CN115694960A - Application proxy method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN115694960A
Authority: CN (China)
Prior art keywords: application, access, port, access request, authentication
Legal status: Pending (as listed by Google Patents, which notes the status is an assumption and not a legal conclusion)
Application number: CN202211324964.2A
Other languages: Chinese (zh)
Inventors: 刘莹, 赵国强
Current assignee: DBAPPSecurity Co Ltd (as listed by Google Patents, which notes the assignee list may be inaccurate)
Original assignee: DBAPPSecurity Co Ltd

Abstract

This application discloses an application proxy method, apparatus, device and readable storage medium. The method comprises: receiving an access request sent by a client and obtaining the access credential of the access request; if the access credential cannot be obtained, intercepting the access request; if the access credential is obtained successfully, mapping the access port in the access request to an application port and using the application port to obtain the application IP (Internet Protocol) address; and sending the access request to the target application using the application IP and the application port. In this application the real port of the proxied application is hidden, and port mapping and application identification are performed only when the access credential corresponding to the access request has been obtained. The service system is therefore naturally hidden from an attacker, who cannot perform operations such as scanning on it, and the service system can be effectively protected.

Description

Application proxy method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of security assurance technologies, and in particular, to an application proxy method, apparatus, device, and readable storage medium.
Background
A reverse proxy uses a proxy server to receive connection requests from the Internet, forward them to a server on the internal network, and return the result obtained from that server to the client on the Internet that requested the connection; to the outside, the proxy server appears to be the server itself.
A common reverse proxy is usually configured with a reverse (upstream) address for forwarding through nginx (a high-performance HTTP and reverse proxy server). Because no security mechanism is present, no further security control can be applied to the application, the real service is easily exposed, and a potential security hazard exists.
In summary, how to effectively improve the security of a reverse proxy is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The purpose of this application is to provide an application proxy method, apparatus, device and readable storage medium that effectively improve the security of a reverse proxy and effectively protect the security of the proxied service or application.
To solve the above technical problem, this application provides the following technical scheme:
an application proxy method, comprising:
receiving an access request sent by a client, and obtaining an access credential of the access request;
if the access credential cannot be obtained, intercepting the access request;
if the access credential is obtained successfully, mapping an access port in the access request to an application port, and obtaining an application IP (Internet Protocol) address by using the application port;
and sending the access request to a target application by using the application IP and the application port.
Preferably, obtaining the access credential of the access request includes:
judging whether the access request carries the access credential;
if so, obtaining the access credential from the access request;
and if not, performing zero trust authentication to obtain the access credential.
Preferably, performing zero trust authentication to obtain the access credential includes:
redirecting to a zero trust authentication service center for authentication;
after the authentication succeeds, receiving the access credential issued by the zero trust authentication service center;
and after the authentication fails, determining that the access credential cannot be obtained.
Preferably, redirecting to the zero trust authentication service center for authentication includes:
authenticating the target application by using the zero trust authentication service center, and obtaining a user token if the authentication passes;
performing authority authentication on the client, and obtaining an application token if the authentication passes;
if both the user token and the application token are obtained, determining that the access credential has been obtained;
and if the user token and the application token are not obtained, determining that the access credential cannot be obtained.
Preferably, mapping the access port in the access request to an application port, and obtaining the application IP by using the application port, includes:
mapping the access port to the application port by using KEEPALIVE in conjunction with a configuration file;
and querying the application IP corresponding to the application port from the configuration file by using ENTRY.
Preferably, the method further comprises:
receiving configuration information from a zero trust management center;
and dynamically adjusting the access address and port of a specified application by using the configuration information.
Preferably, dynamically adjusting the access address and port of the specified application by using the configuration information includes:
sending the configuration information to an OMS;
generating a configuration file from the configuration information by using the OMS;
and synchronizing the configuration file to KEEPALIVE and ENTRY, so that the specified application is proxied using the adjusted access address and port.
An application proxy apparatus, comprising:
an access credential acquisition module, configured to receive an access request sent by a client and obtain an access credential of the access request;
a traffic interception module, configured to intercept the access request if the access credential cannot be obtained;
an address mapping module, configured to map an access port in the access request to an application port and obtain an application IP (Internet Protocol) address by using the application port, if the access credential is obtained successfully;
and a traffic forwarding module, configured to send the access request to a target application by using the application IP and the application port.
An electronic device, comprising:
a memory for storing a computer program;
and a processor, configured to implement the steps of the above application proxy method when executing the computer program.
A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above-described application proxy method.
By applying the method provided by the embodiments of this application, an access request sent by a client is received and the access credential of the access request is obtained; if the access credential cannot be obtained, the access request is intercepted; if the access credential is obtained successfully, the access port in the access request is mapped to an application port, and the application port is used to obtain the application IP (Internet Protocol) address; and the access request is sent to the target application using the application IP and the application port.
In this application, after an access request is received, the access credential corresponding to it is obtained first. Only when the access credential has been obtained is the access port in the access request mapped to an application port, and the target application identified through that application port to obtain the application IP. Finally, the access request is sent to the target application based on the application IP and the real application port. That is, the real port of the proxied application is hidden from the outside, and port mapping and application identification are performed only when the access credential corresponding to the access request has been obtained, so the application can be effectively protected. Since request forwarding depends on the access credential and application identification is based on the port, the proxied application by default does not accept every request initiated by a client and opens its service port only to a legal terminal and a legal user. The service system is therefore naturally hidden from an attacker, who cannot initiate operations such as scanning against it, and the service system can be effectively protected.
Accordingly, the embodiments of this application further provide an application proxy apparatus, a device and a readable storage medium corresponding to the application proxy method; these have the same technical effects and are not described again here.
Drawings
To illustrate the technical solutions in the embodiments of this application or the related art more clearly, the drawings needed for describing the embodiments or the related art are briefly introduced below. The drawings described below are only some embodiments of this application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an implementation of an application proxy method according to an embodiment of this application;
FIG. 2 is a schematic diagram of dynamic configuration adjustment according to an embodiment of this application;
FIG. 3 is a schematic diagram of a product architecture according to an embodiment of this application;
FIG. 4 is a schematic structural diagram of an application proxy apparatus according to an embodiment of this application;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of this application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of this application.
Detailed Description
So that those skilled in the art may better understand the disclosure, the following detailed description is given with reference to the accompanying drawings. The embodiments described are only some of the embodiments of this application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of this application.
Referring to FIG. 1, FIG. 1 is a flowchart of an application proxy method according to an embodiment of this application. The method comprises the following steps:
S101, receiving an access request sent by a client, and obtaining an access credential of the access request.
The method can be applied to an application security proxy such as a zero trust gateway, and also to other proxy devices such as a proxy server.
In this embodiment, after an access request sent by a client (for example, a browser client) is received, the validity of the access request is first established; specifically, validity is established by attempting to obtain the access credential of the access request.
That is, the application security proxy by default does not accept every request initiated by a client; it opens its service port only to a legal terminal and a legal user, so the service system is naturally hidden from an attacker, who cannot initiate scanning or other operations against it. The zero trust security client supports establishing a secure connection with the application security proxy through SPA; it takes over and encapsulates the service traffic initiated by the terminal and forwards it to the application security proxy in a securely encrypted form, so that the threat is immunized at the reconnaissance stage of the attack chain.
Single Packet Authorization (SPA) is a core function of SDP (Software Defined Perimeter). Its main role is to keep the service port closed by default, so that the service is stealthed on the network and cannot be connected to or scanned. When the service is needed, a specific client sends an authentication message to the server, and after the server has authenticated the message it opens the relevant service for that IP address.
In other words, in this embodiment the application security proxy checks the terminal identity, the user identity and the user permissions in real time for every access request, and passes only request traffic whose identity and permissions are trusted. The specific implementation is based on the access credential.
In one embodiment of this application, obtaining the access credential of the access request includes:
step one, judging whether the access request carries an access credential;
step two, if so, obtaining the access credential from the access request;
and step three, if not, performing zero trust authentication to obtain the access credential.
For convenience, the three steps are described together.
In this embodiment, the method is opened only to legal users and legal applications. When a legal user accesses, the access credential is carried in the user's access request. Specifically, the access credential may include a user token and an application token. The user token indicates that the application requesting access is a legal application, and the application token indicates that the user is a legal user.
That is, when the access request carries the access credential, it can be obtained directly from the access request; when the access request does not carry the access credential, zero trust authentication is performed to obtain it.
In one embodiment of this application, performing zero trust authentication to obtain the access credential includes:
step 1, redirecting to a zero trust authentication service center for authentication;
step 2, after the authentication succeeds, receiving the access credential issued by the zero trust authentication service center;
and step 3, after the authentication fails, determining that the access credential cannot be obtained.
When the access request is determined not to carry the access credential, it can be redirected to the zero trust authentication service center (TAM) for zero trust authentication. The zero trust authentication service center performs the authentication; if it succeeds, the center issues the access credential, and if it fails, the center does not issue one. Therefore, after successful authentication the access credential is obtained by receiving it from the zero trust authentication service center, and after failed authentication it is determined that the access credential cannot be obtained.
Redirecting to the zero trust authentication service center for authentication includes:
step (1), authenticating the target application by using the zero trust authentication service center, and obtaining a user token if the authentication passes;
step (2), performing authority authentication on the client, and obtaining an application token if the client passes the authentication;
step (3), if both the user token and the application token are obtained, determining that the access credential has been obtained;
and step (4), if the user token and the application token are not obtained, determining that the access credential cannot be obtained.
When the access request does not carry the access credential, the gateway judges whether the target application carries a token. If there is no token, the request is redirected to the zero trust authentication page; once authentication is completed there, the zero trust authentication service center issues a user token to the zero trust gateway and, at the same time, judges whether the user has authority over the application; if so, it issues the application token of the target application to the zero trust gateway.
After it has been determined whether the access credential was obtained, the corresponding step is executed according to the result. Specifically, if the access credential cannot be obtained, the current access request is problematic and step S102 is executed; if the access credential can be obtained, step S103 is executed.
S102, if the access credential cannot be obtained, intercepting the access request.
If the access credential corresponding to the access request cannot be obtained, the access request is intercepted directly for security reasons, so that it cannot reach the real application.
Specifically, an access request may be intercepted using iptables. iptables is the IP packet filtering system integrated with the Linux kernel. Whether the Linux system is connected to the Internet or to a LAN, or is a server or proxy server connecting a LAN to the Internet, this system gives better control over IP packet filtering and firewall configuration on Linux. The iptables component is a user-space tool that facilitates inserting, modifying and removing rules in the packet filter tables.
S103, if the access credential is obtained successfully, mapping the access port in the access request to the application port, and obtaining the application IP by using the application port.
If the access credential is obtained successfully, that is, the user token and the application token have both been obtained, the current access request can be determined to be an access by a legal user to a legal application, and it can therefore be proxied.
For security reasons, the scheme provided by this embodiment does not show the real application port when port information is presented to the user, so the port is hidden from the user. Accordingly, after the access request is received, the access port in the access request must be mapped to the application port in order to reach the application. The access port is a false port set for external access to the target application, and the application port is the real port of the target application.
After port mapping is complete, the application can be identified based on the port, yielding the application IP. That is, in this embodiment the application is identified by port.
In a specific embodiment of this application, mapping the access port in the access request to the application port and obtaining the application IP by using the application port includes:
step one, mapping the access port to the application port by using KEEPALIVE in conjunction with a configuration file.
keepalived is implemented on top of VRRP (Virtual Router Redundancy Protocol); it is modular software that provides VRRP functionality and can configure IPVS (IP Virtual Server, which provides load balancing), among other things. Through its scripting facility, keepalived can also provide high availability for other services.
The configuration file generated in the configuration phase, in which the mapping between the access port and the real application port is set, may be synchronized to KEEPALIVE, so that in conjunction with the configuration file the access port can be mapped to the application port.
Step two, querying the application IP corresponding to the application port from the configuration file by using ENTRY.
ENTRY is the zero trust gateway control service. The configuration file generated in the configuration phase can be synchronized to ENTRY. Since the application IP corresponding to each application port is recorded in the configuration file, application identification can be completed based on the port in conjunction with the configuration file, and the application IP corresponding to the application port obtained.
S104, sending the access request to the target application by using the application IP and the application port.
After the application IP and application port have been obtained, the access request can be sent to the target application.
After receiving the access request, the target application can respond to it.
It should be noted that, based on the above embodiments, the embodiments of this application also provide corresponding improvements. In the preferred/improved embodiment, steps that are the same as or correspond to those in the above embodiment, and their advantageous effects, may be cross-referenced and are not described again in detail here.
Related port proxy schemes essentially proxy an application out through the proxy service by means of a configuration file, but the proxy service must be restarted after the configuration file is modified for the change to take effect. This has the following drawbacks: the proxy service must be configured manually, and different configurations are needed depending on whether the service is a layer-4 or a layer-7 application, so configuration is relatively cumbersome; and the proxy service must be restarted manually after it has been configured.
On this basis, this application optimizes the above embodiments so as to realize dynamic configuration.
Specifically, the implementation comprises the following steps:
step one, receiving configuration information from a zero trust management center.
The configuration information may include information setting or changing the access port of an application and information setting or changing its access address.
And step two, dynamically adjusting the access address and port of the specified application by using the configuration information.
In this embodiment, dynamic adjustment is achieved directly from the configuration information, without restarting the proxy service.
Step two specifically comprises:
step 1, sending the configuration information to an OMS;
step 2, generating a configuration file from the configuration information by using the OMS;
and step 3, synchronizing the configuration file to KEEPALIVE and ENTRY, so that the specified application is proxied using the adjusted access address and port.
Referring to FIG. 2, FIG. 2 is a schematic diagram of dynamic configuration adjustment according to an embodiment of this disclosure.
Configuring the proxied application: the application to be proxied must first be configured for the application proxy. The real address and port of the proxied application are configured in the TAM controller, together with the IP (Internet Protocol) address of the proxy gateway and the proxy gateway port (the port is mainly used to identify and distinguish the application).
Gateway synchronization of configuration information: after the proxied application has been configured, the TAM synchronizes the configuration information to the gateway, which stores the proxy configuration in memory. The OMS is then notified.
Dynamically generating the proxy application configuration file: the OMS receives the configuration information, generates the configuration file of the dynamic proxy application on the gateway, and then decides dynamically whether to restart the service according to whether the proxy application needs a restart (all operations are configured automatically through the OMS). Example: depending on the configuration and usage scenario of the application, it can be proxied through the proxy application, or through openability or NGINX; the OMS dynamically generates the corresponding configuration file.
Traffic proxying: when an application is accessed, the application proxy method provided by the above embodiment is adopted, that is, traffic passes through the gateway and is then distributed by the configured traffic proxy application.
In order to facilitate better understanding of the application proxy method provided in the embodiments of the present application, the application proxy method is described in detail below with reference to a specific application scenario as an example.
Referring to fig. 3, fig. 3 is a schematic diagram of a product architecture according to an embodiment of the present application.
Flow control side: global IP is mainly disabled by IPTABLES. Only after passing the identity authentication of the TAM controller, the TAM informs the OMS to pass through a certain port for a certain IP.
Port mapping side (high available): KEEPALIVE has OMS control for dynamic port mapping. There will be two nodes that are highly available through KEEPALIVE for dynamic drift VRRP.
Port control side: the ENTRY here will identify the specific application IP through the port by proxy configuration configured in the TAM.
And a flow distribution side: through the IP and the port of the specific application identified by ENTRY, when configuring the TAM agent configuration, the SUB will dynamically configure the application agent with the corresponding configuration file through the OMS. When an application accesses traffic to a SUB, it can proxy directly to the specific application.
In actual use, the application security proxy does not accept all requests initiated by the client by default, only opens service ports to a legal terminal and a legal user, so that a service system is hidden aiming at an attacker, the attacker cannot initiate scanning and other operations on the service system, the zero-trust security client supports establishing security connection with the application security proxy through an SPA technology, and forwards service traffic to the application security proxy in a security encryption manner by taking over and packaging service traffic initiated by the terminal. Thus, in the investigation phase of the attack chain, the threat can be immunized.
The application security agent checks the terminal identity, the user identity and the user authority in real time on the basis of each request, and only passes the request flow with credible identity and authority.
The application security agent can be linked with the unified identity management platform, an access control strategy is implemented according to the judgment result of the unified identity management platform, when the security access environment, the behavior risk and the like of the user change, the scheduling of the unified identity management platform is received, the access session of the risk user/terminal is stopped in real time, and the dynamic response of the security risk is realized.
The method provides service flow encryption for access of all agent applications, can realize safe transmission of application requests after agent regardless of whether the applications support a safe transmission mechanism, supports starting functions of one-way TLS, two-way TLS and national password TLS based on a TLS (Transport Layer Security) protocol mechanism, effectively defends possible risks of stealing, hijacking, tampering and the like on a communication channel between an accessor and an application system, and ensures the safety of the channel.
And providing application security strategies such as application flow control, application watermarking and the like. The method supports the establishment of an application flow control strategy according to parameters such as the size, the speed, the connection number, the time and the like of the request content, provides control for the request exceeding a threshold value of a preset condition, ensures the stable operation of a service system and prevents overload; the method supports loading the self-defined page watermark for the specified application page through linkage of a unified identity management platform, the watermark has the anti-elimination capacity, and the tracing means is provided for threatening potential data security risk actions such as screen capturing and shooting of the application.
By way of comparison: a conventional reverse proxy is typically configured in nginx with the upstream address to forward to; the configuration must be edited manually on the server and the service restarted before it takes effect. It has no security mechanism of its own, so the real service is easily exposed; it proxies layer-7 services only and not layer-4 traffic (nginx's stream module can forward TCP/UDP, but still without any identity check); and it cannot apply other security controls to the application, such as watermarking, API desensitization (data masking), encryption or flow control.
With the zero trust gateway reverse proxy that applies the application proxy method of this application (the application is published through the gateway proxy, which hides its real access address and port while guaranteeing a security mechanism for application access), the initial traffic is initiated by a browser; the zero trust gateway opens only its service port, and any terminal may initiate a connection to it.
The browser must carry a credential on every request it initiates. The zero trust gateway verifies the credential and forwards the traffic only if the check passes.
A request without a credential is redirected by the zero trust gateway to an authentication page, which verifies the terminal identity and the user identity together with the browser, so the request never reaches the service resource.
Access to a zero trust proxied application (for example A: https://dsg.com:8443) proceeds as follows:
1. The request first passes through the zero trust gateway, which checks whether the request for the application carries a token.
2. If there is no token, the gateway redirects to the zero trust authentication page, and authentication is completed through zero trust authentication.
3. The zero trust authentication service centre issues a user token to the zero trust gateway and at the same time determines whether the user is authorised for the application; if so, it issues the application token of that application to the zero trust gateway.
4. Once the gateway holds both the user token and the application token, it looks up the real service address and port of the real application from the port of the accessed application and forwards the traffic to the real service address (for example A: https://www.baidu.com:443).
During this process, if the proxy's service address or port is modified, only the proxy address and port registered for the application in the zero trust management centre need to be changed; when the gateway receives the message from the zero trust management centre it dynamically adjusts the application's access address and port.
Transparent proxying by the zero trust gateway: the application's ports can be hidden, so they cannot be discovered by a scanning tool.
By default the proxied application accepts no request initiated by a client directly; a service port is opened only to a legitimate terminal and a legitimate user. After the user completes authentication with the terminal and the zero trust authentication centre, the user token is passed to the gateway; on receiving it, the gateway determines from the user's permission configuration which applications the user owns, opens the service port of the real application, and forwards the traffic to the real application.
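The flow above, as an added worked example in Go that is not part of the patent or of any DBAPPSecurity product: a gateway that checks for the credential before doing any port mapping, redirects credential-less requests to the authentication page, intercepts requests whose tokens are not valid for the application on that port, and only then resolves access port to application port and IP and forwards. The header names X-User-Token and X-App-Token, the authentication page address, the token values and the loopback backend are all assumptions made for this example; the patent does not specify how the credential is carried.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strconv"
)

// AppRoute is the real address behind one access port: the access port the gateway exposes
// maps to the real port, which identifies the real IP (stands in for the KEEPALIVE/ENTRY config).
type AppRoute struct {
	AppIP   string
	AppPort int
}

// TokenStore models tokens from the zero trust authentication service centre: a user token
// proves who the user is; an application token is bound to the access port of the one
// application the user was authorised for, so a token for app A is useless against app B.
type TokenStore struct {
	users map[string]bool
	apps  map[string]int
}

func (s *TokenStore) Valid(userTok, appTok string, accessPort int) bool {
	port, ok := s.apps[appTok]
	return s.users[userTok] && ok && port == accessPort
}

// Gateway is the zero trust gateway, the only listener clients can reach.
type Gateway struct {
	Routes  map[int]AppRoute // keyed by access port
	Tokens  *TokenStore
	AuthURL string // zero trust authentication page (assumed address)
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	_, portStr, err := net.SplitHostPort(r.Host) // the port the client connected to
	if err != nil {
		http.Error(w, "bad host", http.StatusBadRequest)
		return
	}
	accessPort, _ := strconv.Atoi(portStr)
	userTok, appTok := r.Header.Get("X-User-Token"), r.Header.Get("X-App-Token")
	if userTok == "" && appTok == "" { // no credential: send to authentication (claims 2-3)
		http.Redirect(w, r, g.AuthURL+"?redirect_uri="+url.QueryEscape(r.URL.RequestURI()), http.StatusFound)
		return
	}
	if !g.Tokens.Valid(userTok, appTok, accessPort) { // credential not valid here: intercept
		http.Error(w, "intercepted", http.StatusForbidden)
		return
	}
	// Port mapping and application identification happen only after the credential
	// check, so an unauthenticated scanner never learns that a real port exists.
	route, ok := g.Routes[accessPort]
	if !ok {
		http.Error(w, "no application on this port", http.StatusNotFound)
		return
	}
	target := &url.URL{Scheme: "http", Host: net.JoinHostPort(route.AppIP, strconv.Itoa(route.AppPort))}
	httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
}

// StartDemo runs a constructed backend (the "real application") and the gateway on
// loopback; user token "u-1234" with application token "a-5678" is the issued pair.
func StartDemo() (gatewayURL string, stop func()) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello from real app, path=%s", r.URL.Path)
	}))
	bu, _ := url.Parse(backend.URL)
	appPort, _ := strconv.Atoi(bu.Port())
	gw := &Gateway{Tokens: &TokenStore{users: map[string]bool{"u-1234": true}, apps: map[string]int{}},
		AuthURL: "https://auth.example.test/login"}
	front := httptest.NewUnstartedServer(gw)
	accessPort := front.Listener.Addr().(*net.TCPAddr).Port // the one service port the gateway opens
	gw.Routes = map[int]AppRoute{accessPort: {AppIP: bu.Hostname(), AppPort: appPort}}
	gw.Tokens.apps["a-5678"] = accessPort
	front.Start()
	return front.URL, func() { front.Close(); backend.Close() }
}

// Probe sends GET /api/data through the gateway without following redirects.
func Probe(gatewayURL string, hdr map[string]string) (status int, location, body string, err error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	req, _ := http.NewRequest("GET", gatewayURL+"/api/data", nil)
	for k, v := range hdr { req.Header.Set(k, v) }
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, resp.Header.Get("Location"), string(b), err
}

func main() { u, stop := StartDemo(); defer stop(); fmt.Println(Probe(u, nil)) }
```

A scan of the gateway sees one listening port and, without tokens, only a redirect to the authentication page; binding the application token to the access port is what stops a token issued for one published application from being replayed against another behind the same gateway.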
Corresponding to the above method embodiment, the embodiment of the present application further provides an application proxy apparatus; the apparatus described below and the application proxy method described above correspond to each other and may be cross-referenced.
Referring to fig. 4, the apparatus includes the following modules:
an access credential obtaining module 101, configured to receive an access request sent by a client, and obtain an access credential of the access request;
the traffic intercepting module 102 is configured to intercept an access request if it is determined that the access credential cannot be obtained;
the address mapping module 103 is configured to map an access port in the access request to an application port if the access credential is successfully obtained, and obtain an application IP using the application port;
and the traffic forwarding module 104 is configured to send the access request to the target application by using the application IP and the application port.
The apparatus provided by this embodiment receives an access request sent by a client and obtains the access credential of the access request; if the access credential cannot be obtained, it intercepts the access request; if the access credential is obtained successfully, it maps the access port in the access request to an application port and obtains the application IP using the application port; and it sends the access request to the target application using the application IP and the application port.
In this application, after an access request is received its access credential is obtained first; only when the credential has been obtained is the access port in the request mapped to an application port, and the target application identified through that application port to yield the application IP. Finally the request is sent to the target application using the application IP and the real application port. In other words, the real port of the proxied application is hidden from the outside, and port mapping and application identification are performed only once the access credential corresponding to the request has been obtained, so the application is effectively protected. Because forwarding depends on the access credential and application identification is based on the port, from the outside the proxied application by default accepts no request initiated by a client and opens its service port only to a legitimate terminal and a legitimate user. The service system is therefore naturally hidden from an attacker, who cannot even scan it, and is effectively protected.
In a specific embodiment of the present application, the access credential obtaining module 101 is specifically configured to determine whether the access request carries an access credential;
if yes, obtain the access credential from the access request;
and if not, perform zero trust authentication to obtain the access credential.
In a specific embodiment of the present application, the access credential obtaining module 101 is specifically configured to redirect to a zero trust authentication service center for authentication;
after the authentication succeeds, receive the access credential issued by the zero trust authentication service center;
and after the authentication fails, determine that the access credential cannot be obtained.
In a specific embodiment of the present application, the access credential obtaining module 101 is specifically configured to perform authentication for the target application using the zero trust authentication service center and, if the authentication passes, obtain a user token;
perform permission authentication on the client and, if it passes, obtain an application token;
if both the user token and the application token are obtained, determine that the access configuration is obtained;
and if the user token and the application token are not obtained, determine that the access configuration cannot be obtained.
In a specific embodiment of the present application, the address mapping module 103 is specifically configured to map the access port to the application port using KEEPALIVE together with a configuration file;
and to query, using ENTRY, the application IP corresponding to the application port from the configuration file.
In one embodiment of the present application, the apparatus further includes:
the dynamic configuration module is used for receiving configuration information of the zero trust management center;
the access address and port of the specified application are dynamically adjusted using the configuration information.
In a specific embodiment of the present application, the dynamic configuration module is specifically configured to send configuration information to the OMS;
generating a configuration file of the configuration information by using the OMS;
the configuration file is synchronized to KEEPALIVE and ENTRY to proxy the specified application using the adjusted access address and port.
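The configuration path of the dynamic configuration module just described (management centre message to the OMS, OMS generates a configuration file, file synchronised to KEEPALIVE and ENTRY), as an added example in Go that is not the patent's or the product's code. The JSON message format, the file name, the validation rule and the in-memory table are assumptions; KEEPALIVE and ENTRY are collapsed into one table that is swapped atomically when the file is reloaded, which is what lets the access address and port change without the restart an nginx configuration needs. It goes one step beyond the text by adding the duplicate-access-port check an OMS would want before generating a file, since the gateway identifies the application by its port.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sync/atomic"
)

// ProxyEntry is one published application as the zero trust management centre
// describes it (field names are assumptions; the patent does not fix a format).
type ProxyEntry struct {
	App        string `json:"app"`
	AccessPort int    `json:"access_port"` // the port the gateway exposes
	AppIP      string `json:"app_ip"`      // real address, never given to clients
	AppPort    int    `json:"app_port"`
}

// ConfigMessage is the configuration information sent from the management centre to the OMS.
type ConfigMessage struct{ Entries []ProxyEntry `json:"entries"` }

// Validate is the check the OMS should run before generating a file: every entry complete, and
// no two applications behind one access port, since the gateway identifies the application by port.
func (m ConfigMessage) Validate() error {
	seen := map[int]string{}
	for _, e := range m.Entries {
		if e.App == "" || e.AccessPort <= 0 || e.AppIP == "" || e.AppPort <= 0 {
			return fmt.Errorf("entry %q incomplete", e.App)
		}
		if other, dup := seen[e.AccessPort]; dup {
			return fmt.Errorf("access port %d used by both %q and %q", e.AccessPort, other, e.App)
		}
		seen[e.AccessPort] = e.App
	}
	return nil
}

// WriteConfigFile generates the file the OMS synchronises to KEEPALIVE and ENTRY.
// Write-then-rename means a reader never sees a half-written file.
func WriteConfigFile(path string, m ConfigMessage) error {
	if err := m.Validate(); err != nil {
		return err
	}
	data, _ := json.MarshalIndent(m, "", "  ")
	if err := os.WriteFile(path+".tmp", data, 0o600); err != nil {
		return err
	}
	return os.Rename(path+".tmp", path)
}

// LiveTable is the mapping the forwarders consult. Reload swaps the whole table at once:
// requests in flight keep the old mapping, new ones see the new, and nothing restarts.
type LiveTable struct{ v atomic.Value }

// Reload reads the file the OMS produced and publishes it as access port -> "ip:port".
func (t *LiveTable) Reload(path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	var m ConfigMessage
	if err := json.Unmarshal(data, &m); err != nil {
		return err
	}
	rm := map[int]string{}
	for _, e := range m.Entries {
		rm[e.AccessPort] = fmt.Sprintf("%s:%d", e.AppIP, e.AppPort)
	}
	t.v.Store(rm)
	return nil
}

// Target returns "ip:port" for an access port, or "" when nothing is published there.
func (t *LiveTable) Target(accessPort int) string {
	rm, _ := t.v.Load().(map[int]string)
	return rm[accessPort]
}

// ReloadDemo applies two constructed messages in turn: the first publishes application A on
// access port 8443; the second moves it to 9443 and changes the real address. It returns
// what access ports 8443 and 9443 resolved to after each message.
func ReloadDemo() (targets [2][2]string, err error) {
	path := filepath.Join(os.TempDir(), "zt-proxy-demo.json")
	defer os.Remove(path)
	var tbl LiveTable
	for i, m := range []ConfigMessage{
		{Entries: []ProxyEntry{{"A", 8443, "10.0.0.5", 443}}},
		{Entries: []ProxyEntry{{"A", 9443, "10.0.0.6", 8080}}},
	} {
		if err := WriteConfigFile(path, m); err != nil {
			return targets, err
		}
		if err := tbl.Reload(path); err != nil {
			return targets, err
		}
		targets[i] = [2]string{tbl.Target(8443), tbl.Target(9443)}
	}
	return targets, nil
}

func main() { fmt.Println(ReloadDemo()) }
```

After the second message the old access port 8443 no longer resolves to anything, so a client that learned it earlier gets nothing from it; the forwarders never saw a partially written file because the OMS renamed a complete one into place.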
Corresponding to the above method embodiment, the present application further provides an electronic device; the electronic device described below and the application proxy method described above correspond to each other and may be cross-referenced.
Referring to fig. 5, the electronic device includes:
a memory 332 for storing a computer program;
a processor 322, configured to implement the steps of the application proxy method of the above method embodiments when executing the computer program.
Specifically, referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device provided in this embodiment. Such devices may vary considerably in configuration and performance, and may include one or more processors (CPUs) 322 and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. Memory 332 may be transient or persistent storage. The program stored in memory 332 may include one or more modules (not shown), each comprising a sequence of instructions operating on the data processing apparatus. Further, the central processor 322 may be configured to communicate with the memory 332 and execute the sequence of instruction operations held in the memory 332 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341.
The steps in the application proxy method described above may be implemented by the structure of the electronic device.
Corresponding to the above method embodiment, the present application further provides a readable storage medium; the readable storage medium described below and the application proxy method described above correspond to each other and may be cross-referenced.
A readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the application proxy method of the above-described method embodiments.
The readable storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disc, or any other readable storage medium capable of storing program code.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between such entities or actions. Also, the terms "comprise", "include" or any variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that includes a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus.
The principle and implementation of the present application have been explained here through specific examples; the above description of the embodiments serves only to help understand the method and core idea of the present application. At the same time, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. An application proxy method, comprising:
receiving an access request sent by a client, and obtaining an access credential of the access request;
if the access credential cannot be obtained, intercepting the access request;
if the access credential is obtained successfully, mapping an access port in the access request to an application port, and obtaining an application IP using the application port;
and sending the access request to a target application using the application IP and the application port.
2. The application proxy method of claim 1, wherein obtaining the access credential of the access request comprises:
judging whether the access request carries the access certificate or not;
if yes, obtaining the access credential from the access request;
and if not, performing zero trust authentication to obtain the access credential.
3. The application proxy method of claim 2, wherein said performing zero trust authentication to obtain the access credential comprises:
redirecting to a zero trust authentication service center for authentication;
after the authentication succeeds, receiving the access credential issued by the zero trust authentication service center;
and after the authentication fails, determining that the access credential cannot be obtained.
4. The application proxy method of claim 3 wherein said redirecting to a zero trust authentication service center for authentication comprises:
performing authentication for the target application using the zero trust authentication service center, and obtaining a user token if the authentication passes;
performing authority authentication on the client, and if the authentication is passed, obtaining an application token;
if the user token and the application token are obtained, determining to obtain the access configuration;
and if the user token and the application token are not obtained, determining that the access configuration cannot be obtained.
5. The application proxy method of claim 1, wherein mapping an access port in the access request to an application port, and obtaining an application IP using the application port comprises:
mapping the access port to the application port using KEEPALIVE in conjunction with a configuration file;
and inquiring the application IP corresponding to the application port from the configuration file by utilizing the ENTRY.
6. The application proxy method of any one of claims 1 to 5, further comprising:
receiving configuration information of a zero trust management center;
and dynamically adjusting the access address and the port of the specified application by using the configuration information.
7. The application proxy method of claim 6 wherein using the configuration information to dynamically adjust access addresses and ports for a given application comprises:
sending the configuration information to an OMS;
generating a configuration file of the configuration information by using the OMS;
and synchronizing the configuration file to KEEPALIVE and ENTRY so as to utilize the adjusted access address and port to proxy the specified application.
8. An application proxy apparatus, comprising:
an access credential obtaining module, configured to receive an access request sent by a client and obtain an access credential of the access request;
a traffic intercepting module, configured to intercept the access request if the access credential cannot be obtained;
an address mapping module, configured to map an access port in the access request to an application port if the access credential is obtained successfully, and to obtain an application IP using the application port;
and a traffic forwarding module, configured to send the access request to a target application using the application IP and the application port.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the application proxy method as claimed in any one of claims 1 to 7 when executing said computer program.
10. A readable storage medium, having stored thereon a computer program which, when executed by a processor, carries out the steps of the application proxy method according to any one of claims 1 to 7.
CN202211324964.2A 2022-10-26 2022-10-26 Application proxy method, device, equipment and readable storage medium Pending CN115694960A (en)

Publications (1)

Publication Number Publication Date
CN115694960A true CN115694960A (en) 2023-02-03

Family

ID=85100145

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116938603A (en) * 2023-09-15 2023-10-24 杭州安恒信息技术股份有限公司 Traffic transmission method, device, equipment and storage medium based on stealth gateway
CN117439816A (en) * 2023-12-18 2024-01-23 深圳竹云科技股份有限公司 Application stealth method and device and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination