CN115134105A - Resource configuration method and device of private network, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115134105A
Authority: CN (China)
Prior art keywords: private network, resource request, server, local port, client
Legal status: Pending
Application number: CN202110326265.0A
Other languages: Chinese (zh)
Inventor: 宋小宝
Current Assignee: Shenzhen Yun An Bao Technology Co ltd
Original Assignee: Shenzhen Yun An Bao Technology Co ltd

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 41/0893: Configuration management of networks or network elements, assignment of logical groups to network elements
    • H04L 61/2592: Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H04L 63/0272: Network security for separating internal from external traffic (e.g. firewalls), virtual private networks
    • H04L 67/10: Network arrangements or protocols for supporting network services or applications, protocols in which an application is distributed across nodes in the network

Abstract

An embodiment of the invention provides a resource configuration method and apparatus for a private network, an electronic device, and a storage medium. The resource configuration method comprises the following steps: receiving a resource request for a private network sent by a user terminal, the resource request carrying an identifier of the private network; obtaining, based on the identifier, the local port on the server that corresponds to the private network, and sending the resource request through that local port to an intranet penetration client so that the client processes the private network's resources for the user terminal through a private network proxy service. The intranet penetration client and the private network proxy service are deployed inside the private network, and a long-lived private communication tunnel between the intranet penetration client and the local port is established in advance. The embodiment achieves unified, secure operation and maintenance management of private networks, in particular of the virtual machine or network device resources of numerous private networks, with high security and low cost.

Description

Resource configuration method and device of private network, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technology, and in particular to a resource configuration method and apparatus for a private network, an electronic device, and a storage medium.
Background
As cloud services are adopted more widely, an enterprise may migrate a large number of servers that were originally in an intranet environment to the cloud, where they are provided as virtual machines. Virtual machines on the cloud, however, are exposed to the Internet and carry security risks. Cloud service providers therefore offer the private network, or VPC (Virtual Private Cloud), which divides cloud virtual machines into subnets and controls Internet access rules through firewalls, so that the servers are shielded from attacks originating on the Internet. To ensure service reliability, enterprises often choose off-site multi-provider redundancy, that is, they purchase virtual machines from several different cloud service providers and divide each set into its own VPC subnets. For a scenario with multiple VPC subnets, or for a group company with multiple remote server rooms, the usual method of secure unified operation and maintenance is to expose the login ports of the virtual resources in the VPC subnets, add the IP (Internet Protocol) address of a bastion host to a firewall whitelist, and then control all virtual resources centrally through the bastion host. This approach requires a public IP address for each virtualized resource in the VPC, which is costly; moreover, the server rooms of many group companies cannot provide that many public IP addresses, so the approach is not feasible for them.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for configuring resources of a private network, an electronic device, and a storage medium.
Specifically, the embodiment of the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a resource configuration method for a private network, applied to a server, which includes:
receiving a resource request for a private network sent by a user terminal, the resource request carrying an identifier of the private network;
obtaining, based on the identifier, the local port on the server that corresponds to the private network, and sending the resource request through the local port to an intranet penetration client, so that the intranet penetration client processes the resources of the private network for the user terminal through a private network proxy service,
where the intranet penetration client and the private network proxy service are deployed in the private network, and the intranet penetration client has established a long-lived private communication tunnel to the local port in advance.
Further, a private network server is deployed on the server;
receiving the resource request of the private network sent by the user terminal includes: the private network server receiving, from a browser of the user terminal, a resource request for the private network carried over the websocket protocol;
obtaining, based on the identifier, the local port corresponding to the private network on the server includes: the private network server looking up the local port corresponding to the private network based on the identifier and forwarding the resource request to that local port.
Further, an intranet penetration service end is deployed on the server, and sending the resource request through the local port to the intranet penetration client so that it processes the resources of the private network for the user terminal through the private network proxy service includes:
the intranet penetration service end listening on the local port and, when the local port receives the resource request, sending it to the intranet penetration client through the communication tunnel, so that the intranet penetration client forwards the resource request to the private network proxy service; the private network proxy service obtains private network login authentication from the private network server according to the resource request and, once the login authentication succeeds, processes the resources of the private network for the user terminal.
Further, the private network proxy service performs private network login authentication with the private network server through the OAuth2 (Open Authorization 2.0) protocol.
In a second aspect, an embodiment of the present invention provides a resource configuration method for a private network, applied to the private network, which includes:
receiving, through a local port of a server, a resource request for the private network sent by an intranet penetration service end, the resource request carrying an identifier of the private network, where the resource request was sent by a user terminal to the private network server and by the private network server to the local port;
processing the resources of the private network for the user terminal according to the resource request,
where the intranet penetration service end and the private network server are deployed in the server.
Further, an intranet penetration client and a private network proxy service are deployed in the private network;
receiving the resource request sent by the intranet penetration service end through the local port of the server includes: the intranet penetration client receiving, through the communication tunnel, the resource request sent by the intranet penetration service end through the local port of the server, where the intranet penetration client has established a long-lived private communication tunnel with the intranet penetration service end in advance;
processing the resources of the private network for the user terminal according to the resource request includes: the intranet penetration client forwarding the resource request to the private network proxy service, and the private network proxy service obtaining private network login authentication from the private network server according to the resource request and, once the login authentication succeeds, processing the resources of the private network for the user terminal.
In a third aspect, an embodiment of the present invention provides a resource configuration apparatus for a private network, applied to a server, which includes:
a private network server, configured to receive a resource request for a private network sent by a user terminal, the resource request carrying an identifier of the private network, to obtain the local port corresponding to the private network based on the identifier, and to forward the resource request to that local port;
an intranet penetration service end, configured to listen on the local port and, when the local port receives the resource request, send it to an intranet penetration client deployed in the private network, so that the intranet penetration client forwards the resource request to a private network proxy service deployed in the private network, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and, once the login authentication succeeds, processes the resources of the private network for the user terminal.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the resource configuration method for a private network according to the first aspect or the second aspect when executing the program.
In a fifth aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the resource configuration method for a private network according to the first aspect or the second aspect.
In a sixth aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the steps of the resource configuration method for a private network according to the first aspect or the second aspect are implemented.
As can be seen from the above technical solutions, the method, apparatus, electronic device and storage medium for configuring resources of a private network provided in the embodiments of the present invention receive a resource request for the private network sent by a user terminal, obtain the local port on the server that corresponds to the private network based on the identifier, and send the resource request through that local port to an intranet penetration client so that the intranet penetration client processes the resources of the private network for the user terminal through a private network proxy service. This achieves unified, secure operation and maintenance management of the virtual machine or network device resources of a private network, and especially of numerous private networks. The private network does not have to expose a public IP address, so the risk of intrusion is avoided and the security of the private network improves; in particular, when there are many private networks, no public IP address has to be configured for each of them, which effectively reduces cost.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of a resource configuration method for a private network according to an embodiment of the present invention;
Fig. 2 is a flowchart of a resource configuration method for a private network according to another embodiment of the present invention;
Fig. 3 is a block diagram illustrating a resource configuration apparatus for a private network according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a flowchart of a resource configuration method for a private network according to an embodiment of the present invention. As shown in Fig. 1, the method is applied to a server and includes the following steps:
Step 101: receiving a resource request for the private network sent by the user terminal, the resource request carrying the identifier of the private network.
In an embodiment of the present invention, a private network server is deployed on the server, and receiving the resource request includes: the private network server receiving, from a browser of the user terminal, a resource request for the private network carried over the websocket protocol (that is, a protocol for full-duplex communication over a single TCP connection).
Step 102: obtaining, based on the identifier, the local port on the server that corresponds to the private network, and sending the resource request through the local port to an intranet penetration client so that the intranet penetration client processes the resources of the private network for the user terminal through a private network proxy service, where the intranet penetration client and the private network proxy service are deployed in the private network, and a long-lived private communication tunnel between the intranet penetration client and the local port is established in advance.
In an embodiment of the present invention, obtaining the local port corresponding to the private network on the server based on the identifier includes: the private network server looking up the local port corresponding to the private network based on the identifier and forwarding the resource request to that local port.
In this example, an intranet penetration service end is deployed on the server, and sending the resource request through the local port to the intranet penetration client so that it processes the resources of the private network for the user terminal through the private network proxy service includes: the intranet penetration service end listening on the local port and, when the local port receives the resource request, sending it to the intranet penetration client through the communication tunnel, so that the intranet penetration client forwards the resource request to the private network proxy service; the private network proxy service obtains private network login authentication from the private network server according to the resource request and, once the login authentication succeeds, processes the resources of the private network for the user terminal.
In the above example, the private network proxy service performs private network login authentication with the private network server through, for example, the OAuth2 protocol.
In the above description the private network is a VPC, i.e. a private network on a public cloud.
In what follows the server is called the central control server, the intranet penetration service end is called the intranet penetration server unit, the private network server is called the central control service unit, the intranet penetration client is called the VPC intranet penetration client unit, and the private network proxy service is called the VPC operation and maintenance proxy service unit. That is, the central control server hosts an intranet penetration server unit and a central control service unit, and a VPC intranet penetration client unit and a VPC operation and maintenance proxy service unit are deployed inside the private network VPC.
As shown in Fig. 2, a resource configuration method for a private network, applied to the private network, includes:
S201: receiving, through a local port of a server, a resource request for the private network sent by an intranet penetration service end, the resource request carrying the identifier of the private network, where the resource request was sent by a user terminal to the private network server and by the private network server to the local port;
S202: processing the resources of the private network for the user terminal according to the resource request, where the intranet penetration service end and the private network server are deployed in the server.
In an embodiment of the present invention, an intranet penetration client and a private network proxy service are deployed in the private network, and receiving the resource request sent by the intranet penetration service end through the local port of the server includes: the intranet penetration client receiving, through the communication tunnel, the resource request sent by the intranet penetration service end through the local port of the server, where the intranet penetration client has established a long-lived private communication tunnel with the intranet penetration service end in advance; and processing the resources of the private network for the user terminal according to the resource request includes: the intranet penetration client forwarding the resource request to the private network proxy service, and the private network proxy service obtaining private network login authentication from the private network server according to the resource request and, once the login authentication succeeds, processing the resources of the private network for the user terminal.
The resource configuration of the private network VPC is described in detail below in connection with the interaction between the private network VPC and the central control server.
The VPC intranet penetration client unit establishes a long connection in advance with the intranet penetration server unit on the central control server through a socket (that is, the communication tunnel), and completes identity authentication with the central control service unit using the OAuth2 protocol. The socket connection between the VPC intranet penetration client unit and the intranet penetration server unit serves mainly as the communication tunnel; authenticating it with OAuth2 prevents malicious attacks on the intranet penetration server unit, improves its security, and allows the central control service unit to authorize and access-control each VPC intranet penetration client unit flexibly.
The intranet penetration server unit listens on a local port of the central control server and forwards the traffic of that local port to the socket connection established with the VPC intranet penetration client unit, that is, into the communication tunnel. In this example, the local port that the intranet penetration server unit listens on can only be accessed locally on the central control server, which avoids the scanning and malicious attacks that would follow from exposing the port to the Internet and improves the security of the intranet. Forwarding the local port's traffic must reach the correct VPC intranet penetration client unit, so when the socket is established a mapping between the local port and the socket (i.e. the communication tunnel) must be recorded.
Once this preparation is done, when the user terminal wants to perform resource configuration, resource invocation, and so on for a particular private network VPC, it does not access the VPC directly over the Internet but sends a resource request to the central control service unit, that is: the central control service unit receives an operation and maintenance VPC resource request (i.e. the resource request), based on the websocket protocol, sent by the user terminal through a browser. In this example the browser of the user terminal may be any browser that supports the websocket protocol; because the central control service unit does not need to process the websocket request itself, it only has to provide a websocket proxy service and forward the request to the local port that the intranet penetration server unit is listening on.
Using the VPC unique identifier (i.e. the private network identifier) carried in the resource request, the central control service unit finds the local port corresponding to that VPC in the local port mapping and forwards the websocket request to it using a reverse proxy technique. In this example the websocket request carries the VPC unique identifier, and it must be ensured that the resource currently requested for operation and maintenance belongs to that VPC. The central control service unit looks up the local port corresponding to the VPC, according to the VPC unique identifier, in the mapping between local ports and VPCs stored by the intranet penetration server unit, and then forwards the websocket request to that local port using nginx reverse proxying.
The intranet penetration server unit forwards the traffic of the local port to the socket connection established with the VPC intranet penetration client unit. Note that this forwarding is bidirectional: when the local port that the intranet penetration server unit listens on receives data, the data is forwarded to the socket connection mapped to that local port; and when the intranet penetration server unit receives data on the socket connection from the VPC intranet penetration client unit, the data is forwarded to the local port mapped to that socket connection, so that it flows back through nginx to the browser of the user terminal.
The VPC intranet penetration client unit receives the operation and maintenance VPC resource request forwarded by the intranet penetration server unit. In this example the long connection between the VPC intranet penetration client unit and the intranet penetration server unit acts as the communication tunnel: data arriving at the intranet penetration server unit is forwarded to the VPC intranet penetration client unit, and data arriving at the VPC intranet penetration client unit is forwarded to the intranet penetration server unit.
The VPC intranet penetration client unit forwards the traffic of the local port to the service port of the VPC operation and maintenance proxy service unit by port forwarding. Specifically, the VPC intranet penetration client unit forwards the received data unchanged to the service port of the VPC operation and maintenance proxy service unit; the data does not need to be processed.
After receiving the resource request, the VPC operation and maintenance proxy service unit requests from the central control service unit the login information and authentication information configured in advance for the resource to be operated and maintained; the login information includes the resource address, port and protocol, and the authentication information includes the login name and password. Specifically, the VPC operation and maintenance proxy service unit is the core operation and maintenance proxy service and is the unit that finally handles the user's operation and maintenance resource request. When it receives the websocket request for an operation and maintenance resource, it first accepts the websocket connection, reads the request parameters carried on that connection, and requests the resource's login and authentication information from the central control service unit according to the operation and maintenance resource ID in the parameters. That login and authentication information may be preset, or the central control service unit may provide a corresponding management function through which an administrator enters it. When this request is made, OAuth2 identity authentication is also required, and only when authentication passes does the request receive its data.
The VPC operation and maintenance proxy service unit then initiates a remote login to the resource inside the VPC using the login information and authentication information. In this example, it must complete the resource login with the remote login method matching the resource's remote login protocol, which includes but is not limited to SSH, TELNET, VNC, RDP, and other protocols.
After logging in to the resource successfully, the VPC operation and maintenance proxy service unit can keep the current login connection in memory and map it to the websocket connection. The resource login connection is generally a long-lived connection tied to the login protocol; after a successful login, the login connection and the websocket connection must be mapped to each other so that traffic can be forwarded normally between the two connections.
The VPC operation and maintenance proxy service unit continuously reads data from the login connection and forwards it to the websocket connection mapped to it. Specifically, the peer of the login connection is the resource's desktop service or character-mode shell service, so the received data is generally desktop graphics drawing data or character display data. The received login protocol data of each kind must be parsed and processed, and converted into custom protocol data, so that the browser end can identify and process it uniformly afterwards.
And a browser terminal of the user terminal continuously receives websocket connection data, and the front-end data processing unit draws a resource desktop in the browser according to a remote desktop protocol and a CSS 32 d graphic drawing technology. In this example, the browser terminal of the user terminal receives data from the websocket connection, identifies the data according to a custom protocol, and calls an API related to a front-end graph drawing technology according to an identified instruction to complete graph drawing.
The user terminal can operate a mouse and a keyboard on a browser resource desktop, and the front-end data processing unit converts the operation into self-defined protocol data and sends the self-defined protocol data to the websocket for connection. Namely: the websocket connection can receive input data from the user terminal, including but not limited to mouse, keyboard operations, including single key and complex combination keys.
And the VPC operation and maintenance agent service unit receives user operation data from the websocket connection and forwards the data to the mapped resource login connection. Specifically, the VPC operation and maintenance agent service unit receives user operation data from the websocket connection, similarly needs to perform data protocol analysis, converts the user operation data into corresponding operation instruction data according to the current login resource protocol, and sends the operation instruction data to the resource login connection mapped with the websocket. Therefore, the operation and maintenance management of the private network VPC by the user terminal is realized.
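As an added illustration of the bridge described in the preceding steps (example code written for this page, not the applicant's implementation), the block below models the agent's two forwarding loops in Python with in-memory stand-ins for the login connection and the websocket. The frame layout (one type byte, a 4-byte length, then the payload), the key-name tables and the SessionMap are assumptions; the login connection is taken to be a character-mode shell, so mouse events have no meaning for it and are discarded. The security-relevant point is in pump_ws_to_resource: only input that the agent itself translated from a recognised frame is written to the resource, so the browser can never push raw bytes onto the login connection, and a length cap on frames keeps a hostile peer from forcing unbounded buffering.

```python
"""Added example (not the patent's code): an in-memory model of the agent's
websocket <-> resource-login-connection bridge for a character-shell login
connection. Frame layout, key tables and SessionMap are assumptions."""
import json
import struct
from collections import deque

# Assumed custom protocol: 1-byte frame type, 4-byte big-endian length, payload.
FRAME_DISPLAY = 0x01   # resource -> browser: character display data
FRAME_KEY = 0x02       # browser -> resource: key event, single key or combination
HEADER = struct.Struct("!BI")
MAX_FRAME = 1 << 20    # cap so a hostile peer cannot force unbounded buffering


def encode_frame(ftype: int, payload: bytes) -> bytes:
    if len(payload) > MAX_FRAME:
        raise ValueError("frame too large")
    return HEADER.pack(ftype, len(payload)) + payload


def decode_frames(buf: bytearray) -> list:
    """Return (type, payload) for every complete frame in buf; a trailing partial frame stays in buf."""
    frames = []
    while len(buf) >= HEADER.size:
        ftype, length = HEADER.unpack_from(buf)
        if length > MAX_FRAME:
            raise ValueError("frame too large")
        if len(buf) < HEADER.size + length:
            break
        frames.append((ftype, bytes(buf[HEADER.size:HEADER.size + length])))
        del buf[:HEADER.size + length]
    return frames


class FakeConn:
    """Stand-in for a long-lived connection (resource login connection or websocket):
    read() pops queued inbound data, write() records outbound data."""
    def __init__(self, inbound=()):
        self.inbound = deque(inbound)
        self.outbound = []

    def read(self) -> bytes:
        return self.inbound.popleft() if self.inbound else b""

    def write(self, data: bytes) -> None:
        self.outbound.append(data)


class SessionMap:
    """Mapping the agent keeps in memory after a successful resource login."""
    def __init__(self):
        self._sessions = {}

    def bind(self, session_id, login_conn, ws):
        self._sessions[session_id] = (login_conn, ws)

    def lookup(self, session_id):
        return self._sessions[session_id]


# Assumed key tables: browser key names -> bytes for a character shell.
CONTROL_KEYS = {("ctrl", "c"): b"\x03", ("ctrl", "d"): b"\x04", ("ctrl", "l"): b"\x0c"}
NAMED_KEYS = {"enter": b"\r", "tab": b"\t", "backspace": b"\x7f"}


def key_frame_to_shell_bytes(payload: bytes) -> bytes:
    """Translate one browser key event into shell input; anything unrecognised is dropped."""
    try:
        keys = tuple(str(k).lower() for k in json.loads(payload)["keys"])
    except (ValueError, KeyError, TypeError):
        return b""
    if keys in CONTROL_KEYS:
        return CONTROL_KEYS[keys]
    if len(keys) == 1 and keys[0] in NAMED_KEYS:
        return NAMED_KEYS[keys[0]]
    if len(keys) == 1 and len(keys[0]) == 1 and keys[0].isprintable():
        return keys[0].encode()
    return b""


def pump_resource_to_ws(login_conn: FakeConn, ws: FakeConn) -> int:
    """Wrap display data from the login connection in custom frames and send them to the websocket."""
    n = 0
    while chunk := login_conn.read():
        ws.write(encode_frame(FRAME_DISPLAY, chunk))
        n += 1
    return n


def pump_ws_to_resource(ws: FakeConn, login_conn: FakeConn, buf: bytearray) -> int:
    """Parse custom frames from the websocket; only translated shell input reaches the resource."""
    n = 0
    while data := ws.read():
        buf += data
        for ftype, payload in decode_frames(buf):
            if ftype == FRAME_KEY and (out := key_frame_to_shell_bytes(payload)):
                login_conn.write(out)
                n += 1
            # mouse frames and unknown frame types never reach the resource as raw bytes
    return n


def demo():
    """Constructed sample session: the shell shows a prompt; the browser types 'ls', Enter,
    Ctrl+C, then an unknown frame type that must be discarded."""
    login = FakeConn([b"user@host:~$ "])
    ws = FakeConn([encode_frame(FRAME_KEY, json.dumps({"keys": k}).encode())
                   for k in (["l"], ["s"], ["Enter"], ["Ctrl", "C"])]
                  + [encode_frame(0x7F, b"raw bytes that must not pass")])
    sessions = SessionMap()
    sessions.bind("sess-1", login, ws)
    lc, sock = sessions.lookup("sess-1")
    return (pump_resource_to_ws(lc, sock), pump_ws_to_resource(sock, lc, bytearray()),
            b"".join(lc.outbound), sock.outbound)
```

Running demo() forwards one display frame to the browser and writes exactly the four translated key operations (b"ls\r\x03") to the shell; the unknown frame is dropped at the agent. A real deployment would replace FakeConn with the actual socket objects and run the two pumps concurrently, but the translation boundary stays the same.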
According to the resource configuration method of the private network described above, the server receives the resource request of the private network sent by the user terminal, obtains the local port corresponding to that private network on the server based on the identifier, and sends the resource request to the intranet penetration client through that local port, so that the intranet penetration client processes the resources of the private network for the user terminal through the private network proxy service. This realizes unified and secure operation and maintenance management of private networks, in particular of the virtual machine or network device resources of many private networks. The private network need not expose a public network IP, so it is not directly reachable from the public network, which reduces its exposure to intrusion and improves its security; and when there are many private networks, no public network IP needs to be configured for each of them, which effectively reduces cost.
Fig. 3 is a schematic structural diagram of a resource configuration apparatus of a private network according to an embodiment of the present invention. As shown in fig. 3, the resource configuration apparatus of the private network provided in this embodiment is applied to a server and includes a private network server 31 and an intranet penetration service end 32, where:
the private network server 31 is configured to receive a resource request of a private network sent by a user terminal, where the resource request includes an identifier of the private network, to obtain the local port corresponding to the private network based on the identifier, and to forward the resource request to that local port;
the intranet penetration service end 32 is configured to listen on the local port and, when the local port receives the resource request, to send the resource request to an intranet penetration client deployed in the private network, so that the intranet penetration client forwards the resource request to a private network proxy service deployed in the private network, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and processes the resources of the private network for the user terminal only after the login authentication succeeds.
The resource configuration device of the private network works in the same way as the method above: it receives the resource request of the private network sent by the user terminal, obtains the local port corresponding to the private network on the server based on the identifier, and sends the resource request to the intranet penetration client through that local port, so that the intranet penetration client processes the resources of the private network for the user terminal through the private network proxy service. This realizes unified and secure operation and maintenance management of private networks, in particular of the virtual machine or network device resources of many private networks. The private network need not expose a public network IP, so it is not directly reachable from the public network, which reduces its exposure to intrusion and improves its security; and when there are many private networks, no public network IP needs to be configured for each of them, which effectively reduces cost.
According to one embodiment of the invention, a private network server is deployed on the server,
the receiving of a resource request of a private network sent by a user terminal includes: the private network server receives, over the websocket protocol, a resource request of a private network sent by the user terminal through a browser,
and the obtaining of the local port corresponding to the private network on the server based on the identifier includes: the private network server obtains the local port corresponding to the private network based on the identifier and forwards the resource request to that local port.
According to an embodiment of the present invention, an intranet penetration service end is deployed on the server, and the sending of the resource request to an intranet penetration client through the local port, so that the intranet penetration client processes the resources of the private network for the user terminal through a private network proxy service, includes:
the intranet penetration service end listens on the local port and, when the local port receives the resource request, sends the resource request to the intranet penetration client through the communication tunnel, so that the intranet penetration client forwards the resource request to the private network proxy service, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and processes the resources of the private network for the user terminal only after the login authentication succeeds.
According to one embodiment of the invention, the private network proxy service performs the private network login authentication against the private network server through the OAuth2 protocol.
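As an added illustration of the routing and authentication flow of this embodiment (example code written for this page, not the applicant's implementation), the block below models both sides in Python. The private network server keeps the identifier-to-local-port table and, standing in for the OAuth2 authorization server role, issues HMAC-signed opaque tokens and answers introspection queries; the Tunnel, the IntranetClient and the introspect() call are in-memory assumptions for the long-lived communication tunnel and for the OAuth2 exchange between the proxy service and the private network server. Two checks a practitioner would want are included: a request naming an unknown private network identifier is refused rather than sent to a default port, and the proxy service compares the token's audience with its own network identifier, so a token obtained for one private network cannot be replayed through another network's tunnel.

```python
"""Added example (not the patent's code): identifier-to-local-port routing on the
server and token-checked login authentication in the private network proxy service.
The in-memory tunnel, the HMAC-signed opaque token and introspect() are assumptions
standing in for the intranet penetration tunnel and the OAuth2 exchange."""
import base64
import hashlib
import hmac
import json
import time


class PrivateNetworkServer:
    """Server side: holds the private network identifier -> local port table and, in the
    assumed role of OAuth2 authorization server, issues and introspects access tokens."""
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._ports = {}    # private network identifier -> local port
        self._tunnels = {}  # local port -> pre-established tunnel to that network's client

    def register_tunnel(self, vpc_id: str, local_port: int, tunnel) -> None:
        if local_port in self._tunnels:
            raise ValueError("local port already bound to another private network")
        self._ports[vpc_id] = local_port
        self._tunnels[local_port] = tunnel

    def route(self, request: dict):
        """Forward a user terminal's request down the tunnel of the named network.
        Returns the local port used, or None for an unknown identifier (refused, not defaulted)."""
        port = self._ports.get(request.get("vpc_id"))
        if port is not None:
            self._tunnels[port].deliver(request)
        return port

    def issue_token(self, vpc_id: str, user: str, ttl: int = 300) -> bytes:
        claims = {"aud": vpc_id, "sub": user, "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(sig)

    def introspect(self, token: bytes, now=None) -> dict:
        """Check signature and expiry; the caller still has to check the audience."""
        try:
            body, sig = token.split(b".", 1)
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return {"active": False}
            claims = json.loads(base64.urlsafe_b64decode(body))
            if claims["exp"] <= (time.time() if now is None else now):
                return {"active": False}
            return {"active": True, "aud": claims["aud"], "sub": claims["sub"]}
        except (ValueError, TypeError, KeyError):
            return {"active": False}


class IntranetClient:
    """Private network side: receives requests from the tunnel and hands them to the proxy service."""
    def __init__(self, proxy):
        self.proxy = proxy
        self.inbox = []

    def drain(self) -> list:
        results = [self.proxy.handle(r) for r in self.inbox]
        self.inbox.clear()
        return results


class Tunnel:
    """Stand-in for the long-lived private communication tunnel bound to one local port."""
    def __init__(self, client: IntranetClient):
        self.client = client

    def deliver(self, request: dict) -> None:
        self.client.inbox.append(request)


class PrivateNetworkProxyService:
    """Obtains login authentication for each request before touching any resource."""
    def __init__(self, vpc_id: str, auth_server: PrivateNetworkServer):
        self.vpc_id = vpc_id
        self.auth = auth_server

    def handle(self, request: dict) -> dict:
        info = self.auth.introspect(request.get("token", b""))
        if not info["active"]:
            return {"ok": False, "reason": "login authentication failed"}
        if info["aud"] != self.vpc_id:  # a token for network A must not unlock network B
            return {"ok": False, "reason": "token not issued for this private network"}
        return {"ok": True, "user": info["sub"], "resource": request["resource"]}


def demo():
    """Constructed scenario: two private networks behind one server, four requests."""
    server = PrivateNetworkServer(signing_key=b"constructed-demo-key")
    client_a = IntranetClient(PrivateNetworkProxyService("vpc-a", server))
    client_b = IntranetClient(PrivateNetworkProxyService("vpc-b", server))
    server.register_tunnel("vpc-a", 40001, Tunnel(client_a))
    server.register_tunnel("vpc-b", 40002, Tunnel(client_b))
    good = server.issue_token("vpc-a", "alice")
    stale = server.issue_token("vpc-a", "alice", ttl=-1)
    ports = tuple(server.route({"vpc_id": v, "token": t, "resource": "vm-1"}) for v, t in (
        ("vpc-a", good),    # valid request
        ("vpc-b", good),    # vpc-a token replayed against vpc-b
        ("vpc-a", stale),   # expired token
        ("vpc-zz", good)))  # unknown identifier: nothing is forwarded
    return ports, client_a.drain(), client_b.drain()
```

In demo() the first three requests are routed to ports 40001, 40002 and 40001 while the fourth is refused; on the private network side only the first request is processed, the expired token fails login authentication, and the replayed token is rejected by the audience check. In a real OAuth2 deployment the token format would be whatever the private network server issues and introspect() would be an authenticated call to it; the two checks are what matter.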
Since the resource configuration device of the private network provided in the embodiment of the present invention can be used to execute the resource configuration method of the private network described in the above embodiment, and the working principle and the beneficial effect are similar, detailed descriptions are omitted here, and specific contents can be referred to the description of the above embodiment.
In this embodiment, it should be noted that each module in the apparatus according to the embodiment of the present invention may be integrated into a whole, or may be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device, which specifically includes the following contents, with reference to fig. 4: a processor 401, a memory 402, a communication interface 403, and a communication bus 404;
the processor 401, the memory 402 and the communication interface 403 complete mutual communication through the communication bus 404;
the processor 401 is configured to call a computer program in the memory 402, and the processor implements all the steps of the resource configuration method of the private network when executing the computer program, for example, the processor implements the following processes when executing the computer program: receiving a resource request of a private network sent by a user terminal, wherein the resource request comprises an identifier of the private network; obtaining a local port corresponding to the private network on the server based on the identifier, and sending the resource request to an intranet penetration client through the local port, so that the intranet penetration client processes resources of the private network for the user terminal through a private network proxy service, wherein the intranet penetration client and the private network proxy service are deployed in the private network, and a private communication tunnel with long connection is established between the intranet penetration client and the local port in advance; or receiving a resource request of a private network sent by an intranet penetration service terminal through a local port of a server, wherein the resource request comprises an identifier of the private network, and the resource request is sent to the private network service terminal by a user terminal and sent to the local port by the private network service terminal; and processing the resources of the private network for the user terminal according to the resource request, wherein the intranet penetration service terminal and the private network service terminal are deployed in the server.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
Based on the same inventive concept, yet another embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements all the steps of the above-mentioned method for configuring resources of a private network, for example, the processor implements the following processes when executing the computer program: receiving a resource request of a private network sent by a user terminal, wherein the resource request comprises an identifier of the private network; obtaining a local port corresponding to the private network on the server based on the identifier, and sending the resource request to an intranet penetration client through the local port, so that the intranet penetration client processes resources of the private network for the user terminal through a private network proxy service, wherein the intranet penetration client and the private network proxy service are deployed in the private network, and a private communication tunnel with long connection is established between the intranet penetration client and the local port in advance; or receiving a resource request of a private network sent by an intranet penetration service terminal through a local port of a server, wherein the resource request comprises an identifier of the private network, and the resource request is sent to the private network service terminal by a user terminal and sent to the local port by the private network service terminal; and processing the resources of the private network for the user terminal according to the resource request, wherein the intranet penetration service terminal and the private network service terminal are deployed in the server.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
Based on the same inventive concept, another embodiment of the present invention provides a computer program product, which includes a computer program that, when executed by a processor, implements all the steps of the resource configuration method of the private network; for example, when the processor executes the computer program, the processor implements the following processes: receiving a resource request of a private network sent by a user terminal, wherein the resource request comprises an identifier of the private network; obtaining a local port corresponding to the private network on the server based on the identifier, and sending the resource request to an intranet penetration client through the local port, so that the intranet penetration client processes resources of the private network for the user terminal through a private network proxy service, wherein the intranet penetration client and the private network proxy service are deployed in the private network, and a private communication tunnel with a long connection is established in advance between the intranet penetration client and the local port; or receiving a resource request of a private network sent by an intranet penetration service end through a local port of a server, wherein the resource request comprises an identifier of the private network, and the resource request is sent to the private network server by a user terminal and sent to the local port by the private network server; and processing the resources of the private network for the user terminal according to the resource request, wherein the intranet penetration service end and the private network server are deployed in the server.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention or a part thereof which substantially contributes to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions may be essentially or partially implemented in the form of software products, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the resource configuration method according to various embodiments or some parts of embodiments.
Moreover, in the present invention, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Furthermore, in the present disclosure, reference to the description of the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A resource configuration method of a private network is applied to a server, and the resource configuration method comprises the following steps:
receiving a resource request of a private network sent by a user terminal, wherein the resource request comprises an identifier of the private network;
a local port corresponding to the private network on the server is obtained based on the identification, and the resource request is sent to an intranet penetration client through the local port so that the intranet penetration client can process the resources of the private network for the user terminal through a private network proxy service,
the intranet penetration client and the private network proxy service are deployed in the private network, and the intranet penetration client establishes a private communication tunnel with a long connection with the local port in advance.
2. The resource configuration method of a private network according to claim 1, wherein a private network server is deployed on the server,
the receiving of a resource request of a private network sent by a user terminal includes: the private network server receives, over the websocket protocol, a resource request of a private network sent by the user terminal through a browser,
and the obtaining of the local port corresponding to the private network on the server based on the identifier includes: the private network server obtains the local port corresponding to the private network based on the identifier and forwards the resource request to that local port.
3. The method according to claim 2, wherein an intranet penetration service end is deployed on the server, and the sending of the resource request to an intranet penetration client through the local port, so that the intranet penetration client processes the resources of the private network for the user terminal through a private network proxy service, comprises:
the intranet penetration service end listens on the local port and, when the local port receives the resource request, sends the resource request to the intranet penetration client through the communication tunnel, so that the intranet penetration client forwards the resource request to the private network proxy service, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and processes the resources of the private network for the user terminal after the login authentication succeeds.
4. The method of claim 3, wherein the private network proxy service performs the private network login authentication against the private network server via the OAuth2 protocol.
5. A resource configuration method of a private network, applied to the private network, characterized in that the resource configuration method comprises the following steps:
receiving a resource request of a private network sent by an intranet penetration service end through a local port of a server, wherein the resource request comprises an identifier of the private network, and the resource request is sent to the private network server by a user terminal and sent to the local port by the private network server;
processing resources of the private network for the user terminal in accordance with the resource request,
wherein the intranet penetration service end and the private network server are deployed in the server.
6. The method of claim 5, wherein an intranet penetration client and a private network proxy service are deployed in the private network,
the receiving of the resource request of the private network sent by the intranet penetration service end through the local port of the server includes: the intranet penetration client receives, through a communication tunnel, the resource request of the private network sent by the intranet penetration service end through the local port of the server, wherein the intranet penetration client has established in advance a private communication tunnel with a long connection to the intranet penetration service end;
and the processing of the resources of the private network for the user terminal according to the resource request includes: the intranet penetration client forwards the resource request to the private network proxy service, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and processes the resources of the private network for the user terminal after the login authentication succeeds.
7. A resource configuration device of a private network, applied to a server, characterized in that the resource configuration device comprises:
a private network server, configured to receive a resource request of a private network sent by a user terminal, wherein the resource request comprises an identifier of the private network, to obtain the local port corresponding to the private network based on the identifier, and to forward the resource request to that local port;
an intranet penetration service end, configured to listen on the local port and, when the local port receives the resource request, to send the resource request to an intranet penetration client deployed in the private network, so that the intranet penetration client forwards the resource request to a private network proxy service deployed in the private network, and the private network proxy service obtains private network login authentication from the private network server according to the resource request and processes the resources of the private network for the user terminal after the login authentication succeeds.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for resource allocation of a private network according to any one of claims 1 to 6 when executing the program.
9. A non-transitory computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method for configuring resources of a private network according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the method for resource allocation of a private network according to any one of claims 1 to 6.
Application: CN202110326265.0A, priority date 2021-03-26, filing date 2021-03-26, "Resource configuration method and device of private network, electronic equipment and storage medium", status Pending.

Publication: CN115134105A (en), published 2022-09-30.

Family ID: 83375122

Country status: CN, CN115134105A (en)
Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426404A (en) * 2022-11-03 2022-12-02 深圳市明源云科技有限公司 Intranet resource access method, system, equipment and computer readable storage medium
CN116455868A (en) * 2023-03-29 2023-07-18 成都康胜思科技有限公司 Integrated service system based on universal domain name resolution and private protocol intranet penetration
CN116455868B (en) * 2023-03-29 2023-11-07 成都康胜思科技有限公司 Integrated service system based on universal domain name resolution and private protocol intranet penetration
CN117650965A (en) * 2024-01-26 2024-03-05 北京天维信通科技股份有限公司 Method and device for realizing SD-WAN management network based on uCPE original port
CN117650965B (en) * 2024-01-26 2024-04-19 北京天维信通科技股份有限公司 Method and device for realizing SD-WAN management network based on uCPE original ports

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination