CN115277119A - Internal network access method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115277119A
Authority
CN
China
Prior art keywords
access request
internal network
address
access
port
Legal status
Granted
Application number
CN202210813223.4A
Other languages
Chinese (zh)
Other versions
CN115277119B (en)
Inventor
樊鹏辉
杨振燕
王志辉
周才军
曾依峰
罗燕武
宁海亮
胡新云
Current Assignee
Shenzhen Digital Certificate Authority Center Co ltd
Original Assignee
Shenzhen Digital Certificate Authority Center Co ltd
Events
Application filed by Shenzhen Digital Certificate Authority Center Co ltd
Priority to CN202210813223.4A
Publication of CN115277119A
Application granted
Publication of CN115277119B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866: Architectures; arrangements
    • H04L 67/30: Profiles


Abstract

The invention relates to the field of network security and discloses an internal network access method, device, equipment and storage medium. They allow an internal network to be reached through the public network over a long period while preventing projects from being attacked or cracked, improve the security of internal network access and the smoothness of use, and simplify management and maintenance, thereby reducing the workload of operation and maintenance personnel. The method comprises: receiving an access request from an external network, the access request being for accessing a first network address in the internal network; extracting specified information from the access request and querying, from a preset configuration file and on the basis of that information, whether the access request has permission to access the internal network, the specified information indicating the address from which the access request was sent and/or the position (port) at which the proxy server received it; and, if the access request has that permission, forwarding it to the first network address in the internal network.

Description

Internal network access method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for accessing an internal network.
Background
With the spread of enterprise information management, an information system that can only be used from inside the company no longer meets enterprise needs. The internal systems must be reachable by staff at offices opened elsewhere and by staff on business trips, and projects in the test environment must be reachable when a demonstration is given on site for a customer or when the customer operates the system directly.
In the related art there are two ways for a user to access an intranet project. One is to open the proxy for a short period, during which the user can reach the designated project through a public network address. In practice this is inefficient: because the proxy is opened only for a specified short window, a company with a complicated internal approval flow needs a long time to complete the proxy flow, which seriously delays the user's access. The approach also cannot avoid the risk of attack during the access window, and performing security maintenance on a single project for a short time is costly and increases the workload of operation and maintenance personnel. The other is to leave the proxy open to the outside for a long time. Although this saves time and is relatively simple, it leaves the project easy to attack and crack, in a dangerous environment. It also causes the server to receive a large number of invalid requests, which degrades the user's experience, wastes server resources and makes management inconvenient as the number of projects grows.
Disclosure of Invention
The invention provides an internal network access method, device, equipment and storage medium by which the internal network can be reached through the public network over a long period while projects are kept from being attacked or cracked; the security of internal network access and the smoothness of use are improved, and management and maintenance are made easier, so that the workload of operation and maintenance personnel is reduced.
To achieve the above object, a first aspect of the present invention provides an internal network access method, comprising: receiving an access request from an external network, the access request being for accessing a first network address in the internal network; extracting specified information from the access request and querying, from a preset configuration file and on the basis of the specified information, whether the access request has permission to access the internal network, the specified information indicating the address from which the access request was sent and/or the position at which the proxy server received it; and, if the access request has permission to access the internal network, forwarding it to the first network address in the internal network.
Optionally, in a first implementation of the first aspect, the specified information comprises a first IP address from which the access request was sent and a first port at which the proxy server received it, and the extracting and querying step comprises: determining whether the first IP address and the first port can be found in the configuration file; and, if both are found, determining that the access request has permission to access the internal network.
Optionally, in a second implementation of the first aspect, the configuration file records a specified mapping between IP addresses and ports, the mapping indicating that an access request sent from an IP address is received at a port mapped to that IP address; and the determining step comprises: determining whether the first IP address and the first port are mapped to each other in the configuration file; and, if they are, determining that the access request has permission to access the internal network.
Optionally, in a third implementation of the first aspect, the proxy server is provided with a plurality of ports; in the configuration file each port is mapped to a plurality of IP addresses, and each IP address is mapped to at least one port.
Optionally, in a fourth implementation of the first aspect, before receiving the access request from the external network, the method further comprises: sending, on the basis of the configuration file, designated port information to an IP address on the external network, so that the device at that IP address carries the designated port information when it sends an access request and sends the access request to the designated port contained in that information.
Optionally, in a fifth implementation of the first aspect, the method further comprises: receiving permission-setting information for a temporary request, the permission-setting information comprising identity information, a second IP address from which the temporary request is sent and a second port at which the proxy server receives it; and issuing a token to the second IP address, so that the token is carried when an access request for the internal network is sent from the second IP address, the token indicating that the second IP address is permitted to access the internal network.
Optionally, in a sixth implementation of the first aspect, the token has a preset validity duration, and the method further comprises: receiving a temporary request sent from the second IP address and looking up the issue time of the token carried in the temporary request; determining from the issue time and the current time whether the token is still within its validity duration; and, if it is, forwarding the temporary request to the second port.
A second aspect of the present invention provides an internal network access apparatus, comprising: a receiving module for receiving an access request from an external network, the access request being for accessing a first network address in the internal network; an extraction module for extracting specified information from the access request and querying, from a preset configuration file and on the basis of the specified information, whether the access request has permission to access the internal network, the specified information indicating the address from which the access request was sent and/or the position at which the proxy server received it; and a forwarding module for forwarding the access request to the first network address in the internal network if the access request has permission to access the internal network.
Optionally, in a first implementation of the second aspect, the specified information comprises a first IP address from which the access request was sent and a first port at which the proxy server received it, and the extraction module is further configured to determine whether the first IP address and the first port can be found in the configuration file and, if both are found, to determine that the access request has permission to access the internal network.
Optionally, in a second implementation of the second aspect, the configuration file records a specified mapping between IP addresses and ports, the mapping indicating that an access request sent from an IP address is received at a port mapped to that IP address; the extraction module is further configured to determine whether the first IP address and the first port are mapped to each other in the configuration file and, if they are, to determine that the access request has permission to access the internal network.
Optionally, the proxy server is provided with a plurality of ports; in the configuration file each port is mapped to a plurality of IP addresses, and each IP address is mapped to at least one port.
Optionally, in a third implementation of the second aspect, the apparatus further comprises a sending module configured to send, on the basis of the configuration file, designated port information to an IP address on the external network, so that the device at that IP address carries the designated port information when it sends an access request and sends the access request to the designated port contained in that information.
Optionally, in a fourth implementation of the second aspect, the apparatus further comprises a temporary receiving module configured to receive permission-setting information for a temporary request, the permission-setting information comprising identity information, a second IP address from which the temporary request is sent and a second port at which the proxy server receives it, and to issue a token to the second IP address, so that the token is carried when an access request for the internal network is sent from the second IP address, the token indicating that the second IP address is permitted to access the internal network.
Optionally, in a fifth implementation of the second aspect, the token has a preset validity duration, and the apparatus further comprises a query module configured to receive a temporary request sent from the second IP address, look up the issue time of the token carried in the temporary request, determine from the issue time and the current time whether the token is still within its validity duration and, if it is, forward the temporary request to the second port.
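The temporary-request path of the fifth and sixth implementations above (permission-setting information for an identity, a second IP address and a second port; a token issued to that address; the token's issue time checked against a preset validity duration before the request is forwarded to the second port), as an added example that is not code from the patent or from the assignee. The patent does not say how the token is protected; signing it with an HMAC over the identity, address, port and issue time, and refusing tokens presented from another address or on another port, are assumptions added here so that a token cannot be forged, altered or replayed from elsewhere. The key, the 600-second duration, the clock-skew allowance and all addresses are likewise assumptions.

```python
"""Time-limited token for the 'temporary request' path.

Editor's example, not code from the patent.  The patent specifies only that
a token is issued to the second IP address, records its issue time and is
checked against a preset validity duration before the request is forwarded
to the second port.  The HMAC signature and the binding to address and port
are assumptions added here.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional, Tuple

VALID_SECONDS = 600   # assumed validity duration
CLOCK_SKEW = 30       # tolerated difference between issuer and checker clocks


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TemporaryAccess:
    """Issues tokens from permission-setting information and checks them."""

    def __init__(self, key: bytes, valid_seconds: int = VALID_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key            # assumed shared secret of the proxy
        self._valid = valid_seconds
        self._clock = clock        # injectable so expiry can be tested

    def issue(self, identity: str, second_ip: str, second_port: int) -> str:
        """Token for (identity, second IP address, second port) with issue time."""
        claims = {"sub": identity, "ip": second_ip, "port": second_port,
                  "iat": int(self._clock())}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64e(tag)

    def check(self, token: str, source_ip: str,
              listening_port: int) -> Tuple[Optional[int], str]:
        """Return (port to forward to, reason); the port is None when refused."""
        try:
            body, tag = token.split(".")
            presented = _b64d(tag)
        except ValueError:            # also covers binascii.Error
            return None, "malformed token"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None, "bad signature"
        claims = json.loads(_b64d(body))   # authentic, so safe to parse
        # The token is usable only from the address it was issued to and
        # only on the port named in the permission-setting information.
        if claims["ip"] != source_ip:
            return None, "token was issued to a different address"
        if claims["port"] != listening_port:
            return None, "token is not for this port"
        now = self._clock()
        if claims["iat"] > now + CLOCK_SKEW:
            return None, "token issued in the future"
        if now - claims["iat"] > self._valid:
            return None, "token expired"
        return claims["port"], "ok"


if __name__ == "__main__":
    svc = TemporaryAccess(b"assumed-shared-secret")
    tok = svc.issue("alice", "203.0.113.20", 8083)   # constructed values
    print(svc.check(tok, "203.0.113.20", 8083))     # forwarded to 8083
    print(svc.check(tok, "203.0.113.21", 8083))     # refused: other address
```

The issue time is carried inside the signed claims rather than looked up from server state, so the proxy can check it without a database, but that only works because the signature stops the holder from rewriting it; an unsigned token with an issue time in it would let the bearer extend its own validity.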
A third aspect of the present invention provides an access device for an internal network, the access device for the internal network including: a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes instructions in the memory to cause the access device of the internal network to perform the access method of the internal network as described above.
A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon instructions which, when executed by a processor, implement the method of accessing an internal network as described above.
In the technical solution provided by the invention, an access request from an external network is received, the access request being for accessing a first network address in the internal network; specified information, which indicates the address from which the access request was sent and/or the position at which the proxy server received it, is extracted from the request, and a preset configuration file is queried on the basis of that information to find out whether the access request has permission to access the internal network; if it does, the request is forwarded to the first network address in the internal network. In this method the addresses for which internal network access has been applied for are added to the preset configuration file; after an access request arrives from the external network, the configuration file is consulted to determine whether the request has permission, and that result decides whether the request is forwarded to the first network address. Through the mapping between IP addresses and ports in the configuration file, the internal network can be reached through the external network for a long period while projects are kept from being attacked or cracked; security is improved, the server no longer wastes resources on large numbers of invalid requests, the user's experience is smoother, management and maintenance are simpler, and the workload of operation and maintenance personnel is reduced.
Drawings
Fig. 1 is a schematic diagram of an embodiment of an access method of an internal network in an embodiment of the present invention;
fig. 2 is a schematic diagram of another embodiment of the access method of the internal network in the embodiment of the present invention;
fig. 3 is a schematic diagram of an embodiment of an access device of an internal network according to an embodiment of the present invention;
fig. 4 is a schematic diagram of another embodiment of an access device of an internal network according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an embodiment of an access device of an internal network in the embodiment of the present invention.
Detailed Description
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
As noted in the Background, both existing approaches are unsatisfactory: opening the proxy only briefly is slow for a company with a complicated internal approval flow and still leaves the project exposed during the window, while leaving the proxy open for a long time makes the project easy to attack and crack, floods the server with invalid requests and becomes hard to manage as projects multiply.
To address these problems, the embodiments provide an internal network access method, apparatus, device and storage medium, applicable where a company's internal network is reached through the public network; the access method runs on a proxy server.
For convenience of understanding, a specific flow of the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of an access method for an internal network according to the embodiment of the present invention includes:
step S101, receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
Most technology companies today interconnect their computers, peripherals, databases and so on within a bounded area into a computer communication network: the internal network, or local area network, behind the firewall. Every computer on the intranet has an IP (Internet Protocol) address that is unique within that local area network. An internal IP address is a private address; it is not routable on the public network and can only be used internally, so internal users reach the company's projects through the internal network, which keeps the projects from being attacked maliciously and causing the company large losses. As enterprise information management spreads, an information system reachable only by internal users no longer meets enterprise needs, and the embodiment of the invention therefore provides an internal network access method by which the internal network can be reached through the public network for a long period while projects are still kept from being attacked or cracked.
Specifically, the proxy server receives an access request from the external network, the access request being for accessing a first network address in the internal network. The proxy server is an intermediary between the client and the server: it can control user behaviour, make a decision on each received access request and filter user requests according to filtering rules. Its most basic function is connectivity, in particular connecting the internal network to the Internet; it also provides security, caching, content filtering, access control management and so on. The first network address is the logical address by which the target node can be addressed on the network.
In the embodiment of the invention, the proxy service is implemented with the open-source gateway framework getway-zuul. Operation and maintenance personnel then only need to manage the proxy server and maintain and deploy the public IP addresses and ports through which the internal network's systems are reachable, and they can directly manage and configure projects in response to illegal access requests or unusually frequent malicious access requests, which greatly simplifies their work.
Step S102, extracting specified information from the access request and querying, from a preset configuration file and on the basis of the specified information, whether the access request has permission to access the internal network; the specified information indicates the address from which the access request was sent and/or the position at which the proxy server received it;
in actual implementation, the proxy server extracts the specified information from the access request; the specified information indicates the address from which the access request was sent and/or the position at which it was received. For example, if the information in a given access request shows that the request was sent from the first IP address and/or that the proxy server received it at the first port, the proxy server queries the preset configuration file, on the basis of that information, to find out whether the access request has permission to access the internal network.
Specifically, the preset configuration file contains a mapping between IP addresses and ports; the mapping indicates that an access request sent from an IP address is received at the port mapped to that IP address. The proxy server therefore determines whether the first IP address and the first port are mapped to each other in the configuration file. If they are, the access request sent from the first IP address was received at the port assigned to it, and the request is determined to have permission to access the internal network; if they are not, the request from the first IP address did not arrive at the port assigned to it, and it is determined not to have that permission.
Determining permission from the mapping between IP addresses and ports in the preset configuration file screens out and blocks illegal or malicious access requests, which improves the security of internal network access.
Furthermore, through that mapping the internal network can be reached through the external network for a long period while projects are kept from being attacked or cracked; the security of internal network access is improved, the waste of server resources on large numbers of invalid requests is avoided, and the user's experience is smoother.
Step S103, if the access request has the authority of accessing the internal network, the access request is forwarded to the first network address in the internal network.
In actual implementation, once the access request is determined to have permission to access the internal network, the proxy server forwards it to the first network address in the internal network, so that the project in the internal network is reached through the external network.
Optionally, the specified information comprises a first IP address from which the access request was sent and a first port at which the proxy server received it; the proxy server determines whether the first IP address and the first port can be found in the configuration file and, if both are found, determines that the access request has permission to access the internal network.
An access request sent by a user through the external network to reach the first network address in the internal network carries the first IP address, and the proxy server receives it at the first port. The proxy server then looks up the first IP address and the first port in the preset configuration file; if both are found there, the access request is determined to have permission to access the internal network. The preset configuration file is a file that holds different configurations for different objects.
Optionally, the configuration file records a specified mapping between IP addresses and ports, the mapping indicating that an access request sent from an IP address is received at a port mapped to that IP address; the proxy server determines whether the first IP address and the first port are mapped to each other in the configuration file and, if they are, determines that the access request has permission to access the internal network.
That is, the permission check is the mapping lookup described under step S102: if the first IP address and the first port are mapped to each other in the configuration file, the request was received at the port assigned to its source address and is permitted; if they are not, the request did not arrive at the port assigned to its source address and is refused.
In this step, whether the access request has permission to access the internal network is determined from the mapping between IP addresses and ports in the preset configuration file, so that illegal or malicious access requests are screened out and blocked and the security of internal network access is improved.
Optionally, the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
Specifically, the proxy server is provided with a plurality of ports, so that access requests sent by a plurality of IP addresses having mapping relations with those ports can be received; in the configuration file each port has a mapping relation with a plurality of IP addresses, and each IP address has a mapping relation with at least one port. For example, if the first port has a mapping relation with the first IP address, the second IP address and the third IP address, then an access request sent from any one of the first, second or third IP address and received by the first port has the right to access the internal network; if the first IP address has a mapping relation with both the first port and the second port, an access request sent by the first IP address has the right to access the internal network whether it is received by the first port or by the second port.
By adopting this step, the method supports a plurality of users sending access requests from different IP addresses, lets users log in and view the data they need conveniently, and at the same time improves the security of internal network access.
By adopting this step, operation and maintenance personnel only need to open the ports of the proxy server; access to the internal network from the external network is realized based on the configuration file, and a background management system is then developed on top of it. Optionally, the background management system may be developed with the Spring Boot framework, giving operation and maintenance personnel a visual management interface.
Optionally, based on the configuration file, designated port information is sent to the IP address of the external network, to indicate that the device corresponding to that IP address carries the designated port information when sending an access request and sends the access request to the designated port contained in the designated port information. Specifically, based on the configuration file, designated port information is sent to an IP address of the external network; the designated port information identifies the port that can receive access requests sent by that IP address, so that the device corresponding to the IP address carries the designated port information when sending an access request and sends the access request to the designated port. Based on this, the user can quickly access the internal network through the external network at any time and place by means of the designated port information, and the security of internal network access is also improved.
In addition, after the user logs in to the access system of the internal network, all page display and page jumps are handled by the internal network; no additional proxy address is exposed, all projects are managed centrally, and a proxy does not need to be configured for each access to each project. This reduces the risk that the user is attacked during access, reduces the workload of operation and maintenance personnel, and improves the user experience.
Further, permission setting information for a temporary request is received; the permission setting information includes: identity information, a second IP address for sending the temporary request, and a second port of the proxy server for receiving the temporary request. A token is issued to the second IP address, so that the second IP address carries the token when sending an access request to access the internal network; the token indicates that the second IP address has the right to access the internal network.
In actual implementation, the embodiment of the invention can configure a temporary login identity and access right for a user through a visual interface. The proxy server receives the permission setting information for the temporary request, which includes the user's identity information, the second IP address for sending the temporary request and the second port of the proxy server for receiving the temporary request, and issues a token to the second IP address based on that permission setting information, so that the token is carried when the second IP address sends an access request to access the internal network; the token indicates that the second IP address has the right to access the internal network. That is, the user carries the token when sending the temporary request from the external network device using the second IP address, the second port of the proxy server receives the temporary request, and on that basis the user can temporarily log in and access the project in the internal network.
By adopting these steps, temporary login and access permission are provided for the user, the project modules in the internal network can conveniently be demonstrated to the user, and other products of the enterprise can be selectively shown and introduced, which is convenient for the user and can also bring additional benefits to the enterprise.
Further, the token is preset with a valid duration; a temporary request sent by the second IP address is received, and the issuing time of the token in the temporary request is queried; whether the token is within the valid duration is determined based on the issuing time and the current time; if the token is within the valid duration, the temporary request is forwarded to the second port.
In practical implementation, the token is preset with a valid duration: within the valid duration the token is valid, and once the valid duration has elapsed the token is invalid. After receiving the temporary request sent by the second IP address, the proxy server queries the issuing time of the token carried in the temporary request, determines whether the token is still within the valid duration based on the issuing time and the current time at which the temporary request is received, and forwards the temporary request to the second port if the token is within the valid duration; if the token is not within the valid duration, that is, the token has expired, the temporary request is not forwarded.
By adopting these steps, convenience is provided for users who temporarily need to access the internal network, access requests from illegal or malicious users are blocked by means of the token, and the projects of the internal network are kept in a secure environment.
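The temporary-access flow above (permission setting information, token issued to the second IP address, issuing time checked against a preset valid duration, forwarding to the second port only while the token is valid) is shown below as an added example. This is illustration code written for this page, not code from the patent or its applicant; the token format (HMAC-signed JSON carrying the identity, the second IP address, the second port and the issuing time), the secret key, the one-hour valid duration and all sample addresses and timestamps are assumptions.

```python
"""Added example (not code from the patent): issuing a time-limited token for
a temporary access request and validating it on receipt.  Token format,
SECRET_KEY, VALID_DURATION and the sample values are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; in deployment it stays on the proxy only.
SECRET_KEY = b"example-proxy-key-not-for-production"
VALID_DURATION = 3600  # assumed preset valid duration, in seconds


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the encoded claims so the proxy can trust what it reads back."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(identity: str, second_ip: str, second_port: int, issued_at: int) -> str:
    """Issue a token from the permission setting information.  The issuing time
    (iat) is embedded so the proxy can query it from the token itself later."""
    payload = json.dumps(
        {"id": identity, "ip": second_ip, "port": second_port, "iat": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = _sign(payload)
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None.  A malformed or
    tampered token therefore yields no issuing time at all."""
    try:
        p_b64, s_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def token_is_valid(token: str, source_ip: str, received_port: int, now: int) -> bool:
    """Check the token against the request that carried it: signature good,
    issued to this second IP address and second port, and the issuing time
    within VALID_DURATION of the current time."""
    claims = parse_token(token)
    if claims is None:
        return False
    if claims.get("ip") != source_ip or claims.get("port") != received_port:
        return False
    issued_at = claims.get("iat")
    if not isinstance(issued_at, int):
        return False
    age = now - issued_at
    # A negative age means the issuing time lies in the future; reject that too.
    return 0 <= age <= VALID_DURATION


def route_temporary_request(token: str, source_ip: str, received_port: int,
                            now: int) -> Optional[int]:
    """Return the second port to forward the temporary request to, or None when
    the request must be dropped (expired, forged, or bound to another IP/port)."""
    if token_is_valid(token, source_ip, received_port, now):
        return received_port
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issuing time (Unix seconds)
    tok = issue_token("demo-user", "203.0.113.20", 8443, t0)
    print(route_temporary_request(tok, "203.0.113.20", 8443, t0 + 600))
    print(route_temporary_request(tok, "203.0.113.20", 8443, t0 + 2 * VALID_DURATION))
```

Binding the token to the second IP address and the second port, and signing it, means a token that leaks cannot simply be replayed from another address or against another listener; the proxy still has to take the source address from the transport connection rather than from any client-supplied header for that binding to mean anything.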
For further understanding of the present embodiment, referring to fig. 2, another embodiment of the method for accessing an internal network in the embodiment of the present invention includes:
Step S201, based on the configuration file, sending designated port information to the IP address of the external network, to indicate that the device corresponding to the IP address of the external network carries the designated port information when sending an access request and sends the access request to the designated port contained in the designated port information;
Specifically, the proxy server sends designated port information to an IP address of the external network based on the preset configuration file; the designated port information identifies the port that can receive access requests sent by that IP address, so that the device corresponding to the IP address carries the designated port information when sending an access request and sends the access request to the designated port. Based on this, the user can quickly access the internal network through the external network at any time and place by means of the designated port information, and the security of internal network access is also improved.
Step S202, receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
Specifically, the proxy server receives an access request from the external network, the access request being for accessing a first network address in the internal network. A proxy server is an intermediary program between clients and servers: it can control user behaviour, make decisions on received access requests, and filter user requests according to filtering rules. Its most basic function is connection, in particular connecting the internal network to the internet; it also provides security, caching, content filtering, access control management and similar functions. The access request is for accessing a first network address in the internal network; the first network address is the logical address that a node has in the network, by which the node can be addressed.
Step S203, extracting specified information from the access request, and inquiring whether the access request has the authority of accessing the internal network from a preset configuration file based on the specified information; the specified information is used for indicating an address for sending the access request and/or a position for receiving the access request by the proxy server;
In actual implementation, the proxy server extracts specified information from the access request, the specified information indicating the address that sent the access request and/or the position at which the proxy server received it. For example, if the specified information in an access request indicates that the sending address is the first IP address and/or that the proxy server received the request on the first port, the proxy server can query the preset configuration file, based on that information, to determine whether the access request has the right to access the internal network.
Step S204, determining whether the first IP address and the first port have a mapping relation in a configuration file; if the first IP address has a mapping relation with the first port, determining that the access request has the authority of accessing the internal network;
In the configuration file, IP addresses and ports have a specified mapping relation, which indicates that an access request sent by a given IP address is to be received through a port having a mapping relation with that IP address. That is, the preset configuration file contains a mapping relationship between IP addresses and ports, and a port mapped to an IP address is the port that receives the access requests sent by that IP address.
Further, it is determined whether the first IP address and the first port have a mapping relation in the configuration file. If they do, the access request sent by the first IP address was received by a port mapped to that address, and on that basis the access request is determined to have the authority to access the internal network; if the first IP address does not have a mapping relation with the first port, the first port is not a port permitted to receive requests from the first IP address, and on that basis the access request is determined not to have the authority to access the internal network.
Step S205, if the access request has the right to access the internal network, the access request is forwarded to the first network address in the internal network.
In actual implementation, if it is determined that the access request has the right to access the internal network, the proxy server forwards the access request to the first network address of the internal network, so as to access the item in the internal network through the external network.
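The IP-to-port mapping described in the optional embodiment above (one port mapped to the first, second and third IP addresses; one IP address mapped to two ports) and the proxy-side flow of steps S201 to S205 are shown together below as one added example. This is illustration code written for this page, not the patent's or the applicant's implementation; the JSON layout of the configuration file, the function names and the TEST-NET sample addresses are assumptions.

```python
"""Added example (not code from the patent): the proxy's authorisation
decision based on the IP-address-to-port mapping in a configuration file.
Config layout, names and sample addresses are assumptions."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed configuration file contents (assumed JSON layout).  Each proxy
# port lists the external IP addresses whose requests it may receive; an
# address may appear under more than one port, so every address maps to at
# least one port and every port to several addresses, as in the text.
CONFIG_JSON = """
{
  "ports": {
    "8441": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "8442": ["203.0.113.10"]
  }
}
"""


def load_config(text: str) -> Dict[int, Set[str]]:
    """Parse the configuration and return port -> set of permitted source IPs.
    Addresses are canonicalised (matters for IPv6 textual variants) and
    malformed entries raise at load time instead of silently never matching."""
    raw = json.loads(text)
    mapping: Dict[int, Set[str]] = {}
    for port_str, ips in raw["ports"].items():
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port in config: {port_str}")
        mapping[port] = {str(ipaddress.ip_address(ip)) for ip in ips}
    return mapping


def designated_ports(mapping: Dict[int, Set[str]], ip: str) -> List[int]:
    """Step S201: the designated port(s) an external IP address is told to use."""
    ip_norm = str(ipaddress.ip_address(ip))
    return sorted(port for port, ips in mapping.items() if ip_norm in ips)


@dataclass(frozen=True)
class AccessRequest:
    """The 'specified information' extracted from a received request (S203)."""
    source_ip: str      # first IP address: the address that sent the request
    received_port: int  # first port: where the proxy received the request
    target: str         # first network address inside the internal network


def has_access(mapping: Dict[int, Set[str]], req: AccessRequest) -> bool:
    """Steps S203/S204: authorised only if the source IP has a mapping relation
    with the port that actually received the request."""
    try:
        ip_norm = str(ipaddress.ip_address(req.source_ip))
    except ValueError:
        return False  # unparsable source address is never authorised
    return ip_norm in mapping.get(req.received_port, set())


def handle_request(mapping: Dict[int, Set[str]], req: AccessRequest) -> Optional[str]:
    """Step S205: return the internal address to forward to, or None to drop
    the request without forwarding."""
    if has_access(mapping, req):
        return req.target
    return None


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print(designated_ports(cfg, "203.0.113.10"))
    print(handle_request(cfg, AccessRequest("203.0.113.11", 8441, "10.0.0.5:80")))
    print(handle_request(cfg, AccessRequest("203.0.113.11", 8442, "10.0.0.5:80")))
```

The source address must be the peer address of the transport connection, never a client-controlled header, and the port is the listener the request arrived on; otherwise the mapping can be satisfied by whoever writes the request.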
The method for accessing an internal network in the embodiment of the present invention is described above; with reference to fig. 3, an access apparatus of an internal network in the embodiment of the present invention is described below. An embodiment of the access apparatus of the internal network includes:
a receiving module 31, configured to receive an access request from an external network; wherein the access request is used for accessing a first network address in the internal network;
the extracting module 32 is configured to extract the specified information from the access request, and query whether the access request has the right to access the internal network from a preset configuration file based on the specified information; the specified information is used for indicating an address for sending the access request and/or a position for receiving the access request by the proxy server;
a forwarding module 33, configured to forward the access request to the first network address in the internal network if the access request has the right to access the internal network.
The access device of the internal network receives an access request from an external network, the access request being for accessing a first network address in the internal network; extracts specified information from the access request and queries, based on the specified information, a preset configuration file to determine whether the access request has the authority to access the internal network, the specified information indicating the address that sent the access request and/or the position at which the proxy server received it; and, if the access request has the right to access the internal network, forwards the access request to the first network address in the internal network. In this apparatus, an address for which an internal-network project has applied is added to the preset configuration file; after an access request from the external network is received, the preset configuration file is queried to determine whether the access request has the authority to access the internal network, and whether to forward the access request to the first network address in the internal network is decided on the basis of that result. Furthermore, through the mapping relation between IP addresses and ports in the preset configuration file, the internal network can be accessed through the external network over a long period while the projects are protected from attack or cracking, which improves the security of internal network access; in addition, the waste of server resources caused by the server receiving large numbers of invalid requests is avoided, the user's experience is smoother, management and maintenance are convenient, and the workload of operation and maintenance personnel is reduced.
Referring to fig. 4, another embodiment of the access device of the internal network according to the embodiment of the present invention includes:
a receiving module 31, configured to receive an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
an extracting module 32, configured to extract specified information from the access request, and query, based on the specified information, from a preset configuration file whether the access request has a right to access the internal network; the specified information is used for indicating an address for sending the access request and/or a position for receiving the access request by the proxy server;
a forwarding module 33, configured to forward the access request to the first network address in the internal network if the access request has the right to access the internal network.
The above-mentioned specified information includes: a first IP address for sending an access request and a first port for receiving the access request by a proxy server; the extraction module is further configured to: determining whether the first IP address and the first port are queried from the configuration file; and if the first IP address and the first port are inquired, determining that the access request has the authority of accessing the internal network.
In the configuration file, the IP address and the port have a specified mapping relation; the mapping is used to indicate: an access request sent by the IP address is received through a port which has a mapping relation with the IP address; the extraction module is further configured to: determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address has a mapping relation with the first port, determining that the access request has the authority of accessing the internal network.
The proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
The apparatus further includes a sending module 34, configured to send, based on the configuration file, designated port information to an IP address of the external network, so that the device corresponding to that IP address carries the designated port information when sending an access request and sends the access request to the designated port contained in the designated port information.
The above apparatus further comprises a temporary receiving module 35 configured to: receiving temporarily requested permission setting information; wherein the authority setting information includes: identity information, a second IP address for sending the temporary request, and a second port for receiving the temporary request by the proxy server; a token is issued to the second IP address, so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is to indicate: the second IP address has access to the internal network.
The token is preset with a valid duration; the apparatus further comprises a query module 36 configured to: receive a temporary request sent by the second IP address and query the issuing time of the token in the temporary request; determine whether the token is within the valid duration based on the issuing time and the current time; and forward the temporary request to the second port if the token is within the valid duration.
Fig. 3 and fig. 4 describe the access apparatus of the internal network in the embodiment of the present invention in detail from the perspective of modularization; the access device of the internal network in the embodiment of the present invention is described in detail below from the perspective of hardware processing.
Fig. 5 is a schematic structural diagram of an access device of an internal network according to an embodiment of the present invention. The access device 500 of the internal network may vary considerably in configuration or performance, and may include one or more processors (CPUs) 510 (e.g., one or more processors) and a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) for storing applications 533 or data 532. Memory 520 and storage media 530 may be, among other things, transient or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations on the access device 500 of the internal network. Further, the processor 510 may be configured to communicate with the storage medium 530 and execute the series of instruction operations in the storage medium 530 on the access device 500 of the internal network.
The internal network access device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input-output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc. Those skilled in the art will appreciate that the internal network access device configuration shown in fig. 5 does not constitute a limitation of the internal network access device, which may include more or fewer components than shown, may combine some components, or may arrange the components differently.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and which may also be a volatile computer-readable storage medium, having stored therein instructions, which, when executed on a computer, cause the computer to perform the steps of the method for accessing an internal network.
The present invention further provides an access device of an internal network, where the access device of the internal network includes a memory and a processor, and the memory stores instructions, and the instructions, when executed by the processor, cause the processor to perform the steps of the access method of the internal network in the foregoing embodiments.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
A blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic means, each data block containing the information of a batch of network transactions, used to verify the validity (anti-counterfeiting) of that information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a portable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An access method for an internal network, the access method for the internal network being applied to a proxy server of the internal network, the access method for the internal network comprising:
receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
extracting specified information from the access request, and inquiring whether the access request has the authority of accessing the internal network from a preset configuration file based on the specified information; wherein, the specified information is used for indicating the address for sending the access request and/or the position for receiving the access request by the proxy server;
forwarding the access request to a first network address in the internal network if the access request has permission to access the internal network.
2. The method according to claim 1, wherein the specified information includes: the first IP address sending the access request and the first port of the proxy server receiving the access request; and the step of extracting the specified information from the access request and inquiring whether the access request has the authority of accessing the internal network from a preset configuration file based on the specified information comprises the following steps:
determining whether the first IP address and the first port are queried from the configuration file;
and if the first IP address and the first port are inquired, determining that the access request has the authority of accessing the internal network.
3. The method according to claim 2, wherein the configuration file has a specified mapping relationship between an IP address and a port; the mapping relationship is used for indicating that: an access request sent by the IP address is received through a port which has a mapping relation with the IP address;
the step of determining that the access request has the right to access the internal network if the first IP address and the first port are queried comprises:
determining whether the first IP address and the first port have a mapping relation in the configuration file;
and if the first IP address has a mapping relation with the first port, determining that the access request has the authority of accessing the internal network.
4. The method according to claim 1, wherein the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
5. The method for accessing an internal network according to claim 1, wherein the step of receiving the access request from the external network is preceded by the method for accessing an internal network further comprising:
based on the configuration file, sending designated port information to an IP address of an external network, to indicate that the device corresponding to the IP address of the external network carries the designated port information when sending an access request and sends the access request to the designated port contained in the designated port information.
6. The method for accessing an internal network according to claim 1, further comprising:
receiving temporarily requested permission setting information; wherein the authority setting information includes: identity information, a second IP address for sending a temporary request, and a second port for receiving the temporary request by the proxy server;
a token is issued to the second IP address, so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is to indicate: the second IP address has a right to access the internal network.
7. The method according to claim 6, wherein the token is preset with a valid duration; the access method of the internal network further comprises the following steps:
receiving a temporary request sent by the second IP address, and inquiring the issuing time of a token in the temporary request;
determining whether the token is in the valid duration based on the issuance time and a current time;
forwarding the temporary request to the second port if the token is in the valid duration.
8. An access device for an internal network, the access device for the internal network being provided in a proxy server of the internal network, the access device for the internal network comprising:
the receiving module is used for receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
the extraction module is used for extracting specified information from the access request, and inquiring whether the access request has the authority of accessing the internal network from a preset configuration file based on the specified information; wherein, the specified information is used for indicating the address for sending the access request and/or the position for receiving the access request by the proxy server;
a forwarding module, configured to forward the access request to the first network address in the internal network if the access request has the right to access the internal network.
9. An access device of an internal network, the access device of the internal network comprising: a memory and at least one processor, the memory having instructions stored therein;
the at least one processor invoking the instructions in the memory to cause the internal network access device to perform the internal network access method of any one of claims 1-7.
10. A computer-readable storage medium having instructions stored thereon, wherein the instructions, when executed by a processor, implement the method of accessing an internal network according to any one of claims 1 to 7.
Application CN202210813223.4A, filed 2022-07-12 (priority date 2022-07-12): "Access method, device, equipment and storage medium of internal network". Status: Active.

Publications: CN115277119A (application, published 2022-11-01); CN115277119B (granted, published 2024-02-09).

Family

ID=83765719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210813223.4A Active CN115277119B (en) 2022-07-12 2022-07-12 Access method, device, equipment and storage medium of internal network

Country Status (1)

Country Link
CN (1) CN115277119B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101040497A (en) * 2004-10-12 2007-09-19 松下电器产业株式会社 Firewall system and firewall control method
CN105376107A (en) * 2014-08-29 2016-03-02 腾讯科技(深圳)有限公司 Terminal test method and proxy server
CN106060041A (en) * 2016-05-30 2016-10-26 北京琵琶行科技有限公司 Enterprises network access authority control method and device
CN107948329A (en) * 2018-01-03 2018-04-20 湖南麓山云数据科技服务有限公司 A kind of cross-domain processing method and system
US20180255153A1 (en) * 2017-03-01 2018-09-06 Fujitsu Limited Information processing apparatus and information processing system
CN108600204A (en) * 2018-04-11 2018-09-28 浙江大学 A kind of corporate intranet access method based on Opposite direction connection and application layer tunnel
CN110166432A (en) * 2019-04-17 2019-08-23 平安科技(深圳)有限公司 The access method of internal net destination service provides the method for Intranet destination service
US20210055927A1 (en) * 2019-08-23 2021-02-25 Skyhigh Networks, Llc Systems, method, and media for determining security compliance of continuous build software

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101040497A (en) * 2004-10-12 2007-09-19 松下电器产业株式会社 Firewall system and firewall control method
CN105376107A (en) * 2014-08-29 2016-03-02 腾讯科技(深圳)有限公司 Terminal test method and proxy server
CN106060041A (en) * 2016-05-30 2016-10-26 北京琵琶行科技有限公司 Enterprises network access authority control method and device
US20180255153A1 (en) * 2017-03-01 2018-09-06 Fujitsu Limited Information processing apparatus and information processing system
CN107948329A (en) * 2018-01-03 2018-04-20 湖南麓山云数据科技服务有限公司 A kind of cross-domain processing method and system
CN108600204A (en) * 2018-04-11 2018-09-28 浙江大学 Corporate intranet access method based on reverse connection and an application-layer tunnel
CN110166432A (en) * 2019-04-17 2019-08-23 平安科技(深圳)有限公司 Method for accessing an intranet target service and method for providing an intranet target service
US20210055927A1 (en) * 2019-08-23 2021-02-25 Skyhigh Networks, Llc Systems, method, and media for determining security compliance of continuous build software

Also Published As

Publication number Publication date
CN115277119B (en) 2024-02-09

Similar Documents

Publication Publication Date Title
US20200259858A1 (en) Identifying security actions based on computing asset relationship data
US9047387B2 (en) Secregating anonymous access to dynamic content on a web server, with cached logons
US7774470B1 (en) Load balancing using a distributed hash
CN101443746B (en) Method for protecting client and server
JP2005502239A (en) Method and apparatus for client side dynamic load balancing system
WO2004025491A1 (en) System and method for high performance shared web hosting
US6714970B1 (en) Protecting open world wide web sites from known malicious users by diverting requests from malicious users to alias addresses for the protected sites
JP7045050B2 (en) Communication monitoring system and communication monitoring method
CN104901923A (en) Virtual machine access device and method
US20140282891A1 (en) Method and system for unique computer user identification for the defense against distributed denial of service attacks
WO2013035409A1 (en) Cloud computing system
WO2005114957A1 (en) Method and apparatus for providing security to web services
CN109286630A (en) Classified-protection (MLPS) processing method, device, equipment and storage medium
CN107454050B (en) Method and device for accessing network resources
Kang et al. A strengthening plan for enterprise information security based on cloud computing
CN115277119B (en) Access method, device, equipment and storage medium of internal network
US6442654B1 (en) Operating system support for in-server caching of documents
JPH09325927A (en) Remote network management system
CN114039751B (en) Network dynamic sensing device, system and method
CN101800752A (en) Method and system for improving safety and performance of domain name system (DNS)
CN201717899U (en) System for improving safety and performance of domain name system
Bandela et al. Survey on cloud computing technologies and security threats
KR102383998B1 (en) Information collection agency system including proxy server that manages internet protocol addresses
Okunade Security Architecture for Thin Client Network
US8606748B2 (en) Customer detail publication in an internal UDDI

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant