WO2020098773A1 - Request response method and device, edge node and authentication system - Google Patents


Publication number
WO2020098773A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
edge node
access
blacklist
service request
Application number
PCT/CN2019/118711
Other languages
French (fr)
Chinese (zh)
Inventor
王永强
Original Assignee
北京金山云网络技术有限公司
北京金山云科技有限公司
Application filed by 北京金山云网络技术有限公司, 北京金山云科技有限公司
Publication of WO2020098773A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

Definitions

  • the present application relates to the field of Internet technology, specifically, to a request response method, device, edge node, and authentication system.
  • CDN Content Delivery Network
  • the edge node is the network device closest to the user.
  • based on the user's proximity and the server load, the CDN lets the user obtain the required content from a nearby edge node.
  • the edge node of the CDN needs to perform authentication when it receives a request from user equipment to access certain specific URLs (Uniform Resource Locator) or specific encrypted data. For example, for a certain piece of encrypted data, only a limited number of user devices across the entire network are allowed to access it; once this number is exceeded, the next user device that tries to access the encrypted data is denied during authentication.
  • URLs Uniform Resource Locator
  • when user equipment requests data from the CDN's edge node, the edge node must first send an authentication request to the CDN's authentication server; only after it receives the authentication-pass information returned by the authentication server does it respond to the user equipment's data acquisition request, obtaining the data from its local cache or from the data source and sending it to the user equipment.
  • the above process lengthens the time the CDN edge node takes to return data to the user equipment. The more authentication requests the authentication server receives, the slower its feedback, which further lengthens the time until the edge node returns the first packet of data to the user equipment, lowering service quality and the user experience.
  • the present application provides a request response method, device, edge node and authentication system, which can improve the response speed of the edge node and improve the user experience.
  • an embodiment of the present application provides a request response method, which is applied to an edge node of a CDN.
  • the method includes:
  • the embodiments of the present application provide a first possible implementation manner of the first aspect, wherein the first service request includes at least one of the following: device information of the first user equipment, URL (uniform resource locator) information that the first user equipment needs to access, and identification information of encrypted data that the first user equipment needs to access.
  • the embodiments of the present application provide a second possible implementation manner of the first aspect, wherein the condition includes at least one of the following: a specified URL does not allow user equipment access; specified encrypted data does not allow user equipment access; a specified URL does not allow access by user equipment in a specified area; and specified encrypted data does not allow access by user equipment in a specified area.
  • the embodiments of the present application provide a third possible implementation manner of the first aspect, wherein, after receiving the first service request sent by the first user equipment, the method further includes:
  • the embodiments of the present application provide a fourth possible implementation manner of the first aspect, wherein the method further includes:
  • an embodiment of the present application further provides a request response device, which is applied to an edge node of a CDN.
  • the device includes:
  • a service request receiving unit configured to receive the first service request sent by the first user equipment
  • the authentication unit is configured to determine whether to respond to the first service request of the first user equipment according to the first service request and a blacklist pre-stored on the edge node, where the blacklist is used to indicate the condition under which the edge node refuses to respond to a service request sent by user equipment.
  • the embodiments of the present application provide a first possible implementation manner of the second aspect, wherein the first service request includes at least one of the following: device information of the first user equipment, URL (uniform resource locator) information that the first user equipment needs to access, and identification information of encrypted data that the first user equipment needs to access.
  • the embodiments of the present application provide a second possible implementation manner of the second aspect, wherein the condition includes at least one of the following: a specified URL does not allow user equipment access; specified encrypted data does not allow user equipment access; a specified URL does not allow access by user equipment in a specified area; and specified encrypted data does not allow access by user equipment in a specified area.
  • the embodiments of the present application provide a third possible implementation manner of the second aspect, wherein the device further includes:
  • the access request sending unit is configured to send the access request to the authentication server, so that the authentication server updates the blacklist based on the access request and the rejection rule.
  • the embodiments of the present application provide a fourth possible implementation manner of the second aspect, wherein the device further includes:
  • the blacklist receiving unit is configured to receive and save the blacklist, or the change amount of the blacklist, sent by the authentication server every set time period.
  • an embodiment of the present application further provides an edge node, including a first processor and a first memory connected to the first processor;
  • the first memory stores machine executable instructions that can be executed by the first processor, and the first processor executes the machine executable instructions to implement the method of any one of the first aspects.
  • an embodiment of the present application further provides an authentication system, including the edge node and the authentication server according to the third aspect; the authentication server is connected to at least one of the edge nodes.
  • an embodiment of the present application further provides a computer-readable storage medium that stores computer program instructions used to implement the request response method of the first aspect.
  • when receiving the first service request sent by the first user equipment, the edge node can determine whether to respond to it according to the locally stored blacklist; that is, the edge node performs authentication based on the locally stored blacklist and decides whether to respond to the first service request without waiting for the authentication server to perform authentication and feed back the result, so the response speed of the edge node and the user experience are improved.
  • FIG. 1 is a schematic diagram of a response process of a CDN edge node to a service request of a user equipment in the prior art.
  • FIG. 3 is a flowchart of an information sending method provided by another embodiment of this application.
  • FIG. 5 is a schematic diagram of a response process of a CDN edge node to a service request of a user equipment in an embodiment of the present application.
  • FIG. 6 is a structural block diagram of a request response device provided by an embodiment of the present application.
  • FIG. 7 is a structural block diagram of an information sending apparatus provided by another embodiment of this application.
  • FIG. 8 is a structural block diagram of an edge node provided by an embodiment of this application.
  • FIG. 9 is a structural block diagram of an authentication server provided by an embodiment of this application.
  • FIG. 10 is a structural block diagram of an authentication system provided by an embodiment of this application.
  • the process by which user equipment in the related art requests the edge node of the CDN to obtain data is shown in FIG. 1 and includes the following steps:
  • Step 1 The user equipment sends a data acquisition request to the edge node
  • Step 2 The edge node sends an authentication request to the authentication server of the CDN;
  • Step 3 The authentication server feeds back authentication information to the edge node
  • Step 4 The edge node sends a data access request to the upper node of the CDN;
  • Step 5 The upper node sends a data acquisition request to the source server
  • Step 6 The source server sends the data to the upper node
  • Step 7 The upper node sends the data to the edge node
  • Step 8 The edge node sends the data to the user equipment.
  • when the requested data is already in the edge node's local cache, the existing process by which user equipment requests the edge node of the CDN to obtain data includes the following steps:
  • Step 1 The user equipment sends a data acquisition request to the edge node
  • Step 2 The edge node sends an authentication request to the authentication server of the CDN;
  • Step 3 The authentication server feeds back authentication information to the edge node
  • Step 8 The edge node extracts the data from the local cache data and sends it to the user equipment.
  • the edge node must first send an authentication request to the CDN's authentication server, and only after it receives the authentication-pass information returned by the authentication server does it respond to the user device's data acquisition request. That is, between sending the authentication request and responding to the user equipment's data acquisition request, the edge node waits for the authentication server to feed back the authentication-pass information. This waiting lengthens the CDN edge node's response time for returning data to the user equipment, so the first-packet time of the data returned by the edge node becomes longer.
  • when the authentication server receives many authentication requests and its QPS (Query Per Second) is very high, the pressure on the authentication server is high and its feedback is slow, so the edge node responds more slowly, service quality falls and the user experience deteriorates.
  • QPS Query Per Second
  • embodiments of the present application provide a request response method, device, edge node, authentication server, and authentication system. The following first describes the request response method of the present application in detail.
  • An embodiment of the present application provides a request response method, which is applied to an edge node of a CDN. As shown in FIG. 2, the method includes the following steps:
  • Step 202 Receive a first service request sent by a first user equipment.
  • the user sends a first service request to the edge node of the CDN through the first user equipment.
  • the first service request may be a request to access a certain URL or a certain encrypted data.
  • the information included in the first service request may be different.
  • the first service request may include device information of the first user equipment and URL information of the uniform resource locator that the first user equipment needs to access.
  • the first service request may include device information of the first user equipment and identification information of the encrypted data that the first user equipment needs to access.
  • the device information of the first user equipment may include a device identifier, the IP (Internet Protocol) address of the user equipment, and so on.
  • Step 204 Determine whether to respond to the first service request of the first user equipment according to the first service request and the blacklist pre-stored on the edge node.
  • the blacklist is used to indicate the condition that the edge node refuses to respond to the service request sent by the user equipment.
  • the conditions may include at least one of the following: a specified URL does not allow user device access; specified encrypted data does not allow user device access; a specified URL does not allow access by user devices in a specified area; and specified encrypted data does not allow access by user devices in a specified area.
  • the edge node authenticates the first service request of the first user equipment based on the pre-stored blacklist.
  • the following uses, as an example, a blacklist indicating that a specified URL does not allow access by user equipment in a first specified area.
  • the edge node receives the service request of the first user equipment to access the URL and then determines, based on the device information of the first user equipment, whether the first user equipment belongs to the first designated area. If the first user equipment belongs to the first designated area, the edge node refuses to respond to its service request; if it does not, the edge node responds to the service request. Depending on the application scenario, the edge node may respond to the service request in different ways.
  • the edge node may send a request to access the URL to the upper node of the CDN.
  • the upper node obtains the data or link from the source server and returns it to the edge node.
  • the edge node then sends the data or link to the first user device so that the first user device can access the URL.
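The local decision of step 204, as an added example in Python that is not part of the patent or the applicant's implementation. The data layout (a set of conditions keyed by URL or encrypted-data identifier, optionally restricted to one area), the function and class names and the IP-prefix-to-area table are assumptions; the description only says that the area is determined from the device's IP address.

```python
# Added example (not from the patent): an edge node's local blacklist check
# for step 204. Names, data layout and the IP-to-area lookup are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed "area" table: the patent derives the area from the device's
# IP address; here two private prefixes stand in for two regions.
AREA_BY_PREFIX = {
    ip_network("10.1.0.0/16"): "area-1",
    ip_network("10.2.0.0/16"): "area-2",
}


def area_of(ip: str) -> Optional[str]:
    """Map a user-equipment IP address to its area (None if unknown)."""
    addr = ip_address(ip)
    for net, area in AREA_BY_PREFIX.items():
        if addr in net:
            return area
    return None


@dataclass(frozen=True)
class Condition:
    """One blacklist entry: a URL or encrypted-data id that is denied,
    either network-wide (area is None) or only for a given area."""
    kind: str                     # "url" or "data"
    target: str                   # the URL or the encrypted-data identifier
    area: Optional[str] = None


@dataclass
class ServiceRequest:
    """The first service request: device information plus what is requested."""
    device_id: str
    ip: str
    url: Optional[str] = None
    data_id: Optional[str] = None


def should_respond(req: ServiceRequest, blacklist: set[Condition]) -> bool:
    """Step 204: decide locally, without contacting the authentication server.
    Returns False when any blacklist condition matches the request."""
    req_area = area_of(req.ip)
    wanted = []
    if req.url is not None:
        wanted.append(("url", req.url))
    if req.data_id is not None:
        wanted.append(("data", req.data_id))
    for cond in blacklist:
        if (cond.kind, cond.target) not in wanted:
            continue
        # A network-wide condition always matches; an area condition matches
        # only when the device's IP address places it in that area.
        if cond.area is None or cond.area == req_area:
            return False
    return True


# Constructed blacklist: URL1 is denied for area-1 only; DATA9 network-wide.
BLACKLIST = {
    Condition("url", "http://cdn.example/URL1", area="area-1"),
    Condition("data", "DATA9"),
}

if __name__ == "__main__":
    for req in (
        ServiceRequest("dev-a", "10.1.5.5", url="http://cdn.example/URL1"),
        ServiceRequest("dev-b", "10.2.5.5", url="http://cdn.example/URL1"),
        ServiceRequest("dev-c", "10.2.5.5", data_id="DATA9"),
    ):
        verdict = "respond" if should_respond(req, BLACKLIST) else "refuse"
        print(req.device_id, verdict)
```

A device whose IP address maps to no known area is not matched by an area-restricted condition, so only network-wide conditions can refuse it; whether an unknown area should instead be refused is a policy choice the description leaves open.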
  • the blacklist stored on the edge node may be generated by the authentication server and sent to the edge node. For example, in a possible embodiment, after receiving the first service request sent by the first user equipment, the edge node may send an access request to the authentication server, so that the authentication server updates the blacklist based on the access request and the rejection rule.
  • the blacklist and the rejection rule can be preset.
  • the edge node may first determine whether to respond to the first service request of the first user equipment; if it does respond, the edge node may at the same time send an access request to the authentication server, where the access request includes the first service request of the first user equipment, so that the authentication server updates the blacklist based on the access request and the rejection rule. It should be noted that if the edge node refuses to respond to the first service request, it does not need to send an access request to the authentication server.
  • the edge node sends the access request to the authentication server, and the authentication server can perform statistics according to the access request, and generate or revise a blacklist according to the statistical results.
  • the authentication server records the information contained in the access request, such as recording the URL accessed by the IP address of the user equipment.
  • the blacklist may be formed by the authentication server according to preset rules. For example, if it is specified in advance that a certain URL only allows access by user devices with n different IP addresses, then after receiving access requests from user devices with n different IP addresses, the following condition is added to the blacklist: the specified URL does not allow access.
  • likewise, for encrypted data that only allows access by a limited number of user devices, once that number of access requests has been received the following condition is added to the blacklist: the specified encrypted data is not allowed to be accessed. If it is specified in advance that a URL only allows access by at most n different IP addresses in a specified area, whether a user device belongs to the specified area can be determined from its IP address, and after access requests from user devices with n different IP addresses in the specified area have been received, the corresponding condition is added to the blacklist: the specified URL (or encrypted data) does not allow access by user devices in the specified area. If it is detected that user equipment in the specified area goes offline, the blacklist can be dynamically adjusted to remove this condition.
  • the edge node receives and saves the blacklist, or the change amount of the blacklist, sent by the authentication server every set time period, so that the blacklist stored on the edge node stays synchronized with the blacklist on the authentication server.
  • the set time period may be set according to user needs or experience. Exemplarily, the time period may be 2 minutes.
  • when receiving a service request sent by user equipment, the edge node can determine whether to respond to it according to a locally stored blacklist; there is no need to wait for the authentication server to perform authentication and feed back the result, so the response speed of the edge node and the user experience are improved.
  • the embodiment of the present application provides another method for sending information, which is applied to the CDN authentication server. As shown in FIG. 3, the method includes the following steps:
  • Step S302 When receiving the access request sent by the edge node, count the access request.
  • the required statistical information can differ. For example, suppose URL1 is only allowed to be accessed by user devices with n different IP addresses across the entire network. Then the number of IP addresses accessing URL1 can be counted: when an access request shows a user device with IP address IP1 requesting access to URL1, the count is increased by 1, and when the count reaches n it is known that the number of IP addresses accessing URL1 has reached n.
  • Step S304 Adjust the blacklist according to the statistical results.
  • Step S306 Send the blacklist or the change amount of the blacklist to each edge node connected to the authentication server every set time period.
  • the change amount of the blacklist refers to the change of the blacklist between the current transmission and the last transmission, including the increased content, the decreased content, and the changed content in the blacklist.
  • the set time period can be 2 minutes.
  • FIG. 4 shows an interaction diagram between an authentication server and an edge node.
  • the authentication server may be connected to multiple edge nodes.
  • edge node A and edge node B are used as examples for illustration.
  • when edge node A receives the first service request, it determines whether to respond to the first service request of the first user equipment according to the first service request and the blacklist pre-stored on edge node A, without waiting for feedback from the authentication server.
  • the blacklist is used to indicate the condition that the edge node A refuses to respond to the service request sent by the user equipment.
  • the edge node A determines to respond to the first service request of the first user equipment, it will generate an access request according to the first service request of the first user equipment and send it to the authentication server.
  • the authentication server performs statistics based on the received access request, and adjusts the blacklist based on the statistical results.
  • the edge node B receives the second service request sent by the second user equipment, the execution logic is the same as that of the edge node A.
  • the second user equipment and the first user equipment may be the same user equipment or different user equipment; this is not limited here.
  • the authentication server receives the access requests sent by each edge node, performs statistics and adjusts the blacklist. Every set time period, the authentication server sends the blacklist to each edge node synchronously, so that the blacklist on each edge node is consistent with the authentication server.
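The authentication server's counting, blacklist adjustment and periodic change-amount synchronization (steps S302 to S306) together with the FIG. 4 exchange between the server and edge nodes A and B, as one added Python example that is not the patent's or the applicant's code. The rejection rule (at most n distinct IP addresses per URL or encrypted-data identifier, optionally per area), the class and method names, the IP-to-area lookup and the offline-device handling are assumptions drawn from the description above; the edge node's own blacklist check is not repeated here, only the copy of the blacklist that each edge node keeps in sync.

```python
# Added example (not from the patent): authentication-server statistics,
# blacklist adjustment and change-amount sync to edge nodes. All names and
# rule values are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Condition:
    """One blacklist entry (see the edge-node check): kind is "url" or "data"."""
    kind: str
    target: str
    area: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """Rejection rule: at most max_ips distinct IP addresses may access the
    target, network-wide if area is None, otherwise within that area only."""
    kind: str
    target: str
    max_ips: int
    area: Optional[str] = None


@dataclass
class Delta:
    """Change amount of the blacklist between two sends (S306)."""
    added: frozenset
    removed: frozenset


class AuthServer:
    def __init__(self, rules, area_of: Callable[[str], Optional[str]]):
        self.rules = list(rules)
        self.area_of = area_of          # assumed IP -> area lookup
        self.seen = {}                  # rule -> set of IPs that accessed it
        self.blacklist = set()
        self.last_sent = set()

    def record_access(self, kind: str, target: str, ip: str) -> None:
        """S302/S304: count the access; add a condition once a rule is exhausted."""
        for rule in self.rules:
            if (rule.kind, rule.target) != (kind, target):
                continue
            if rule.area is not None and self.area_of(ip) != rule.area:
                continue                # outside the rule's area: not counted
            ips = self.seen.setdefault(rule, set())
            ips.add(ip)
            if len(ips) >= rule.max_ips:
                self.blacklist.add(Condition(rule.kind, rule.target, rule.area))

    def device_offline(self, ip: str) -> None:
        """Dynamic adjustment: a device going offline frees a slot under its rules."""
        for rule, ips in self.seen.items():
            if ip in ips:
                ips.discard(ip)
                if len(ips) < rule.max_ips:
                    self.blacklist.discard(Condition(rule.kind, rule.target, rule.area))

    def sync(self) -> Delta:
        """S306: the change amount since the previous send, then remember this send."""
        delta = Delta(frozenset(self.blacklist - self.last_sent),
                      frozenset(self.last_sent - self.blacklist))
        self.last_sent = set(self.blacklist)
        return delta


class EdgeNode:
    """Only the synchronized blacklist copy is modelled here."""
    def __init__(self, name: str):
        self.name = name
        self.blacklist = set()

    def apply(self, delta: Delta) -> None:
        self.blacklist -= set(delta.removed)
        self.blacklist |= set(delta.added)


def run_scenario():
    """Constructed FIG. 4 exchange: two edge nodes report accesses, two sync periods."""
    area_of = lambda ip: "area-1" if ip.startswith("10.1.") else None
    server = AuthServer([Rule("url", "URL1", max_ips=2),
                         Rule("data", "DATA9", max_ips=1, area="area-1")], area_of)
    node_a, node_b = EdgeNode("A"), EdgeNode("B")
    server.record_access("url", "URL1", "10.1.0.1")    # reported by edge node A
    server.record_access("url", "URL1", "10.2.0.1")    # reported by edge node B: URL1 exhausted
    server.record_access("data", "DATA9", "10.2.0.7")  # outside area-1: not counted
    first = server.sync()                              # period 1: URL1 added
    for node in (node_a, node_b):
        node.apply(first)
    server.device_offline("10.1.0.1")                  # frees a slot under the URL1 rule
    server.record_access("data", "DATA9", "10.1.0.9")  # area-1 device: DATA9 denied in area-1
    second = server.sync()                             # period 2: DATA9 added, URL1 removed
    for node in (node_a, node_b):
        node.apply(second)
    return first, second, node_a.blacklist, node_b.blacklist


if __name__ == "__main__":
    first, second, bl_a, bl_b = run_scenario()
    print("period 1:", first)
    print("period 2:", second)
    print("edge node A:", bl_a, "edge node B:", bl_b)
```

Because the edge nodes only ever receive a delta, a node that misses one period would drift from the server; sending the full blacklist periodically, which the description also allows, is the simple way to recover from that.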
  • the process of the user equipment requesting the edge node to obtain data is shown in FIG. 5 and includes the following steps:
  • Step a The user equipment sends a data acquisition request to the edge node; the edge node determines whether to respond to the user equipment request according to the pre-stored blacklist. If the response is determined, the following steps are performed:
  • Step b The edge node sends an access request to the authentication server of the CDN; at the same time, the edge node sends an access data request to the upper node of the CDN;
  • the authentication server updates the blacklist based on the access request and the rejection rule, and synchronizes the updated blacklist to the edge node every set time period.
  • Step c The upper node sends a request to obtain data to the source server
  • Step d The source server sends the data to the upper node
  • Step e The upper node sends the data to the edge node
  • Step f The edge node sends the data to the user equipment.
  • the embodiment of the present application changes the existing synchronous authentication method (sending an authentication request to the authentication server for authentication) into an asynchronous authentication method (no need to send an authentication request to the authentication server each time).
  • the edge node authenticates the user equipment according to the locally stored blacklist and does not need to receive a response from the authentication server.
  • the access request may be sent when the edge node determines to respond to the data acquisition request.
  • when the edge node determines not to respond to the data acquisition request, the authentication server does not receive an access request, so the QPS of the authentication server can be reduced; and since the edge node does not need to wait for the result of the authentication server, the time-consuming connection and communication with the authentication server is effectively eliminated, which improves the quality of service.
  • an embodiment of the present application provides a request response device, which is applied to an edge node of a CDN.
  • the device includes:
  • the service request receiving unit 61 is configured to receive the first service request sent by the first user equipment
  • the authentication unit 62 is configured to determine whether to respond to the first service request of the first user equipment according to the first service request and the blacklist pre-stored on the edge node, wherein the blacklist is used to indicate the condition under which the edge node refuses to respond to a service request sent by user equipment.
  • the first service request includes at least one of the following: device information of the first user equipment, URL information that the first user equipment needs to access, and identification information of the encrypted data that the first user equipment needs to access.
  • the conditions include at least one of the following: a specified URL does not allow user device access; specified encrypted data does not allow user device access; a specified URL does not allow access by user devices in a specified area; and specified encrypted data does not allow access by user devices in a specified area.
  • the above device may further include an access request sending unit connected to the authentication unit 62 and configured to send an access request to an authentication server, so that the authentication server updates the blacklist based on the access request and the rejection rule.
  • the above device may further include a blacklist receiving unit, which is set to receive and store the blacklist or the amount of change of the blacklist sent by the authentication server every set time period.
  • the blacklist receiving unit may be connected to the service request receiving unit 61, the authentication unit 62, or the service request receiving unit 61 and the authentication unit 62.
  • the embodiments of the present application provide an information sending device, which is applied to an authentication server of a CDN.
  • the device includes:
  • the statistics unit 71 is configured to perform statistics on the access information when receiving the access request sent by the edge node;
  • the blacklist revision unit 72 adjusts the blacklist based on statistical results.
  • the above-mentioned device may further include: a blacklist sending unit 73 configured to send the blacklist or the amount of change of the blacklist to each edge node connected to the authentication server every set time period.
  • the edge node includes a first processor 81 and a first memory 82 connected to the first processor 81, and further includes a first communication interface 84.
  • the first processor 81, the first communication interface 84, and the first memory 82 may be connected through the first bus 83.
  • the first memory 82 may include a high-speed random access memory (RAM, Random Access Memory), or may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the communication connection between this system's network element and at least one other network element (such as a cooking appliance) is achieved through at least one first communication interface 84 (which may be wired or wireless); the Internet, a wide area network, a local area network, a metropolitan area network, etc. may be used.
  • the first bus 83 may be an ISA bus, a PCI bus, an EISA bus, or the like.
  • the bus can be divided into an address bus, a data bus, and a control bus. For ease of representation, only one bidirectional arrow is used in FIG. 8, but it does not mean that there is only one bus or one type of bus.
  • the first processor 81 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the first processor 81 or instructions in the form of software.
  • the above-mentioned first processor 81 may be a general-purpose processor, and may implement or execute the disclosed methods, steps, and logical block diagrams in the embodiments of the present disclosure.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure may be directly embodied and executed by a hardware decoding processor, or may be executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a mature storage medium in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, and a register.
  • the storage medium is located in the first memory 82.
  • the first processor 81 reads the information in the first memory 82 and completes the above request response method in combination with its hardware.
  • the following operations may be implemented:
  • the edge node includes a second processor 91 and a second memory 92 connected to the second processor 91, and further includes a second communication interface 94.
  • the second processor 91, the second communication interface 94, and the second memory 92 may be connected through the second bus 93.
  • the second memory 92 may include a high-speed random access memory (RAM, Random Access Memory), and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the communication connection between the network element of the system and at least one other network element (such as a cooking appliance) is achieved through at least one second communication interface 94 (which may be wired or wireless), and the Internet, a wide area network, a local area network, a metropolitan area network, etc. may be used.
  • the second bus 93 may be an ISA bus, a PCI bus, an EISA bus, or the like.
  • the bus can be divided into an address bus, a data bus, and a control bus. For ease of representation, only one bidirectional arrow is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
  • the second processor 91 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the second processor 91 or an instruction in the form of software.
  • the above-mentioned second processor 91 may be a general-purpose processor, and may implement or execute the disclosed methods, steps, and logical block diagrams in the embodiments of the present disclosure.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure may be directly embodied and executed by a hardware decoding processor, or may be executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a mature storage medium in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, and a register.
  • the storage medium is located in the second memory 92.
  • the second processor 91 reads the information in the second memory 92 and completes the above information sending method in combination with its hardware.
  • the following operations may be implemented:
  • the blacklist or the amount of change of the blacklist is sent to each edge node connected to the authentication server.
  • an embodiment of the present application further provides a machine-readable storage medium that stores machine-executable instructions.
  • when the machine-executable instructions are called and executed by a processor, they cause the processor to implement the method described in any of the above method embodiments.
  • the system includes an authentication server 90 and an edge node 80.
  • the authentication server 90 in the system is connected to multiple edge nodes 80.
  • when receiving a service request sent by user equipment, the edge node 80 generates access information from the device information and the service request of the user equipment and sends it to the authentication server 90.
  • the edge node 80 determines, according to the locally stored blacklist, whether to respond to the service request of the user equipment.
  • the authentication server 90 performs statistics based on the received access information, and revises the blacklist according to the statistical results. Every set time period, the authentication server 90 sends the blacklist to each edge node 80 synchronously, so that the blacklist on each edge node 80 is consistent with the authentication server 90.
  • This embodiment provides a computer-readable storage medium that stores computer program instructions used to implement the request response method described in any one of the above.
  • This embodiment provides a computer program product, which when run on a computer, causes the computer to execute any of the above-mentioned request response methods.
  • the request response method, device, edge node and authentication system, computer readable storage medium, and computer program product provided by the embodiments of the present application have the same technical characteristics, so they can also solve the same technical problems and achieve the same technical effect.
  • the disclosed system and method may be implemented in other ways.
  • the device embodiments described above are only schematics.
  • the division of the units is only a division of logical functions. In actual implementation, there may be other divisions.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the functional units in the embodiments provided in this application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk, an optical disk, or other media that can store program code.
  • when receiving the first service request sent by the first user equipment, the edge node can determine, according to the locally stored blacklist, whether to respond to the first service request of the first user equipment; there is no need to wait for the authentication server to perform authentication and feed back the authentication result, so the response speed of the edge node and the user experience can be improved.


Abstract

A request response method and device, an edge node and an authentication system, belonging to the field of Internet technology. According to the request response method and device, the edge node and the authentication system provided in the embodiments of the present application, upon reception of a first service request sent by first user equipment, the edge node can determine, according to a locally stored blacklist, whether to respond to the first service request of the first user equipment. It is not necessary to wait for an authentication server to perform authentication and feed back the authentication result, so the response speed of the edge node can be improved, improving the user experience.

Description

Request response method, device, edge node and authentication system
This application claims priority to Chinese patent application No. 201811371745.3, filed with the Chinese Patent Office on November 15, 2018 and titled "Request Response Method, Device, Edge Node, and Authentication System", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of Internet technology, and in particular to a request response method, device, edge node and authentication system.
Background
A CDN (Content Delivery Network) publishes a website's content to the network devices closest to users (hereinafter called edge nodes); based on user proximity and an assessment of server load, users can obtain the content they need from a nearby node. In current content delivery networks, when a CDN edge node receives a request from user equipment to access certain specific URLs (Uniform Resource Locator) or specific encrypted data, authentication is required. For example, for a given piece of encrypted data, only a limited number of user devices across the whole network may be allowed access; once that number is exceeded, the next user device that accesses the encrypted data is denied access during authentication.
In the related art, when user equipment requests data from a CDN edge node, the edge node must first send an authentication request to the CDN's authentication server, and only after receiving an authentication-passed message from the authentication server does the edge node respond to the user equipment's data request, fetching the data from its local cache or requesting it from the origin and sending it to the user equipment.
This process lengthens the response time for the CDN edge node to return data to the user equipment. When the authentication server receives many authentication requests, it responds slowly, further lengthening the edge node's first-packet time for returning data to the user equipment, so service quality and the user experience degrade.
Summary of the invention
In view of the above problems in the prior art, the present application provides a request response method, device, edge node and authentication system, which can improve the response speed of the edge node and the user experience.
In a first aspect, an embodiment of the present application provides a request response method, applied to an edge node of a CDN, the method including:
receiving a first service request sent by first user equipment;
determining, according to the first service request and a blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, where the blacklist represents the conditions under which the edge node refuses to respond to service requests sent by user equipment.
With reference to the first aspect, an embodiment of the present application provides a first possible implementation of the first aspect, in which the first service request includes at least one of: device information of the first user equipment, information on the uniform resource locator (URL) that the first user equipment needs to access, and identification information of the encrypted data that the first user equipment needs to access.
With reference to the first aspect, an embodiment of the present application provides a second possible implementation of the first aspect, in which the conditions include at least one of: a specified URL is not permitted to be accessed by user equipment; specified encrypted data is not permitted to be accessed by user equipment; a specified URL is not permitted to be accessed by user equipment in a specified region; specified encrypted data is not permitted to be accessed by user equipment in a specified region.
With reference to the first aspect, an embodiment of the present application provides a third possible implementation of the first aspect, in which, after receiving the first service request sent by the first user equipment, the method further includes:
sending an access request to the authentication server, so that the authentication server updates the blacklist based on the access request and rejection rules.
With reference to the first aspect, an embodiment of the present application provides a fourth possible implementation of the first aspect, in which the method further includes:
receiving and storing, every set time period, the blacklist or the changes to the blacklist sent by the authentication server.
In a second aspect, an embodiment of the present application further provides a request response device, applied to an edge node of a CDN, the device including:
a service request receiving unit, configured to receive a first service request sent by first user equipment;
an authentication unit, configured to determine, according to the first service request and a blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, where the blacklist represents the conditions under which the edge node refuses to respond to service requests sent by user equipment.
With reference to the second aspect, an embodiment of the present application provides a first possible implementation of the second aspect, in which the first service request includes at least one of: device information of the first user equipment, information on the uniform resource locator (URL) that the first user equipment needs to access, and identification information of the encrypted data that the first user equipment needs to access.
With reference to the second aspect, an embodiment of the present application provides a second possible implementation of the second aspect, in which the conditions include at least one of: a specified URL is not permitted to be accessed by user equipment; specified encrypted data is not permitted to be accessed by user equipment; a specified URL is not permitted to be accessed by user equipment in a specified region; specified encrypted data is not permitted to be accessed by user equipment in a specified region.
With reference to the second aspect, an embodiment of the present application provides a third possible implementation of the second aspect, in which the device further includes:
an access request sending unit, configured to send an access request to the authentication server, so that the authentication server updates the blacklist based on the access request and rejection rules.
With reference to the second aspect, an embodiment of the present application provides a fourth possible implementation of the second aspect, in which the device further includes:
a blacklist receiving unit, configured to receive and store, every set time period, the blacklist or the changes to the blacklist sent by the authentication server.
In a third aspect, an embodiment of the present application further provides an edge node, including a first processor and a first memory connected to the first processor;
the first memory stores machine-executable instructions executable by the first processor, and the first processor executes the machine-executable instructions to implement the method of any implementation of the first aspect.
In a fourth aspect, an embodiment of the present application further provides an authentication system, including the edge node of the third aspect and an authentication server, the authentication server being connected to at least one such edge node.
In a fifth aspect, an embodiment of the present application further provides a computer-readable storage medium storing computer program instructions for implementing the request response method of the first aspect.
The embodiments of the present application bring the following beneficial effects:
With the request response method, device, edge node and authentication system provided by the embodiments of the present application, upon receiving a first service request sent by first user equipment, the edge node can determine from the locally stored blacklist whether to respond to it; that is, the edge node authenticates against the locally stored blacklist and decides whether to respond to the first service request without waiting for the authentication server to authenticate and feed back a result, so the response speed of the edge node and the user experience are improved.
Other features and advantages of the present application will be set forth in the following description, and in part will be apparent from the description or be learned by practicing the present application. The objects and other advantages of the present application are realized and attained by the structures particularly pointed out in the description, claims and drawings.
To make the above objects, features and advantages of the present application more apparent and understandable, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application and of the prior art more clearly, the drawings needed for the embodiments and the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; those of ordinary skill in the art may obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the process by which a CDN edge node responds to a service request of user equipment in the prior art;
FIG. 2 is a flowchart of a request response method provided by an embodiment of the present application;
FIG. 3 is a flowchart of an information sending method provided by another embodiment of the present application;
FIG. 4 is an interaction diagram of a request response method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of the process by which a CDN edge node responds to a service request of user equipment in an embodiment of the present application;
FIG. 6 is a structural block diagram of a request response device provided by an embodiment of the present application;
FIG. 7 is a structural block diagram of an information sending device provided by another embodiment of the present application;
FIG. 8 is a structural block diagram of an edge node provided by an embodiment of the present application;
FIG. 9 is a structural block diagram of an authentication server provided by an embodiment of the present application;
FIG. 10 is a structural block diagram of an authentication system provided by an embodiment of the present application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the drawings may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present application provided in the drawings is not intended to limit the scope of the claimed application, but merely represents selected embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
In current content delivery networks, when a CDN edge node receives a request from user equipment to access certain specific URLs (Uniform Resource Locator) or specific encrypted data, authentication is required. For example, for a given piece of encrypted data, only a limited number of user devices across the whole network may be allowed access; once that number is exceeded, the next user device that accesses the encrypted data is denied access during authentication.
Where the CDN edge node has no cached copy and must fetch the data from the origin, the process by which user equipment in the related art requests data from a CDN edge node is shown in FIG. 1 and includes the following steps:
Step 1: the user equipment sends a data acquisition request to the edge node;
Step 2: the edge node sends an authentication request to the authentication server of the CDN;
Step 3: the authentication server feeds back an authentication-passed message to the edge node;
Step 4: the edge node sends a data access request to an upper-layer node of the CDN;
Step 5: the upper-layer node sends a data acquisition request to the origin server;
Step 6: the origin server sends the data to the upper-layer node;
Step 7: the upper-layer node sends the data to the edge node;
Step 8: the edge node sends the data to the user equipment.
If the edge node's cache contains the data requested by the user equipment, the existing process by which user equipment requests data from a CDN edge node includes the following steps:
Step 1: the user equipment sends a data acquisition request to the edge node;
Step 2: the edge node sends an authentication request to the authentication server of the CDN;
Step 3: the authentication server feeds back an authentication-passed message to the edge node;
Step 8: the edge node extracts the data from its local cache and sends it to the user equipment.
In short, when existing user equipment requests data from a CDN edge node, the edge node must first send an authentication request to the CDN's authentication server, and only after receiving the authentication-passed message from the authentication server does the edge node respond to the user equipment's data request. That is, between the edge node sending the authentication request and the edge node responding to the user equipment's data request, there is a wait for the authentication server to feed back the authentication-passed message; this wait lengthens the response time for the CDN edge node to return data to the user equipment and lengthens the first-packet time of the returned data. If the authentication server receives many authentication requests and its QPS (Query Per Second) is very high, the authentication server is under heavy load and replies slowly, so the edge node responds to the user equipment even more slowly, service quality drops and the user experience suffers.
To solve the above problems, embodiments of the present application provide a request response method, device, edge node, authentication server and authentication system. The request response method of the present application is first described in detail below.
本申请实施例提供了一种请求响应方法,应用于CDN的边缘节点,如图2所示,该方法包括如下步骤:An embodiment of the present application provides a request response method, which is applied to an edge node of a CDN. As shown in FIG. 2, the method includes the following steps:
步骤202,接收第一用户设备发送的第一业务请求。Step 202: Receive a first service request sent by a first user equipment.
用户通过第一用户设备向CDN的边缘节点发送第一业务请求,第一业务请求可以是请求访问某个URL或请求访问某个加密数据等等。根据应用场景的不同,第一业务请求中所包括的信息可以不同。例如,如果第一业务请求是请求访问某个URL,则第一业务请求可以包括第一用户设备的设备信息和第一用户设备需要访问的统一资源定位符URL信息。又例如,如果第一业务请求是请求访问某个加密数据,则第一业务请求可以包括第一用户设备的设备信息和第一用户设备需要访问的加密数据的标识信息。第一用户设备的设备信息可以包括设备标识、用户设备的IP(Internet Protocol,互联网协议)地址等。The user sends a first service request to the edge node of the CDN through the first user equipment. The first service request may be a request to access a certain URL or a certain encrypted data. According to different application scenarios, the information included in the first service request may be different. For example, if the first service request is to request access to a certain URL, the first service request may include device information of the first user equipment and URL information of the uniform resource locator that the first user equipment needs to access. For another example, if the first service request is to request access to certain encrypted data, the first service request may include device information of the first user equipment and identification information of the encrypted data that the first user equipment needs to access. The device information of the first user equipment may include a device identifier, an IP (Internet Protocol, Internet Protocol) address of the user equipment, and so on.
步骤204,根据第一业务请求和边缘节点上预先存储的黑名单,确定是否响应第一用户设备的第一业务请求。Step 204: Determine whether to respond to the first service request of the first user equipment according to the first service request and the blacklist pre-stored on the edge node.
The blacklist represents the conditions under which the edge node refuses to respond to a service request sent by user equipment. The conditions may include at least one of the following: a specified uniform resource locator (URL) may not be accessed by user equipment; specified encrypted data may not be accessed by user equipment; a specified URL may not be accessed by user equipment in a specified region; specified encrypted data may not be accessed by user equipment in a specified region.
The edge node authenticates the first service request of the first user equipment against the pre-stored blacklist. Take as an example a blacklist entry stating that a specified URL may not be accessed by user equipment in a first specified region: after the edge node receives a service request from the first user equipment to access that URL, it determines from the device information of the first user equipment whether the first user equipment belongs to the first specified region. If it does, the edge node refuses to respond to the service request. If it does not, the edge node responds to the service request; the manner of responding may differ between application scenarios. For example, the edge node may send a request to access the URL to an upper-layer node of the CDN, the upper-layer node obtains the data or a link from the origin server and returns it to the edge node, and the edge node then sends the data or link to the first user equipment so that it can access the URL.
The blacklist stored on the edge node may be generated by the authentication server and sent to the edge node. For example, in one possible embodiment, after receiving the first service request sent by the first user equipment, the edge node may send an access request to the authentication server so that the authentication server updates the blacklist based on the access request and a denial rule; the denial rule may be preset.
As another example, in another possible embodiment, after receiving the first service request sent by the first user equipment, the edge node may first determine whether to respond to it; if it decides to respond, the edge node may at the same time send an access request to the authentication server, the access request including the first service request of the first user equipment, so that the authentication server updates the blacklist based on the access request and the denial rule. Note that if the edge node refuses to respond to the first service request after receiving it, it need not send an access request to the authentication server at all.
The edge node sends the access request to the authentication server, which compiles statistics from the access requests and generates or revises the blacklist according to the statistical results. For example, the authentication server records the information contained in the access request, such as which URL was accessed from the user equipment's IP address. The blacklist may be formed by the authentication server according to preset rules. For example, if it is specified in advance that a certain URL may be accessed by user equipment from only n different IP addresses, then after access requests from user equipment with n different IP addresses have been received, the following is added to the blacklist: the specified URL may not be accessed. If it is specified in advance that certain encrypted data may be accessed by user equipment from only n different IP addresses, then after access requests from user equipment with n different IP addresses have been received, the following is added to the blacklist: the specified encrypted data may not be accessed. If it is specified in advance that a certain URL may be accessed by at most n user equipment with different IP addresses within a specified region, whether the user equipment belongs to the specified region can be determined from its IP address, and after access requests from user equipment with n different IP addresses within that region have been received, the following is added to the blacklist: the specified encrypted data may not be accessed by user equipment in the specified region. If user equipment in the specified region is detected going offline, the blacklist can be adjusted dynamically and this condition removed from it.
Optionally, at every set time period the edge node receives and stores the blacklist, or the changes to the blacklist, sent by the authentication server, so that the blacklist stored on the edge node stays synchronized with the blacklist on the authentication server. The time period may be set according to user requirements or experience; for example, it may be 2 minutes.
With the request response method provided in this embodiment, when the edge node receives a service request sent by user equipment it can determine from the locally stored blacklist whether to respond; it does not have to wait for the authentication server to perform authentication and return the result, so the response speed of the edge node and the user experience are improved.
An embodiment of the present application further provides an information sending method, applied to the authentication server of a CDN. As shown in FIG. 3, the method includes the following steps:
Step S302: when an access request sent by an edge node is received, compile statistics on the access request.
The information that needs to be counted depends on the preset denial rule. For example, suppose it is specified in advance that URL1 may be accessed network-wide by user equipment from only n different IP addresses. Then the number of IP addresses that have accessed URL1 can be counted: when an access request shows user equipment with IP address IP1 requesting access to URL1, the count is incremented by 1, and when the count reaches n it is known that n IP addresses have accessed URL1.
Step S304: adjust the blacklist according to the statistical results.
Continuing the example from S302, when the count reaches n, the following is added to the blacklist: URL1 may not be accessed. Once the blacklist has been synchronized to every edge node, any further user equipment from other IP addresses that accesses URL1 will be refused.
Step S306: at every set time period, send the blacklist, or the changes to the blacklist, to each edge node connected to the authentication server.
The changes to the blacklist are the differences between the current transmission and the previous one, including entries added to, removed from, and modified in the blacklist. The set time period may be 2 minutes.
For ease of understanding, FIG. 4 shows the interaction between the authentication server and the edge nodes. As shown in FIG. 4, in a content delivery network the authentication server may be connected to multiple edge nodes; FIG. 4 uses edge node A and edge node B as examples. When edge node A receives the first service request sent by the first user equipment, it determines from the first service request and the blacklist pre-stored on edge node A whether to respond to the first service request of the first user equipment, without waiting for feedback from the authentication server. The blacklist represents the conditions under which edge node A refuses to respond to a service request sent by user equipment. If edge node A decides to respond to the first service request of the first user equipment, it generates an access request from the first service request and sends it to the authentication server. The authentication server compiles statistics on the access requests it receives and adjusts the blacklist according to the results. When edge node B receives a second service request sent by a second user equipment, the processing logic is the same as for edge node A; the second user equipment and the first user equipment may be the same user equipment or different ones, which is not limited here. The authentication server receives the access requests sent by every edge node, compiles statistics and adjusts the blacklist. At every set time period, the authentication server sends the blacklist to every edge node synchronously, so that the blacklist on each edge node is consistent with that on the authentication server.
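The following is an added example, not code from the patent or its applicant, that models the interaction just described end to end: the edge node's local blacklist check (the conditions of the first embodiment), the second embodiment's rule that an access request is forwarded only when the edge node decides to respond, the authentication server's counting of distinct IP addresses per URL and per region (steps S302 and S304), dynamic removal of a region condition when a device goes offline, and the periodic transmission of blacklist changes (step S306). The IP-prefix-to-region table, the rule shapes, and all class and function names are assumptions chosen for illustration; the page only states that the region is derived from the device's IP address. Following the condition types listed on the page, a condition added for a URL refuses every user equipment once it reaches the edge nodes, and the example also shows the window between the threshold being reached on the server and the next synchronization, during which an edge node still serves requests from its stale local copy.

```python
"""Edge-node blacklist authentication with server-side counting and delta sync.

Added example (not the patent's code). Names, rule shapes and the region
table are assumptions; the page only says the region is derived from the IP.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample mapping from IP prefix to region (assumption).
REGION_PREFIXES = {
    "region-A": ip_network("10.1.0.0/16"),
    "region-B": ip_network("10.2.0.0/16"),
}


def region_of(ue_ip: str) -> Optional[str]:
    """Derive the user equipment's region from its IP address."""
    addr = ip_address(ue_ip)
    for name, net in REGION_PREFIXES.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Condition:
    """One blacklist condition: 'this URL/data may not be accessed'."""
    kind: str                      # "url" or "data" (encrypted data identifier)
    target: str                    # the URL or the data's identification
    region: Optional[str] = None   # None: no UE at all; else: no UE in that region


def is_denied(blacklist: set, kind: str, target: str, ue_ip: str) -> bool:
    """Edge-node authentication: refuse if any stored condition matches."""
    ue_region = region_of(ue_ip)
    return any(c.kind == kind and c.target == target
               and (c.region is None or c.region == ue_region)
               for c in blacklist)


class AuthServer:
    """Counts distinct UE IPs per denial rule and adjusts the blacklist."""

    def __init__(self, deny_rules):
        self.deny_rules = deny_rules      # list of (Condition template, n)
        self.seen = defaultdict(set)      # Condition -> set of counted UE IPs
        self.blacklist = set()
        self._last_sent = set()           # copy sent at the previous sync
        self.edges = []

    def _matching_rules(self, kind, target, ue_ip):
        ue_region = region_of(ue_ip)
        for cond, limit in self.deny_rules:
            if cond.kind == kind and cond.target == target \
                    and (cond.region is None or cond.region == ue_region):
                yield cond, limit

    def record_access(self, kind, target, ue_ip):
        """S302/S304: count the IP and add the condition once n is reached."""
        for cond, limit in self._matching_rules(kind, target, ue_ip):
            self.seen[cond].add(ue_ip)
            if len(self.seen[cond]) >= limit:
                self.blacklist.add(cond)

    def device_offline(self, kind, target, ue_ip):
        """Dynamic adjustment: drop the condition if the count falls below n."""
        for cond, limit in self._matching_rules(kind, target, ue_ip):
            self.seen[cond].discard(ue_ip)
            if len(self.seen[cond]) < limit:
                self.blacklist.discard(cond)

    def sync_edges(self):
        """S306: push only the change since the last send to every edge node."""
        added = self.blacklist - self._last_sent
        removed = self._last_sent - self.blacklist
        self._last_sent = set(self.blacklist)
        for edge in self.edges:
            edge.apply_delta(added, removed)
        return added, removed


class EdgeNode:
    def __init__(self, server: AuthServer):
        self.server = server
        self.blacklist = set()
        server.edges.append(self)

    def handle(self, kind, target, ue_ip) -> bool:
        """Return True if the node responds. The access request is forwarded to
        the authentication server only in that case (second embodiment)."""
        if is_denied(self.blacklist, kind, target, ue_ip):
            return False
        self.server.record_access(kind, target, ue_ip)
        return True

    def apply_delta(self, added, removed):
        self.blacklist |= added
        self.blacklist -= removed


if __name__ == "__main__":
    srv = AuthServer([(Condition("url", "URL1"), 2),
                      (Condition("url", "URL2", "region-A"), 1)])
    edge_a, edge_b = EdgeNode(srv), EdgeNode(srv)
    print(edge_a.handle("url", "URL1", "10.1.0.5"))   # served, counted
    print(edge_b.handle("url", "URL1", "10.2.0.7"))   # served, n reached on server
    print(edge_a.handle("url", "URL1", "10.3.0.9"))   # still served: not yet synced
    print(srv.sync_edges())                            # ({URL1 condition}, set())
    print(edge_a.handle("url", "URL1", "10.3.0.9"))   # now refused locally
```

The sync window shown by the third call is the trade-off the page accepts for lower authentication-server QPS: with a 2-minute period, each edge node may serve requests the server has already decided to refuse for up to one period, so the period should be chosen with that exposure in mind.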
In the embodiment of the present application, when the data is not cached on the CDN edge node, the process by which user equipment requests data from the edge node is shown in FIG. 5 and includes the following steps:
Step a: the user equipment sends a data acquisition request to the edge node; the edge node determines from the pre-stored blacklist whether to respond to the request. If it decides to respond, the following steps are performed:
Step b: the edge node sends an access request to the authentication server of the CDN; at the same time, the edge node sends a data access request to an upper-layer node of the CDN.
The authentication server updates the blacklist based on the access request and the denial rule, and synchronizes the updated blacklist to the edge node at every set time period.
Step c: the upper-layer node sends a data acquisition request to the origin server;
Step d: the origin server sends the data to the upper-layer node;
Step e: the upper-layer node sends the data to the edge node;
Step f: the edge node sends the data to the user equipment.
From the processes shown in FIG. 1 and FIG. 5 it can be seen that the embodiment of the present application replaces the existing synchronous authentication (sending an authentication request to the authentication server for authentication) with asynchronous authentication (no authentication request has to be sent to the authentication server on every request). After user equipment initiates a service request, the edge node authenticates the user equipment against the locally stored blacklist and does not need a response from the authentication server. On the authentication server side, the access request may be sent only when the edge node decides to respond to the data acquisition request; when the edge node decides not to respond, the authentication server receives no access request, so the QPS on the authentication server is reduced. On the edge node side, there is no waiting for the authentication server's result, which is equivalent to eliminating the time spent establishing a connection and communicating with the authentication server; the edge node returns the data directly, the first-packet time is not affected, and the service quality of the edge node improves.
Corresponding to the above method embodiment, an embodiment of the present application provides a request response apparatus applied to an edge node of a CDN. As shown in FIG. 6, the apparatus includes:
a service request receiving unit 61, configured to receive the first service request sent by the first user equipment;
an authentication unit 62, configured to determine, from the first service request and the blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, where the blacklist represents the conditions under which the edge node refuses to respond to a service request sent by user equipment.
The first service request includes at least one of the following: device information of the first user equipment, the uniform resource locator (URL) that the first user equipment needs to access, and identification information of the encrypted data that the first user equipment needs to access.
The conditions include at least one of the following: a specified URL may not be accessed by user equipment; specified encrypted data may not be accessed by user equipment; a specified URL may not be accessed by user equipment in a specified region; specified encrypted data may not be accessed by user equipment in a specified region.
Optionally, the apparatus may further include an access request sending unit, connected to the authentication unit 62 and configured to send an access request to the authentication server so that the authentication server updates the blacklist based on the access request and the denial rule.
The apparatus may further include a blacklist receiving unit, configured to receive and store, at every set time period, the blacklist or the changes to the blacklist sent by the authentication server. The blacklist receiving unit may be connected to the service request receiving unit 61, to the authentication unit 62, or to both.
Corresponding to the above method embodiment, an embodiment of the present application provides an information sending apparatus applied to the authentication server of a CDN. As shown in FIG. 7, the apparatus includes:
a statistics unit 71, configured to compile statistics on the access information when an access request sent by an edge node is received;
a blacklist revision unit 72, configured to adjust the blacklist according to the statistical results.
Optionally, the apparatus may further include a blacklist sending unit 73, configured to send the blacklist or the changes to the blacklist to each edge node connected to the authentication server at every set time period.
This embodiment provides an edge node in a CDN. As shown in FIG. 8, the edge node includes a first processor 81, a first memory 82 connected to the first processor 81, and a first communication interface 84. The first processor 81, the first communication interface 84 and the first memory 82 may be connected by a first bus 83.
The first memory 82 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk storage device. The communication connection between this network element and at least one other network element (such as a cooking appliance) is implemented through at least one first communication interface 84 (wired or wireless), over the Internet, a wide area network, a local network, a metropolitan area network, or the like. The first bus 83 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one double-headed arrow is drawn in FIG. 8, but this does not mean there is only one bus or only one type of bus.
The first processor 81 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method may be completed by integrated logic circuits in hardware within the first processor 81 or by instructions in the form of software. The first processor 81 may be a general-purpose processor capable of implementing or executing the methods, steps and logical block diagrams disclosed in the embodiments of the present disclosure; a general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present disclosure may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. The storage medium is located in the first memory 82; the first processor 81 reads the information in the first memory 82 and, together with its hardware, completes the above request response method. Optionally, the following operations may be implemented:
receiving the first service request sent by the first user equipment;
determining, from the first service request and the blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, where the blacklist represents the conditions under which the edge node refuses to respond to a service request sent by user equipment.
This embodiment provides an authentication server in a CDN. As shown in FIG. 9, the authentication server includes a second processor 91, a second memory 92 connected to the second processor 91, and a second communication interface 94. The second processor 91, the second communication interface 94 and the second memory 92 may be connected by a second bus 93.
The second memory 92 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk storage device. The communication connection between this network element and at least one other network element (such as a cooking appliance) is implemented through at least one second communication interface 94 (wired or wireless), over the Internet, a wide area network, a local network, a metropolitan area network, or the like. The second bus 93 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one double-headed arrow is drawn in FIG. 9, but this does not mean there is only one bus or only one type of bus.
The second processor 91 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method may be completed by integrated logic circuits in hardware within the second processor 91 or by instructions in the form of software. The second processor 91 may be a general-purpose processor capable of implementing or executing the methods, steps and logical block diagrams disclosed in the embodiments of the present disclosure; a general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present disclosure may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. The storage medium is located in the second memory 92; the second processor 91 reads the information in the second memory 92 and, together with its hardware, completes the above information sending method. Optionally, the following operations may be implemented:
compiling statistics on the access information when an access request sent by an edge node is received;
adjusting the blacklist according to the statistical results;
sending the blacklist or the changes to the blacklist to each edge node connected to the authentication server at every set time period.
Further, an embodiment of the present application provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method described in any of the above method embodiments.
This embodiment provides an authentication system applied to a content delivery network. As shown in FIG. 10, the system includes an authentication server 90 and edge nodes 80, the authentication server 90 being connected to multiple edge nodes 80. When an edge node 80 receives a service request sent by user equipment, it generates access information from the user equipment's device information and the service request and sends it to the authentication server 90; at the same time, the edge node 80 determines from its locally stored blacklist whether to respond to the service request. The authentication server 90 compiles statistics on the received access information and revises the blacklist according to the results. At every set time period, the authentication server 90 sends the blacklist to each edge node 80 synchronously, so that the blacklist on each edge node 80 is consistent with that on the authentication server 90.
This embodiment provides a computer-readable storage medium storing the computer program instructions used to implement the request response method described in any of the above.
This embodiment provides a computer program product which, when run on a computer, causes the computer to execute the request response method described in any of the above.
The request response method, apparatus, edge node, authentication system, computer-readable storage medium and computer program product provided by the embodiments of the present application share the same technical features, and so solve the same technical problems and achieve the same technical effects.
It should be noted that, in the embodiments provided in this application, the disclosed system and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in actual implementation there may be other divisions, and multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments provided in this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are merely specific implementations of the present application, used to illustrate its technical solutions rather than to limit them, and the scope of protection of the present application is not limited to them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that any person skilled in the art may, within the technical scope disclosed in the present application, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent replacements of some of the technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and all of them fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.
Industrial applicability
With the request response method, apparatus, edge node and authentication system provided by the embodiments of the present application, when the edge node receives the first service request sent by the first user equipment it can determine from the locally stored blacklist whether to respond to the first service request of the first user equipment; it does not have to wait for the authentication server to perform authentication and return the result, so the response speed of the edge node and the user experience are improved.

Claims (15)

  1. A request response method, applied to an edge node of a CDN, the method comprising:
    receiving a first service request sent by a first user equipment;
    determining, according to the first service request and a blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, wherein the blacklist is used to represent the conditions under which the edge node refuses to respond to service requests sent by user equipment.
  2. The method according to claim 1, wherein the first service request comprises at least one of the following: device information of the first user equipment, uniform resource locator (URL) information that the first user equipment needs to access, and identification information of encrypted data that the first user equipment needs to access.
  3. The method according to claim 1, wherein the conditions comprise at least one of the following: a specified uniform resource locator (URL) is not allowed to be accessed by user equipment; specified encrypted data is not allowed to be accessed by user equipment; a specified URL is not allowed to be accessed by user equipment in a specified region; specified encrypted data is not allowed to be accessed by user equipment in a specified region.
  4. The method according to claim 1, wherein, after receiving the first service request sent by the first user equipment, the method further comprises:
    sending an access request to an authentication server, so that the authentication server updates the blacklist based on the access request and a rejection rule.
  5. The method according to claim 1, wherein, after determining whether to respond to the first service request of the first user equipment, the method further comprises:
    if it is determined to respond to the first service request of the first user equipment, sending an access request to an authentication server, so that the authentication server updates the blacklist based on the access request and a rejection rule.
  6. The method according to claim 1, wherein the method further comprises:
    receiving and storing, every set time period, the blacklist or the changes to the blacklist sent by the authentication server.
  7. A request response apparatus, applied to an edge node of a CDN, the apparatus comprising:
    a service request receiving unit, configured to receive a first service request sent by a first user equipment;
    an authentication unit, configured to determine, according to the first service request and a blacklist pre-stored on the edge node, whether to respond to the first service request of the first user equipment, wherein the blacklist is used to represent the conditions under which the edge node refuses to respond to service requests sent by user equipment.
  8. The apparatus according to claim 7, wherein the first service request comprises at least one of the following: device information of the first user equipment, uniform resource locator (URL) information that the first user equipment needs to access, and identification information of encrypted data that the first user equipment needs to access.
  9. The apparatus according to claim 7, wherein the conditions comprise at least one of the following: a specified uniform resource locator (URL) is not allowed to be accessed by user equipment; specified encrypted data is not allowed to be accessed by user equipment; a specified URL is not allowed to be accessed by user equipment in a specified region; specified encrypted data is not allowed to be accessed by user equipment in a specified region.
  10. The apparatus according to claim 7, wherein the apparatus further comprises:
    an access request sending unit, configured to send an access request to an authentication server, so that the authentication server updates the blacklist based on the access request and a rejection rule.
  11. The apparatus according to claim 10, wherein the access request sending unit is specifically configured to send the access request to the authentication server if it is determined to respond to the first service request of the first user equipment, so that the authentication server updates the blacklist based on the access request and the rejection rule.
  12. The apparatus according to claim 7, wherein the apparatus further comprises:
    a blacklist receiving unit, configured to receive and store, every set time period, the blacklist or the changes to the blacklist sent by the authentication server.
  13. An edge node, comprising a first processor and a first memory connected to the first processor;
    the first memory stores machine-executable instructions executable by the first processor, and the first processor executes the machine-executable instructions to implement the method according to any one of claims 1 to 6.
  14. An authentication system, comprising the edge node according to claim 13 and an authentication server; the authentication server is connected to at least one of the edge nodes.
  15. A computer-readable storage medium storing computer program instructions used to implement the request response method according to any one of claims 1 to 6.
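As an added illustration (not code from the patent or its applicant), the following Python sketches the edge-node side of claims 1 to 6: a local blacklist built from the four condition types of claim 3, a decision taken without contacting the authentication server, the deferred access request of claim 5, and the periodic blacklist delta of claim 6. The rule and request classes, their field names, and the sample URL and data identifier are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class DenyRule:
    """Blacklist condition (claim 3): a URL or encrypted-data id that user
    equipment, optionally only from one region, may not access."""
    kind: str                     # "url" or "data"
    target: str                   # the URL or the encrypted-data identifier
    region: Optional[str] = None  # None: the condition applies in every region

@dataclass
class ServiceRequest:
    """First service request (claim 2); region stands in for the device
    information from which the edge node derives the user's area (assumed)."""
    region: str
    url: Optional[str] = None
    data_id: Optional[str] = None

class EdgeNode:
    def __init__(self, blacklist: Iterable[DenyRule] = ()):
        self.blacklist = set(blacklist)                  # pre-stored locally (claim 1)
        self.access_requests: List[ServiceRequest] = []  # queued for the auth server

    def should_respond(self, req: ServiceRequest) -> bool:
        """Claim 1: decide from the local blacklist alone, no server round trip."""
        for rule in self.blacklist:
            if rule.region is not None and rule.region != req.region:
                continue                     # region-scoped rule for another region
            if rule.kind == "url" and req.url == rule.target:
                return False
            if rule.kind == "data" and req.data_id == rule.target:
                return False
        return True

    def handle(self, req: ServiceRequest) -> bool:
        """Claim 5: serve at once if allowed and queue an access request so the
        authentication server can apply its rejection rules afterwards."""
        allowed = self.should_respond(req)
        if allowed:
            self.access_requests.append(req)
        return allowed

    def apply_update(self, added: Iterable[DenyRule], removed: Iterable[DenyRule]) -> int:
        """Claim 6: merge a blacklist delta pushed at the set time period;
        returns the number of conditions now in force."""
        self.blacklist.difference_update(removed)
        self.blacklist.update(added)
        return len(self.blacklist)
```

Because the decision is made locally, a newly blacklisted request is only refused once the next delta arrives; the rejection itself never waits on the authentication server.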
PCT/CN2019/118711 2018-11-15 2019-11-15 Request response method and device, edge node and authentication system WO2020098773A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811371745.3 2018-11-15
CN201811371745.3A CN111193692A (en) 2018-11-15 2018-11-15 Request response method, device, edge node and authentication system

Publications (1)

Publication Number Publication Date
WO2020098773A1 true WO2020098773A1 (en) 2020-05-22

Family

ID=70710638

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118711 WO2020098773A1 (en) 2018-11-15 2019-11-15 Request response method and device, edge node and authentication system

Country Status (2)

Country Link
CN (1) CN111193692A (en)
WO (1) WO2020098773A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835773B (en) * 2020-07-15 2022-04-08 中国电子技术标准化研究院 User identity authentication system based on edge calculation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932380A (en) * 2012-11-30 2013-02-13 网宿科技股份有限公司 Distributed method and distributed system for preventing malicious attacks based on content distribution network
WO2013134211A2 (en) * 2012-03-09 2013-09-12 Interdigital Patent Holdings, Inc. Method and system for cdn exchange interconnection
CN105357190A (en) * 2015-10-26 2016-02-24 网宿科技股份有限公司 Method and system for performing authentication on access request
CN106961451A (en) * 2017-05-25 2017-07-18 网宿科技股份有限公司 Method for authenticating, right discriminating system, fringe node and authentication server in CDN

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991603A (en) * 2015-02-26 2016-10-05 阿里巴巴集团控股有限公司 Authority determination method and device
CN105897674A (en) * 2015-11-25 2016-08-24 乐视云计算有限公司 DDoS attack protection method applied to CDN server group and system
CN105871919A (en) * 2016-06-12 2016-08-17 北京六间房科技有限公司 Network application firewall system and realization method thereof
CN106357651A (en) * 2016-09-23 2017-01-25 成都知道创宇信息技术有限公司 Method for geographically limiting IP access on CDN
CN108768979B (en) * 2018-05-17 2021-04-16 网宿科技股份有限公司 Method for accessing intranet, device and system for accessing intranet

Also Published As

Publication number Publication date
CN111193692A (en) 2020-05-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19885877; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 06/07/2021))
122 Ep: pct application non-entry in european phase (Ref document number: 19885877; Country of ref document: EP; Kind code of ref document: A1)