CN118118210A - CDN parent layer node anti-theft chain method, device, equipment and medium - Google Patents


Publication number
CN118118210A
Authority
CN
China
Prior art keywords
client
request
hotlinking
detection
access request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311695819.XA
Other languages
Chinese (zh)
Inventor
王志刚
谢东雷
黄颖
黄剑榕
吴海华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202311695819.XA
Publication of CN118118210A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a hotlink protection method, device, equipment and medium for CDN parent-layer nodes. The method comprises: when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client and judging whether the access request is a probe request; when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is hotlinking; when the non-probe request is not hotlinking, passing the access request; and when the non-probe request is hotlinking, rejecting the access request. Judging whether the access request is a probe request determines whether hotlink protection needs to be applied to it; when the access request is a non-probe request, checking the client IP for hotlinking allows the parent-layer hotlink protection policy to be adjusted dynamically, which avoids false triggering of hotlink protection and improves the hotlink protection reliability of CDN nodes.

Description

CDN parent layer node anti-theft chain method, device, equipment and medium
Technical Field
The present application relates to the field of data processing technologies, and in particular to a hotlink protection method, apparatus, device and medium for CDN parent-layer nodes.
Background
In current CDN (Content Delivery Network) technology, edge nodes are deployed around the globe to provide high-quality, efficient, low-latency network services to users. To improve the cache hit rate and reduce the back-to-origin rate, CDNs adopt an edge + parent-layer architecture. In general, a domain name configured with hotlink protection is checked only at the edge node and not at the parent-layer node, so once a parent-layer IP leaks, a user can pull resource content directly by accessing the parent-layer IP without any hotlink protection parameters. A parent-layer hotlinking event, on the one hand, easily leads to customer complaints and traffic being cut off, causing business loss; on the other hand, traffic at the parent-layer node is not billed, causing bandwidth loss for the CDN.
To address this, the most commonly used parent-layer hotlink protection method today designs an encryption and decryption algorithm, generates an internal authentication header on every request the edge node sends to the parent-layer node, and then performs hotlink verification at the parent-layer node. However, this approach has several drawbacks:
1) Every request sent from the edge node to the parent-layer node must carry the internal authentication header. In a real production environment, however, the requests sent from edge cache nodes to parent-layer nodes are very complex, and because customer requirements differ there are many customized services; if the authentication header is missing from a request, the parent-layer node rejects it, which directly affects the customer's service and leads to complaints. In addition, some customers perform back-to-origin authentication, and the newly added internal authentication header may make the authentication header computed by the cache node inconsistent with the customer's, so that the back-to-origin request is refused and the customer's service is affected.
2) Every component that interacts directly with the parent-layer gateway must also be modified to adopt the authentication algorithm and carry the internal authentication header on each request it sends to the parent-layer node, which adds modification cost for each component.
3) Although the internal authentication header is time-limited, a leak still creates a short-term risk of hotlinking, and that abnormal behaviour may still lead to customer complaints.
Therefore, how to improve the hotlink protection reliability of CDN nodes is a technical problem to be solved.
Disclosure of Invention
The application provides a hotlink protection method, device, equipment and storage medium for CDN parent-layer nodes, aiming to improve the hotlink protection reliability of CDN nodes.
In a first aspect, the present application provides a hotlink protection method for a CDN parent-layer node, the method comprising:
when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client, and judging whether the access request is a probe request;
when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is hotlinking;
when the non-probe request is not hotlinking, passing the access request;
and when the non-probe request is hotlinking, rejecting the access request.
In a second aspect, the present application further provides a hotlink protection device for a CDN parent-layer node, the device comprising:
an access request judging module, used for acquiring the client IP of the connecting client when an available parent-layer node receives an access request initiated by the connecting client, and judging whether the access request is a probe request;
a hotlinking verification module, used for verifying, based on the client IP, whether the non-probe request is hotlinking when the access request is a non-probe request;
a request passing module, used for passing the access request when the non-probe request is not hotlinking;
and an access rejecting module, used for rejecting the access request when the non-probe request is hotlinking.
In a third aspect, the present application further provides a computer device, where the computer device includes a processor, a memory, and a computer program stored on the memory and executable by the processor, where the computer program, when executed by the processor, implements the steps of the CDN parent-layer node hotlink protection method described above.
In a fourth aspect, the present application further provides a computer readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the CDN parent-layer node hotlink protection method described above.
The application provides a hotlink protection method, device, equipment and storage medium for CDN parent-layer nodes. The method comprises: when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client and judging whether the access request is a probe request; when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is hotlinking; when the non-probe request is not hotlinking, passing the access request; and when the non-probe request is hotlinking, rejecting the access request. In this way, judging whether the access request initiated by the connecting client is a probe request determines whether hotlink protection needs to be applied to it; when the access request is a non-probe request, checking the client IP for hotlinking decides whether the request is hotlinking and therefore whether it is passed. This achieves dynamic adjustment of the parent-layer hotlink protection policy and accurate screening of hotlinking, prevents hotlink protection from being triggered by mistake, and improves the hotlink protection reliability of CDN nodes.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a first embodiment of a hotlink protection method for a CDN parent-layer node according to the present application;
Fig. 2 is a schematic diagram of a checking flow for a probe request according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the hotlink verification flow of the parent-layer hotlink protection module for a non-probe request according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a first embodiment of a CDN parent-layer node hotlink protection method according to the present application;
Fig. 5 is a schematic flow chart of a second embodiment of a CDN parent-layer node hotlink protection method according to the present application;
Fig. 6 is a schematic flow chart of a third embodiment of a CDN parent-layer node hotlink protection method according to the present application;
Fig. 7 is a schematic structural diagram of a first embodiment of a CDN parent-layer node hotlink protection device according to the present application;
Fig. 8 is a schematic block diagram of a computer device according to an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a CDN parent node hotlink protection system according to the present application.
In one embodiment, as shown in fig. 1, the system mainly comprises a request processing module, a probe frequency checking module, a probe registration storage module, a parent-layer hotlink protection module, a client device and a server.
In one embodiment, the client device may be a notebook, desktop, or like computer device.
In an embodiment, the server may be a server or a server cluster.
In an embodiment, the request processing module is configured to perform data parsing on a request initiated by the client device.
In an embodiment, the probe frequency checking module is configured to check the probe frequency of probe requests.
In one embodiment, the probe registration storage module is configured to register and update the client IP of the client device in the database.
For example, a hash dictionary can be used as the storage, handling registration, update and deletion of the connecting IPs of probe requests so that the parent-layer hotlink protection module can call and query it.
An exemplary flow of the request processing module, the probe frequency checking module and the probe registration storage module is shown in fig. 2. After the CDN parent-layer gateway receives a request, the request processing module determines from the request URL and request headers whether it is a probe request. If it is, the connecting-IP hotlink check is performed first: the edge node uses the IP that initiates the connection and the agreed key to generate a hotlink protection string with the md5 algorithm and carries it in the signature parameter of the probe request; the parent-layer node checks whether the string it generates with the md5 algorithm from the connecting client IP and the agreed key matches the signature value carried by the probe. If they do not match, the request is rejected and the connecting IP is not registered. If they match, the probe frequency is counted with a sliding window and checked for the probe request that passed the hotlink check. If the probe frequency is within the specified range, the request enters the probe registration storage module, which registers or updates the connecting IP; if the probe frequency is not within the specified range, the request is considered an illegal probe request and enters the probe registration storage module, which deletes the connecting IP, and the request is rejected with a 403 response.
In one embodiment, as shown in fig. 3, the parent-layer hotlink protection module contains three filtering rules. If the client IP is judged to be a local request, hotlink protection lets it through. If the IP is not a local request, the module judges whether the IP is in the hash dictionary and has not expired; if it is present and unexpired, the parent-layer hotlink check passes. If it is absent or expired, the module judges whether the request IP or the request domain name is in a custom whitelist; if so, parent-layer hotlink protection lets the request through, otherwise the request is rejected by hotlink protection.
Referring to fig. 4, fig. 4 is a flowchart of a first embodiment of a hotlink protection method for a CDN parent-layer node according to the present application.
As shown in fig. 4, the CDN parent-layer node hotlink protection method includes steps S101 to S104.
S101, when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client, and judging whether the access request is a probe request;
In an embodiment, after the CDN parent-layer gateway receives the request, it determines from the request URL and request headers whether it is a probe request. If so, the probe registration update is performed; if not, the flow enters the parent-layer hotlink protection module for the hotlink check.
S102, when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is hotlinking;
In an embodiment, for a non-probe request, the client IP is checked by comparing it with the local IP, querying the hash dictionary, querying the whitelist and the like, so as to verify whether the non-probe request is hotlinking.
S103, when the non-probe request is not hotlinking, passing the access request;
S104, when the non-probe request is hotlinking, rejecting the access request.
In an embodiment, hotlinking can be rejected directly by the hotlink protection module of the parent-layer node: if the request is a forged probe request, it can be marked as abnormal and rejected; if it is a non-probe request, it is rejected directly by hotlink protection, and the client IP is no longer marked as an untrusted IP. For non-hotlinking, the non-probe request is responded to.
Further, when the non-probe request is a non-hotlinking action, after passing the access request, the method further includes:
Determining target service data based on the access request, and querying whether the target service data exists in a cache server of the available parent-layer node; when the target service data exists in the cache server, returning the target service data to the connecting client; and when the target service data does not exist in the cache server, performing a back-to-origin operation to acquire the target service data, and returning the target service data to the connecting client.
In an embodiment, after the parent-layer hotlink check passes, the request enters the actual customer business logic. If the cache server of the parent-layer node has the content cached, it responds to the client directly; if the cache server of the parent-layer node has no cache for the corresponding URL, it pulls the file back-to-origin, caches it on the current parent-layer node, and then responds to the client.
This embodiment provides a CDN parent-layer node hotlink protection method that judges whether an access request initiated by a connecting client is a probe request and thereby determines whether hotlink protection needs to be applied to it. When the access request is a non-probe request, checking the client IP for hotlinking decides whether the request is hotlinking and therefore whether it is passed. This achieves dynamic adjustment of the parent-layer hotlink protection policy and accurate screening of hotlinking, prevents hotlink protection from being triggered by mistake, and improves the hotlink protection reliability of CDN nodes.
Referring to fig. 5, fig. 5 is a flowchart of a second embodiment of a hotlink protection method for a CDN parent-layer node according to the present application.
In this embodiment, based on the embodiment shown in fig. 4, the step S101 specifically includes:
S201, acquiring the local IP corresponding to the available parent-layer node, and comparing the client IP with the local IP;
S202, if the client IP is consistent with the local IP, determining that the non-probe request is not hotlinking.
In an embodiment, the gateway of a parent-layer node receives a non-probe request and first determines whether the IP of the client connected to the gateway is a local IP. If the client IP is a local IP, the request is confirmed not to be hotlinking and parent-layer hotlink protection lets it through.
In one embodiment, if the client IP is not a local IP, further verification is required.
Further, if the client IP is inconsistent with the local IP, querying whether the client IP exists in a preset hash dictionary; if the client IP exists in the hash dictionary, acquiring the validity period of the client IP; and if the validity period is currently valid, determining that the non-probe request is not hotlinking.
In an embodiment, a hash dictionary may be used to store the client IPs that have connected to the parent-layer node; the hash dictionary handles registration, update, deletion and similar operations for the connecting client IPs of probe requests so that the parent-layer hotlink protection module can call and query it.
In one embodiment, the hash dictionary is queried for the client IP of the connecting client; if the client IP exists in the hash dictionary and has not expired, the parent-layer hotlink check passes.
In an embodiment, if the client IP exists in the hash dictionary but its validity period has expired, or the client IP does not exist in the hash dictionary, the client IP is checked further.
Further, if the client IP does not exist in the hash dictionary, or the client IP exists in the hash dictionary and its validity period is currently invalid, acquiring the client domain name of the non-probe request; acquiring a preset whitelist, and querying whether the client domain name and/or the client IP exist in the whitelist; and if the client domain name and/or the client IP exist in the whitelist, determining that the non-probe request is not hotlinking.
In an embodiment, if the client IP that initiates the access request cannot be found in the hash dictionary, or the client IP exists but has expired, the custom whitelist is queried for the domain name and IP of the request. If the domain name or IP is in the custom whitelist, the parent-layer hotlink check passes.
In one embodiment, if the domain name or IP is not in the custom whitelist, the request is determined to be hotlinking and is rejected by hotlink protection.
In this embodiment, for non-probe requests, a custom whitelist is used to whitelist the domain name or IP of interacting components, which avoids the cost of modifying those components while letting them through parent-layer hotlink protection. For other client requests, the hash dictionary is queried with the connecting client IP of the request: IPs that are absent or expired are rejected by parent-layer hotlink protection, and IPs that are present and unexpired are let through. Components that interact with the parent-layer gateway are added to the custom whitelist, which is reloaded periodically and takes effect dynamically; this avoids the cost of modifying the interacting components and also gives operations staff a way to temporarily whitelist a client IP for access to parent-layer nodes when troubleshooting problems on production parent-layer nodes.
Referring to fig. 6, fig. 6 is a flowchart of a third embodiment of a hotlink protection method for a CDN parent-layer node according to the present application.
In this embodiment, based on the embodiment shown in fig. 4, the step S101 specifically includes:
S301, when the access request is a probe request, verifying whether the probe request is a legal probe request;
In an embodiment, the edge node periodically performs liveness probing of the parent-layer node. If the parent-layer node repeatedly fails to respond or times out, the parent-layer IP is marked unavailable; if the parent-layer node repeatedly responds with 200, the corresponding parent-layer IP is marked available. Meanwhile, the parent-layer node reuses the edge node's probe link, checks the URL and request headers of the request, and judges whether the request is a legal probe request.
S302, when the probe request is a legal probe request, acquiring the probe frequency of the probe request, and verifying whether the probe frequency is within a legal frequency range;
S303, when the probe frequency is within the legal frequency range, performing a registration or update operation on the client IP, and sending a response signal to the connecting client in response to the access request.
In an embodiment, for a probe request, the connecting-IP hotlink check is performed first. The edge node uses the IP that initiates the connection and the agreed key to generate a hotlink protection string with the md5 algorithm and carries it in the signature parameter of the probe request. The parent-layer node checks whether the string it generates with the md5 algorithm from the connecting client IP and the agreed key matches the signature value carried by the probe; if they do not match, the request is rejected and the connecting IP is not registered. If they match, the connecting-IP hotlink check passes.
In an embodiment, for a probe request, both the connecting-IP hotlink check and the probe frequency of the probe task are checked. If the connecting-IP hotlink check passes and the probe frequency is within the legal range, the connecting client IP of the probe is registered or updated, the expiration time of the IP is written or updated and stored in the hash dictionary, and the probe request is answered with 200 to tell the client that the parent layer's state is normal.
Further, when the probe frequency is not within the legal frequency range, deleting the client IP stored in a preset database, and sending a request rejection signal to the connecting client to reject the access request.
In one embodiment, if the probe request fails the connecting-IP hotlink check, the connecting client IP is not registered and the request is rejected directly with a 403 response. If the probe request passes the connecting-IP hotlink check but the frequency check exceeds the limit, the corresponding client IP is deleted from the hash dictionary and the request is rejected directly with a 403 response.
In an embodiment, the edge node's probe link is reused to distinguish probe requests from non-probe requests, and probe requests undergo a double check of the connecting-IP hotlink check and the probe frequency. A probe request that passes the hotlink check and whose probe frequency meets the specification is a valid probe request: its client IP is added to the hash dictionary and the IP expiration time is updated. If the probe fails the hotlink check, nothing is added to the hash dictionary. If the probe passes the hotlink check but the probe frequency does not conform, the request is rejected and the client IP stored in the hash dictionary is removed.
In this embodiment, the edge node's probe link is used, and the parent-layer node registers and stores the client IP of the probe connection to identify hotlinking. This reduces the parent layer's dependence on an authentication header on every request and prevents legitimate customer service requests from being refused because service code failed to add the authentication header. It also reduces the risk a newly added authentication header introduces for differing business logic and customer requirements, and avoids the short-lived hotlinking caused by a leaked internal authentication header. The edge node IP list can be updated dynamically as the edge node plan is adjusted. The double check of the connecting-IP hotlink check and the probe frequency on probe requests prevents illegal probe requests from successfully registering the IP of a non-edge node. Because probe requests are uniform, controllable and accurate, the parent-layer hotlink protection system is completely decoupled from customer request business logic, which prevents the introduction of parent-layer hotlink protection from affecting customer business logic while ensuring its accuracy.
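The probe registration flow of fig. 2 and the three filtering rules of fig. 3, as a runnable sketch. This is an added example, not code from the patent: the probe URL and header, the key, the window length, the frequency limit, the registration lifetime, the md5 concatenation order and all class and function names are assumptions, and the "legal frequency range" is modelled as an upper bound only.

```python
import hashlib
import hmac
import time
from collections import deque

# All names and values below are assumptions made for this example.
SHARED_KEY = b"constructed-demo-key"   # key agreed between edge and parent layer
PROBE_PATH = "/__probe"                # URL that marks a probe request
PROBE_HEADER = ("X-Probe", "1")        # request header that marks a probe request
WINDOW_SECONDS = 60                    # sliding-window length for probe counting
MAX_PROBES_PER_WINDOW = 6              # upper bound of the permitted probe frequency
REGISTRATION_TTL = 120                 # lifetime of a registered connecting IP


def probe_signature(client_ip, key=SHARED_KEY):
    """md5 over connecting IP and agreed key; the concatenation order is assumed."""
    return hashlib.md5(client_ip.encode() + key).hexdigest()


class ParentGate:
    def __init__(self, local_ips, whitelist_ips, whitelist_domains, clock=time.time):
        self.local_ips = set(local_ips)
        self.whitelist_ips = set(whitelist_ips)
        self.whitelist_domains = set(whitelist_domains)
        self.clock = clock
        self.registry = {}      # hash dictionary: connecting IP -> expiry time
        self.probe_times = {}   # connecting IP -> timestamps of recent probes

    def is_probe(self, path, headers):
        return path == PROBE_PATH and headers.get(PROBE_HEADER[0]) == PROBE_HEADER[1]

    def handle_probe(self, client_ip, signature):
        now = self.clock()
        expected = probe_signature(client_ip).encode()
        # The signature is bound to the connecting IP, so a value copied from
        # another host's probe does not verify. Compare in constant time.
        if not hmac.compare_digest(expected, (signature or "").encode()):
            return 403                               # rejected, nothing registered
        # State is only allocated after the signature check has passed.
        window = self.probe_times.setdefault(client_ip, deque())
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                         # slide the window forward
        if len(window) > MAX_PROBES_PER_WINDOW:
            self.registry.pop(client_ip, None)       # illegal frequency: deregister
            return 403
        self.registry[client_ip] = now + REGISTRATION_TTL   # register or refresh
        return 200

    def allow_request(self, client_ip, host):
        if client_ip in self.local_ips:              # rule 1: local request
            return True
        expiry = self.registry.get(client_ip)
        if expiry is not None and expiry > self.clock():   # rule 2: registered, unexpired
            return True
        # rule 3: custom whitelist on request IP or request domain name
        return client_ip in self.whitelist_ips or host in self.whitelist_domains

    def handle(self, client_ip, path, headers, query, host):
        """Return the HTTP status the parent-layer gateway would answer with."""
        if self.is_probe(path, headers):
            return self.handle_probe(client_ip, query.get("signature"))
        return 200 if self.allow_request(client_ip, host) else 403


def demo():
    """Constructed traffic: direct pull, valid probe, registered pull, forged probe."""
    gate = ParentGate({"10.0.0.1"}, {"192.0.2.50"}, {"ops.example.test"})
    edge, other = "198.51.100.7", "203.0.113.9"
    probe_headers = {PROBE_HEADER[0]: PROBE_HEADER[1]}
    sig = {"signature": probe_signature(edge)}
    return [
        gate.handle(edge, "/video/a.ts", {}, {}, "cdn.example.test"),
        gate.handle(edge, PROBE_PATH, probe_headers, sig, "cdn.example.test"),
        gate.handle(edge, "/video/a.ts", {}, {}, "cdn.example.test"),
        gate.handle(other, PROBE_PATH, probe_headers, sig, "cdn.example.test"),
    ]


if __name__ == "__main__":
    print(demo())
```

The keyed md5 over IP and key follows the scheme described above; a standard keyed MAC such as HMAC-SHA-256 over the same inputs is the conventional construction for this kind of tag.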
Referring to fig. 7, fig. 7 is a schematic structural diagram of a first embodiment of a CDN parent-layer node hotlink protection device according to the present application, where the CDN parent-layer node hotlink protection device is configured to execute the foregoing CDN parent-layer node hotlink protection method. The CDN parent-layer node hotlink protection device may be configured in a server.
As shown in fig. 7, the CDN parent node hotlink protection device 400 includes: an access request judgment module 401, a hotlinking behavior verification module 402, a request passing module 403 and an access rejecting module 404.
An access request judging module 401, configured to obtain a client IP of a build client when an available parent layer node receives an access request initiated by the build client, and judge whether the access request is a probe request;
A hotlinking behavior verification module 402, configured to verify, based on the client IP, whether the access request is a hotlinking behavior when the access request is a non-probe request;
A request passing module 403, configured to pass the access request when the non-probe request is a non-hotlinking action;
An access rejecting module 404, configured to reject the access request when the non-probe request is a hotlinking action.
In one embodiment, the hotlinking behavior verification module 402 includes:
a local IP acquisition unit, configured to acquire the local IP corresponding to the available parent-layer node and compare the client IP with the local IP;
a first non-hotlinking determination unit, configured to determine that the non-probe request is a non-hotlinking action if the client IP is consistent with the local IP.
In one embodiment, the hotlinking behavior verification module 402 further includes:
an IP query unit, configured to query whether the client IP exists in a preset hash dictionary if the client IP is inconsistent with the local IP;
a validity period acquisition unit, configured to acquire the validity period of the client IP if the client IP exists in the hash dictionary;
a second non-hotlinking determination unit, configured to determine that the non-probe request is a non-hotlinking action if the validity period is currently valid.
In one embodiment, the hotlinking behavior verification module 402 further includes:
a client domain name acquisition unit, configured to acquire the client domain name of the non-probe request if the client IP does not exist in the hash dictionary, or if the client IP exists in the hash dictionary but its validity period is currently invalid;
a whitelist acquisition unit, configured to acquire a preset whitelist and query whether the client domain name and/or the client IP exist in the whitelist;
a third non-hotlinking determination unit, configured to determine that the non-probe request is a non-hotlinking action if the client domain name and/or the client IP exist in the whitelist.
In an embodiment, the CDN parent node hotlink protection device 400 further includes a probe request verification module, including:
a probe request legitimacy verification unit, configured to verify whether the probe request is a legitimate probe request when the access request is a probe request;
a probe frequency verification unit, configured to obtain the probe frequency of the probe request when the probe request is a legitimate probe request, and to verify whether the probe frequency is within the legal frequency range;
an access request response unit, configured to register or update the client IP when the probe frequency is within the legal frequency range, and to send a response signal to the connecting client to respond to the access request.
In an embodiment, the probe request verification module further includes:
an access request rejecting unit, configured to delete the client IP stored in a preset database and send a request rejection signal to the connecting client to reject the access request when the probe frequency is not within the legal frequency range.
In an embodiment, the CDN parent node hotlink protection device 400 further includes a service data response module, including:
a target service data determining unit, configured to determine target service data based on the access request and query whether the target service data exists in the cache server of the available parent-layer node;
a first data response unit, configured to return the target service data to the connecting client when the target service data exists in the cache server;
a second data response unit, configured to perform a back-to-source operation when the target service data does not exist in the cache server, acquire the target service data, and return it to the connecting client.
It should be noted that, for convenience and brevity of description, a person skilled in the art may clearly understand that, for the specific working process of the above-described device and each module, reference may be made to a corresponding process in the foregoing embodiment of the CDN parent node hotlink protection method, which is not repeated herein.
The apparatus provided by the above embodiments may be implemented in the form of a computer program which may be run on a computer device as shown in fig. 8.
Referring to fig. 8, fig. 8 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device may be a server.
With reference to FIG. 8, the computer device includes a processor, memory, and a network interface connected by a system bus, where the memory may include a non-volatile storage medium and an internal memory.
The non-volatile storage medium may store an operating system and a computer program. The computer program comprises program instructions which, when executed, cause the processor to perform any of the CDN parent node anti-hotlinking methods.
The processor is used to provide computing and control capabilities to support the operation of the entire computer device.
The internal memory provides an environment for running the computer program stored in the non-volatile storage medium; when executed by the processor, the computer program causes the processor to perform any of the CDN parent node anti-hotlinking methods.
The network interface is used for network communication, such as transmitting assigned tasks. It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of the part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied; a particular computer device may include more or fewer components than shown, combine some of the components, or have a different arrangement of components.
It should be appreciated that the processor may be a central processing unit (Central Processing Unit, CPU), and may also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
In one embodiment, the processor is configured to run a computer program stored in the memory to implement the following steps:
when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client, and judging whether the access request is a probe request;
when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is a hotlinking action;
when the non-probe request is a non-hotlinking action, passing the access request;
and when the non-probe request is a hotlinking action, rejecting the access request.
In an embodiment, when verifying, based on the client IP, whether the non-probe request is a hotlinking action, the processor is configured to implement:
acquiring the local IP corresponding to the available parent-layer node, and comparing the client IP with the local IP;
and if the client IP is consistent with the local IP, determining that the non-probe request is a non-hotlinking action.
In an embodiment, after acquiring the local IP corresponding to the available parent-layer node and comparing the client IP with the local IP, the processor is further configured to implement:
if the client IP is inconsistent with the local IP, querying whether the client IP exists in a preset hash dictionary;
if the client IP exists in the hash dictionary, acquiring the validity period of the client IP;
and if the validity period is currently valid, determining that the non-probe request is a non-hotlinking action.
In an embodiment, after querying whether the client IP exists in a preset hash dictionary when the client IP is inconsistent with the local IP, the processor is further configured to implement:
if the client IP does not exist in the hash dictionary, or the client IP exists in the hash dictionary but its validity period is currently invalid, acquiring the client domain name of the non-probe request;
acquiring a preset whitelist, and querying whether the client domain name and/or the client IP exist in the whitelist;
and if the client domain name and/or the client IP exist in the whitelist, determining that the non-probe request is a non-hotlinking action.
In an embodiment, after acquiring the client IP of the connecting client and judging whether the access request is a probe request, the processor is further configured to implement:
when the access request is a probe request, verifying whether the probe request is a legitimate probe request;
when the probe request is a legitimate probe request, acquiring the probe frequency of the probe request, and verifying whether the probe frequency is within the legal frequency range;
and when the probe frequency is within the legal frequency range, registering or updating the client IP, and sending a response signal to the connecting client to respond to the access request.
In an embodiment, after acquiring the probe frequency of a legitimate probe request and verifying whether the probe frequency is within the legal frequency range, the processor is further configured to implement:
when the probe frequency is not within the legal frequency range, deleting the client IP stored in a preset database and sending a request rejection signal to the connecting client to reject the access request.
In an embodiment, after passing the access request when the non-probe request is a non-hotlinking action, the processor is further configured to implement:
determining target service data based on the access request, and querying whether the target service data exists in a cache server of the available parent-layer node;
when the target service data exists in the cache server, returning the target service data to the connecting client;
and when the target service data does not exist in the cache server, performing a back-to-source operation, acquiring the target service data, and returning the target service data to the connecting client.
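The processor steps above (probe handling, then the local IP, hash dictionary and whitelist checks), as an added Python sketch that is not part of the patent text. The probe marker `PROBE_PATH`, the edge-IP legitimacy check, the sliding-window definition of probe frequency, the default time values and the sample addresses and domains are assumptions made for illustration; the hash dictionary and the preset database are treated as one store.

```python
from collections import deque
from dataclasses import dataclass, field

PROBE_PATH = "/__cdn_probe"  # hypothetical marker that identifies a probe request


@dataclass
class ParentNode:
    local_ip: str
    edge_ips: set            # assumption: a probe is legitimate only from a known edge IP
    whitelist: set           # preset whitelist of client domains and/or IPs
    ttl: float = 300.0       # assumed validity period of a registered IP, in seconds
    window: float = 60.0     # assumed window over which probe frequency is counted
    max_probes: int = 3      # assumed upper bound of the legal frequency range
    registry: dict = field(default_factory=dict)  # hash dictionary: client IP -> expiry
    probes: dict = field(default_factory=dict)    # client IP -> recent probe times

    def handle(self, client_ip, path, domain, now):
        """Return (decision, reason) for one access request received at time `now`."""
        if path == PROBE_PATH:
            return self._probe(client_ip, now)
        return self._service(client_ip, domain, now)

    def _probe(self, client_ip, now):
        if client_ip not in self.edge_ips:
            return ("reject", "illegal-probe")
        seen = self.probes.setdefault(client_ip, deque())
        while seen and now - seen[0] >= self.window:
            seen.popleft()                      # drop probes outside the window
        seen.append(now)
        if len(seen) > self.max_probes:
            self.registry.pop(client_ip, None)  # delete the stored client IP
            return ("reject", "probe-frequency")
        self.registry[client_ip] = now + self.ttl  # register or update
        return ("pass", "registered")

    def _service(self, client_ip, domain, now):
        if client_ip == self.local_ip:
            return ("pass", "local-ip")
        expiry = self.registry.get(client_ip)
        if expiry is not None and now < expiry:
            return ("pass", "registered-ip")
        # not registered, or validity period expired: fall back to the whitelist
        if domain in self.whitelist or client_ip in self.whitelist:
            return ("pass", "whitelist")
        return ("reject", "hotlinking")


def demo():
    """Replay constructed sample traffic: (time, client IP, path, domain)."""
    node = ParentNode("192.0.2.1", {"198.51.100.10"}, {"partner.example"})
    traffic = [
        (0, "198.51.100.10", "/v/a.ts", "cdn.example"),      # edge, not yet registered
        (1, "198.51.100.10", PROBE_PATH, "cdn.example"),     # legitimate probe
        (2, "198.51.100.10", "/v/a.ts", "cdn.example"),      # registered and valid
        (3, "203.0.113.7", PROBE_PATH, "cdn.example"),       # probe from a non-edge IP
        (4, "203.0.113.7", "/v/a.ts", "cdn.example"),        # unregistered client
        (5, "203.0.113.7", "/v/a.ts", "partner.example"),    # whitelisted domain
        (400, "198.51.100.10", "/v/a.ts", "cdn.example"),    # registration expired
    ]
    return [node.handle(ip, path, dom, t) for t, ip, path, dom in traffic]
```

The clock is passed in as `now` so the expiry and frequency branches can be replayed deterministically against recorded traffic.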
An embodiment of the application also provides a computer readable storage medium storing a computer program, wherein the computer program comprises program instructions, and a processor executes the program instructions to implement any CDN parent-layer node anti-hotlinking method provided by the embodiments of the application.
The computer readable storage medium may be an internal storage unit of the computer device according to the foregoing embodiment, for example, a hard disk or a memory of the computer device. The computer readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk provided on the computer device, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, a flash memory card (Flash Card), or the like.
While the application has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and equivalent substitutions may be made without departing from the scope of the application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (10)

1. A CDN parent-layer node anti-hotlinking method, the method comprising:
when an available parent-layer node receives an access request initiated by a connecting client, acquiring the client IP of the connecting client, and judging whether the access request is a probe request;
when the access request is a non-probe request, verifying, based on the client IP, whether the non-probe request is a hotlinking action;
when the non-probe request is a non-hotlinking action, passing the access request;
and when the non-probe request is a hotlinking action, rejecting the access request.
2. The CDN parent-layer node anti-hotlinking method of claim 1, wherein verifying, based on the client IP, whether the non-probe request is a hotlinking action comprises:
acquiring the local IP corresponding to the available parent-layer node, and comparing the client IP with the local IP;
and if the client IP is consistent with the local IP, determining that the non-probe request is a non-hotlinking action.
3. The CDN parent-layer node anti-hotlinking method of claim 2, wherein after acquiring the local IP corresponding to the available parent-layer node and comparing the client IP with the local IP, the method further comprises:
if the client IP is inconsistent with the local IP, querying whether the client IP exists in a preset hash dictionary;
if the client IP exists in the hash dictionary, acquiring the validity period of the client IP;
and if the validity period is currently valid, determining that the non-probe request is a non-hotlinking action.
4. The CDN parent-layer node anti-hotlinking method of claim 3, wherein after querying whether the client IP exists in a preset hash dictionary if the client IP is inconsistent with the local IP, the method further comprises:
if the client IP does not exist in the hash dictionary, or the client IP exists in the hash dictionary but its validity period is currently invalid, acquiring the client domain name of the non-probe request;
acquiring a preset whitelist, and querying whether the client domain name and/or the client IP exist in the whitelist;
and if the client domain name and/or the client IP exist in the whitelist, determining that the non-probe request is a non-hotlinking action.
5. The CDN parent-layer node anti-hotlinking method of claim 1, wherein after acquiring the client IP of the connecting client and judging whether the access request is a probe request, the method further comprises:
when the access request is a probe request, verifying whether the probe request is a legitimate probe request;
when the probe request is a legitimate probe request, acquiring the probe frequency of the probe request, and verifying whether the probe frequency is within the legal frequency range;
and when the probe frequency is within the legal frequency range, registering or updating the client IP, and sending a response signal to the connecting client to respond to the access request.
6. The CDN parent-layer node anti-hotlinking method of claim 5, wherein after acquiring the probe frequency of the probe request when the probe request is a legitimate probe request and verifying whether the probe frequency is within the legal frequency range, the method further comprises:
when the probe frequency is not within the legal frequency range, deleting the client IP stored in a preset database and sending a request rejection signal to the connecting client to reject the access request.
7. The CDN parent-layer node anti-hotlinking method according to any one of claims 1 to 6, wherein after passing the access request when the non-probe request is a non-hotlinking action, the method further comprises:
determining target service data based on the access request, and querying whether the target service data exists in a cache server of the available parent-layer node;
when the target service data exists in the cache server, returning the target service data to the connecting client;
and when the target service data does not exist in the cache server, performing a back-to-source operation, acquiring the target service data, and returning the target service data to the connecting client.
8. A CDN parent-layer node anti-hotlinking device, characterized in that the CDN parent-layer node anti-hotlinking device comprises:
an access request judging module, configured to acquire the client IP of a connecting client when an available parent-layer node receives an access request initiated by the connecting client, and to judge whether the access request is a probe request;
a hotlinking behavior verification module, configured to verify, based on the client IP, whether the non-probe request is a hotlinking action when the access request is a non-probe request;
a request passing module, configured to pass the access request when the non-probe request is a non-hotlinking action;
and an access rejecting module, configured to reject the access request when the non-probe request is a hotlinking action.
9. A computer device comprising a processor, a memory, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the CDN parent-layer node anti-hotlinking method of any one of claims 1 to 7.
10. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and wherein the computer program, when executed by a processor, implements the steps of the CDN parent-layer node anti-hotlinking method of any one of claims 1 to 7.
CN202311695819.XA 2023-12-11 2023-12-11 CDN parent layer node anti-theft chain method, device, equipment and medium Pending CN118118210A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311695819.XA CN118118210A (en) 2023-12-11 2023-12-11 CDN parent layer node anti-theft chain method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN118118210A true CN118118210A (en) 2024-05-31

Family

ID=91215049

Country Status (1)

Country Link
CN (1) CN118118210A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination