CN116366272A - Resource processing method, device, server and storage medium - Google Patents

Publication number: CN116366272A
Application number: CN202111681299.8A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 刘清, 王增钦
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Prior art keywords: service, access address, resource, address, access

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies

Abstract

The embodiments of the application disclose a resource processing method, a device, a server and a storage medium, belonging to the technical field of computers. A business service and a first proxy service run in the first server. The method comprises: in response to an external resource processing request sent by a client, sending, through the business service, a first access address corresponding to the external resource processing request to the first proxy service; acquiring, through the first proxy service, a first resource corresponding to the first access address when the first access address passes verification, and sending the first resource to the business service; and sending, through the business service, a resource processing result to the client based on the first resource. With the method provided by the embodiments of the application, the business service does not need to access external devices directly, which avoids the business service being attacked from outside and improves the security of the business service.

Description

Resource processing method, device, server and storage medium
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a resource processing method, a device, a server and a storage medium.
Background
With the continuous development of the internet, internet services are becoming more and more abundant and diverse. Under different business scenarios, business services need to be deployed to provide services for clients. The user sends a processing request to the business service through the client, and the business service directly obtains the resource requested to be accessed based on the processing request. When the business service accesses resources directly based on the processing request in this way, it is vulnerable to external attack, and its security is poor.
Disclosure of Invention
The embodiment of the application provides a resource processing method, a device, a server and a storage medium, which can improve the safety of business service. The technical scheme is as follows:
In one aspect, there is provided a resource processing method performed by a first server, in which a business service and a first proxy service are operated, the method comprising:
responding to an external resource processing request sent by a client, and sending a first access address corresponding to the external resource processing request to the first proxy service through the business service, wherein the external resource is a resource of other equipment stored outside the first server;
acquiring a first resource corresponding to the first access address through the first proxy service under the condition that the first access address passes verification, and sending the first resource to the business service;
and sending a resource processing result to the client based on the first resource through the business service.
In one possible implementation manner, the performing, by the service, format conversion on the second access address based on at least one of a service type to which the external resource processing request belongs or a service identifier carried by the external resource processing request to obtain the first access address includes:
acquiring an address template corresponding to the target format through the service, wherein the address template comprises at least one of a service type field or a service identification field and an address field;
and filling at least one of the type identifier of the service type or the service identifier and the second access address into corresponding fields based on the address template to obtain the first access address.
In another possible implementation manner, the sending, based on the first resource, a resource processing result to the client includes any one of the following:
sending the first resource to the client;
and processing the first resource to obtain the resource processing result, and sending the resource processing result to the client.
In another aspect, there is provided a resource processing apparatus executed by a first server having a business service and a first proxy service running therein, the apparatus comprising:
the first sending module is used for responding to an external resource processing request sent by the client, sending a first access address corresponding to the external resource processing request to the first proxy service through the business service, wherein the external resource is a resource of other equipment stored outside the first server;
the second sending module is used for obtaining a first resource corresponding to the first access address through the first proxy service under the condition that the first access address passes verification, and sending the first resource to the business service;
and the third sending module is used for sending a resource processing result to the client based on the first resource through the business service.
In one possible implementation manner, the first sending module includes:
the first conversion unit is used for carrying out format conversion on the second access address carried by the external resource processing request through the business service to obtain the first access address belonging to a target format, wherein the target format is an address format supported by the first proxy service;
and the first sending unit is used for sending the first access address to the first proxy service through the business service.
In another possible implementation manner, the first conversion unit is configured to perform, through the service, format conversion on the second access address based on at least one of a service type to which the external resource processing request belongs or a service identifier carried by the external resource processing request, to obtain the first access address.
In another possible implementation manner, the first conversion unit is configured to obtain, through the service, an address template corresponding to the target format, where the address template includes at least one of a service type field or a service identifier field and an address field; and filling at least one of the type identifier of the service type or the service identifier and the second access address into corresponding fields based on the address template to obtain the first access address.
In another possible implementation, the apparatus further includes:
the verification module is used for verifying the received first access address through the first proxy service;
and the determining module is used for determining that the first access address passes verification under the condition that the first access address does not belong to a target network segment, wherein the target network segment is a network segment which is not allowed to be accessed.
In another possible implementation manner, the determining module is configured to determine that the first access address passes verification if the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address does not belong to the target network segment, where the jump address is the address that is automatically jumped to when the first access address is accessed.
In another possible implementation manner, the determining module is configured to determine that the first access address passes verification if the first access address does not belong to the target network segment, the first access address is associated with a multi-level jump address, and none of the multi-level jump addresses belong to the target network segment.
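The verification rule in the three implementations above (the address, its jump address and every level of a multi-level jump must lie outside the target network segment), as an added Python example that is not code from the patent. The segment list, the jump cap, the http(s)-only rule and the resolver and jump tables are constructed assumptions so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed "target network segments" (segments that must not be accessed).
# The patent does not enumerate them; these are common private/loopback ranges.
TARGET_SEGMENTS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7",
)]
MAX_JUMPS = 5  # assumed cap on how many jump addresses are followed

# Constructed data so the example runs offline: host -> resolved IPs,
# and access address -> the jump address it automatically jumps to.
CONSTRUCTED_DNS = {
    "media.example": ["203.0.113.10"],
    "short.example": ["198.51.100.7"],
    "cdn.example": ["203.0.113.20"],
    "intranet.example": ["10.1.2.3"],
}
CONSTRUCTED_JUMPS = {
    "http://short.example/a": "http://cdn.example/a.png",
    "http://short.example/b": "http://short.example/b2",
    "http://short.example/b2": "http://intranet.example/status",
    "http://short.example/loop": "http://short.example/loop",
}


def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])


def constructed_next_jump(url):
    return CONSTRUCTED_JUMPS.get(url)


def in_target_segment(ip_text):
    """True if the IP lies in a segment that is not allowed to be accessed."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in TARGET_SEGMENTS)


def check_one(url, resolve):
    """Return None if this single address is acceptable, else a reason."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "malformed address"
    if parts.scheme not in ("http", "https") or not host:
        return "unsupported address"
    try:
        ips = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        ips = resolve(host)                      # host is a name
    if not ips:
        return "host does not resolve"           # fail closed
    if any(in_target_segment(ip) for ip in ips):
        return "belongs to target network segment"
    return None


def verify_access_address(url, resolve, next_jump):
    """Verify the address and every level of jump address it leads to."""
    seen = set()
    hop = url
    for depth in range(MAX_JUMPS + 1):
        if hop in seen:
            return False, "jump loop at " + hop
        seen.add(hop)
        problem = check_one(hop, resolve)
        if problem:
            return False, "%s: %s" % (hop, problem)
        nxt = next_jump(hop)
        if nxt is None:
            return True, "verified after %d jump(s)" % depth
        hop = nxt
    return False, "more than %d jumps" % MAX_JUMPS
```

In a deployment, `next_jump` would fetch the address with automatic redirects disabled and return the redirect target, and the proxy would connect to the same IP that was verified rather than resolving the host a second time.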
In another possible implementation manner, the second sending module includes:
the acquisition unit is used for acquiring the second resource stored under the first access address;
a second conversion unit, configured to, when the second resource belongs to an index file type and the second resource includes a third access address, convert the third access address into a fourth access address that belongs to a target format, where the target format is an address format supported by the first proxy service;
the obtaining unit is further configured to obtain the first resource stored under the fourth access address.
In another possible implementation manner, the obtaining unit is further configured to verify, by the first proxy service, the fourth access address; and acquiring the first resource stored under the fourth access address by the first proxy service under the condition that the fourth access address passes verification.
In another possible implementation, the first server does not have external access rights; the second sending module is configured to send, through the first proxy service, the first access address to a second proxy service when the first access address passes verification, where the second proxy service is used to obtain the first resource corresponding to the first access address and send the first resource to the first proxy service, and the second server on which the second proxy service is deployed has external access rights; and to receive, through the first proxy service, the first resource sent by the second proxy service.
In another possible implementation, the first access address includes a service identifier; the second sending module is configured to obtain, based on a service identifier in the first access address, the first resource stored in the first access address corresponding to the service identifier.
In another possible implementation manner, the second sending module includes:
the determining unit is used for inquiring the mapping relation between the service identifier and the key based on the service identifier in the first access address and determining the key corresponding to the service identifier;
and the acquisition unit is used for acquiring the first resource stored corresponding to the service identifier under the first access address based on the key corresponding to the service identifier.
In another possible implementation, the key has a validity duration; the apparatus further comprises:
a fourth sending module, configured to send, through the first proxy service, a key acquisition request to a key distribution service at intervals of a target duration, where the key acquisition request carries the service identifier; the key distribution service is used for generating a new key for the service identifier based on the key acquisition request and sending the new key to the first proxy service;
and the updating module is used for receiving the new key sent by the key distribution service through the first proxy service and updating the mapping relation based on the new key.
In another possible implementation manner, the third sending module is configured to send the first resource to the client; or processing the first resource to obtain the resource processing result, and sending the resource processing result to the client.
In another aspect, a server is provided, the server comprising a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to implement operations performed by a resource processing method as described in the above aspects.
In another aspect, there is provided a computer readable storage medium having stored therein at least one computer program loaded and executed by a processor to implement the operations performed by the resource processing method as described in the above aspects.
In yet another aspect, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the operations performed by the resource processing method as described in the above aspects.
With the method, device, server and storage medium provided by the embodiments of the application, the business service that serves the client and the first proxy service are deployed in the same server. When the client needs to access an external resource while the business service is serving it, the first proxy service accesses the external resource in place of the business service, and only when the access address passes verification; the business service then returns a resource processing result to the client based on the external resource accessed by the first proxy service. In this access mode the business service does not need to access external devices directly, which avoids the business service being attacked from outside and thereby improves the security of the business service.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present application;
FIG. 2 is a flowchart of a resource processing method according to an embodiment of the present application;
FIG. 3 is a flowchart of a resource processing method according to an embodiment of the present application;
FIG. 4 is a flowchart of accessing cloud resources provided by an embodiment of the present application;
FIG. 5 is a flow chart of accessing cloud resources provided by an embodiment of the present application;
FIG. 6 is a flowchart for updating a mapping relationship according to an embodiment of the present application;
FIG. 7 is a flowchart of accessing cloud resources provided by an embodiment of the present application;
FIG. 8 is a flowchart of obtaining a first resource corresponding to the first access address according to an embodiment of the present application;
FIG. 9 is a flowchart of a first proxy service process based on a first access address provided by an embodiment of the present application;
FIG. 10 is a flowchart of a method for obtaining a first resource stored at the first access address according to an embodiment of the present application;
FIG. 11 is a flowchart for accessing public network resources according to an embodiment of the present application;
FIG. 12 is a flowchart for accessing public network resources according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a resource processing device according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a resource processing device according to an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The terms "first," "second," "third," "fourth," and the like as used herein may be used to describe various concepts, but the concepts are not limited by these terms unless otherwise specified. These terms are only used to distinguish one concept from another. For example, a first access address may be referred to as a second access address, and similarly, a second access address may be referred to as a first access address, without departing from the scope of the present application.
As used herein, "at least one" includes one, two or more; "a plurality" includes two or more; "each" refers to every one of the corresponding plurality; and "any one" refers to any one of the plurality. For example, if the plurality of access addresses includes 3 access addresses, "each" refers to every one of the 3 access addresses, and "any one" refers to any one of the 3 access addresses, which can be the first access address, the second access address, or the third access address.
Cloud Technology (Cloud Technology) refers to a hosting Technology for integrating hardware, software, network and other series resources in a wide area network or a local area network to realize calculation, storage, processing and sharing of data.
Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied under the cloud computing business model. It can form a resource pool that is used on demand, flexibly and conveniently. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other portal websites, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each article may in the future have its own identification mark, which needs to be transmitted to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong backend system support, which can only be realized through cloud computing.
Cloud Storage (Cloud Storage) is a new concept that extends and develops in the concept of Cloud computing, and a distributed Cloud Storage system (hereinafter referred to as a Storage system for short) refers to a Storage system that integrates a large number of Storage devices (Storage devices are also referred to as Storage nodes) of various types in a network to work cooperatively through application software or application interfaces through functions such as cluster application, grid technology, and a distributed Storage file system, so as to provide data Storage and service access functions for the outside.
At present, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as a data Identification (ID) and the like, the file system writes each object into a physical storage space of the logical volume, and the file system records storage position information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage position information of each object.
The process by which the storage system allocates physical storage space for a logical volume is specifically as follows: physical storage space is divided into stripes in advance according to an estimate of the capacity of the objects to be stored in the logical volume (the estimate often has a large margin relative to the capacity of the objects actually to be stored) and the group of the redundant array of independent disks (RAID, Redundant Array of Independent Disks). A logical volume can be understood as a stripe, and physical storage space is thereby allocated for the logical volume.
The resource processing method provided by the embodiment of the application is executed by the first server. Optionally, the first server is an independent physical server, or a server cluster or distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), big data and artificial intelligence platforms, but is not limited thereto. In some embodiments, a first server and other servers distributed across multiple sites and interconnected by a communication network can constitute a blockchain system.
FIG. 1 is a schematic diagram of an implementation environment provided by embodiments of the present application. Referring to fig. 1, the implementation environment includes at least one terminal 101 (3 are illustrated in fig. 1) and a first server 102. The terminal 101 and the first server 102 are directly or indirectly connected through wired or wireless communication, which is not limited herein.
A business service and a first proxy service run on the first server 102. A client served by the business service is installed on the terminal 101, and the terminal 101 can implement functions such as data transmission and resource processing through the client. Optionally, the terminal 101 is a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, a smart voice interaction device, a smart home appliance, a vehicle-mounted terminal, or the like, but is not limited thereto. Optionally, the client is a client in the operating system of the terminal 101 or a client provided by a third party. For example, the client is a picture processing client having a picture processing function; of course, the picture processing client can also have other functions, such as a video playing function, an image transcoding function, and the like.
The terminal 101 logs in to the client based on the user identifier and sends an external resource processing request to the first server 102 through the client. The first server 102 receives the external resource processing request through the business service. Through interaction between the business service and the first proxy service, the first proxy service obtains a first resource stored on another device outside the first server and returns the first resource to the business service, and the business service returns a resource processing result to the client based on the first resource.
Fig. 2 is a flowchart of a resource processing method provided in an embodiment of the present application, where the method is performed by a first server, and the first server has a business service and a first proxy service running therein, and as shown in fig. 2, the method includes:
201. In response to the external resource processing request sent by the client, the first server sends a first access address corresponding to the external resource processing request to the first proxy service through the business service.
The external resource is a resource stored on another device outside the first server. For example, the resource is a public network resource, such as a video or a picture in a public website. For another example, the resource is a resource required by the business service to provide services for the client; for instance, when the business service provides a storage service for the client, the resource is a resource that the client has requested to store. If the resource is stored on the first server, the resource is not an external resource to the first server; if the resource is stored on a device other than the first server, the resource is an external resource to the first server. The first access address is used for accessing the external resource and indicates the storage location of the external resource. The first access address is an address carried by the external resource processing request, or an address obtained by processing an address carried by the external resource processing request. The first access address is an address supported by the first proxy service, and the first proxy service can perform access according to the first access address.
In the embodiment of the application, the first server is a server for providing business services. The business service and the first proxy service are deployed in the first server; the business service is used for providing services for the client, and the first proxy service is used for accessing resources stored on other devices outside the first server. The client can send an external resource processing request to the first server, and the first server, in response to the external resource processing request, sends a first access address corresponding to the external resource processing request to the first proxy service through the business service, so that the first proxy service can subsequently perform access according to the first access address.
202. When the first access address passes verification, the first server acquires a first resource corresponding to the first access address through the first proxy service and sends the first resource to the business service.
The first resource is any type of resource, for example, a text, image, audio or video resource. The first resource corresponds to the first access address: the first resource is a resource stored under the first access address, or a resource associated with a resource stored under the first access address. The first access address is verified through the first proxy service, and the first resource corresponding to the first access address is acquired only when the first access address passes verification, which ensures the security of the access.
203. The first server sends a resource processing result to the client through the business service based on the first resource.
After the first resource is acquired through the business service, the resource processing result to be sent to the client can be obtained based on the first resource and sent to the client, so that the resource processing service is provided for the client through the business service and the first proxy service.
With the method provided by the embodiment of the application, the business service that serves the client and the first proxy service are deployed in the same server. When the client needs to access an external resource while the business service is serving it, the first proxy service accesses the external resource in place of the business service, and only when the access address passes verification; the business service then returns a resource processing result to the client based on the external resource accessed by the first proxy service.
On the basis of the embodiment shown in fig. 2, the address carried by the external resource processing request sent by the client is converted into the address in the format supported by the first proxy service, and then the first resource is acquired based on the address after format conversion through the first proxy service, and the specific process is described in the following embodiment.
Fig. 3 is a flowchart of a resource processing method provided in an embodiment of the present application, where the method is performed by a first server, and the first server has a business service and a first proxy service running therein, and as shown in fig. 3, the method includes:
301. In response to an external resource processing request sent by the client, the first server performs format conversion, through the business service, on a second access address carried by the external resource processing request to obtain a first access address belonging to a target format.
The target format is a format supported by the first proxy service, and the first proxy service can access an address belonging to the target format. In this embodiment of the present application, the storage location indicated by the first access address is the same as the storage location indicated by the second access address; only the address formats of the two differ. The second access address belongs to a format that is not supported by the first proxy service, and the first access address is obtained by performing format conversion on the second access address. The first access address belongs to the target format supported by the first proxy service, so that the first proxy service can subsequently perform access according to it. After receiving the external resource processing request sent by the client, the business service performs format conversion on the second access address so that the converted first access address can be accessed by the first proxy service; that is, the proxy service accesses the external resource in place of the business service.
In one possible implementation, this step 301 includes: through the business service, performing format conversion on the second access address based on at least one of a service type to which the external resource processing request belongs or a service identifier carried by the external resource processing request to obtain the first access address.
The service identifier indicates a service corresponding to the external resource processing request, and the service identifier can be expressed in any form, for example, the service identifier is a service Key (Key value). The service type indicates a type to which the service requested by the external resource processing request belongs. In the embodiment of the application, the business service can provide multiple types of services for the client, for example, the business service provides access service of public network resources for the client, or the business service provides cloud storage service for the client, and the like. For the same service type, there may be multiple services, each corresponding to a service identifier, different services can be distinguished based on the service identifier, and different types of services can be distinguished based on the service type.
The format of the second access address is converted based on at least one of the service type to which the external resource processing request belongs or the service identifier carried by the external resource processing request, so that the first proxy service can obtain, based on the first access address, the service type to which the service corresponding to the external resource processing request belongs.
Optionally, the process of converting the format of the second access address based on at least one of the service type to which the external resource processing request belongs or the service identifier carried by the external resource processing request includes: acquiring, by the business service, an address template corresponding to the target format; and, based on the address template, filling at least one of the type identifier of the service type or the service identifier, together with the second access address, into the corresponding fields to obtain the first access address.
The address template comprises an address field and at least one of a service type field or a service identification field, wherein the service type field is filled with the type identifier of a service type, the service identification field is filled with a service identifier, and the address field is filled with an access address. When format conversion is performed on the second access address, the second access address is filled into the address field of the address template, and at least one of the type identifier or the service identifier is filled into the service type field or the service identification field respectively; the filled address template is the first access address obtained after the format conversion.
Optionally, the address template also includes other content. For example, the address template also includes domain names supported by the first proxy service. For example, the address template is 'http://111.0.0.1:[service type field]/[service identification field]/http(s)/[address field]', and 'http://111.0.0.1:' is the domain name supported by the first proxy service.
Optionally, the second access address includes a domain name and a resource path, and the address field in the address template includes a domain name field and a path field. When format conversion is performed, the domain name and the resource path in the second access address are filled into the domain name field and the path field of the address template respectively, so that the first access address is obtained. For example, the second access address is example.
302. The first server sends the first access address to the first proxy service through the business service.
The first proxy service provides the business service with external resource access and may be any type of service; for example, the first proxy service is an LSP (Local Secure Proxy). In the embodiment of the application, a communication connection is established between the business service in the first server and the first proxy service. After the business service acquires the first access address, it sends the first access address to the first proxy service over this connection, so that the first proxy service performs the access according to the first access address.
It should be noted that, in this embodiment of the present application, the external resource processing request carries the second access address, and the business service converts the second access address into the first access address before sending the first access address to the first proxy service. In another embodiment, steps 301 to 302 need not be executed; in some other manner, the business service, in response to the external resource processing request sent by the client, sends the first access address corresponding to the external resource processing request to the first proxy service.
In one possible implementation manner, the external resource processing request sent by the client carries the first access address, and the first proxy service supports the format to which the first access address belongs; after receiving the external resource processing request, the business service directly sends the first access address carried by the external resource processing request to the first proxy service.
303. The first server receives, through the first proxy service, the first access address sent by the business service, and verifies the received first access address.
The first proxy service receives a first access address sent by the business service through communication connection with the business service, and before the first access address is accessed, the first access address needs to be verified to ensure the security of resource access.
In one possible implementation, the process of verifying the first access address includes: determining, by a first proxy service, whether the first access address belongs to a target network segment, and determining that the first access address passes verification if the first access address does not belong to the target network segment; and determining that the first access address is not verified under the condition that the first access address belongs to the target network segment.
The target network segment is a network segment to which access is not allowed; for example, it is a network segment of the internal network where the first server is located that the client is not allowed to access directly. If the first access address does not belong to the target network segment, access to the first access address is allowed, and the first access address is determined to pass verification; if the first access address belongs to the target network segment, access to the first access address is not allowed, and the first access address is determined not to pass verification.
Optionally, the target network segment is represented by a target character string, and in the case that the first access address includes the target character string, it is determined that the first access address belongs to the target network segment; and determining that the first access address does not belong to the target network segment under the condition that the first access address does not comprise the target character string. For example, the target character string is "1.2.3.4.5".
Optionally, in the process of verifying the first access address, the jump address associated with the first access address also needs to be verified; that is, the process of verifying the first access address includes: determining whether the first access address is associated with a jump address in the case that the first access address does not belong to the target network segment; determining that the first access address passes verification in the case that the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address does not belong to the target network segment; and determining that the first access address does not pass verification in the case that the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address belongs to the target network segment.
Wherein the jump address is an address that automatically jumps to when accessing the first access address, e.g. the first access address is associated with a 302 jump address. When the first access address has an associated jump address, the first access address jumps to the jump address and then accesses the jump address when accessed according to the first access address, so that the jump address needs to be verified before accessing the jump address to ensure the security of the access.
Optionally, if the first access address is associated with a multi-level jump address, the process of verifying the multi-level jump address includes: determining that the first access address passes verification in the case that the first access address does not belong to the target network segment, the first access address is associated with the multi-level jump address, and none of the multi-level jump addresses belongs to the target network segment.
When the first access address is accessed, the jumps follow the order of the first access address and its associated multi-level jump addresses. For example, accessing the first access address jumps to the primary jump address, accessing the primary jump address jumps to the secondary jump address, and accessing the secondary jump address jumps to the tertiary jump address. In the embodiment of the application, when the first access address is associated with a multi-level jump address, both the first access address and the multi-level jump address need to be verified. The first access address is determined to pass verification only if the first access address and every associated jump address pass verification; resources are then acquired according to the first access address and the associated multi-level jump address, so that the security risk posed by jump addresses is avoided and access security is guaranteed.
Optionally, whether the first access address is associated with a jump address is determined in the case that the first access address does not belong to the target network segment; in the case that the first access address is associated with a jump address, whether the primary jump address associated with the first access address belongs to the target network segment is determined; in the case that the primary jump address does not belong to the target network segment, whether the primary jump address is associated with a secondary jump address is determined; in the case that the primary jump address is associated with a secondary jump address, whether the secondary jump address belongs to the target network segment is determined. These steps are repeated until it is determined whether the last jump address belongs to the target network segment, and the first access address is determined to pass verification only if neither the first access address nor any of its associated multi-level jump addresses belongs to the target network segment.
Optionally, the first access address is obtained by performing format conversion on a second access address carried by the external resource processing request, where the first access address includes the second access address and at least one of a service identifier or a type identifier, and the process of verifying the first access address includes: determining, by the first proxy service, whether the second access address belongs to the target network segment; determining that the second access address passes verification if the second access address does not belong to the target network segment; and determining that the second access address does not pass verification if the second access address belongs to the target network segment. Alternatively, whether the second access address is associated with a jump address is determined if the second access address does not belong to the target network segment; the second access address is determined to pass verification if the second access address does not belong to the target network segment, the second access address has an associated jump address, and the jump address does not belong to the target network segment; and the second access address is determined not to pass verification if the second access address does not belong to the target network segment, the second access address has an associated jump address, and the jump address belongs to the target network segment.
304. In the case that the first access address passes verification, the first server acquires, through the first proxy service, a first resource stored under the first access address, and sends the first resource to the business service.
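The template filling of step 301 and the jump-address verification of step 303, as an added example that is not code from the patent. It goes beyond the string match described above by testing parsed IP addresses against CIDR ranges; the type identifier `8080`, the ranges, the host names, the lookup table standing in for DNS and the table standing in for 302 responses are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Template from the description:
# http://111.0.0.1:[service type field]/[service identification field]/http(s)/[address field]
TEMPLATE = "http://111.0.0.1:{type_id}/{service_id}/{scheme}/{address}"

# Everything below is constructed sample data, not taken from the patent.
TARGET_SEGMENTS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
RESOLVE = {  # stand-in for DNS so the example runs offline
    "img.example.test": "203.0.113.10",
    "cdn.example.test": "203.0.113.20",
    "intranet.example.test": "10.1.2.3",
}
REDIRECTS = {  # stand-in for the Location header of a 302 response
    "https://img.example.test/a.png": "https://cdn.example.test/a.png",
    "https://img.example.test/b.png": "https://cdn.example.test/hop",
    "https://cdn.example.test/hop": "http://intranet.example.test/admin",
    "https://img.example.test/loop": "https://img.example.test/loop",
}
MAX_HOPS = 5  # assumed upper bound on the number of jump levels


def to_first_address(second_address, type_id, service_id):
    """Business service side (step 301): fill the template fields."""
    parts = urlsplit(second_address)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported second access address")
    address = parts.netloc + parts.path
    if parts.query:
        address += "?" + parts.query
    return TEMPLATE.format(type_id=type_id, service_id=service_id,
                           scheme=parts.scheme, address=address)


def from_first_address(first_address):
    """Proxy side: recover type id, service id and the second access address."""
    parts = urlsplit(first_address)
    # Raises ValueError (rejecting the address) if a field is missing.
    service_id, scheme, address = parts.path.lstrip("/").split("/", 2)
    if scheme not in ("http", "https"):
        raise ValueError("bad scheme field")
    if parts.query:
        address += "?" + parts.query
    return str(parts.port), service_id, f"{scheme}://{address}"


def in_target_segment(url):
    """True if the host of url lies in a segment that must not be accessed."""
    host = urlsplit(url).hostname
    if host is None:
        return True  # fail closed on an address without a host
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        resolved = RESOLVE.get(host)
        if resolved is None:
            return True  # fail closed on a name that does not resolve
        ip = ipaddress.ip_address(resolved)
    return any(ip in net for net in TARGET_SEGMENTS)


def verify(first_address):
    """Step 303: return (passed, chain); every level must be outside the segments."""
    _, _, url = from_first_address(first_address)
    chain = []
    while url is not None:
        if url in chain or len(chain) > MAX_HOPS:
            return False, chain  # redirect loop or too many levels
        chain.append(url)
        if in_target_segment(url):
            return False, chain
        url = REDIRECTS.get(url)  # next-level jump address, if any
    return True, chain
```

In a real proxy the address that was checked must be the address the connection is made to, and redirects must be followed one level at a time so that each jump address is checked before it is fetched.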
The first resource is a resource which is required to be processed by the client. In the embodiment of the application, a first resource is stored under a first access address, and the first resource stored under the first access address is acquired according to the first access address by the first proxy service; or when the first access address is accessed through the first proxy service, the first proxy service jumps to the jump address to acquire the first resource stored under the jump address.
In one possible implementation manner, the first access address includes a type identifier of a service type and the second access address carried by the external resource processing request, and the process of acquiring the first resource by the first proxy service includes: in the case that the first access address passes verification, acquiring, by the first proxy service, the first resource stored under the second access address based on a port matched with the service type indicated by the type identifier.
In the embodiment of the application, the first server is provided with a plurality of different ports, and different service types are adapted to different ports. For example, the first server is provided with a NAT (Network Address Translation) port, through which the first proxy service can access resources in the public network, and a cloud resource port, through which resources stored in the cloud, such as COS (Cloud Object Storage) resources, can be accessed. When the first proxy service performs an access based on the first access address, it uses the port adapted to the service type corresponding to the first access address, so that the first proxy service can distinguish the access addresses corresponding to different service types and perform the access according to the corresponding service type. For example, if the service type corresponding to the first access address is a public network access type, the public network resource is accessed directly according to the first access address through the port adapted to the public network access type. For another example, if the service type corresponding to the first access address is a cloud resource type, the key corresponding to the service identifier in the first access address is determined based on the port adapted to the cloud resource type, and the cloud resource is then accessed based on the key corresponding to the service identifier and the first access address.
Optionally, different service types are adapted to the same port, i.e. the first proxy service accesses resources for services of multiple service types based on the same port. The type identifier in the first access address will not need to distinguish between different types anymore, and the service identifier is unified to be the same character, for example, the service identifier is "default".
305. The first server receives a first resource sent by the first proxy service through the business service, and sends a resource processing result to the client based on the first resource.
After the business service receives the first resource, it sends a resource processing result to the client according to the external resource processing request sent by the client, thereby providing the resource processing service to the client.
In one possible implementation, step 305 includes any of the following:
The first item: sending the first resource to the client through the business service.
In this embodiment of the present application, the first resource corresponds to a resource processing result corresponding to an external resource processing request sent by the client, that is, the external resource processing request sent by the client is actually an access request, and is used for requesting to access the first resource, and after the service obtains the first resource, the first resource is directly sent to the client.
For example, if the external resource processing request sent by the client is a picture downloading request, after the service obtains the target picture, the target picture is a resource processing result corresponding to the picture downloading request, and the target picture is sent to the client.
The second item: processing the first resource through the business service to obtain the resource processing result, and sending the resource processing result to the client.
In this embodiment of the present application, an external resource processing request sent by a client indicates that a first resource stored in another device other than a first server is processed, and after the first resource is obtained through the service, the first resource is processed according to the external resource processing request, so as to obtain a resource processing result, and the resource processing result is sent to the client.
For example, if the external resource processing request sent by the client is a resource transcoding request, after the service obtains the first resource, the service transcodes the first resource, and the transcoded resource is a resource processing result corresponding to the resource transcoding request, and sends the transcoded resource to the client.
For another example, the external resource processing request sent by the client is a picture processing request. After the business service obtains the target picture, it processes the target picture, for example by size adjustment or color adjustment; the processed picture is the resource processing result corresponding to the picture processing request, and the processed picture is sent to the client.
In addition, the embodiment of the present application is described for the case in which the first access address passes verification. In another embodiment, after step 303, in the case that the first access address does not pass verification, the first proxy service sends a verification failure notification to the business service; the business service receives the verification failure notification and, based on it, sends an access failure notification to the client to indicate that access to the second access address is not allowed.
The method provided by the embodiment of the application can also be applied to various other scenarios, such as an online translation scenario, a public network resource access scenario or a cloud resource access scenario. With this access mode, the business service is not directly connected to external devices, so the risk of SSRF (Server-Side Request Forgery) vulnerability attacks can be reduced, the security defenses of the system are improved, and the security of system information is better protected.
According to the method provided by the embodiment of the application, the business service that serves the client and the first proxy service are deployed in the same server. While the business service is serving the client, the first proxy service accesses the external resource in place of the business service, and does so only when the access address passes verification; the business service then returns a resource processing result to the client based on the external resource accessed by the first proxy service. In addition, the method can improve the security of the business service merely by deploying one first proxy service in the first server; no firewall needs to be managed, and the cost of modifying and deploying business code is low.
In addition, when the first proxy service performs an access based on the first access address, it uses the port adapted to the service type corresponding to the first access address, so that the first proxy service can distinguish the access addresses corresponding to different service types. This ensures that the access according to the first access address succeeds and thereby ensures the accuracy of the resource access.
Based on the embodiment shown in fig. 3, the process of obtaining the first resource stored under the first access address in step 304 includes: in the case that the first access address passes verification, acquiring, by the first proxy service, the first resource stored under the first access address in correspondence with the service identifier, based on the service identifier in the first access address.
In the embodiment of the application, the first access address includes a service identifier. Resources corresponding to service identifiers may be stored under the first access address, and the first resource corresponding to the service identifier can be determined based on the service identifier in the first access address.
In one possible implementation manner, if the mapping relationship between the service identifier and the key is stored in the first proxy service, the process of acquiring the first resource includes: inquiring a mapping relation between the service identifier and the key based on the service identifier in the first access address, and determining the key corresponding to the service identifier in the first access address; and acquiring a first resource stored corresponding to the service identifier under the first access address based on the key corresponding to the service identifier in the first access address.
The mapping relationship between the service identifier and the key comprises at least one service identifier and its corresponding key. In the case that a key in the mapping relationship has a valid duration, the key is a temporary key and is valid only within that duration; in the case that a key in the mapping relationship has no valid duration, the key is a permanent key and remains valid as long as it is not changed. The mapping relationship is queried based on the service identifier in the first access address to determine the key corresponding to the service identifier, and the first resource stored under the first access address in correspondence with the service identifier is acquired based on the queried key.
Optionally, the mapping relationship between the service identifier and the key stored in the first proxy service is either configured in the code of the first proxy service or obtained by interaction with a configuration center. The configuration center manages the keys corresponding to the various service identifiers; for example, the configuration center is a server other than the first server. Optionally, the key corresponding to a service identifier in the configuration center is configured by an administrator. As shown in fig. 4, when the mapping relationship is configured in the code of the first proxy service, the key included in the mapping relationship is a permanent key; the business service accesses the first proxy service, and the first proxy service then accesses the resource corresponding to the service identifier in the cloud resource based on the permanent key in the mapping relationship. As shown in fig. 5, the first proxy service obtains the permanent key corresponding to a service identifier by interacting with the configuration center and generates the mapping relationship; the business service accesses the first proxy service, and the first proxy service accesses the resource corresponding to a given service identifier in the cloud resource based on the permanent key in the mapping relationship.
Optionally, the process of acquiring, by the first proxy service, the first resource based on the key corresponding to the service identifier includes the following two ways:
The first way: the first proxy service sends the key corresponding to the service identifier to a third server based on the first access address; the third server verifies the key and, when the key passes verification, sends to the first proxy service the first resource stored under the first access address in correspondence with the service identifier; the first proxy service receives the first resource sent by the third server.
The third server is a server other than the first server, and the storage location indicated by the first access address is in the third server. For example, the first resource is a resource in a cloud resource, the cloud resource is stored in a distributed storage form, and the third server is any server in a distributed storage system corresponding to the cloud resource. In the embodiment of the application, in the process that the first proxy service interacts with the third server to acquire the first resource, the third server verifies the secret key, and the first resource is returned to the first proxy service only when the secret key verification is passed, so that the security of the resource stored in the third server is ensured.
Optionally, the third server verifies the key by: the third server stores the key corresponding to the service identifier, and determines that the key verification is passed when the key sent by the first proxy service is the same as the key corresponding to the service identifier in the third server; and under the condition that the key sent by the first proxy service is different from the key corresponding to the service identifier in the third server, determining that the key verification is not passed.
The second way: the first proxy service encrypts the service identifier based on the key to obtain an encrypted service identifier and sends the encrypted service identifier to a third server based on the first access address; the third server decrypts the encrypted service identifier to obtain the service identifier, and returns to the first proxy service the resource stored under the first access address in correspondence with the service identifier.
In the process that the first proxy service interacts with the third server to acquire the first resource, the first proxy service encrypts the service identifier based on the key, then the third server decrypts the encrypted service identifier, only under the condition that decryption is successful, the corresponding stored first resource is inquired, and the inquired first resource is returned to the first proxy service, so that the safety of the resources stored in the third server is ensured.
Optionally, a correspondence between the service identifier and the key is stored in the third server, after the third server receives the encrypted service identifier and the first access address sent by the first proxy service, the third server determines the service identifier corresponding to the resource stored under the first access address, queries the correspondence based on the service identifier, determines the key corresponding to the service identifier, decrypts the encrypted service identifier based on the key to obtain a decrypted service identifier, queries the corresponding stored first resource under the condition that the decrypted service identifier is the same as the service identifier corresponding to the first access address, and returns the queried first resource to the first proxy service.
In the embodiment of the application, under the condition that the mapping relationship between the service identifier and the key is stored in the first proxy service, the first proxy service acquires the corresponding first resource based on the key corresponding to the service identifier in the first access address, so that the security of acquiring the resource is ensured.
It should be noted that the embodiment of the present application is described taking as an example the case in which the resource corresponding to each service identifier is obtained by means of a key. In another embodiment, when the service identifier in the first access address is a target service identifier, the mapping relationship does not include a key corresponding to the target service identifier, which indicates that the resource corresponding to the target service identifier is a public resource that can be accessed without a key. For example, in the case that the service identifier in the first access address is the target service identifier, the resource stored under the first access address is acquired directly, without querying a key corresponding to the target service identifier.
It should be noted that, on the basis of the above embodiment, if the key has a valid duration, the first proxy service periodically interacts with the key distribution service to update the keys in the mapping relationship. Taking as an example a key distribution service deployed on a fourth server other than the first server, the process by which the first proxy service periodically interacts with the key distribution service to update the mapping relationship is shown in fig. 6 and includes:
601. The first server sends a key acquisition request to the key distribution service through the first proxy service at intervals of a target duration.
The target time period is an arbitrary time period, for example, one week or one month. The key acquisition request carries a service identifier, the key acquisition request is used for requesting a key dispatch service to generate a key for the service identifier, and the key dispatch service is used for generating the key for the service identifier. In the embodiment of the application, the key in the mapping relationship between the service identifier and the key has an effective duration, the key is effective in the effective duration, and the key is unusable beyond the effective duration. Optionally, the key is within the valid duration within a target duration after the key generation time point. Optionally, the validity duration of the key is identified in the form of a time period. For example, the key corresponds to a start time point and an end time point, and the duration of the time period between the start time point and the end time point corresponding to the key is the effective duration corresponding to the key. Therefore, the first proxy service needs to send a key acquisition request to the key distribution service every interval of the target duration to acquire a new key corresponding to each service identifier.
602. The fourth server receives the key acquisition request through the key distribution service, generates a new key for the service identifier based on the key acquisition request, and transmits the new key to the proxy service.
The fourth server is any server except the first server, and a key dispatch service is deployed in the server.
The key distribution service receives the key acquisition request, generates a new key for the service identifier carried by the key acquisition request, and sends the new key to the first proxy service, so that the first proxy service can subsequently update the mapping relationship.
In one possible implementation, where the key dispatch service generates the new key from a permanent key of the service identifier, step 602 includes: for any service identifier, generating, by the key distribution service, a new key corresponding to the service identifier based on the target key corresponding to the service identifier.
The target key is a permanent key and is permanently valid. The new key corresponding to the service identifier is generated from the target key of the service identifier in such a way that the new key has a valid duration.
Optionally, through a key distribution service, an effective duration is determined based on the target key corresponding to the service identifier, and the target key and the effective duration are encoded to obtain the new key.
Encoding the target key corresponding to the service identifier together with the effective duration makes the resulting new key time-limited: the new key is valid within the effective duration and invalid outside it. This avoids insecure access caused by key leakage and ensures the security of access.
Optionally, the key distribution service obtains the target key corresponding to the service identifier as follows: the key distribution service sends a key acquisition request carrying the service identifier to the configuration center; the configuration center receives the key acquisition request, queries the target key corresponding to the service identifier based on the request, and sends that target key to the key distribution service; the key distribution service receives the target key corresponding to the service identifier and stores the service identifier and the target key.
In the embodiment of the present application, the configuration center is configured with a plurality of target keys corresponding to service identifiers, and optionally, the target keys corresponding to the service identifiers included in the configuration center are configured by a manager.
603. The first server receives the new key sent by the key distribution service through the first proxy service, and updates the mapping relationship based on the new key.
The new key sent by the key distribution service is received through the first proxy service, and the mapping relationship is updated based on the new key corresponding to the service identifier, so as to ensure that the key corresponding to each service identifier in the mapping relationship is the latest key and that each key is currently valid.
In the embodiment shown in fig. 6, the key distribution service is deployed in a server other than the first server. In another embodiment, the key distribution service is deployed in the first server; the first server then does not need to execute step 602, and can receive the key acquisition request through the key distribution service, generate a new key for the service identifier based on the key acquisition request, and send the new key to the proxy service.
According to the method provided by the embodiment of the application, an effective duration is set for the keys stored in the first proxy service, and resources are acquired based on keys that have an effective duration, which reduces the impact of key leakage and thereby guarantees the security of the business service.
In addition, because the key distribution service generates keys with an effective duration for the first proxy service, little change to the code of the business service is needed, and a key can be reused throughout its effective duration. A new key does not have to be generated each time a key is used, so the number of key generations, and with it the cost of generating keys, is reduced.
As shown in fig. 7, in the scenario of acquiring cloud resources, a manager configures permanent keys corresponding to a plurality of service identifiers in a configuration center; a fourth server interacts with the configuration center through a key distribution service to acquire the permanent keys corresponding to the plurality of service identifiers; and a first server periodically interacts with the key distribution service through a first proxy service to acquire temporary keys corresponding to the plurality of service identifiers, and updates the cached mapping relationship based on those temporary keys. The business service accesses the first proxy service, and the first proxy service accesses the resource corresponding to a given service identifier in the cloud resources based on the temporary key in the mapping relationship.
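The key scheme described above can be sketched as follows; this is an added example, not code from the patent. The key distribution service derives a time-limited key from the permanent target key, and the first proxy service keeps it in its mapping and requests a new one once the target duration has elapsed. The HMAC-SHA256 encoding, the key layout, the on-demand refresh, and all names and sample keys are assumptions, since the patent says only that the target key and the effective duration are encoded.

```python
import base64
import hashlib
import hmac


def _mac(target_key, service_id, start, end):
    # Bind the service identifier and the validity window to the permanent key.
    msg = f"{service_id}|{start}|{end}".encode()
    return hmac.new(target_key, msg, hashlib.sha256).digest()


def issue_temp_key(target_key, service_id, now, valid_for):
    """Key distribution service: encode the target key with an effective duration."""
    start, end = now, now + valid_for
    tag = base64.urlsafe_b64encode(_mac(target_key, service_id, start, end)).decode()
    return f"{start}.{end}.{tag}"


def check_temp_key(target_key, service_id, temp_key, now):
    """Resource side: accept the key only inside its window and for its own service."""
    try:
        start_s, end_s, tag = temp_key.split(".")
        start, end = int(start_s), int(end_s)
        presented = base64.urlsafe_b64decode(tag)
    except ValueError:  # wrong field count, non-numeric time, bad base64
        return False
    expected = _mac(target_key, service_id, start, end)
    return hmac.compare_digest(presented, expected) and start <= now < end


class ProxyKeyMap:
    """First proxy service: mapping of service identifier -> current temporary key."""

    def __init__(self, request_key, target_duration):
        self._request_key = request_key        # callable(service_id, now) -> key
        self._target_duration = target_duration
        self._entries = {}                     # service_id -> (fetched_at, key)

    def key_for(self, service_id, now):
        entry = self._entries.get(service_id)
        # Ask for a new key once the target duration has passed since the last one.
        if entry is None or now - entry[0] >= self._target_duration:
            entry = (now, self._request_key(service_id, now))
            self._entries[service_id] = entry
        return entry[1]


# Constructed sample data: permanent target keys as a configuration center might hold them.
TARGET_KEYS = {"svc-video": b"constructed-permanent-key-1",
               "svc-audio": b"constructed-permanent-key-2"}
WEEK = 7 * 24 * 3600


def dispatch(service_id, now):
    # The effective duration is slightly longer than the refresh interval (assumed),
    # so the old key is still valid while the new one is being fetched.
    return issue_temp_key(TARGET_KEYS[service_id], service_id, now, WEEK + 3600)


if __name__ == "__main__":
    keys = ProxyKeyMap(dispatch, WEEK)
    t0 = 1_700_000_000
    key = keys.key_for("svc-video", t0)
    print("valid inside window:", check_temp_key(TARGET_KEYS["svc-video"], "svc-video", key, t0 + 60))
    print("valid after expiry: ", check_temp_key(TARGET_KEYS["svc-video"], "svc-video", key, t0 + 2 * WEEK))
```

A leaked temporary key stops working when its window closes, and changing the window fields invalidates the tag, so the exposure is bounded by the effective duration.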
It should be noted that the embodiment shown in fig. 3 takes as an example the case where the first resource is stored under the first access address and is obtained from there through the first proxy service. In another embodiment, the first proxy service can obtain the first resource corresponding to the first access address when the first access address passes verification without executing step 304.
As shown in fig. 8, taking as an example the case where the resource stored under the first access address is not the first resource, the process of obtaining the first resource corresponding to the first access address after the first access address passes verification includes:
801. The first server acquires the second resource stored under the first access address through the first proxy service.
In this embodiment of the present application, the resource stored at the first access address is a second resource, where the second resource is any type of resource, for example, the second resource is an index file of the first resource, where the index file is used to index a corresponding resource, and the address included in the second resource is a storage address of the resource corresponding to the index file. Optionally, for the audio resource, the index file corresponding to the audio resource includes storage addresses corresponding to a plurality of audio clips in the audio resource. Optionally, for the video resource, the index file corresponding to the video resource includes storage addresses corresponding to a plurality of video clips in the video resource.
802. The first server converts the third access address into a fourth access address belonging to the target format through the first proxy service in the case that the second resource belongs to the index file type and the second resource contains the third access address.
The index file type indicates that the corresponding resource is used to index other resources; for example, the index file type is m3u8 (Moving Picture Experts Group Audio Layer 3 Uniform Resource Locator UTF-8, a file format) or another type. The format conversion of the third access address is the same as in step 301 and is not described again.
When the second resource belongs to the index file type, other resources have to be located according to the second resource, and the address contained in the second resource is not in a format supported by the first proxy service. Format conversion therefore needs to be performed on the address contained in the second resource, so that the first proxy service can locate the other resources corresponding to the second resource according to the converted address.
803. The first server acquires the first resource stored under the fourth access address through the first proxy service.
The fourth access address belongs to a target format, that is, the fourth access address is an address supported by the first proxy service, and after the third access address in the second resource belonging to the index file type is converted into the fourth access address supported by the first proxy service, the first resource stored under the fourth access address can be acquired through the first proxy service.
In one possible implementation, step 803 includes: verifying the fourth access address through the first proxy service, and acquiring the first resource stored under the fourth access address when the fourth access address passes the verification.
In the embodiment of the application, after the first proxy service obtains the second resource according to the first access address and the second resource belongs to the index file type, the third access address in the second resource is converted into the fourth access address belonging to the target format, the first resource stored under the fourth access address is acquired directly according to the fourth access address, and the first resource is then returned to the business service. The second resource does not have to be returned to the business service first, with the business service then interacting with the first proxy service again to obtain the first resource, which reduces communication overhead. In this way, malicious resources that contain addresses, for example attacks that use malicious audio and video resources, can also be intercepted, so the method has a wide range of application.
For example, fig. 9 shows the processing flow by which the first proxy service acquires the first resource based on the first access address. After the first proxy service acquires the first access address, it first checks whether the first access address is an intranet address to which access is not allowed. If the first access address is an intranet address, a verification failure notification is sent to the business service to indicate that the first access address is an intranet address to which access is not allowed. If the first access address is not an intranet address, it is determined whether the first access address has an associated jump address, such as a 302 jump address. If there is an associated jump address, it is checked whether the jump address is an intranet address to which access is not allowed: if the jump address is not an intranet address, the resource stored under the jump address is acquired; if the jump address is an intranet address, a verification failure notification is sent to the business service to indicate that the jump address is an intranet address to which access is not allowed. If the first access address has no associated jump address, the resource stored under the first access address is acquired.
In the audio/video scenario, after the resource corresponding to the first access address is acquired through the first proxy service, it needs to be determined whether the resource is an audio file or a video file. If the acquired resource is determined to be not an audio file or a video file but an index file, format conversion needs to be performed on the third access address in the index file to obtain a fourth access address belonging to the target format, where the fourth access address is an address supported by the first proxy service. For example, the address included in the index file is "abc.1", and the fourth access address after format conversion is "http/sample.com/abc.1". The fourth access address is verified through the first proxy service, and when the fourth access address passes the verification, the first resource stored under the fourth access address, that is, the audio resource or the video resource, is acquired. The first resource is then returned to the business service, so that the business service can process the audio or video resource with FFmpeg (Fast Forward mpeg, an open source plug-in).
It should be noted that, in the embodiment of the present application, the second resource includes one third access address. In another embodiment, the second resource includes a plurality of third access addresses; after step 802 is executed, a plurality of fourth access addresses are obtained, the resources under the plurality of fourth access addresses are acquired according to step 803, and the resources under the plurality of fourth access addresses together form the first resource. For example, the resources stored under the plurality of fourth access addresses are video clips of a target video, and the plurality of video clips make up the target video.
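The checks of fig. 9 and the index-file handling of steps 801 to 803 can be combined in one fetch routine; the following is an added example, not code from the patent. It verifies the first access address and every jump address, then converts and verifies each address found in an m3u8 index file before fetching it. The blocked segments, the `DNS` and `WEB` tables (constructed stand-ins so the code runs offline), the use of `urljoin` as the format conversion, and all names are assumptions.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Target network segments that must not be accessed (assumed values).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MAX_JUMPS = 5  # assumed limit on multi-level jump addresses

# Constructed stand-ins for DNS and for the external network, so this runs offline.
DNS = {"media.example": "203.0.113.10", "cdn.example": "203.0.113.20",
       "inside.example": "10.1.2.3"}
M3U8 = {"Content-Type": "application/vnd.apple.mpegurl"}
WEB = {
    "http://media.example/v/index.m3u8": (200, M3U8,
        b"#EXTM3U\n#EXTINF:4.0,\nseg0.ts\n#EXTINF:4.0,\nhttp://cdn.example/seg1.ts\n"),
    "http://media.example/v/seg0.ts": (200, {}, b"AAAA"),
    "http://cdn.example/seg1.ts": (200, {}, b"BBBB"),
    "http://media.example/moved": (302, {"Location": "http://cdn.example/seg1.ts"}, b""),
    "http://media.example/trap": (302, {"Location": "http://192.168.0.5/admin"}, b""),
    "http://media.example/evil.m3u8": (200, M3U8,
        b"#EXTM3U\n#EXTINF:4.0,\nhttp://inside.example/internal\n"),
}


class VerificationFailed(Exception):
    """Raised instead of fetching; the business service gets a failure notification."""


def verify_address(url):
    """Pass only http(s) addresses whose host is outside every blocked segment."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise VerificationFailed(f"{url}: unsupported address")
    try:
        ip = ipaddress.ip_address(parts.hostname)      # literal IP in the address
    except ValueError:
        if parts.hostname not in DNS:
            raise VerificationFailed(f"{url}: cannot resolve host")
        # A real proxy must connect to this verified IP, not resolve a second time.
        ip = ipaddress.ip_address(DNS[parts.hostname])
    if any(ip in net for net in BLOCKED_NETS):
        raise VerificationFailed(f"{url}: {ip} is in a segment that must not be accessed")


def fetch_checked(url):
    """Fetch without auto-following jumps: every jump address is verified first."""
    for _ in range(MAX_JUMPS + 1):
        verify_address(url)
        if url not in WEB:
            raise LookupError(f"{url}: no such resource")
        status, headers, body = WEB[url]
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])
            continue
        return url, headers, body
    raise VerificationFailed("too many jump addresses")


def fetch_resource(first_access_address):
    """Return the first resource; index files are expanded inside the proxy."""
    final_url, headers, body = fetch_checked(first_access_address)
    is_index = (urlsplit(final_url).path.endswith(".m3u8")
                or "mpegurl" in headers.get("Content-Type", "").lower())
    if not is_index:
        return body
    clips = []
    for line in body.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):           # tags and comments carry no address
            continue
        fourth_address = urljoin(final_url, line)      # third -> fourth access address
        clips.append(fetch_checked(fourth_address)[2]) # verified again before fetching
    return b"".join(clips)                             # nested index files are not expanded


if __name__ == "__main__":
    print(fetch_resource("http://media.example/v/index.m3u8"))
    for bad in ("http://media.example/trap", "http://media.example/evil.m3u8"):
        try:
            fetch_resource(bad)
        except VerificationFailed as err:
            print("verification failed:", err)
```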
It should be noted that, in the above embodiment, the first server has external access rights, and the first proxy service can directly access external resources according to the access address. Optionally, the first server is configured with an external network card or a NAT (Network Address Translation) interface, and the first proxy service accesses the external resource according to the access address through the external network card or NAT interface. In another embodiment, if the first server does not have external access rights, a second server needs to be configured: a second proxy service is deployed in the second server, a communication connection is established between the first server and the second server, the first proxy service interacts with the second proxy service, and the second proxy service then accesses the external resources. As shown in fig. 10, the process in which the first server obtains, through the first proxy service, the first resource stored under the first access address if the first access address passes the verification includes:
1001. The first server transmits the first access address to the second proxy service through the first proxy service when the first access address passes verification.
The verification process is the same as the above step 303, and will not be described herein. In the embodiment of the application, the first server does not have external access rights; the second server deploying the second proxy service has external access rights, and the first proxy service is capable of sending the first access address to the second proxy service based on a communication connection between the first server and the second server.
1002. The second server receives a first access address sent by the first proxy service through the second proxy service, acquires a first resource corresponding to the first access address, and sends the first resource to the first proxy service.
In one possible implementation manner, the process of acquiring the first resource corresponding to the first access address includes: acquiring the first resource stored under the first access address through the second proxy service.
In another possible implementation manner, a second resource belonging to the index file type is stored under the first access address, and the process of acquiring the first resource corresponding to the first access address includes: the second proxy service sends the second resource to the first proxy service; the first proxy service receives the second resource and, when the second resource belongs to the index file type and contains a third access address, converts the third access address into a fourth access address belonging to the target format and verifies the fourth access address; when the fourth access address passes verification, the first proxy service sends the fourth access address to the second proxy service; and the second proxy service acquires the first resource stored under the fourth access address and sends the first resource to the first proxy service.
1003. The first server receives the first resource sent by the second proxy service through the first proxy service.
The first proxy service receives the first resource sent by the second proxy service. External resources are thus accessed through the second proxy service, and the business service does not need to access external resources directly, which prevents the business service from being attacked from outside and ensures the security of the business service.
As shown in fig. 11, in the case that the first server has external access rights, a client through which the business service provides its service is installed on the user equipment, and the client sends an external resource processing request to the business service via the gateway corresponding to the first server. The business service accesses the first proxy service in proxy mode, and the first proxy service accesses the public network resource corresponding to the external resource processing request.
As shown in fig. 12, in the case that the first server does not have external access rights, a client through which the business service provides its service is installed on the user equipment, and the client sends an external resource processing request to the business service via the gateway corresponding to the first server. The business service accesses the first proxy service in proxy mode; the first proxy service accesses the second proxy service in the second server, and the second proxy service accesses the public network resource corresponding to the external resource processing request.
Fig. 13 is a schematic structural diagram of a resource processing device provided in an embodiment of the present application, where the resource processing device is executed by a first server, and the first server runs a business service and a first proxy service, and as shown in fig. 13, the device includes:
the first sending module 1301 is configured to send, through a business service, a first access address corresponding to an external resource processing request to a first proxy service in response to the external resource processing request sent by the client, where the external resource is a resource of another device stored outside the first server;
the second sending module 1302 is configured to obtain, through the first proxy service, a first resource corresponding to the first access address when the first access address passes through verification, and send the first resource to the business service;
and the third sending module 1303 is configured to send, through the service, a resource processing result to the client based on the first resource.
In one possible implementation, as shown in fig. 14, the first sending module 1301 includes:
the first conversion unit 1311 is configured to perform format conversion on a second access address carried by the external resource processing request through the service, so as to obtain a first access address belonging to a target format, where the target format is an address format supported by the first proxy service;
The first sending unit 1312 is configured to send, through the business service, the first access address to the first proxy service.
In another possible implementation manner, the first conversion unit 1311 is configured to perform format conversion on the second access address through a service based on at least one of a service type to which the external resource processing request belongs or a service identifier carried by the external resource processing request, to obtain the first access address.
In another possible implementation manner, the first conversion unit 1311 is configured to obtain, through a service, an address template corresponding to the target format, where the address template includes at least one of a service type field or a service identification field and an address field; and filling at least one of the type identifier of the service type or the service identifier and the second access address into corresponding fields respectively based on the address template to obtain a first access address.
In another possible implementation, as shown in fig. 14, the apparatus further includes:
a verification module 1304, configured to verify, by using a first proxy service, the received first access address;
and the determining module 1305 is configured to determine that the first access address passes verification if the first access address does not belong to the target network segment, where the target network segment is a network segment that is not allowed to be accessed.
In another possible implementation, the determining module 1305 is configured to determine that the first access address passes verification if the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address does not belong to the target network segment, where the jump address is an address that is automatically jumped to when the first access address is accessed.
In another possible implementation, the determining module 1305 is configured to determine that the first access address passes the verification if the first access address does not belong to the target network segment, the first access address is associated with a multi-level jump address, and none of the multi-level jump addresses belong to the target network segment.
In another possible implementation, as shown in fig. 14, the second transmitting module 1302 includes:
an acquiring unit 1321, configured to acquire a second resource stored under the first access address;
a second conversion unit 1322, configured to, when the second resource belongs to the index file type and the second resource includes a third access address, convert the third access address into a fourth access address belonging to a target format, where the target format is an address format supported by the first proxy service;
the acquiring unit 1321 is further configured to acquire the first resource stored under the fourth access address.
In another possible implementation manner, the acquiring unit 1321 is further configured to verify, through the first proxy service, the fourth access address; and acquiring the first resource stored under the fourth access address by the first proxy service under the condition that the fourth access address passes verification.
In another possible implementation, the first server does not have external access rights; the second sending module 1302 is configured to send, through the first proxy service, the first access address to the second proxy service when the first access address passes verification, where the second proxy service is configured to obtain the first resource corresponding to the first access address and send the first resource to the first proxy service, and the second server in which the second proxy service is deployed has external access rights; and to receive, through the first proxy service, the first resource sent by the second proxy service.
In another possible implementation, the first access address includes a service identification; the second sending module 1302 is configured to obtain, based on the service identifier in the first access address, a first resource stored corresponding to the service identifier under the first access address.
In another possible implementation, as shown in fig. 14, the second transmitting module 1302 includes:
A determining unit 1323, configured to query a mapping relationship between the service identifier and the key based on the service identifier in the first access address, and determine a key corresponding to the service identifier;
the acquiring unit 1321 is configured to acquire, based on the key corresponding to the service identifier, a first resource stored corresponding to the service identifier at the first access address.
In another possible implementation, the key has a validity duration; as shown in fig. 14, the apparatus further includes:
a fourth sending module 1306, configured to send, through the first proxy service, a key acquisition request to the key distribution service every interval of a target duration, where the key acquisition request carries a service identifier; the key distribution service is used for generating a new key for the service identifier based on the key acquisition request and sending the new key to the first proxy service;
the updating module 1307 is configured to receive, by the first proxy service, a new key sent by the key distribution service, and update the mapping relationship based on the new key.
In another possible implementation manner, the third sending module 1303 is configured to send the first resource to the client; or processing the first resource to obtain a resource processing result, and sending the resource processing result to the client.
It should be noted that: the resource processing device provided in the above embodiment is only exemplified by the division of the above functional modules, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the first server is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the resource processing device and the resource processing method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the resource processing device and the resource processing method are detailed in the method embodiments and are not repeated herein.
The present application also provides a server, which includes a processor and a memory, where at least one computer program is stored in the memory, where the at least one computer program is loaded and executed by the processor to implement the operations performed by the resource processing method of the above embodiment.
Fig. 15 is a schematic structural diagram of a server provided in the embodiments of the present application. The server 1500 may vary considerably depending on its configuration or performance, and may include one or more processors (Central Processing Units, CPU) 1501 and one or more memories 1502, where the memories 1502 store at least one computer program that is loaded and executed by the processors 1501 to implement the methods provided in the above method embodiments. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
The present application also provides a computer readable storage medium having at least one computer program stored therein, the at least one computer program being loaded and executed by a processor to implement the operations performed by the resource processing method of the above embodiments.
Embodiments of the present application also provide a computer program product comprising a computer program which, when executed by a processor, implements the operations performed by the resource processing method as described in the above aspect.
Those of ordinary skill in the art will appreciate that all or a portion of the steps implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the above storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the embodiments is merely an optional embodiment and is not intended to limit the embodiments, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the embodiments of the present application are intended to be included in the scope of the present application.

Claims (16)

1. A resource processing method, performed by a first server having a business service and a first proxy service running therein, the method comprising:
responding to an external resource processing request sent by a client, and sending a first access address corresponding to the external resource processing request to the first proxy service through the business service, wherein the external resource is a resource of other equipment stored outside the first server;
acquiring a first resource corresponding to the first access address through the first proxy service under the condition that the first access address passes verification, and sending the first resource to the business service;
and sending a resource processing result to the client based on the first resource through the business service.
2. The method according to claim 1, wherein the sending, by the business service, the first access address corresponding to the external resource processing request to the first proxy service includes:
converting the format of the second access address carried by the external resource processing request through the business service to obtain the first access address belonging to a target format, wherein the target format is an address format supported by the first proxy service;
and sending the first access address to the first proxy service through the business service.
3. The method according to claim 2, wherein said performing, by the service, format conversion on the second access address carried by the external resource processing request to obtain the first access address belonging to the target format includes:
and converting the format of the second access address based on at least one of the service type to which the external resource processing request belongs or the service identifier carried by the external resource processing request through the service to obtain the first access address.
4. The method according to claim 1, wherein the method further comprises:
verifying the received first access address through the first proxy service;
and under the condition that the first access address does not belong to a target network segment, determining that the first access address passes verification, wherein the target network segment is a network segment which is not allowed to be accessed.
5. The method of claim 4, wherein determining that the first access address is verified if the first access address does not belong to a target network segment comprises:
and determining that the first access address passes verification under the condition that the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address does not belong to the target network segment, wherein the jump address is an address automatically jumped to when the first access address is accessed.
6. The method of claim 5, wherein determining that the first access address is validated if the first access address does not belong to the target network segment, the first access address has an associated jump address, and the jump address does not belong to the target network segment, comprises:
and determining that the first access address passes verification when the first access address does not belong to the target network segment, the first access address is associated with a multi-level jump address, and the multi-level jump address does not belong to the target network segment.
7. The method according to claim 1, wherein, in the case that the verification of the first access address passes, the obtaining the first resource corresponding to the first access address includes:
acquiring a second resource stored under the first access address;
converting a third access address into a fourth access address belonging to a target format, wherein the target format is an address format supported by the first proxy service, under the condition that the second resource belongs to an index file type and the second resource comprises the third access address;
and acquiring the first resource stored under the fourth access address.
8. The method of claim 7, wherein the obtaining the first resource stored at the fourth access address comprises:
verifying the fourth access address through the first proxy service;
and acquiring the first resource stored under the fourth access address by the first proxy service under the condition that the fourth access address passes verification.
9. The method of claim 1, wherein the first server does not have external access rights; the obtaining, by the first proxy service, the first resource corresponding to the first access address when the first access address is verified, includes:
transmitting, by the first proxy service, the first access address to a second proxy service when the first access address passes the verification, wherein the second proxy service is configured to acquire the first resource corresponding to the first access address and transmit the first resource to the first proxy service, and a second server in which the second proxy service is deployed has external access rights;
and receiving the first resource sent by the second proxy service through the first proxy service.
10. The method of claim 1, wherein the first access address comprises a service identification; the obtaining the first resource corresponding to the first access address includes:
and acquiring the first resource stored corresponding to the service identifier under the first access address based on the service identifier in the first access address.
11. The method according to claim 10, wherein the obtaining, based on the service identifier in the first access address, the first resource stored corresponding to the service identifier at the first access address includes:
inquiring a mapping relation between a service identifier and a secret key based on the service identifier in the first access address, and determining the secret key corresponding to the service identifier;
and acquiring the first resource stored corresponding to the service identifier under the first access address based on the key corresponding to the service identifier.
12. The method of claim 11, wherein the key has a validity duration; the method further comprises the steps of:
sending, through the first proxy service, a key acquisition request to a key distribution service at every interval of a target duration, wherein the key acquisition request carries the service identifier; the key distribution service is used for generating a new key for the service identifier based on the key acquisition request and sending the new key to the first proxy service;
and receiving the new key sent by the key distribution service through the first proxy service, and updating the mapping relation based on the new key.
13. A resource processing apparatus, characterized by being executed by a first server having a business service and a first proxy service running therein, the apparatus comprising:
the first sending module is used for responding to an external resource processing request sent by the client, sending a first access address corresponding to the external resource processing request to the first proxy service through the business service, wherein the external resource is a resource stored on another device outside the first server;
the second sending module is used for obtaining a first resource corresponding to the first access address through the first proxy service under the condition that the first access address passes verification, and sending the first resource to the business service;
and the third sending module is used for sending a resource processing result to the client based on the first resource through the business service.
14. A server comprising a processor and a memory, wherein the memory stores at least one computer program that is loaded and executed by the processor to implement the operations performed by the resource processing method of any of claims 1 to 12.
15. A computer readable storage medium having stored therein at least one computer program loaded and executed by a processor to implement the operations performed by the resource processing method of any of claims 1 to 12.
16. A computer program product comprising a computer program which, when executed by a processor, performs the operations performed by the resource processing method of any of claims 1 to 12.
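The following is an added example, not code from the patent, sketching the address checks described in claims 6 to 8: an address passes only if it and every jump address in its chain lie outside the target network segment, and addresses found in an index file are converted and verified again before fetching. The segment 10.0.0.0/8, the static resolver table, the redirect map, the hostnames and the choice of an absolute URL as the "target format" are all assumptions made for illustration, and every function name is hypothetical.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed sample data: an assumed target segment, a static resolver table
# standing in for DNS, and a redirect map standing in for HTTP 3xx jumps.
TARGET_SEGMENT = ipaddress.ip_network("10.0.0.0/8")
RESOLVER = {"cdn.example.com": "203.0.113.10",
            "short.example.net": "198.51.100.7",
            "meta.internal.example": "10.1.2.3"}
REDIRECTS = {"http://short.example.net/a": "http://short.example.net/b",
             "http://short.example.net/b": "http://meta.internal.example/secret"}
MAX_HOPS = 5


def in_target_segment(url):
    """True if the URL's host is, or resolves to, an address in the segment."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        resolved = RESOLVER.get(host)
        if resolved is None:
            return True  # unresolvable host: fail closed
        ip = ipaddress.ip_address(resolved)
    return ip in TARGET_SEGMENT


def verify_address(url):
    """Pass only if the address and every jump address lie outside the segment."""
    for _ in range(MAX_HOPS + 1):
        if urlsplit(url).scheme not in ("http", "https") or in_target_segment(url):
            return False
        if url not in REDIRECTS:
            return True  # end of the jump chain, nothing was internal
        url = REDIRECTS[url]
    return False  # chain longer than MAX_HOPS: fail closed


def safe_index_entries(index_url, index_text):
    """Convert each address in an index file to absolute form and re-verify it."""
    lines = (ln.strip() for ln in index_text.splitlines())
    entries = [s for s in lines if s and not s.startswith("#")]
    absolute = [urljoin(index_url, e) for e in entries]
    return [u for u in absolute if verify_address(u)]
```

In a real proxy the resolved IP checked here must also be the IP actually connected to, otherwise a DNS answer that changes between check and fetch bypasses the verification.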
CN202111681299.8A 2021-12-28 2021-12-28 Resource processing method, device, server and storage medium Pending CN116366272A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111681299.8A CN116366272A (en) 2021-12-28 2021-12-28 Resource processing method, device, server and storage medium

Publications (1)

Publication Number Publication Date
CN116366272A (en) 2023-06-30

Family

ID=86938023

Country Status (1)

Country Link
CN (1) CN116366272A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination