WO2021196568A1 - Traffic proxy method, server and storage medium - Google Patents

Traffic proxy method, server and storage medium

Info

Publication number
WO2021196568A1
Authority
WO
WIPO (PCT)
Prior art keywords
request message
proxy
request
server
message
Application number
PCT/CN2020/122270
Other languages
English (en)
Chinese (zh)
Inventor
吴建国
许加烜
Original Assignee
厦门网宿有限公司
Application filed by 厦门网宿有限公司
Publication of WO2021196568A1

Classifications

    • H Electricity
      • H04 Electric communication technique
        • H04L Transmission of digital information, e.g. telegraphic communication
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            • H04L 67/50 Network services
              • H04L 67/56 Provisioning of proxy services
              • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
                • H04L 67/63 Routing a service request depending on the request content or context
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
              • H04L 69/163 In-band adaptation of TCP data exchange; in-band control procedures
            • H04L 69/22 Parsing or analysis of headers

Definitions

  • The embodiments of the present application relate to the field of communication technologies, and in particular to a traffic proxy method, a server, and a storage medium.
  • The client establishes a connection with the proxy server.
  • The proxy server establishes a connection with the origin site.
  • The proxy server obtains the content of the origin site and then returns the obtained content to the client.
  • The purpose of the embodiments of the present application is to provide a traffic proxy method, server and storage medium that help reduce the traffic proxy load of the proxy server and prevent the proxy server from having to process every proxied client request.
  • An embodiment of the present application provides a traffic proxy method, including: receiving an HTTP request message; parsing the request message to obtain request information; judging whether the request information conforms to a preset whitelist rule; if yes, redirecting the request message to the proxy software and sending the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forwarding the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection.
  • An embodiment of the present application also provides a server, including a receiving module and a content identification module; the receiving module is used to receive HTTP request messages; the content identification module is used to parse the request message to obtain request information and to determine whether the request information meets the preset whitelist rules; if so, it redirects the request message to the proxy software and sends the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, it forwards the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the proxy server, and the proxy server records the SYN message header options of the TCP connection.
  • An embodiment of the present application also provides a server, including: at least one processor; and a memory communicatively connected with the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the above traffic proxy method.
  • An embodiment of the present application also provides a computer storage medium storing a computer program which, when executed by a processor, implements the above traffic proxy method.
  • This embodiment of the application receives an HTTP request message; parses the request message to obtain request information; judges whether the request information meets the preset whitelist rule; if so, redirects the request message to the proxy software and sends the request information to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, forwards the request message to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, so the server records the SYN packet header options of the TCP connection.
  • Because the server passes the uplink messages of the TCP connection through, it can intercept the HTTP request message in the TCP connection, parse the request information, and decide from whether the request information meets the preset whitelist rules whether to proxy the request message. This can effectively intercept insecure, offensive and other requests that are not allowed to be proxied, thereby helping to improve the security of the traffic proxy. If it is determined to proxy the request message, the request message is redirected to the proxy software for processing; if not, the request message is forwarded directly to the next hop, that is, it is not processed by the proxy software, so the traffic to be loaded by the proxy server is filtered and the traffic load pressure on the proxy server is reduced. In addition, after the request message is redirected to the proxy software and the request information is sent to it, the proxy software, once it determines that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server, which shortens the time taken by the request and response process and realizes an accelerated service for the request.
  • Before parsing the request message, the method further includes: determining whether the destination port of the TCP connection is a preset whitelist destination port; if so, parsing the request message to obtain request information; if not, forwarding the request message to the next hop; wherein the destination port of the TCP connection is obtained by parsing the uplink message. In this way, before the request information of the request message is used to determine whether to proxy the request message, a pre-filtering is performed on the destination port of the TCP connection to which the request message belongs, to reduce the traffic that the proxy software will load.
  • The proxy software is pre-configured with a TCP connection fast opening function; redirecting the request message to the proxy software includes: adding the TCP handshake request flag SYN to the request message to obtain a handshake request message carrying data, and redirecting the handshake request message carrying data to the proxy software, so that after receiving it the proxy software confirms that a TCP connection has been established with the client that sent the request message. It is understandable that the pre-configured fast TCP connection opening function enables the proxy software and the client sending the upstream message to quickly establish a TCP connection, which speeds up the data transmission process.
  • Adding the TCP handshake request flag SYN to the request message, before the handshake request message carrying data is obtained, further includes: modifying the message header options of the request message according to the recorded SYN message header options, so that the proxy software confirms that the message header options of the TCP connection established with the client are the same as those of the TCP connection to which the request message belongs. The client is thus unaware of the established TCP connection, and a proxy transparent to the client is realized.
  • Fig. 1 is a flowchart of a traffic proxy method according to the first embodiment of the present application.
  • Fig. 2 is a flowchart of another traffic proxy method according to the first embodiment of the present application.
  • Fig. 3 is a flowchart of a traffic proxy method according to a second embodiment of the present application.
  • Fig. 4 is a flowchart of a traffic proxy method according to a third embodiment of the present application.
  • Fig. 5 is a block diagram of the structure of a server according to a fourth embodiment of the present application.
  • Fig. 6 is a block diagram of the structure of a server according to a fifth embodiment of the present application.
  • the first embodiment of the present application relates to a traffic proxy method.
  • the specific process is shown in Figure 1 and includes the following steps.
  • Step 101 Receive an HTTP request message.
  • Step 102 Parse the request message to obtain request information.
  • Step 103 Determine whether the requested information meets the preset whitelist rules; if yes, go to step 104; if not, go to step 105.
  • Step 104 Redirect the request message to the agent software, and send the request information to the agent software.
  • Step 105 Forward the request message to the next hop.
  • The uplink messages of the TCP connection to which the request message belongs pass through the server; that is, the uplink messages sent by the client to establish a TCP connection with the source station pass through the server. It can be understood that the server transparently transmits the uplink messages of the above TCP connection.
  • In step 101, the server receives the HTTP request message; specifically, the HTTP request message can be directed to the server by a pre-configured routing strategy.
  • In step 102, the server parses the request message to obtain the request information; specifically, the request information in this embodiment may include the requested domain name address, the requested content type, the requested content name, fields related to the requested content, and other information.
  • In step 103, the server determines whether the request information meets the preset whitelist rules; specifically, whitelist rules for the request information can be configured in the server in advance to filter the request information (for example, whitelist rules for filtering domain name addresses, whitelist rules for filtering requested content types, whitelist rules for filtering requested content names, and so on).
  • After the server parses and obtains the request information, it performs comparison or matching according to the pre-configured whitelist rules; if the parsed request information meets the preset whitelist rules, the request message is determined to be a legal request message that is allowed to be proxied, and step 104 is executed; if the parsed request information does not meet the preset whitelist rules, the request message is determined to be an illegal request message that is not allowed to be proxied, and step 105 is executed. It is understandable that filtering the request information according to the preset whitelist rules realizes the function of a firewall, which can effectively intercept insecure, offensive and other request messages that are not allowed to be proxied, thereby helping to improve the security of the traffic proxy; moreover, the whitelist rules configured in the server can be dynamically adjusted at any time according to requirements without affecting the normal operation of the server.
  • In step 104, when it is determined that the parsed request information meets the preset whitelist rules, the request message is redirected to the proxy software so that the proxy software can perform proxy acceleration on it. Since the request message is sent by the client in the upstream direction, its source address is the address of the client and its destination address is the address of the source station that receives the uplink message; when the request message is redirected, the destination address of the request message can be converted to the address of the proxy software according to the DNAT (Destination Network Address Translation) principle, thereby redirecting the request message to the proxy software.
  • The server also sends the request information to the proxy software, so that the proxy software can determine from the request information whether the request content corresponding to it is stored in the preset storage device; if the proxy software determines that the preset storage device stores the request content corresponding to the request information, the proxy software can obtain the request content directly from the preset storage device and send it to the proxy server, so that the proxy server can forward the request content to the client, thereby reducing the time taken by the request and response process and realizing an accelerated service for the request.
  • The preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device; it is used to store content that the proxy software has previously requested from the origin site.
  • For example, the request information received by the proxy software includes: the requested content type is a picture and the requested content name is A (that is, the requested content is picture A). If the proxy software determines that "picture A" is stored in the preset storage device, it reads "picture A" directly from the preset storage device and sends it to the proxy server, without requesting "picture A" from the origin site again. It is understandable that if the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the proxy software requests the content from the source station, sends the content obtained from the source station back to the client via the proxy server, and caches that content in the preset storage device.
  • In step 105, when it is determined that the parsed request information does not conform to the preset whitelist rules, the request message is forwarded directly to the next hop in the pre-configured routing policy without being proxied by the proxy software, so that the traffic to be loaded by the proxy software is filtered.
  • The request message can also be discarded directly instead of being proxied by the proxy software, so that some potentially offensive request messages are filtered out, ensuring the security of the network.
  • this embodiment also provides a traffic proxy method, as shown in Fig. 2; the traffic proxy method shown in Fig. 2 is roughly the same as the traffic proxy method shown in Fig. 1, and includes the following steps.
  • Step 201 Receive an HTTP request message; this step is roughly the same as step 101, and will not be repeated here.
  • Step 202 Determine whether the destination port of the TCP connection is a preset whitelist destination port; if yes, execute step 203, if not, execute step 206.
  • The uplink messages of the TCP connection to which the request message belongs include the source IP address, source port, destination IP address and destination port; when the server transparently transmits the uplink messages of the TCP connection, it can parse them to obtain the destination port they carry, and determine whether the parsed destination port (that is, the port of the source station that receives the uplink message) is a preset whitelist destination port. It is understandable that the destination ports that need to be served can be configured in the server in advance as the preset whitelist destination ports.
  • If the destination port is determined to belong to the preset whitelist destination ports, step 203 is executed; if the destination port is determined not to belong to the preset whitelist destination ports, step 206 is executed to forward the request message directly to the next hop instead of passing it through the proxy software for proxy acceleration.
  • In this way, a filtering is performed on the destination port of the TCP connection to which the request message belongs, so as to reduce the traffic that the proxy software will load.
  • Step 203 parse the request message to obtain the request information; this step is roughly the same as step 102, and will not be repeated here.
  • Step 204 Determine whether the requested information meets the preset whitelist rules; if yes, perform step 205; if not, perform step 206; this step is roughly the same as step 103, and will not be repeated here.
  • Step 205 redirect the request message to the agent software, and send the request information to the agent software; this step is roughly the same as step 104, and will not be repeated here.
  • Step 206 forward the request message to the next hop; this step is roughly the same as step 105, and will not be repeated here.
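The server-side decision pipeline of Figures 1 and 2 (port pre-filter, request parsing, whitelist matching, redirect-or-forward), as an added example that is not code from the patent or its assignee; the whitelisted ports, domains, content types, name prefixes and the sample requests are all constructed values:

```python
"""Added illustration of steps 202-206: filter by TCP destination port first,
then parse the HTTP request into request information (domain, content type,
content name) and match it against whitelist rules. Nothing here is the
patent's own code; every rule value below is constructed."""
import posixpath
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Step 202: destination ports the proxy is willing to serve (constructed).
WHITELIST_PORTS = {80, 8080}

# Step 103/204: whitelist rules for the parsed request information (constructed).
WHITELIST_DOMAINS = {"static.example.com", "img.example.com"}
WHITELIST_CONTENT_TYPES = {"picture", "script"}
TYPE_BY_EXTENSION = {".png": "picture", ".jpg": "picture", ".js": "script"}
WHITELIST_NAME_PREFIXES = ("assets/",)


@dataclass
class RequestInfo:
    domain: str
    content_type: str
    content_name: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Optional[RequestInfo]:
    """Step 102/203: extract request information from an HTTP/1.x request message."""
    head = raw.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                          # not a well-formed request line
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Absolute-form targets carry their own host; origin-form relies on Host.
    if not target.startswith(("http://", "https://")):
        target = "http://" + headers.get("host", "") + target
    try:
        domain = urlsplit(target).hostname or ""
        path = urlsplit(target).path or "/"
    except ValueError:
        return None                          # unparsable authority (e.g. bad IPv6 literal)
    # Normalise the path so "../" segments cannot slip past name-prefix rules.
    name = posixpath.normpath(path).lstrip("/")
    ctype = TYPE_BY_EXTENSION.get(posixpath.splitext(name)[1].lower(), "other")
    return RequestInfo(domain, ctype, name, headers)


def matches_whitelist(info: RequestInfo) -> bool:
    """Step 103/204: every configured rule class must accept the request."""
    return (info.domain in WHITELIST_DOMAINS
            and info.content_type in WHITELIST_CONTENT_TYPES
            and info.content_name.startswith(WHITELIST_NAME_PREFIXES))


def decide(dst_port: int, raw: bytes) -> str:
    """Figure 2 pipeline: 'REDIRECT' to the proxy software, otherwise 'FORWARD'."""
    if dst_port not in WHITELIST_PORTS:                   # step 202 pre-filter
        return "FORWARD"                                  # step 206
    info = parse_request(raw)                             # step 203
    if info is None or not matches_whitelist(info):       # step 204
        return "FORWARD"                                  # step 206
    return "REDIRECT"                                     # step 205


if __name__ == "__main__":
    sample = b"GET /assets/a.png HTTP/1.1\r\nHost: static.example.com\r\n\r\n"
    print(decide(80, sample), decide(443, sample))
```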
  • The server in this embodiment can have the proxy software installed and be used as the proxy server; that is, the proxy server transparently transmits the uplink packets of the TCP connection and parses the received HTTP request packets, while the proxy software in the proxy server mainly performs proxy acceleration and other operations on request messages at the application level.
  • In that case, the client's upstream traffic is transmitted to our switch (or router) through the office-side switch (or router), our switch transmits the upstream traffic to the proxy server, and the proxy server analyzes and judges the request message; the proxy server redirects the request message to the proxy software in the proxy server and sends the request information to that proxy software; the proxy software obtains the stored request content from the preset storage device, or obtains the request content from the source site through our switch; the request content obtained by the proxy software is processed by the proxy server, routed to the office-side switch via our switch, and then routed by the office-side switch to the client.
  • When the server in this embodiment is used as the proxy server, after the proxy server redirects the request message to the proxy software, the method further includes: controlling the proxy software to establish a TCP connection with the source station receiving the uplink message, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends a request to the source station via our switch according to the handshake request message carrying data; and controlling the proxy software to receive the response message sent by the source station and to modify the source address of the response message to the address of the source station, after which the proxy server processes the response message and routes it to the office-side switch via our switch, and the office-side switch routes it to the client.
  • Alternatively, the proxy software in this embodiment is installed on another server serving as the proxy server, and the proxy software in that other server performs proxy acceleration and other operations on the request message redirected by the server.
  • In that case, the client's upstream traffic is transmitted to our switch through the office-side switch, our switch transmits the upstream traffic to server A, and server A analyzes and judges the request message; server A then redirects the request message to the proxy software in another server B (that is, server B acts as the proxy server) and sends the request information to the proxy software in server B, and the proxy software in server B performs the proxy acceleration, which is not described in detail here.
  • In summary, the HTTP request message is received; the request message is parsed to obtain the request information; it is determined whether the request information meets the preset whitelist rules; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop; wherein the uplink messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection. Because the server passes the uplink messages of the TCP connection through, it can intercept the HTTP request message in the TCP connection, parse the request information, and decide from whether the request information meets the preset whitelist rules whether to proxy the request message; this can effectively intercept insecure, offensive and other requests that are not allowed to be proxied, helping to improve the security of the traffic proxy. If it is determined to proxy the request message, the request message is redirected to the proxy software for processing; if not, it is forwarded directly to the next hop and is not processed by the proxy software, so the traffic to be loaded by the proxy server is filtered and the load pressure on the proxy server is reduced. In addition, since the request message is redirected to the proxy software and the request information is sent to it, the proxy software, after determining that the request content corresponding to the request information is stored in the preset storage device, obtains the request content from the preset storage device and sends it to the proxy server, which shortens the time taken by the request and response process and realizes acceleration of the request service.
  • the second embodiment of the present application relates to a traffic proxy method, which is roughly the same as the first embodiment.
  • the specific process is shown in Figure 3.
  • the steps and implementation details of the traffic proxy method in Figure 3 will be described in detail below.
  • The following content consists only of implementation details provided for ease of understanding, and is not necessary for implementing this solution.
  • Step 301 Receive an HTTP request message; this step is roughly the same as step 101, and will not be repeated here.
  • Step 302 parse the request message to obtain the request information; this step is roughly the same as step 102, and will not be repeated here.
  • Step 303 Determine whether the requested information meets the preset whitelist rules; if yes, go to step 304; if not, go to step 305; this step is roughly the same as step 103, and will not be repeated here.
  • Step 304 Add a TCP handshake request flag SYN to the request message to obtain a handshake request message carrying data; redirect the handshake request message carrying data to the proxy software, and send the request information to the proxy software.
  • This embodiment provides a specific implementation for redirecting the request message to the proxy software. The TCP handshake request flag SYN is a TCP flag bit indicating that a connection is being established; since the request message itself carries data, adding SYN to it yields a handshake request message carrying data, and it is this handshake request message carrying data that is redirected to the proxy software.
  • The uplink messages of the TCP connection to which the request message belongs pass through the server, and the proxy server records the SYN message header options of the TCP connection; therefore, after adding the TCP handshake request flag SYN to the request message, the following step can also be executed: modify the header options of the request message according to the SYN header options recorded by the server. The final result is a handshake request message that carries data and has modified header options, so that the proxy software confirms that the message header options of the TCP connection established with the client are the same as those of the TCP connection to which the request message belongs. The client thus has no perception of the TCP connection established with the proxy software, and a proxy transparent to the client is realized.
  • The recorded SYN packet header options may be TCP OPTIONS, which represent variable-length optional information including timestamp (message timestamp), window scale (window scale factor), and so on.
  • Because the proxy software is pre-configured with the TCP connection fast opening function, it can treat the TCP connection with the client as established as soon as it receives the redirected handshake request message, thus saving the time otherwise spent transmitting handshake messages when establishing a TCP connection; treating the TCP connection with the client as already established helps speed up the subsequent data transmission between the proxy software and the client.
  • After the proxy software treats the TCP connection with the client as established, it also establishes a TCP connection with the source station that receives the uplink message, so that it can send requests to the source station according to the handshake request message carrying data; once the proxy software has TCP connections with both the client and the source station, it can send multiple requests and receive multiple responses, which shortens the data transmission process. In addition, because the proxy software has established TCP connections with the client and the source station respectively, it can implement a proxy transparent to the client on this basis, making the client unaware of the existence of the proxy software.
  • Step 305 Forward the request message to the next hop. This step is roughly the same as step 105, and will not be repeated here.
  • The proxy software thus quickly establishes TCP connections with the client and the source station, which speeds up the data transmission process, and implements a proxy transparent to the client by modifying message options and converting message addresses, making the client unaware of the existence of the proxy software.
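The packet-level operations of the second embodiment (recording the client's SYN options, then turning the HTTP request segment into a SYN-flagged "handshake request carrying data" with the recorded options and a DNAT-rewritten destination), as an added example working over raw IPv4/TCP bytes; this is not the patent's or the assignee's code, and the addresses, ports, option values and request below are constructed:

```python
"""Added illustration of steps 304 and the SYN-option recording it relies on.
record_syn_options() is what the server does when the client's SYN passes
through; make_handshake_request() adds SYN to the client's request segment,
replaces its header options with the recorded ones, DNATs the destination to
the proxy software and recomputes the checksum. IPv4 only; constructed data."""
import socket
import struct

TCP_HDR = struct.Struct("!HHIIBBHHH")   # sport, dport, seq, ack, offset, flags, win, csum, urg
FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x02, 0x08, 0x10
OPT_END, OPT_NOP = 0, 1                 # option kinds; MSS=2, WS=3, SACK-permitted=4, TS=8


def parse_tcp_options(block: bytes) -> dict:
    """Return {kind: data} for a TCP options block; rejects truncated options."""
    opts, i = {}, 0
    while i < len(block):
        kind = block[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(block):
            raise ValueError("truncated option header")
        length = block[i + 1]
        if length < 2 or i + length > len(block):
            raise ValueError("bad option length")
        opts[kind] = block[i + 2:i + length]
        i += length
    return opts


def encode_tcp_options(opts: dict) -> bytes:
    """Serialize options in kind order and NOP-pad to a 32-bit boundary."""
    out = b"".join(bytes([k, 2 + len(v)]) + v for k, v in sorted(opts.items()))
    return out + bytes([OPT_NOP]) * (-len(out) % 4)


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, options, payload) -> bytes:
    """Build a TCP segment with a valid checksum over the IPv4 pseudo-header."""
    hdr_len = TCP_HDR.size + len(options)
    hdr = TCP_HDR.pack(sport, dport, seq, ack, (hdr_len // 4) << 4, flags, 65535, 0, 0)
    csum = _checksum(_pseudo(src_ip, dst_ip, hdr_len + len(payload)) + hdr + options + payload)
    hdr = TCP_HDR.pack(sport, dport, seq, ack, (hdr_len // 4) << 4, flags, 65535, csum, 0)
    return hdr + options + payload


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return _checksum(_pseudo(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_flags(segment: bytes) -> int:
    return TCP_HDR.unpack_from(segment)[5]


def segment_payload(segment: bytes) -> bytes:
    return segment[(TCP_HDR.unpack_from(segment)[4] >> 4) * 4:]


def record_syn_options(syn_segment: bytes) -> dict:
    """Server side: remember the header options of the client's SYN as it passes through."""
    fields = TCP_HDR.unpack_from(syn_segment)
    if not fields[5] & FLAG_SYN:
        raise ValueError("not a SYN segment")
    return parse_tcp_options(syn_segment[TCP_HDR.size:(fields[4] >> 4) * 4])


def make_handshake_request(request_segment: bytes, recorded_opts: dict, client_ip: str, proxy_ip: str):
    """Step 304: SYN flag + recorded options + DNAT to the proxy; returns (new_dst_ip, segment)."""
    f = TCP_HDR.unpack_from(request_segment)
    segment = build_segment(client_ip, proxy_ip, f[0], f[1], f[2], f[3], f[5] | FLAG_SYN,
                            encode_tcp_options(recorded_opts), segment_payload(request_segment))
    return proxy_ip, segment


# Constructed sample: the client's SYN (MSS, window scale, SACK-permitted,
# timestamp) and its later HTTP request, both addressed to the origin site.
CLIENT_IP, ORIGIN_IP, PROXY_IP = "10.0.0.2", "203.0.113.10", "10.0.0.9"
SYN_OPTS = {2: b"\x05\xb4", 3: b"\x07", 4: b"", 8: struct.pack("!II", 1000, 0)}
SAMPLE_SYN = build_segment(CLIENT_IP, ORIGIN_IP, 40000, 80, 1, 0, FLAG_SYN, encode_tcp_options(SYN_OPTS), b"")
SAMPLE_REQUEST = build_segment(CLIENT_IP, ORIGIN_IP, 40000, 80, 2, 1, FLAG_PSH | FLAG_ACK, b"",
                               b"GET /picture-A.png HTTP/1.1\r\nHost: origin.example\r\n\r\n")

if __name__ == "__main__":
    recorded = record_syn_options(SAMPLE_SYN)
    new_dst, seg = make_handshake_request(SAMPLE_REQUEST, recorded, CLIENT_IP, PROXY_IP)
    print(new_dst, hex(segment_flags(seg)), verify_checksum(CLIENT_IP, new_dst, seg))
```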
  • the third embodiment of the present application relates to a traffic proxy method with proxy software as the execution subject.
  • the specific process is shown in FIG. 4 and includes the following steps 401 to 404.
  • The proxy software can be installed in the server used as the proxy server. In that case, the client's upstream traffic is transmitted to our switch (or router) through the office-side switch (or router), our switch transmits the upstream traffic to the proxy server, and the proxy server analyzes and judges the request message; the proxy server redirects the request message to the proxy software in the proxy server and sends the request information to it; the proxy software obtains the stored request content from the preset storage device, or obtains the request content from the source site through our switch; the request content obtained by the proxy software is processed by the proxy server, routed to the office-side switch via our switch, and then routed by the office-side switch to the client. Alternatively, the proxy software can be installed on another server acting as the proxy server, and the proxy software in that other server performs proxy acceleration and other operations on the request message redirected by the server; that is, the client's upstream traffic is transmitted to our switch through the office-side switch, and our switch
  • Step 401 Receive a redirected HTTP request message and request information obtained by parsing the request message.
  • The proxy software receives the redirected request message from the server together with the request information obtained by parsing the request message; before that, the server has determined that the request information obtained by parsing the request message conforms to the preset whitelist rules.
  • The proxy software is pre-configured with the TCP connection fast opening function, and the received request message is a handshake request message carrying data, obtained by adding the TCP handshake request flag SYN to the request message; in this way, after receiving the handshake request message carrying data, the proxy software confirms that a TCP connection has been established with the client that sent the uplink message, thereby saving the time otherwise spent transmitting handshake messages when establishing a TCP connection; treating the TCP connection with the client as already established helps speed up the data transmission between the proxy software and the client.
  • As in the second embodiment, after the proxy software treats the TCP connection with the client as established, it also establishes a TCP connection with the source station that receives the uplink message, so that it can send requests to the source station according to the handshake request message carrying data; once it has TCP connections with both the client and the source station, it can send multiple requests and receive multiple responses, which shortens the data transmission process, and because it has established TCP connections with the client and the source station respectively, it can implement a proxy transparent to the client on this basis, making the client unaware of the existence of the proxy software.
  • Specifically, the proxy server controls the proxy software to also establish a TCP connection with the source station that receives the uplink message, so that the proxy software, after determining that the request content corresponding to the request information is not stored in the preset storage device, sends the request to the source station according to the handshake request message carrying data.
  • Step 402: Determine whether the request content corresponding to the request information is stored in the preset storage device; if yes, execute step 403; if not, execute step 404.
  • Step 403: Obtain the request content from the preset storage device and send it to the proxy server.
  • Step 404: Send a request, according to the request message, to the source station that receives the request message.
  • The preset storage device in this embodiment may be a local storage device such as a disk, or a cloud storage device.
  • The preset storage device is used to store content that the proxy software has previously requested from the source station.
  • For example, the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content includes picture A). If the proxy software determines that "picture A" is stored in the preset storage device, it reads "picture A" directly from the preset storage device and sends it to the proxy server, without having to request "picture A" from the source station again.
  • If the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, it requests the content requested by the client from the source station according to the redirected request message. The content obtained from the source station (the back-to-source content) is sent to the client via the proxy server and is also cached in the preset storage device.
  • For example, the request information received by the proxy software indicates that the requested content type is a picture and the requested content name is A (that is, the requested content includes picture A). If the proxy software determines that "picture A" is not stored in the preset storage device, it sends a request to the source station according to the request message, the content of the request including "picture A". After the proxy software obtains "picture A" from the source station, "picture A" is sent to the client via the proxy server and cached in the preset storage device, so that it can be obtained directly from the preset storage device the next time a request for "picture A" is received.
  • The specific method by which the proxy software sends the request message to the source station will not be repeated here.
  • Whether the proxy software obtains the stored request content from the preset storage device or obtains the request content from the source station through our switch, the content is processed by the proxy server, routed through our switch to the carrier-side switch, and then routed by the carrier-side switch to the client.
  • The proxy server can parse the upstream messages of the TCP connection to which the request message belongs and obtain the upstream message header options, including seq (sequence number), timestamp (message timestamp), window scale (window scale factor), and so on.
  • The proxy server can send the request content to the client in a response message. When sending the response message, it can set the header options of the response message to be the same as the parsed upstream message header options, and modify the source address of the response message to the address of the source station, so that when the client receives the response message it regards it as having been sent by the source station, thereby realizing a transparent proxy towards the client.
  • The proxy server controls the proxy software to send requests to the source station and to receive the response messages sent by the source station; the proxy server also controls the proxy software to modify the source address of the response message to the address of the source station, and the modified response message is then processed by the proxy server.
  • In this embodiment, the proxy software receives the redirected request message and the request information obtained by parsing the request message, and when it determines that the request content corresponding to the request information is stored in the preset storage device, it obtains the request content from the preset storage device and sends it to the proxy server. This shortens the request and response process and realizes accelerated service for the request.
  • The fourth embodiment of the present application relates to a server 50, as shown in FIG. 5, which includes a receiving module 501 and a content identification module 502.
  • The receiving module 501 is configured to receive HTTP request messages.
  • The content identification module 502 is configured to parse the request message to obtain the request information.
  • The content identification module 502 is further configured to determine whether the request information meets the preset whitelist rule; if so, the request message is redirected to the proxy software and the request information is sent to the proxy software, so that after the proxy software determines that the request content corresponding to the request information is stored in the preset storage device, it obtains the request content from the preset storage device and sends it to the proxy server; if not, the request message is forwarded to the next hop. The upstream messages of the TCP connection to which the request message belongs pass through the server, and the server records the SYN message header options of the TCP connection.
  • Before the content identification module 502 parses the request message, it further judges whether the destination port of the TCP connection is a preset whitelist destination port; if so, it parses the request message to obtain the request information; if not, the request message is forwarded to the next hop. The destination port of the TCP connection is obtained by parsing the uplink message.
  • The proxy software is pre-configured with the TCP connection fast-open function. The content identification module 502 redirecting the request message to the proxy software includes: adding the TCP handshake request flag SYN to the request message to obtain a handshake request message carrying data; and redirecting the handshake request message carrying data to the proxy software, so that after receiving the handshake request message carrying data the proxy software confirms the establishment of a TCP connection with the client that sent the request message.
  • Before the content identification module 502 adds the TCP handshake request flag SYN to the request message and obtains the handshake request message carrying data, the content identification module 502 is further configured to modify the header options of the request message to the recorded header options of the SYN message.
  • When the server is the proxy server and the proxy software is installed on the proxy server, after the content identification module 502 redirects the request message to the proxy software, the content identification module 502 is further configured to control the proxy software to establish a TCP connection with the source station that receives the uplink message, so that after the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, it sends a request to the source station according to the handshake request message carrying data.
  • After the content identification module 502 controls the proxy software to establish a TCP connection with the source station that receives the uplink message, and the proxy software determines that the request content corresponding to the request information is not stored in the preset storage device, the content identification module 502 is further configured to: control the proxy software to send a request to the source station according to the handshake request message carrying data and to receive the response message sent by the source station; and control the proxy software to modify the source address of the response message to the address of the source station, so that the proxy server sends the modified response message to the client.
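The whitelist check, redirect decision and storage lookup described in steps 401 to 404 and in the receiving and content identification modules above, as an added Python model written for this page (not the applicant's implementation). The whitelist rule (destination port 80 and picture types), the derivation of request information from the URL path and Host header, and the in-memory ORIGIN table standing in for the source station are assumptions.

```python
"""Whitelist check, redirect decision and storage lookup of the traffic proxy.
Added example for this page, not the applicant's code. Assumed: request info
comes from the HTTP request line and Host header, the whitelist rule is
"destination port 80 and picture types", and ORIGIN stands in for the source station."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WHITELIST_PORTS = {80}                   # preset whitelist destination ports (assumed)
WHITELIST_TYPES = {"jpg", "png", "gif"}  # request info that qualifies (assumed rule)
# Constructed stand-in for the source station: URL path -> content bytes.
ORIGIN: Dict[str, bytes] = {"/img/A.png": b"<constructed bytes of picture A>"}


@dataclass
class RequestInfo:
    host: str
    path: str
    content_type: str   # e.g. "png"
    content_name: str   # e.g. "A"


def parse_request(raw: bytes) -> Optional[RequestInfo]:
    """Content identification: turn an HTTP request message into request info."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None                      # only GET requests are identified here
    host = ""
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    file_name = parts[1].rsplit("/", 1)[-1]
    base, _, ext = file_name.rpartition(".")
    if not base:
        return None                      # no "name.type" to identify the content
    return RequestInfo(host, parts[1], ext.lower(), base)


def matches_whitelist(dst_port: int, info: Optional[RequestInfo]) -> bool:
    """Destination port (from the uplink message) is checked before request info."""
    if dst_port not in WHITELIST_PORTS:
        return False
    return info is not None and info.content_type in WHITELIST_TYPES


@dataclass
class ProxySoftware:
    storage: Dict[Tuple[str, str], bytes] = field(default_factory=dict)  # preset storage
    origin_fetches: int = 0

    def handle(self, info: RequestInfo) -> Tuple[Optional[bytes], str]:
        """Steps 402-404: serve from storage, else go back to source and cache."""
        key = (info.host, info.path)
        if key in self.storage:
            return self.storage[key], "storage"
        self.origin_fetches += 1
        content = ORIGIN.get(info.path)
        if content is None:
            return None, "origin-miss"       # source station has no such content
        self.storage[key] = content          # cache the back-to-source content
        return content, "origin"


def server_decide(dst_port: int, raw: bytes, proxy: ProxySoftware) -> str:
    """Steps 103-105: redirect to the proxy software or forward to the next hop."""
    info = parse_request(raw)
    if not matches_whitelist(dst_port, info):
        return "next-hop"
    _, source = proxy.handle(info)
    return "redirected:" + source
```

Calling `server_decide(80, req, proxy)` twice for the same picture shows the first request going back to source and the second being served from storage; a non-whitelisted port or a non-picture path is forwarded to the next hop untouched.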
  • This embodiment is a device embodiment corresponding to the first embodiment or the second embodiment.
  • This embodiment can be implemented in cooperation with the first embodiment or the second embodiment.
  • The related technical details mentioned in the second embodiment are still valid in this embodiment, and in order to reduce repetition they will not be repeated here.
  • The related technical details mentioned in this embodiment can also be applied in the first embodiment or the second embodiment.
  • The modules involved in this embodiment are all logical modules.
  • In practical application, a logical unit may be implemented as a physical unit, as a part of a physical unit, or as a combination of multiple physical units.
  • This embodiment does not introduce units that are not closely related to solving the technical problem proposed by the present application, but this does not mean that there are no other units in this embodiment.
  • The fifth embodiment of the present application relates to a server. As shown in FIG. 6, it includes at least one processor 601, and a memory 602 communicatively connected to the at least one processor 601; the memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 so that the at least one processor 601 can execute the foregoing traffic proxy method.
  • The memory 602 and the processor 601 are connected by a bus.
  • The bus may include any number of interconnected buses and bridges.
  • The bus links together one or more processors and various circuits of the memory 602.
  • The bus can also connect various other circuits such as peripheral devices, voltage regulators and power management circuits, which are all well known in the art and therefore are not further described herein.
  • The bus interface provides an interface between the bus and the transceiver.
  • The transceiver may be one element or multiple elements, such as multiple receivers and transmitters, providing a unit for communicating with various other devices over the transmission medium.
  • The data processed by the processor 601 is transmitted over the wireless medium through the antenna.
  • The antenna also receives data and transmits the data to the processor 601.
  • The processor 601 is responsible for managing the bus and for general processing, and can also provide various functions, including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • The memory 602 may be used to store data used by the processor 601 when performing operations.
  • The sixth embodiment of the present application relates to a computer storage medium that stores a computer program.
  • When the computer program is executed by a processor, the foregoing embodiments of the traffic proxy method are implemented.
  • The program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods in the embodiments of the present application.
  • The aforementioned storage media include: USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks, and other media that can store program code.

Abstract

According to some embodiments, the present invention relates to the technical field of communications and in particular to a traffic proxy method, a server and a storage medium. The traffic proxy method comprises the steps of: receiving an HTTP request packet (101); parsing the request packet to obtain request information (102); determining whether or not the request information satisfies a preset whitelist rule (103); if so, redirecting the request packet to proxy software and sending the request information to the proxy software (104); and if not, forwarding the request packet to the next hop (105), an uplink packet of the TCP connection to which the request packet belongs passing through the server, and the server recording the SYN packet header option of the TCP connection.
PCT/CN2020/122270 2020-03-30 2020-10-20 Traffic proxy method, server and storage medium WO2021196568A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202010237001.3 2020-03-30
CN202010237001 2020-03-30
CN202011010588.0A CN112104744B (zh) 2020-03-30 2020-09-23 Traffic proxy method, server and storage medium
CN202011010588.0 2020-09-23

Publications (1)

Publication Number Publication Date
WO2021196568A1 true WO2021196568A1 (fr) 2021-10-07

Family

ID=73755994

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/122270 WO2021196568A1 (fr) 2020-03-30 2020-10-20 Traffic proxy method, server and storage medium

Country Status (2)

Country Link
CN (1) CN112104744B (fr)
WO (1) WO2021196568A1 (fr)

Also Published As

Publication number Publication date
CN112104744A (zh) 2020-12-18
CN112104744B (zh) 2022-09-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20928820; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20928820; Country of ref document: EP; Kind code of ref document: A1)
