WO2021196568A1 - Traffic flow proxy method, server, and storage medium - Google Patents

Traffic flow proxy method, server, and storage medium

Info

Publication number
WO2021196568A1
Authority
WO
WIPO (PCT)
Prior art keywords
request message
proxy
request
server
message
Application number
PCT/CN2020/122270
Other languages
French (fr)
Chinese (zh)
Inventor
吴建国
许加烜
Original Assignee
厦门网宿有限公司
Application filed by 厦门网宿有限公司
Publication of WO2021196568A1

Classifications

    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L67/56 Provisioning of proxy services (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services)
    • H04L67/63 Routing a service request depending on the request content or context (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources)
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP])
    • H04L69/22 Parsing or analysis of headers (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Definitions

  • The embodiments of the present application relate to the field of communication technologies, and in particular to a traffic proxy method, a server, and a storage medium.
  • The client establishes a connection with the proxy server.
  • The proxy server establishes a connection with the origin site.
  • The proxy server obtains the content of the origin site and then returns the obtained content to the client.
  • The purpose of the embodiments of the present application is to provide a traffic proxy method, server, and storage medium, which can help reduce the traffic proxy load of the proxy server and prevent the proxy server from having to process all proxy client requests.
  • The embodiment of the present application provides a traffic proxy method, including: receiving an HTTP request message; parsing the request message to obtain request information; judging whether the request information conforms to a preset whitelist rule; if yes, redirecting the request message to the proxy software and sending the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forwarding the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of that TCP connection.
  • The embodiment of the present application also provides a server, including a receiving module and a content identification module. The receiving module is used to receive HTTP request messages; the content identification module is used to parse the request messages to obtain request information and to determine whether the request information meets the preset whitelist rules; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the proxy server, and the proxy server records the SYN message header options of the TCP connection.
  • An embodiment of the present application also provides a server, including: at least one processor; and a memory communicatively connected with the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the above-mentioned traffic proxy method.
  • The embodiment of the present application also provides a computer storage medium storing a computer program, and the computer program, when executed by a processor, implements the above-mentioned traffic proxy method.
  • This embodiment of the application receives an HTTP request message; parses the request message to obtain request information; judges whether the request information meets the preset whitelist rule; if so, redirects the request message to the proxy software and sends the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forwards the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, so the server records the SYN packet header options of the TCP connection.
  • When the server transparently transmits the uplink messages of the TCP connection, it intercepts the HTTP request message in that connection, parses the request information, and decides whether to proxy the request message according to whether the request information meets the preset whitelist rules. This can effectively intercept insecure, offensive and other requests that are not allowed to be proxied, thereby helping to improve the security of the traffic proxy. If it is decided to proxy the request message, the request message is redirected to the proxy software for processing; if not, the request message is directly forwarded to the next hop, that is, it is not processed by the proxy software, so that the traffic to be loaded by the proxy server is filtered and the traffic load pressure on the proxy server is reduced. In addition, because the request message is redirected to the proxy software and the request information is sent to the proxy software, the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server, which shortens the time consumed by the request and response process and realizes an accelerated service for the request.
  • Before parsing the request message, the method further includes: determining whether the destination port of the TCP connection is a preset whitelist destination port; if so, parsing the request message to obtain the request information; if not, forwarding the request message to the next hop; wherein the destination port of the TCP connection is obtained by parsing the uplink messages. In this way, before the request information of the request message is used to decide whether to proxy it, a pre-filtering is performed through the destination port of the TCP connection to which the request message belongs, so as to reduce the traffic that the proxy software will load.
  • The proxy software is pre-configured with a TCP connection fast-open function, and redirecting the request message to the proxy software includes: adding the TCP handshake request flag SYN to the request message to obtain a handshake request message carrying data; and redirecting the handshake request message carrying data to the proxy software, so that the proxy software, after receiving it, confirms that a TCP connection has been established with the client that sent the request message. It is understandable that the pre-configured TCP fast-open function enables the proxy software and the client that sent the uplink messages to establish a TCP connection quickly, which speeds up the data transmission process.
  • After adding the TCP handshake request flag SYN to the request message, and before obtaining the handshake request message carrying data, the method further includes: modifying the message header options of the request message according to the recorded header options of the SYN message, so that the proxy software confirms that the message header options of the TCP connection established with the client are the same as those of the TCP connection to which the request message belongs. The client is thus unaware of the established TCP connection, and a transparent proxy to the client is realized.
  • Fig. 1 is a flowchart of a traffic proxy method according to the first embodiment of the present application.
  • Fig. 2 is a flowchart of another traffic proxy method according to the first embodiment of the present application.
  • Fig. 3 is a flowchart of a traffic proxy method according to the second embodiment of the present application.
  • Fig. 4 is a flowchart of a traffic proxy method according to the third embodiment of the present application.
  • Fig. 5 is a block diagram of the structure of a server according to the fourth embodiment of the present application.
  • Fig. 6 is a block diagram of the structure of a server according to the fifth embodiment of the present application.
  • The first embodiment of the present application relates to a traffic proxy method.
  • The specific process is shown in Fig. 1 and includes the following steps.
  • Step 101: Receive an HTTP request message.
  • Step 102: Parse the request message to obtain request information.
  • Step 103: Determine whether the request information meets the preset whitelist rules; if yes, go to step 104; if not, go to step 105.
  • Step 104: Redirect the request message to the proxy software, and send the request information to the proxy software.
  • Step 105: Forward the request message to the next hop.
  • The uplink messages of the TCP connection to which the request message belongs pass through the server; that is, the uplink messages sent by the client to establish a TCP connection with the source station pass through the server. It can be understood that the server transparently transmits the uplink messages of the above TCP connection.
  • In step 101, the server receives the HTTP request message; specifically, the HTTP request message can be directed to the server by a pre-configured routing policy.
  • In step 102, the server parses the request message to obtain the request information; specifically, the request information in this embodiment may include the requested domain name address, the requested content type, the requested content name, fields related to the requested content, and other information.
  • In step 103, the server determines whether the request information meets the preset whitelist rules; specifically, whitelist rules for the request information can be configured in the server in advance to filter the request information (for example, whitelist rules for filtering domain name addresses, whitelist rules for filtering requested content types, whitelist rules for filtering requested content names, and so on).
  • After the server parses and obtains the request information, it performs operations such as comparison or matching according to the pre-configured whitelist rules. If the parsed request information meets the preset whitelist rules, the request message is determined to be a legal request message that is allowed to be proxied, and step 104 is executed; if the parsed request information does not meet the preset whitelist rules, the request message is determined to be an illegal request message that is not allowed to be proxied, and step 105 is executed. It is understandable that filtering the request information according to the preset whitelist rules realizes the function of a firewall, which can effectively intercept insecure, offensive and other request messages that are not allowed to be proxied, thereby helping to improve the security of the traffic proxy; moreover, the whitelist rules configured in the server can be dynamically adjusted as required at any time without affecting the normal operation of the server.
  • In step 104, when it is determined that the parsed request information meets the preset whitelist rules, the request message is redirected to the proxy software so that the proxy software can perform proxy acceleration on it. Since the request message is sent by the client as an uplink message, the source address of the request message is the address of the client and the destination address is the address of the source station that receives the uplink messages; when the request message is redirected, the destination address of the request message can be converted to the address of the proxy software according to the DNAT (Destination Network Address Translation) principle, thereby redirecting the request message to the proxy software.
  • The server also sends the request information to the proxy software, so that the proxy software can determine, according to the request information, whether the request content corresponding to it is stored in the preset storage device. If the proxy software determines that the preset storage device stores the request content corresponding to the request information, the proxy software can directly obtain the request content from the preset storage device and send it to the proxy server, so that the proxy server can forward the request content to the client, thereby reducing the time consumed by the request and response process and realizing an accelerated service for the request.
  • The preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device. The preset storage device is used to store content that the proxy software has previously requested from the origin site.
  • For example, if the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content is picture A), and the proxy software determines that "picture A" is stored in the preset storage device, then the proxy software directly reads "picture A" from the preset storage device and sends it to the proxy server, without having to request "picture A" from the origin site again. It is understandable that if the proxy software determines that the requested content corresponding to the request information is not stored in the preset storage device, the proxy software requests the content requested by the client from the source station, sends the content obtained from the source station back to the client via the proxy server, and caches that content in the preset storage device.
  • In step 105, when it is determined that the parsed request information does not conform to the preset whitelist rules, the request message is directly forwarded to the next hop in the pre-configured routing policy without being proxied by the proxy software, so as to filter the traffic to be loaded by the proxy software.
  • Alternatively, the request message can also be discarded directly without being proxied by the proxy software, so that some potentially offensive request messages are filtered out to ensure the security of the network.
  • This embodiment also provides a traffic proxy method, as shown in Fig. 2; the traffic proxy method shown in Fig. 2 is roughly the same as that shown in Fig. 1, and includes the following steps.
  • Step 201: Receive an HTTP request message; this step is roughly the same as step 101 and will not be repeated here.
  • Step 202: Determine whether the destination port of the TCP connection is a preset whitelist destination port; if yes, execute step 203; if not, execute step 206.
  • The uplink messages of the TCP connection to which the request message belongs include the source IP address, source port, destination IP address, and destination port. When the server transparently transmits the uplink messages of the TCP connection, it can parse them to obtain the destination port they carry and determine whether the parsed destination port (that is, the port of the source station that receives the uplink messages) is a preset whitelist destination port; it is understandable that the destination ports that need to be served can be configured in the server in advance as the preset whitelist destination ports. If the destination port is determined to belong to the preset whitelist destination ports, step 203 is executed; if it is judged not to belong to them, step 206 is executed to forward the request message directly to the next hop without proxy acceleration by the proxy software. In this way, a pre-filtering is performed through the destination port of the TCP connection to which the request message belongs, so as to reduce the traffic that the proxy software will load.
  • Step 203: Parse the request message to obtain the request information; this step is roughly the same as step 102 and will not be repeated here.
  • Step 204: Determine whether the request information meets the preset whitelist rules; if yes, execute step 205; if not, execute step 206; this step is roughly the same as step 103 and will not be repeated here.
  • Step 205: Redirect the request message to the proxy software, and send the request information to the proxy software; this step is roughly the same as step 104 and will not be repeated here.
  • Step 206: Forward the request message to the next hop; this step is roughly the same as step 105 and will not be repeated here.
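The server-side decision of steps 201 to 206, written out as an added Python example (this is not code from the patent or from its assignee): the destination-port pre-filter runs before any HTTP parsing, the request message is parsed into request information (domain, content type, content name), the information is matched against the preset whitelist rules, and a whitelisted message has its destination rewritten to the proxy software in the DNAT manner described in step 104. The whitelists, the proxy software address 10.0.0.2:8081, and deriving the content type from the file extension in the request target are assumptions made for the example; a request that cannot be parsed as HTTP is treated as not whitelisted and forwarded.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for the server's preset whitelists and the
# address of the proxy software (hypothetical values, not taken from the patent).
WHITELIST_DST_PORTS = {80, 8080}
WHITELIST_DOMAINS = {"img.example.com", "static.example.com"}
WHITELIST_CONTENT_TYPES = {"picture", "video"}
PROXY_SOFTWARE_IP, PROXY_SOFTWARE_PORT = "10.0.0.2", 8081

# Assumption for the example: the requested content type is derived from the
# file extension of the request target.
CONTENT_TYPE_BY_EXT = {"jpg": "picture", "png": "picture", "gif": "picture",
                       "mp4": "video", "html": "page", "js": "script"}


@dataclass(frozen=True)
class RequestInfo:
    domain: str        # requested domain name address (Host header)
    content_type: str  # requested content type
    content_name: str  # requested content name (last path segment)


@dataclass
class Decision:
    action: str                  # "REDIRECT" (step 205) or "FORWARD" (step 206)
    dst_ip: str                  # destination after the decision
    dst_port: int
    info: Optional[RequestInfo]  # request information handed to the proxy software


def parse_request(raw: bytes) -> RequestInfo:
    """Step 203: parse the HTTP request message to obtain the request information."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="strict")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")  # ValueError if malformed
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    domain = headers.get("host", "").split(":", 1)[0].lower()
    path = target.split("?", 1)[0]
    content_name = path.rsplit("/", 1)[-1]
    ext = content_name.rsplit(".", 1)[-1].lower() if "." in content_name else ""
    return RequestInfo(domain, CONTENT_TYPE_BY_EXT.get(ext, "other"), content_name)


def meets_whitelist_rules(info: RequestInfo) -> bool:
    """Step 204: compare the parsed request information against the preset rules."""
    return info.domain in WHITELIST_DOMAINS and info.content_type in WHITELIST_CONTENT_TYPES


def decide(dst_ip: str, dst_port: int, raw_request: bytes) -> Decision:
    """Steps 202 to 206 for one intercepted request on a transited TCP connection."""
    # Step 202: pre-filter on the destination port parsed from the uplink packets,
    # so that traffic to non-whitelisted ports is forwarded without parsing HTTP.
    if dst_port not in WHITELIST_DST_PORTS:
        return Decision("FORWARD", dst_ip, dst_port, None)
    # Step 203: a message that cannot be parsed as HTTP is not whitelisted either.
    try:
        info = parse_request(raw_request)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return Decision("FORWARD", dst_ip, dst_port, None)
    # Step 204 / 206: request information outside the whitelist goes to the next hop.
    if not meets_whitelist_rules(info):
        return Decision("FORWARD", dst_ip, dst_port, info)
    # Step 205: DNAT-style redirect, rewriting the destination to the proxy software,
    # with the request information handed over alongside the message.
    return Decision("REDIRECT", PROXY_SOFTWARE_IP, PROXY_SOFTWARE_PORT, info)


if __name__ == "__main__":
    # Constructed sample request message.
    sample = b"GET /img/a.jpg HTTP/1.1\r\nHost: img.example.com\r\n\r\n"
    print(decide("198.51.100.5", 80, sample))
```

The port check is deliberately placed before `parse_request` so that the cost of HTTP parsing is only paid for connections that could be served at all, which is the point of the step 202 pre-filter.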
  • The server in this embodiment can have the proxy software installed and be used as a proxy server; that is, the proxy server transparently transmits the uplink packets of the TCP connection and parses the received HTTP request packets, while the proxy software in the proxy server mainly performs proxy acceleration and other operations on request messages at the application level.
  • In that case, the client's upstream traffic is transmitted through the operator's (bureau) switch or router to our switch or router, our switch transmits the upstream traffic to the proxy server, and the proxy server analyzes and judges the request message; the proxy server redirects the request message to the proxy software in the proxy server and sends the request information to it; the proxy software obtains the stored request content from the preset storage device, or obtains the request content from the source site through our switch; the request content obtained by the proxy software is processed by the proxy server, routed via our switch to the operator's switch, and then routed by the operator's switch to the client.
  • When the server in this embodiment is used as a proxy server, after the proxy server redirects the request message to the proxy software the method further includes: controlling the proxy software to establish a TCP connection with the source station that receives the uplink messages, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the source station via our switch according to the handshake request message carrying data; and controlling the proxy software to receive the response message sent by the source station and modify the source address of the response message to the address of the source station, after which the proxy server processes the response message and routes it via our switch to the operator's switch, which routes it to the client.
  • Alternatively, the proxy software in this embodiment is installed on another server serving as the proxy server, and the proxy software in that other server performs proxy acceleration and other operations on the request message redirected by the server.
  • In that case, the client's upstream traffic is transmitted through the operator's switch to our switch, our switch transmits the upstream traffic to server A, and server A analyzes and judges the request message; server A then redirects the request message to the proxy software in another server B (that is, server B acts as the proxy server) and sends the request information to the proxy software in server B, which performs proxy acceleration; this will not be described in detail here.
  • In summary, in this embodiment an HTTP request message is received; the request message is parsed to obtain the request information; it is determined whether the request information meets the preset whitelist rules; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection.
  • After the server transparently transmits the uplink messages of the TCP connection, it intercepts the HTTP request message in that connection, parses the request information, and decides whether to proxy the request message according to whether the request information meets the preset whitelist rules. This can effectively intercept insecure, offensive and other requests that are not allowed to be proxied, thereby helping to improve the security of the traffic proxy. If it is decided to proxy the request message, it is redirected to the proxy software for processing; if not, it is directly forwarded to the next hop without being processed by the proxy software, so that the traffic to be loaded by the proxy server is filtered and its traffic load pressure is reduced. In addition, since the request message is redirected to the proxy software and the request information is sent to it, the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server, which shortens the time consumed by the request and response process and realizes acceleration of the request service.
  • The second embodiment of the present application relates to a traffic proxy method which is roughly the same as the first embodiment.
  • The specific process is shown in Fig. 3.
  • The steps and implementation details of the traffic proxy method in Fig. 3 are described in detail below.
  • The following content provides implementation details only for ease of understanding and is not necessary for implementing this solution.
  • Step 301: Receive an HTTP request message; this step is roughly the same as step 101 and will not be repeated here.
  • Step 302: Parse the request message to obtain the request information; this step is roughly the same as step 102 and will not be repeated here.
  • Step 303: Determine whether the request information meets the preset whitelist rules; if yes, go to step 304; if not, go to step 305; this step is roughly the same as step 103 and will not be repeated here.
  • Step 304: Add the TCP handshake request flag SYN to the request message to obtain a handshake request message carrying data; redirect the handshake request message carrying data to the proxy software, and send the request information to the proxy software.
  • This embodiment provides a specific implementation for redirecting the request message to the proxy software. The TCP handshake request flag SYN is a TCP flag bit indicating that a connection is being established; since the request message itself carries data, adding the SYN flag to it results in a handshake request message carrying data, and this handshake request message carrying data is redirected to the proxy software.
  • Because the uplink messages of the TCP connection to which the request message belongs pass through the server, and the proxy server records the SYN message header options of that TCP connection, the following step can also be executed after adding the TCP handshake request flag SYN to the request message: modify the header options of the request message according to the SYN header options recorded by the server. The final result is a handshake request message that carries data and whose header options have been modified, so that the proxy software confirms that the message header options of the TCP connection established with the client are the same as those of the TCP connection to which the request message belongs. The client thus has no perception of the TCP connection established with the proxy software, and a transparent proxy to the client is realized.
  • The recorded SYN packet header options may be the TCP options, which are variable-length optional information including the timestamp (message timestamp), window scale (window scale factor), and so on.
  • Because the proxy software is pre-configured with the TCP connection fast-open function, it can treat the TCP connection with the client as established as soon as it receives the redirected handshake request message, which saves the time-consuming exchange of handshake messages normally needed to establish a TCP connection; once the proxy software treats the TCP connection with the client as established by default, the subsequent data transmission between the proxy software and the client is faster.
  • After the proxy software treats the TCP connection with the client as established by default, the proxy software also establishes a TCP connection with the source station that receives the uplink messages, so that it can send a request to the source station according to the handshake request message carrying data. Once the proxy software has established TCP connections with both the client and the source station, it can send multiple requests and receive multiple responses, which shortens the time consumed by data transmission; in addition, because the proxy software has established TCP connections with the client and with the source station respectively, it can implement a transparent proxy to the client on this basis, making the client unaware of the existence of the proxy software.
  • Step 305: Forward the request message to the next hop. This step is roughly the same as step 105 and will not be repeated here.
  • In this embodiment, the proxy software quickly establishes TCP connections with the client and the source station, which speeds up the data transmission process, and implements a transparent proxy to the client by modifying message options and converting message addresses, making the client unaware of the existence of the proxy software.
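The SYN-option bookkeeping of the second embodiment, as an added Python example rather than code from the patent or its assignee: the server parses each transited uplink segment, records the TCP options (MSS, window scale, SACK-permitted, timestamps) of every client SYN keyed by the connection 4-tuple, and, when an HTTP request on that connection is whitelisted, sets the SYN flag on the request segment and copies the recorded options into it, producing the handshake request message carrying data that is redirected to the proxy software; `options_match` is the check the proxy software can make that the options equal those of the client's original SYN. The segment layout follows the standard TCP header; the option values, addresses and request bytes are constructed for the example, the checksum is left at zero, and the behaviour when no SYN was recorded for a connection (the rewrite is refused) is an assumption of this example.

```python
import struct
from dataclasses import dataclass

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    options: bytes   # variable-length options area (the "SYN message header options")
    payload: bytes


def parse_tcp_segment(raw: bytes) -> TcpSegment:
    """Split a raw TCP segment into fixed header fields, options area and payload."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(raw):
        raise ValueError("bad data offset")
    return TcpSegment(sport, dport, seq, ack, flags, window, raw[20:doff], raw[doff:])


def build_tcp_segment(seg: TcpSegment) -> bytes:
    """Serialize a segment; the checksum is left zero (a real stack recomputes it on send)."""
    opts = seg.options + b"\x00" * (-len(seg.options) % 4)   # pad options to 32-bit words
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                      doff << 4, seg.flags, seg.window, 0, 0)
    return hdr + opts + seg.payload


def parse_tcp_options(opts: bytes) -> dict:
    """Decode MSS, window scale, SACK-permitted and timestamp options into a dict."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        data = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3:
            out["wscale"] = data[0]
        elif kind == 4:
            out["sack_permitted"] = True
        elif kind == 8:
            out["tsval"], out["tsecr"] = struct.unpack("!II", data)
        else:
            out[f"kind{kind}"] = data.hex()
        i += length
    return out


class SynOptionRecorder:
    """Server-side record of the options of each transited client SYN, keyed by 4-tuple."""

    def __init__(self):
        self._recorded = {}

    def observe_uplink(self, src_ip: str, dst_ip: str, raw: bytes) -> bool:
        """Called for every uplink segment the server forwards transparently; returns True
        when the segment is a client SYN (SYN set, ACK clear) whose options were recorded."""
        seg = parse_tcp_segment(raw)
        if seg.flags & TCP_SYN and not seg.flags & TCP_ACK:
            self._recorded[(src_ip, seg.src_port, dst_ip, seg.dst_port)] = seg.options
            return True
        return False

    def to_data_carrying_handshake(self, src_ip: str, dst_ip: str, raw_request: bytes) -> bytes:
        """Set SYN on the HTTP request segment and copy in the recorded SYN options,
        producing the handshake request message carrying data for the proxy software."""
        seg = parse_tcp_segment(raw_request)
        key = (src_ip, seg.src_port, dst_ip, seg.dst_port)
        if key not in self._recorded:
            raise LookupError("no SYN options recorded for this connection")
        seg.flags |= TCP_SYN
        seg.options = self._recorded[key]
        return build_tcp_segment(seg)


def options_match(a: bytes, b: bytes) -> bool:
    """The proxy software's check: same options as the client's original SYN."""
    return parse_tcp_options(a) == parse_tcp_options(b)


# Constructed sample traffic (not captured data): a client SYN with a common option
# layout, then the HTTP request on the same connection (PSH|ACK, no options).
SYN_OPTIONS = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
               + struct.pack("!BBII", 8, 10, 123456, 0) + b"\x01" + bytes([3, 3, 7]))
CLIENT_SYN = build_tcp_segment(TcpSegment(40000, 80, 1000, 0, TCP_SYN, 65535, SYN_OPTIONS, b""))
HTTP_REQUEST = b"GET /a.jpg HTTP/1.1\r\nHost: img.example.com\r\n\r\n"
CLIENT_REQUEST = build_tcp_segment(TcpSegment(40000, 80, 1001, 5001, TCP_PSH | TCP_ACK, 65535, b"", HTTP_REQUEST))


def redirect_demo() -> TcpSegment:
    """Record the SYN, then rewrite the request on the same connection (step 304)."""
    rec = SynOptionRecorder()
    rec.observe_uplink("192.0.2.10", "198.51.100.5", CLIENT_SYN)
    return parse_tcp_segment(rec.to_data_carrying_handshake("192.0.2.10", "198.51.100.5", CLIENT_REQUEST))


def redirect_without_record() -> bool:
    """Edge case: a connection whose SYN never transited the server cannot be rewritten."""
    try:
        SynOptionRecorder().to_data_carrying_handshake("192.0.2.10", "198.51.100.5", CLIENT_REQUEST)
    except LookupError:
        return True
    return False
```

Keying the record by the full 4-tuple matters: the options belong to one connection, and a request on a connection whose SYN the server never saw has nothing to be matched against, so the example refuses the rewrite instead of guessing options.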
  • The third embodiment of the present application relates to a traffic proxy method with the proxy software as the execution subject.
  • The specific process is shown in Fig. 4 and includes the following steps 401 to 404.
  • The proxy software can be installed in the server used as the proxy server. In that case, the client's upstream traffic is transmitted through the operator's (bureau) switch or router to our switch or router, our switch transmits the upstream traffic to the proxy server, and the proxy server analyzes and judges the request message; the proxy server redirects the request message to the proxy software in the proxy server and sends the request information to it; the proxy software obtains the stored request content from the preset storage device, or obtains the request content from the source site through our switch; the request content obtained by the proxy software is processed by the proxy server, routed via our switch to the operator's switch, and then routed by the operator's switch to the client. In addition, the proxy software can also be installed on another server acting as the proxy server, and the proxy software in that other server performs proxy acceleration and other operations on the request message redirected by the server; that is, the client's upstream traffic is transmitted through the operator's switch to our switch, and our switch
  • Step 401: Receive a redirected HTTP request message and the request information obtained by parsing the request message.
  • The proxy software receives from the server the redirected request message and the request information obtained by parsing it; before that, the server has determined that the request information obtained by parsing the request message conforms to the preset whitelist rules.
  • The proxy software is pre-configured with the TCP connection fast-open function, and the received request message is a handshake request message carrying data, obtained by adding the TCP handshake request flag SYN to the request message. In this way, after receiving the handshake request message carrying data, the proxy software confirms that a TCP connection has been established with the client that sent the uplink messages, which saves the time-consuming transmission of handshake messages when establishing a TCP connection; once the proxy software treats the TCP connection with the client as established by default, the data transmission between the proxy software and the client is faster.
  • the proxy software After the default proxy software has established a TCP connection with the client, the proxy software also establishes a TCP connection with the source station that receives the uplink message, so that the proxy software can send a request to the source station according to the handshake request message carrying data; when the proxy After the software has established a TCP connection with the client and the source station, it can send multiple requests and receive multiple responses, which shortens the time-consuming process of data transmission; in addition, because the proxy software has established TCP with the client and the source station respectively Connection, so the proxy software can implement a transparent proxy to the client on this basis, making the client unaware of the existence of the proxy software.
  • the proxy server controls the proxy software to also establish a TCP connection with the source station that receives the uplink message, so that the proxy software can determine whether it is not in the preset storage device. After storing the request content corresponding to the request information, the request is sent to the source station according to the handshake request message carrying the data.
Step 402: Determine whether the request content corresponding to the request information is stored in the preset storage device; if so, perform step 403; if not, perform step 404.
Step 403: Obtain the request content from the preset storage device and send it to the proxy server.
Step 404: Send a request, according to the request message, to the origin site that receives the request message.
The preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device; it is used to store content that the proxy software has already requested from the origin site.
As an example, the request information received by the proxy software includes: the requested content type is image and the requested content name is A (that is, the request content includes picture A). The proxy software determines that "picture A" is stored in the preset storage device, so it reads "picture A" directly from the preset storage device and sends it to the proxy server, without requesting "picture A" from the origin site again.
If the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, it requests the content requested by the client from the origin site according to the redirected request message, sends the content fetched from the origin to the client via the proxy server, and caches that content in the preset storage device.
As an example, the request information received by the proxy software includes: the requested content type is image and the requested content name is A (that is, the request content includes picture A). The proxy software determines that "picture A" is not stored in the preset storage device, so it sends a request to the origin site according to the request message, the request content including "picture A"; after the proxy software obtains "picture A" from the origin site, it sends it to the client via the proxy server and caches "picture A" in the preset storage device, so that the next time a request for "picture A" is received it can be obtained directly from the preset storage device.
The specific way in which the proxy software sends the request message to the origin site is not repeated here.
The request content that the proxy software obtains from the preset storage device, or from the origin site through the local switch, needs to be processed by the proxy server and routed through the local switch to the operator's switch, which then routes it to the client.
In one embodiment, the proxy server can parse the upstream messages of the TCP connection to which the request message belongs and obtain the upstream message header options, including seq (sequence number), timestamp (message timestamp), window scale (window scaling factor), and so on. The proxy server can send the request content to the client in a response message; when sending the response message, it can make the header options of the response message the same as the parsed upstream message header options and change the source address of the response message to the address of the origin site, so that after the client receives the response message it considers it to have been sent by the origin site, thus realizing a transparent proxy for the client.
In one embodiment, the proxy server controls the proxy software to send requests to the origin site and to receive the response messages sent by the origin site; the proxy server also controls the proxy software to modify the source address of the response message to the address of the origin site, and the modified response message is then processed by the proxy server.
In this embodiment, the proxy software receives the redirected request message and the request information obtained by parsing the request message and, when it determines that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server. This shortens the time taken by the request and response process and provides an acceleration service for the request.
The fourth embodiment of the present application relates to a server 50 which, as shown in Fig. 5, includes a receiving module 501 and a content identification module 502.
The receiving module 501 is configured to receive HTTP request messages.
The content identification module 502 is configured to parse the request message to obtain the request information.
The content identification module 502 is further configured to determine whether the request information conforms to the preset whitelist rule; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection.
Before the content identification module 502 parses the request message, the method further includes: determining whether the destination port of the TCP connection is a preset whitelist destination port; if so, parsing the request message to obtain the request information; if not, forwarding the request message to the next hop; wherein the destination port of the TCP connection is obtained by parsing the uplink messages.
In one embodiment, the proxy software is pre-configured with a TCP fast open function, and the content identification module 502 redirecting the request message to the proxy software includes: adding the TCP handshake request flag SYN to the request message to obtain a data-carrying handshake request message, and redirecting the data-carrying handshake request message to the proxy software, so that the proxy software, upon receiving it, confirms that a TCP connection has been established with the client that sent the request message.
Before the content identification module 502 adds the TCP handshake request flag SYN to the request message to obtain the data-carrying handshake request message, the content identification module 502 is further configured to modify the header options of the request message according to the recorded SYN message header options.
In one embodiment, the server is the proxy server and the proxy software is installed on the proxy server; after the content identification module 502 redirects the request message to the proxy software, the content identification module 502 is further configured to control the proxy software to establish a TCP connection with the origin site that receives the uplink messages, so that, after determining that the request content corresponding to the request information is not stored in the preset storage device, the proxy software sends a request to the origin site according to the data-carrying handshake request message.
After the content identification module 502 controls the proxy software to establish a TCP connection with the origin site that receives the uplink messages, and the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the content identification module 502 is further configured to: control the proxy software to send a request to the origin site according to the data-carrying handshake request message and receive the response message sent by the origin site; and control the proxy software to modify the source address of the response message to the address of the origin site, so that the proxy server sends the modified response message to the client.
This embodiment is a device embodiment corresponding to the first embodiment or the second embodiment, and can be implemented in cooperation with either of them. The related technical details mentioned in the second embodiment remain valid in this embodiment and, to reduce repetition, are not repeated here; correspondingly, the related technical details mentioned in this embodiment can also be applied in the first embodiment or the second embodiment.
The modules involved in this embodiment are all logical modules; a logical unit may be a physical unit, a part of a physical unit, or a combination of multiple physical units. This embodiment does not introduce units that are not closely related to solving the technical problem proposed by the present application, but this does not mean that no other units exist in this embodiment.
The fifth embodiment of the present application relates to a server which, as shown in Fig. 6, includes: at least one processor 601; and a memory 602 communicatively connected to the at least one processor 601; wherein the memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 so that the at least one processor 601 can perform the foregoing traffic proxy method.
The memory 602 and the processor 601 are connected by a bus. The bus may include any number of interconnected buses and bridges, and links one or more processors and the various circuits of the memory 602 together. The bus can also connect various other circuits such as peripheral devices, voltage regulators and power management circuits, all of which are well known in the art and therefore not described further here. A bus interface provides an interface between the bus and a transceiver. The transceiver may be one element or multiple elements, such as multiple receivers and transmitters, providing a unit for communicating with various other devices over the transmission medium. Data processed by the processor 601 is transmitted over a wireless medium through an antenna, and the antenna also receives data and passes it to the processor 601.
The processor 601 is responsible for managing the bus and general processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 602 may be used to store data used by the processor 601 when performing operations.
The sixth embodiment of the present application relates to a computer storage medium storing a computer program which, when executed by a processor, implements the traffic proxy method of the foregoing embodiments.
The program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods in the embodiments of the present application. The aforementioned storage media include: USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks, and other media that can store program code.

Abstract

Embodiments of the present application relate to the technical field of communications, and in particular to a traffic flow proxy method, a server, and a storage medium. The traffic flow proxy method comprises: receiving an HTTP request packet (101); parsing the request packet to obtain request information (102); determining whether the request information meets a preset whitelist rule (103); if yes, redirecting the request packet to proxy software and sending the request information to the proxy software (104); and if not, forwarding the request packet to the next hop (105), wherein the uplink packets of the TCP connection to which the request packet belongs pass through the server, and the server records the SYN packet header options of the TCP connection.

Description

Traffic proxy method, server and storage medium
Cross-reference
This application claims priority to the Chinese patent application No. 202010237001.3, filed on March 30, 2020 and titled "Traffic proxy method, proxy server and storage medium", and to the Chinese patent application No. 202011010588.0, filed on September 23, 2020 and titled "Traffic proxy method, server and storage medium", both of which are incorporated herein by reference in their entirety.
Technical field
The embodiments of the present application relate to the field of communication technologies, and in particular to a traffic proxy method, a server and a storage medium.
Background
With the rapid development of the Internet, the content available on it is increasingly rich, and users increasingly expect faster response times; an accelerated Internet access experience is usually provided through network proxies and similar means. In the traditional proxy acceleration approach, the client establishes a connection with the proxy server, the proxy server establishes a connection with the origin site, the proxy server obtains the content from the origin site, and then returns the obtained content to the client.
Summary of the invention
The purpose of the embodiments of the present application is to provide a traffic proxy method, a server and a storage medium that help reduce the traffic proxy load of the proxy server and avoid the proxy server having to proxy all of the client's requests.
To solve the above problem, an embodiment of the present application provides a traffic proxy method, including: receiving an HTTP request message; parsing the request message to obtain request information; determining whether the request information conforms to a preset whitelist rule; if so, redirecting the request message to proxy software and sending the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forwarding the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection.
An embodiment of the present application also provides a server, including a receiving module and a content identification module. The receiving module is configured to receive HTTP request messages; the content identification module is configured to parse the request message to obtain request information; the content identification module is further configured to determine whether the request information conforms to a preset whitelist rule; if so, the request message is redirected to proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the proxy server, and the proxy server records the SYN message header options of the TCP connection.
An embodiment of the present application also provides a server, including: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the above traffic proxy method.
An embodiment of the present application also provides a computer storage medium storing a computer program which, when executed by a processor, implements the above traffic proxy method.
Compared with the prior art, the embodiments of the present application receive an HTTP request message; parse the request message to obtain request information; determine whether the request information conforms to a preset whitelist rule; if so, redirect the request message to proxy software and send the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forward the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection. That is, after transmitting the uplink messages of the TCP connection, the server intercepts the HTTP request message in that connection, parses it to obtain the request information, and decides whether to proxy the request message according to whether the request information conforms to the preset whitelist rule; this effectively intercepts request messages that are unsafe, offensive or otherwise not permitted to be proxied, and thus helps improve the security of traffic proxying. If it is determined that the request message is to be proxied, it is redirected to the proxy software for processing; if it is not to be proxied, it is forwarded directly to the next hop, that is, without being processed by the proxy software, so that the traffic the proxy server will carry is filtered and the traffic load on the proxy server is reduced. In addition, redirecting the request message to the proxy software and sending the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server, shortens the time taken by the request and response process and provides an acceleration service for the request.
In one embodiment, before parsing the request message, the method further includes: determining whether the destination port of the TCP connection is a preset whitelist destination port; if so, parsing the request message to obtain the request information; if not, forwarding the request message to the next hop; wherein the destination port of the TCP connection is obtained by parsing the uplink messages. In this way, before deciding from the request information whether to proxy the request message, a pre-filtering step is performed on the destination port of the TCP connection to which the request message belongs, which reduces the traffic the proxy software will have to carry.
In one embodiment, the proxy software is pre-configured with a TCP fast open function; redirecting the request message to the proxy software includes: adding the TCP handshake request flag SYN to the request message to obtain a data-carrying handshake request message; and redirecting the data-carrying handshake request message to the proxy software, so that the proxy software, upon receiving it, confirms that a TCP connection has been established with the client that sent the request message. It can be understood that the pre-configured TCP fast open function lets the proxy software and the client that sent the uplink messages establish a TCP connection quickly, making the data transfer process more efficient.
In one embodiment, before adding the TCP handshake request flag SYN to the request message to obtain the data-carrying handshake request message, the method further includes: modifying the header options of the request message according to the recorded SYN message header options, so that the header options of the TCP connection that the proxy software confirms with the client are the same as the header options of the TCP connection to which the request message belongs; the client side is therefore unaware of the TCP connection established with the proxy software, realizing a transparent proxy for the client.
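As an added illustration of the SYN option recording and the data-carrying handshake message described here (example code written for this page, not the patent's or any vendor's implementation): the server parses a client SYN, keeps its sequence number and header options (MSS, window scale, timestamp, SACK), and rebuilds those options onto the redirected HTTP request with the SYN flag set. The function names, the sample SYN and the option layout are assumptions; the segments are plain bytes without an IP header and nothing is sent on the wire.

```python
"""Record a client's TCP SYN header options and rebuild them onto the redirected
HTTP request, producing the data-carrying handshake segment handed to the proxy
software. Added example for this page, not the patent's code; the sample SYN
and all names are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

# TCP option kinds (RFC 793, RFC 7323, RFC 2018) and the header flag bits used here
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TS = 0, 1, 2, 3, 4, 8
FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_HDR = "!HHIIHHHH"  # src port, dst port, seq, ack, offset/flags, window, checksum, urgent


@dataclass(frozen=True)
class SynRecord:
    """What the server keeps from the client's SYN: sequence number plus header options."""
    seq: int
    mss: Optional[int]
    window_scale: Optional[int]
    tsval: Optional[int]
    sack_ok: bool


def parse_options(raw: bytes) -> dict:
    """Walk the variable-length option area (kind, length, data) after the fixed header."""
    opts = {"sack_ok": False}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        data = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", data)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["window_scale"] = data[0]
        elif kind == OPT_SACK_OK and length == 2:
            opts["sack_ok"] = True
        elif kind == OPT_TS and length == 10:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", data)
        i += length
    return opts


def header_length(segment: bytes) -> int:
    """Data offset field (32-bit words) converted to bytes."""
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return (off_flags >> 12) * 4


def record_syn(segment: bytes) -> SynRecord:
    """Server side: parse the client's SYN and keep seq + options for later reuse."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed TCP header")
    _src, _dst, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    flags = off_flags & 0x1FF
    if not flags & FLAG_SYN or flags & FLAG_ACK:
        raise ValueError("expected a client SYN (SYN set, ACK clear)")
    o = parse_options(segment[20:header_length(segment)])
    return SynRecord(seq, o.get("mss"), o.get("window_scale"), o.get("tsval"), o["sack_ok"])


def encode_options(rec: SynRecord, tsecr: int = 0) -> bytes:
    """Serialise the recorded options (common Linux order), padded to a 32-bit boundary."""
    out = bytearray()
    if rec.mss is not None:
        out += struct.pack("!BBH", OPT_MSS, 4, rec.mss)
    if rec.sack_ok:
        out += bytes([OPT_SACK_OK, 2])
    if rec.tsval is not None:
        out += struct.pack("!BBII", OPT_TS, 10, rec.tsval, tsecr)
    if rec.window_scale is not None:
        out += bytes([OPT_NOP, OPT_WSCALE, 3, rec.window_scale])
    while len(out) % 4:
        out.append(OPT_EOL)
    return bytes(out)


def build_syn_with_data(rec: SynRecord, src_port: int, dst_port: int, payload: bytes,
                        window: int = 65535) -> bytes:
    """Set SYN on the redirected request and carry the recorded options, so the proxy
    software sees one fast-open style handshake segment whose options match the
    connection the client opened. The payload occupies seq+1 onwards, as in TCP Fast
    Open; the checksum is left 0 for the sending stack to fill in."""
    opts = encode_options(rec)
    off_flags = (((20 + len(opts)) // 4) << 12) | FLAG_SYN
    hdr = struct.pack(TCP_HDR, src_port, dst_port, rec.seq, 0, off_flags, window, 0, 0)
    return hdr + opts + payload


def payload_of(segment: bytes) -> bytes:
    return segment[header_length(segment):]


def sample_client_syn() -> bytes:
    """Constructed client SYN: 40000 -> 80, seq 0x12345678, MSS 1460, SACK permitted,
    timestamp 1000, window scale 7 (20 option bytes, so a 40-byte header)."""
    opts = (struct.pack("!BBH", OPT_MSS, 4, 1460) + bytes([OPT_SACK_OK, 2])
            + struct.pack("!BBII", OPT_TS, 10, 1000, 0) + bytes([OPT_NOP, OPT_WSCALE, 3, 7]))
    off_flags = (((20 + len(opts)) // 4) << 12) | FLAG_SYN
    return struct.pack(TCP_HDR, 40000, 80, 0x12345678, 0, off_flags, 64240, 0, 0) + opts
```

Re-parsing the built segment with record_syn returns the same SynRecord, which is the check a proxy operator can run to confirm the options were carried across unchanged.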
Brief description of the drawings
One or more embodiments are illustrated by the figures in the corresponding drawings; these illustrations do not limit the embodiments.
Fig. 1 is a flowchart of the traffic proxy method in the first embodiment of the present application;
Fig. 2 is a flowchart of another traffic proxy method in the first embodiment of the present application;
Fig. 3 is a flowchart of the traffic proxy method in the second embodiment of the present application;
Fig. 4 is a flowchart of the traffic proxy method in the third embodiment of the present application;
Fig. 5 is a block diagram of the structure of the server in the fourth embodiment of the present application;
Fig. 6 is a block diagram of the structure of the server in the fifth embodiment of the present application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application are described in detail below with reference to the accompanying drawings. However, those of ordinary skill in the art will understand that many technical details are set out in the embodiments so that the reader can better understand the present application; the technical solution claimed in the present application can nonetheless be implemented without these technical details and with various changes and modifications based on the following embodiments. The division into embodiments below is for convenience of description and should not be construed as limiting the specific implementation of the present application; the embodiments may be combined with and refer to one another provided they do not contradict.
The inventors found the following problems in the related art: because the client establishes a connection with the proxy server, the proxy server usually proxies all of the requests sent by the client, which results in a heavy load on the proxy server, long proxying times, and difficulty in guaranteeing the security of the proxy server.
The first embodiment of the present application relates to a traffic proxy method; the specific process is shown in Fig. 1 and includes the following steps.
Step 101: Receive an HTTP request message.
Step 102: Parse the request message to obtain request information.
Step 103: Determine whether the request information conforms to the preset whitelist rule; if so, perform step 104; if not, perform step 105.
Step 104: Redirect the request message to the proxy software, and send the request information to the proxy software.
Step 105: Forward the request message to the next hop.
In this embodiment, the uplink messages of the TCP connection to which the request message belongs pass through the server; that is, the uplink messages sent by the client to establish a TCP connection with the origin site pass through the server, which can be understood as the server transparently transmitting the uplink messages of that TCP connection. The implementation details of the traffic proxy method of this embodiment are described below; they are provided only to aid understanding and are not required to implement the solution.
In step 101, the server receives the HTTP request message; specifically, the HTTP request message can be directed to the server by means of a pre-configured routing policy.
In step 102, the server parses the request message to obtain the request information; specifically, the request information in this embodiment may include the requested domain name, the requested content type, the requested content name, fields related to the requested content, and other information.
In step 103, the server determines whether the request information conforms to the preset whitelist rule; specifically, whitelist rules for the request information may be configured in the server in advance to filter the request information (for example, whitelist rules that filter the requested domain name, whitelist rules that filter the requested content type, whitelist rules that filter the requested content name, and so on). After the server parses the request information, it compares or matches it against the pre-configured whitelist rules; if the parsed request information conforms to the preset whitelist rule, the request message is judged to be a legitimate request message that is allowed to be proxied, and step 104 is performed; if it does not, the request message is judged to be an illegitimate request message that is not allowed to be proxied, and step 105 is performed. It can be understood that filtering the request information according to the preset whitelist rule implements the function of a firewall, which can effectively intercept request messages that are unsafe, offensive or otherwise not permitted to be proxied, and thus helps improve the security of traffic proxying; moreover, the whitelist rules configured in the server can be dynamically adjusted at any time as required without affecting the normal operation of the server.
In step 104, when it is determined that the parsed request information conforms to the preset whitelist rule, the request message is redirected to the proxy software so that the proxy software can perform proxy acceleration on it. Because the request message is sent by the client that sent the uplink messages, its source address is the client's address and its destination address is the address of the origin site that receives the uplink messages; the redirection can be performed on the principle of DNAT (Destination Network Address Translation), converting the destination address of the request message to the address of the proxy software, which redirects the request message to the proxy software.
In one embodiment, the server also sends the request information to the proxy software, so that the proxy software can determine from the request information whether the requested content corresponding to the request information is stored in the preset storage device. If the proxy software determines that the preset storage device holds the requested content corresponding to the request information, the proxy software can fetch the requested content directly from the preset storage device and send it to the proxy server, which forwards it to the client; this shortens the request and response process and provides an acceleration service for the request. The preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device; it is used to store content that the proxy software has already requested from the origin server. In an example, the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content is picture A); the proxy software determines that "picture A" is stored in the preset storage device, so it reads "picture A" directly from the preset storage device and sends it to the proxy server, without requesting "picture A" from the origin server again. It will be appreciated that if the proxy software determines that the requested content corresponding to the request information is not stored in the preset storage device, the proxy software requests the content requested by the client from the origin server, sends the content fetched from the origin to the client via the proxy server, and caches that content in the preset storage device.
In step 105, when the parsed request information is judged not to match the preset whitelist rules, the request message is forwarded directly to the next hop in the pre-configured routing policy without being proxied by the proxy software, thereby filtering the traffic that the proxy software will have to carry. Alternatively, when the parsed request information is judged not to match the preset whitelist rules, the request message can simply be discarded without being proxied by the proxy software, so that some potentially hostile request messages are filtered out and the security of the network is protected.
More specifically, this embodiment also provides a traffic proxy method as shown in Fig. 2. The traffic proxy method shown in Fig. 2 is broadly the same as the traffic proxy method shown in Fig. 1 and includes the following steps.
Step 201: receive an HTTP request message. This step is broadly the same as step 101 and is not repeated here.
Step 202: determine whether the destination port of the TCP connection is a preset whitelisted destination port; if so, execute step 203; if not, execute step 206.
Specifically, the upstream packets of the TCP connection to which the request message belongs carry a source IP address, a source port, a destination IP address and a destination port. While transparently forwarding the upstream packets of the TCP connection, the server can parse them to obtain the destination port they carry, and determine whether the parsed destination port (that is, the port of the origin server that receives the upstream packets) is a preset whitelisted destination port. It will be appreciated that the destination ports that need to be served can be configured in the server in advance as the preset whitelisted destination ports. If the destination port is judged to be a preset whitelisted destination port, step 203 is executed; if it is not, step 206 is executed and the request message is forwarded directly to the next hop without proxy acceleration by the proxy software. In this way a first round of filtering is performed on the destination port of the TCP connection to which the request message belongs, reducing the traffic that the proxy software will have to carry.
Step 203: parse the request message to obtain the request information. This step is broadly the same as step 102 and is not repeated here.
Step 204: determine whether the request information matches the preset whitelist rules; if so, execute step 205; if not, execute step 206. This step is broadly the same as step 103 and is not repeated here.
Step 205: redirect the request message to the proxy software and send the request information to the proxy software. This step is broadly the same as step 104 and is not repeated here.
Step 206: forward the request message to the next hop. This step is broadly the same as step 105 and is not repeated here.
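The decision pipeline of steps 202 to 206 (port whitelist, request parsing, whitelist rules, DNAT to the proxy software or forwarding/discarding) as an added Python example; it is not code from the patent, and the whitelist entries, the proxy address, the extension-to-type table and the sample request are constructed assumptions.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import urlsplit


class Action(Enum):
    REDIRECT_TO_PROXY = "redirect"  # step 205: DNAT the message to the proxy software
    FORWARD_NEXT_HOP = "forward"    # step 206: bypass the proxy software
    DROP = "drop"                   # the discard alternative named in step 105


@dataclass(frozen=True)
class Flow:
    """Addresses of the upstream TCP segment (source = client, destination = origin)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class RequestInfo:
    """Request information parsed in step 203."""
    host: str
    path: str
    content_type: str
    content_name: str


# Constructed policy for this example (the patent leaves the concrete rules open).
WHITELIST_PORTS = {80, 8080}
WHITELIST_DOMAINS = {"img.example.com", "static.example.com"}
WHITELIST_CONTENT_TYPES = {"image", "video"}
WHITELIST_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")   # plain file names only
PROXY_ADDR = ("10.0.0.9", 8081)                                 # constructed proxy software address
EXT_TO_TYPE = {"jpg": "image", "jpeg": "image", "png": "image", "gif": "image",
               "mp4": "video", "m3u8": "video", "html": "text", "js": "script"}


def parse_request(raw: bytes) -> Optional[RequestInfo]:
    """Step 203: pull host, path, content type and content name out of an HTTP/1.x request.
    Returns None for anything that is not a well-formed request line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    host = headers.get("host", "").split(":")[0].lower()
    path = urlsplit(parts[1].decode("ascii", "replace")).path or "/"
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return RequestInfo(host, path, EXT_TO_TYPE.get(ext, "other"), name)


def matches_whitelist(info: RequestInfo) -> bool:
    """Step 204 (step 103): domain, content type and content name rules must all match."""
    return (info.host in WHITELIST_DOMAINS
            and info.content_type in WHITELIST_CONTENT_TYPES
            and WHITELIST_NAME.match(info.content_name) is not None)


def decide(flow: Flow, raw_request: bytes,
           drop_rejected: bool = False) -> Tuple[Action, Flow, Optional[RequestInfo]]:
    """Steps 202 to 206: returns the action, the (possibly DNAT-rewritten) flow and the
    request information. drop_rejected selects discarding instead of forwarding."""
    if flow.dst_port not in WHITELIST_PORTS:            # step 202 -> 206, nothing parsed
        return Action.FORWARD_NEXT_HOP, flow, None
    info = parse_request(raw_request)                   # step 203
    if info is None or not matches_whitelist(info):     # step 204 -> 206 (or drop)
        return (Action.DROP if drop_rejected else Action.FORWARD_NEXT_HOP), flow, info
    # step 205: DNAT keeps the client as source and makes the proxy software the destination
    redirected = Flow(flow.src_ip, flow.src_port, PROXY_ADDR[0], PROXY_ADDR[1])
    return Action.REDIRECT_TO_PROXY, redirected, info


if __name__ == "__main__":
    demo = b"GET /pics/A.jpg HTTP/1.1\r\nHost: img.example.com\r\n\r\n"  # constructed request
    print(decide(Flow("192.0.2.10", 40000, "198.51.100.5", 80), demo))
```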
It should be noted that the server in this embodiment may have the proxy software installed and be used as the proxy server: the proxy server transparently forwards the upstream packets of the TCP connection and parses the received HTTP request message, while the proxy software in the proxy server mainly performs proxy acceleration and similar operations on the request message at the application layer. In an example, the client's upstream traffic is carried through the operator-side switch (or router) to our switch (or router), our switch passes the upstream traffic to the proxy server, and the proxy server parses and evaluates the request message. After the proxy server has redirected the request message to the proxy software on the same proxy server and sent the request information to that proxy software, the proxy software fetches the previously stored requested content from the preset storage device, or fetches the requested content from the origin server via our switch; the requested content obtained by the proxy software is processed by the proxy server, routed through our switch to the operator-side switch, and then routed by the operator-side switch to the client.
Specifically, when the server of this embodiment is used as the proxy server, after redirecting the request message to the proxy software the proxy server further: controls the proxy software to establish a TCP connection with the origin server that receives the upstream packets, so that the proxy software, after determining that the requested content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server via our switch according to the data-carrying handshake request message; and controls the proxy software to receive the response message sent by the origin server and set the source address of the response message to the origin server's address, after which the proxy server processes the response message and it is routed through our switch to the operator-side switch and from there to the client.
Alternatively, the proxy software of this embodiment is installed on another server that acts as the proxy server, and the proxy software on that other server performs proxy acceleration and similar operations on the request message redirected by the server. In an example, the client's upstream traffic is carried through the operator-side switch to our switch, our switch passes the upstream traffic to server A, and server A parses and evaluates the request message; server A then redirects the request message to the proxy software on another server B (that is, server B acting as the proxy server) and sends the request information to the proxy software on server B, which performs the proxy acceleration. This is not described further here.
In this embodiment, an HTTP request message is received; the request message is parsed to obtain the request information; it is determined whether the request information matches the preset whitelist rules; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the requested content corresponding to the request information is stored in the preset storage device, fetches the requested content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop. The upstream packets of the TCP connection to which the request message belongs pass through the server, and the server records the SYN header options of the TCP connection. In other words, after forwarding the upstream packets of the TCP connection, the server intercepts the HTTP request message in the TCP connection, parses it to obtain the request information, and decides whether to proxy the request message according to whether the request information matches the preset whitelist rules; insecure, hostile and other request messages that are not allowed to be proxied can thus be effectively intercepted, which helps to improve the security of the traffic proxy. If it is decided to proxy the request message, the request message is redirected to the proxy software for processing; if the request message is not to be proxied, it is forwarded directly to the next hop, that is, it is not processed by the proxy software, so the traffic that the proxy server will have to carry is filtered and the traffic load on the proxy server is reduced. In addition, redirecting the request message to the proxy software and sending the request information to the proxy software, so that the proxy software fetches the requested content from the preset storage device and sends it to the proxy server after determining that the content is stored there, shortens the request and response process and provides an acceleration service for the request.
The second embodiment of the present application relates to a traffic proxy method that is broadly the same as the first embodiment; its flow is shown in Fig. 3. The steps and implementation details of the traffic proxy method of Fig. 3 are described below; these implementation details are provided only to aid understanding and are not required to implement the solution.
Step 301: receive an HTTP request message. This step is broadly the same as step 101 and is not repeated here.
Step 302: parse the request message to obtain the request information. This step is broadly the same as step 102 and is not repeated here.
Step 303: determine whether the request information matches the preset whitelist rules; if so, execute step 304; if not, execute step 305. This step is broadly the same as step 103 and is not repeated here.
Step 304: add the TCP handshake request flag SYN to the request message to obtain a data-carrying handshake request message; redirect the data-carrying handshake request message to the proxy software, and send the request information to the proxy software.
Specifically, this embodiment provides a concrete way of redirecting the request message to the proxy software. The proxy software of the proxy server is configured in advance so that the proxy module has the TCP Fast Open function. The TCP handshake request flag SYN (a TCP flag bit indicating that a connection is being established) is added to the captured request message; because the request message itself carries data, adding the handshake request flag yields a data-carrying handshake request message. The data-carrying handshake request message is redirected to the proxy software so that, on receiving it, the proxy software confirms that a TCP connection has been established with the client that sent the upstream packets. For the redirection method and the sending of the request information to the proxy software, refer to the description of step 104, which is not repeated here.
More specifically, the upstream packets of the TCP connection to which the request message belongs pass through the server, and the proxy server records the SYN header options of the TCP connection. Therefore, after adding the TCP handshake request flag SYN to the request message, the following step can also be performed: modify the header options of the request message according to the SYN header options recorded by the server. The result is a handshake request message that carries data and whose header options have been modified, so that the header options of the TCP connection the proxy software considers established with the client are the same as the header options of the TCP connection to which the request message belongs; the client is unaware of the TCP connection established with the proxy software, and the proxy is transparent to the client. For example, the recorded SYN header options may be the TCP OPTIONS field, which carries variable-length optional information such as timestamp (packet timestamp) and window scale (window scaling factor).
Because the proxy software is pre-configured with the TCP Fast Open function, on receiving the redirected handshake request message it can regard a TCP connection with the client as already established, saving the time that would otherwise be spent exchanging handshake packets to set up the TCP connection; once the proxy software treats the TCP connection with the client as established, the subsequent data transfer between the proxy software and the client is faster. After the proxy software treats the TCP connection with the client as established, it also establishes a TCP connection with the origin server that receives the upstream packets, so that it can send a request to the origin server according to the data-carrying handshake request message. Once the proxy software has TCP connections with both the client and the origin server, it can send multiple requests and receive multiple responses, shortening the data transfer process; moreover, because the proxy software has separate TCP connections with the client and with the origin server, it can on this basis act as a transparent proxy, so that the client is unaware of the proxy software's existence.
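How the data-carrying handshake request of step 304 can be assembled from the client's request segment and the SYN options the server recorded, as an added Python example that is not code from the patent; the addresses, ports, option values and HTTP payload are constructed, the DNAT is assumed to change only the destination IP, and clearing ACK so the result is a TFO-style SYN is this example's own choice (the page says only that SYN is added).

```python
import socket
import struct
from typing import List, Tuple

# TCP flag bits and option kinds (RFC 793 / RFC 7323)
TH_SYN, TH_PSH, TH_ACK = 0x02, 0x08, 0x10
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP option field into (kind, data) pairs; NOP carries no data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def encode_tcp_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_tcp_options, padded with EOL bytes to a 32-bit boundary."""
    out = b"".join(bytes([k]) if k == OPT_NOP else bytes([k, len(d) + 2]) + d
                   for k, d in opts)
    return out + b"\x00" * (-len(out) % 4)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
                      flags: int, window: int, options: bytes, payload: bytes) -> bytes:
    """Pack a TCP header (with options) in front of payload and fill in the checksum."""
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def record_syn_options(syn_segment: bytes) -> bytes:
    """What the server keeps from the client's SYN while forwarding the upstream packets."""
    header_len = (syn_segment[12] >> 4) * 4
    return syn_segment[20:header_len]


def make_handshake_request(client_ip: str, proxy_ip: str, request_segment: bytes,
                           recorded_syn_options: bytes) -> bytes:
    """Step 304: set SYN on the client's request segment and carry the recorded SYN options."""
    sport, dport, seq, ack, off_byte, flags, window = struct.unpack(
        "!HHIIBBH", request_segment[:16])
    payload = request_segment[(off_byte >> 4) * 4:]   # the HTTP request stays as data
    # Re-encode the options the client negotiated (MSS, window scale, timestamps ...)
    # so the proxy's view of the connection matches the client's real one.
    options = encode_tcp_options(parse_tcp_options(recorded_syn_options))
    new_flags = (flags & ~TH_ACK) | TH_SYN            # add SYN; clearing ACK is an assumption
    # client_ip stays the source; proxy_ip is the DNAT-rewritten destination (step 104).
    return build_tcp_segment(client_ip, proxy_ip, sport, dport, seq, ack, new_flags,
                             window, options, payload)
```

On a real host the proxy software must have TCP Fast Open enabled, as the text above states, for such a SYN with data to be accepted without the usual handshake.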
Step 305: forward the request message to the next hop. This step is broadly the same as step 105 and is not repeated here.
In this embodiment, the proxy software quickly establishes TCP connections with the client and the origin server, speeding up the data transfer process, and acts as a transparent proxy to the client by modifying packet options and translating packet addresses, so that the client is unaware of the proxy software's existence.
The third embodiment of the present application relates to a traffic proxy method executed by the proxy software; its flow is shown in Fig. 4 and includes the following steps 401 to 404.
In this embodiment, as described in the first embodiment, the proxy software may be installed in the server used as the proxy server: the client's upstream traffic is carried through the operator-side switch (or router) to our switch (or router), our switch passes the upstream traffic to the proxy server, and the proxy server parses and evaluates the request message; after the proxy server has redirected the request message to the proxy software on the same proxy server and sent the request information to that proxy software, the proxy software fetches the previously stored requested content from the preset storage device, or fetches the requested content from the origin server via our switch; the requested content obtained by the proxy software is processed by the proxy server, routed through our switch to the operator-side switch, and then routed by the operator-side switch to the client. Alternatively, the proxy software may be installed on another server acting as the proxy server, and the proxy software on that other server performs proxy acceleration and similar operations on the request message redirected by the server: the client's upstream traffic is carried through the operator-side switch to our switch, our switch passes the upstream traffic to server A, and server A parses and evaluates the request message; server A then redirects the request message to the proxy software on another server B (that is, server B acting as the proxy server) and sends the request information to the proxy software on server B, which performs the proxy acceleration.
Step 401: receive the redirected HTTP request message and the request information obtained by parsing the request message.
Specifically, the proxy software receives from the server the redirected request message and the request information obtained by parsing the request message; before this, the server has already determined that the request information parsed from the request message matches the preset whitelist rules. In addition, as explained in the second embodiment, the proxy software is pre-configured with the TCP Fast Open function, and the received request message is a data-carrying handshake request message obtained by adding the TCP handshake request flag SYN to the request message. In this way, on receiving the data-carrying handshake request message, the proxy software confirms that a TCP connection has been established with the client that sent the upstream packets, saving the time that would otherwise be spent exchanging handshake packets to set up the TCP connection; once the proxy software treats the TCP connection with the client as established, the subsequent data transfer between the proxy software and the client is faster. After the proxy software treats the TCP connection with the client as established, it also establishes a TCP connection with the origin server that receives the upstream packets, so that it can send a request to the origin server according to the data-carrying handshake request message. Once the proxy software has TCP connections with both the client and the origin server, it can send multiple requests and receive multiple responses, shortening the data transfer process; moreover, because the proxy software has separate TCP connections with the client and with the origin server, it can on this basis act as a transparent proxy, so that the client is unaware of the proxy software's existence.
It will be appreciated that when the proxy software is installed in the server used as the proxy server, the proxy server controls the proxy software to also establish a TCP connection with the origin server that receives the upstream packets, so that the proxy software, after determining that the requested content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server according to the data-carrying handshake request message.
Step 402: determine whether the requested content corresponding to the request information is stored in the preset storage device; if so, execute step 403; if not, execute step 404.
Step 403: fetch the requested content from the preset storage device and send it to the proxy server.
Step 404: send a request, according to the request message, to the origin server that receives the request message.
Specifically, the preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device; it is used to store content that the proxy software has already requested from the origin server. In an example, the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content is picture A); the proxy software determines that "picture A" is stored in the preset storage device, so it reads "picture A" directly from the preset storage device and sends it to the proxy server, without requesting "picture A" from the origin server again.
It will be appreciated that if the proxy software determines that the requested content corresponding to the request information is not stored in the preset storage device, the proxy software requests the content requested by the client from the origin server according to the redirected request message, sends the content fetched from the origin to the client via the proxy server, and caches that content in the preset storage device. In an example, the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content is picture A); the proxy software determines that "picture A" is not stored in the preset storage device, so it sends a request to the origin server according to the request message, the requested content being "picture A"; after the proxy software has obtained "picture A" from the origin server, it is sent to the client via the proxy server and cached in the preset storage device, so that the next time a request for "picture A" is received it can be fetched directly from the preset storage device. The specific way in which the proxy software sends the request message to the origin server is not described further here.
It should be noted that the requested content, whether fetched by the proxy software from the preset storage device or obtained from the origin server via our switch, must be processed by the proxy server and then routed through our switch to the operator-side switch, which routes it to the client. In an example, the proxy server can parse the upstream packets of the TCP connection to which the request message belongs to obtain the upstream packet header options, including seq (sequence number), timestamp (packet timestamp), window scale (window scaling factor) and so on. The proxy server can send the requested content to the client in the form of a response message; when sending the response message, it can make the header options of the response message the same as the parsed upstream packet header options and set the source address of the response message to the origin server's address, so that the client, on receiving the response message, regards it as having been sent by the origin server, thereby achieving a transparent proxy for the client.
It will be appreciated that when the proxy software is installed in the server used as the proxy server, the proxy server controls the proxy software to send the request to the origin server and to receive the response message sent by the origin server; likewise the proxy server controls the proxy software to set the source address of the response message to the origin server's address, and the modified response message is processed by the proxy server.
In this embodiment, the proxy software receives the redirected request message and the request information obtained by parsing the request message, and when it determines that the requested content corresponding to the request information is stored in the preset storage device, fetches the requested content from the preset storage device and sends it to the proxy server, which shortens the request and response process and provides an acceleration service for the request.
The fourth embodiment of the present application relates to a server 50, as shown in Fig. 5, comprising a receiving module 501 and a content identification module 502.
The receiving module 501 is configured to receive an HTTP request message.
The content identification module 502 is configured to parse the request message to obtain the request information.
The content identification module 502 is further configured to determine whether the request information matches the preset whitelist rules; if so, to redirect the request message to the proxy software and send the request information to the proxy software, so that the proxy software, after determining that the requested content corresponding to the request information is stored in the preset storage device, fetches the requested content from the preset storage device and sends it to the proxy server; if not, to forward the request message to the next hop. The upstream packets of the TCP connection to which the request message belongs pass through the server, and the server records the SYN header options of the TCP connection.
在一个实例中,在内容识别模块502解析请求报文前,还包括:判断TCP连接的目的端口是否为预设的白名单目的端口;若是,解析请求报文,得到请求信息;若否,将请求报文转发至下一跳;其中,TCP连接的目的端口通过解析上行报文获得。In an example, before the content identification module 502 parses the request message, it further includes: judging whether the destination port of the TCP connection is a preset whitelist destination port; if so, parse the request message to obtain the request information; if not, The request message is forwarded to the next hop; among them, the destination port of the TCP connection is obtained by parsing the uplink message.
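The classification path described in the last two paragraphs (destination-port check first, then request parsing, then the whitelist match that decides between redirecting to the proxy software and forwarding to the next hop), as an added example that is not code from the patent or its applicant. The rule format, the host and path normalisation, the restriction to GET/HEAD and the sample requests are this example's own assumptions; the patent does not specify them.

```python
"""Added example, not code from the patent or its applicant: the destination-port
check, HTTP request parsing and whitelist match that the content identification
module performs before deciding to redirect a request to the proxy software or
forward it to the next hop. The rule format, the host/path normalisation, the
GET/HEAD restriction and the sample requests are this example's assumptions."""
import posixpath
from dataclasses import dataclass
from typing import Optional

WHITELIST_PORTS = {80, 8080}  # assumed preset whitelist destination ports

# Assumed whitelist rule format: host -> path prefixes eligible for acceleration.
WHITELIST_RULES = {
    "static.example.com": ("/img/", "/js/"),
    "cdn.example.org": ("/",),
}


@dataclass
class RequestInfo:
    method: str
    host: str
    path: str


def parse_http_request(raw: bytes) -> Optional[RequestInfo]:
    """Extract method, Host and a normalised path from an HTTP/1.x request.

    Returns None whenever the request cannot be classified safely (incomplete
    headers, malformed request line, missing or duplicate Host header, a
    non-origin-form target); the caller then forwards it unchanged rather than
    guessing."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete yet
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")]
    if len(hosts) != 1:
        return None  # a missing or duplicated Host header is never matched against the rules
    host = hosts[0].decode("ascii", "replace").lower()
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]  # strip an explicit :port suffix (IPv6 literals kept as-is)
    if not target.startswith("/"):
        return None  # absolute-form and CONNECT targets are not accelerated here
    path = target.split("?", 1)[0]
    norm = posixpath.normpath(path)  # collapse "/img/../admin" to "/admin" before prefix matching
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return RequestInfo(method, host, norm)


def decide(dst_port: int, raw: bytes) -> str:
    """Return "redirect" (hand the request to the proxy software) or "forward" (next hop)."""
    if dst_port not in WHITELIST_PORTS:
        return "forward"  # the port check happens before any parsing
    info = parse_http_request(raw)
    if info is None or info.method not in ("GET", "HEAD"):
        return "forward"  # only idempotent fetches are served from the preset storage
    prefixes = WHITELIST_RULES.get(info.host)
    if prefixes is None:
        return "forward"
    return "redirect" if info.path.startswith(prefixes) else "forward"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUEST = (b"GET /img/logo.png?v=3 HTTP/1.1\r\n"
                  b"Host: Static.Example.com:8080\r\n"
                  b"User-Agent: example\r\n\r\n")
TRAVERSAL_REQUEST = b"GET /img/../admin HTTP/1.1\r\nHost: static.example.com\r\n\r\n"
DUPLICATE_HOST_REQUEST = (b"GET /img/a.png HTTP/1.1\r\nHost: static.example.com\r\n"
                          b"Host: cdn.example.org\r\n\r\n")
```

`decide(8080, SAMPLE_REQUEST)` yields `"redirect"`, while the same request on port 443, a path that escapes the whitelisted prefix through `..`, or a request with two Host headers all yield `"forward"`. The conservative default matters: anything the classifier cannot parse unambiguously goes to the next hop, so a request crafted to confuse the whitelist match is never served from the preset storage.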
In one example, the proxy software is preconfigured with TCP Fast Open (TFO). Redirecting the request message to the proxy software by the content identification module 502 includes: adding the TCP handshake flag SYN to the request message to obtain a data-carrying handshake request message (a SYN that carries data); and redirecting that data-carrying handshake request message to the proxy software, so that the proxy software, on receiving it, confirms that a TCP connection has been established with the client that sent the request message.
In one example, before the content identification module 502 adds the TCP handshake flag SYN to the request message to obtain the data-carrying handshake request message, the content identification module 502 is further configured to modify the header options of the request message according to the recorded header options of the SYN message.
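What the two paragraphs above describe at the packet level is the construction of a SYN segment whose options are copied from the SYN the server recorded for this connection and whose payload is the buffered HTTP request. The following is an added example, not code from the patent or its applicant: it builds such a data-carrying SYN with a valid TCP checksum and parses it back. The addresses, ports, sequence number, recorded option set (including an assumed TFO cookie) and payload are constructed here.

```python
"""Added example, not code from the patent or its applicant: turning a buffered
HTTP request segment into a data-carrying SYN whose header options are copied
from the SYN recorded for the same connection, as the content identification
module does before redirecting to a TFO-enabled proxy. Addresses, ports, the
sequence number, the recorded options and the payload are constructed here."""
import socket
import struct

TH_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS, OPT_TFO = 0, 1, 2, 3, 4, 8, 34


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header; 0 means the segment verifies."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ones_complement(pseudo + segment)


def encode_options(options: list) -> bytes:
    """options: list of (kind, value_bytes); NOP and EOL carry no length byte."""
    out = b""
    for kind, value in options:
        if kind in (OPT_EOL, OPT_NOP):
            out += bytes([kind])
        else:
            out += bytes([kind, 2 + len(value)]) + value
    return out + b"\x00" * (-len(out) % 4)  # pad with EOL to a 32-bit boundary


def parse_options(raw: bytes) -> list:
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def build_syn_with_data(src_ip, dst_ip, sport, dport, seq, recorded_options, payload):
    """Build a TCP segment with SYN set that carries `payload`, with the header
    options taken from the recorded SYN of the same connection."""
    opts = encode_options(recorded_options)
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, TH_SYN, 65535, 0, 0)
    segment = header + opts + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "syn": bool(flags & TH_SYN),
            "options": parse_options(segment[20:hlen]), "payload": segment[hlen:]}


# Constructed sample: options as recorded from the client's original SYN (the
# TFO cookie is assumed to be one the proxy issued earlier) and the request payload.
RECORDED_SYN_OPTIONS = [
    (OPT_MSS, struct.pack("!H", 1460)),
    (OPT_SACKOK, b""),
    (OPT_TS, struct.pack("!II", 123456, 0)),
    (OPT_NOP, b""),
    (OPT_WSCALE, b"\x07"),
    (OPT_TFO, bytes(range(8))),
]
SAMPLE_PAYLOAD = b"GET /img/logo.png HTTP/1.1\r\nHost: static.example.com\r\n\r\n"
```

A Linux listener only consumes the data in such a SYN if TFO is enabled on it (the `TCP_FASTOPEN` socket option, or the server bit 0x2 of `net.ipv4.tcp_fastopen`) and the SYN carries a cookie it recognises; otherwise cookie-less acceptance has to be configured explicitly (`TCP_FASTOPEN_NO_COOKIE`, or the 0x200/0x400 bits of `net.ipv4.tcp_fastopen`), and a listener without TFO simply ignores the payload and waits for a retransmission.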
In one example, the server is the proxy server and the proxy software is installed on the proxy server. After the content identification module 502 redirects the request message to the proxy software, the content identification module 502 is further configured to control the proxy software to establish a TCP connection with the origin server that receives the upstream messages, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server based on the data-carrying handshake request message.
In one example, after the content identification module 502 controls the proxy software to establish the TCP connection with the origin server that receives the upstream messages, and after the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the content identification module 502 is further configured to: control the proxy software to send a request to the origin server based on the data-carrying handshake request message and to receive the response message returned by the origin server; and control the proxy software to rewrite the source address of the response message to the address of the origin server, so that the proxy server sends the rewritten response message to the client.
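Rewriting the source address of the response message, as the paragraph above describes, changes a field that both the IPv4 header checksum and the TCP checksum (through its pseudo-header) cover, so the rewrite is only correct if both checksums are fixed up. The following added example, not code from the patent or its applicant, performs the address rewrite with incremental checksum updates (RFC 1624) and verifies the result; the proxy, origin and client addresses, ports and the response payload are constructed here.

```python
"""Added example, not code from the patent or its applicant: rewriting the
source address of an IPv4/TCP response packet to the origin server's address,
as the proxy software does before the proxy server returns the response to the
client. Both the IPv4 header checksum and the TCP checksum (whose pseudo-header
covers the source address) are updated incrementally per RFC 1624. The sample
packet and all addresses are constructed."""
import socket
import struct


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ones_complement(pseudo + segment)


def checksum_update(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied 16-bit word by word."""
    old_words = struct.unpack("!%dH" % (len(old_bytes) // 2), old_bytes)
    new_words = struct.unpack("!%dH" % (len(new_bytes) // 2), new_bytes)
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def rewrite_source(packet: bytes, new_src_ip: str) -> bytes:
    """Return a copy of an IPv4/TCP packet with its source address replaced and
    both checksums corrected; nothing else in the packet is touched."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        raise ValueError("only TCP packets are handled here")
    old_src, new_src = packet[12:16], socket.inet_aton(new_src_ip)
    ip_csum = checksum_update(struct.unpack("!H", packet[10:12])[0], old_src, new_src)
    tcp_csum = checksum_update(struct.unpack("!H", packet[ihl + 16:ihl + 18])[0], old_src, new_src)
    return (packet[:10] + struct.pack("!H", ip_csum) + new_src + packet[16:ihl + 16]
            + struct.pack("!H", tcp_csum) + packet[ihl + 18:])


def checksums_valid(packet: bytes) -> bool:
    """Full recomputation of both checksums; used to check the incremental path."""
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return ones_complement(packet[:ihl]) == 0 and tcp_checksum(src, dst, packet[ihl:total]) == 0


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal PSH/ACK response packet with correct checksums (sample input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement(ip)) + ip[12:]
    return ip + tcp


# Constructed sample: the proxy answers from its own address 10.1.1.1 to the
# client 203.0.113.5; the origin server's address 198.51.100.10 is substituted.
SAMPLE_RESPONSE = build_ipv4_tcp("10.1.1.1", "203.0.113.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\nhi")
ORIGIN_IP = "198.51.100.10"
```

`rewrite_source(SAMPLE_RESPONSE, ORIGIN_IP)` produces a packet that still verifies under a full recomputation of both checksums, while a packet whose address is swapped without the update does not. Doing the update incrementally rather than recomputing over the whole payload is what makes the rewrite cheap enough for a per-packet data path; the full recomputation is kept here only as the check.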
It is readily seen that this embodiment is the apparatus embodiment corresponding to the first or second embodiment and can be implemented in cooperation with either of them. The technical details given in the first or second embodiment remain valid in this embodiment and are not repeated here in order to avoid duplication; correspondingly, the technical details given in this embodiment also apply to the first and second embodiments.
It is worth noting that the modules involved in this embodiment are logical modules; in practice, a logical unit may be one physical unit, part of a physical unit, or a combination of several physical units. In addition, in order to highlight the inventive part of the present application, units that are not closely related to solving the technical problem addressed by the application are not introduced in this embodiment, which does not mean that no other units exist in this embodiment.
The fifth embodiment of the present application relates to a server which, as shown in FIG. 6, includes at least one processor 601 and a memory 602 communicatively connected to the at least one processor 601. The memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 so that the at least one processor 601 can perform the traffic proxy method described above.
The memory 602 and the processor 601 are connected by a bus. The bus may include any number of interconnected buses and bridges, and links the various circuits of the one or more processors and of the memory 602. The bus may also link various other circuits such as peripherals, voltage regulators and power-management circuits, all of which are well known in the art and are therefore not described further here. A bus interface provides the interface between the bus and a transceiver. The transceiver may be a single element or several elements, such as multiple receivers and transmitters, providing a means of communicating with various other apparatus over a transmission medium. Data processed by the processor 601 is transmitted over a wireless medium through an antenna; in this embodiment the antenna also receives data and passes it to the processor 601.
The processor 601 is responsible for managing the bus and for general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 602 may be used to store data used by the processor 601 when performing operations.
The sixth embodiment of the present application relates to a computer storage medium storing a computer program which, when executed by a processor, implements the traffic proxy method embodiments described above.
That is, those skilled in the art will understand that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware. The program is stored in a storage medium and includes a number of instructions that cause a device (which may be a microcontroller, a chip, etc.) or a processor to perform all or part of the steps of the methods in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
A person of ordinary skill in the art will understand that the above embodiments are specific embodiments for implementing the present application, and that in practice various changes in form and detail may be made to them without departing from the spirit and scope of the present application.

Claims (20)

  1. A traffic proxy method, comprising:
    receiving an HTTP request message;
    parsing the request message to obtain request information;
    determining whether the request information matches preset whitelist rules;
    if it does, redirecting the request message to proxy software and sending the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, fetches the request content from the preset storage device and sends it to a proxy server;
    if it does not, forwarding the request message to the next hop;
    wherein the upstream messages of the TCP connection to which the request message belongs pass through a server, and the server records the header options of the SYN message of the TCP connection.
  2. The traffic proxy method according to claim 1, wherein before parsing the request message, the method further comprises:
    determining whether the destination port of the TCP connection is a preset whitelist destination port;
    if it is, parsing the request message to obtain the request information;
    if it is not, forwarding the request message to the next hop;
    wherein the destination port of the TCP connection is obtained by parsing the upstream messages.
  3. The traffic proxy method according to claim 1, wherein the proxy software is preconfigured with TCP Fast Open; and redirecting the request message to the proxy software comprises:
    adding the TCP handshake flag SYN to the request message to obtain a data-carrying handshake request message;
    redirecting the data-carrying handshake request message to the proxy software, so that the proxy software, on receiving the data-carrying handshake request message, confirms that a TCP connection has been established with the client that sent the request message.
  4. The traffic proxy method according to claim 3, wherein before adding the TCP handshake flag SYN to the request message to obtain the data-carrying handshake request message, the method further comprises:
    modifying the header options of the request message according to the recorded header options of the SYN message.
  5. The traffic proxy method according to claim 3, wherein the server is the proxy server and the proxy software is installed on the proxy server; and after redirecting the request message to the proxy software, the method further comprises:
    controlling the proxy software to establish a TCP connection with the origin server that receives the upstream messages, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server based on the data-carrying handshake request message.
  6. The traffic proxy method according to claim 5, wherein after controlling the proxy software to establish the TCP connection with the origin server that receives the upstream messages, and after the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the method further comprises:
    controlling the proxy software to send a request to the origin server based on the data-carrying handshake request message.
  7. The traffic proxy method according to claim 6, wherein after controlling the proxy software to send the request to the origin server based on the data-carrying handshake request message, the method further comprises:
    controlling the proxy software to receive the response message returned by the origin server;
    controlling the proxy software to rewrite the source address of the response message to the address of the origin server, so that the proxy server sends the rewritten response message to the client.
  8. A server, comprising a receiving module and a content identification module;
    the receiving module being configured to receive an HTTP request message;
    the content identification module being configured to parse the request message to obtain request information;
    the content identification module being further configured to determine whether the request information matches preset whitelist rules; if it does, to redirect the request message to proxy software and send the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, fetches the request content from the preset storage device and sends it to a proxy server;
    if it does not, to forward the request message to the next hop;
    wherein the upstream messages of the TCP connection to which the request message belongs pass through a server, and the server records the header options of the SYN message of the TCP connection.
  9. The server according to claim 8, wherein before the content identification module parses the request message, the content identification module is further configured to:
    determine whether the destination port of the TCP connection is a preset whitelist destination port;
    if it is, parse the request message to obtain the request information;
    if it is not, forward the request message to the next hop;
    wherein the destination port of the TCP connection is obtained by parsing the upstream messages.
  10. The server according to claim 8, wherein the proxy software is preconfigured with TCP Fast Open; and the content identification module redirecting the request message to the proxy software comprises:
    adding the TCP handshake flag SYN to the request message to obtain a data-carrying handshake request message;
    redirecting the data-carrying handshake request message to the proxy software, so that the proxy software, on receiving the data-carrying handshake request message, confirms that a TCP connection has been established with the client that sent the request message.
  11. The server according to claim 10, wherein before the content identification module adds the TCP handshake flag SYN to the request message to obtain the data-carrying handshake request message, the content identification module is further configured to:
    modify the header options of the request message according to the recorded header options of the SYN message.
  12. The server according to claim 10, wherein the server is the proxy server and the proxy software is installed on the proxy server; and after the content identification module redirects the request message to the proxy software, the content identification module is further configured to:
    control the proxy software to establish a TCP connection with the origin server that receives the upstream messages, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server based on the data-carrying handshake request message.
  13. The server according to claim 12, wherein after the content identification module controls the proxy software to establish the TCP connection with the origin server that receives the upstream messages, and after the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the content identification module is further configured to:
    control the proxy software to send a request to the origin server based on the data-carrying handshake request message.
  14. The server according to claim 13, wherein after controlling the proxy software to send the request to the origin server based on the data-carrying handshake request message, the content identification module is further configured to:
    control the proxy software to receive the response message returned by the origin server;
    control the proxy software to rewrite the source address of the response message to the address of the origin server, so that the proxy server sends the rewritten response message to the client.
  15. A server, comprising:
    at least one processor; and
    a memory communicatively connected to the at least one processor; wherein
    the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to:
    receive an HTTP request message;
    parse the request message to obtain request information;
    determine whether the request information matches preset whitelist rules;
    if it does, redirect the request message to proxy software and send the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in a preset storage device, fetches the request content from the preset storage device and sends it to a proxy server;
    if it does not, forward the request message to the next hop;
    wherein the upstream messages of the TCP connection to which the request message belongs pass through a server, and the server records the header options of the SYN message of the TCP connection.
  16. The server according to claim 15, wherein before parsing the request message, the at least one processor is further able to:
    determine whether the destination port of the TCP connection is a preset whitelist destination port;
    if it is, parse the request message to obtain the request information;
    if it is not, forward the request message to the next hop;
    wherein the destination port of the TCP connection is obtained by parsing the upstream messages.
  17. The server according to claim 15, wherein the proxy software is preconfigured with TCP Fast Open; and the at least one processor is further able to perform the redirecting of the request message to the proxy software, which comprises:
    adding the TCP handshake flag SYN to the request message to obtain a data-carrying handshake request message;
    redirecting the data-carrying handshake request message to the proxy software, so that the proxy software, on receiving the data-carrying handshake request message, confirms that a TCP connection has been established with the client that sent the request message.
  18. The server according to claim 17, wherein before adding the TCP handshake flag SYN to the request message to obtain the data-carrying handshake request message, the at least one processor is further able to:
    modify the header options of the request message according to the recorded header options of the SYN message.
  19. The server according to claim 17, wherein the server is the proxy server and the proxy software is installed on the proxy server; and after redirecting the request message to the proxy software, the at least one processor is further able to:
    control the proxy software to establish a TCP connection with the origin server that receives the upstream messages, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the origin server based on the data-carrying handshake request message.
  20. A computer storage medium storing a computer program which, when executed by a processor, implements the traffic proxy method according to any one of claims 1 to 6.
PCT/CN2020/122270 (priority date 2020-03-30, filing date 2020-10-20): Traffic flow proxy method, server, and storage medium, published as WO2021196568A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202010237001 2020-03-30
CN202010237001.3 2020-03-30
CN202011010588.0 2020-09-23
CN202011010588.0A CN112104744B (en) 2020-03-30 2020-09-23 Traffic proxy method, server and storage medium

Publications (1)

Publication Number Publication Date
WO2021196568A1 true WO2021196568A1 (en) 2021-10-07

Family

ID=73755994

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/122270 WO2021196568A1 (en) 2020-03-30 2020-10-20 Traffic flow proxy method, server, and storage medium

Country Status (2)

Country Link
CN (1) CN112104744B (en)
WO (1) WO2021196568A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710548A (en) * 2022-03-22 2022-07-05 阿里巴巴(中国)有限公司 Message forwarding method and device
CN117579383A (en) * 2024-01-15 2024-02-20 杭州优云科技股份有限公司 Method, device and equipment for detecting and intercepting active HTTP response

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112929360A (en) * 2021-02-03 2021-06-08 北京中数智汇科技股份有限公司 Web terminal protection method, system and storage medium based on port proxy
CN113472875A (en) * 2021-06-28 2021-10-01 深信服科技股份有限公司 Connection multiplexing method and device, electronic equipment and storage medium
CN113726789B (en) * 2021-09-01 2023-07-28 北京天空卫士网络安全技术有限公司 Sensitive data interception method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005114449A2 (en) * 2004-05-14 2005-12-01 Mobilaps, Llc Method of providing a web page with inserted content
CN102780711A (en) * 2011-05-09 2012-11-14 腾讯科技(深圳)有限公司 Method, device and system for accessing application data of SNS (Social Network Site)
CN103220372A (en) * 2012-01-19 2013-07-24 中国移动通信集团公司 Data service access method and system
CN103533060A (en) * 2013-10-17 2014-01-22 华为技术有限公司 Processing method and device of local proxy

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060069782A1 (en) * 2004-09-16 2006-03-30 Michael Manning Method and apparatus for location-based white lists in a telecommunications network
JP4648182B2 (en) * 2005-12-19 2011-03-09 富士通株式会社 Packet relay system
CN101547210A (en) * 2009-05-14 2009-09-30 福建星网锐捷网络有限公司 Method and device for processing TCP connection
CN101771695A (en) * 2010-01-07 2010-07-07 福建星网锐捷网络有限公司 Transmission control protocol (TCP) connection processing method and system and synchronization (SYN) agent equipment
CN101834875B (en) * 2010-05-27 2012-08-22 华为技术有限公司 Method, device and system for defending DDoS (Distributed Denial of Service) attacks
US20120174196A1 (en) * 2010-12-30 2012-07-05 Suresh Bhogavilli Active validation for ddos and ssl ddos attacks
CN102075537B (en) * 2011-01-19 2013-12-04 华为技术有限公司 Method and system for realizing data transmission between virtual machines
CN102594877B (en) * 2012-01-19 2015-08-12 网宿科技股份有限公司 In conjunction with the method, the system that are redirected download request and the service of agency service accelerating network
CN102647482B (en) * 2012-03-31 2015-05-06 北京奇虎科技有限公司 Method and system for accessing website
CN102907071B (en) * 2012-07-26 2015-04-29 华为技术有限公司 Data transmission method, mobile terminal, proxy server
CN105208026A (en) * 2015-09-29 2015-12-30 努比亚技术有限公司 Hostile attack preventing method and network system
CN108418847B (en) * 2017-02-09 2021-04-16 中国移动通信集团甘肃有限公司 Network traffic caching system, method and device
CN108965203B (en) * 2017-05-18 2020-12-29 腾讯科技(深圳)有限公司 Resource access method and server
CN107438074A (en) * 2017-08-08 2017-12-05 北京神州绿盟信息安全科技股份有限公司 The means of defence and device of a kind of ddos attack
CN108064443B (en) * 2017-09-30 2021-08-06 达闼机器人有限公司 Proxy forwarding method and device, proxy server and multi-level proxy network
CN108848049A (en) * 2018-04-18 2018-11-20 山石网科通信技术有限公司 Proxy Method and device, the storage medium and processor of domain name analysis system
CN108924138B (en) * 2018-07-05 2020-10-23 成都安恒信息技术有限公司 Method for realizing TCP proxy complete transparency
CN109714312B (en) * 2018-11-19 2020-04-24 中国科学院信息工程研究所 Acquisition strategy generation method and system based on external threats
CN111431871B (en) * 2020-03-10 2022-11-25 杭州迪普科技股份有限公司 Processing method and device of TCP (Transmission control protocol) semi-transparent proxy

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710548A (en) * 2022-03-22 2022-07-05 阿里巴巴(中国)有限公司 Message forwarding method and device
CN114710548B (en) * 2022-03-22 2024-04-05 阿里巴巴(中国)有限公司 Message forwarding method and device
CN117579383A (en) * 2024-01-15 2024-02-20 杭州优云科技股份有限公司 Method, device and equipment for detecting and intercepting active HTTP response
CN117579383B (en) * 2024-01-15 2024-03-22 杭州优云科技股份有限公司 Method, device and equipment for detecting and intercepting active HTTP response

Also Published As

Publication number Publication date
CN112104744A (en) 2020-12-18
CN112104744B (en) 2022-09-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20928820; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20928820; Country of ref document: EP; Kind code of ref document: A1)