an SDP client or any other client. Compared with the firewall scheme, the security check rules and the proxy ports are dynamically and randomly generated, so security is higher. Compared with the SDP scheme, access is performed through the browser without installing an SDP client, while a dynamic protective effect similar to that of the SDP scheme is achieved.
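The following is an added example written by the editor, not code from the patent or its assignee. It models steps S3 to S8 end to end: the authentication and authorization program mints one random proxy port per visitor and per WEB service, hands the proxy the (visitor IP, reverse proxy URL, WEB service) triple, and the proxy builds both the per-port security rule and the mapping table of step S5 from it, refusing any request that no rule covers. The proxy hostname proxy.com, the port window, the visitor IPs and the service list are constructed sample values; the real patent does not specify them.

```python
# Added example (editor's illustration, not the patent's code): a minimal
# model of steps S3 to S8 of the described method.
from __future__ import annotations

import secrets
from urllib.parse import urlsplit

PROXY_HOST = "proxy.com"            # constructed sample proxy domain
PORT_RANGE = (10000, 60000)         # constructed allocation window for proxy ports
# Real WEB services, keyed by the label used to build the proxy hostname.
SERVICES = {"oa": "https://oa.com", "dev": "https://dev.com"}


def parse_port(url: str) -> int:
    """S5: extract the proxy port from a reverse proxy URL."""
    port = urlsplit(url).port
    if port is None:
        raise ValueError(f"reverse proxy URL has no port: {url}")
    return port


class ReverseProxy:
    """WEB reverse proxy program: by default no port is open and nothing is answered."""

    def __init__(self) -> None:
        self.security_rules: dict[int, set[str]] = {}   # proxy port -> allowed source IPs
        self.proxy_rules: dict[str, str] = {}           # proxy URL -> real WEB service URL

    def install_rules(self, visitor_ip: str, proxy_url: str, service_url: str) -> None:
        """S4/S5: receive (visitor IP, proxy URL, service) and form both rule kinds."""
        port = parse_port(proxy_url)
        self.security_rules.setdefault(port, set()).add(visitor_ip)
        self.proxy_rules[proxy_url] = service_url

    def handle_request(self, source_ip: str, proxy_url: str) -> tuple[str, str | None]:
        """S7/S8: security rule first, then the reverse proxy rule."""
        port = parse_port(proxy_url)
        allowed = self.security_rules.get(port)
        if allowed is None or source_ip not in allowed:
            return ("forbidden", None)      # unknown port, or wrong source IP for it
        target = self.proxy_rules.get(proxy_url)
        if target is None:
            return ("forbidden", None)      # port exists but this URL was never issued
        return ("forward", target)


class AuthProgram:
    """Authentication and authorization program (S2 to S4, S6)."""

    def __init__(self, proxy: ReverseProxy, grants: dict[str, set[str]]) -> None:
        self.proxy = proxy
        self.grants = grants                # visitor -> services the identity system allows
        self.used_ports: set[int] = set()

    def _fresh_port(self) -> int:
        """Random proxy port; never reused across authorizations or services."""
        lo, hi = PORT_RANGE
        while True:
            port = lo + secrets.randbelow(hi - lo + 1)
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port

    def authorize(self, visitor: str, visitor_ip: str) -> dict[str, str]:
        """S3: one random reverse proxy URL per accessible service; S4: push rules to
        the proxy. Returns the homepage contents (service label -> URL) pushed in S6."""
        homepage: dict[str, str] = {}
        for label in sorted(self.grants.get(visitor, set())):
            url = f"https://{label}.{PROXY_HOST}:{self._fresh_port()}"
            self.proxy.install_rules(visitor_ip, url, SERVICES[label])
            homepage[label] = url
        return homepage


def run_demo() -> dict:
    """Walk visitors A and B (as in the description) through the flow."""
    proxy = ReverseProxy()
    auth = AuthProgram(proxy, {"A": {"oa", "dev"}, "B": {"oa"}})
    a_ip, b_ip, stranger_ip = "10.0.0.11", "10.0.0.22", "198.51.100.9"   # constructed

    home_a = auth.authorize("A", a_ip)
    home_b = auth.authorize("B", b_ip)
    home_a_again = auth.authorize("A", a_ip)     # a second login mints new ports

    return {
        "a_ports_distinct": parse_port(home_a["oa"]) != parse_port(home_a["dev"]),
        "b_port_differs_from_a": parse_port(home_b["oa"]) != parse_port(home_a["oa"]),
        "relogin_gives_new_port": parse_port(home_a_again["oa"]) != parse_port(home_a["oa"]),
        "a_to_oa": proxy.handle_request(a_ip, home_a["oa"]),
        "a_to_dev": proxy.handle_request(a_ip, home_a["dev"]),
        "b_on_a_port": proxy.handle_request(b_ip, home_a["oa"]),
        # a fixed, guessable port like the 8000 of fig. 1 is simply not open
        "stranger_guess": proxy.handle_request(stranger_ip, f"https://oa.{PROXY_HOST}:8000"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two design points worth noting. The proxy treats "no security rule for this port" and "source IP not in the rule" identically, so an unauthenticated scanner gets the same silence for an unissued port as for someone else's port, which is the property the description relies on. And the used-port set is what makes the "different port after every authorization" guarantee deterministic rather than merely probable; a real deployment would also have to expire entries when a session ends, which the patent text does not discuss.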
The above-mentioned embodiments are preferred embodiments of the present invention, and the present invention is not limited thereto, and any other modifications or equivalent substitutions that do not depart from the technical spirit of the present invention are included in the scope of the present invention.

Claims (4)

1. A WEB security reverse proxy method is characterized by comprising the following steps:
the visitor sends a first access request to the authentication and authorization program through the access authentication URL, and the authentication and authorization program determines that the visitor is a legal visitor;
the authentication and authorization program returns authorization information for a legal visitor, determines the WEB services which can be accessed by the visitor, and dynamically and randomly generates a reverse proxy URL for each accessible WEB service; wherein the reverse proxy URL comprises a proxy port;
the authentication and authorization program informs the IP of a legal visitor, the reverse proxy URL generated dynamically and randomly and the WEB service corresponding to the reverse proxy URL to a WEB reverse proxy program;
the WEB reverse proxy program parses the proxy port from the reverse proxy URL and dynamically forms a security rule for each proxy port, and generates a reverse proxy rule according to the reverse proxy URL and the corresponding WEB service information;
the authentication and authorization program pushes an instruction for accessing the WEB service to the legal visitor, and the legal visitor sends a second access request to the WEB reverse proxy program according to the instruction;
the WEB reverse proxy program checks whether the source IP of the second access request is allowed to access the proxy port in the reverse proxy URL or not according to a security rule;
and after the check is passed, the legal visitor enters the WEB reverse proxy according to the reverse proxy rule.
2. The WEB security reverse proxy method according to claim 1, wherein the step of determining that the visitor is a valid visitor by the authentication and authorization program comprises:
the authentication and authorization program returns a login authentication page to the visitor according to the first access request;
the visitor fills in all authentication information according to the requirements of the login authentication page and submits the authentication information to an authentication authorization program;
and the authentication and authorization program authenticates and authorizes the visitor according to the authentication information and determines the visitor as a legal visitor.
3. The WEB security reverse proxy method according to claim 1, wherein the step in which the authentication and authorization program pushes an instruction for accessing a WEB service to the legal visitor and the legal visitor sends a second access request to the WEB reverse proxy program according to the instruction comprises:
the authentication and authorization program pushes to the legal visitor a homepage containing an icon for each WEB service the legal visitor may access, wherein each WEB service icon carries the reverse proxy URL corresponding to that WEB service;
and the visitor clicks the icon to initiate access, whereupon a second access request is sent to the WEB reverse proxy program.
4. The WEB security reverse proxy method according to claim 1, wherein the step of enabling the legal visitor to enter the WEB reverse proxy according to the reverse proxy rule comprises the following steps:
and after receiving a third access request for the reverse proxy URL, the WEB reverse proxy program forwards the third access request to the real WEB service, and the legal visitor thereby accesses the real WEB service.
CN202210287161.8A 2022-03-23 2022-03-23 WEB security reverse proxy method Pending CN114666130A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210287161.8A CN114666130A (en) 2022-03-23 2022-03-23 WEB security reverse proxy method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210287161.8A CN114666130A (en) 2022-03-23 2022-03-23 WEB security reverse proxy method

Publications (1)

Publication Number Publication Date
CN114666130A true CN114666130A (en) 2022-06-24

Family

ID=82032126

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210287161.8A Pending CN114666130A (en) 2022-03-23 2022-03-23 WEB security reverse proxy method

Country Status (1)

Country Link
CN (1) CN114666130A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011100207A (en) * 2009-11-04 2011-05-19 Nippon Yunishisu Kk Remote access device, program, method and system
CN102143154A (en) * 2010-12-28 2011-08-03 华为技术有限公司 Method for preventing attack on media server and media server
CN106341438A (en) * 2015-07-10 2017-01-18 阿里巴巴集团控股有限公司 Request processing method and device
CN108924122A (en) * 2018-06-28 2018-11-30 无锡宏创盛安科技有限公司 A kind of network enemy and we recognition methods and system
CN109040225A (en) * 2018-07-27 2018-12-18 北京志翔科技股份有限公司 A kind of dynamic port desktop access management method and system
CN110113365A (en) * 2019-06-05 2019-08-09 中国石油大学(华东) A kind of mobile target system of defense cooperative control method for Web service
CN113905043A (en) * 2021-09-15 2022-01-07 的卢技术有限公司 Remote desktop connection method and connection system
CN114039750A (en) * 2021-10-26 2022-02-11 中电鸿信信息科技有限公司 Method for protecting SDP controller

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117319481A (en) * 2023-11-29 2023-12-29 长沙普洛电气设备有限公司 Port resource reverse proxy method, system and storage medium
CN117319481B (en) * 2023-11-29 2024-02-27 长沙普洛电气设备有限公司 Port resource reverse proxy method, system and storage medium

Similar Documents

Publication Publication Date Title
Li et al. Analysing the Security of Google’s implementation of OpenID Connect
JP5008851B2 (en) Internet safety
JP4405248B2 (en) Communication relay device, communication relay method, and program
Mainka et al. SoK: single sign-on security—an evaluation of openID connect
Li et al. Security issues in OAuth 2.0 SSO implementations
Sun et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Lodderstedt et al. OAuth 2.0 threat model and security considerations
US7886339B2 (en) Radius security origin check
CN111510453B (en) Business system access method, device, system and medium
Wang et al. Vulnerability assessment of oauth implementations in android applications
Denniss et al. Oauth 2.0 for native apps
KR20110134455A (en) A system and method for providing security in browser-based access to smart cards
US10652244B2 (en) Cross-site request forgery (CSRF) prevention
CN106453378A (en) Data authentication method, apparatus and system
US8056123B2 (en) Method, apparatus and program storage device for providing service access control for a user interface
JP2009003559A (en) Computer system for single sign-on server, and program
CN114666130A (en) WEB security reverse proxy method
Li et al. Mitigating csrf attacks on oauth 2.0 systems
US11470113B1 (en) Method to eliminate data theft through a phishing website
JP6842951B2 (en) Unauthorized access detectors, programs and methods
Gao et al. A research of security in website account binding
CN107294920A (en) It is a kind of reversely to trust login method and device
Denniss et al. RFC 8252: OAuth 2.0 for Native Apps
Falah et al. An Alternative Threat Model-based Approach for Security Testing
Sumongkayothin et al. OVERSCAN: OAuth 2.0 scanner for missing parameters

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination