Nothing Special   »   [go: up one dir, main page]

WO2023020606A1 - Method, system and apparatus for hiding source station, and device and storage medium - Google Patents

Method, system and apparatus for hiding source station, and device and storage medium Download PDF

Info

Publication number
WO2023020606A1
WO2023020606A1 PCT/CN2022/113500 CN2022113500W WO2023020606A1 WO 2023020606 A1 WO2023020606 A1 WO 2023020606A1 CN 2022113500 W CN2022113500 W CN 2022113500W WO 2023020606 A1 WO2023020606 A1 WO 2023020606A1
Authority
WO
WIPO (PCT)
Prior art keywords
connector
server
client
target
target application
Prior art date
Application number
PCT/CN2022/113500
Other languages
French (fr)
Chinese (zh)
Inventor
胡金涌
Original Assignee
上海云盾信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 上海云盾信息技术有限公司 filed Critical 上海云盾信息技术有限公司
Publication of WO2023020606A1 publication Critical patent/WO2023020606A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • the present disclosure relates to but is not limited to a method, system, device, equipment and storage medium for hiding a source site.
  • the Internet is an open world, and we can access content on the Internet because it is exposed on the Internet.
  • security threats on the Internet such as various scans and attacks from hackers
  • any application on the Internet may become a target of attacks, customers often try to hide the source server to which the application belongs to ensure the security of the source server.
  • proxies such as CDN, cloud WAF, or other types of four-layer or seven-layer security proxies.
  • Customers access proxy nodes and cannot directly access the source site. degree of concealment.
  • the proxy node IP list is generally set on the source site as a white list and access to other IPs is blocked.
  • maintaining such a security policy requires maintaining a proxy IP list, which is cumbersome and inefficient.
  • the present disclosure proposes a method, system, device, device and storage medium for hiding a source server, so that all inbound connections only need to be blocked on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • the embodiment of the first aspect of the present disclosure proposes a method for hiding a source site, which is applied to a connector client, and the connector client is associated with at least one target application, including:
  • the session connection is an outgoing connection from the connector client to the at least one connector server station connection;
  • the target source server is determined from the multiple source servers corresponding to the target application, and the sending the access request to the target application in the target source server;
  • the embodiment of the second aspect of the present disclosure provides a method for hiding the source site, which is applied to the connector server, including:
  • the embodiment of the third aspect of the present disclosure provides a method of hiding the source site, which is applied to the edge node server, including:
  • the access request includes an identifier of the target application, and the identifier of the target application includes at least one of a domain name, a protocol, an IP address, and a port;
  • configuration information of a connector client bound to the target application according to the identifier of the target application, where the configuration information includes at least address information of at least one connector server corresponding to the connector client;
  • the embodiment of the fourth aspect of the present disclosure provides a method of hiding the source site, which is applied to the management platform, including:
  • Configuration information corresponding to at least one connector client, where the configuration information includes at least identification information of the connector client and address information of a connector server corresponding to the connector client;
  • the application configuration information includes at least one of a domain name of the target application, a back-to-source address, and identification information of an associated connector client;
  • the status information of the connector client periodically reported by the connector client via its corresponding connector server the status information at least including at least one of heartbeat information and system resource usage.
  • the embodiment of the fifth aspect of the present disclosure provides a system for hiding the source site, including: a management platform, an edge node server, a connector server, and a connector client;
  • the management platform is used to generate the application configuration information of the target application, and generate the configuration information corresponding to the connector client; send the configuration information of the connector client; send the application configuration information of the target application required by the edge node server and configuration information of the connector client associated with the target application; receiving and displaying the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information being at least including at least one of heartbeat information and system resource usage;
  • the edge node server is configured to receive the access request for the target application sent by the target terminal; and send the access request to the corresponding connector server according to the identifier of the target application included in the access request;
  • the connector server is configured to receive the access request sent by the edge node server; forward the access request to the corresponding connector client according to the previously established session connection with the connector client;
  • the connector client is configured to receive the access request sent by the connector server, and forward the access request to a corresponding target application.
  • the embodiment of the sixth aspect of the present disclosure provides a device for hiding the source site, which is applied to the connector client, including:
  • a configuration acquisition module configured to acquire address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client;
  • Establishing a session module configured to establish a session connection with the at least one connector server according to the address information of the at least one connector server, the session connection is from the connector client to the at least one an outbound connection from a connector server;
  • the source server determining module is configured to, based on the session connection, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy, from the plurality of source servers corresponding to the target application Determine the target source server;
  • a first sending module configured to send the access request to the target application in the target source server; send the received request response information to the connector server, and the request response information is determined by the The target application in the target source server performs feedback according to the access request.
  • the embodiment of the seventh aspect of the present disclosure provides a device for hiding the source site, which is applied to the connector server, including:
  • a receiving module configured to receive a connection request sent by at least one connector client
  • Establishing a session module configured to establish a session connection with the at least one connector client according to the connection request, and the session connection is an outgoing connection from the at least one connector client to the connector server station connection;
  • the receiving module is also used to receive the access request for the target application forwarded by the edge node server;
  • a connector client determining module configured to determine a target connector client corresponding to the target application from the at least one connector client based on a second load balancing strategy
  • the second sending module is configured to forward the access request to the target connector client according to the session connection corresponding to the target connector client.
  • the embodiment of the eighth aspect of the present disclosure provides a device for hiding a source site, which is applied to an edge node server, including:
  • the receiving module is configured to receive an access request for a target application sent by a target terminal, the access request includes an identifier of the target application, and the identifier of the target application includes one of domain name, protocol, IP address and port or more;
  • a configuration acquiring module configured to acquire configuration information of a connector client bound to the target application according to the identifier of the target application, the configuration information at least including at least one connector service corresponding to the connector client end address information;
  • a connector server determination module configured to determine a target connector server from each connector server corresponding to the target application according to the configuration information and the third load balancing strategy;
  • the third sending module is configured to forward the access request to the target connector server according to the address information of the target connector server.
  • the embodiment of the ninth aspect of the present disclosure provides a device for hiding the source site, which is applied to the management platform, including:
  • a configuration generating module configured to generate configuration information corresponding to at least one connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client; generating a target application Corresponding application configuration information, the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client;
  • a configuration sending module configured to send the configuration information required by the connector client; send the application configuration information of the target application required by the edge node server and the connector client configuration information associated with the target application;
  • a status information receiving module configured to receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least including heartbeat information and system resource usage at least one of the .
  • the embodiment of the tenth aspect of the present disclosure provides an electronic device, including a memory, a processor, and a computer program stored on the memory and operable on the processor, and the processor runs the computer program to Implement the method described in any one of the first to fourth aspects above.
  • the embodiment of the eleventh aspect of the present disclosure provides a computer-readable storage medium, on which a computer program is stored, and the program is executed by a processor to implement the method described in any one of the first to fourth aspects above.
  • the session connection between the connector client and the connector server is established through setting the connector client, and the session connection is an outbound connection between the connector client and the connector server.
  • the user accesses the target application, he first visits the edge node server, and the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application.
  • This method only needs to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • FIG. 1 shows a schematic diagram of an exemplary system architecture to which the technical solutions of embodiments of the present disclosure can be applied;
  • FIG. 2 shows a signaling interaction diagram of a method for hiding a source station provided by an embodiment of the present disclosure
  • Fig. 3 shows a schematic diagram of application configuration information of a target application and configuration information of a connector client provided by an embodiment of the present disclosure
  • Fig. 4 shows a process of establishing a session connection between a connector client and a connector server provided by an embodiment of the present disclosure and a schematic diagram of the mapping relationship between the identification information of the connector client and the session;
  • Fig. 5 shows a schematic diagram of an edge node server selecting a connection server through load balancing and health checking and a connector server selecting a connector client through load balancing and health checking provided by an embodiment of the present disclosure
  • Fig. 6 shows a schematic diagram of a connector client reporting status information to a management platform via a connector server provided by an embodiment of the present disclosure
  • FIG. 7 shows a flowchart of a method for hiding an origin site provided by an embodiment of the present disclosure
  • FIG. 8 shows a schematic diagram of a connector client corresponding to multiple source servers provided by an embodiment of the present disclosure
  • FIG. 9 shows an operation flowchart of a connector client in a method for hiding an origin site provided by an embodiment of the present disclosure
  • Fig. 10 shows a flow chart of the operation of the connector server in a method for hiding the origin site provided by an embodiment of the present disclosure
  • Fig. 11 shows an operation flowchart of an edge node server in a method for hiding an origin site provided by an embodiment of the present disclosure
  • Fig. 12 shows an operation flowchart of the management platform in a method for hiding the origin site provided by an embodiment of the present disclosure
  • Fig. 13 shows a schematic structural diagram of a device applied to a connector client in a method for hiding an origin site provided by an embodiment of the present disclosure
  • Fig. 14 shows a schematic structural diagram of a device applied to a connector server in a method for hiding an origin site provided by an embodiment of the present disclosure
  • FIG. 15 shows a schematic structural diagram of a device applied to an edge node server in a method for hiding an origin site provided by an embodiment of the present disclosure
  • Fig. 16 shows a schematic structural diagram of a device applied to a management platform in a method for hiding an origin site provided by an embodiment of the present disclosure
  • Fig. 17 shows a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure
  • Fig. 18 shows a schematic diagram of a storage medium provided by an embodiment of the present disclosure.
  • the embodiment of the present disclosure provides a method of hiding the source site, see Figure 1,
  • the network system architecture based on the method includes a connector server, a connector client, a source server, an edge node server, a management platform and a target terminal.
  • the source server can adopt VPC (Virtual Private Cloud, proprietary network)/NAT (Network Address Translation, network address translation)
  • the source server contains one or more target applications
  • the target applications can be internal applications in the intranet. It can also be an application in the public network.
  • the same target application can be deployed on multiple source servers.
  • the connector client can be a software program for network communication, and the connector client can be deployed in any network that can communicate with the target application.
  • the connector client can be deployed in the same network as the target application, or Can be deployed in any network capable of communicating with the target application.
  • one or more connector clients may be deployed in a network, and the same connector client may communicate with multiple target applications, and the same target application may also communicate with multiple connector clients.
  • FIG. 1 only schematically shows a connector client, which communicates with a target application in the source server.
  • a session connection can be established between the connector client and the connector server, and the session connection is an outbound connection between the connector client and the connector server, that is, an outbound communication connection.
  • the session protocol type of the session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
  • the session connection may also be established based on a tunnel protocol, and the tunnel protocol may be one of VPN, GRE, or IPsec. It should be understood that the session connection may also be established using other tunnel protocols, which is not specifically limited in the present disclosure.
  • the edge node server communicates with the connector server and the target terminal respectively, and the management platform communicates with the edge node server.
  • the target terminal may include but not limited to one or more of smart phones, tablet computers, laptop computers or desktop computers.
  • the transmission protocol between the target terminal and the edge node server may include at least one of HTTP, HTTPS, TCP or UDP.
  • the number of target terminals, edge node servers, connector servers, connector clients, and source servers in FIG. 1 is only illustrative, and there may be any number of target terminals, edge node servers , Connector Server, Connector Client, and Origin Server.
  • the network architecture may include one or more edge node servers and one or more connector servers, and FIG. 1 only schematically shows one edge node server and one connector server.
  • edge node server and the connector server mentioned in the embodiments of the present disclosure are two logical concepts, which are proposed separately to help understanding. In practice, they can be deployed separately or on the same server device , which is not specifically limited in the present disclosure.
  • the target terminal's access request for the target application is sent to the connector server via the edge node server.
  • the connector server determines the connector client associated with the target application, and sends the access request to the connector client through an outbound connection with the determined client. Finally, the connector client sends the access request to the corresponding target application.
  • the target source server to which the target application belongs can block all incoming connections to achieve the purpose of hiding the source site, and the target source server does not need to maintain complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks on the source server and ensuring the security of the target application.
  • Fig. 2 shows a signaling interaction diagram of a method for hiding a source station provided by an embodiment of the present disclosure.
  • the method at least includes steps 101 to 114, which are described in detail as follows:
  • Step 101 The management platform generates configuration information corresponding to at least one connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client.
  • the management platform may be a cloud computing platform, such as a private cloud or a public cloud.
  • the configuration information corresponding to the connector client includes at least identification information of the connector client and address information of a connector server corresponding to the connector client.
  • the identification information can be used to identify the connector client, and the identification information can be the IP address, MAC (Media Access Control Address, hardware address) address of the connector client, or an artificially set or automatically generated address that can identify the connector client. End character sequence, etc.
  • the connector client can be a software program for network communication, and the connector client is installed in the source server of groups such as enterprises, institutions or social organizations or in a network capable of communicating with the source server, so that it can be accessed through the connector client.
  • a session connection is established with the connector server, and remote access to the source server is realized through the established session connection, for example, remote access to a target application included in the source server is realized.
  • the connector server may be a server capable of communicating with the connector client, and may establish a session connection with the connector client for transmitting information. It should be understood that the address information of the connector server may include a domain name and/or an IP address, and if it is a domain name, it can be resolved to one or more IP addresses of the connector server according to the domain name. It should be noted that one connector server can communicate with one or more connector clients, which is not specifically limited in this disclosure.
  • the configuration information corresponding to the connector client is first generated on the management platform, and the configuration information can be used as the startup parameter corresponding to the connector client, to enable the connector client after configuring the connector client according to the configuration information.
  • the customer can configure the configuration information corresponding to the connector client by itself.
  • the management platform can support the configuration operation of the customer and receive the configuration information corresponding to the connector client configured by the customer. It is also possible for the customer to provide the relevant configuration information of the connector client to the service provider, and then the service provider configures the corresponding configuration information of the client's connector client on the management platform.
  • the management platform can also automatically generate configuration information corresponding to the connector client. Specifically, the management platform can assign the connector client identification information for identifying the connector client, and according to the entire network system The configuration information of all connector servers included in the schema, assigns the connector server corresponding to the connector client. Wherein, the configuration information of the connector server may include but not limited to the address information of the connector server, the number of associated connector clients, the upper limit of the number of associated connector clients, and the like. After the management platform assigns the identification information and the associated connector server to the connector client, it determines the identification information and the address information of the connector server corresponding to the connector client as the corresponding configuration of the connector client. information.
  • the connector client may be created on the management platform, and the management platform may provide the service provider with an interface for creating the connector client.
  • the connector client can run on a variety of platforms, such as VMware's virtual machine, Docker (application container engine), public cloud cloud host, etc.
  • the service provider uses the interface provided by the management platform to create connector clients running on different platforms.
  • the installation package and configuration information corresponding to the connector client are also generated.
  • the configuration information includes the identification information of the connector client, the address information of the connector server corresponding to the connector client, etc.
  • the address information of the connector server may include the domain name and/or IP address of the connector server.
  • one or more connector clients can be created on the management platform, and the configuration information corresponding to each connector client can include one or more address information of each connector server, so that after installing and starting the connector client in the source server or in a network capable of communicating with the source server, the connector client can communicate with one or more of the system architecture shown in Figure 1.
  • a connector server establishes a session connection.
  • Figure 3 shows the configuration information of a connector client, which includes the identification information of the connector client (taking id as an example): "connector client id: 12345", and the corresponding The domain name "companyA.connector.com” of the connector server.
  • the domain name included in the address information of the connector server will be resolved to at least two IP addresses of the connector server.
  • the connector client can establish session connections with multiple connector servers based on the resolved IP addresses of the multiple connector servers, so that when a certain session connection fails or fails, it can be connected through other session connection for information transfer.
  • the session connections established by the multiple connector servers may be session connections for transmitting the same information. In other words, some of the multiple session connections may be used as primary session connections, and others may be used as secondary session connections. When the main session connection fails, the information transmitted by the secondary session connection can be used for processing to ensure the stability of access.
  • Step 102 The management platform generates application configuration information corresponding to the target application, and the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client.
  • the target application can be the application in the intranet of groups such as enterprises, institutions or social organizations, such as OA system, Web (website), SSH (Secure Shell, secure shell protocol), VNC (Virtual Network Console, virtual network console) ), RDP (Remote Desktop Protocol, Remote Desktop Protocol), internal IAM (Identity and Access Management, identity identification and access management), etc.
  • the target application can also be an application program in the public network.
  • the management platform before accessing the target application, the management platform generates application configuration information corresponding to the target application.
