WO2018059578A1 - Https acceleration method and system based on content distribution network - Google Patents


Info

Publication number
WO2018059578A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
session
https
unified
client
Application number
PCT/CN2017/104806
Other languages
French (fr)
Chinese (zh)
Inventor
苗辉
江桂林
杨洋
林胜恩
Original Assignee
贵州白山云科技有限公司
Application filed by 贵州白山云科技有限公司
Publication of WO2018059578A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/12 Applying verification of the received information
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • the embodiment of the invention relates to a website optimization method, and in particular to a content distribution network (CDN)-based HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) acceleration method and system.
  • CDN content distribution network
  • HTTPS Hyper Text Transfer Protocol over Secure Socket Layer
  • HTTPS security protocol is a security-oriented HTTP channel.
  • SSL layer: by adding an SSL layer beneath HTTP, transmission can be encrypted to prevent important data such as user data and transaction data from being stolen.
  • HTTPS plays a key role in protecting user privacy and preventing traffic hijacking. But at the same time, HTTPS will also reduce user access speed and increase the computing resource consumption of the web server.
  • SSL Secure Sockets Layer
  • SSL has two main types of handshake, one based on RSA and one based on Diffie-Hellman (DH).
  • the public key algorithms of RSA and DH use a lot of CPU processing power and are the slowest part of the handshake.
  • a laptop can perform a few hundred RSA encryptions per second, compared with approximately 10 million symmetric AES encryptions per second.
  • the main task of this phase is to negotiate the session key, usually a symmetric key, which is applied throughout the corresponding session; at the same time, the encryption and signing of the SSL handshake itself use the asymmetric key contained in the certificate, and using this asymmetric key consumes more computing resources than a symmetric key.
  • the server's processor is responsible for the initial key exchange of each session and subsequent data encryption and decryption. This intensive computing process puts the server under great pressure and greatly reduces other transaction processing capabilities. Therefore, the software-based SSL implementation is only applicable to scenarios that manage a small amount of SSL traffic.
  • the CDN network is characterized by small nodes with few servers each, but many nodes spread over a wide geographic area. For HTTPS acceleration in a CDN network, a software-based SSL implementation cannot meet the acceleration requirements.
  • the SSL acceleration board can effectively share the pressure of the server CPU to handle SSL transactions.
  • One or more coprocessors are used to implement SSL computing. These coprocessors may use general-purpose CPUs or custom ASIC chips and RISC instruction set chips.
  • a server with an SSL acceleration board is assigned to complete the handshake, encryption and decryption process, which wastes resources and has a high stand-alone management cost.
  • each server must hold a unique digital certificate; with so many certificates, leakage becomes easy and there are security concerns.
  • the SSL acceleration device is a standalone device with an embedded SSL acceleration board. It decrypts encrypted traffic and sends the decrypted data to the back-end server; in the opposite direction, it encrypts the plaintext data sent by the back-end server and forwards it to the client. The SSL acceleration device terminates the SSL session, so the back-end server can be freed entirely for data services or running applications, but the overall cost of an SSL acceleration device is high and it is not an ideal alternative.
  • the embodiment of the invention provides an HTTPS acceleration method and system based on a content distribution network that adopts an SSL acceleration board solution, solving the problems of a software-based SSL implementation being under heavy performance pressure and having low transaction-processing capability.
  • the SSL acceleration boards are deployed on servers at the edge nodes of the CDN network, enabling centralized management of certificates, and one SSL acceleration board can serve the encryption and decryption work of multiple customers, which solves the resource waste and high management cost of each acceleration board being bound to a specific client's requests.
  • the content distribution network-based HTTPS acceleration method includes: the content distribution network includes a content distribution network (CDN) network management center and a domain name system (DNS) redirection resolution center located in the central part, multiple CDN network edge nodes located in the edge part, and a source server located at the back end; each CDN network edge node deploys a session & cache server at the front end and a unified authentication server at the back end;
  • the HTTPS acceleration method includes:
  • Step 1 The client initiates an HTTPS access request to the CDN network edge node; the CDN network edge node allocates a session & cache server to perform a three-way handshake with the client through load balancing of the front end;
  • Step 2 During the handshake process, the assigned session & cache server is responsible for HTTPS session management.
  • the session & cache server interacts with the unified authentication server for encrypting and decrypting the private key and the user certificate, and returns the interaction result to the client;
  • Step 3 After the handshake process is completed, the session & cache server performs a cache service to provide a CDN service for the client; if the data requested by the client is cacheable, it is obtained directly from the session & cache server, and if it is non-cacheable, it is obtained from the source server.
  • the method may further include: the unified authentication server is provided with user certificates and private keys and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate; and the unified authentication server is configured to handle encryption and decryption.
  • the above method may further include: if there are multiple clients, mapping each client to a unified authentication server through the session & cache server.
  • the method may further include: deploying the number of unified authentication servers in proportion to traffic, scaling the unified authentication servers linearly, and inserting at least one SSL acceleration board into each unified authentication server.
  • the method may further include: inserting multiple SSL acceleration boards on each unified authentication server, and different SSL acceleration boards form an active/standby relationship.
  • the embodiment of the present invention further provides an HTTPS acceleration system based on a content distribution network, where the content distribution network includes a CDN network management center and a DNS redirection resolution center located in the central part, a plurality of CDN network edge nodes located in the edge part, and a source server located at the back end.
  • the HTTPS acceleration system includes the following units:
  • the HTTPS access request initiating unit is configured to execute: the client initiates an HTTPS access request to the CDN network edge node;
  • the three-way handshake initiation unit is configured to perform: the CDN network edge node allocates a corresponding session & cache server through front-end load balancing and performs a three-way handshake with the client;
  • the three-way handshake processing unit is configured to perform: during the handshake process, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the interaction result to the client;
  • the HTTPS access response unit is configured to perform: after the handshake process is completed, the session & cache server performs a cache service to provide a CDN service for the client; for the data requested by the client, if it is cacheable it is obtained directly from the session & cache server, and if it is non-cacheable it is obtained from the source server.
  • the system may further include: the unified authentication server is provided with user certificates and private keys and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate; and the unified authentication server is configured to handle encryption and decryption.
  • the system may further include: the three-way handshake processing unit is further configured to perform the following operations: if there are multiple clients, the clients are mapped to a unified authentication server through the session & cache server.
  • the above system may further include: the number of unified authentication servers scales linearly with traffic, the unified authentication servers are expanded linearly, and at least one SSL acceleration board is plugged into each unified authentication server.
  • the above system may further include: inserting multiple SSL acceleration boards on each unified authentication server, and different SSL acceleration boards form an active/standby relationship.
  • the embodiments of the present invention effectively combine the technical advantages of the SSL acceleration board and the CDN network edge node, and have the following advantages:
  • the unified authentication server performs encryption and decryption work by means of the plugged-in SSL acceleration boards. Depending on customers' needs, software schemes can also be deployed on the unified authentication server, such as a scheme in which the CDN server applies for the certificate itself, or Cloudflare's keyless-SSL scheme; the embodiments of the present invention support these effectively.
  • the interaction with the front-end server takes place within the edge node, which reduces the round-trip time (RTT) between servers and improves efficiency.
  • the SSL acceleration board can be linearly extended in the edge unified authentication server cluster to increase its transaction processing capability without affecting centralized management and saving expansion costs.
  • FIG. 1 is a schematic diagram of client access according to an embodiment of the present invention.
  • An embodiment of the present invention provides an HTTPS acceleration method based on a content distribution network, where the content distribution network includes a CDN network management center and a DNS redirection resolution center located in the central part, a plurality of CDN network edge nodes located in the edge part, and a source server located at the back end.
  • the central part of the CDN network management center and the DNS redirection analysis center are responsible for global load balancing, and the equipment system is installed in the management center equipment room.
  • the CDN network edge node is the carrier for CDN distribution. It mainly consists of a cache and a load balancer. Each CDN network edge node deploys session & cache servers at the front end and a unified authentication server (UAS) at the back end. Multiple session & cache servers are provided; they are responsible for HTTPS session management and interact with the back-end unified authentication server, and after the interaction is completed their role changes to that of a cache server providing CDN services to the client. In an optional example, the session & cache server performs these functions using configured OpenSSL and Nginx software.
  • the unified authentication server is provided with multiple user certificates and private keys, and integrates several SSL acceleration boards (such as Intel or NAVIMN), which is the main processing server for user encryption and decryption.
  • SSL acceleration board: single-card throughput can usually reach 20 Gbps, and the processing rates for 1024-bit RSA and 2048-bit RSA encryption and decryption are 35K-200K qps and 6K-35K qps respectively.
  • the unified authentication server can be run on Linux (RedHat/CentOS, Debian and Ubuntu, and others), other Unix operating systems (including FreeBSD) and Microsoft Windows servers.
  • each unified authentication server can be shared, that is, multiple unified authentication servers can use the same certificate, or one unified authentication server can correspond to one user certificate.
  • the unified authentication server is stateless, which allows customers to use off-the-shelf hardware and to deploy unified authentication servers at a scale that follows traffic; by running multiple unified authentication servers and load balancing through DNS, the customer's site can be kept highly available.
  • the source server contains cacheable data and non-cacheable data.
  • the cacheable data is used to update the cache with the session & cache server.
  • the non-cacheable data is used by the client after establishing a session with the edge node.
  • the HTTPS acceleration method of the embodiment of the present invention includes the following steps:
  • Step 1 The client initiates HTTPS access, and allocates a corresponding session & cache server through the front-end load balancing to initiate a three-way handshake (RSA/DH) process.
  • the client is an end user on the network who may browse web pages with a currently popular browser (Chrome, Firefox, IE, etc.); client 1, client 2 and client 3 in the figure represent clients accessing the websites of different accelerated customers, such as Sina, Tencent and Netease;
  • Step 2 During the handshake process, the session & cache server interacts with the unified authentication server for the encryption and decryption of the private key and the user certificate (depending on different implementations), and returns the interaction result to the client; for multiple clients, The session & cache server maps each client to a unified authentication server, so that each client shares the hardware acceleration capability of the unified authentication server;
  • Step 3 After the handshake process is completed, the session & cache server performs the cache service to provide the CDN service for the client, and the client uses the CDN service normally. For the data requested by the client, if the data is cacheable it is obtained directly from the server at the edge node; if it is non-cacheable it is obtained from the source server.
  • Step 4 The number of unified authentication servers can be deployed in proportion to the traffic.
  • the unified authentication servers can be scaled linearly, with at least one SSL acceleration board inserted into each server to cope with larger-scale SSL transaction processing requirements; boards can also be arranged as active/standby pairs for fault handling.
  • the embodiment of the present invention further provides an HTTPS acceleration system based on a content distribution network, where the content distribution network includes a CDN network management center and a DNS redirection resolution center located in the central part, a plurality of CDN network edge nodes located in the edge part, and a source server located at the back end.
  • the HTTPS acceleration system includes the following units:
  • the HTTPS access request initiating unit is configured to execute: the client initiates an HTTPS access request to the CDN network edge node;
  • the three-way handshake initiation unit is configured to perform: the CDN network edge node allocates a corresponding session & cache server through the load balancing of the front end, and performs a three-way handshake with the client;
  • the three-way handshake processing unit is configured to perform: during the handshake process, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the interaction result to the client; if there are multiple clients, each client is mapped to a unified authentication server through the session & cache server, so that the clients share the hardware acceleration capability of the unified authentication server.
  • the HTTPS access response unit is configured to perform: after the handshake process is completed, the session & cache server performs a cache service to provide a CDN service for the client; for the data requested by the client, if it is cacheable it is obtained directly from the session & cache server, and if it is non-cacheable it is obtained from the source server.
  • the unified authentication server is provided with user certificates and private keys and integrates a plurality of SSL acceleration boards; one or more unified authentication servers correspond to one user certificate; and the unified authentication server is configured to handle encryption and decryption;
  • the number of unified authentication servers can be deployed in proportion to the traffic.
  • the unified authentication servers can be scaled linearly, with several SSL acceleration boards inserted into each server to cope with larger-scale SSL transaction processing requirements; boards can also be arranged as active/standby pairs for fault handling.
  • the embodiments of the present invention effectively combine the technical advantages of the SSL acceleration board and the CDN network edge node, and have the following advantages:
  • depending on customers' needs, software schemes can also be deployed on the unified authentication server, such as a scheme in which the CDN server applies for the certificate itself, or Cloudflare's keyless-SSL scheme; the embodiments of the present invention support these effectively.
  • the interaction with the front-end server takes place within the edge node, which reduces the round-trip time (RTT) between servers and improves efficiency.
  • the SSL acceleration board can be linearly extended in the edge unified authentication server cluster to increase its transaction processing capability without affecting centralized management and saving expansion costs.
  • computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • communication media typically embody computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery media.
  • the embodiment of the present invention uses the SSL acceleration board to replace the encryption and decryption work of the common edge server, so that the edge server reduces the load and deploys the SSL acceleration board to the unified verification server, which greatly reduces the CPU consumption of the common edge server and improves the efficiency.
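The split between the front-end session & cache server and the back-end unified authentication server described in Steps 1 to 3 above, as an added example in Go that is not part of the patent: the session server completes a TLS handshake with a client while the customer's private key stays inside the UAS, which answers only signing requests on handshake digests. All identifiers (UnifiedAuthServer, remoteSigner, HandshakeViaUAS, the certificate for www.example.test) are constructed for this example; an in-process call stands in for the network hop between the two servers, and software RSA stands in for the SSL acceleration board.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// UnifiedAuthServer stands in for the edge node's back-end UAS: it alone holds the customer's key.
type UnifiedAuthServer struct {
	key     *rsa.PrivateKey
	certDER []byte
	signs   int64 // private-key operations served so far
}

// NewUnifiedAuthServer generates a throwaway RSA key and self-signed certificate for cn (constructed).
func NewUnifiedAuthServer(cn string) (*UnifiedAuthServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &UnifiedAuthServer{key: key, certDER: der}, nil
}

// SignDigest is the UAS's only exposed private-key operation: it signs a handshake digest, never traffic.
func (u *UnifiedAuthServer) SignDigest(digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&u.signs, 1)
	if pss, ok := opts.(*rsa.PSSOptions); ok {
		return rsa.SignPSS(rand.Reader, u.key, pss.Hash, digest, pss)
	}
	return rsa.SignPKCS1v15(rand.Reader, u.key, opts.HashFunc(), digest)
}

// remoteSigner is all the session & cache server holds: the public key plus a handle to the UAS.
// It satisfies crypto.Signer, so crypto/tls calls it and the private key never leaves the UAS.
type remoteSigner struct {
	pub crypto.PublicKey
	uas *UnifiedAuthServer
}

func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }
func (r *remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return r.uas.SignDigest(digest, opts) // an in-node network round trip in a real deployment
}

// HandshakeViaUAS runs one handshake with the key only in uas and returns the UAS signature count and TLS version.
// TLS 1.2 is pinned so the exchange completes over synchronous net.Pipe; the same split serves TLS 1.3 CertificateVerify.
func HandshakeViaUAS(uas *UnifiedAuthServer, serverName string) (int64, uint16, error) {
	leaf, err := x509.ParseCertificate(uas.certDER)
	if err != nil {
		return 0, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	srvCfg := &tls.Config{MaxVersion: tls.VersionTLS12, Certificates: []tls.Certificate{{
		Certificate: [][]byte{uas.certDER}, // the front end receives the chain and public key only
		PrivateKey:  &remoteSigner{pub: leaf.PublicKey, uas: uas},
	}}}
	cliCfg := &tls.Config{MaxVersion: tls.VersionTLS12, RootCAs: roots, ServerName: serverName}
	cliConn, srvConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	cli := tls.Client(cliConn, cliCfg)
	if err = cli.Handshake(); err == nil {
		err = <-srvErr
	}
	if err != nil {
		return 0, 0, err
	}
	return atomic.LoadInt64(&uas.signs), cli.ConnectionState().Version, nil
}

func main() {
	uas, err := NewUnifiedAuthServer("www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println(HandshakeViaUAS(uas, "www.example.test")) // 1 771 <nil>: one UAS signature, TLS 1.2
}
```

Because the signer interface is all the front end sees, the UAS can enforce per-customer policy and log every private-key operation, which is the control a defender wants on a key server shared by many edge servers.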

Abstract

Embodiments of the present invention disclose an HTTPS acceleration method and system based on a content distribution network. The method comprises: step 1), a client initiating an HTTPS access request to a CDN network edge node, and the CDN network edge node allocating, via front-end load balancing, a session and cache server to perform a three-way handshake with the client; step 2), during the handshake, the allocated session and cache server performing HTTPS session management while interacting with a centralized authentication server for the encryption/decryption work involving the private key and the user certificate, and returning the result of the interaction to the client; and step 3), after the handshake is completed, the session and cache server launching a cache service to provide the client with a CDN service, wherein, if the data requested by the client is cacheable, it is acquired directly from the session and cache server, and if it is non-cacheable, it is acquired from a source server.

Description

HTTPS acceleration method and system based on a content distribution network
This application claims priority to Chinese patent application No. 201610873442.6, entitled "HTTPS acceleration method and system based on a content distribution network", filed with the China Patent Office on September 30, 2016, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the invention relate to a website optimization method, and in particular to an HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) acceleration method and system based on a content distribution network (Content Delivery Network, CDN).
Background
The HTTPS security protocol is an HTTP channel whose goal is security: by adding an SSL layer beneath HTTP, transmission can be encrypted so that important data such as user data and transaction data cannot be stolen. HTTPS plays a critical role in protecting user privacy and preventing traffic hijacking. At the same time, however, HTTPS reduces user access speed and increases the computing resource consumption of the website's servers.
In an SSL session, the most computationally intensive part is the Secure Sockets Layer (SSL) handshake phase. SSL has two main handshake types, one based on RSA and one based on Diffie-Hellman (DH). The RSA and DH public-key algorithms consume a great deal of CPU processing power and are the slowest part of the handshake. A laptop can perform a few hundred RSA encryptions per second, compared with roughly ten million symmetric AES encryptions per second. The main job of this phase is to negotiate the session key, which is usually a symmetric key applied throughout the corresponding session; meanwhile, the encryption and signing of the SSL handshake itself use the asymmetric key contained in the certificate, and using this asymmetric key consumes more computing resources than a symmetric key.
In a software-based SSL implementation, the server's processor is responsible for the initial key exchange of each session and for the subsequent encryption and decryption of data. This intensive computation places the server under great pressure and greatly reduces its capacity for other transaction processing. Software-based SSL implementations are therefore only suitable for scenarios that manage a small amount of SSL traffic. A CDN network, by contrast, is characterized by small nodes with few servers each, but many nodes spread over a wide geographic area. For HTTPS acceleration in a CDN network, a software-based SSL implementation clearly cannot meet the acceleration requirements.
Given this situation, CDN vendors have proposed hardware-based SSL acceleration solutions, such as SSL acceleration boards or SSL acceleration devices.
An SSL acceleration board can effectively offload the pressure of SSL transaction processing from the server CPU. One or more coprocessors implement the SSL computation; these coprocessors may be general-purpose CPUs, or custom ASIC chips and RISC instruction-set chips. However, for each customer access a server fitted with an SSL acceleration board must be assigned to complete the handshake and the encryption/decryption process, which wastes resources and also carries a high per-machine management cost. In addition, each server must hold a unique digital certificate; with so many certificates, leakage becomes easy and there are security concerns.
Secondly, an SSL acceleration device is a standalone device with an embedded SSL acceleration board. It decrypts encrypted traffic and sends the decrypted data to the back-end server; in the opposite direction, it encrypts the plaintext data sent by the back-end server and forwards it to the client. The SSL acceleration device terminates the SSL session, so the back-end server can be freed entirely for data services or running applications, but the overall cost of an SSL acceleration device is high, and it is not an ideal alternative.
发明内容Summary of the invention
以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this document. This Summary is not intended to limit the scope of the claims.
本发明实施例提出一种基于内容分发网络的HTTPS加速方法和系统,采用SSL加速板卡方案,解决了基于软件的SSL实现的性能承受压力大、事务处理能力低效的问题;并将SSL加速板卡部署在CDN网络边缘节点的服务器上,对证书实现集中式管理,且一张SSL加速板卡能够服务多个客户进行加解密工作,解决了每个加速板卡只绑定特定客户端请求的资源浪费、管理成本高的问题。The embodiment of the invention provides an HTTPS acceleration method and system based on a content distribution network, which adopts an SSL acceleration board solution, and solves the problem that the performance of the software-based SSL implementation is under pressure and the transaction processing capability is inefficient; and the SSL is accelerated. The board is deployed on the server of the edge node of the CDN network to implement centralized management of the certificate, and an SSL acceleration board can serve multiple clients for encryption and decryption, which solves the problem that each acceleration board is only bound to a specific client request. The problem of wasted resources and high management costs.
The CDN-based HTTPS acceleration method provided by embodiments of the invention is defined as follows. The content distribution network comprises, in its central part, a CDN network management center and a DNS redirection resolution center; in its edge part, a plurality of CDN edge nodes; and, at the back end, the origin servers. Each CDN edge node deploys session & cache servers at its front end and unified authentication servers at its back end.

The HTTPS acceleration method comprises:

Step 1: the client initiates an HTTPS access request to a CDN edge node; the edge node, through its front-end load balancing, assigns one session & cache server, which performs the three-way handshake with the client;

Step 2: during the handshake, the assigned session & cache server is responsible for HTTPS session management and at the same time interacts with a unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the result of that interaction to the client;

Step 3: once the handshake is complete, the session & cache server provides the CDN caching service to the client; data requested by the client is served directly from the session & cache server if it is cacheable and fetched from the origin server if it is not.

The method may further comprise: the unified authentication server holds user certificates and private keys and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate; and the unified authentication server is configured to perform the encryption and decryption.

The method may further comprise: when there are multiple clients, the session & cache server maps each client to one unified authentication server.

The method may further comprise: deploying the number of unified authentication servers in linear proportion to traffic and scaling them out linearly, with at least one SSL acceleration board plugged into each unified authentication server.

The method may further comprise: plugging multiple SSL acceleration boards into each unified authentication server, the boards forming an active/standby relationship.
Embodiments of the invention also provide a CDN-based HTTPS acceleration system. The content distribution network comprises, in its central part, a CDN network management center and a DNS redirection resolution center; in its edge part, a plurality of CDN edge nodes; and, at the back end, the origin servers. Each CDN edge node deploys session & cache servers at its front end and unified authentication servers at its back end.

The HTTPS acceleration system comprises the following units:

an HTTPS access request initiating unit, configured to: have the client initiate an HTTPS access request to the CDN edge node;

a three-way handshake initiating unit, configured to: have the CDN edge node assign, through its front-end load balancing, a corresponding session & cache server that performs the three-way handshake with the client;

a three-way handshake processing unit, configured to: during the handshake, have the assigned session & cache server manage the HTTPS session and at the same time interact with the unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the result of that interaction to the client;

an HTTPS access response unit, configured to: once the handshake is complete, have the session & cache server provide the CDN caching service to the client; data requested by the client is served directly from the session & cache server if it is cacheable and fetched from the origin server if it is not.

The system may further comprise: the unified authentication server holds user certificates and private keys and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate; and the unified authentication server is configured to perform the encryption and decryption.

The system may further comprise: the three-way handshake processing unit is further configured to: when there are multiple clients, map each client to one unified authentication server through the session & cache server.

The system may further comprise: the number of unified authentication servers is deployed in linear proportion to traffic and scaled out linearly, with at least one SSL acceleration board plugged into each unified authentication server.

The system may further comprise: multiple SSL acceleration boards plugged into each unified authentication server, the boards forming an active/standby relationship.
Embodiments of the invention combine the respective technical strengths of SSL acceleration boards and CDN edge nodes, with the following advantages:

(1) SSL acceleration boards take over the encryption and decryption work of ordinary edge servers, which lightens the load on the edge servers; deploying the boards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and raises efficiency.

(2) One SSL acceleration board serves the encryption and decryption work of several customers, moving from one-to-one service to one-to-N, which saves CDN vendors considerable cost.

(3) Instead of one SSL acceleration board managing one certificate, N customers now use one SSL acceleration board and certificates are managed centrally, so the volume of certificate management shrinks greatly and per-machine management cost drops substantially.

(4) Besides doing encryption and decryption through the plugged-in SSL acceleration board, the unified authentication server can run additional software according to customers' needs, for example a scheme in which the CDN server requests certificates itself, or Cloudflare's Keyless SSL scheme; embodiments of the invention support these effectively. Because the interaction with the front-end server takes place within the same edge node, inter-server round-trip time (RTT) is reduced and efficiency improves.

(5) SSL acceleration boards can be scaled out linearly within the edge unified authentication server cluster to raise transaction throughput, without affecting centralized management and while saving expansion cost.
Brief description of the drawings

The drawings described here provide a further understanding of the embodiments of the invention and form part of this application; the illustrative embodiments and their descriptions explain the embodiments of the invention and do not improperly limit them. In the drawings:

FIG. 1 is a schematic diagram of client access according to an embodiment of the invention.
Detailed description

Embodiments of the invention are described further below with reference to the drawings and specific implementations.

Embodiments of the invention provide a CDN-based HTTPS acceleration method. The content distribution network comprises, in its central part, a CDN network management center and a DNS redirection resolution center; in its edge part, a plurality of CDN edge nodes; and, at the back end, the origin servers.

The CDN network management center and the DNS redirection resolution center in the central part are responsible for global load balancing; their equipment is installed in the management center's machine room.
A CDN edge node is the carrier of CDN distribution and consists mainly of caches and load balancers. Each CDN edge node deploys session & cache servers at its front end and unified authentication servers (UAS) at its back end. There are several session & cache servers; they are responsible for HTTPS session management and interact with the back-end unified authentication servers. Once that interaction is complete, a session & cache server switches to the role of cache server and provides the CDN service to the client. In one optional example, the session & cache server implements these functions with suitably configured OpenSSL and Nginx. There are several unified authentication servers; each holds user certificates and private keys and integrates a number of SSL acceleration boards (such as Intel or NAVIMN boards), and they are the main processing servers for customers' encryption and decryption. A single SSL acceleration board typically reaches a throughput of 20 Gbps, with processing rates of 35K-200K qps for 1024-bit RSA and 6K-35K qps for 2048-bit RSA operations. The unified authentication server can run on Linux (RedHat/CentOS, Debian, Ubuntu and others), on other Unix systems (including FreeBSD) and on Microsoft Windows Server.

The user certificates on the unified authentication servers can be shared, that is, several unified authentication servers may use the same certificate, or each unified authentication server may correspond to one user certificate. The unified authentication server is stateless, lets customers use off-the-shelf hardware, and is deployed in numbers proportional to traffic; by running multiple unified authentication servers behind DNS load balancing, the customer's site is kept highly available.

The origin server holds cacheable and non-cacheable data. Cacheable data is used to refresh the cache on the session & cache servers; non-cacheable data is fetched from the origin after the client has established its session with the edge node.
On the basis of this content distribution network, and with reference to the schematic diagram of FIG. 1, the HTTPS acceleration method of an embodiment of the invention comprises the following steps:

Step 1: the client initiates HTTPS access; the front-end load balancing assigns a corresponding session & cache server, and the handshake is started (the TCP three-way handshake, followed by the TLS handshake with RSA or DH key exchange). The client is an end user on the network, typically browsing web pages with a current browser (Chrome, Firefox, IE and so on); client 1, client 2 and client 3 in the figure represent clients visiting different accelerated customer websites, for example Sina, Tencent and NetEase respectively;

Step 2: during the handshake, the session & cache server interacts with the unified authentication server for the encryption and decryption work involving the private key and the user certificate (the exact exchange depends on the scheme implemented) and returns the result to the client. With multiple clients, the session & cache server maps each client to one unified authentication server, so that every client shares the hardware acceleration capacity of the unified authentication server;

Step 3: once the handshake is complete, the session & cache server provides the CDN caching service and the client uses the CDN service normally; data requested by the client is served directly from the edge node's servers if it is cacheable and fetched from the origin server if it is not.

Step 4: the number of unified authentication servers can be deployed in linear proportion to traffic; when expansion is needed, the unified authentication servers are scaled out linearly, with at least one SSL acceleration board plugged into each server to meet larger SSL transaction loads, or boards are arranged as active/standby pairs to handle failures.
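Steps 1 to 3 above, modelled end to end as an added example; this code is not from the patent or the applicant. It assumes a Schnorr signature over the RFC 3526 group-14 safe-prime group in place of the RSA or ECDSA signature a real certificate key would produce (so that the example runs on the Python standard library alone), a single HMAC in place of the TLS key-derivation function, the constructed hostnames www.example.com and www.example.net as two accelerated customers, and a direct function call in place of the edge-to-UAS channel, which in a real deployment must be mutually authenticated and encrypted. What it shows is the division of labour the patent describes: the session & cache server owns the session state and the ephemeral Diffie-Hellman exchange and holds only certificates, while the unified authentication server holds the customers' private keys, is selected per hostname (SNI), and performs exactly one private-key operation per handshake.

```python
"""Keyless-style handshake: the session & cache server at the CDN edge runs the
TLS session and the ephemeral DH; the unified authentication server (UAS) holds
the customers' private keys and only signs.  Added example, not patent code.
Assumptions: Schnorr over the RFC 3526 group-14 safe prime stands in for the
certificate's RSA/ECDSA signature; key derivation is one HMAC, not the TLS PRF;
the edge-to-UAS call stands in for a mutually authenticated channel."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime, generator 2 of prime order q = (p-1)/2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q, G, NBYTES = (P - 1) // 2, 2, 256


def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def _hash_to_q(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def gen_keypair():
    """Long-term key of one customer certificate: (private x, public y)."""
    x = _rand_exp()
    return x, pow(G, x, P)


def schnorr_sign(x: int, msg: bytes):
    k = _rand_exp()
    e = _hash_to_q(pow(G, k, P).to_bytes(NBYTES, "big"), msg)
    return e, (k - x * e) % Q


def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P          # g^(k-xe) * g^(xe) = g^k
    return _hash_to_q(r.to_bytes(NBYTES, "big"), msg) == e


def ske_digest(client_random: bytes, server_random: bytes, server_pub: int) -> bytes:
    """What the UAS signs: both randoms and the edge's ephemeral DH value."""
    return hashlib.sha256(client_random + server_random + server_pub.to_bytes(NBYTES, "big")).digest()


def derive_master(shared: int, client_random: bytes, server_random: bytes) -> bytes:
    return hmac.new(client_random + server_random, shared.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


class UnifiedAuthServer:
    """Back-end box with the SSL acceleration board: one private key per customer,
    selected by hostname.  It signs digests handed to it and never exports a key."""
    def __init__(self, private_keys: dict):
        self._keys = private_keys
        self.sign_count = 0

    def sign(self, hostname: str, digest: bytes):
        if hostname not in self._keys:
            raise KeyError(f"UAS holds no private key for {hostname}")
        self.sign_count += 1
        return schnorr_sign(self._keys[hostname], digest)


class SessionCacheServer:
    """Front-end edge server: owns session state, certificates (public keys only)
    and the ephemeral DH; delegates the one private-key operation to the UAS."""
    def __init__(self, certs: dict, uas: UnifiedAuthServer):
        self.certs, self.uas = certs, uas
        self._pending = {}   # session_id -> (b, client_random, server_random)
        self.sessions = {}   # session_id -> master secret

    def server_hello(self, sni: str, client_random: bytes) -> dict:
        session_id, server_random, b = secrets.token_hex(8), secrets.token_bytes(32), _rand_exp()
        server_pub = pow(G, b, P)
        sig = self.uas.sign(sni, ske_digest(client_random, server_random, server_pub))
        self._pending[session_id] = (b, client_random, server_random)
        return {"session_id": session_id, "server_random": server_random,
                "cert": self.certs[sni], "server_pub": server_pub, "sig": sig}

    def client_key_exchange(self, session_id: str, client_pub: int) -> None:
        b, client_random, server_random = self._pending.pop(session_id)
        self.sessions[session_id] = derive_master(pow(client_pub, b, P), client_random, server_random)


def client_handshake(sni: str, edge: SessionCacheServer, trusted_certs: dict):
    """Client: ClientHello -> check cert and signed ServerKeyExchange -> ClientKeyExchange."""
    client_random = secrets.token_bytes(32)
    hello = edge.server_hello(sni, client_random)
    if hello["cert"] != trusted_certs[sni]:
        raise ValueError("certificate does not match the trusted one for " + sni)
    digest = ske_digest(client_random, hello["server_random"], hello["server_pub"])
    if not schnorr_verify(hello["cert"], digest, hello["sig"]):
        raise ValueError("bad ServerKeyExchange signature")
    a = _rand_exp()
    edge.client_key_exchange(hello["session_id"], pow(G, a, P))
    return hello["session_id"], derive_master(pow(hello["server_pub"], a, P), client_random, hello["server_random"])


def demo():
    """Two constructed customers share one UAS; each handshake costs exactly one
    UAS signature, and client and edge must arrive at the same master secret."""
    tenants = ["www.example.com", "www.example.net"]
    keys = {h: gen_keypair() for h in tenants}
    uas = UnifiedAuthServer({h: x for h, (x, _) in keys.items()})
    trusted = {h: y for h, (_, y) in keys.items()}       # what clients pin
    edge = SessionCacheServer(dict(trusted), uas)        # edge holds certs only
    agreed = {}
    for h in tenants:
        sid, client_master = client_handshake(h, edge, trusted)
        agreed[h] = hmac.compare_digest(client_master, edge.sessions[sid])
    return agreed, uas.sign_count


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns, for each hostname, whether client and edge derived the same master secret, plus the number of signatures the UAS performed (two handshakes, two signatures). A hostname the UAS has no key for raises KeyError before any session state is created on the edge, and an edge fronting a different key pair for the same hostname is rejected by the client, because the signature binds both randoms and the server's DH value and the certificate must match the one the client trusts.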
Embodiments of the invention also provide a CDN-based HTTPS acceleration system. The content distribution network comprises, in its central part, a CDN network management center and a DNS redirection resolution center; in its edge part, a plurality of CDN edge nodes; and, at the back end, the origin servers. Each CDN edge node deploys session & cache servers at its front end and unified authentication servers at its back end. The HTTPS acceleration system comprises the following units:

an HTTPS access request initiating unit, configured to: have the client initiate an HTTPS access request to the CDN edge node;

a three-way handshake initiating unit, configured to: have the CDN edge node assign, through its front-end load balancing, a corresponding session & cache server that performs the three-way handshake with the client;

a three-way handshake processing unit, configured to: during the handshake, have the assigned session & cache server manage the HTTPS session and at the same time interact with the unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the result to the client; when there are multiple clients, the session & cache server maps each client to one unified authentication server, so that every client shares the hardware acceleration capacity of the unified authentication server;

an HTTPS access response unit, configured to: once the handshake is complete, have the session & cache server provide the CDN caching service to the client; data requested by the client is served directly from the session & cache server if it is cacheable and fetched from the origin server if it is not.

Here the unified authentication server holds user certificates and private keys and integrates a number of SSL acceleration boards; one or more unified authentication servers correspond to one user certificate, and the unified authentication server is configured to perform the encryption and decryption. The number of unified authentication servers can be deployed in linear proportion to traffic; when expansion is needed, they are scaled out linearly, with several SSL acceleration boards plugged into each server to meet larger SSL transaction loads, or boards are arranged as active/standby pairs to handle failures.
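The mapping of clients to one unified authentication server, the linear scale-out of the UAS pool and the active/standby arrangement of boards described above, worked as an added example; this code is not from the patent or the applicant. The patent specifies neither the mapping algorithm nor the failover policy, so the consistent-hash ring keyed by hostname, its virtual-node count, the first-healthy-board-is-active rule and the fall-through to the next UAS on the ring are this example's choices; the UAS names, board names and the 200 tenant hostnames are constructed, and the board's private-key operation is a placeholder hash rather than a real RSA operation.

```python
"""Routing customers to unified authentication servers (UAS) and failing over
between the SSL acceleration boards inside one UAS.  Added example, not patent
code.  Assumptions: the consistent-hash ring, its virtual-node count and the
active/standby policy are this example's choices (the patent only says each
client maps to one UAS and UAS count scales linearly with traffic); UAS and
board names are constructed; the board's private-key operation is a placeholder."""
import bisect
import hashlib


def _h(s: str) -> int:
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class AccelBoard:
    """One SSL acceleration board.  Placeholder operation: a real board would
    perform the RSA/ECDSA private-key operation on the digest."""
    def __init__(self, name: str):
        self.name, self.healthy, self.ops = name, True, 0

    def private_key_op(self, digest: bytes) -> bytes:
        if not self.healthy:
            raise RuntimeError(self.name + " is down")
        self.ops += 1
        return hashlib.sha256(self.name.encode() + digest).digest()


class UnifiedAuthServer:
    """A UAS with several boards: the first healthy board in slot order is active,
    the rest are standby and take over when it fails."""
    def __init__(self, name: str, boards):
        self.name, self.boards = name, boards

    def active_board(self) -> AccelBoard:
        for board in self.boards:
            if board.healthy:
                return board
        raise RuntimeError(self.name + ": no healthy SSL acceleration board")

    def sign(self, digest: bytes):
        board = self.active_board()
        return board.name, board.private_key_op(digest)


class UasRing:
    """Consistent-hash ring of UAS: a hostname always lands on the same UAS, and
    adding a UAS moves only the hostnames in the segments it takes over."""
    def __init__(self, servers, vnodes: int = 64):
        self.vnodes, self._ring, self.servers = vnodes, [], {}
        for s in servers:
            self.add(s)

    def add(self, server: UnifiedAuthServer) -> None:
        self.servers[server.name] = server
        for i in range(self.vnodes):
            bisect.insort(self._ring, (_h(f"{server.name}#{i}"), server.name))

    def remove(self, name: str) -> None:
        del self.servers[name]
        self._ring = [(h, n) for h, n in self._ring if n != name]

    def pick(self, hostname: str, skip=()) -> UnifiedAuthServer:
        """First UAS clockwise from hash(hostname) that is not in `skip`."""
        if not self._ring:
            raise RuntimeError("no UAS deployed")
        start = bisect.bisect(self._ring, (_h(hostname), ""))
        for k in range(len(self._ring)):
            _, name = self._ring[(start + k) % len(self._ring)]
            if name not in skip:
                return self.servers[name]
        raise RuntimeError("every UAS has been skipped")


class EdgeKeyRouter:
    """Runs on the session & cache server: sends a hostname's private-key work to
    its UAS, and on a whole-UAS failure walks on to the next UAS on the ring."""
    def __init__(self, ring: UasRing):
        self.ring = ring

    def sign(self, hostname: str, digest: bytes):
        skipped = []
        while True:
            uas = self.ring.pick(hostname, skip=skipped)
            try:
                board, result = uas.sign(digest)
                return uas.name, board, result
            except RuntimeError:
                skipped.append(uas.name)


def make_uas(name: str, cards: int = 2) -> UnifiedAuthServer:
    return UnifiedAuthServer(name, [AccelBoard(f"{name}/card{i}") for i in range(cards)])


def demo():
    hosts = [f"tenant{i}.example" for i in range(200)]      # constructed customers
    ring = UasRing([make_uas(f"uas-{i}") for i in range(4)])
    router = EdgeKeyRouter(ring)
    before = {h: ring.pick(h).name for h in hosts}
    ring.add(make_uas("uas-4"))                              # linear scale-out
    after = {h: ring.pick(h).name for h in hosts}
    moved = sum(before[h] != after[h] for h in hosts)
    host, digest = hosts[0], bytes(32)
    uas = ring.pick(host)
    uas.boards[0].healthy = False                            # active card fails
    _, card, _ = router.sign(host, digest)
    for board in uas.boards:                                 # whole UAS fails
        board.healthy = False
    other, _, _ = router.sign(host, digest)
    return {"moved": moved, "standby_card": card, "home_uas": uas.name, "failover_uas": other}


if __name__ == "__main__":
    print(demo())
```

`demo()` exercises the three properties that matter operationally: a customer's private-key work always lands on the same UAS, so that server is the only place its key has to be provisioned; adding a fifth UAS moves only about a fifth of the customers (the returned `moved` count out of 200) rather than reshuffling everyone; and when the active card in a customer's UAS fails, its standby card answers from the same server, while only a whole-UAS failure is routed on to the next UAS on the ring.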
Embodiments of the invention combine the respective technical strengths of SSL acceleration boards and CDN edge nodes, with the following advantages:

(1) SSL acceleration boards take over the encryption and decryption work of ordinary edge servers, which lightens the load on the edge servers; deploying the boards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and raises efficiency.

(2) One SSL acceleration board serves the encryption and decryption work of several customers, moving from one-to-one service to one-to-N, which saves CDN vendors considerable cost.

(3) Instead of one SSL acceleration board managing one certificate, N customers now use one SSL acceleration board and certificates are managed centrally, so the volume of certificate management shrinks greatly and per-machine management cost drops substantially.

(4) Besides doing encryption and decryption through the plugged-in SSL acceleration board, the unified authentication server can run additional software according to customers' needs, for example a scheme in which the CDN server requests certificates itself, or Cloudflare's Keyless SSL scheme; embodiments of the invention support these effectively. Because the interaction with the front-end server takes place within the same edge node, inter-server round-trip time (RTT) is reduced and efficiency improves.

(5) SSL acceleration boards can be scaled out linearly within the edge unified authentication server cluster to raise transaction throughput, without affecting centralized management and while saving expansion cost.
A person of ordinary skill in the art should understand that the technical solutions of the invention may be modified or replaced by equivalents without departing from their spirit and scope, and that all such modifications fall within the scope of the claims.

A person of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatus, may be implemented as software, firmware, hardware or a suitable combination of these. In a hardware implementation, the division between the functional modules/units mentioned in the description above does not necessarily correspond to the division between physical components; for example, one physical component may have several functions, or one function or step may be carried out by several physical components cooperating. Some or all of the components may be implemented as software executed by a processor such as a digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (non-transitory media) and communication media (transitory media). As is well known to those of ordinary skill in the art, the term computer storage media covers volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Moreover, it is well known to those of ordinary skill in the art that communication media typically carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.
Industrial applicability

Embodiments of the invention use SSL acceleration boards in place of the encryption and decryption work of ordinary edge servers, which lightens the load on the edge servers; deploying the SSL acceleration boards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and raises efficiency. One SSL acceleration board serves the encryption and decryption work of several customers, moving from one-to-one service to one-to-N, which saves CDN vendors considerable cost. Instead of one SSL acceleration board managing one certificate, N customers now use one SSL acceleration board and certificates are managed centrally, so the volume of certificate management shrinks greatly and per-machine management cost drops substantially.

Claims (10)

  1. An HTTPS acceleration method based on a content distribution network, wherein: the content distribution network comprises a content distribution network (CDN) network management center and a domain name system (DNS) redirection resolution center located in a central part, a plurality of CDN edge nodes located in an edge part, and origin servers located at the back end; each CDN edge node deploys session & cache servers located at the front end and unified authentication servers located at the back end;
    the HTTPS acceleration method comprising:
    step 1: a client initiates an HTTPS access request to a CDN edge node; the CDN edge node assigns, through front-end load balancing, a session & cache server that performs a three-way handshake with the client;
    step 2: during the handshake, the assigned session & cache server is responsible for HTTPS session management and at the same time interacts with a unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the result of the interaction to the client;
    step 3: after the handshake is complete, the session & cache server provides a CDN caching service to the client; data requested by the client is obtained directly from the session & cache server if it is cacheable and from the origin server if it is not.
  2. The HTTPS acceleration method according to claim 1, wherein: the unified authentication server holds a user certificate and a private key and integrates at least one SSL acceleration board, one or more unified authentication servers correspond to one user certificate, and the unified authentication server is configured to perform the encryption and decryption.
  3. The HTTPS acceleration method according to claim 2, wherein: step 2 further comprises, when there are multiple clients, mapping each client to one unified authentication server through the session & cache server.
  4. The HTTPS acceleration method according to claim 1, 2 or 3, wherein: the HTTPS acceleration method further comprises deploying the number of unified authentication servers in linear proportion to traffic and scaling the unified authentication servers out linearly, with at least one SSL acceleration board plugged into each unified authentication server.
  5. The HTTPS acceleration method according to claim 1, 2 or 3, wherein: the HTTPS acceleration method further comprises plugging multiple SSL acceleration boards into each unified authentication server, the SSL acceleration boards forming an active/standby relationship.
  6. An HTTPS acceleration system based on a content distribution network, wherein: the content distribution network comprises a CDN network management center and a DNS redirection resolution center located in a central part, a plurality of CDN edge nodes located in an edge part, and origin servers located at the back end; each CDN edge node deploys session & cache servers located at the front end and unified authentication servers located at the back end;
    the HTTPS acceleration system comprising the following units:
    an HTTPS access request initiating unit, configured to: have a client initiate an HTTPS access request to a CDN edge node;
    a three-way handshake initiating unit, configured to: have the CDN edge node assign, through front-end load balancing, a corresponding session & cache server that performs a three-way handshake with the client;
    a three-way handshake processing unit, configured to: during the handshake, have the assigned session & cache server manage the HTTPS session and at the same time interact with a unified authentication server for the encryption and decryption work involving the private key and the user certificate, returning the result of the interaction to the client;
    an HTTPS access response unit, configured to: after the handshake is complete, have the session & cache server provide a CDN caching service to the client; data requested by the client is obtained directly from the session & cache server if it is cacheable and from the origin server if it is not.
  7. The HTTPS acceleration system according to claim 6, wherein: the unified authentication server holds a user certificate and a private key and integrates at least one SSL acceleration board, one or more unified authentication servers correspond to one user certificate, and the unified authentication server is configured to perform the encryption and decryption.
  8. The HTTPS acceleration system according to claim 6, wherein: the three-way handshake processing unit is further configured to, when there are multiple clients, map each client to one unified authentication server through the session & cache server.
  9. The HTTPS acceleration system according to claim 6, 7 or 8, wherein: the number of unified authentication servers is deployed in linear proportion to traffic and the unified authentication servers are scaled out linearly, with at least one SSL acceleration board plugged into each unified authentication server.
  10. The HTTPS acceleration system according to claim 6, 7 or 8, wherein: multiple SSL acceleration boards are plugged into each unified authentication server, the SSL acceleration boards forming an active/standby relationship.
PCT/CN2017/104806 2016-09-30 2017-09-30 Https acceleration method and system based on content distribution network WO2018059578A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610873442.6A CN106341417B (en) 2016-09-30 2016-09-30 A kind of HTTPS acceleration method and system based on content distributing network
CN201610873442.6 2016-09-30

Publications (1)

Publication Number Publication Date
WO2018059578A1 true WO2018059578A1 (en) 2018-04-05

Family

ID=57839835

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/104806 WO2018059578A1 (en) 2016-09-30 2017-09-30 Https acceleration method and system based on content distribution network

Country Status (2)

Country Link
CN (2) CN106341417B (en)
WO (1) WO2018059578A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115460083A (en) * 2021-06-09 2022-12-09 贵州白山云科技股份有限公司 Security acceleration service deployment method, device, medium and equipment

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106341417B (en) * 2016-09-30 2019-11-05 贵州白山云科技股份有限公司 A kind of HTTPS acceleration method and system based on content distributing network
CN106789344B (en) * 2017-01-19 2019-11-12 上海帝联信息科技股份有限公司 Data transmission method, system, CDN network and client
CN107707514B (en) * 2017-02-08 2018-08-21 贵州白山云科技有限公司 One kind is for encrypted method and system and device between CDN node
CN107707517B (en) * 2017-05-09 2018-11-13 贵州白山云科技有限公司 A kind of HTTPs handshake methods, device and system
CN107257327B (en) * 2017-05-25 2020-12-29 中央民族大学 High-concurrency SSL session management method
CN108574687B (en) * 2017-07-03 2020-11-27 北京金山云网络技术有限公司 Communication connection establishment method and device, electronic equipment and computer readable medium
US11153289B2 (en) * 2017-07-28 2021-10-19 Alibaba Group Holding Limited Secure communication acceleration using a System-on-Chip (SoC) architecture
CN109428876B (en) * 2017-09-01 2021-10-08 腾讯科技(深圳)有限公司 Handshake connection method and device
CN109561027A (en) * 2017-09-26 2019-04-02 中兴通讯股份有限公司 Flow optimization method, load balancer and the storage medium of transparent caching
CN109842664A (en) * 2017-11-29 2019-06-04 苏宁云商集团股份有限公司 A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS
CN108401011B (en) * 2018-01-30 2021-09-24 网宿科技股份有限公司 Acceleration method and device for handshake request in content distribution network and edge node
CN108429682A (en) * 2018-02-26 2018-08-21 湖南科技学院 A kind of optimization method and system of network transmission link
CN110324365B (en) * 2018-03-28 2023-01-24 网易(杭州)网络有限公司 Keyless front-end cluster system, application method, storage medium and electronic device
CN110324290B (en) * 2018-03-30 2022-02-01 贵州白山云科技股份有限公司 Network equipment authentication method, network element equipment, medium and computer equipment
CN108804515B (en) * 2018-04-25 2021-05-28 网宿科技股份有限公司 Webpage loading method, webpage loading system and server
CN114338629A (en) * 2020-09-25 2022-04-12 北京金山云网络技术有限公司 Data processing method, device, equipment and medium
CN112187804B (en) * 2020-09-29 2023-01-20 北京金山云网络技术有限公司 Communication method and device of server, computer equipment and storage medium
US11579781B2 (en) 2020-10-23 2023-02-14 Red Hat, Inc. Pooling distributed storage nodes that have specialized hardware
CN113301159B (en) * 2021-05-26 2022-12-09 中国电子科技集团公司第五十四研究所 Service position obtaining method and device in edge computing system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7634650B1 (en) * 2004-07-22 2009-12-15 Xsigo Systems Virtualized shared security engine and creation of a protected zone
CN104732164A (en) * 2013-12-18 2015-06-24 国家计算机网络与信息安全管理中心 Device and method both for accelerating SSL (Security Socket Layer) data processing speed
CN106027646A (en) * 2016-05-19 2016-10-12 杜在东 HTTPS acceleration method and device
CN106230782A (en) * 2016-07-20 2016-12-14 腾讯科技(深圳)有限公司 A kind of information processing method based on content distributing network and device
CN106341417A (en) * 2016-09-30 2017-01-18 贵州白山云科技有限公司 Content delivery network-based HTTPS acceleration method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9531691B2 (en) * 2011-12-16 2016-12-27 Akamai Technologies, Inc. Providing forward secrecy in a terminating TLS connection proxy
US9647835B2 (en) * 2011-12-16 2017-05-09 Akamai Technologies, Inc. Terminating SSL connections without locally-accessible private keys
KR101491697B1 (en) * 2013-12-10 2015-02-11 주식회사 시큐아이 Security device including ssl acceleration card and operating method thereof
CN104702611B (en) * 2015-03-15 2018-05-25 西安电子科技大学 A kind of device and method for protecting Secure Socket Layer session key
CN105871797A (en) * 2015-11-19 2016-08-17 乐视云计算有限公司 Handshake method, device and system of client and server
CN106101007B (en) * 2016-05-24 2019-05-07 杭州迪普科技股份有限公司 Handle the method and device of message

Also Published As

Publication number Publication date
CN106341417A (en) 2017-01-18
CN110808989B (en) 2022-01-21
CN106341417B (en) 2019-11-05
CN110808989A (en) 2020-02-18

Similar Documents

Publication Publication Date Title
WO2018059578A1 (en) Https acceleration method and system based on content distribution network
US10382408B1 (en) Computing instance migration
TWI632797B (en) Systems and methods for secured backup of hardware security modules for cloud-based web services
US20150358312A1 (en) Systems and methods for high availability of hardware security modules for cloud-based web services
US11303431B2 (en) Method and system for performing SSL handshake
CN106341375B (en) Method and system for realizing encrypted access of resources
US10318747B1 (en) Block chain based authentication
US10341118B2 (en) SSL gateway with integrated hardware security module
US10623186B1 (en) Authenticated encryption with multiple contexts
US10257171B2 (en) Server public key pinning by URL
US9749354B1 (en) Establishing and transferring connections
JP2020522164A (en) Method, device and program for TLS inspection
US8132246B2 (en) Kerberos ticket virtualization for network load balancers
US9191201B1 (en) Optimizing secure communications
US20220166605A1 (en) Cryptographic Key Storage System and Method
US11621856B2 (en) Generating a domain name system container image to create an instance of a domain name system container
EP3220604B1 (en) Methods for client certificate delegation and devices thereof
US10931662B1 (en) Methods for ephemeral authentication screening and devices thereof
WO2020093609A1 (en) Block generation method, apparatus and device for blockchain, and non-volatile readable storage medium
US11805116B2 (en) Technologies for securing network function virtualization images
US11271968B2 (en) Zero round trip time transmission for anticipatory request messages
CN112235274B (en) Bank-enterprise direct connection system and method supporting multiple encryption algorithms to carry out secure communication
US11121864B1 (en) Secure private key distribution between endpoint instances
WO2022063213A1 (en) Network access method and system based on cloud delivery, and medium and device
US10819515B1 (en) Derived unique recovery keys per session

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17855028; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17855028; Country of ref document: EP; Kind code of ref document: A1)