JP2010055200A - Server explicit selection type reverse proxy device, data relay method therefor, and program thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To attain communication for allowing a transmission user to explicitly specifying a destination web server concerning the communication by way of a reverse proxy device. <P>SOLUTION: The reverse proxy device includes an identifier converting means and a transfer means. The identifier converting means specifies a destination host identifier, according to the content of a directory identifier, with respect to a destination integration resource position specifier 4-1 including a host identifier and a directory identifier, which are described in hypertext transfer protocol data received from the first network. Then, the host identifier is converted into a specified destination host, and also the directory identifier described in the destination integration resource position specifier is converted into the directory identifier which is obtained by partially deleting the content of the directory identifier. The transfer means transfers the hypertext transfer protocol, which describes the destination integration resource position specifier 4-2 where the host identifier and the directory identifier are converted, to the second network. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention is a technology that constitutes an Internet communication technology for performing data communication using hypertext transfer protocol data represented by WWW (World Wide Web). In particular, the Internet communication field belongs to the VPN communication field for securely accessing a VPN (Virtual Private Network) outside the company from an intranet closed within the company.

   A conventional reverse proxy device is positioned as a relay device using hypertext transfer protocol data between a user and a web server, and is mainly realized by using a program called apache or squid. For example, it is effective for interconnecting a company intranet (first network) in which a user is arranged with an application service provider network (second network) in which a web server is arranged. In such a network configuration, the user describes the identifier of the reverse proxy device in the host identifier of the destination unified resource location specifier, and transmits data to the reverse proxy device. The reverse proxy device converts the host identifier addressed to itself into the host identifier of the actual web server, and transfers the data to the web server. At this time, by converting the data to a different web server host identifier for each data relay and transferring the data, it is possible to distribute the load among the plurality of web servers.

  For example, Non-Patent Document 1 and Patent Document 1 are cited as documents describing the reverse proxy device.

Performance evaluation of a load balancing control algorithm and its application area, Performance Evaluation of a Load Balancing Routing Algorithm for a Cache Server Array, Hiroyoshi Tonami, Kazunori Kumagai, Shinya Nogami, Takeo Abe, IEICE Technical Report, NS, Network System, IEICE technical report, Vol. 101, no. 8, (20010412), pp. 15-20, NS2001-3 JP 2003-050756 A (Reverse proxy network communication method and internal network device)

  In the conventional reverse proxy device, it is possible to specify a plurality of transfer destination web servers. However, when relaying hypertext transfer protocol data via a reverse proxy device, a user can only specify a uniform resource location specifier with the identifier of the reverse proxy device as a host identifier as a destination. Could not be specified explicitly. For this reason, even if load balancing can be performed among web servers having similar contents, it is not possible to deploy different contents for each web server and select the web server according to the requested contents. . Therefore, in the present invention, it is an object to be solved to realize communication in which a transmission user explicitly designates a destination web server in communication via a reverse proxy device.

  Of the inventions disclosed in this specification, the outline of typical ones will be briefly described as follows.

  In the first aspect of the invention, the reverse proxy device specifies and converts a different host identifier according to the contents of the directory identifier and converts a part of the contents of the directory identifier when converting the destination uniform resource locator. Thus, the directory identifier is converted by reconstructing.

  In the invention of claim 2, the reverse proxy device further interprets and converts a partial area of the directory identifier as an identifier of the destination host when converting the destination uniform resource locator. Features.

  On the other hand, in the third aspect of the invention, when the reverse proxy device interprets a part of the directory identifier as a user identifier identifier and does not have a predetermined user identifier, The hypertext transfer protocol data is not relayed.

  In the invention of claim 4, a pair of a user identifier of a transmission source user and an identifier of a destination network, an authentication table for registering processing contents of either transfer or discard corresponding to the pair, and transfer of hypertext transfer protocol data Or an authentication unit that determines discarding, and the authentication unit refers to the authentication table based on the user identifier described in the directory identifier of the received hypertext transfer protocol data and the identifier of the destination network. Or it is characterized by making a judgment of disposal.

  Further, the invention of claim 5 is characterized in that each reverse proxy device has an interface function for accommodating two networks having different unified resource locator and Internet protocol address systems.

  The invention according to claim 6 further comprises a conversion table for registering a correspondence relationship between the host identifier defined in the first network and the host identifier defined in the second network, and the identifier conversion means includes: The host defined in the second network by referring to the conversion table from the host identifier defined in the first network described in the directory identifier of the destination uniform resource locator of the received hypertext transfer protocol data An identifier is obtained, and this is used as a destination host identifier.

  The directory identifier after conversion is a directory identifier in the destination host described in the directory identifier of the destination unified resource location specifier of the received hypertext transfer protocol data.

  Further, the invention of claim 8 is a data relay method for realizing the contents of the invention of claim 1, and the invention of claim 9 is the reverse proxy device according to any one of claims 1 to 7. A program for causing a computer to function.

  According to the present invention, in a single reverse proxy device, a transmission user can explicitly designate and transfer a destination web server.

  A configuration example of the present invention will be described.

  FIG. 1 shows a network configuration of the present invention. 1-1 is a network, 1-2 is VPN # 1, and 1-3 is VPN # 2. 1-5 is a server explicit selection type reverse proxy device according to the embodiment of the present invention. 1-6 is the user # 1 (more precisely, the terminal of the user # 1), and 1-7 is the user # 2 (more precisely, the terminal of the user # 2). 1-8 is the proxy device # 1, 1-9 is the proxy device # 2, 1-10 is the server terminal # 1, and 1-11 is the server terminal # 2.

  In this configuration, the network 1-1 is configured with VPN # 1 and VPN # 2. VPN # 1 accommodates user # 1 and user # 2. VPN # 1 has a proxy device # 1 as a relay device. VPN # 2 accommodates server terminal # 1 and server terminal # 2. The VPN # 2 has a proxy device # 2 as a relay device. VPN # 1 and VPN # 2 are connected via a server explicit selection type reverse proxy device 1-5. The server explicit selection type reverse proxy device 1-5 accommodates VPN # 1 through the VPN interface # 1, and accommodates VPN # 2 through the VPN interface # 2.

  FIG. 2 shows the name system as seen from VPN # 1. VPN # 1 is vpn1, VPN # 2 is vpn2, user # 1 is user1, user # 2 is user2, server terminal # 1 is server1, server terminal # 2 is server2, The proxy device # 1 is assigned a name proxy1, the proxy device # 2 is assigned a proxy2, and the server explicit selection type reverse proxy device 1-5 is assigned a name r_proxy1.

  FIG. 3 shows the name system as seen from VPN # 2. VPN # 1 is vpn1, VPN # 2 is vpn0, server terminal # 1 is server0, server terminal # 2 is server1, proxy device # 2 is proxy0, server explicit selection type reverse proxy device 1-5 is given the name r_proxy0. Here, it should be noted that the name system seen from VPN # 1 is different from the name system seen from VPN # 2.

  FIG. 4 shows an example of conversion processing of the destination unified resource location specifier in the server explicit selection type reverse proxy device. This figure is composed of a destination uniform resource location specifier 4-1 before input shown at the top and a destination uniform resource location specifier 4-2 after output shown at the bottom.

  The destination uniform resource location specifier includes an access means identifier, a host identifier, and a directory identifier.

  In the destination uniform resource location specifier 4-1 before input, the host identifier is composed of an identifier of the server explicit selection type reverse proxy device viewed from the VPN to which the transmission source user belongs, and an identifier of the VPN to which the transmission source user belongs. The directory identifier is the identifier of the transmission source user as seen from the VPN to which the transmission source user belongs, the identifier of the destination server as seen from the VPN to which the transmission source user belongs, and the attribution of the destination server as seen from the VPN to which the transmission source user belongs VPN identifiers and directory identifiers in the destination server.

  In this example, in the destination unified resource location specifier 4-1 before input, http is used as the access means identifier, and r_proxy1 is the sender explicit identifier of the server as seen from the VPN to which the sender belongs. Vpn1 as the VPN identifier to which the user belongs, user1 as the source user identifier as seen from the VPN to which the source user belongs, server1 as the destination server identifier as seen from the VPN to which the source user belongs, and source user Vpn2 is specified as the VPN identifier to which the destination server belongs as seen from the VPN to which the server belongs, and folder1 / file1 is specified as the directory identifier in the destination server.

  In the destination unified resource location specifier 4-2 after output, the host identifier is the identifier of the destination server viewed from the VPN to which the destination server belongs, and the VPN to which the destination server belongs from the VPN to which the destination server belongs. The directory identifier is composed of a directory identifier in the destination server.

  In this example, in the destination unified resource location specifier 4-2 after output, the access means identifier is http, the destination server identifier as seen from the VPN to which the destination server belongs, server0, and the destination server as seen from the VPN to which the destination server belongs. In addition, vpn0 is designated as the VPN identifier to which the destination server belongs, and folder1 / file1 is designated as the directory identifier in the destination server.

  FIG. 5 shows the conversion table 5-1. In this conversion table 5-1, a conversion is made from a pair of the identifier of the destination server seen from the VPN to which the transmission source user belongs and the VPN identifier to which the destination server belongs seen from the VPN to which the transmission source user belongs. A set of the identifier of the destination server seen from the VPN to which the destination server belongs and the identifier of the VPN to which the destination server belongs seen from the VPN to which the destination server belongs is derived.

  For example, server1. From vpn2, converted server0. If vpn0 is server2. From vpn2, converted server1. vpn0 is derived. Here, “.” Is a symbol indicating a boundary point between identifiers.

  FIG. 6 shows the authentication table 6-1. In this authentication table 6-1, “transfer” or “transfer” or “data transfer” is selected as the data processing content from the set of the identifier of the transmission source user viewed from the VPN to which the transmission source user belongs and the identifier of the destination VPN viewed from the VPN to which the transmission source user belongs. “Discard” is led.

  For example, “transfer” is derived from the set of user1 and vpn2, and “discard” is derived from the set of user2 and vpn2.

  FIG. 7 is a system configuration diagram of the server explicit selection type reverse proxy device 1-5 according to the embodiment of this invention.

  Reference numeral 7-1 denotes an authentication unit that refers to the authentication table 6-1 and determines whether to transfer or discard the user identifier described in the directory identifier of the received hypertext transfer protocol data and the identifier of the destination network. 7-2 is a destination according to the contents of the directory identifier for the destination uniform resource location specifier including the host identifier and the directory identifier described in the hypertext transfer protocol data received from VPN # 1. A host identifier is specified, the host identifier described in the destination uniform resource location specifier is converted into the specified destination host, and the directory identifier described in the destination uniform resource location specifier is converted to the contents of the directory identifier. Is an identifier converting means for converting a part of the directory identifier into a deleted directory identifier. Reference numeral 7-3 denotes address resolution means for performing address resolution. 7-4 is a transfer means for transferring the hypertext transfer protocol in which the destination uniform resource location specifier in which the host identifier and the directory identifier are converted is described to VPN # 2.

  6-1 is an authentication table shown in FIG. In the authentication table 6-1, a set of the user identifier of the transmission source user and the identifier of the destination network and the processing contents of either transfer or discard corresponding to the set are registered. 5-1 is a conversion table shown in FIG. In the conversion table, the correspondence between the host identifier defined by VPN # 1 and the host identifier defined by VPN # 2 is registered.

  The identifier conversion unit 7-2 obtains the conversion table 5-1 from the host identifier defined by VPN # 1 described in the directory identifier of the destination uniform resource location specifier of the hypertext transfer protocol data received from VPN # 1. Referring to the host identifier defined by VPN # 2, this is used as the destination host identifier.

  When the hypertext transfer protocol data is transmitted from the VPN interface # 2 to the VPN # 2, the address resolution unit 7-3 uses a DNS (Domain Name System) server in the VPN # 2 (not shown) and uses the VPN # 2 When the destination Internet protocol address defined by VPN # 2 is resolved from the host identifier of the destination unified resource location specifier defined in, and hypertext transfer protocol data is transmitted from VPN interface # 1 to VPN # 1, Using a DNS server in VPN # 1 (not shown), the destination Internet protocol address defined in VPN # 1 is resolved from the host identifier of the destination unified resource location specifier defined in VPN # 1. In this embodiment, address resolution is performed using a DNS server, but other methods may be used.

  An operation example in the above configuration will be described.

  Here, an example in which the user # 1 accesses the folder1 / file1 of the server terminal # 1 in the hypertext transfer protocol layer in FIG. 1 will be described.

  The user # 1 uses the destination unified resource location specifier http: // r_proxy1. vpn1 / user1 / server1. The hypertext transfer protocol data to which vpn2 / folder1 / file1 is assigned is transmitted. At this time, if a proxy device (proxy1) is assigned as a proxy, the transmission data reaches the proxy device # 1.

  The proxy device # 1 refers to the destination uniform resource locator of the received hypertext transfer protocol data and specifies the host identifier r_proxy1 of the server explicit selection type reverse proxy device 1-5 as the destination host identifier. Is transferred to the server explicit selection type reverse proxy device 1-5.

  The server explicit selection type reverse proxy device 1-5 basically operates in the same manner as the reverse proxy. However, the following explanation is different from the reverse proxy.

  When the server explicit selection type reverse proxy device 1-5 receives the hypertext transfer protocol data in the VPN interface # 1, the authentication unit 7-1 uses the destination unified resource location specifier http based on the authentication table of FIG. // r_proxy1. vpn1 / user1 / server1. In vpn2 / folder1 / file1, "transfer" as data processing content is determined from the sender user identifier user1 seen from the VPN to which the sender user belongs and the destination VPN identifier vpn2 seen from the VPN to which the sender user belongs. Lead.

  If the source user identifier seen from the VPN to which the source user belongs is user2 and the destination VPN identifier seen from the VPN to which the source user belongs is vpn2, “discard” is set as the data processing content. Therefore, the corresponding data is discarded and the processing ends here.

  Here, since “transfer” is derived as the data processing content, the transfer processing of the corresponding data is performed. Specifically, the identifier conversion unit 7-2 refers to the conversion table 5-1 in FIG. 5 and sees from the destination server identifier server1 and the VPN to which the transmission source user belongs, as viewed from the VPN to which the transmission source user belongs. From the set of VPN identifiers vpn2 to which the destination server belongs, the destination server identifier server0 seen from the VPN to which the destination server belongs after conversion and the VPN identifier to which the destination server belongs as seen from the VPN to which the destination server belongs. A set of vpn0 is derived.

  From this result, as shown in FIG. 4, the destination unified resource location specifier is changed to http: // r_proxy1. vpn1 / user1 / server1. vpn2 / folder1 / file1 to http: // server0. Convert to vpn0 / folder1 / file1.

  Thereafter, the address resolving means 7-3 resolves the destination Internet protocol address defined by VPN # 2 from the host identifier (server0.vpn0) of the destination uniform resource locator defined by VPN # 2, and transfers the address. The means 7-4 transmits the hypertext transfer protocol data to which the converted destination unified resource position specifier is assigned from the VPN interface # 2.

  Eventually, the corresponding data is transferred to the server terminal # 1 in the VPN # 2 according to the host identifier server0 of the destination unified resource location specifier after conversion. The server terminal # 1 extracts the corresponding data by referring to the directory identifier folder1 / file1 of the destination uniform resource location specifier, and returns it.

  Return data from the server terminal # 1 to the user # 1 is transferred in a conventional sequence by the server explicit selection type reverse proxy device 1-5 operating in the same manner as the reverse proxy device. In this case, it goes without saying that the address resolving means 7-3 resolves the destination Internet protocol address defined by VPN # 1 from the host identifier of the destination unified resource locator defined by VPN # 1.

  As a result, the user # 1 can access the folder1 / file1 of the server terminal # 1 in the hypertext transfer protocol layer.

  As described above, according to the embodiment of the present invention, in a single reverse proxy apparatus, a transmission user can explicitly designate and transfer a destination web server. For this reason, it is possible to provide a service by arranging a user on the first network and preparing a web server having different contents on the second network. Here, the first network and the second network may be operated with different host identifiers and addresses.

  As a result, the first network is positioned as the corporate intranet, the user is positioned, the second network is positioned as the application service provider network, the web server is positioned, and then the first network and the second network are positioned. Are connected to each other only through the reverse proxy device of the present invention, the unified resource location specifier addressed to the reverse proxy device in the first network regardless of the addition of the web server in the second network, etc. In the second network, there is an effect that only the host identifier and the address need to be managed. On the other hand, in the second network, it is possible to increase the number of web servers without affecting the first network.

  The server explicit selection type reverse proxy device according to the embodiment of the present invention can be configured by a computer and a program. Moreover, you may comprise a part or all of the program with a hardware.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Of course.

2 shows a network configuration example according to an embodiment of the present invention. The example of the name system seen from one VPN of embodiment of this invention is shown. The example of the name system seen from the other VPN of embodiment of this invention is shown. The example of a conversion process of the destination uniform resource position specifier of embodiment of this invention is shown. The conversion table example of embodiment of this invention is shown. The example of the authentication table of embodiment of this invention is shown. It is a system configuration figure of a server explicit selection type reverse proxy device of an embodiment of the present invention.