  • the management platform can support user configuration operations. Users determine the target applications that allow remote access according to their own needs, and then configure the application configuration information corresponding to these target applications on the management platform.
  • the management platform can receive and store the applications configured by the user. configuration information, and associate the application configuration information with the corresponding target application.
  • the application configuration information may include at least one of various information such as a return-to-source address, a domain name of a target application, and identification information of a connector client associated with the target application.
  • the back-to-source address may include the IP address of the device where the target application is located, the port number opened to the outside world by the device where the target application is located, and the like.
  • the back-to-source address in the application configuration information corresponding to the target application shown in Figure 3 is 172.16.1.100:443, where 172.16.1.100 is the IP address of the device where the target application is located, that is, the IP address of the source server, and 443 indicates the target application
  • the open port of the device is port 443 (that is, the encrypted web browsing port).
  • the domain name of the target application included in the application configuration information in Figure 3 is "oa.companyA.com”
  • the back-to-source load balancing policy is "polling”
  • the unique identifier of the connector client associated with the target application is "binding connection server client: 12345".
  • the configuration information corresponding to the connector client and the application configuration information corresponding to the target application are generated on the management platform, and the target application is set by setting the identification information of the associated connector client in the application configuration information. Associated with the connector client.
  • the target application and the connector client can be in the same network, for example, both belong to the internal network, both belong to the public network, or belong to the same segment C network, etc.
  • the target application and the connector client can also be in different networks, for example, one in The public network, the other in the internal network, etc., are not specifically limited in this disclosure, as long as the target application and the connector client can communicate.
  • step 103 the management platform sends the configuration information required by the connector client.
  • the connector client may directly download the installation package of the connector client from the management platform, and install the connector client locally on the device that needs to install the connector client according to the downloaded installation package.
  • the device that needs to install the connector client sends an acquisition request to the management platform, and the management platform sends the installation package of the connector client to the device according to the received acquisition request.
  • the device downloads the installation package of the connector client from the management platform, it locally installs the connector client according to the installation package.
  • the device on which the connector client needs to be installed may be the source server, or other devices capable of communicating with the source server.
  • the cloud host of the device that needs to install the connector client can have the connector client pre-installed. Or, it may also be that the device downloads a complete connector client image file from the management platform for installation, and so on.
  • the embodiments of the present disclosure make no special limitation on how to install the connector client.
  • configuration information corresponding to the connector client can be requested from the management platform.
  • the management platform responds to the request and sends configuration information corresponding to the adapter client to the device.
  • the device installs the connector client and obtains the configuration information corresponding to the connector client from the management platform, it uses the configuration information to start the connector client.
  • the device sends a configuration information acquisition request to the management platform, and the configuration information acquisition request may include the identification information of the connector client, and the management platform may send the configuration information of the corresponding connector client to the management platform according to the identification information.
  • the device performs feedback.
  • one or more connector clients may be deployed on the same device.
  • multiple connector clients can be associated with the same target application, and for the same target application, the associated multiple connector clients can be classified as active connections Connector client and backup connector client, so that when the active connector client fails, the backup connector client can be used for communication, improving network stability.
  • the identification information of the multiple connector clients can be used as the identification information of the device.
  • device A contains two connector clients, two connection If the identification information of the device client is 123456 and 234567 respectively, then the identification information of the device A may be two, that is, 123456 and 234567, and so on.
  • one identification information may be configured for the device, and the identification information of the device may have a mapping relationship with the identification information of multiple connector clients.
  • Step 104 The connector client acquires address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client.
  • the connector client acquires address information of at least one connector server corresponding to the connector client from the management platform.
  • the connector client can directly obtain configuration information corresponding to the connector client from the management platform.
  • the connector client can also indirectly obtain configuration information from the management platform through an intermediary, for example, the management platform sends the configuration information corresponding to the connector client to the configuration center, and the connector client then obtains the configuration information from the configuration center .
  • the connector client obtains address information of at least one connector server corresponding to the connector client from the configuration information.
  • the address information includes the IP address and/or domain name of the connector server.
  • the IP address and/or domain name of the connector server may be determined through anycast technology, intelligent resolution technology, and intelligent routing technology.
