CN117544668A - Method for reverse proxy through external network server - Google Patents

Method for reverse proxy through external network server

Info

Publication number
CN117544668A
Authority
CN
China
Prior art keywords
message
server
external network
data channel
port
Prior art date
Legal status
Pending
Application number
CN202311828380.3A
Other languages
Chinese (zh)
Inventor
马俊
Current Assignee
Yangzhou Bridge Software Technology Co ltd
Original Assignee
Yangzhou Bridge Software Technology Co ltd
Priority date
Filing date
Publication date

Abstract

The invention discloses a method for reverse proxying through an extranet server, in the technical field of communication. The method comprises the following steps: 1. an intranet server and an extranet server establish a data channel T; 2. a mapping relation M between a port P and the data channel T is established on the extranet server; 3. after receiving a message on port P, the extranet server forwards the IP packet into the data channel T. The invention avoids an ALG function in the communication between an extranet host and the intranet server, so that the intranet server can provide richer services to the extranet host.

Description

Method for reverse proxy through external network server
Technical Field
The invention relates to the technical field of communication, in particular to a method for reverse proxy through an external network server.
Background
To relieve the pressure of IP (Internet Protocol) address exhaustion, NAT (Network Address Translation) is currently applied on a large scale. NAT is mainly used to let an internal network (intranet, private IP addresses) access an external network (extranet, public IP addresses). When an intranet host accesses the extranet, its private address is translated into a public address, and many private-network users can share one public address, which preserves connectivity while saving public addresses.
But if the intranet needs to provide services to the extranet, such as a www service, either a NAT Server function is required or a TCP (Transmission Control Protocol) reverse proxy is run on an extranet server. The principle of TCP reverse proxy is shown in fig. 1:
1. two TCP connections are terminated on the extranet server: TCP connection 1 between the extranet host and the extranet server, and TCP connection 2 between the intranet server and the extranet server;
2. the data part of TCP connection 1 received by the extranet server is forwarded into TCP connection 2, and the data part of TCP connection 2 received by the extranet server is forwarded into TCP connection 1.
For some special protocols, however, forwarding the data part is not enough, for example FTP (File Transfer Protocol): an FTP server using a private IP address may need to send its own IP address to the peer during the session with the extranet host, and that address is carried in the data part of the TCP segment; when the extranet host receives this private address and uses it, the FTP server appears unreachable. Such protocols therefore require the extranet server to parse and rewrite TCP application-layer data, an ALG (Application Level Gateway) function, so that the application-layer protocol can run across the intranet and the extranet.
The ALG function is complex to implement because it must parse application-layer data, and it cannot process that data at all when the application layer has a security requirement to encrypt it; this imposes certain restrictions on the services the intranet server can provide.
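To make the ALG burden concrete, the following Python is an added illustration of the prior-art problem described above; it is not code from the patent and not the patent's method. It performs the one rewrite a TCP reverse proxy has to apply to an FTP control channel (the server's 227 "Entering Passive Mode" reply, which carries the private address in the TCP payload) and shows why that rewrite is impossible once the control channel is encrypted. The public address, the public port range and the sample lines are constructed for the example.

```python
import re

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server advertises its own
# address and a data port p1*256 + p2 inside the TCP payload; this is the text an ALG rewrites.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def rewrite_pasv(reply, public_ip, port_map, first_public_port=40000):
    """Replace the private address/port in a 227 reply with the proxy's public ones.

    port_map (private data port -> public data port) is the state the ALG keeps: for every
    public port it hands out, the proxy must also listen there and relay to the private port.
    Public address and port range are constructed values for this example.
    """
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        return reply
    h = [int(g) for g in m.groups()]
    private_port = h[4] * 256 + h[5]
    public_port = port_map.setdefault(private_port, first_public_port + len(port_map))
    fields = public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    return reply[:m.start()] + "(" + ",".join(fields) + ")" + reply[m.end():]


def relay_control_line(line, public_ip, port_map):
    """One control-channel line from the server, as a TCP reverse proxy sees it.

    Plain FTP lines are readable, so the advertised address can be fixed; with FTP over TLS
    the control channel is ciphertext, nothing parses, and the line can only be forwarded
    unchanged, which is the limitation the background section describes.
    """
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return line, "opaque"
    new = rewrite_pasv(text, public_ip, port_map)
    return new.encode("ascii"), "rewritten" if new != text else "forwarded"
```

Besides editing the text, the proxy has to open a listener on each public data port it hands out and relay it to the private port, and it has to apply the inverse mapping to PORT commands coming from the client; that per-protocol state is the complexity the page refers to. When the control channel is encrypted, the 227 line arrives as TLS records, the decode fails, and the bytes can only be forwarded unchanged, so the private address reaches the extranet host.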
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for reverse proxy through an extranet server, so that no ALG function is needed in the communication between an extranet host and an intranet server and the intranet server can provide richer services to the extranet host.
To achieve the above object, the invention is realized by the following technical scheme: a method of reverse proxy through an extranet server, comprising the steps of:
1. establishing a data channel T between an intranet server and an extranet server;
2. establishing, on the extranet server, a mapping relation M between a port P and the data channel T;
3. after receiving a message on port P, the extranet server forwards the IP packet into the data channel T.
Preferably, after receiving a message from the data channel T, the extranet server, if the data part of the message is an IP packet, parses the source port and protocol type from the IP packet, looks them up in the mapping table M to obtain a data channel T', and, if T and T' are the same data channel, encapsulates the IP packet correctly and sends it out of the network port. Preferably, the intranet server creates a network interface and configures its IP address as the IP address of the extranet server.
The beneficial effects of the invention are: while an extranet host accesses the intranet server, the extranet server does not need to deploy an ALG function, which reduces the complexity of the extranet server, and the intranet server can provide any type of IP service without being limited by an ALG; at the same time, no large number of TCP connections is established on the extranet server, which greatly reduces its memory and CPU requirements.
Drawings
The invention is described in detail below with reference to the drawings and the detailed description;
FIG. 1 is a schematic diagram of the background art of the invention;
FIG. 2 is a schematic diagram of the structure of the present invention;
FIG. 3 is a diagram illustrating a message format of a data channel according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the mapping of an authentication message and an address notification message according to an embodiment of the present invention.
Description of the embodiments
The invention is further described in connection with the following detailed description, in order to make the technical means, the creation characteristics, the achievement of the purpose and the effect of the invention easy to understand.
Example 1: as shown in FIG. 2, the extranet server has IP address A1 and uses UDP (User Datagram Protocol) port P1 as the data channel service port; the intranet server has IP address A2 and can communicate over UDP from its own port P1 with port P1 of the extranet server; the intranet server provides a network service on TCP port P.
The system workflow comprises two parts of establishing a data channel and communicating an external network host and an internal network server, and specifically comprises the following steps:
1. establishing a data channel
1.1 The intranet server sends a UDP authentication message from its port P1 to port P1 of the extranet server. The authentication message carries authentication information such as an intranet device identifier N and a password or certificate, and optionally the port(s) and protocol type (for example port P, protocol TCP) on which the local machine provides services to extranet hosts; several ports may be listed;
1.2 After receiving the authentication message, the extranet server checks whether the authentication information is correct. If authentication succeeds, it generates a data channel T and records the correspondence R between the intranet device name and the data channel. The IP five-tuple of the data channel T (destination IP address, destination port, source IP address, source port, protocol type) is: the source IP address of the authentication message, the source port of the authentication message, the local IP address A1, port P1, UDP;
1.3 After the data channel T is established, the extranet server sends an address notification message through T that carries the extranet server's IP address A1. The extranet server also builds the port mapping table: it can be generated from the port information carried in the authentication message (the optional information of step 1.1), or from preset information on the extranet server, for example an administrator assigns port P on the extranet server to device N and the server looks up T in R by N; either way the result is a mapping table M from port to data channel;
1.4 After receiving the address notification message, the intranet server creates a new network interface I and configures the interface IP address as A1.
2. Communication between external network host and internal network server
After the data channel is established, the intranet server is able to provide services to extranet hosts. Taking as an example an extranet host accessing TCP port P of the extranet server, the communication flow that establishes the TCP connection is as follows:
2.1 The extranet host sends a TCP SYN to port P of the extranet server; the complete IP packet is denoted D1, and the TCP connection enters the SYN_SENT state;
2.2 After receiving the packet, the extranet server looks up the mapping table M using the destination port and protocol type of the IP packet as the key: if no data channel is found, the packet is processed normally by the original IP protocol stack; if a data channel is found, the received IP packet D1 is sent into that data channel in the data channel message format shown in FIG. 3. In this embodiment the data is sent through data channel T;
2.3 After receiving the message on UDP port P1, the intranet server examines the first byte of the UDP payload (i.e. D1); if the payload conforms to the IP packet format, D1 is handed to network interface I for processing;
2.4 The protocol stack of the intranet server normally replies with a TCP SYN/ACK; the complete IP packet is denoted D2. If the intranet server sees that the source address of D2 equals A1, it sends D2 from its UDP port P1 to the extranet server in the format of FIG. 3;
2.5 After receiving a message on the data channel T, the extranet server, if the payload is an IP packet, parses the source port and protocol type from the IP packet, looks them up in the mapping table M to obtain a data channel T', and, if T and T' are the same data channel, encapsulates the IP packet correctly and sends it out of the network port. Specifically, in this embodiment, after UDP port P1 receives a message, the first byte of the UDP payload (i.e. D2) is examined; if it does not conform to the IP packet format, the payload is processed by the original flow. If it is an IP packet, the mapping table M is searched by the source port and protocol type found in D2 (P and TCP), and the destination IP/destination port of the resulting data channel T are compared with the source IP address/source port of the UDP datagram: if they differ, the message is discarded; if they are equal, D2 is encapsulated correctly (for example an Ethernet header is added when the local port is an Ethernet port) and sent out of the correct network interface;
2.6 After the extranet host receives IP packet D2, the TCP connection enters the ESTABLISHED state.
The subsequent TCP ACK message and data exchange are not described in detail.
Because the two flows, establishing the data channel and communication between the extranet host and the intranet server, use exactly the same IP five-tuple, the embodiment distinguishes them as follows: both the authentication message and the address notification message are encapsulated in the format of FIG. 4, that is, the first byte of the UDP payload equals 0x00, which differs from the 0x4x first byte of an IPv4 packet and the 0x6x first byte of an IPv6 packet. Other ways of distinguishing the messages may be used; the invention is not particularly limited in this respect.
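The following Python is an added, self-contained model of the two flows above, written for this page rather than taken from the patent. It implements the extranet server's side of steps 1.2, 1.3, 2.2 and 2.5 (authentication, building R and M, the destination-port lookup for inbound packets, the source-port lookup plus the T == T' check for outbound packets), the intranet server's checks of steps 1.4, 2.3 and 2.4, and the first-byte demultiplexing rule of FIG. 4, then drives one TCP SYN/SYN-ACK exchange through it in memory. The addresses and ports (A1 = 203.0.113.10, P1 = 4000, A2 = 10.0.0.5, P = 8080), the control-message layout after the 0x00 byte (a subtype byte followed by a JSON body), the shared-secret credential and all function names are assumptions; the page fixes only the 0x00 / 0x4x / 0x6x rule, the five-tuple of T and the rule that the UDP payload of a data message is the raw IP packet.

```python
import hmac, json, socket, struct
from collections import namedtuple

# Constructed addresses (RFC 5737 documentation ranges) and ports; not the patent's own values.
A1, P1 = "203.0.113.10", 4000          # extranet server address and UDP data channel port
A2 = "10.0.0.5"                        # intranet server's private address
P = 8080                               # TCP service published on the extranet server
EXT_HOST = "198.51.100.7"              # external client
CTRL, AUTH, ADDR_NOTIFY = 0x00, 1, 2   # 0x00 is the page's rule; subtypes and JSON bodies are assumed
SYN, ACK = 0x02, 0x10
PROTO_NAMES = {6: "tcp", 17: "udp"}
Channel = namedtuple("Channel", "dst_ip dst_port src_ip src_port proto")  # five-tuple of step 1.2

def payload_kind(payload):
    """FIG. 4 rule: 0x00 is a control message, 0x4x an IPv4 packet, 0x6x an IPv6 packet."""
    if payload[0] == CTRL:
        return "control"
    return {4: "ipv4", 6: "ipv6"}.get(payload[0] >> 4, "other")

def ipv4_fields(pkt):
    """(protocol name, source port, destination port) of a raw IPv4 TCP/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return PROTO_NAMES.get(pkt[9]), sport, dport

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Minimal IPv4+TCP packet; checksums stay zero because no real stack ever sees it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def auth_message(name, secret, ports):
    """Step 1.1: message the intranet server sends from its UDP port P1 to A1:P1 (layout assumed)."""
    return bytes([CTRL, AUTH]) + json.dumps({"name": name, "secret": secret, "ports": ports}).encode()

def intranet_route(ip_packet, iface_addr):
    """Step 2.4: a reply whose source is interface I's address (A1) goes back through the channel."""
    return "channel" if socket.inet_ntoa(ip_packet[12:16]) == iface_addr else "lan"

class ExtranetServer:
    def __init__(self, credentials):
        self.credentials = credentials    # device name N -> shared secret
        self.R, self.M = {}, {}           # N -> Channel ; (port, proto) -> Channel
        self.sent, self.to_wire = [], []  # (dst_ip, dst_port, payload) via UDP P1 ; packets out the NIC

    def receive_udp(self, src_ip, src_port, payload):
        """Demultiplex a datagram arriving at A1:P1; anything else follows the original UDP flow."""
        kind = payload_kind(payload)
        if kind == "control":
            return self._control(src_ip, src_port, payload)
        if kind == "ipv4":
            return self._from_channel(src_ip, src_port, payload)
        return "stack"

    def _control(self, src_ip, src_port, payload):
        """Steps 1.2-1.3: authenticate, create T, fill R and M, send the address notification."""
        if len(payload) < 2 or payload[1] != AUTH:
            return "drop"
        body = json.loads(payload[2:])
        expected = self.credentials.get(body.get("name"))
        if expected is None or not hmac.compare_digest(expected, body.get("secret", "").encode()):
            return "auth-failed"
        T = Channel(src_ip, src_port, A1, P1, "udp")
        self.R[body["name"]] = T
        for port, proto in body.get("ports", []):   # optional port list of step 1.1 builds M
            self.M[(port, proto)] = T
        notify = bytes([CTRL, ADDR_NOTIFY]) + json.dumps({"addr": A1}).encode()
        self.sent.append((T.dst_ip, T.dst_port, notify))
        return "channel-up"

    def receive_from_host(self, ip_packet):
        """Step 2.2: key M on destination port and protocol; hit -> channel, miss -> local stack."""
        proto, _, dport = ipv4_fields(ip_packet)
        T = self.M.get((dport, proto))
        if T is None:
            return "stack"
        self.sent.append((T.dst_ip, T.dst_port, ip_packet))  # FIG. 3: UDP payload is the raw IP packet
        return "channel"

    def _from_channel(self, src_ip, src_port, ip_packet):
        """Step 2.5: key M on source port and protocol, then require that this sender owns T."""
        proto, sport, _ = ipv4_fields(ip_packet)
        T = self.M.get((sport, proto))
        if T is None or (T.dst_ip, T.dst_port) != (src_ip, src_port):
            return "drop"                 # unmapped service, or a sender that does not own the mapping
        self.to_wire.append(ip_packet)    # Ethernet encapsulation is the real NIC's job
        return "wire"

def run_handshake():
    """Walk steps 1.1-2.5 for one TCP SYN and report what happened at each hop."""
    ext = ExtranetServer({"N": b"s3cret"})
    up = ext.receive_udp(A2, P1, auth_message("N", "s3cret", [[P, "tcp"]]))
    iface_addr = json.loads(ext.sent.pop()[2][2:])["addr"]   # step 1.4: interface I takes A1
    ingress = ext.receive_from_host(build_ipv4_tcp(EXT_HOST, A1, 51000, P, SYN))
    deliver = payload_kind(ext.sent.pop()[2])                # step 2.3: D1 is an IPv4 packet for I
    synack = build_ipv4_tcp(A1, EXT_HOST, P, 51000, SYN | ACK)
    reply = intranet_route(synack, iface_addr)
    egress = ext.receive_udp(A2, P1, synack)                 # D2 passes the T == T' check
    spoof = ext.receive_udp("10.0.0.99", P1, synack)         # same inner ports, wrong sender
    return dict(up=up, iface=iface_addr, ingress=ingress, deliver=deliver, reply=reply,
                egress=egress, spoof=spoof, on_wire=len(ext.to_wire))
```

The comparison of T's destination address and port with the UDP datagram's source is what stops a second intranet device holding a channel on the same server from injecting replies for a port mapped to another device; the last call in run_handshake shows such a datagram being dropped although its inner source port P is mapped. The page does not say how the authentication message or the data channel are protected on the wire: as described, the credential and every forwarded IP packet travel in clear UDP, so before exposing the channel to the Internet a deployment would have to run it over an authenticated, encrypted transport (the page notes that the channel is not limited to UDP).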
It follows from the above flow that, while an extranet host accesses the intranet server, the extranet server does not need to deploy an ALG function, so its complexity is reduced; and since the extranet server only forwards IP packets and performs no TCP protocol processing, no large number of TCP connections is established on it, which can greatly reduce its memory and CPU requirements.
If the extranet server forwards all IP packets to the intranet server for processing, no mapping table M needs to be established: every IP packet is forwarded to the intranet server through the data channel.
The data channel only carries IP packets, so it is not limited to UDP; another protocol type such as TCP may be used.
If, because of other constraints (for example an Android application generally cannot use a well-known port), the service port of the intranet server differs from the service port on the extranet server (such as port P), port translation has to be performed at the intranet or extranet service provider, and an ALG still needs to be deployed there; but the TCP connections set up on the extranet server can still be avoided using the idea of the invention.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (4)

1. A method for reverse proxy through an extranet server, comprising the steps of:
(1) establishing a data channel T between an intranet server and an extranet server;
(2) establishing, on the extranet server, a mapping relation M between a port P and the data channel T;
(3) after receiving a message on port P, the extranet server forwards the IP packet into the data channel T.
2. The method according to claim 1, wherein after receiving a message from the data channel T, the extranet server, if the data part of the message is an IP packet, parses the source port and protocol type from the IP packet, looks them up in the mapping table M to obtain a data channel T', and, if T and T' are the same data channel, encapsulates the IP packet correctly and sends it out of the network port.
3. The method for reverse proxy through an extranet server according to claim 1, wherein the intranet server creates a network interface and configures the interface IP address as the IP address of the extranet server.
4. The method for reverse proxy through an extranet server according to claim 1, wherein after receiving a TCP message the extranet server looks up the mapping table M using the destination port and protocol type of the IP packet as the key: if no data channel is found, the packet is processed normally by the original IP protocol stack; if a data channel is found, the received IP packet is sent into the data channel T.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311828380.3A CN117544668A (en) 2023-12-28 2023-12-28 Method for reverse proxy through external network server


Publications (1)

Publication Number Publication Date
CN117544668A (en) 2024-02-09

Family

ID=89790285

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination