JP5049172B2 - Reverse proxy system - Google Patents

Description

  The present invention relates to a reverse proxy system using a reverse proxy that relays an access request from an external client to an internal server.

  In a reverse proxy system using a reverse proxy that relays an access request from an external client to an internal server, an access request from the external client to the internal server is always made through the reverse proxy system. There is no access to the server. For this reason, the reverse proxy system is provided with an authentication function for an external client that checks whether or not the external client that made the access request is permitted to access the internal server, and a function for checking the content of data to be relayed. As a result, security can be enhanced.

  Hereinafter, an operation example of the reverse proxy system will be briefly described with reference to FIG. Here, FIG. 10 shows a configuration example of the conventional reverse proxy system 100 and its peripheral devices.

  The reverse proxy system 100 is installed in a DMZ (DeMilitized Zone, demilitarized zone), and is configured to be accessible via a communication network 4 such as the Internet and a client terminal 2 i (i = 1 to m) operated by an external client 2, The client terminal 2 i is configured to relay an access request to the Web server 3 j (j = 1 to n) as an example of the internal server 3.

  In the reverse proxy system 100 shown in FIG. 10, the external URL specified by the client terminal 2 i for accessing the internal server 3 is different from the internal URL that the internal server 3 actually has. The reverse proxy system 100 converts the external URL into an internal URL in the access request (up) from the external client 2 to the internal server 3, and converts the internal URL into the external URL in the response (down) from the internal server 3 to the external client 2. Convert to

  The external URL here is defined by “http: // [URL of the reverse proxy system 100] / [Mount point for specifying the internal server 3 to which the reverse proxy system relays the access request] /”. For example, in the case of the Web server 3j shown in FIG. 10, the external URL is “http://proxy.xxx.co.jp/web0j/”, and the internal URL is “http://web0j.xxx.co.jp/”. "And the mount point is" web0j ".

  More specifically, for example, when the client terminal 21 receives an access request (uplink) for “http://proxy.xxx.co.jp/web01/” by the client terminal 21, first, the external proxy The mount point “web01” is extracted from the URL. Subsequently, the reverse proxy system 100 replaces the external URL with the internal URL “http://web01.xxx.co.jp/” of the Web server 31 indicated by the mount point “web01”.

  Furthermore, when the content is returned from the Web server 31 to the client terminal 21 (downlink), the reverse proxy system 100 reverses the internal URL “http://web01.xxx.co.jp/” of the content. Using the URL “http://proxy.xxx.co.jp/” of the proxy system 100 and the mount point “web01”, replace with the external URL “http://proxy.xxx.co.jp/web01/” .

  By the way, in the reverse proxy system, generally, for example, in the case of text format data, it is possible to replace the internal URL described in the data with the external URL, but programming such as Javascript (registered trademark) is possible. It is very difficult to replace an internal URL of a program written in a language with an external URL.

  For this reason, in the case of a Web server that has not been developed so as to be compatible with the reverse proxy system, for example, content including a program that generates a URL on a client terminal may not correctly generate an external URL. More specifically, when the Web server returns content including a program for generating a URL on the client terminal to the client terminal, an information-missing URL with a missing mount point is generated by the program on the client terminal. There is a possibility. In such a case, if the client terminal tries to access the reverse proxy system again based on the generated information missing URL, the reverse proxy system may not correctly convert the information missing URL into an internal URL. There was a problem.

  On the other hand, as a technique for complementing the mount point, for example, a keyword unique to the Web server is set for each of all Web servers that relay access requests from external clients, and the relationship between the Web server and the keyword When an internal URL is converted into an external URL, an external URL including a mount point and a keyword is generated, and an access request is received from the external URL with a missing mount point. There is a reverse proxy system that searches a correspondence table using a keyword extracted from an external URL lacking the mount point, acquires the mount point, and supplements the external URL using the mount point. Here, FIG. 11 shows an outline of the operation of the reverse proxy system that performs mount complementation using the correspondence table. Here, the keyword matches the top directory name of each Web server.

  As a technique for complementing the mount point, for example, in the response (downstream) from the Web server to the external client, the mount point is stored in Cookie, and there is an access request from the external client to the Web server. In some cases, a reverse proxy system has been proposed that generates an internal URL using a mount point stored in Cookie when it is recognized that a mount point is missing (see, for example, Patent Document 1). Here, FIG. 12 shows an outline of the operation of the reverse proxy system described in Patent Document 1.

JP 2004-94805 A

  However, in the case of a reverse proxy system that performs mount point complementation using the correspondence table shown in FIG. 11, it is necessary to set a keyword (directory name) unique to the Web server. Adjustment is indispensable, and it takes time to develop a Web server. In addition, for an existing Web server, it may be necessary to change the directory name of the top directory, which is difficult to apply.

  Also, in the case of the reverse proxy system that performs mount point complementation by Cookie described in Patent Document 1, if the same external client uses a plurality of browsers, Cookie is overwritten every time the page is viewed. . For this reason, there is a possibility that the mount point may not be complemented correctly in access requests from pages browsed in the past. Here, FIG. 13 shows an example of the operation in the reverse proxy system that complements the mount point by Cookie. If there is a response from the Web server having the mount point “web02” after the response from the Web server having the mount point “web01”, the web02 is overwritten in the cookie. In this case, when an access request is made to the Web server having the mount point “web01”, if the mount point is missing, “http://web01.xxx.co.jp/info/” should be complemented. , “Http://web02.xxx.co.jp/info/”, and the mount point cannot be correctly completed.

  The present invention has been made in view of the above-described problems, and the purpose thereof is to perform mount point information complementation more accurately without requiring special development on the internal server side and without using Cookie. It is in providing a reverse proxy system that can be performed.

  In order to achieve the above object, a reverse proxy system according to the present invention is a reverse proxy system using a reverse proxy that relays an access request from an external client to an internal server, and identifies the internal server from the external client. When there is a first access request with a first external address including mount point information, the first external address is converted into an internal address unique to the internal server using the mount point information, and the corresponding When there is a first conversion process for delivering the first access request to an internal server, and when there is a response from the internal server to the first access request of the external client, the internal address related to the response is changed to the mount point. Second to convert to the first external address containing information An address conversion unit that executes conversion processing, and when there is the first access request, at least one of the first conversion processing and the second conversion processing related to the first access request, An access history in which the mount point information and first location information indicating the location of the target file of the first access request are extracted from an address, and the mount point information and the first location information are stored in association with each other as access history information When there is a second access request from the storage unit and the external client with a second external address that does not include the mount point information, the second external address indicates the location of the target file of the second access request. 2 position information is extracted, and the second position information and a part or all of the second position information are extracted using the second position information as a key. Address complement means for searching the access history information having the first location information to pass through, extracting the mount point information, and converting the second external address to the internal address using the mount point information; The first feature is to include

  The reverse proxy system according to the present invention having the above characteristics includes an authentication information database storing client identification information unique to the external client for each external client, and the access request from the external client to the internal server is made When the client identification information of the external client is acquired from the external client to be authenticated that has made the access request, and the client identification information of the external client to be authenticated is stored in the authentication information database. An authentication unit that authenticates the external client, wherein the access history storage unit stores the client identification information in association with the access history information, and the address complementing unit performs the second access request. Client Using the access history information having the serial client identification information, the second characterized by converting the second external address to said internal address.

  In the reverse proxy system according to the present invention of any one of the above features, the access history storage unit stores time information indicating a time when the first access request is made in association with the access history information, and the address complement A third feature is that the means converts the second external address into the internal address using the access history information having the time information within a predetermined time condition range.

  In the reverse proxy system according to the present invention having the above characteristics, when the access history storage unit stores the mount point information and the first location information acquired from the first external address as the access history information, the same When the access history information having the mount point information and the first position information is stored, the time information of the access history information already stored is used as the time information of the new first access request. Updating is a fourth feature.

  In the reverse proxy system according to the present invention having any one of the above features, the access history storage means is preset from the first external address from the highest level in the internal server when the internal server has a hierarchical structure. A fifth feature is that a layer name within a predetermined number of layers is extracted as the first position information.

  In the reverse proxy system according to the present invention having the above characteristics, when the address complementing unit has a hierarchical structure, the predetermined number of hierarchies set in advance from the second highest external address from the second external address when the internal server has a hierarchical structure. It is a sixth feature that an inner hierarchical name is extracted as the second position information.

  In the reverse proxy system according to the present invention of any one of the above features, when the address complementing unit searches the access history information using the second location information as a key when the internal server has a hierarchical structure, When the first location information including the second location information in the access history information is not searched, the hierarchy name constituting the second location information except the lowest hierarchy name is A reset process for resetting as the second position information; a search process for searching for the access history information using the second position information as a key; and the first position information including the second position information in the access history information. It is a seventh feature that the second position information is repeatedly executed until the second position information cannot be reset or is searched.

  In the reverse proxy system according to the present invention having the above characteristics, each of the access history information is configured so that the access history storage means includes a plurality of hierarchical names in the first location information when the internal server has a hierarchical structure. In the first position information, partial position information composed of hierarchical names of a predetermined number of layers from the top is obtained, and there are a plurality of integration target access history information in which the partial position information and the mount point information completely match. In an eighth aspect, an eighth feature is that an integration process of integrating the integration target access history information using the partial position information as the first position information is executed.

  According to the reverse proxy system of the above feature, when there is an access request by the first external address including the mount point information, the mount point information and the first location information of the access request target are associated and stored as access history information. Since the second external address lacking the mount point information is supplemented using the access history information, special development on the Web server side, such as setting a keyword in the Web server, as in the prior art, Since no change work is required, it can be easily applied by an existing reverse proxy system.

  Further, according to the reverse proxy system having the above characteristics, since the second external address lacking the mount point information is supplemented using the access history information, the mount point information can be more accurately detected without using Cookie. It becomes possible to complement.

  According to the reverse proxy system of the second feature, the access history information is created in association with the client identification information when there is a first access request using an authentication means for authenticating an external client. The same directory name is used in multiple internal servers, and even when there are second access requests from multiple external clients to the internal server at the same time, it is possible to more accurately infer the access request destination of the external client Thus, it becomes possible to complement the mount point information more accurately.

  According to the reverse proxy system of the third feature, the access history information is created by associating the time information indicating the time when the first access request was made with the client identification information. The name is used, and even when there is a second access request to the internal server from multiple external clients at the same time, it is possible to more accurately infer the access request destination of the external client and mount point information more accurately. It becomes possible to perform complementation.

  Also, according to the reverse proxy system of the fourth feature, the latest access history information is stored based on the time information, so that access history information considered to have become less reliable after a certain period of time is excluded. And mount point information can be complemented more accurately.

  According to the reverse proxy system of the fifth feature, when the internal server has a hierarchical structure, a hierarchical name within a predetermined number of layers set in advance from the highest hierarchical level is used as the first location information from the first external address. As a result of the extraction, the processing efficiency in creating and searching access history information can be improved. In general, it can be said that the position information of the content to be requested for access has a higher reliability as it is deeper. Therefore, as in the reverse proxy system of the fifth feature, when configured to extract the hierarchy name within the predetermined hierarchy from the highest hierarchy as the first position information, without reducing the reliability of the access history information, It becomes possible to increase the processing efficiency in creation and retrieval of access history information.

  Further, according to the reverse proxy system of the sixth feature, the hierarchy name within the predetermined hierarchy from the highest hierarchy is extracted as the second position information from the second external address, so access history information search and mount point information It is possible to further increase the processing efficiency in the complementation.

  According to the reverse proxy system of the seventh feature, even when the entire second position information does not completely match the first position information, if the first position information matches within a certain range, the first position information The mount point information corresponding to can be specified as the mount point information lacking the second access request. Accordingly, it is possible to flexibly correspond to the second external address in the second access request and improve the achievement rate of the mount point information complement.

  Furthermore, according to the reverse proxy system of the eighth feature, when the number of layers of the internal server is considerably large or the hierarchical structure is complicated, the partial position information obtained by removing the lowest hierarchy name from the first position information and the mount Since access history information with matching point information can be integrated, it is possible to increase the search efficiency of access history information.

  DESCRIPTION OF EMBODIMENTS Hereinafter, an embodiment of a reverse proxy system according to the present invention (hereinafter, abbreviated as “the present system” as appropriate) will be described with reference to the drawings.

<First Embodiment>
A first embodiment of the system of the present invention will be described with reference to FIGS.

  First, the configuration of the system 1 of the present invention will be described with reference to FIGS. Here, FIG. 1 shows a configuration example of the system 1 of the present invention and its peripheral devices, and FIG. 2 shows a schematic configuration of the system 1 of the present invention.

  In the present embodiment, the system 1 of the present invention is installed in the DMZ, has a function as an authentication authorization system that restricts browsing of the internal server 3 to a specific external client 2, and is a client terminal 2 i (i) operated by the external client 2. = 1 to m) is a reverse proxy system using a reverse proxy that relays an access request to the internal server 3. In the present embodiment, a terminal such as a PC (Personal Computer) is assumed as the client terminal 2i. In the present embodiment, for the sake of explanation, the web server 3j (j = 1 to n) such as a portal site is assumed as the internal server 3, but another server such as a mail server may be used. .

  As shown in FIG. 2, the system 1 of the present invention includes an authentication information database storing client identification information unique to the external client 2 for each external client 2 as a function related to the authentication authorization system, and the client server 2i to the Web server 3j. When there is an access request to the client, the client identification information of the external client 2 that operates the client terminal 2i is acquired from the authentication target client terminal 2i that has made the access request, and the authentication target external client 2 is stored in the authentication information database. Authentication means 14 for authenticating the external client 2 when the client identification information is stored.

  As shown in FIG. 2, the system 1 of the present invention receives a first access request from a client terminal 2i by a first external URL (corresponding to a first external address) including mount point information for specifying the Web server 3j. In addition, the first external URL is converted into an internal address unique to the Web server 3j using the mount point information, and the first access request is transferred to the corresponding Web server 3j, and the client from the Web server 3j When there is a response to the first access request of the terminal 2i, an address conversion unit 11 that executes a second conversion process for converting an internal address related to the response into a first external URL including mount point information, and a first access Mounted from the first external URL in the first conversion process related to the first access request when requested Access history storage means 12 for extracting the location information and the first location information indicating the location of the target file of the first access request, associating the mount point information and the first location information and storing them as access history information, and a client terminal When there is a second access request from 2i using a second external URL (second external address) that does not include mount point information, second location information indicating the location of the target file of the second access request from the second external URL And the second location information is used as a key to search the access history information having the first location information that is in common with the second location information to extract the mount point information, and the mount point information is used to obtain the second An address complementing means 13 for converting an external URL into an internal address and a network via a communication network 4 such as the Internet. A function for performing ant terminal 2i and data communication is configured by a communication interface 10 and a function for performing a Web server 3j data communication via the internal LAN 5.

  Hereinafter, the processing operation of the system 1 of the present invention will be described with reference to FIG. Here, FIG. 4 shows a schematic configuration example of the processing operation of the system 1 of the present invention.

  In the present embodiment, the Web server 3j has a hierarchical structure, and the first external URL is defined as “http: // [URL of the present system 1] / [prefix] / [directory] / [filename]”. The case where the internal URL is defined by “http: // [URL of Web server 3j] / [directory] / [filename]” will be described. The “[directory]” and “[filename]” portions are not necessarily provided.

  More specifically, the external URL of the Web server 3j shown in FIG. 1 is configured to start with “http://proxy.xxx.co.jp/web0j/”. In this case, “web0j” is mount point information that identifies the Web server 3j. Further, the internal URL of the Web server 3j is configured to start from “http://web0j.xxx.co.jp/” (j = 1 to n). 3A shows an example of the directory structure of the Web server 31, FIG. 3B shows an example of the directory structure of the Web server 32, and FIG. 3C shows the directory structure of the Web server 33. Each example is shown.

  As shown in FIG. 4, the system 1 of the present embodiment receives an authentication request from the client terminal 2 i (step # 121), and the authentication unit 14 instructs the client terminal 2 i as an example of client identification information. A user ID and password input request is made (step # 111).

  When the user ID and password are returned from the client terminal 2i (step # 122), the authentication unit 14 searches the authentication database that manages the user ID and password of the external client 2 that is permitted to request access to the internal server 3. When the user ID and password of the external client 2 input from the client terminal 2i are registered, the external client 2 is authenticated (step # 112).

  When the external client 2 is authenticated, the authentication unit 14 permits an access request to the internal server 3 from the client terminal 2 i operated by the authenticated external client 2.

  Subsequently, when there is an access request from the client terminal 2i operated by the authenticated external client 2 (step # 123), first, the address translation unit 11 of the present system 1 includes the mount point information in the access request. It is determined whether the request is a first access request based on the first external URL or a second access request based on the second external URL from which mount point information is missing (step # 113).

  More specifically, the address conversion unit 11 includes a mount point information table that stores mount point information for all internal servers 3 to which the system 1 of the present invention relays access requests. Here, FIG. 5 shows an example of the mount point information table. The address conversion unit 11 extracts a portion corresponding to [prefix] of the first external URL from the external URL related to the access request, and when the extracted portion is registered in the mount point information table as mount point information, It is determined that the request is a first access request by one external URL. On the other hand, when there is no registration in the mount point information table, the address conversion unit 11 determines that the second access request is based on the second external URL.

  If it is determined in step # 113 that the external URL related to the access request is the first external URL, the address conversion unit 11 converts the first external URL into the internal URL (step # 114), and the corresponding Web server The access request is relayed to 3j (step # 116).

  In step # 113, when the address conversion unit 11 determines that the access request from the client terminal 2i is the first access request, the access history storage unit 12 stores the access history information for the first access request ( Step # 115). The access history information storage process and the access request relay process to the Web server 3j may be executed simultaneously or sequentially.

  Specifically, for example, when the first external URL of the first access request is “http://proxy.xxx.co.jp/web01/WebApplication01/html/index.html”, the access history storage unit 12 The mount point information “web01” and the first location information “/ WebApplication01 / html” are extracted from the first external URL and stored as access history information in association with each other. Here, FIG. 6 shows an example of access history information. In the present embodiment, the access history information stores a user ID as client identification information, an access date / time as time information indicating a time when the first access request is met, mount point information, and first position information. Yes.

  Further, the access history storage unit 12 of the present embodiment stores the same mount point information and first position information when storing the mount point information and the first position information acquired from the first external URL as access history information. When the history information is stored, the access date and time of the access history information that is already stored is updated to the access date and time of the new first access request. If the access history information stores information other than the mount point information and the first position information, the access date is updated when all other information except the access date is completely matched. . In this embodiment, since the user ID is recorded in addition to the mount point information and the first position information, the access history information is accessed when the mount point information, the first position information, and the user ID all match. Update the date and time.

  Since the access request to the internal server 3 immediately after the authentication is considered to be the first access request by the first external URL correctly including the mount point information, the access described later is performed without executing Step # 113. The history information may be stored (step # 115) and the first access request relay process (step # 116) may be executed.

  Subsequently, when there is a response to the first access request from the internal server 3 (step # 131), the address conversion unit 11 executes a second conversion process for converting the internal URL related to the response into an external URL (step # 211). ).

  There is a second or subsequent access request from the client terminal 2i operated by the authenticated external client 2 (step # 321), and the address conversion unit 11 determines that the access request is based on the second external URL from which mount point information is missing. When it is determined that the request is the second access request (step # 311), the address complementing unit 13 uses the access history information stored by the access history storage unit 12 to specify the second external URL related to the second access request. Complement processing is performed (step # 312).

  More specifically, the address complementing unit 13 according to the present embodiment performs a predetermined time condition in the access request history storing the user ID of the external client 2 that operates the client terminal 2i that has made the second access request. The second external URL is converted into an internal address using access history information having an access date and time within a range, for example, within one year. The time condition is set to one year in this embodiment, but is set appropriately according to the usage status of the external client 2, the function of the internal server 3, and the like. The time condition may be set for each external client 2 and each internal server 3 (contents).

  Here, since the [prefix] portion of the first external URL is missing from the second external URL, the configuration of the second external URL is “http: // [URL of the system 1 of the present invention] / [ directory] / [filename] ". The “/ [filename]” portion is not necessarily provided. The address complementing means 13 extracts the [directory] part as the second position information from the second external URL. Specifically, for example, when the second external URL is “http://proxy.xxx.co.jp/WebApplication01/html/index.html”, “/ WebApplication01 / html” is extracted as the second position information. .

  When the second position information is extracted, the address complementing means 13 searches the access history information having the first position information common to the extracted second position information, and acquires the mount point information. More specifically, in the present embodiment, in the case of the access history information shown in FIG. 6, first of all of the access history information whose user ID is “1234567” and the second location information “/ WebApplication01 / html” are common. The No. 1 address history information in which the position information is stored is extracted.

  When the address history information is extracted, the address complementing means 13 uses the mount point information “/ web01” stored in the extracted No. 1 address history information, and uses the second external URL “http://proxy.xxx.co”. .Jp / WebApplication01 / html / index.html ”is converted to an internal address“ http://web01.xxx.co.jp/WebApplication01/html/index.html ”.

  The system 1 of the present invention relays an access request to the internal server 3 using the internal address supplemented by the address complementing means 13 (step # 313). When there is a response to the second access request from the internal server 3, here, the Web server 31 (step # 331), the address conversion unit 11 executes a second conversion process for converting the internal URL related to the response into an external URL. (Step # 314).

  In the present embodiment, the address complementing means 13 is configured to search for access history information having the first position information that is in common with the second position information. However, the present invention is not limited to this. You may comprise so that the access history information which has the 1st location information in common may be searched. For example, a configuration for searching access history information having first location information that matches a preset number of layers from the highest level, or a configuration for searching access history information having first location information having the highest degree of matching For example, the access history information may be searched according to other search conditions. In this case, the search success rate can be improved.

Second Embodiment
A second embodiment of the system 1 of the present invention will be described with reference to FIG. In the present embodiment, a case will be described in which the access history storage unit 12 and the address complementing unit 13 are different from the first embodiment. More specifically, in the first embodiment, the access history storage unit 12 extracts all hierarchical names (directory names) of the first external URL as the first location information. In the present embodiment, the first external URL A case will be described in which the number of hierarchies of the hierarchy name extracted from is restricted.

  The system 1 of the present embodiment is a reverse proxy system that is installed in the DMZ and has a function as an authentication authorization system, as in the first embodiment. As in the first embodiment, the system 1 of the present invention includes an authentication unit 14 that performs authentication processing of the external client 2 when the access request from the client terminal 2i to the Web server 3j is received, and a mount from the client terminal 2i. A first conversion process for converting a first external URL into an internal address and delivering the first access request to a corresponding Web server 3j when there is a first access request by a first external URL including point information; When there is a response to the first access request from the Web server 3j, there is an address conversion unit 11 that executes a second conversion process for converting an internal address related to the response into a first external URL, and a first access request. In the first conversion process related to the first access request, the mount point information and the first position information are obtained from the first external URL. When there is a second access request by the second external URL not including mount point information from the access history storage means 12 that extracts and associates and stores it as access history information, and from the client terminal 2i, the second external URL The second position information is extracted, the access history information having the first position information partially or entirely in common with the second position information is searched to extract the mount point information, and the mount point information is used to (2) An address complementing means 13 for converting an external URL into an internal address and a communication interface 10 for data communication with a user terminal via a communication network 4 such as the Internet are provided. The configurations of the authentication unit 14, the address conversion unit 11, and the communication interface 10 are the same as those in the first embodiment.

  In the present embodiment, the access history storage unit 12 starts from the first external URL from the top in the Web server 3j when the Web server 3j has a hierarchical structure in the access history storage process of Step # 115 shown in FIG. Layer names within a predetermined number of layers set in advance are extracted as the first position information.

  More specifically, for example, when the configuration is such that a hierarchy name within two layers including the highest layer is extracted as the first position information, the first external URL of the first access request is “http: // /Proxy.xxx.co.jp/web03/WebApplication01/aaa/html/index.html ”, the access history storage means 12 receives the mount point information“ web03 ”and the first location information from the first external URL. Extract “/ WebApplication01 / aaa”. Here, FIG. 7 shows an example of access history information in the present embodiment.

  In the present embodiment, the address complementing means 13 is preset from the second external URL from the top in the web server 3j when the web server 3j has a hierarchical structure in the address complementing process of step # 312 shown in FIG. The layer names within the predetermined number of layers are extracted as the second position information. In the present embodiment, as in the case of the first position information, the layer names within two layers including the highest layer are extracted as the second position information from the highest layer of the first external URL.

  More specifically, for example, when the second external URL is “http://proxy.xxx.co.jp/WebApplication01/aaa/html/index.html”, the address complementing means 13 of the present embodiment is: “/ WebApplication01 / aaa” is extracted as the second position information. When the second position information is extracted, the address complementing means 13 retrieves the access history information having the first position information common to the extracted second position information and acquires the mount point information, as in the first embodiment. To do. Here, the access history information of No. 4 having the extracted second location information “/ WebApplication01 / aaa” is extracted from the access history information shown in FIG. 7, and the mount point information “web03” is acquired.

  Subsequently, the address complementing unit 13 of the present embodiment supplements the second external URL using the mount point information “web03”, and the internal URL “http://web03.xxx.co.jp/WebApplication01/aaa”. /Html/index.html ”.

  The system 1 of the present embodiment of the present embodiment is configured to store the access history information when the Web server 3j has a hierarchical structure, in particular, when the Web server 3j has a very large number of layers or the hierarchical structure is complicated. Since the first position information and the second position information extracted from the second external URL can be simplified (degenerate), the access history information is simplified and the search efficiency of the access history information with respect to the first position information is improved. be able to.

  Furthermore, in general, even if all hierarchy names do not match, if the hierarchy names of a certain number of levels match, it can be inferred that they have the same mount point information. If the configuration is made such that the name of the hierarchy within the predetermined number of hierarchies from which the mount point information can be analogized is extracted as the second information like the address complementing means 13, the first position information and the second information are obtained as a result. In addition to the case where all the position information is common, the address history information can be uniquely searched when only a part is common. As a result, particularly when the Web server 3j has a very large number of layers or when the layer structure is complicated, the address history information can be uniquely retrieved with higher probability. It is possible to improve the conversion success rate to the external URL.

<Third Embodiment>
A third embodiment of the system 1 of the present invention will be described with reference to FIG. In the present embodiment, a case will be described in which the first location information search method of the access history information is different from the first and second embodiments.

  The system 1 of the present embodiment of the present embodiment is a reverse proxy system that is installed in the DMZ and has a function as an authentication authorization system, as in the first and second embodiments. As in the first embodiment, the system 1 of the present invention includes an authentication unit 14 that performs authentication processing of the external client 2 when the access request from the client terminal 2i to the Web server 3j is received, and a mount from the client terminal 2i. A first conversion process for converting a first external URL into an internal address and delivering the first access request to a corresponding Web server 3j when there is a first access request by a first external URL including point information; When there is a response to the first access request from the Web server 3j, there is an address conversion unit 11 that executes a second conversion process for converting an internal address related to the response into a first external URL, and a first access request. In the first conversion process related to the first access request, the mount point information and the first position information are obtained from the first external URL. When there is a second access request by the second external URL not including mount point information from the access history storage means 12 that extracts and associates and stores it as access history information, and from the client terminal 2i, the second external URL The second position information is extracted, the access history information having the first position information partially or entirely in common with the second position information is searched to extract the mount point information, and the mount point information is used to (2) An address complementing means 13 for converting an external URL into an internal address and a communication interface 10 for data communication with a user terminal via a communication network 4 such as the Internet are provided. The configurations of the authentication unit 14, the address conversion unit 11, the access history storage unit 12, and the communication interface 10 are the same as those in the first embodiment.

  In the present embodiment, in the address complementing process of step # 312 shown in FIG. 4, the address complementing means 13 has a hierarchical structure, and when the access history information is searched using the second location information as a key, When the first position information including the second position information is not searched for in the access history information, the layer name constituting the second position information excluding the lowest layer name is re-used as the second position information. A reset process for setting and a search process for searching for access history information using the second position information as a key until the first position information including the second position information in the access history information is searched, or the second position Repeat until information cannot be reset.

  Hereinafter, the operation of the address complementing means 13 in this embodiment will be described with reference to FIG. Here, FIG. 8 shows the detailed processing operation of step # 312 shown in FIG.

  In step # 312 shown in FIG. 4, the address complementing unit 13 of the present embodiment first extracts second position information from the second external URL (step # 321). More specifically, for example, when the second external URL is “http://proxy.xxx.co.jp/WebApplication01/images/jpg/***.jpg”, the address complementing means 13 is in the second position. “/ WebApplication01 / images / jpg” is extracted as information.

  Subsequently, the address complementing means 13 searches the access history information using the second position information as a key (step # 322).

  In step # 323, when the access history information having the first position information including the second position information is not searched (“NO” branch in step # 323), the address complementing unit 13 resets the second position information. It is determined whether or not it is possible (step # 324).

  More specifically, for example, when the current second location information is “/ WebApplication01 / images / jpg”, the access history information illustrated in FIG. 6 does not include access history information including the second location information. In this case, since the second position information is composed of a plurality of hierarchical names, the address complementing means 13 determines in step # 324 that the second position information can be reset.

  If it is determined in step # 324 that the second position information can be reset, that is, if the second position information is composed of a plurality of directory names ("YES" branch in step # 324), By removing the lowest hierarchy name from the second position information, it is reset as new second position information (step # 325). More specifically, for example, when the current second position information is “/ WebApplication01 / images / jpg”, the address complementing unit 13 sets “/ WebApplication01 / images” excluding the lowest hierarchy name “jpg”. Reset as new second position information.

  If it is determined in step # 324 that the second position information cannot be reset, the address complementing unit 13 outputs error information because the mount point information cannot be complemented normally. In this case, the system 1 of the present invention outputs error information to the client terminal.

  In step # 323, when access history information having the first position information including the second position information is searched ("YES" branch in step # 323), the address complementing means 13 mounts from the searched access history information. Point information is extracted (step # 327), and the second external URL is converted into an internal URL using the extracted mount point information (step # 328).

  More specifically, for example, the second location information “/ WebApplication01 / images” reset at step # 325 is included in the first location information of the access history information of No. 3 shown in FIG. In this case, the address complementing unit 13 extracts the mount point information “web01” from the access history information of No3. The address complementing means 13 uses the extracted mount point information “web01” to store the second external URL “http://proxy.xxx.co.jp/WebApplication01/images/jpg/***.jpg” It is complemented by the URL “http://web01.xxx.co.jp/WebApplication01/images/jpg/***.jpg”.

  In the present embodiment, for the sake of explanation, the description has been made assuming that the access history storage unit 12 has the same configuration as that of the first embodiment. You may comprise so that the hierarchy name of the number of hierarchy may be extracted as 1st position information.

  Further, in the present embodiment, the address complementing unit 13 performs a resetting process for setting the second position information excluding the lowest hierarchy name as new second position information when the access history information is not searched. Since the search process using the new second position information is executed, in addition to the case where the first position information and the second position information are all in common as in the second embodiment, a part of It is possible to uniquely search the address history information even when only the same is shared. As a result, particularly when the Web server 3j has a very large number of layers or when the layer structure is complicated, the address history information can be uniquely retrieved with higher probability. It is possible to improve the conversion success rate to the external URL.

<Fourth embodiment>
A third embodiment of the system 1 of the present invention will be described with reference to FIG. In the present embodiment, a case will be described in which the method of generating access history information in the access history storage unit 12 is different from that of the second embodiment.

  As in the first embodiment, the system 1 of the present invention includes an authentication unit 14 that performs authentication processing of the external client 2 when the access request from the client terminal 2i to the Web server 3j is received, and a mount from the client terminal 2i. A first conversion process for converting a first external URL into an internal address and delivering the first access request to a corresponding Web server 3j when there is a first access request by a first external URL including point information; When there is a response to the first access request from the Web server 3j, there is an address conversion unit 11 that executes a second conversion process for converting an internal address related to the response into a first external URL, and a first access request. In the first conversion process related to the first access request, the mount point information and the first position information are obtained from the first external URL. When there is a second access request by the second external URL not including mount point information from the access history storage means 12 that extracts and associates and stores it as access history information, and from the client terminal 2i, the second external URL The second position information is extracted, the access history information having the first position information partially or entirely in common with the second position information is searched to extract the mount point information, and the mount point information is used to (2) An address complementing means 13 for converting an external URL into an internal address and a communication interface 10 for data communication with a user terminal via a communication network 4 such as the Internet are provided. The configurations of the authentication unit 14, the address conversion unit 11, the address complementing unit 13, and the communication interface 10 are the same as those in the second or third embodiment.

  In this embodiment, when the internal server 3 has a hierarchical structure, the access history storage unit 12 includes, for each of the access history information in which the first location information is composed of a plurality of hierarchy names, First, the partial position information is obtained from the highest position, and the partial position information is determined as the first position information when there are a plurality of integration target access history information in which the partial position information and the mount point information completely match. As a result, integration processing for integrating the integration target access history information is executed.

  Hereinafter, the integration processing of the access history storage unit 12 in this embodiment will be described with reference to FIG. Here, FIG. 9A shows an example of access history information before integration, and FIG. 9B shows an example of access history information after integration. In this embodiment, for the sake of explanation, a case will be described in which access history information whose user ID is “1234567” and mount point information is “web03” is integrated.

  More specifically, in FIG. 9A, the access history information of NO4 and the access history information of NO5 are stored as the access history information of the user ID “1234567” and the mount point information “web03”. Since the number of hierarchies of the first position information of NO4 is 3 and the number of hierarchies of the first position information of NO5 is 4, the access history storage unit 12 sets the number of hierarchies of the partial position information to 3, for example. Then, the partial position information is compared. In this case, the partial position information of NO4 is “/ WebApplication01 / aaa / html”, and the partial position information of NO5 is “/ WebApplication01 / aaa / images”, which does not match.

  If the partial position information does not match, the access history storage unit 12 resets the number of layers of the partial position information to 2 and compares the partial position information with each other. In this case, the partial position information of NO4 is “/ WebApplication01 / aaa”, and the partial position information of NO5 is “/ WebApplication01 / aaa”, which completely matches.

  When the partial position information matches, the access history storage unit 12 integrates the access history information whose partial position information matches. Specifically, the first position information of the access history information having the latest access date and time is replaced with the partial position information, and the other access history information is deleted. More specifically, for example, the partial history information “/ WebApplication01 / aaa” of the access history information of NO4 is used as the first location information, and the access history information of NO5 is deleted. Here, FIG. 9B shows an example of the access history information after integration. As a result, the access history information can be integrated, and the address complementing means 13 can efficiently perform a search process and the like.

<Another embodiment>
<1> In the first to fourth embodiments, the case where the access history information is stored in the first conversion process has been described. However, the present invention is not limited to this. The access history information may be stored in the second conversion process, or the access history information may be stored and compared in both the first conversion process and the second conversion process.

  <2> In the first to fourth embodiments, when the access history storage unit 12 stores the access history information, if there is access history information that completely matches information other than the access date and time, it is already stored. However, the present invention is not limited to this. For example, all access history information is stored and access history information within a predetermined time condition range, for example, access history information stored within the past year is used, or information other than the access date / time is completely Of the matching access history information, only the latest access history information may be used.

  <3> In the first to fourth embodiments, the security level is set for each of the external client 2 and the internal server 3 according to, for example, the title and department name of the external client 2 and the sensitivity of the internal server 3. The access requests may be permitted or prohibited for each external client 2 according to the security level for each internal server 3 or for each content of the internal server 3.

  In such a case, one or a plurality of security groups composed of one or a plurality of external clients 2 set with the same or a predetermined range of security levels are set, and the address complementing means 13 is set separately for each external client 2. The second external URL is converted into an internal address using the access request history storing the user ID of the external client 2 belonging to the same security group as the external client 2 that has made the second access request. May be. Further, when time information such as access date and time is stored in the access request history, time conditions may be set for each internal server 3 and each content for each security level of the external client 2.

  Further, when the second external URL is converted into the internal address using the access request history for each security group, the access history information may be created for each security group.

Schematic block diagram showing a configuration example of a reverse proxy system and peripheral devices according to the present invention Schematic block diagram showing a schematic configuration example of a reverse proxy system according to the present invention Schematic block diagram showing an example of the internal server hierarchy Schematic flowchart showing an outline of processing operations of the reverse proxy system and peripheral device according to the present invention The figure which shows an example of the mount point information table used with the reverse proxy system which concerns on this invention Schematic block diagram showing a schematic configuration example of access history information generated in the first embodiment of the reverse proxy system according to the present invention Schematic block diagram showing a schematic configuration example of access history information generated in the second embodiment of the reverse proxy system according to the present invention Schematic flow chart showing an outline of processing operations related to complementation of mount point information in the third embodiment of the reverse proxy system according to the present invention Schematic block diagram showing a schematic configuration example of access history information before integration and access history information after integration in the fourth embodiment of the reverse proxy system according to the present invention Schematic block diagram showing a configuration example of a reverse proxy system and its peripheral devices according to the prior art Schematic showing a schematic operation example of a reverse proxy system according to the prior art Schematic showing a schematic operation example of a reverse proxy system according to the prior art Schematic showing a schematic operation example of a reverse proxy system according to the prior art

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Reverse proxy system 2 External client 2i Client terminal 3 Internal server 3j Web server 4 Communication network 5 Internal LAN
DESCRIPTION OF SYMBOLS 10 Communication interface 11 Address conversion means 12 Access history storage means 13 Address complementing means 14 Authentication means 15 Storage means 100 Reverse proxy system according to prior art

Claims (8)

A reverse proxy system using a reverse proxy that relays an access request from an external client to an internal server,
When there is a first access request from the external client using a first external address including mount point information for identifying the internal server, the first external address is unique to the internal server using the mount point information. The response when there is a response to the first access request of the external client from the internal server, and a first conversion process of converting the internal access address and passing the first access request to the corresponding internal server Address conversion means for performing a second conversion process for converting the internal address according to the above to the first external address including the mount point information;
When there is the first access request, at least one of the first conversion process and the second conversion process related to the first access request, the mount point information and the first Access history storage means for extracting first position information indicating a position of a target file of an access request, and storing the mount point information and the first position information in association with each other as access history information;
When there is a second access request by the second external address not including the mount point information from the external client, second location information indicating the location of the target file of the second access request from the second external address. Extracting the mount point information by extracting the access history information having the first position information partially or entirely in common with the second position information using the second position information as a key, and extracting the mount point information; Address complementing means for converting the second external address into the internal address using information;
A reverse proxy system comprising: An authentication information database storing client identification information unique to each external client is provided for each external client, and when there is an access request from the external client to the internal server, the authentication target that made the access request An authentication unit that acquires the client identification information of the external client from an external client and authenticates the external client when the client identification information of the external client to be authenticated is stored in the authentication information database,
The access history storage means stores the client identification information in association with the access history information;
The address complementing means converts the second external address into the internal address using the access history information including the client identification information of the external client that has made the second access request. Item 6. The reverse proxy system according to Item 1. The access history storage means stores time information indicating a time when the first access request is made in association with the access history information;
3. The address complementing unit converts the second external address into the internal address using the access history information having the time information within a predetermined time condition range. Reverse proxy system.   When the access history storage unit stores the mount point information and the first position information acquired from the first external address as the access history information, the access history storage unit has the same mount point information and the first position information. The access history information is stored, and the time information of the access history information already stored is updated to the time information of the new first access request. Reverse proxy system.   When the internal server has a hierarchical structure, the access history storage means uses, as the first position information, a hierarchy name within a predetermined number of hierarchies set in advance from the highest level in the internal server from the first external address. It extracts, The reverse proxy system of any one of Claims 1-4 characterized by the above-mentioned.   When the internal server has a hierarchical structure, the address complementing unit extracts, as the second position information, a hierarchical name within a predetermined number of hierarchical levels set in advance from the highest level in the internal server from the second external address. The reverse proxy system according to claim 5.   The first location where the address complementing means includes the second location information in the access history information when the internal server has a hierarchical structure and the access history information is searched using the second location information as a key. A reset process for resetting, as the second position information, the hierarchy name constituting the second position information excluding the lowest hierarchy name when the information is not searched; A search process for searching the access history information using the two position information as a key until the first position information including the second position information in the access history information is searched or the second position information is The reverse proxy system according to claim 1, wherein the reverse proxy system is repeatedly executed until setting cannot be performed. The access history storage means, when the internal server has a hierarchical structure, for each of the access history information in which the first location information is composed of a plurality of hierarchical names, To obtain partial position information consisting of a predetermined number of hierarchy names from
When there are a plurality of integration target access history information in which the partial position information and the mount point information completely match, an integration process is performed to integrate the integration target access history information using the partial position information as the first position information. The reverse proxy system according to claim 7.

Images