CN115277119B - Access method, device, equipment and storage medium of internal network - Google Patents

Info

Publication number
CN115277119B
CN115277119B (application CN202210813223.4A)
Authority
CN
China
Prior art keywords
address
access
internal network
access request
port
Prior art date
Legal status
Active
Application number
CN202210813223.4A
Other languages
Chinese (zh)
Other versions
CN115277119A (en)
Inventor
樊鹏辉
杨振燕
王志辉
周才军
曾依峰
罗燕武
宁海亮
胡新云
Current Assignee
Shenzhen Digital Certificate Authority Center Co ltd
Original Assignee
Shenzhen Digital Certificate Authority Center Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Abstract

The invention relates to the technical field of network security and discloses an access method, device, equipment and storage medium for an internal network, which are used for realizing long-term access to the internal network through a public network, preventing projects from being attacked or cracked, improving the security of internal network access and the smoothness of the user's experience, and simplifying management and maintenance, thereby reducing the workload of operation and maintenance personnel. The method comprises the following steps: receiving an access request from an external network, the access request being for accessing a first network address in the internal network; extracting specified information from the access request and, based on that information, querying a preset configuration file as to whether the access request has the authority to access the internal network, where the specified information indicates the address from which the access request was sent and/or the location (port) at which the proxy server received it; and, if the access request has that authority, forwarding it to the first network address in the internal network.

Description

Access method, device, equipment and storage medium of internal network
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for accessing an internal network.
Background
With the spread of enterprise informatization management, an information system that can only be used by internal users no longer meets enterprise requirements. Office staff at branches in other regions and personnel on business trips need to access the enterprise's internal systems, and when a user has to give an on-site presentation or operate a system personally, the user needs to access projects in the test environment.
In the related art, there are two ways for a user to access an intranet project. One is to open a proxy for a short, prescribed period, during which the user can access the designated project through a public network address. This approach is inefficient in practice: because the proxy is opened only for a short, prescribed period, a company with a relatively complex internal approval flow takes a long time to complete that flow, which seriously delays the user's access. Moreover, it does not remove the risk of attack during the access period, and performing security maintenance on a single project for a short period is costly and increases the workload of operation and maintenance personnel. The other way is to keep the proxy open to the outside for a long time. Although this saves time and is simpler, it leaves the project easy to attack or crack, exposing it to a dangerous environment. It also causes the server to receive a large number of invalid requests, which degrades the user's experience, wastes server resources, and becomes inconvenient to manage as the number of projects grows.
Disclosure of Invention
The invention provides an access method, device, equipment and storage medium for an internal network, which are used for realizing long-time access to the internal network through a public network, avoiding attack or cracking of projects, improving the safety of accessing to the internal network and the smoothness of use of users, and facilitating management and maintenance, thereby reducing the workload of operation and maintenance personnel.
To achieve the above object, a first aspect of the present invention provides an access method for an internal network, including: receiving an access request from an external network, the access request being for accessing a first network address in the internal network; extracting specified information from the access request and, based on that information, querying a preset configuration file as to whether the access request has the authority to access the internal network, where the specified information indicates the address from which the access request was sent and/or the location at which the proxy server received it; and, if the access request has that authority, forwarding it to the first network address in the internal network.
Optionally, in a first implementation manner of the first aspect of the present invention, the specifying information includes: a first IP address for sending an access request and a first port for receiving the access request by a proxy server; the step of extracting the specified information from the access request, and based on the specified information, inquiring whether the access request has the authority to access the internal network from the preset configuration file comprises the following steps: determining whether the first IP address and the first port are queried from the configuration file; if the first IP address and the first port are queried, determining that the access request has the right to access the internal network.
Optionally, in a second implementation manner of the first aspect of the present invention, in the configuration file, an IP address and a port have a specified mapping relationship; the mapping relationship is used for indicating: an access request sent by the IP address is received through a port with a mapping relation with the IP address; if the first IP address and the first port are queried, determining that the access request has the right to access the internal network comprises the following steps: determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
Optionally, in a third implementation manner of the first aspect of the present invention, the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
Optionally, in a fourth implementation manner of the first aspect of the present invention, before the step of receiving an access request from the external network, the access method of the internal network further includes: sending designated port information, based on the configuration file, to an IP address of the external network, so that the device corresponding to that IP address carries the designated port information when it sends an access request and sends the access request to the designated port contained in the designated port information.
Optionally, in a fifth implementation manner of the first aspect of the present invention, the method for accessing an internal network further includes: receiving authority setting information of a temporary request; wherein the authority setting information includes: identity information, a second IP address for sending the temporary request, and a second port for receiving the temporary request by the proxy server; issuing a token to the second IP address so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is used for indicating: the second IP address has access to the internal network.
Optionally, in a sixth implementation manner of the first aspect of the present invention, the token is preset with a valid duration, and the access method of the internal network further comprises: receiving a temporary request sent by the second IP address and querying the issuing time of the token carried in the temporary request; determining, based on the issuing time and the current time, whether the token is within its valid duration; and if the token is within its valid duration, forwarding the temporary request to the second port.
A second aspect of the present invention provides an access apparatus for an internal network, the access apparatus for an internal network including: the receiving module is used for receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network; the extraction module is used for extracting the specified information from the access request, and inquiring whether the access request has the authority to access the internal network or not from the preset configuration file based on the specified information; the appointed information is used for indicating an address for sending the access request and/or a position where the proxy server receives the access request; and the forwarding module is used for forwarding the access request to a first network address in the internal network if the access request has the authority to access the internal network.
Optionally, in a first implementation manner of the second aspect of the present invention, the specifying information includes: a first IP address for sending an access request and a first port for receiving the access request by a proxy server; the extraction module is further used for: determining whether the first IP address and the first port are queried from the configuration file; if the first IP address and the first port are queried, determining that the access request has the authority to access the internal network.
Optionally, in a second implementation manner of the second aspect of the present invention, in the configuration file, an IP address and a port have a specified mapping relationship; the mapping relationship is used for indicating: an access request sent by the IP address is received through a port with a mapping relation with the IP address; the extraction module is further used for: determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
Optionally, the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
Optionally, in a third implementation manner of the second aspect of the present invention, the apparatus further includes a sending module, configured to send, based on the configuration file, specified port information to an IP address of the external network, so as to instruct, when an apparatus corresponding to the IP address of the external network sends an access request, to carry the specified port information, and send the access request to a specified port included in the specified port information.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the apparatus further includes a temporary receiving module, configured to: receiving authority setting information of a temporary request; wherein the authority setting information includes: identity information, a second IP address for sending the temporary request, and a second port for receiving the temporary request by the proxy server; issuing a token to the second IP address so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is used for indicating: the second IP address has access to the internal network.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the token is preset with a valid duration; the device also comprises a query module for: receiving a temporary request sent by a second IP address, and inquiring the issuing time of a token in the temporary request; determining whether the token is in the valid duration based on the issuing time and the current time; if the token is in the valid duration, the temporary request is forwarded to the second port.
A third aspect of the present invention provides an access device of an internal network, the access device of the internal network including: a memory and at least one processor, the memory storing instructions; the at least one processor invokes the instructions in the memory to cause the access device of the internal network to perform the access method of the internal network as described above.
A fourth aspect of the invention provides a computer readable storage medium having instructions stored thereon which, when executed by a processor, implement a method of accessing an internal network as described above.
In the technical solution provided by the present invention, an access request from an external network is received, the access request being for accessing a first network address in the internal network; specified information is extracted from the access request and, based on it, a preset configuration file is queried as to whether the access request has the authority to access the internal network, the specified information indicating the address from which the access request was sent and/or the location at which the proxy server received it; and if the access request has that authority, it is forwarded to the first network address in the internal network. In this method the address of an internal network application is added to the preset configuration file; after an access request from the external network is received, the configuration file is queried as to whether the request is permitted to access the internal network, and the judgement result determines whether the request is forwarded to the first network address. Furthermore, through the mapping between IP address and port in the preset configuration file, the internal network can be accessed through the external network for a long time while projects are protected from attack or cracking; the security of internal network access is improved, the problem of the server receiving large numbers of invalid requests and wasting its resources is solved, the user's experience is smoother, management and maintenance are more convenient, and the workload of operation and maintenance personnel is reduced.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for accessing an internal network according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of another embodiment of an access method of an internal network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of an access device for an internal network according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another embodiment of an access device for an internal network according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an embodiment of an access device of an internal network according to an embodiment of the present invention.
Detailed Description
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
In the prior art, there are two ways for a user to access an intranet project. One is to open a proxy for a short, prescribed period, during which the user can access the designated project through a public network address. This approach is inefficient in practice: because the proxy is opened only for a short, prescribed period, a company with a relatively complex internal approval flow takes a long time to complete that flow, which seriously delays the user's access. Moreover, it does not remove the risk of attack during the access period, and performing security maintenance on a single project for a short period is costly and increases the workload of operation and maintenance personnel. The other way is to keep the proxy open to the outside for a long time. Although this saves time and is simpler, it leaves the project easy to attack or crack, exposing it to a dangerous environment. It also causes the server to receive a large number of invalid requests, which degrades the user's experience, wastes server resources, and becomes inconvenient to manage as the number of projects grows.
Based on the above-mentioned problems, the present embodiment provides an access method, apparatus, device and storage medium for an internal network, and the technology can be applied to accessing a company internal network scene through a public network, where the access method for an internal network is applied to a proxy server.
For easy understanding, the following describes a specific flow of an embodiment of the present invention, referring to fig. 1, and one embodiment of an access method for an internal network in an embodiment of the present invention includes:
step S101, receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
At present, most technology companies connect their computers, peripheral devices, databases and the like within a certain range around the company into a computer communication network, that is, an internal network or local area network behind a firewall. The IP (Internet Protocol) address of each computer within the internal network is unique within that local network. An internal network IP address is a private address: it is not routable on the public network and can only be used internally, so internal users access the company's projects through the internal network, which protects the projects from malicious attacks that could cause the company heavy losses. With the spread of enterprise informatization management, an information system usable only by internal users no longer meets enterprise requirements; on this basis, the embodiment of the present invention provides an access method for an internal network that enables long-term access to the internal network through a public network while preventing projects from being attacked or cracked. The public network is the counterpart of the internal network, namely the external network.
Specifically, the proxy server receives an access request from an external network, the access request being for accessing a first network address in the internal network. The proxy server is not only a server, but also an intermediate program of a client, can control the behavior of a user, makes a decision on a received access request, filters the user request according to a filtering rule, has the most basic functions of connecting an internal network with the Internet, and further comprises the functions of security, cache, content filtering, access control management and the like. The access request is used to access a first network address in the internal network, where the first network address is a logical address of a node on the internet in the network, and the node can be addressed.
In the embodiment of the present invention, the proxy service is implemented with the open-source framework getway-zuul. Operation and maintenance personnel only need to manage the proxy server and maintain the open IP addresses and ports of the access system deployed for the internal network, and can manage and configure the project directly against illegal access requests or high-frequency malicious access requests, which greatly simplifies their work.
Step S102, extracting the appointed information from the access request, and inquiring whether the access request has the authority to access the internal network from the preset configuration file based on the appointed information; the appointed information is used for indicating an address for sending the access request and/or a position where the proxy server receives the access request;
In actual implementation, the proxy server extracts the specified information from the access request, where the specified information indicates the address from which the access request was sent and/or the location at which the proxy server received it. For example, if the indication information in an access request gives the sending address as the first IP address and/or the receiving location on the proxy server as the first port, the proxy server can query a preset configuration file, based on this specified information, as to whether the access request has the authority to access the internal network.
Specifically, the preset configuration file contains a mapping relationship between IP addresses and ports; the mapping indicates that an access request sent by a given IP address is to be received by the port mapped to that IP address. The proxy server then determines whether the first IP address and the first port have a mapping relationship in the configuration file. If they do, an access request sent by the first IP address should indeed be received by the first port, and on that basis the access request is determined to have the authority to access the internal network; if they do not, an access request sent by the first IP address should not be received by the first port, and the access request is determined not to have that authority.
Determining whether an access request has the authority to access the internal network through the mapping between IP address and port in the preset configuration file screens out and blocks illegal or malicious access requests, improving the security of internal network access.
Furthermore, through this mapping between IP address and port in the preset configuration file, the internal network can be accessed through the external network for a long time while projects are protected from attack or cracking; the security of internal network access is improved, the problem of the server receiving large numbers of invalid requests and wasting its resources is solved, and the user's experience is smoother.
Step S103, if the access request has the right to access the internal network, forwarding the access request to the first network address in the internal network.
In actual implementation, if it is determined that the access request has the authority to access the internal network, the proxy server forwards the access request to the first network address of the internal network, so as to realize access to the items in the internal network through the external network.
The access method of the internal network receives an access request from an external network, the access request being for accessing a first network address in the internal network; extracts specified information from the access request and, based on it, queries a preset configuration file as to whether the access request has the authority to access the internal network, the specified information indicating the address from which the access request was sent and/or the location at which the proxy server received it; and, if the access request has that authority, forwards it to the first network address in the internal network. In this method the address of an internal network application is added to the preset configuration file; after an access request from the external network is received, the configuration file is queried as to whether the request is permitted to access the internal network, and the judgement result determines whether the request is forwarded to the first network address. Furthermore, through the mapping between IP address and port in the preset configuration file, the internal network can be accessed through the external network for a long time while projects are protected from attack or cracking; the security of internal network access is improved, the problem of the server receiving large numbers of invalid requests and wasting its resources is solved, the user's experience is smoother, management and maintenance are more convenient, and the workload of operation and maintenance personnel is reduced.
Optionally, the above specified information includes: a first IP address for sending an access request and a first port for receiving the access request by a proxy server; determining whether the first IP address and the first port are queried from the configuration file; if the first IP address and the first port are queried, determining that the access request has the right to access the internal network.
The access request sent by the user through the external network to access the first network address in the internal network comprises the first IP address and the first port for receiving the access request by the proxy server. Further, the first IP address and the first port are queried from a preset configuration file, whether the first IP address and the first port are queried from the configuration file is determined, and if the first IP address and the first port are queried, the access request is determined to have the authority to access the internal network. The preset configuration files are files for carrying out different configurations on different objects.
Optionally, in the configuration file, the IP address and the port have a specified mapping relationship; the mapping relationship is used for indicating: an access request sent by the IP address is received through a port with a mapping relation with the IP address; determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
That is, the preset configuration file contains a mapping relationship between IP addresses and ports; the mapping indicates that an access request sent by a given IP address is to be received by the port mapped to that IP address. The proxy server then determines whether the first IP address and the first port have a mapping relationship in the configuration file. If they do, an access request sent by the first IP address should indeed be received by the first port, and on that basis the access request is determined to have the authority to access the internal network; if they do not, an access request sent by the first IP address should not be received by the first port, and the access request is determined not to have that authority.
In the step, whether the access request has the authority to access the internal network is determined through the mapping relation between the IP address and the port in the preset configuration file, so that illegal access requests or malicious access requests are screened and blocked, and the access security of the internal network is improved.
Optionally, the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
Specifically, the proxy server is provided with a plurality of ports, so that it can receive access requests sent from the plurality of IP addresses mapped to each port; in the configuration file, each port is mapped to a plurality of IP addresses and each IP address is mapped to at least one port. For example, if the first port is mapped to the first, second and third IP addresses, an access request sent from any of those three addresses has the authority to access the internal network when it is received by the first port; and if the first IP address is mapped to both the first port and the second port, an access request sent by the first IP address has that authority whether it is received by the first port or by the second port.
By adopting the step, a plurality of users can send access requests through different IP addresses, the users can log in and view required data conveniently, convenience is provided for the users, and meanwhile, the safety of internal network access is improved.
By adopting the steps, the operation and maintenance personnel only need to open the port of the proxy server, access to the internal network through the external network is realized based on the configuration file, then the background management system is developed, in an optional mode, the background management system can be developed by using the springboot framework, thereby realizing the visualization of the operation and maintenance personnel, on the basis of the step, the operation and maintenance personnel only need to manage the proxy server, maintain the IP and the port which are opened by the access system for deploying the internal network, and can directly manage and configure in the project of the internal network aiming at illegal access requests or malicious access requests with higher frequency, thereby greatly simplifying the operation difficulty of the operation and maintenance personnel.
Optionally, based on the configuration file, sending the designated port information to the IP address of the external network, so as to carry the designated port information when the device corresponding to the IP address of the external network sends the access request, and sending the access request to the designated port included in the designated port information. Specifically, based on the configuration file, designated port information is sent to the IP address of the external network, where the designated port information is used to indicate port information that can receive the access request sent by the IP address of the external network, so as to indicate that, when the device corresponding to the IP address of the external network sends the access request, the designated port information is carried, and the access request is sent to the designated port. Based on the above, the user can realize the requirement of accessing the internal network through the external network at any time and any place through the specified port information, and the security of accessing the internal network is improved.
In addition, after the user logs in the access system of the internal network, all the display and the skip of the page are processed by the internal network, the addresses of other agents are not needed, the overall management is implemented on all the items, the agents are not needed to be configured for each access of each item, the danger that the user is attacked in the access process is also needed, the workload of operation and maintenance personnel is reduced, and the use experience of the user is improved.
Further, permission setting information of a temporary request is received, where the permission setting information includes: identity information, a second IP address from which the temporary request is sent, and a second port at which the proxy server receives the temporary request; and a token is issued to the second IP address so that the token is carried when the second IP address sends an access request for accessing the internal network, where the token indicates that the second IP address has the authority to access the internal network.
In actual implementation, the embodiment of the invention can configure a temporary login identity and access authority for a user through a visual interface. The proxy server receives the permission setting information of the temporary request, which includes the user's identity information, the second IP address from which the temporary request is sent and the second port at which the temporary request is received, and issues a token to the second IP address based on that information, so that the token is carried when the second IP address sends an access request for accessing the internal network; the token indicates that the second IP address has the authority to access the internal network. That is, the user carries the token when sending the temporary request from the second IP address through the external network device, the proxy server receives the temporary request on the second port, and on that basis the user can temporarily log in and access the projects in the internal network.
By adopting the steps, temporary login and access rights are provided for the user, the project module in the internal network is conveniently displayed for the user, and other products of the enterprise can be selectively displayed and introduced, so that convenience is brought to the user, and additional benefits are possibly brought to the enterprise.
Further, the token is preset with an effective duration. After receiving a temporary request sent by the second IP address, the issuing time of the token carried in the temporary request is queried; whether the token is within the effective duration is determined based on the issuing time and the current time; and if the token is within the effective duration, the temporary request is forwarded to the second port.
In actual implementation, the token is preset with an effective duration: the token is valid within the effective duration and invalid beyond it. After receiving the temporary request sent by the second IP address, the proxy server queries the issuing time of the token in the temporary request and determines, from the issuing time and the current time at which the temporary request was received, whether the token is within the effective duration. If it is, the token is valid and the temporary request is forwarded to the second port; if it is not, the token is invalid and the temporary request is not forwarded to the second port.
By adopting these steps, convenience is provided for users who temporarily need to access the internal network, access requests from illegal or malicious users can be blocked by means of the token, and the projects in the internal network are kept in a secure environment.
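One way to issue and check the time-limited token for a temporary request, as an added example that is not part of the patent or of the applicant's system: the HMAC-SHA256 construction, the JSON claim layout, the 30-minute effective duration and the function names are all assumptions of the example. The page only requires that the proxy can read the issuing time out of the token and compare it with the current time; authenticating the token is what lets the proxy trust the issuing time it reads back.

```python
import base64
import hashlib
import hmac
import json

# Assumed effective duration of a temporary-access token; the page does not fix a value.
TOKEN_TTL_SECONDS = 30 * 60


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, identity: str, second_ip: str, second_port: int, issued_at: int) -> str:
    """Issue a token from the permission setting information of a temporary request.

    The token binds the identity information, the second IP address that will send
    the temporary request, the second port that will receive it, and the issuing
    time; the HMAC over the claims lets the proxy detect any change to them.
    (Format is an assumption of this example.)
    """
    claims = {"id": identity, "ip": second_ip, "port": second_port, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def check_token(key: bytes, token: str, src_ip: str, now: int, ttl: int = TOKEN_TTL_SECONDS):
    """Return the second port to forward the temporary request to, or None to drop it."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed structure or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token: the issuing time cannot be trusted
    try:
        claims = json.loads(payload)
        ip, port, issued_at = claims["ip"], int(claims["port"]), int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if ip != src_ip:
        return None  # token was issued to a different second IP address
    if not (issued_at <= now < issued_at + ttl):
        return None  # outside the effective duration (or issued in the future)
    return port


if __name__ == "__main__":
    # Constructed demonstration values: a documentation-range address and a fixed clock.
    key = b"constructed-test-key"
    token = issue_token(key, "alice", "203.0.113.7", 8090, 1_700_000_000)
    print("fresh token  ->", check_token(key, token, "203.0.113.7", 1_700_000_060))
    print("expired      ->", check_token(key, token, "203.0.113.7", 1_700_000_000 + TOKEN_TTL_SECONDS))
    print("wrong source ->", check_token(key, token, "203.0.113.8", 1_700_000_060))
```

The check compares the issuing time with the proxy's own clock, so the component that issues the token and the proxy that checks it need synchronised time; the rejection of tokens dated in the future is a deliberate choice of the example, since an issuing time ahead of the current time can only come from clock skew or tampering.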
For further understanding of the present embodiment, referring to fig. 2, another embodiment of the access method of the internal network in the embodiment of the present invention includes:
step S201, based on the configuration file, sending designated port information to the IP address of the external network, so that when the device corresponding to that external IP address sends an access request, it carries the designated port information and sends the access request to the designated port;
specifically, the proxy server sends, based on a preset configuration file, specified port information to an IP address of the external network, where the specified port information is used to indicate port information that can receive an access request sent by the IP address of the external network, so as to indicate that, when a device corresponding to the IP address of the external network sends the access request, the device carries the specified port information, and sends the access request to the specified port. Based on the above, the user can realize the requirement of accessing the internal network through the external network at any time and any place through the specified port information, and the security of accessing the internal network is improved.
Step S202, receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
specifically, the proxy server receives an access request from the external network, the access request being for accessing a first network address in the internal network. The proxy server is not only a server but also an intermediary for the client: it can control user behaviour, make a decision on each received access request and filter user requests according to filtering rules. Its most basic function is connecting the internal network with the Internet, and it further provides security, caching, content filtering, access control management and similar functions. The access request is used to access a first network address in the internal network, where the first network address is the logical address of an addressable node in the network.
Step S203, extracting the appointed information from the access request, and inquiring whether the access request has the authority to access the internal network from the preset configuration file based on the appointed information; the appointed information is used for indicating an address for sending the access request and/or a position where the proxy server receives the access request;
In actual implementation, the proxy server extracts the specified information from the access request, where the specified information is used to indicate the address where the access request is sent, and/or the location where the access request is received by the proxy server; for example, in the indication information in a certain access request, the address indicated to send the access request is the first IP address, and/or the location where the proxy server receives the access request is the first port, then the proxy server may query, from a preset configuration file, whether the access request has a right to access the internal network based on the specified information.
Step S204, determining whether the first IP address and the first port have a mapping relation in the configuration file; if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network;
in the configuration file, the IP address and the port have a specified mapping relation; the mapping relationship is used for indicating: an access request sent by the IP address is received through a port having a mapping relation with the IP address. That is, the preset configuration file includes a mapping relationship between an IP address and a port, where the mapping relationship is used to indicate an access request sent by the IP address, and the port having a mapping relationship with the IP address receives the access request sent by the IP address.
Further, determining whether the first IP address and the first port have a mapping relation in the configuration file, if the first IP address and the first port have a mapping relation, indicating that an access request sent by the first IP address should be received by the first port, and determining that the access request has the authority to access the internal network based on the determination; if the first address and the first port do not have a mapping relationship, the access request sent by the first IP address is not received by the first port, and based on the determination, the access request does not have the authority to access the internal network.
Step S205, if the access request has the authority to access the internal network, forwarding the access request to the first network address in the internal network.
In actual implementation, if it is determined that the access request has the authority to access the internal network, the proxy server forwards the access request to the first network address of the internal network, so as to realize access to the items in the internal network through the external network.
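The IP-to-port mapping check described in the optional paragraphs earlier and in steps S201 to S205 above, worked through in code. The following Python is an added example written for this page, not code from the patent or from the applicant; the JSON layout of the configuration file, the RFC 5737 documentation addresses used as external IPs, the 10.0.0.0/8 internal targets, the mapping from request path to internal address and the function names are all assumptions of the example.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed example of the "preset configuration file": each proxy port maps to
# the set of external IP addresses whose requests it may receive (many-to-many),
# and each reachable internal project is given a first network address.
# JSON is an assumed format; the page does not specify one.
CONFIG_JSON = """
{
  "ports": {
    "8081": ["198.51.100.10", "198.51.100.11", "203.0.113.5"],
    "8082": ["198.51.100.10"]
  },
  "internal_targets": {
    "/crm": "10.0.0.21:8080",
    "/ops": "10.0.0.22:8080"
  }
}
"""


def load_config(text: str) -> dict:
    """Parse the configuration and build both directions of the IP<->port mapping."""
    raw = json.loads(text)
    port_to_ips: dict = {}
    ip_to_ports: dict = {}
    for port_str, ips in raw["ports"].items():
        port = int(port_str)
        for ip_text in ips:
            ip = str(ipaddress.ip_address(ip_text))  # normalise, reject garbage early
            port_to_ips.setdefault(port, set()).add(ip)
            ip_to_ports.setdefault(ip, set()).add(port)
    return {"port_to_ips": port_to_ips, "ip_to_ports": ip_to_ports,
            "targets": dict(raw["internal_targets"])}


def designated_ports(config: dict, ip_text: str) -> list:
    """Step S201: the designated port information the proxy would send to an external IP."""
    try:
        ip = str(ipaddress.ip_address(ip_text))
    except ValueError:
        return []
    return sorted(config["ip_to_ports"].get(ip, ()))


def has_mapping(config: dict, src_ip: str, port: int) -> bool:
    """Step S204: is (first IP address, first port) a mapped pair in the configuration?"""
    try:
        ip = str(ipaddress.ip_address(src_ip))
    except ValueError:
        return False  # unparsable sender address never matches
    return ip in config["port_to_ips"].get(port, set())


@dataclass
class AccessRequest:
    src_ip: str    # first IP address: where the request was sent from
    dst_port: int  # first port: where the proxy received it
    path: str      # selects the first network address inside the internal network


def handle(config: dict, req: AccessRequest) -> tuple:
    """Steps S202-S205: decide whether to forward, and to which internal address."""
    if not has_mapping(config, req.src_ip, req.dst_port):
        return ("deny", f"no mapping for {req.src_ip} on port {req.dst_port}")
    target = config["targets"].get(req.path)
    if target is None:
        return ("deny", f"unknown internal target {req.path}")
    return ("forward", target)


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print("ports designated for 198.51.100.10:", designated_ports(cfg, "198.51.100.10"))
    # Constructed requests: one permitted pair, one address arriving on the wrong port.
    for req in (AccessRequest("198.51.100.10", 8082, "/crm"),
                AccessRequest("203.0.113.5", 8082, "/crm")):
        print(req, "->", handle(cfg, req))
```

The decision is keyed on the pair (sender address, receiving port), not on either value alone: 203.0.113.5 is a known address and 8082 is an open port, yet the request is dropped because that pair is not in the configuration, which is the point of the mapping relationship the text describes.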
The method for accessing the internal network in the embodiment of the present invention is described above, and the following describes an access device for the internal network in the embodiment of the present invention, referring to fig. 3, one embodiment of the access device for the internal network in the embodiment of the present invention includes:
A receiving module 31 for receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
the extracting module 32 is configured to extract the specified information from the access request, and query whether the access request has a right to access the internal network from a preset configuration file based on the specified information; the appointed information is used for indicating an address for sending the access request and/or a position where the proxy server receives the access request;
a forwarding module 33, configured to forward the access request to a first network address in the internal network if the access request has a right to access the internal network.
The access device of the internal network receives an access request from an external network, where the access request is for accessing a first network address in the internal network; extracts designated information from the access request and, based on the designated information, queries a preset configuration file as to whether the access request has the authority to access the internal network, where the designated information indicates the address from which the access request was sent and/or the position at which the proxy server received it; and, if the access request has the authority to access the internal network, forwards it to the first network address in the internal network. In this method, the address of an internal network application is added to the preset configuration file; after an access request from the external network is received, the preset configuration file is queried as to whether the access request has permission to access the internal network, and whether the access request is forwarded to the first network address in the internal network is then decided on the basis of that judgement. Furthermore, by means of the mapping relationship between IP addresses and ports in the preset configuration file, the internal network can be accessed through the external network over a long period while the project is protected from being attacked or cracked, so that the security of accessing the internal network is improved. In addition, the problem of a server receiving a large number of invalid requests and wasting server resources is solved, the user's experience of smooth use is improved, management and maintenance are made convenient, and the workload of operation and maintenance personnel is reduced.
Referring to fig. 4, another embodiment of an access device for an internal network according to an embodiment of the present invention includes:
a receiving module 31 for receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
the extracting module 32 is configured to extract the specified information from the access request, and query whether the access request has a right to access the internal network from a preset configuration file based on the specified information; the appointed information is used for indicating an address for sending the access request and/or a position where the proxy server receives the access request;
a forwarding module 33, configured to forward the access request to a first network address in the internal network if the access request has a right to access the internal network.
The above-mentioned designation information includes: a first IP address for sending an access request and a first port for receiving the access request by a proxy server; the extraction module is further used for: determining whether the first IP address and the first port are queried from the configuration file; if the first IP address and the first port are queried, determining that the access request has the authority to access the internal network.
In the configuration file, the IP address and the port have a specified mapping relation; the mapping relationship is used for indicating: an access request sent by the IP address is received through a port with a mapping relation with the IP address; the extraction module is further used for: determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
The proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relationship with at least one port.
The apparatus further includes a sending module 34, configured to send, based on the configuration file, the specified port information to the IP address of the external network, so as to carry the specified port information when the device corresponding to the IP address of the external network sends the access request, and send the access request to the specified port included in the specified port information.
The above apparatus further comprises a temporary receiving module 35 for: receiving authority setting information of a temporary request; wherein the authority setting information includes: identity information, a second IP address for sending the temporary request, and a second port for receiving the temporary request by the proxy server; issuing a token to the second IP address so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is used for indicating: the second IP address has access to the internal network.
The token is preset with effective duration; the apparatus further comprises a query module 36 for: receiving a temporary request sent by a second IP address, and inquiring the issuing time of a token in the temporary request; determining whether the token is in the valid duration based on the issuing time and the current time; if the token is in the valid duration, the temporary request is forwarded to the second port.
The above fig. 3 and fig. 4 describe the access device of the internal network in the embodiment of the present invention in detail from the viewpoint of modularization, and the following describes the access device of the internal network in the embodiment of the present invention in detail from the viewpoint of hardware processing.
Fig. 5 is a schematic structural diagram of an access device of an internal network according to an embodiment of the present invention, where the access device 500 of the internal network may have a relatively large difference due to configuration or performance, and may include one or more processors (central processing units, CPU) 510 (e.g., one or more processors) and a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) storing application programs 533 or data 532. Wherein memory 520 and storage medium 530 may be transitory or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations in the access device 500 to the internal network. Still further, the processor 510 may be arranged to communicate with a storage medium 530 and to perform a series of instruction operations in the storage medium 530 on an access device 500 of an internal network.
The access device 500 for the internal network may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like. It will be appreciated by those skilled in the art that the structure of the access device of the internal network shown in fig. 5 does not constitute a limitation of the access device of the internal network, which may include more or fewer components than illustrated, may combine certain components, or may arrange the components differently.
The present invention also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, and which may also be a volatile computer readable storage medium, having stored therein instructions that, when executed on a computer, cause the computer to perform the steps of a method of accessing an internal network.
The present invention also provides an access device for an internal network, where the access device for an internal network includes a memory and a processor, and the memory stores instructions that, when executed by the processor, cause the processor to execute the steps of the access method for an internal network in the foregoing embodiments.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created from the use of blockchain nodes, and the like.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and the like. The Blockchain (Blockchain), which is essentially a decentralised database, is a string of data blocks that are generated by cryptographic means in association, each data block containing a batch of information of network transactions for verifying the validity of the information (anti-counterfeiting) and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. An access method of an internal network, wherein the access method of the internal network is applied to a proxy server of the internal network, and the access method of the internal network comprises the following steps:
receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
extracting designated information from the access request, and querying, based on the designated information, a preset configuration file as to whether the access request has the authority to access the internal network; wherein the designated information is used for indicating an address from which the access request is sent, and a position at which the proxy server receives the access request; the designated information includes: a first IP address from which the access request is sent, and a first port of the proxy server at which the access request is received; the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relation with at least one port;
Forwarding the access request to a first network address in the internal network if the access request has permission to access the internal network;
the step of extracting the specified information from the access request, and based on the specified information, inquiring whether the access request has the authority to access the internal network from a preset configuration file comprises the following steps:
determining whether the first IP address and the first port are queried from the configuration file;
if the first IP address and the first port are queried, determining that the access request has the authority to access the internal network;
in the configuration file, the IP address and the port have a specified mapping relation; the mapping relation is used for indicating: the access request sent by the IP address is received through a port with a mapping relation with the IP address;
the step of determining that the access request has the right to access the internal network if the first IP address and the first port are queried, includes:
determining whether the first IP address and the first port have a mapping relation in the configuration file;
and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
2. The access method of an internal network according to claim 1, wherein before the step of receiving an access request from an external network, the access method of an internal network further comprises:
sending designated port information to the IP address of the external network based on the configuration file, so as to instruct the device corresponding to the IP address of the external network to carry the designated port information when sending the access request, and to send the access request to the designated port contained in the designated port information.
3. The access method of an internal network according to claim 1, characterized in that the access method of an internal network further comprises:
receiving authority setting information of a temporary request; wherein the authority setting information includes: identity information, a second IP address for sending a temporary request, and a second port for receiving the temporary request by the proxy server;
issuing a token to the second IP address so that the token is carried when the second IP address sends an access request for accessing the internal network; wherein the token is used for indicating: the second IP address has access to the internal network.
4. A method of accessing an internal network according to claim 3, wherein the token is pre-set with a valid duration; the access method of the internal network further comprises the following steps:
Receiving a temporary request sent by the second IP address, and inquiring the issuing time of a token in the temporary request;
determining whether the token is in the valid duration based on the issuing time and the current time;
and if the token is in the effective duration, forwarding the temporary request to the second port.
5. An access device for an internal network, wherein the access device for an internal network is provided in a proxy server of the internal network, and the access device for an internal network comprises:
the receiving module is used for receiving an access request from an external network; wherein the access request is for accessing a first network address in the internal network;
the extraction module is used for extracting designated information from the access request, and querying, based on the designated information, a preset configuration file as to whether the access request has the authority to access the internal network; wherein the designated information is used for indicating an address from which the access request is sent, and a position at which the proxy server receives the access request; the designated information includes: a first IP address from which the access request is sent, and a first port of the proxy server at which the access request is received; the proxy server is provided with a plurality of ports; in the configuration file, each port has a mapping relation with a plurality of IP addresses; each IP address has a mapping relation with at least one port;
A forwarding module, configured to forward the access request to a first network address in the internal network if the access request has a right to access the internal network;
the extraction module is further used for determining whether the first IP address and the first port are queried from the configuration file; if the first IP address and the first port are queried, determining that the access request has the authority to access the internal network;
in the configuration file, the IP address and the port have a specified mapping relation; the mapping relation is used for indicating: the access request sent by the IP address is received through a port with a mapping relation with the IP address;
the extraction module is further used for determining whether the first IP address and the first port have a mapping relation in the configuration file; and if the first IP address and the first port have a mapping relation, determining that the access request has the authority to access the internal network.
6. An access device for an internal network, the access device comprising: a memory and at least one processor, the memory having instructions stored therein;
The at least one processor invoking the instructions in the memory to cause an access device of the internal network to perform the access method of the internal network of any of claims 1-4.
7. A computer readable storage medium having instructions stored thereon, which when executed by a processor, implement the method of accessing an internal network according to any of claims 1-4.
CN202210813223.4A 2022-07-12 2022-07-12 Access method, device, equipment and storage medium of internal network Active CN115277119B (en)

Publications (2)

Publication Number Publication Date
CN115277119A CN115277119A (en) 2022-11-01
CN115277119B (en) 2024-02-09

Family

ID=83765719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210813223.4A Active CN115277119B (en) 2022-07-12 2022-07-12 Access method, device, equipment and storage medium of internal network

Country Status (1)

Country Link
CN (1) CN115277119B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101040497A (en) * 2004-10-12 2007-09-19 Matsushita Electric Industrial Co., Ltd. (Panasonic) Firewall system and firewall control method
CN105376107A (en) * 2014-08-29 2016-03-02 Tencent Technology (Shenzhen) Co., Ltd. Terminal test method and proxy server
CN106060041A (en) * 2016-05-30 2016-10-26 Beijing Pipaxing Technology Co., Ltd. Enterprise network access permission control method and device
CN107948329A (en) * 2018-01-03 2018-04-20 Hunan Lushan Cloud Data Technology Service Co., Ltd. Cross-domain processing method and system
CN108600204A (en) * 2018-04-11 2018-09-28 Zhejiang University Enterprise intranet access method based on reverse connection and application-layer tunnel
CN110166432A (en) * 2019-04-17 2019-08-23 Ping An Technology (Shenzhen) Co., Ltd. Method for accessing an intranet target service and method for providing an intranet target service

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6750537B2 (en) * 2017-03-01 2020-09-02 Fujitsu Limited Information processing apparatus, information processing system, information processing method, and information processing program
US20210055927A1 (en) * 2019-08-23 2021-02-25 Skyhigh Networks, Llc Systems, method, and media for determining security compliance of continuous build software

Also Published As

Publication number Publication date
CN115277119A (en) 2022-11-01

Similar Documents

Publication Publication Date Title
US11647043B2 (en) Identifying security actions based on computing asset relationship data
US10554622B2 (en) Secure application delivery system with dial out and associated method
KR100194252B1 (en) Method and apparatus for improving mutual authentication, and computer readable program product
US6134591A (en) Network security and integration method and system
US7039721B1 (en) System and method for protecting internet protocol addresses
WO2015183698A1 (en) Method and system for implementing data security policies using database classification
JPH09128337A (en) Method and apparatus for protection of masquerade attack in computer network
Kebande et al. A functional architecture for cloud forensic readiness large-scale potential digital evidence analysis
US6714970B1 (en) Protecting open world wide web sites from known malicious users by diverting requests from malicious users to alias addresses for the protected sites
US7841005B2 (en) Method and apparatus for providing security to web services
JP2005514699A (en) Method and system for hosting multiple dedicated servers
JP2013058101A (en) Cloud computing system
US20040225897A1 (en) Client-server architecture incorporating secure tuple space
Taneja et al. Information Security in cloud computing: A Systematic Literature Review and analysis
CN115277119B (en) Access method, device, equipment and storage medium of internal network
Prasadreddy et al. A threat free architecture for privacy assurance in cloud computing
US7640580B1 (en) Method and apparatus for accessing a computer behind a firewall
Vijaya Bharati et al. Data storage security in cloud using a functional encryption algorithm
Aldawibi et al. Cloud Computing Privacy: Concept, Issues And Solutions
Bandela et al. Survey on cloud computing technologies and security threats
Gregorio et al. Hacking in the cloud
JP5279601B2 (en) Server apparatus, data processing system, form processing method, and program
Sannasy et al. Intelligent trust based temporal data storage and retrieval methods for cloud databases
Abduvaliyevich et al. Creation and Security of the Cloud Platform for Educational Technologies
CN107623683B (en) Method for preventing information disclosure through dynamic and safe cloud resources

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant