CN116366720A - Network method, device, equipment and storage medium based on TLS man-in-the-middle technology - Google Patents


Info

Publication number: CN116366720A
Application number: CN202111625729.4A
Authority: CN (China)
Prior art keywords: http, server, tls, client, proxy
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN116366720B (en)
Inventors: 曹志辉, 高一凡
Current assignee: Hefei Dengli Technology Co ltd
Original assignee: Hefei Dengli Technology Co ltd
Legal events: application filed by Hefei Dengli Technology Co ltd; priority to CN202111625729.4A; publication of CN116366720A; application granted; publication of CN116366720B

Classifications

    • H04L67/141 Setup of application sessions (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/01 Protocols)
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268 As H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D Climate change mitigation technologies in information and communication technologies [ICT])

Abstract

The invention discloses a network acceleration method, device, equipment and storage medium based on TLS man-in-the-middle technology, wherein the method comprises the following steps: the client initiates a TCP connection to the target website server; the proxy accelerator intercepts the TCP connection, and intercepts and forges the TLS response to complete the TLS handshake; the proxy accelerator initiates an HTTP/2 long connection request to the server; the server establishes an HTTP/2 long connection with the proxy accelerator; the client initiates an HTTP access request to the proxy accelerator; the proxy accelerator generates an HTTP/2 format access request according to the HTTP access request and sends it to the server; the server initiates an HTTP request to the target website server based on the HTTP/2 format access request and the established underlying connection with the target website server; the target website server returns an HTTP response to the client via the server and the proxy accelerator according to the HTTP request. The invention can improve network performance during long-distance access.

Description

Network method, device, equipment and storage medium based on TLS man-in-the-middle technology
Technical Field
The present invention relates to the field of network acceleration, and in particular to a network method, apparatus, device and storage medium based on TLS man-in-the-middle technology.
Background
HTTPS has become the standard protocol for web page access, and even in the ideal case its protocol handshakes require at least 1 (TCP) + 2 (TLS 1.2) + 1 (HTTP request) = 4 RTTs (round-trip times). In long-distance network access, such as transoceanic access, one RTT often takes at least several hundred milliseconds. Considering that access to a modern web page requires far more than one TCP connection, these 4 RTTs in the handshake phase of every connection become an important factor affecting the user's network experience and even connectivity (excessive delay tends to cause protocol handshake timeouts, which interrupt the connection).
Meanwhile, in long-distance TCP transmission, the TCP congestion control algorithm means that each independent TCP connection must go through a slow start, and the slow start adjustment (i.e. the growth of the TCP congestion window) proceeds in steps of one RTT. Therefore, even if the link itself is uncongested, transmission does not start at full speed; only after several RTTs can the two parties converge on a higher transfer rate.
In the current network acceleration technology, a CDN technology can be generally adopted at a server side to distribute contents to servers close to users in advance, but not all websites deploy the technology, especially some websites with smaller audiences. The client network acceleration scheme generally adopts a network proxy or VPN technology based on public network or private line, which can only improve the line quality, reduce the congestion in the transmission stage, and cannot effectively improve the protocol delay caused by the long-distance network protocol handshake.
Disclosure of Invention
In view of the foregoing, an object of an embodiment of the present invention is to provide a network method, apparatus, device and storage medium based on TLS man-in-the-middle technology, so as to alleviate the foregoing problems.
The embodiment of the invention provides a network acceleration method based on a TLS man-in-the-middle technology, which comprises the following steps:
the client initiates TCP connection to the target website server; the TCP connection includes target website information;
the proxy accelerator intercepts TCP connection and intercepts and falsifies TLS response through a TLS root certificate pre-inserted in the client so as to carry out TLS handshake with the client; when the proxy accelerator performs TLS handshake with the client, the proxy accelerator dynamically issues certificates according to the TLS root certificates trusted by the client and the requested website information so as to complete the TLS handshake with the client;
the proxy accelerator initiates an HTTP/2 long connection request to the server;
the server responds to the HTTP/2 long connection request to establish HTTP/2 long connection with the proxy accelerator, and obtains target website information according to the HTTP/2 long connection, so as to initiate TCP and TLS connection to the target website server according to the target website information;
the client initiates an HTTP access request to the proxy accelerator;
the proxy accelerator generates an HTTP/2 format access request according to the HTTP access request and sends the HTTP/2 format access request to the server through an HTTP/2 long connection;
the server initiates an HTTP request to the target website server based on the HTTP/2 format access request and the established bottom layer connection with the target website server;
the target web server returns an HTTP response to the client via the server and proxy accelerator according to the HTTP request.
Preferably, the access requests in HTTP/2 format of the proxy accelerator are transmitted to the server in multiplexed form.
Preferably, the client and the proxy accelerator are deployed in the same device or in the same local area network.
Preferably, the underlying connection establishment between the server and the target website server and the TLS handshake of the client and the proxy accelerator are performed in parallel; the underlying connection includes a TCP handshake and a TLS handshake.
The embodiment of the invention also provides a network acceleration method based on TLS man-in-the-middle technology, which comprises the following steps:
intercepting TCP connection initiated by a client to a target server, intercepting and forging a TLS response through a TLS root certificate pre-inserted in the client so as to carry out TLS handshake with the client; the TCP connection comprises target website information; when carrying out TLS handshake with the client, dynamically issuing a certificate according to the TLS root certificate trusted by the client and the requested website information so as to complete TLS handshake with the client;
initiating an HTTP/2 long connection request to a server so that the server responds to the HTTP/2 long connection request to establish long connection with the proxy accelerator, and simultaneously establishing bottom connection from the server to a target website server according to target website information;
receiving an HTTP access request initiated by a client to a target server;
generating an access request conforming to the HTTP/2 format according to the access request, and sending the access request to a server, so that the server initiates an HTTP request to a target website server based on the access request in the HTTP/2 format and the established bottom layer connection, and the target website server returns an HTTP response through the server according to the HTTP request;
and sending the HTTP response to the client.
The embodiment of the invention also provides a network acceleration device based on TLS man-in-the-middle technology, which comprises:
the intercepting unit is used for intercepting TCP connection initiated by the client to the target server, intercepting and forging TLS response through a TLS root certificate pre-inserted in the client so as to carry out TLS handshake with the client; the TCP connection includes target website information;
the long connection unit is used for initiating an HTTP/2 long connection request to the server, so that the server responds to the HTTP/2 long connection request to establish a long connection with the proxy accelerator, and establishes the underlying connection from the remote egress (i.e. the server) to the target website server according to the target website information;
the forwarding unit is used for receiving an HTTP access request initiated by the client to the target server;
the forwarding unit is further used for generating an access request conforming to an HTTP/2 format according to the access request and sending the access request to the server, so that the server initiates the HTTP request to the target website server based on the access request in the HTTP/2 format and the established bottom layer connection, and the target website server returns an HTTP response through the server according to the HTTP request;
and the forwarding unit is also used for sending the HTTP response to the client.
The embodiment of the invention also provides a network acceleration device based on TLS man-in-the-middle technology, which comprises a memory and a processor, wherein a computer program is stored in the memory and can be executed by the processor so as to realize the network acceleration method based on TLS man-in-the-middle technology.
The embodiment of the invention also provides a computer readable storage medium storing a computer program, wherein the computer program can be executed by a processor of the device where the computer readable storage medium is located, so as to realize the network acceleration method based on TLS man-in-the-middle technology.
In summary, the present embodiment uses TLS man-in-the-middle technology to cut off the long-distance handshake from the client to the target website server and convert it into three sets of handshakes: between the client and the proxy accelerator, between the proxy accelerator and the server, and between the server and the target website server. The connection between the proxy accelerator and the server, which spans the longest distance, is multiplexed over an HTTP/2 long connection, so only one long-distance handshake is needed. This avoids the large time overhead of repeated handshakes and greatly shortens the delay of remote connection establishment.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a network acceleration method based on TLS man-in-the-middle technology according to a first embodiment of the present invention.
Fig. 2 is another flow chart of a network acceleration method based on TLS man-in-the-middle technology according to the first embodiment of the present invention.
Fig. 3 is a flowchart of a network acceleration method based on TLS man-in-the-middle technology according to a second embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a network acceleration device based on TLS man-in-the-middle technology according to a third embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1 and 2, a first embodiment of the present invention provides a network acceleration method based on TLS man-in-the-middle technology, which includes:
S101, the client initiates a TCP connection to the target website server.
In this embodiment, the client may be a browser. When the user wants to access a website, the user may input the corresponding website information in the browser, where the website information may be a domain name or a Chinese website name. For example, if the target website the user wants to access is Baidu, the user may input "www.baidu.com", "baidu" or "百度".
In this embodiment, after acquiring the website information input by the user, the client sends a corresponding DNS (Domain Name System) resolution request to the proxy accelerator.
S102, the proxy accelerator intercepts the TCP connection and intercepts and falsifies the TLS response through a TLS root certificate pre-inserted in the client so as to complete TLS handshake with the client.
In this embodiment, when the client sets the proxy acceleration service, the proxy accelerator may take over the network connection sent out by the client. For example, when a client requests to establish a TCP connection to a target web server (denoted as target web site 1 in the drawing), the proxy accelerator may intercept the TCP connection and intercept and forge TLS responses by pre-inserting TLS root certificates at the client to complete TLS handshake with the client. Specifically:
after intercepting the TCP connection, the proxy accelerator establishes the TCP connection with the client and simultaneously acquires target website information, and then dynamically issues certificates according to the TLS root certificates trusted by the client and the requested target website information when in TLS handshake so as to complete TLS handshake with the client.
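As an added illustration (not code from the patent), the following Python shows how the target website information in S102 is typically obtained before any certificate can be issued: by reading the server_name (SNI) extension of the intercepted ClientHello. The same parser is what a network monitor uses to log which hosts pass through an interception point. The ClientHello is a constructed minimal sample; the field layout follows RFC 5246 and RFC 6066.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type (RFC 6066)
SNI_HOST_NAME = 0x00      # name_type inside server_name


def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension.

    Constructed sample for this example, not a capture: the random bytes,
    cipher suites and the extra ec_point_formats extension are filler so the
    parser has to skip something before it reaches server_name."""
    name = host.encode("idna")
    sni_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    filler_ext = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"   # ec_point_formats
    extensions = filler_ext + sni_ext
    body = (
        b"\x03\x03" + b"\x11" * 32                      # client_version + random
        + b"\x00"                                       # empty session_id
        + struct.pack("!H", 4) + b"\xC0\x2F\x00\x9C"    # two cipher suites
        + b"\x01\x00"                                   # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name carried in a ClientHello record, or None.

    None covers every failure: not a handshake record, not a ClientHello,
    truncated data, or no server_name extension. A proxy that cannot learn the
    target from SNI has nothing to issue a certificate for, and a monitor
    should log such connections separately rather than guess a host."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        handshake = record[5:5 + rec_len]
        if handshake[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + hs_len]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = ext_data[q]
                name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
                q += 3
                if q + name_len > len(ext_data):
                    return None                                 # truncated name
                if name_type == SNI_HOST_NAME:
                    return ext_data[q:q + name_len].decode("idna")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    for host in ("www.example.com", "bücher.example"):
        print(host, "->", extract_sni(build_client_hello(host)))
```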
S103, the proxy accelerator initiates an HTTP/2 long connection request to the server.
S104, the server responds to the HTTP/2 long connection request to establish HTTP/2 long connection with the proxy accelerator, and obtains target website information according to the HTTP/2 long connection, so as to initiate TCP and TLS connection to the target website server according to the target website information.
In this embodiment, the HTTP/2 long connection of the proxy accelerator to the server may be pre-established, e.g., the HTTP/2 long connection may be established with the server immediately after the proxy accelerator is started.
Meanwhile, after the proxy accelerator acquires the target website information (such as a domain name or an IP address), the proxy accelerator sends the target website information to the server through HTTP/2 long connection, and the server can establish bottom connection of TCP and TLS with the target website server according to the target website information.
S105, the client initiates an HTTP access request to the proxy accelerator.
S106, the proxy accelerator generates an HTTP/2 format access request according to the HTTP access request and sends the HTTP/2 format access request to the server through the HTTP/2 long connection.
S107, the server initiates an HTTP request to the target website server based on the HTTP/2 format access request and the established underlying connection with the target website server.
S108, the target website server returns an HTTP response to the client through the server and the proxy accelerator according to the HTTP request.
In this embodiment, after the TLS handshake with the client is completed, the client starts sending HTTP requests. The client's HTTP requests are converted into HTTP/2 format and transmitted to the server in a multiplexed manner. After the server completes DNS resolution of the target website domain name, it forwards the HTTP requests to the target website server through the established underlying connection, and the target website server's response is returned along the same path in reverse.
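As an added example (not the patent's own code), this Python sketch covers S105 to S108 and the step list in the summary above: the proxy accelerator rewrites a client's HTTP/1.1 request into an HTTP/2 header list (Host becomes :authority, which the server needs to choose the origin connection; hop-by-hop headers are dropped as RFC 7540 requires) and places each request on its own stream of the single shared long connection, keeping the stream-to-client mapping so the response returns along the original path. Client ids and the sample requests are constructed; no sockets are opened.

```python
from typing import Dict, List, Tuple

# Headers that only describe the HTTP/1.1 hop between client and proxy.
# RFC 7540 section 8.1.2.2 forbids carrying them into an HTTP/2 message.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}


def h1_to_h2(raw: bytes, scheme: str = "https") -> List[Tuple[str, str]]:
    """Convert the head of an HTTP/1.1 request into an HTTP/2 header list.

    The request line becomes the :method/:scheme/:authority/:path pseudo-headers,
    Host becomes :authority (the server later uses it to pick the origin
    connection), names are lower-cased, and hop-by-hop headers are dropped."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x request line: %r" % lines[0])
    authority = None
    nominated = set()              # names listed in Connection: are hop-by-hop too
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            authority = value
        elif name == "connection":
            nominated |= {t.strip().lower() for t in value.split(",")}
        elif name == "te":
            if value.lower() == "trailers":     # the only TE value HTTP/2 allows
                headers.append((name, value))
        elif name not in HOP_BY_HOP:
            headers.append((name, value))
    if authority is None:
        raise ValueError("HTTP/1.1 request without Host header")
    headers = [(n, v) for n, v in headers if n not in nominated]
    pseudo = [(":method", method), (":scheme", scheme),
              (":authority", authority), (":path", target)]
    return pseudo + headers


class StreamMux:
    """Place each client request on its own stream of the one shared HTTP/2
    long connection and remember which local client owns the stream, so the
    response can be returned along the original path (S108)."""

    def __init__(self) -> None:
        self._next_id = 1                  # client-initiated streams are odd
        self._owner: Dict[int, str] = {}

    def open(self, client_id: str) -> int:
        stream_id = self._next_id
        self._next_id += 2                 # stream ids must only ever increase
        self._owner[stream_id] = client_id
        return stream_id

    def route_response(self, stream_id: int) -> str:
        # The stream closes after its response; an unknown id is a protocol error.
        if stream_id not in self._owner:
            raise KeyError("response on unknown stream %d" % stream_id)
        return self._owner.pop(stream_id)


def forward(mux: StreamMux, client_id: str, raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """What the proxy accelerator does per request (S106): convert, then multiplex."""
    return mux.open(client_id), h1_to_h2(raw)


# Constructed sample requests from two local clients to two different targets.
SAMPLE_1 = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Connection: keep-alive, X-Trace\r\n"
            b"Keep-Alive: timeout=5\r\n"
            b"X-Trace: abc\r\n"
            b"TE: trailers\r\n"
            b"Accept: text/html\r\n\r\n")
SAMPLE_2 = (b"POST /api HTTP/1.1\r\n"
            b"Host: api.example.net\r\n"
            b"Content-Length: 2\r\n\r\n{}")

if __name__ == "__main__":
    mux = StreamMux()
    for client, raw in (("tab-1", SAMPLE_1), ("tab-2", SAMPLE_2)):
        sid, hdrs = forward(mux, client, raw)
        print("stream", sid, "for", client, hdrs)
    print("response on stream 3 goes back to", mux.route_response(3))
```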
It can be seen that in the whole process, the client and the proxy accelerator are generally located in the same computer or the same local area network, and the handshake delay is very low.
In addition, the part with the largest physical span in the whole acceleration process lies between the proxy accelerator and the server. The TCP and TLS handshakes that would otherwise each make a round trip between the client and many remote target website servers now share this path and need only one handshake, which avoids the large time overhead of repeated handshakes.
Further, there is only one HTTP/2 network flow on the remote path from the proxy accelerator to the server; multiple connection requests from the user to multiple target website servers (target website 1 and target website 2 in fig. 2) are all merged into that flow by the multiplexing feature of HTTP/2. By optimizing the forwarding buffer and coordinating transmission between upstream and downstream links of different bandwidth, this remote HTTP/2 flow can be kept in a low-delay, high-throughput state at all times. The slow start of the congestion control algorithm therefore happens only once, avoiding the extra cost of repeating slow start every time the user establishes a new TCP/TLS connection.
It should be noted that the above embodiment takes TLS encryption over the TCP protocol as an example; in fact, TLS encryption and the corresponding man-in-the-middle technique may also be applied over other network protocols such as UDP. For example, TLS over UDP forms the basic structure of the DTLS protocol.
Because DTLS follows the same principles as TLS, it also requires a TLS handshake, so when the TCP-related parts above are replaced by UDP or another transport layer protocol, the invention can still reduce the handshake overhead.
In the invention, the long connection from the proxy accelerator to the server is exemplified by an HTTP/2 connection over TCP. Whatever protocol is used for the underlying connection, the method provided by the invention can be applied to it, as long as the connection is reliable, subject to congestion control, and able to carry HTTP, so as to solve the delay and low bandwidth utilization caused by each of several connections on the same path having to complete its own slow start.
It should be noted that, depending on the optimization strategy, the HTTP/2 long connection from the proxy accelerator to the server may be established at any suitable time, not only at the very beginning as in the previous embodiment.
It should be noted that, in the embodiment of the present invention, after intercepting the client's TLS handshake, the proxy accelerator transmits the target website information, such as the domain name, to the server through the established HTTP/2 long connection, so that the underlying connection between the server and the target website server can be established in parallel (fig. 2); that is, the establishment of the underlying connection (including the TCP handshake and the TLS handshake) between the server and the target website server and the TLS handshake between the client and the proxy accelerator may be performed simultaneously. It will be appreciated, however, that if this parallel step is absent in an actual implementation and the whole process runs sequentially (fig. 1), the full acceleration effect is still achieved: handshake overhead is reduced and the remote connection is multiplexed, so multiple slow starts are avoided.
In summary, the present embodiment uses TLS man-in-the-middle technology to intervene in the user's remote TLS handshake, break that remote handshake apart, and multiplex the section of network connection that spans the farthest distance, avoiding the large time overhead of repeated handshakes. Meanwhile, the embodiment uses the multiplexing feature of HTTP/2 to merge the several congestion-controlled network flows sharing the same path into one flow, thereby avoiding repeated slow starts under long-distance, high-RTT conditions and improving network performance during long-distance access.
Referring to fig. 3, a second embodiment of the present invention further provides a network acceleration method based on TLS man-in-the-middle technology, which is described from the perspective of a proxy accelerator, and includes:
S201, intercepting a TCP connection initiated by a client to a target server, and intercepting and forging a TLS response through a TLS root certificate pre-inserted in the client so as to complete the TLS handshake with the client; the TCP connection includes target website information;
S202, after completing the TLS handshake, initiating an HTTP/2 long connection request to the server, so that the server responds to the HTTP/2 long connection request to establish a long connection with the proxy accelerator, and establishes the underlying connection from the remote egress (i.e. the server) to the target website server according to the target website information;
S203, receiving an HTTP access request initiated by the client to the target server;
S204, generating an access request conforming to the HTTP/2 format according to the access request and sending it to the server, so that the server initiates an HTTP request to the target website server based on the HTTP/2 format access request and the established underlying connection, and the target website server returns an HTTP response through the server according to the HTTP request;
S205, sending the HTTP response to the client.
When performing TLS handshake with the client, dynamically issuing a certificate according to the TLS root certificate trusted by the client and the requested target website information so as to complete TLS handshake with the client.
Referring to fig. 4, the third embodiment of the present invention further provides a network acceleration device based on TLS man-in-the-middle technology, which includes:
an intercepting unit 310, configured to intercept a TCP connection initiated by a client to a target server, and to intercept and forge a TLS response through a TLS root certificate pre-inserted in the client, so as to complete the TLS handshake with the client; the TCP connection includes target website information;
a long connection unit 320, configured to initiate an HTTP/2 long connection request to the server after completing the TLS handshake, so that the server establishes a long connection with the proxy accelerator in response to the HTTP/2 long connection request, and establishes the underlying connection from the remote egress (i.e. the server) to the target website server according to the target website information;
a forwarding unit 330, configured to receive an HTTP access request initiated by a client to a target server;
the forwarding unit 330 is further configured to generate an access request conforming to an HTTP/2 format according to the access request, and send the access request to the server, so that the server initiates an HTTP request to the target website server based on the access request in the HTTP/2 format and the established underlying connection, and causes the target website server to return an HTTP response via the server according to the HTTP request;
the forwarding unit 330 is further configured to send the HTTP response to the client.
The fourth embodiment of the present invention further provides a network acceleration device based on TLS man-in-the-middle technology, which includes a memory and a processor, where the memory stores a computer program that can be executed by the processor to implement the network acceleration method based on TLS man-in-the-middle technology as described above.
The fifth embodiment of the present invention further provides a computer readable storage medium storing a computer program, where the computer program can be executed by a processor of the device where the computer readable storage medium is located, so as to implement the network acceleration method based on TLS man-in-the-middle technology as described above.
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus and method embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network acceleration method based on TLS man-in-the-middle technology, comprising:
the client initiates a TCP connection to the target website server; the TCP connection includes target website information;
the proxy accelerator intercepts the TCP connection and intercepts and forges the TLS response through a TLS root certificate pre-installed in the client, so as to carry out a TLS handshake with the client;
the proxy accelerator initiates an HTTP/2 long connection request to the server;
the server responds to the HTTP/2 long connection request to establish an HTTP/2 long connection with the proxy accelerator, and obtains the target website information over the HTTP/2 long connection, so as to initiate TCP and TLS connections to the target website server according to the target website information;
the client initiates an HTTP access request to the proxy accelerator;
the proxy accelerator generates an access request in HTTP/2 format according to the HTTP access request and sends the HTTP/2-format access request to the server over the HTTP/2 long connection;
the server initiates an HTTP request to the target website server based on the HTTP/2-format access request and the established underlying connection with the target website server;
the target website server returns an HTTP response to the client via the server and the proxy accelerator according to the HTTP request.
2. The TLS man-in-the-middle technology based network acceleration method of claim 1, wherein, when the proxy accelerator performs the TLS handshake with the client, the proxy accelerator dynamically issues a certificate according to the TLS root certificate trusted by the client and the requested target website information, so as to complete the TLS handshake with the client.
3. The TLS man-in-the-middle technology based network acceleration method of claim 1, wherein the HTTP/2-format access requests of the proxy accelerator are transmitted to the server in multiplexed form.
4. The TLS man-in-the-middle technology based network acceleration method of claim 1, wherein the client and the proxy accelerator are deployed in the same device or in the same local area network.
5. The TLS man-in-the-middle technology based network acceleration method of claim 1, wherein the establishment of the underlying connection between the server and the target website server and the TLS handshake between the client and the proxy accelerator are performed in parallel; the underlying connection includes a TCP handshake and a TLS handshake.
6. A network acceleration method based on TLS man-in-the-middle technology, comprising:
intercepting a TCP connection initiated by a client to a target server, and intercepting and forging a TLS response through a TLS root certificate pre-installed in the client, so as to carry out a TLS handshake with the client; the TCP connection includes target website information;
initiating an HTTP/2 long connection request to a server, so that the server responds to the HTTP/2 long connection request to establish a long connection with the proxy accelerator, and at the same time establishing an underlying connection from the server to the target website server according to the target website information;
receiving an HTTP access request initiated by the client to the target server;
generating an access request conforming to the HTTP/2 format according to the access request and sending it to the server, so that the server initiates an HTTP request to the target website server based on the HTTP/2-format access request and the established underlying connection, and the target website server returns an HTTP response through the server according to the HTTP request;
and sending the HTTP response to the client.
7. The TLS man-in-the-middle technology based network acceleration method of claim 6, wherein, upon the TLS handshake with the client, a certificate is dynamically issued according to the TLS root certificate trusted by the client and the requested target website information, so as to complete the TLS handshake with the client.
8. A network acceleration apparatus based on TLS man-in-the-middle technology, comprising:
an intercepting unit, used for intercepting a TCP connection initiated by a client to a target server, and intercepting and forging a TLS response through a TLS root certificate pre-installed in the client, so as to carry out a TLS handshake with the client; the TCP connection includes target website information;
a long connection unit, used for initiating an HTTP/2 long connection request to a server, so that the server responds to the HTTP/2 long connection request to establish a long connection with the proxy accelerator, and for establishing an underlying connection from the server to the target website server according to the target website information;
a forwarding unit, used for receiving an HTTP access request initiated by the client to the target server;
the forwarding unit is further used for generating an access request conforming to the HTTP/2 format according to the access request and sending it to the server, so that the server initiates an HTTP request to the target website server based on the HTTP/2-format access request and the established underlying connection, and the target website server returns an HTTP response through the server according to the HTTP request;
and the forwarding unit is further used for sending the HTTP response to the client.
9. A network acceleration device based on TLS man-in-the-middle technology, comprising a memory and a processor, the memory storing a computer program executable by the processor to implement the TLS man-in-the-middle technology based network acceleration method of claim 6 or 7.
10. A computer readable storage medium storing a computer program executable by a processor of the device in which the computer readable storage medium resides, to implement the TLS man-in-the-middle technology based network acceleration method of claim 6 or 7.
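The check a client-side defender wants against the mechanism in claims 1 and 2 is whether a certificate chain that validates against the local trust store was really issued by the site's public CA, or minted on the fly by a proxy root pre-installed on the client. The Go program below is an added example, not part of the patent or of any product of the applicant: it builds a constructed public CA and a constructed accelerator root, issues a leaf for the same hostname from each, and shows that ordinary chain validation accepts both once the accelerator root is trusted, while an SPKI pin recorded from the genuine certificate rejects the proxy-issued one. All CA names, keys and the hostname are constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert mints a P-256 certificate for cn/dns signed by parent; a nil parent yields a self-signed root.
func issueCert(cn string, dns []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainValid is the ordinary PKI check: does the leaf chain to any root in the client's trust store?
func chainValid(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// RunScenario: a constructed public CA signs the genuine leaf for host; a constructed accelerator root,
// pre-installed in the client's trust store (claim 2), mints a second leaf for the same host on the fly.
func RunScenario(host string) (genuineChain, proxyChain, genuinePin, proxyPin bool) {
	realCA, realKey := issueCert("Public CA (constructed)", nil, true, nil, nil)
	realLeaf, _ := issueCert(host, []string{host}, false, realCA, realKey)
	proxyCA, proxyKey := issueCert("Accelerator Root (constructed)", nil, true, nil, nil)
	proxyLeaf, _ := issueCert(host, []string{host}, false, proxyCA, proxyKey)
	store := x509.NewCertPool() // the client's trust store, with the accelerator root added
	store.AddCert(realCA)
	store.AddCert(proxyCA)
	// SPKI pin: SHA-256 of the genuine site's SubjectPublicKeyInfo, recorded beforehand (e.g. out of band).
	pin := sha256.Sum256(realLeaf.RawSubjectPublicKeyInfo)
	return chainValid(realLeaf, host, store), chainValid(proxyLeaf, host, store),
		sha256.Sum256(realLeaf.RawSubjectPublicKeyInfo) == pin, sha256.Sum256(proxyLeaf.RawSubjectPublicKeyInfo) == pin
}
```

Chain validation alone cannot tell the two leaves apart because the accelerator root is trusted by construction; only a check bound to the site's known key (or to the expected issuer) separates them.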

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111625729.4A CN116366720B (en) 2021-12-27 2021-12-27 Network method, device, equipment and storage medium based on TLS middle man-in-the-art

Publications (2)

Publication Number Publication Date
CN116366720A true CN116366720A (en) 2023-06-30
CN116366720B CN116366720B (en) 2023-08-29

Family

ID=86914915

Country Status (1)

Country Link
CN (1) CN116366720B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110302653A1 (en) * 2010-03-01 2011-12-08 Silver Tail Systems, Inc. System and Method for Network Security Including Detection of Attacks Through Partner Websites
CN103392316A (en) * 2013-01-11 2013-11-13 华为技术有限公司 Method of traversing firewall, client, and media traversing server
CN109660370A (en) * 2019-01-08 2019-04-19 湖南康通电子股份有限公司 A kind of equipment communication means of digit broadcasting system
CN112822158A (en) * 2020-12-25 2021-05-18 网神信息技术(北京)股份有限公司 Network access method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN116366720B (en) 2023-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant