JP2015032299A - Web content distribution device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent the erroneous detection of a Cross Site Scripting filter even in SPDY application using redirection from an HTTP request to an HTTPS request.SOLUTION: A main content acquisition part 101 acquires the index file of a Web page in response to a request message. A specific sub-content determination part 102 determines whether or not each sub-content described in the index file is a specific sub-content for dynamically generating link URL. A redirect request part 6 request redirection by an HTTPS to a client which has requested a Web page excluding the specific sub-content. A main content distribution part 701 distributes the index file to the client which has requested the Web page including the specific sub-content. A sub-content distribution part 702 distributes each sub-content to the client.

Description

  The present invention relates to a Web content distribution apparatus that acquires and distributes Web content requested from a client from a Web server, and in particular, when distributing Web content in an SPDY session established by redirection from an HTTP request to an HTTPS request. The present invention relates to a Web content distribution apparatus that can prevent a false detection of Cross Site Scripting that may occur in the future.

  Non-Patent Document 1 describes the integration of TCP connections, push delivery from the server to the client, multiplexed transmission of requests, deletion of redundant headers, and compression of communication data. SPDY has been disclosed to improve the delivery speed.

  In Patent Document 1, when a multi-domain web page is requested in which sub-contents constituting a web page are distributed and arranged on a plurality of web servers together with the index file (main content), the index of the web page is requested. By acquiring files and sub-contents from each Web server, storing them on the cache server, and managing them in the same domain, the client simply accesses the cache server. An acceleration server is disclosed that enables easy acquisition through distribution.

  On the other hand, since the SPDY protocol works for HTTPS requests, a single HTTP that is multiplexed on an HTTP Web page that establishes and distributes multiple HTTP sessions between a server and client that implement SPDY. In order to achieve push delivery by session (session aggregation), the client had to request an HTTP web page over HTTPS from the SPDY server.

  In order to deal with such technical problems, Patent Document 2 requests that an HTTP request from a client be redirected by HTTPS, so that even a web page request from a client can be speeded up by session aggregation. An acceleration server that pushes content by using SPDY is disclosed.

  Patent Document 3 describes that even when sub-contents constituting a multi-domain web page in Patent Document 2 are acquired from a plurality of web servers with different domains, the client can use the original web without causing a cross-domain problem. A method of rewriting an HTML file that enables playback of a page is disclosed.

Japanese Patent Application No. 2012-146859 Japanese Patent Application No. 2013-074597 Japanese Patent Application No. 2013-074596

IETF, M. Belshe, R. Peon, "SPDY Protocol", InternetDraft mbelshe-spdy-00, Feb. 2012.

  In the above prior art, if the Web page to be distributed is provided by HTTP and the sub-content includes dynamic content that dynamically generates a link URL, such as JavaScript (registered trademark) or Flash (registered trademark), the Web The page may not be displayed correctly. This is because the browser's Cross Site Scripting filter detects the difference between the domain that executes dynamic content and the domain that is accessed after execution, and the operation is blocked. Two points are affected: HTTP redirection and (2) URL generated by dynamic content cannot be rewritten.

  In (1), since the acceleration server requires SSL for SPDY, requests for HTTP Web pages are redirected to HTTPS. In (2), in order to make the client use a single SPDY session generated, the scheme part described in the HTML file is all changed to HTTPS, but the scheme part of the URL generated by dynamic content It has not been changed until. For this reason, if the sub-content includes dynamic content that generates a URL, an HTTP request is generated under the HTML file provided by HTTPS, and the browser determines that the script is invalid (phishing).

  In order to solve the above problems, for example, (i) the SPDY specification is changed to make SSL optional, and (ii) Object Notation with padding or crossdomain.xml is used to avoid the Cross Site Scripting filter. (Iii) A method of changing the scheme of the URL to be generated by rewriting dynamic content to HTTPS, and (iv) A method of relaxing the conditions of the browser Cross Site Scripting filter. However, each method is not easy to implement because it requires modification of the client and Web server.

  FIG. 5 is a sequence flow for explaining the false detection of the Cross Site Scripting filter implemented in the client. The Web page requested by the client is an index as the main content as described later with reference to FIG. File (index.html), image file img2.jp as sub-content pasted on the page of the index file, dynamic content test.js, and linked image file img1.jpg generated by the dynamic content Consists of The index file index.html, the image file img1.jpg, and the dynamic content test.js that generates the link URL for the image file img1.jpg are stored in the web server WS1 and the link URL is described in the index file The file img2.jpg is stored in the Web server WS2.

  At time t1, a TCP connection is established between the client and the acceleration server (Port 80: HTTP). At time t2, the client sends a request message for acquiring the index.html file to the acceleration server. At time t3, an HTTPS redirect URL for requesting HTTPS redirection from the client is generated based on the original request message. In this embodiment, https://site1.ipcq.com/index.html is generated from http://site1.ipcq.com/index.html and notified to the client at time t4.

  At time t5, a TCP connection is established between the client and the acceleration server (Port 443: HTTPS). At time t6, an SPDY session is established between the client and port 443 of the acceleration server. At time t7, the client connects to the HTTPS redirect URL and transmits a request message. At time t8, the request message is transferred to the cache.

  If the index file index.html file is not cached, the acceleration server transmits a request message for the index.html file to the Web server WS1 at time t9. At time t10, the index.html file is returned from the Web server WS1 to the acceleration server. At time t11, the index.html file is transferred from the cache to Port 443. At time t12, the index.html file is distributed from Port 443 to the client.

  In parallel with this, at time t13, a request message for requesting the sub content test.js is transmitted from the acceleration server to the Web server WS1. At time t14, a request message requesting the sub content img2.jpg is transmitted from the acceleration server to the Web server WS2. At time t15, the sub content test.js is returned from the Web server WS1 to the acceleration server. At time t16, the sub-content img2.jpg is returned from the Web server WS2 to the acceleration server. At times t17 and t18, the sub contents test.js and img2.jpg are transferred from the cache of the acceleration server to Port 443, respectively. At time t19, the sub contents (test.js and img2.jpg) are delivered to the client through the SPDY session.

  At time t20, the sub-content test.js is executed on the client. At this time, the Cross Site Scripting filter of the browser uses the URL http://site1.ipcq.com/img1.jpg generated by test.js and the URL of the HTML file where test.js is executed "https: // site1 .ipcq.com / index.html "is matched, but here the scheme part is judged to be inconsistent (http and https), so the request message of img1.jpg is blocked by the browser's Cross Site Scripting filter . Therefore, the client cannot obtain img1.jpg and cannot display the Web page correctly.

  The object of the present invention is to solve the above-mentioned problems of the prior art and to prevent the false detection of the Cross Site Scripting filter and correctly display the web contents even when applying SPDY using redirection from HTTP request to HTTPS request. It is to provide a content distribution apparatus.

  In order to achieve the above-mentioned purpose, in response to a web page request from a client, a web page is requested in a web content distribution apparatus that acquires the main content and sub-content of the web page from a web server and distributes it to the client. Main content acquisition means for acquiring the main content in response to an HTTP request, rewriting means for rewriting the link URL scheme of each sub-content described in the main content to HTTPS, and each sub-content dynamically generating a link URL A specific sub-content determining means for determining whether or not the specific sub-content is included; a redirect request means for requesting a redirect request by HTTPS to a client that has requested a Web page not including the specific sub-content; and a Web page including the specific sub-content. Requested cry Main content distribution means for distributing the main content to the client, sub-content acquisition means for acquiring each sub-content based on the link URL of each sub-content, and integration of each sub-content to the client that requested the Web page including the specific sub-content And a sub-content distribution unit for distributing the sub-content in response to a request message to the link URL generated by the specific sub-content.

  According to the present invention, even when dynamic content that generates a link destination URL is included in a multi-domain web page that the client is trying to acquire, a request to the link destination generated by the dynamic content is made. Since the message is not blocked by the Cross Site Scripting filter, the client can retrieve all sub-contents.

It is a system outline figure showing the network composition of the Web contents distribution system concerning one embodiment of the present invention. It is the figure which showed an example of the web page of a multi domain structure. It is the functional block diagram which showed the structure of the acceleration server. It is the sequence flow which showed the operation | movement of one Embodiment of this invention. It is the figure which showed a mode that acquisition of a subcontent was prevented by the false detection of a Cross Site Scripting filter.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a system outline diagram showing a network configuration of a Web content distribution system according to an embodiment of the present invention. For a Web page having a multi-domain configuration, the index file index.html (main content) and the index file are included. Multiple web servers (WS1, WS2) with distributed image files (sub-contents) to be pasted, and web page content requests from clients are detected to determine the original web server, and the main content from the web server The main configuration is an acceleration server that acquires and caches sub-contents and distributes them to clients via a TCP connection or SPDY session.

  Each web server is assigned a different domain. In this embodiment, "site1.ipcq.com" is assigned to the web server WS1, and "site2.ipcq.com" is assigned to the web server WS2. . The client and the acceleration server are connected via a TCP connection and SPDY session. The acceleration server and each Web server are connected by HTTP connection.

  The Web page to be distributed has a multi-domain configuration, and as shown in FIG. 2 as an example, an index.html file as main content and an image file img2. As sub-content pasted on the page of the index.html file. jpg, dynamic content test.js, and a link destination image file img1.jpg generated by the dynamic content. In this embodiment, dynamic content test.js such as JavaScript (registered trademark) for generating an index.html file, an image file img1.jpg, and a link URL of the image file img1.jpg is accumulated in the web server WS1, and index. The following description assumes that the image file img2.jpg in which the URL is described in the .html file is stored in the Web server WS2.

  FIG. 3 is a functional block diagram showing the configuration of the main part of the acceleration server. Here, the configuration unnecessary for the description of the present invention is omitted.

  The request reception unit 4 receives a request message for a Web page transmitted from a client. In this embodiment, an HTTP request and an HTTPS request can be accepted as a request message.

  In the content acquisition unit 1, the main content acquisition unit 101 acquires the index.html file of the Web page from the Web server WS1 in response to the request message, and caches it in the storage unit 2. The specific sub-content determining unit 102 is a specific sub-content that dynamically generates a link URL such as JavaScript (registered trademark) or Flash (registered trademark) in which each sub-content described in the link URL in the index.html file It is determined whether or not.

  The sub-content acquisition unit 103 acquires a sub-content by transmitting a request message to the link URL described in the index.html file, and caches this in the storage unit 2. In the present embodiment, the sub content test.js is acquired from the Web server WS1, and the sub content img2.jpg is acquired from the Web server WS2.

  In the rewriting unit 3, the scheme rewriting unit 301 rewrites the scheme of the link URL of each sub-content described in the index.html file from HTTP to HTTPS. The domain rewriting unit 302 rewrites the domain of the sub-content img2.jpg from “site2.ipcq.com” to “site1.ipcq.com” so that all the sub-content domains are shared. The redirect request unit 6 requests redirection of a request message by HTTPS to a client that has requested a Web page that does not include the specific sub-content, as in the related art.

  In the content distribution unit 7, the main content distribution unit 701 distributes the main content to the client that has requested the Web page including the specific sub-content. The sub-content distribution unit 702 integrates and distributes each sub-content through the SPDY session to the client that has requested the Web page including the specific sub-content. The sub-content response unit 703 distributes the sub-content (img1.jpg) in response to a request message for the link URL generated by the specific sub-content (test.js).

  Next, the operation of the embodiment of the present invention will be described in detail with reference to the sequence flow of FIG. At time t1, a TCP connection is established between the client and the acceleration server (Port 80). At time t2, an HTTP request message (GET: index.html) for acquiring a Web page is transmitted from the client to the acceleration server (Port 80). The HTTP request message is received by the request receiving unit 4 of the acceleration server.

  At time t3, the acceleration server determines whether the requested index.html file is cached. If the index.html file is not cached, a request message for the index.html file is transmitted from the main content acquisition unit 101 to the web server WS1 at time t4. At time t5, the index.html file is returned from the Web server WS1 to the acceleration server.

  At time t6, the index.html file is analyzed, and it is determined whether the sub-content includes dynamic content such as JavaScript (registered trademark) or Flash (registered trademark). Furthermore, in order to send each sub-content collectively to the client by SPDY, the scheme is rewritten to HTTPS by the scheme rewriting unit 301 and the domain is rewritten to the domain of the Web server WS1 by the domain rewriting unit 302. It is done.

  In the present embodiment, the link URL “http://site1.ipcq.com/test.js” of the sub content test.js and the link URL “http: //site2.ipcq of the sub content img2.jpg are included in the index.html file. .com / img2.jpg ", and these link URLs are" https://site1.ipcq.com/test.js "and" https://site1.ipcq.com/img2.jpg ", respectively. Will be rewritten. Further, the sub content test.js is determined to be dynamic content.

  At time t7, a request message requesting the sub content test.js is transmitted from the sub content acquisition unit 103 of the acceleration server to the Web server WS1. At time t8, a request message for requesting the sub content img2.jpg is transmitted from the sub content acquisition unit 103 to the Web server WS2. At time t9, the sub content test.js is returned from the Web server WS1 to the acceleration server. At time t10, the sub-content img2.jpg is returned from the Web server WS2 to the acceleration server.

  At time t11, whether or not to request redirection by HTTPS to the client that sent the HTTP request, the dynamic content described in the index.html file is a specific sub-content that dynamically generates a URL. Judgment is made based on whether or not there is.

  In this embodiment, the specific sub-content determination unit 102 has a Web browser simulation function, and it is determined whether or not a URL is dynamically generated by executing the dynamic content test.js. Note that the Web browser simulation function does not need to be able to simulate all the functions of the Web browser. Is the URL generated dynamically when the browser installed in the client executes the dynamic content test.js? It suffices to have only a function that can determine whether or not.

  In the present embodiment, since the sub-content test.js “generates URL dynamically”, that is, test.js is determined as the specific sub-content, it is determined that redirection by HTTPS is unnecessary. At time t12, the index.html file is transferred from the cache to Port 80. At time t13, the main content distribution unit 701 returns the index.html file from Port 80 to the client by HTTP. If it is determined that the sub-content test.js does not dynamically generate a URL, the redirect request unit 6 requests the client to perform redirection by HTTPS, as in the conventional technique.

  At time t14, a TCP connection is established between the client and port 443 of the acceleration server. At time t15, an SPDY session is established between the client and port 443 of the acceleration server. At time t16, a sub-content is requested from the client to Port 443 of the acceleration server. At times t17 and t18, the request for the sub contents test.js and img2.jpg is transferred from the port 443 to the cache at the acceleration server. At times t19 and t20, the sub contents test.js and img2.jpg are transferred from the cache of the acceleration server to Port 443, respectively. At time t21, the sub-content distribution unit 702 distributes the sub-contents (test.js and img2.jpg) to the clients in a SPDY session.

  At time t22, the dynamic sub-content test.js is executed on the client. At this time, the Cross Site Scripting filter of the browser uses the URL http://site1.ipcq.com/img1.jpg generated by test.js and the URL of the HTML file where test.js is executed "http: // site1. "ipcq.com/index.html" is matched, and here both the scheme part and the FQDN match. Therefore, at time t23, the request message regarding the sub-content img1.jpg passes through the Cross Site Scripting filter and is transmitted to Port 80 of the acceleration server by HTTP.

  At time t24, the request message is transferred from the port 80 of the acceleration server to the cache. At time t25, the request message is transmitted from the cache to the Web server WS1 by HTTP. At time t26, the sub-content img1.jpg is transmitted by HTTP from the Web server WS1 to the acceleration server cache. At time t27, the sub-content img1.jpg is transferred from the cache to Port80. At time t28, the sub content response unit 703 of the acceleration server transmits the sub content img1.jpg to the client by HTTP. At time t29, the sub contents img1.jpg and img2.jpg are pasted on the index.html file, and a complete Web page is displayed.

  According to this embodiment, even when the dynamic content that generates the URL of the link destination is included in the Web page of the multi-domain configuration that the client intends to acquire, the link to the link destination generated by the dynamic content is included. The request message is not blocked by the Cross Site Scripting filter, so the client can retrieve all sub-contents.

  In addition, according to the present embodiment, even when dynamic content that generates a URL of a link destination is included in the Web page of the multi-domain configuration that the client intends to acquire, the link destination generated by the dynamic content All the sub-contents other than the sub-contents stored in can be integrated and sent from the acceleration server through the SPDY session, so that high-speed delivery of Web contents can be maintained.

  DESCRIPTION OF SYMBOLS 1 ... Content acquisition part, 101 ... Main content acquisition part, 102 ... Specific sub content determination part, 103 ... Sub content acquisition part, 2 ... Memory | storage part, 3 ... Rewriting part, 301 ... Scheme rewriting part, 302 ... Domain rewriting part, 4 Request accepting unit 6 Redirect request unit 7 Content delivery unit 701 Main content delivery unit 702 Sub content delivery unit 703 Sub content response unit

Claims (4)

In the Web content distribution apparatus that acquires the main content and sub-content of the Web page from the Web server in response to the Web page request from the client, and distributes it to the client,
Main content acquisition means for acquiring main content in response to an HTTP request for requesting a web page;
Rewriting means for rewriting the link URL scheme of each sub-content described in the main content to HTTPS,
Specific sub-content determination means for determining whether each sub-content is specific sub-content that dynamically generates a link URL;
A redirect request means for requesting a redirect by HTTPS to a client that has requested a Web page not including the specific sub-content;
Main content distribution means for distributing the main content to a client that has requested a Web page including the specific sub-content;
Sub-content acquisition means for acquiring each sub-content based on the link URL of each sub-content;
Sub-content distribution means for integrating and distributing each sub-content to the client that requested the Web page including the specific sub-content;
A Web content distribution apparatus comprising: sub-content response means for distributing sub-content in response to a request message for a link URL generated by the specific sub-content.   The Web content distribution apparatus according to claim 1, wherein the rewriting means rewrites the domain of the link URL of each sub-content to the same domain as the main content. SPDY control means to establish SPDY session with the client,
The Web content distribution apparatus according to claim 1, wherein the sub-content distribution unit distributes each sub-content to a client using an SPDY session. A cache for temporarily storing the main content and the sub-content;
4. The Web content distribution apparatus according to claim 1, wherein each content is acquired from a Web server, temporarily stored, and distributed from the cache.