CN117097591B - Application security access gateway system and route forwarding method - Google Patents
Application security access gateway system and route forwarding method
- Publication number: CN117097591B (application CN202311356991.2A)
- Authority: CN (China)
- Prior art keywords: filter, application, route, forwarding, service
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L45/54—Organization of routing tables
- H04L45/745—Address table lookup; Address filtering
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses an application security access gateway system and a route forwarding method. The system comprises a background management system and a service gateway system; the service gateway system comprises a front-end router, a global routing table, virtual forwarders and a global forwarding filter. The gateway cluster is divided into several gateway cluster groups with independent sub-domain names, each gateway cluster group has its own global routing table, and each accessed application has its own virtual forwarder. The front-end router matches the route object according to the global routing table; the global routing table supplies the matching basis and policy for the front-end router; the routing group table inside the virtual forwarder performs route forwarding for all of the application's requests; the global forwarding filter copies and forwards the request packet and performs protocol conversion. The invention has a flexible, expandable cluster architecture that supports linear, non-stop scaling of the gateway service, automatically splits request traffic across cluster groups, and keeps the service running stably.
Description
Technical Field
The invention belongs to the technical field of network data transmission, and particularly relates to an application security access gateway system and a route forwarding method.
Background
In the course of enterprise digitization and the move to mobile office work, mobile platforms such as Enterprise WeChat have become widespread and more and more core services are used from mobile devices. This raises the security requirements on service data: its security while in transit over the Internet must be ensured.
In the prior art, a security interaction platform built uniformly on the enterprise's existing architecture can partially meet the transmission security requirements of service data for applications accessed from the mobile platform. As shown in FIG. 1, the security interaction platform consists of three modules: the security interaction background, the security interaction agent and the JS-SDK. The security interaction background is deployed centrally in the enterprise data center and serves as the single entry point for Internet requests from mobile terminals, forwarding each request to the background service of the corresponding business application. The JS-SDK is an integration component provided to the mobile APP; through the interface it provides, the APP starts the security interaction agent process on the phone and obtains the agent's access address. The security interaction agent and the security interaction background establish a secure network channel between them; every service request address used by the mobile APP is the access address of the security interaction agent, and the service request is forwarded to the business background service through the established secure channel.
At present, most commonly used service gateway systems are built as extensions of Spring Cloud Gateway. Routes are either constructed dynamically from a registry component or statically from a configuration file, and by default the system provides only basic request route forwarding, so the following problems mainly exist:
(1) The existing service gateway system can only manage access per microservice, and the routing table it builds is also organized per microservice. In real production operation and maintenance, management is organized per business system. Under a microservice architecture a large business system consists of many microservice components, so the microservices of one business system need to be packaged as a whole and managed and configured uniformly.
(2) Only basic route forwarding is provided, without complete security protection measures. As the unified entry point of the business system, the gateway needs, besides basic request route forwarding, the security measures necessary to protect the business system's interfaces and data.
(3) Configuration parameters cannot be maintained online and take effect in real time. The traditional approach maintains system parameters in configuration files, and the system must be restarted before a parameter change takes effect; interrupting service in a high-concurrency gateway system is unacceptable.
(4) Only dynamic routing through the registry or static routing through the configuration file is supported, and the configuration parameters of static routes cannot be edited online: the service gateway must be restarted after static route parameters are modified.
(5) Multiple application-layer network protocols are not supported; gateway services generally support only HTTP/HTTPS. Industry urgently needs support for several mainstream data transmission protocols (e.g. WebSocket, Dubbo) and for private transmission protocols through a protocol parsing and extension mechanism.
(6) Apart from the conventional route matching policy based on the application request path, there is no extension mechanism for flexible route matching, e.g. policies based on request metadata or on the client source address. For applications using private data transmission protocols, the route matching policy should be quickly customizable.
(7) As more applications are accessed, the global routing table grows very large, so route matching efficiency for request packets drops sharply and application efficiency and throughput suffer seriously.
With the development of distributed development frameworks, distributed network communication protocols with different purposes have been adopted, such as the cross-platform application-layer text protocol HTTP, binary proprietary RPC protocols over TCP/IP, and the full-duplex application-layer protocol WebSocket. A service mechanism is needed that uniformly manages and coordinates access over these protocols and the routing of their packets. Secondly, as more and more applications are accessed, the global routing table grows, request route matching efficiency is seriously affected and overall system throughput falls; the application access management architecture as a whole cannot scale service capacity horizontally or spread the application request traffic.
Disclosure of Invention
The invention aims to provide an application security access gateway system and a route forwarding method that solve the problems above.
The invention is realized mainly by the following technical scheme:
The application security access gateway system comprises a background management system and a service gateway system. The background management system provides a WEB management interface, application access management and maintenance of application configuration parameters. The service gateway system comprises a front-end router, a global routing table, virtual forwarders and a global forwarding filter, and exposes a service port and a management port: the service port receives requests and passes them to the front-end router, and the management port is used by the background management system;
the gateway cluster is divided into several gateway cluster groups with independent sub-domain names, each gateway cluster group has its own global routing table, and the background management system accesses an application's services through the gateway cluster group with the corresponding sub-domain name. Each accessed application has a virtual forwarder, which is responsible for route forwarding of all of that application's requests and comprises an application configuration module and a routing group table;
the front-end router parses the data communication protocol used by the request packet, matches a route object against the global routing table of the gateway cluster group of the corresponding application, and hands the successfully matched route object to the virtual forwarder of that application. The global routing table maintains static and dynamic route information and provides the API request matching basis and policy for the front-end router. The application configuration module creates static routes and pushes them to the global routing table; the registry supplies application service information from which dynamic routes are created and pushed to the global routing table. The routing group table performs route forwarding for all of the application's requests and passes them to the global forwarding filter. The global forwarding filter manages network communication with the remote application and performs copy-forwarding and protocol conversion of the request packet.
To better implement the invention, the routing group table further includes a filter chain module that executes the filter chain, and a forwarding module that forwards requests to the global forwarding filter.
Further, the filter chain comprises, in order from front to back, an HTTP check filter, an authentication and authorization filter, an encryption/decryption filter, an anti-replay filter, an XSS filter and an SQL injection filter.
Further, the route entries in the global routing table are divided, by matching priority from high to low, into a static adjustment group, a dynamic adjustment group and a default group.
Further, the background management system comprises an application access module, a route forwarding module, a security configuration module and a configuration distribution module. The application access module configures an SM2 (Chinese national cryptographic standard) key pair for data encryption and signing; the route forwarding module configures route forwarding rules from which routes are built; the security configuration module configures the filter chain; the configuration distribution module distributes changed application configuration parameters to all service gateways in real time by active push.
The route forwarding method is realized by the following technical scheme:
The route forwarding method of the application security access gateway uses the gateway system above and comprises the following steps:
Step S100: the background management system interacts with the service gateway system to onboard the application system;
Step S200: after the application system has been onboarded, all of its requests must be routed and forwarded through the service gateway system:
Step S201: the client sends a request to the service port of the service gateway system. After the service gateway system receives the request, the front-end router matches a route according to the matching policy of the global routing table; if no route matches, the service gateway system returns an error directly, and if a route matches, step S202 follows;
Step S202: the request is handed to the application's virtual forwarder, which executes the filter chain, running each filter in turn. If any filter fails, an error is returned directly; otherwise, after the filter chain has run, the forwarding module forwards the request to the global forwarding filter;
Step S203: the global forwarding filter copies the request and forwards it to the remote application; the remote application processes it and returns a response to the global forwarding filter, which processes the response. If that processing fails, an error is returned to the client; otherwise the normal response is returned to the client.
To better implement the invention, step S202 further comprises the following steps:
Step A1: the HTTP check filter first checks the HTTP message headers related to cross-domain requests and the request method: the values of the Referer and Origin headers are checked against a whitelist of trusted domain names, and only the GET and POST methods are allowed;
Step A2: the authentication and authorization filter verifies the caller's identity and checks its access rights to the application interface;
Step A3: the encryption/decryption filter decrypts the HTTP request body and encrypts the response body using a combination of SM2 and a dynamic SM4 key (Chinese national cryptographic standards);
Step A4: the anti-replay message header is generated on the caller side according to the specified algorithm and protocol, and the anti-replay filter in the service gateway checks that header to determine whether the request is a repeat;
Step A5: the request data is signed on the caller side, and the tamper-resistant filter in the service gateway checks whether the signatures over the data are consistent; if not, the request data has been tampered with;
Step A6: the XSS script attack filter and the SQL injection filter check the request parameters and the request body, respectively, for related keywords using regular expressions.
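The filter chain sub-steps of step S202 above, as an added worked example; it is not code from the patent, which describes its gateway in prose only. It is written in Python so that it runs stand-alone. The trusted domain list, the header names (X-App-Id, X-Timestamp, X-Nonce, X-Signature), the per-application interface list, the 300-second replay window and the shared secret are assumptions, and HMAC-SHA256 stands in for the SM2/SM4 signing the patent specifies because the standard library has no SM implementation; the encryption/decryption filter is omitted for the same reason. The chain runs HTTP check, authentication and authorization, anti-replay, anti-tamper and the regex XSS/SQL filter, failing fast at the first filter that rejects, as step S202 requires.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed configuration (assumptions, not values from the patent).
TRUSTED_DOMAINS = {"app.example.com", "portal.example.com"}  # Referer/Origin whitelist
ALLOWED_METHODS = {"GET", "POST"}                             # GET and POST only
APP_SECRETS = {"app-001": b"constructed-shared-secret"}       # per-application signing key
APP_INTERFACES = {"app-001": ("/orders/", "/profile/")}       # interfaces the app may call
REPLAY_WINDOW = 300                                           # seconds of skew tolerated


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict
    body: bytes


@dataclass
class FilterContext:
    now: float
    # nonce -> timestamp seen inside the replay window. In a cluster this must be a
    # store shared by every node of the gateway cluster group, not process memory.
    seen_nonces: dict = field(default_factory=dict)


def http_check_filter(req, ctx):
    if req.method not in ALLOWED_METHODS:
        return "method not allowed"
    for name in ("Origin", "Referer"):
        value = req.headers.get(name)
        if value is None:
            continue  # caveat: a request carrying neither header passes this check
        if urlparse(value).hostname not in TRUSTED_DOMAINS:
            return f"{name} not in trusted domain whitelist"
    return None


def auth_filter(req, ctx):
    app_id = req.headers.get("X-App-Id")
    if app_id not in APP_SECRETS:
        return "unknown caller"
    if not req.path.startswith(APP_INTERFACES.get(app_id, ())):
        return "caller not authorized for this interface"
    return None


def anti_replay_filter(req, ctx):
    nonce = req.headers.get("X-Nonce", "")
    try:
        ts = int(req.headers.get("X-Timestamp", ""))
    except ValueError:
        return "missing or malformed timestamp"
    if not nonce or abs(ctx.now - ts) > REPLAY_WINDOW:
        return "request outside replay window"
    for old in [n for n, t in ctx.seen_nonces.items() if ctx.now - t > REPLAY_WINDOW]:
        del ctx.seen_nonces[old]          # forget nonces that can no longer be replayed
    if nonce in ctx.seen_nonces:
        return "repeated request"
    ctx.seen_nonces[nonce] = ts
    return None


def sign(app_id, method, path, ts, nonce, body):
    """Signature over method, path, timestamp, nonce and body (HMAC-SHA256 in place of SM2)."""
    msg = f"{method}|{path}|{ts}|{nonce}|".encode() + body
    return hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()


def anti_tamper_filter(req, ctx):
    h = req.headers
    expected = sign(h["X-App-Id"], req.method, req.path, h["X-Timestamp"], h["X-Nonce"], req.body)
    if not hmac.compare_digest(expected, h.get("X-Signature", "")):
        return "signature mismatch: request data tampered"
    return None


INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                  # XSS
    re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),    # SQL injection
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # tautology
]


def injection_filter(req, ctx):
    # Regex keyword matching on parameters and body, as the patent specifies. It is a
    # tripwire, not a boundary: encoding and comment tricks get past such patterns.
    texts = list(req.params.values()) + [req.body.decode("utf-8", "replace")]
    for text in texts:
        for pat in INJECTION_PATTERNS:
            if pat.search(text):
                return f"blocked by pattern {pat.pattern!r}"
    return None


FILTER_CHAIN = [http_check_filter, auth_filter, anti_replay_filter,
                anti_tamper_filter, injection_filter]


def run_filter_chain(req, ctx):
    """Run the filters in order; return None to forward, else the first failure."""
    for f in FILTER_CHAIN:
        err = f(req, ctx)
        if err:
            return f"{f.__name__}: {err}"
    return None


def make_signed_request(app_id, path, body, nonce, ts, **headers):
    """Caller-side helper: build a POST carrying the anti-replay and signature headers."""
    h = {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
         "Origin": "https://app.example.com"}
    h["X-Signature"] = sign(app_id, "POST", path, str(ts), nonce, body)
    h.update(headers)
    return Request("POST", path, h, {}, body)
```

Three points the patent text leaves implicit and that a deployment has to settle: the Referer/Origin check only rejects values that are present, so a request that carries neither header passes it and it cannot be the only cross-domain control; the seen-nonce set must be shared by all gateway nodes of a cluster group (this example keeps it in memory), or a replay sent to a different node succeeds; and the signature here binds method and path as well as the body, since a signature over the body alone leaves the target interface unprotected. The regex filters are the keyword matching the text describes; parameterized queries and output encoding in the application remain the real control.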
To better implement the invention, step S100 further comprises the following steps:
Step S101: the user edits the application configuration through the UI provided by the background management system, which persists the application configuration data in a relational database;
Step S102: the service gateway system receives the application configuration parameter list on its management port; the virtual forwarder component in the service gateway system updates the routing group table according to the list and updates the application's route forwarding rules and filter chain;
Step S103: the routing group table component pushes the configured static routes to the global routing table component, which updates its route table information according to the static route configuration;
Step S104: the service gateway system listens on the management port and the service port. The management port serves the control plane and handles application configuration parameters and queries of the service gateway's runtime status metrics; the service port serves the data plane and handles the application system's service requests.
The beneficial effects of the invention are as follows:
(1) The gateway cluster is divided into several gateway cluster groups with independent sub-domain names, giving the gateway system a flexible, expandable cluster architecture that supports linear, non-stop scaling of the gateway service, automatically splits request traffic and keeps the service running stably;
(2) The global routing table improves route matching performance through cluster sharding and a route entry priority ordering policy: when matching a route, entries of the static adjustment group are evaluated first, then entries of the dynamic adjustment group, and finally entries of the default group. This design lets an administrator override the dynamic adjustment result, improves the request matching performance of the service gateway and is highly practical;
(3) The invention provides a unified network entry for application requests and standardized application access management, which lowers the difficulty and cost of onboarding an application. It supports simultaneous access by multiple types of applications with per-application security parameter configuration. The gateway system is highly concurrent, secure and stable; it meets the access needs of multiple application types, supports the secure access requirements of WEB and REST applications, has good universality and adaptability, affects the application system little, and an application can be onboarded with only a small amount of modification to the business system;
(4) Request route forwarding and security checks are realized through the working mechanism of the routing group and the filter chain. Configuration parameters are managed online and pushed as real-time updates; the routing table supports dynamic and static routes, and static routes can also be edited online through the background management function. Application configuration parameters can be adjusted as needed through background management and pushed to the service gateway in real time, and the service gateway updates the routing group table in real time accordingly;
(5) The invention secures application data in transit over the network and enforces authorized access to service interfaces; application-layer encryption/decryption and signing ensure the confidentiality and integrity of the data. In addition, the service gateway intercepts XSS script attacks and SQL injection and protects HTTP cross-domain requests and message headers.
Drawings
FIG. 1 is a functional block diagram of a prior-art security interaction platform;
FIG. 2 is a deployment architecture diagram of the present invention;
FIG. 3 is a general framework diagram of the application security access gateway system of the present invention;
FIG. 4 is a diagram of the creation of the global routing table;
FIG. 5 is a schematic diagram of front-end router processing;
FIG. 6 is a gateway cluster group relationship diagram;
FIG. 7 is a diagram of the grouping relationships in the gateway global routing table;
FIG. 8 is a timing diagram of application configuration parameter management and real-time publishing;
FIG. 9 is a timing diagram of request route forwarding;
FIG. 10 is a timing diagram of filter chain execution;
FIG. 11 is a schematic diagram of the operation of the registry.
Detailed Description
Example 1:
In the application security access gateway system, as shown in FIG. 2, the service gateway is deployed as a cluster. The gateway cluster is divided into several gateway cluster groups with independent sub-domain names, each gateway cluster group has its own global routing table, and an application service is associated with a specific gateway cluster group through the sub-domain name, so that clients access the application service using the sub-domain name of the corresponding cluster group. A virtual forwarder is provided for each application service, i.e. each application service has its own routing group table.
Preferably, as shown in FIG. 11, a service provider registers its service information in a registry, which maintains the service register; the service gateway regularly pulls the register from the registry and updates its routing table information. Preferably, the information the service provider registers includes a service ID, protocol, IP address and port. The registry detects the health status of the service provider through a heartbeat mechanism; if it detects that a service is down, it deletes that service's registration from the register.
Preferably, the gateway system comprises a background management system and a service gateway system; the background management system provides a WEB management interface, application access management and maintenance of application configuration parameters. As shown in FIG. 3, the service gateway system comprises a front-end router, a global routing table, virtual forwarders and a global forwarding filter, and exposes a service port and a management port; the service port receives requests and passes them to the front-end router, and the management port is used by the background management system.
Preferably, the gateway cluster is divided into several gateway cluster groups with independent sub-domain names, each with its own global routing table, and the background management system accesses an application's services through the gateway cluster group with the corresponding sub-domain name. Each accessed application has a virtual forwarder, which is responsible for route forwarding of all of that application's requests and comprises an application configuration module and a routing group table.
Preferably, the front-end router parses the data communication protocol used by the request packet, matches a route object against the global routing table of the gateway cluster group of the corresponding application, and hands the successfully matched route object to that application's virtual forwarder. The global routing table maintains static and dynamic route information and provides the API request matching basis and policy for the front-end router. The application configuration module creates static routes and pushes them to the global routing table; the registry supplies application service information from which dynamic routes are created and pushed to the global routing table. The routing group table performs route forwarding for all of the application's requests and passes them to the global forwarding filter. The global forwarding filter manages network communication with the remote application and performs copy-forwarding and protocol conversion of the request packet. Preferably, the route entries in the global routing table are divided, by matching priority from high to low, into a static adjustment group, a dynamic adjustment group and a default group.
Preferably, the routing group table includes a filter chain module that executes the filter chain and a forwarding module that forwards requests to the global forwarding filter. Preferably, the filter chain comprises, in order from front to back, an HTTP check filter, an authentication and authorization filter, an encryption/decryption filter, an anti-replay filter, an XSS filter and an SQL injection filter.
Preferably, the background management system comprises an application access module, a route forwarding module, a security configuration module and a configuration distribution module. The application access module configures an SM2 (Chinese national cryptographic standard) key pair for data encryption and signing; the route forwarding module configures route forwarding rules from which routes are built; the security configuration module configures the filter chain; the configuration distribution module distributes changed application configuration parameters to all service gateways in real time by active push.
Dividing the gateway cluster into several gateway cluster groups with independent sub-domain names gives the gateway system a flexible, expandable cluster architecture that supports linear, non-stop scaling of the gateway service and automatically splits request traffic to keep the service running stably. The global routing table of the invention improves route matching performance through cluster sharding and a route entry priority ordering policy. The invention provides a unified network entry for application requests and standardized application access management; it supports simultaneous access by multiple types of applications with per-application security parameter configuration. The gateway system is highly concurrent, secure and stable; it meets the access needs of multiple application types, supports the secure access requirements of WEB and REST applications, has good universality and adaptability, affects the application system little, and an application can be onboarded with only a small amount of modification to the business system.
Example 2:
The application security access gateway system comprises a background management system and a service gateway system, as shown in fig. 3. The service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port; the service port is used for receiving requests and sending them to the front-end router, and the management port is used for access by the background management system.
The background management system provides a WEB management interface and is responsible for application access management and application configuration parameter maintenance, where the configuration parameters comprise the route forwarding rules, the security configuration and the SM2 (national cryptographic standard) key pair. The route forwarding rules are used for constructing routes, the security configuration is used for configuring the filter chain, and the SM2 key pair is used for data encryption and signing. After the application configuration parameters change, the background management system distributes them to all service gateways in real time using an active push mode.
As shown in fig. 2, to support high concurrency and high availability, service gateways typically employ a cluster deployment mode and are located at the network boundary behind firewalls. The service gateway and the application services are typically deployed in the same data center (the application data center) and communicate over a local area network. To protect the application configuration parameters, the background management system and the management terminals are also typically deployed in the local area network. The network environment of the client is relatively complex and can be a company local area network or the Internet.
As shown in fig. 4, the global routing table module is responsible for maintaining static and dynamic routing information. Dynamic routes are created automatically from the application service information obtained through the registry; static routes are created as required from the application configuration module information; and static routes are specified to have higher priority than dynamic routes. Preferably, the registry supports a variety of third-party service providers, such as Alibaba Cloud, Huawei Cloud and service governance services. The global routing table provides the API request matching basis and policy for the front-end router.
As shown in fig. 5, the front-end router is responsible for processing the API interface request packet, analyzing the data communication protocol used by the request packet, and matching a route object according to the global routing table. The global routing table matches route objects according to the data communication protocol and the matching policy of the route configuration. Preferably, the route matching policy is an open interface and can match route objects according to the communication protocol and information such as the characteristics of the request packet. Common matching policy implementations include request path matching, request metadata matching and request parameter matching; a more powerful matching mode can be realized by logically combining several matching policies.
The virtual forwarder completes the request forwarding work according to the matched route object. The virtual forwarder is an application-oriented functional module: each accessed application corresponds to one virtual forwarder, which is responsible for route forwarding of all requests of that application. The global forwarding filter is responsible for managing network communication with remote applications and realizes copy forwarding and protocol conversion of request packets. A route object in the global routing table also belongs to an application, so the corresponding virtual forwarder can be matched directly by application to complete the request forwarding.
The largest difference between the global routing table and the routing group table components is the object they serve: the global routing table serves the front-end router of the service gateway, with each route corresponding to one microservice, while the routing group table serves the application system. A route group is composed of at least one route, a forwarding module and a filter chain. The routing group table is created from the application configuration parameters, and one route group corresponds to one accessed application system. When the application configuration parameters change, the routing group table is updated synchronously in real time.
Preferably, as shown in fig. 6, a service cluster is a common high availability, high throughput solution in which multiple service nodes share the traffic pressure according to some load policy. However, in the single service cluster mode, the number of service nodes has an upper limit and cannot be extended infinitely. In addition, as the number of accessed applications increases, the routing table becomes huge, so more CPU time is spent computing the route matching policy and the performance of the whole service cluster drops. Cluster grouping divides a large cluster into several small clusters (gateway clusters); each small cluster realizes load-balanced access to the gateway cluster through a cloud-native SLB load balancing service or other components, and each small cluster is allocated an independent sub-domain name.
Preferably, as shown in fig. 7, after the gateway cluster is divided into several small clusters (gateway clusters), the global routing table also needs to be split into several small routing tables, so that the entries in each routing table are reduced and route traversal matching performance improves. When an application is accessed, the background management must manually specify which cluster group carries the access traffic of the application, so the route group of the application can only belong to the global routing table of one small cluster group, and the client uses the sub-domain name of the corresponding cluster group to access the service of the application.
Preferably, by default the order of routing entries in the global routing table is determined by application registration time. However, that order may not be optimal for the route matching policy: in the extreme case, the route entry of the application with the largest throughput is ranked last in the routing table, and when routes are matched, the matching calculation is performed on every preceding route entry in turn before the last entry is hit. Therefore a sequential priority score is set for each route entry; the higher the value, the higher the priority, and the earlier the entry is evaluated during route matching. Two modes, static adjustment and dynamic adjustment, are used for the scores of the route entries in the global routing table. In static adjustment the score is set manually by the administrator through a background management function. In dynamic adjustment the score is calculated dynamically according to some algorithmic strategy, for example from the concurrent accesses of the application over a period of time: the more accesses, the higher the score, and the higher the routing entry priority. In dynamic adjustment mode the order of the routing entries is adjusted automatically over time.
Preferably, the routing entries in the global routing table are divided into 3 logical groups: the static adjustment group, the dynamic adjustment group and the default group, with priority from high to low in that order. The entries in the static adjustment group are evaluated first during route matching; the purpose of this design is to let an administrator override the dynamic adjustment result. The dynamic adjustment group entries are matched next, and finally the default group entries. Which group an application's routing entry belongs to is configured by the administrator in the background management.
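As an added illustration of the priority groups and scores described above (example code, not from the patent): a small global routing table that keeps the static adjustment, dynamic adjustment and default groups, orders entries within each group by administrator score, by a sliding-window access count (one of the strategies the text suggests) and by registration time respectively, and evaluates composable path, header and parameter matching policies. The entry names, URLs, the window length and the request shape are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Optional

# A request is parsed into a dict {"path", "headers" (lower-cased keys), "params"};
# a matching policy is a predicate over it, and policies compose by logical AND.
Policy = Callable[[dict], bool]

def path_prefix(prefix: str) -> Policy:
    return lambda req: req["path"].startswith(prefix)

def header_equals(name: str, value: str) -> Policy:
    return lambda req: req["headers"].get(name.lower()) == value

def param_equals(name: str, value: str) -> Policy:
    return lambda req: req["params"].get(name) == value

STATIC, DYNAMIC, DEFAULT = "static", "dynamic", "default"
GROUP_ORDER = (STATIC, DYNAMIC, DEFAULT)  # matching priority, high to low

@dataclass
class RouteEntry:
    app: str                  # accessed application the route belongs to
    url: str                  # forwarding target, e.g. lb://<service-id>
    policies: List[Policy]    # every policy must hold for a hit
    registered_at: float      # orders the default group (registration time)
    group: str = DEFAULT      # chosen by the administrator
    static_score: int = 0     # administrator-set score (static adjustment)
    hits: Deque[float] = field(default_factory=deque)  # recent hit times

    def matches(self, req: dict) -> bool:
        return all(policy(req) for policy in self.policies)

class GlobalRoutingTable:
    def __init__(self, window_seconds: float = 60.0):
        self.window = window_seconds  # assumed length of the access window
        self.entries: List[RouteEntry] = []

    def add(self, entry: RouteEntry) -> None:
        self.entries.append(entry)

    def dynamic_score(self, entry: RouteEntry, now: float) -> int:
        # Assumed strategy: number of hits inside the sliding window.
        while entry.hits and now - entry.hits[0] > self.window:
            entry.hits.popleft()
        return len(entry.hits)

    def ordered(self, now: float) -> List[RouteEntry]:
        """Entries in the order the matcher evaluates them."""
        groups = {g: [e for e in self.entries if e.group == g] for g in GROUP_ORDER}
        groups[STATIC].sort(key=lambda e: -e.static_score)
        groups[DYNAMIC].sort(key=lambda e: -self.dynamic_score(e, now))
        groups[DEFAULT].sort(key=lambda e: e.registered_at)
        return [e for g in GROUP_ORDER for e in groups[g]]

    def match(self, req: dict, now: float) -> Optional[RouteEntry]:
        for entry in self.ordered(now):
            if entry.matches(req):
                entry.hits.append(now)  # feeds the dynamic score
                return entry
        return None  # no route: the gateway answers 404

def build_demo_table() -> GlobalRoutingTable:
    # Constructed entries: three applications plus one administrator override.
    table = GlobalRoutingTable()
    table.add(RouteEntry("app-a", "lb://app-a-svc", [path_prefix("/api/a")], 1.0))
    table.add(RouteEntry("app-b", "lb://app-b-svc", [path_prefix("/api/b")], 2.0, DYNAMIC))
    table.add(RouteEntry("app-c", "lb://app-c-svc", [path_prefix("/api/c")], 3.0, DYNAMIC))
    # Static group: evaluated ahead of everything although registered last, and
    # combining two policies so only the "ops" tenant of /api/a is diverted.
    table.add(RouteEntry("admin", "http://10.0.0.9:9000",
                         [path_prefix("/api/a"), header_equals("X-Tenant", "ops")],
                         4.0, STATIC, static_score=10))
    return table
```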
Dynamic routes differ from static routes in the forwarding URL address held in the route data structure. The URL address of a dynamic route uses the lb protocol, with the host part being the service ID of the microservice; when the route is forwarded, the service registry information is used to convert the service ID into a real IP address and port.
Preferably, fig. 11 shows the interaction among the microservice registry, the service gateway and the service provider. After the service provider starts successfully, it registers its service-related information, including service ID, protocol, IP address and port, in the registry. The registry maintains a service register and detects the health status of service providers through a heartbeat mechanism; if it detects that a service is down, it deletes that service registration information from the registry. The service gateway periodically pulls registry information from the registry and updates the routing table information.
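The registry interaction described above, as an added example that is not the patent's code: providers register service ID, protocol, IP and port, the registry evicts providers whose heartbeat has lapsed, and the gateway rebuilds its lb:// dynamic routes from each pull and resolves a service ID to a live ip:port at forwarding time. The heartbeat timeout, round-robin instance selection and all addresses are assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterator, List, Optional
from urllib.parse import urlparse

@dataclass
class Provider:
    service_id: str        # host part of the lb:// URL
    protocol: str
    ip: str
    port: int
    last_heartbeat: float  # registry clock, seconds

class Registry:
    """Service registry: holds providers and evicts ones whose heartbeat lapsed."""

    def __init__(self, timeout: float = 30.0):  # timeout value is an assumption
        self.timeout = timeout
        self.providers: Dict[str, Provider] = {}  # keyed by "ip:port"

    def register(self, provider: Provider) -> None:
        self.providers[f"{provider.ip}:{provider.port}"] = provider

    def heartbeat(self, ip: str, port: int, now: float) -> None:
        key = f"{ip}:{port}"
        if key in self.providers:
            self.providers[key].last_heartbeat = now

    def evict_dead(self, now: float) -> List[str]:
        dead = [k for k, p in self.providers.items()
                if now - p.last_heartbeat > self.timeout]
        for key in dead:
            del self.providers[key]
        return dead

    def snapshot(self) -> Dict[str, List[Provider]]:
        by_id: Dict[str, List[Provider]] = {}
        for p in self.providers.values():
            by_id.setdefault(p.service_id, []).append(p)
        return by_id

class DynamicRoutes:
    """Gateway side: lb:// routes rebuilt from each registry pull."""

    def __init__(self) -> None:
        self.instances: Dict[str, List[Provider]] = {}
        self._rr: Dict[str, Iterator[int]] = {}  # round-robin counters (assumed policy)

    def pull(self, registry: Registry, now: float) -> List[str]:
        registry.evict_dead(now)
        self.instances = registry.snapshot()
        return [f"lb://{sid}" for sid in sorted(self.instances)]  # dynamic route URLs

    def resolve(self, route_url: str, path: str) -> Optional[str]:
        """Turn a route URL plus request path into the concrete forward target."""
        parsed = urlparse(route_url)
        if parsed.scheme != "lb":
            return route_url.rstrip("/") + path  # static route: already concrete
        service_id = parsed.hostname or ""
        live = self.instances.get(service_id)
        if not live:
            return None  # service ID known to no live provider
        idx = next(self._rr.setdefault(service_id, count())) % len(live)
        p = live[idx]
        return f"{p.protocol}://{p.ip}:{p.port}{path}"
```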
Example 3:
The application security access gateway route forwarding method is carried out using the gateway system above: the background management and the service gateway interact to access the application system. After the application system is successfully accessed, all requests must be routed through the service gateway.
Preferably, as shown in fig. 8, after the user operates the application configuration parameters, the interaction process between the background management and the service gateway is as follows:
The user operates the application configuration through the UI provided by the background management, and the background management persists the application configuration data in a relational database. The service gateway receives the application configuration parameter list through the management port, and the virtual forwarder component in the service gateway updates the route group table according to that list, mainly updating the route forwarding rules and the filter chain of the application. The route group table component pushes the configured static routes to the global routing table component, which updates its routing table information according to the static route configuration.
The service gateway listens on two ports: a management port and a service port. The management port serves the control plane and handles functions such as application configuration parameters and queries of the service gateway running-state metrics. The service port serves the data plane and processes the service requests of the application system. Separating the control plane from the data plane further improves the security of the service gateway.
Preferably, as shown in fig. 9, the service gateway service request route forwarding process is as follows:
After the application system is successfully accessed, all requests must be routed and forwarded through the service gateway. The client in the figure may be the front end of an application system or a third-party service system; the client sends the request to the service port of the gateway. After receiving the request, the service gateway matches a route according to the global routing table matching policy: if no route matches, the gateway directly returns a 404 error; if a route matches successfully, the virtual forwarder is asked to continue processing. The virtual forwarder executes the filter chain, which executes each filter in turn and directly returns a 400 error if a filter fails. After the filter chain has executed, the forwarding module is responsible for forwarding the request and hands it to the global forwarding filter. The global forwarding filter replicates and forwards the request; the application service processes the request and responds, and the global forwarding filter then processes the response, returning a 500 error if that processing fails.
Preferably, as shown in fig. 10, the execution of the filters in the filter chain is as follows:
(1) Whether each filter in the filter chain executes is controlled by the application configuration parameters. The user can turn a filter function on or off by operating the application configuration parameters through the management interface. In extreme cases all filter functions may be turned off.
(2) The HTTP check filter mainly checks important headers in the HTTP protocol, including the headers related to cross-domain requests and to the request method. For cross-domain requests, the values of the related headers Referer and Origin are checked against a trusted domain name whitelist. According to the State Grid security requirements, only the GET and POST request methods are allowed; if another request method is used, a 400 error is returned directly.
(3) The authentication and authorization filter implements caller authentication and application interface access permission checking. Caller authentication supports the OAuth2 protocol and the Basic authentication mode of the HTTP protocol. The service gateway implements the resource server role of the OAuth2 protocol standard and supports the bearer access token type. The system itself does not provide identity management and authorization management functions; these can only be realized by integrating a third-party OAuth2 authorization center, such as the State Grid unified permission management system.
For the Basic authentication mode of the HTTP protocol, the service gateway issues an access key and a secret key to the caller, and the client must use Basic authentication on every request.
The OAuth2 protocol is more often used for user identity authentication in WEB applications, while Basic authentication is often used for identity authentication of interface calls between a REST application backend and third-party systems.
The access permission check depends on the identity verification result and can only be performed after identity verification has passed. The access permission check is also realized by delegating to the third-party OAuth2 authorization center; the service gateway defines a REST interface specification for access permission checking.
(4) The encryption and decryption filter uses a combination of SM2 (national cryptographic standard) and a dynamic SM4 key to decrypt the HTTP request body and encrypt the response body, improving the confidentiality of transmission across the data network.
The value of the request header X-acuud-Crypto-symmetry-Code is the SM4 key, and the SM4 key text is encrypted with the SM2 public key. The backend obtains the SM4 key by decrypting with the corresponding SM2 private key, decrypts the request ciphertext with the SM4 key, and encrypts the response with the same SM4 key.
For WEB applications, the SM2 key pair in the application configuration parameters is used; for REST applications, the SM2 key pair issued to the caller is used.
(5) The anti-replay filter generates a header according to a prescribed algorithm and protocol, and the service gateway checks this header to determine whether the request is a duplicate.
(6) The tamper-resistant filter signs the request data and checks whether the signature of the data is consistent; if not, the request data has been tampered with.
(7) The XSS script attack filter and the SQL injection filter check, through regular expressions, whether related keywords exist in the request parameters and the request body.
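The filter chain of points (1) to (7), as an added example rather than the patent's implementation: each filter returns None to pass or a reason to fail, a filter is skipped when the application configuration turns it off, and the first failure yields a 400 (the encryption filter is left out). The X-Replay-Token header format, the HMAC-SHA256 signature standing in for the SM2 signature, the Basic credential pair, the keyword list and the trusted domain are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed request shape: method, lower-cased headers, query params, body and
# the gateway clock ("now", seconds) so the example runs deterministically.
Request = dict
Filter = Callable[[Request], Optional[str]]  # None = pass, str = failure reason

TRUSTED_DOMAINS = {"app.example.com"}        # constructed whitelist
CREDENTIALS = {"ak-demo": "sk-demo-secret"}  # access key -> secret key (constructed)
REPLAY_WINDOW = 300                          # seconds (assumed)
FILTER_NAMES = ["http_check", "auth", "anti_replay", "tamper", "keyword"]

def http_check_filter(req: Request) -> Optional[str]:
    # Only GET and POST are allowed; Referer/Origin must be on the whitelist.
    if req["method"] not in ("GET", "POST"):
        return "method not allowed"
    for h in ("referer", "origin"):
        value = req["headers"].get(h)
        if value and urlparse(value).hostname not in TRUSTED_DOMAINS:
            return f"untrusted {h}"
    return None

def basic_auth_filter(req: Request) -> Optional[str]:
    # Basic authentication with the gateway-issued access key / secret key.
    auth = req["headers"].get("authorization", "")
    if not auth.startswith("Basic "):
        return "missing credentials"
    try:
        access_key, secret_key = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return "malformed credentials"
    expected = CREDENTIALS.get(access_key)
    if expected is None or not hmac.compare_digest(expected, secret_key):
        return "bad credentials"
    req["caller"] = access_key  # later filters need the caller identity
    return None

def make_anti_replay_filter(seen: Set[str]) -> Filter:
    # Assumed header scheme: X-Replay-Token = "<unix-timestamp>:<nonce>".
    def anti_replay(req: Request) -> Optional[str]:
        token = req["headers"].get("x-replay-token", "")
        ts, _, nonce = token.partition(":")
        if not ts.isdigit() or not nonce:
            return "missing replay token"
        if abs(req["now"] - int(ts)) > REPLAY_WINDOW:
            return "replay token expired"
        if token in seen:
            return "duplicate request"
        seen.add(token)
        return None
    return anti_replay

def sign_body(secret_key: str, body: str) -> str:
    # HMAC-SHA256 stands in for the page's SM2 signature (assumption).
    return hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()

def tamper_filter(req: Request) -> Optional[str]:
    secret_key = CREDENTIALS.get(req.get("caller", ""))
    if secret_key is None:
        return "unknown caller"
    expected = sign_body(secret_key, req["body"])
    if not hmac.compare_digest(expected, req["headers"].get("x-signature", "")):
        return "signature mismatch"
    return None

# Keyword heuristic for the XSS and SQL injection filters (constructed list).
KEYWORDS = re.compile(
    r"<script\b|javascript:|onerror\s*=|union\s+select|'\s*or\s+1\s*=\s*1|;\s*drop\s+table",
    re.IGNORECASE,
)

def keyword_filter(req: Request) -> Optional[str]:
    for value in list(req["params"].values()) + [req["body"]]:
        if KEYWORDS.search(value):
            return "suspicious keyword"
    return None

class FilterChain:
    """Runs the filters front to back; a filter is skipped when the application
    configuration turns it off, and the first failure yields HTTP 400."""

    def __init__(self, filters: List[Tuple[str, Filter]], enabled: Dict[str, bool]):
        self.filters = filters
        self.enabled = enabled  # per-application on/off switches

    def run(self, req: Request) -> Tuple[int, str]:
        for name, flt in self.filters:
            if not self.enabled.get(name, True):
                continue
            reason = flt(req)
            if reason is not None:
                return 400, f"{name}: {reason}"
        return 200, "forward"  # hand the request to the forwarding module

def build_chain(enabled: Dict[str, bool]) -> FilterChain:
    filters = [("http_check", http_check_filter), ("auth", basic_auth_filter),
               ("anti_replay", make_anti_replay_filter(set())),
               ("tamper", tamper_filter), ("keyword", keyword_filter)]
    return FilterChain(filters, enabled)

def make_request(method: str, body: str, params: Dict[str, str], now: int,
                 nonce: str, referer: str = "https://app.example.com/") -> Request:
    # Constructed client request carrying valid credentials and signature.
    creds = base64.b64encode(b"ak-demo:sk-demo-secret").decode()
    return {"method": method, "params": params, "body": body, "now": now,
            "headers": {"authorization": "Basic " + creds, "referer": referer,
                        "x-replay-token": f"{now}:{nonce}",
                        "x-signature": sign_body("sk-demo-secret", body)}}
```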
The invention can realize simultaneous access management of multiple types of applications, and the service gateway supports the simultaneous operation of several applications. The method realizes online management and real-time pushing of the application configuration parameters; the service gateway updates and applies them in real time, so that parameter changes do not interrupt the service. Request route forwarding and security checking of the application system are implemented on the basis of the route group and the filter chain. The invention uses the filter chain execution mode to realize security functions such as identity authentication, access authorization checking, encrypted data transmission, SQL injection checking and script attack protection, and supports turning the related checking functions on or off through online configuration as needed. The filter chain can also perform body data format conversion and metadata adaptation for request and response packets within the same data communication protocol, for example adding header information and converting body media types in the HTTP protocol. The route object creation method of the global routing table module supports both dynamic routes constructed from the registry and configured static routes, and supports flexible, extensible route matching policies that cover route matching scenarios for packets of various protocols. The logical grouping of routes by priority and the dynamic priority calculation strategy of the global routing table effectively improve the request matching performance of the service gateway.
The foregoing description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent variation, etc. of the above embodiment according to the technical matter of the present invention fall within the scope of the present invention.
Claims (6)
1. The application security access gateway system is characterized by comprising a background management system and a service gateway system, wherein the background management system is used for providing a WEB terminal management interface, application access management and application configuration parameter maintenance; the service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port, wherein the service port is used for receiving a request and sending the request to the front-end router, and the management port is used for accessing the background management system;
the gateway cluster comprises a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with a global routing table, and the background management system is used for accessing the service of the application by using the gateway cluster group with the corresponding sub-domain name; each accessed application corresponds to a virtual forwarder, which is responsible for the route forwarding work of all requests of the application and comprises an application configuration module and a routing group table;
the front-end router is used for analyzing the data communication protocol used by the request data packet, matching a route object according to the global routing table of the gateway cluster group of the corresponding application, and sending the successfully matched route object to the virtual forwarder of the corresponding application; the global routing table is used for maintaining static routing and dynamic routing information and providing the API request matching basis and policy for the front-end router; the application configuration module is used for creating static routes and pushing them to the global routing table, and the registry is used for acquiring application service information, creating dynamic routes and pushing them to the global routing table; the routing group table is responsible for the route forwarding work of all requests of the application and sends them to the global forwarding filter; the global forwarding filter is used for managing network communication with the remote application and realizing copy forwarding and protocol conversion of the request data packet;
the routing group table comprises a filter chain module and a forwarding module, wherein the filter chain module is used for executing a filter chain, and the forwarding module is used for forwarding a request to a global forwarding filter;
and the routing entries in the global routing table are divided into a static adjustment group, a dynamic adjustment group and a default group from high to low according to the matching priority.
2. The system of claim 1, wherein the filter chain comprises an HTTP check filter, an authentication authorization filter, an encryption/decryption filter, an anti-replay filter, an XSS filter, and an SQL injection filter, which are sequentially arranged from front to back.
3. The application security access gateway system of claim 1, wherein the background management system comprises an application access module, a route forwarding module, a security configuration module, and a configuration distribution module; the application access module is used for configuring the SM2 (national cryptographic standard) key pair to realize data encryption and signing; the route forwarding module is used for configuring route forwarding rules to realize the construction of routes; the security configuration module is used for configuring the filter chain; the configuration distribution module is used for distributing the changed application configuration parameters to all service gateways in real time by adopting an active push mode.
4. A method for forwarding a route using a secure access gateway, which is performed using the gateway system of any one of claims 1 to 3, and is characterized by comprising the following steps:
step S100: the background management system interacts with the service gateway system and is accessed to the application system;
step S200: after the application system is successfully accessed, all requests must be routed and forwarded through the service gateway system:
step S201: the client sends a request to a service port of the service gateway system, after the service gateway system receives the request, the front router matches the route according to the global routing table matching strategy, if the route is not matched, the service gateway system directly returns an error prompt, and if the route is successfully matched, the step S202 is entered;
step S202: requesting virtual forwarder processing, the virtual forwarder executing a filter chain, the filter chain executing each filter in turn, if the filter processing fails, directly returning an error prompt, otherwise, after the filter chain is executed, forwarding the request to a global forwarding filter by a forwarding module;
step S203: the global forwarding filter copies the request and forwards the request to the remote application, the remote application processes the request and returns a response to the global forwarding filter, the global forwarding filter processes the response, if the processing fails, an error prompt is returned to the server, and otherwise, a normal response is returned to the client.
5. The method for forwarding the application security access gateway route according to claim 4, wherein said step S202 comprises the steps of:
step A1: first, the HTTP check filter checks the headers related to cross-domain requests and request methods in the HTTP protocol; for cross-domain requests the values of the related headers Referer and Origin are checked against a trusted domain name whitelist, and only the GET and POST request methods are allowed;
step A2: caller identity verification and application interface access permission checking are performed by the authentication and authorization filter;
step A3: the encryption and decryption filter uses a combination of SM2 (national cryptographic standard) and a dynamic SM4 key to decrypt the HTTP request body and encrypt the response body;
step A4: the anti-replay filter generates a message header according to a specified algorithm and protocol, and the service gateway system checks the message header to determine whether the request is a repeated request;
step A5: the tamper-resistant filter signs the requested data, and the service gateway system checks whether the signatures of the data are consistent; if not, the tamper-resistant filter indicates that the requested data has been tampered with;
step A6: the XSS script attack filter and the SQL injection filter check, through regular expressions respectively, whether related keywords exist in the request parameters and the request body.
6. The method for forwarding the application security access gateway route according to claim 4, wherein the step S100 comprises the steps of:
step S101: the user operates the application configuration through a UI interface provided by a background management system, and the background management system uses the persistent application configuration data of the relational database;
step S102: the service gateway system uses the management port to receive the application configuration parameter list, and a virtual forwarder component in the service gateway system updates a route group table according to the application configuration parameter list and updates an applied route forwarding rule and a filter chain;
step S103: the route group table component pushes the configured static route to the global route table component, and the global route table component updates route table information according to the static route configuration;
step S104: the service gateway system monitors a management port and a service port, wherein the management port serves a control plane and processes application configuration parameters and service gateway running state index query; the service port serves the data plane and processes the service request of the application system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311356991.2A CN117097591B (en) | 2023-10-19 | 2023-10-19 | Application security access gateway system and route forwarding method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117097591A CN117097591A (en) | 2023-11-21 |
CN117097591B true CN117097591B (en) | 2024-01-23 |
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||