Explanation of symbols

1-1 Network 1-2 VPN # 1
1-3 VPN # 2
1-5 Server explicit selection type reverse proxy device 1-6 User # 1
1-7 User # 2
1-8 Proxy device # 1
1-9 Proxy device # 2
1-10 Server terminal # 1
1-11 Server terminal # 2
4-1 Unified Resource Location Specifier Before Input 4-2 Unified Resource Location Specifier After Output 5-1 Conversion Table 6-1 Authentication Table 7-1 Authentication Unit 7-2 Identifier Conversion Unit 7-3 Address Resolution Unit 7 -4 Transfer means

Claims (9)

A reverse proxy device that relays hypertext transfer protocol data between a first network and a second network,
The destination host identifier is specified according to the contents of the directory identifier for the destination uniform resource location specifier that includes the host identifier and directory identifier described in the hypertext transfer protocol data received from the first network. And converting the host identifier described in the destination uniform resource location specifier to the specified destination host, and converting the directory identifier described in the destination uniform resource location specifier into a part of the contents of the directory identifier. An identifier conversion means for converting to a deleted directory identifier;
Transfer means for transferring a hypertext transfer protocol in which a destination uniform resource location specifier in which a host identifier and a directory identifier are converted is described to a second network;
The reverse proxy apparatus characterized by having. The reverse proxy device according to claim 1,
The reverse proxy apparatus characterized in that the identifier converting means interprets and converts a partial area of the directory identifier as an identification unit of a destination host. The reverse proxy device according to claim 1 or 2,
When a partial area of the directory identifier is interpreted as a user identifier identifier and does not have a predetermined user identifier, hypertext transfer protocol data is not relayed to a transfer destination host. Reverse proxy device to do. The reverse proxy device according to claim 3,
An authentication table for registering a combination of a user identifier of a transmission source user and an identifier of a destination network, and processing contents of either transfer or discard corresponding to the combination;
An authentication means for determining whether to transfer or discard the hypertext transfer protocol data;
With
The authentication unit refers to the authentication table based on the user identifier described in the directory identifier of the received hypertext transfer protocol data and the identifier of the destination network, and determines whether to transfer or discard.
A reverse proxy device characterized by that. The reverse proxy device according to any one of claims 1 to 4,
A first network interface that accommodates the first network, a second network interface that accommodates the second network, and an address resolution means;
The first network interface is given the host identifier of the unified resource locator defined in the first network, the Internet protocol address defined in the first network,
The second network interface is given the host identifier of the unified resource locator defined in the second network, the Internet protocol address defined in the second network,
When the identifier conversion means receives the hypertext transfer protocol data from the first network interface, the identifier conversion means is defined in the second network from a part of the directory identifier of the destination uniform resource location specifier defined in the first network. Destination uniform resource locator host identifier is generated, a part of the destination uniform resource locator directory identifier defined in the first network is deleted, and the destination uniform resource defined in the second network Generate a directory identifier for the location specifier, and use these to convert the destination uniform resource location specifier defined in the first network to the destination uniform resource location specifier defined in the second network,
When the hypertext transfer protocol data is transmitted from the second network interface to the second network, the address resolution means uses the host identifier of the destination unified resource locator defined in the second network, When resolving the destination Internet protocol address defined in the network and sending hypertext transfer protocol data from the first network interface to the first network, the destination unified resource locator defined in the first network Resolving the destination internet protocol address defined in the first network from the host identifier,
A reverse proxy device characterized by that. The reverse proxy device according to claim 5,
A conversion table for registering the correspondence between the host identifier defined in the first network and the host identifier defined in the second network;
The identifier converting means refers to the conversion table from the host identifier defined in the first network described in the directory identifier of the destination uniform resource locator of the hypertext transfer protocol data received from the first network. To obtain a host identifier defined in the second network and use this as the destination host identifier.
A reverse proxy device characterized by that. The reverse proxy device according to any one of claims 1 to 6,
The reverse proxy device, wherein the converted directory identifier is a directory identifier in the destination host described in the directory identifier of the destination unified resource locator of the received hypertext transfer protocol data. A data relay method in a reverse proxy device that relays hypertext transfer protocol data between a first network and a second network,
The reverse proxy device includes an identifier conversion unit and a transfer unit,
Depending on the contents of the directory identifier for the destination uniform resource location specifier including the host identifier and the directory identifier described in the hypertext transfer protocol data received from the first network by the identifier conversion means. The destination host identifier is specified, the host identifier described in the destination uniform resource location specifier is converted into the specified destination host, and the directory identifier described in the destination uniform resource location specifier is converted to the directory identifier. Is converted to a deleted directory identifier,
The transfer means transfers a hypertext transfer protocol in which a destination uniform resource locator in which a host identifier and a directory identifier are converted is described to a second network;
A data relay method.   The program for functioning a computer as a reverse proxy apparatus of any one of Claims 1 thru | or 7.

Images