  • the address information of at least one connector server it can be obtained according to the geographic location of the connector server and the geographic location of the connector client, specifically obtaining the address information of at least one connector server whose geographic location is closest to the connector client .
  • the address information of the connector server may also be acquired according to the geographic location and in combination with at least one of factors such as network quality and network delay. For example, obtain at least one connector server with the best network quality from a certain number of connector servers closest to the connector client, or obtain from a certain number of connector servers closest to the connector client Obtain at least one connector server with the shortest network latency.
  • Step 105 The connector client establishes a session connection with at least one connector server according to the address information of at least one connector server, and the session connection is an outgoing connection from the connector client to the at least one connector server. station connection.
  • the connector client after the connector client is installed and the connector client is running normally, it is necessary to establish a session between at least one connector server corresponding to the connector client through the connector client connect. If the address information of the at least one connector server includes the IP address of the connector server, a session connection between the connector client and the at least one connector server is directly established according to the IP address of the at least one connector server.
  • the connector client sends the domain name resolution request of the at least one connector server to the domain name server.
  • the domain name server performs domain name resolution for each domain name, obtains the IP address corresponding to each domain name, and then sends the IP address corresponding to each domain name to the connector client.
  • the connector client receives the IP address corresponding to each domain name returned by the domain name server, and sends a connection request to the connector server corresponding to each IP address according to each IP address.
  • the connection request includes the identification information of the connector client , to establish and uniquely identify a session connection between the connector client and at least one corresponding connector server.
  • the session connection between the connector client and the connector server can be an encrypted session connection.
  • the connector client sends authentication information to the at least one connector server according to the acquired address information of the at least one connector server. After the authentication information is authenticated by at least one connector server, an encrypted session connection with the at least one connector server is established.
  • the above authentication information may include at least one of the connector client's identification information, certificate, key, encryption token and other information.
  • the authentication information may also include other arbitrary forms to identify the connector client.
  • Other authentication information of the terminal which is not limited in this embodiment of the present disclosure.
  • the authentication information sent by the connector client may include the identification information and the certificate of the connector client.
  • the connector server is also pre-configured with the certificate used to authenticate the connector client. After receiving the authentication information, the connector server compares the certificate included in the authentication information with the certificate stored in itself. If the two certificates are consistent , the authentication passes, otherwise the authentication fails.
  • the encryption protocol adopted for establishing the encrypted session connection may be at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
  • the connector client can also establish a session connection with at least one connector server based on a tunnel protocol, and the adopted tunnel protocol can be one of VPN, GRE or IPsec.
  • the session connection is an outbound connection from the connector client to the at least one connector server, and these session connections are active outbound communication connections of the connector client.
  • the connector client prohibits incoming connections. Specifically, you can configure the firewall of the device where the connector client is installed to prohibit incoming connection requests, so that all incoming requests except the session connections established above can be prohibited through the firewall. . In this way, it can be ensured that incoming information can only be received through the established session connection, and remote access to the target application program can be realized through the established session connection, while other incoming access can be avoided to ensure the security of the target application program.
  • the target application is an intranet application, the security of the intranet can be greatly improved.
  • Step 106 The connector server receives a connection request sent by at least one connector client, and establishes a session connection with the at least one connector client according to the connection request.
  • a connection request is sent to the connector server, and the connection request includes the identification information of the connector client. Since a connector client can establish a session connection with at least one connector server, the connector server can receive a connection request sent by at least one connector client, and establish a connection with this connector according to the identification information included in the received connection request.
  • a session connection between at least one connector client further, the session connection may be a session connection between the connector server and a connector client installed in the source server.
  • the number of connection requests received by the connector server may be multiple, and the connection requests include the identification information of the corresponding connector client.
  • the connector server respectively establishes a session connection with at least one connector client according to the multiple connection requests, and associates the identification information included in each connection request with the corresponding session connection.
  • the connector server stores the identification information included in the connection request and the corresponding session in the mapping relationship between the identification information of the connector client and the session.
  • the mapping relationship between the identification information of the connector client and the session is maintained on the connector server.
  • the connector server with the IP address "1.1.1.1” has established outbound session connections with the three connector clients respectively. Therefore, the mapping relationship maintained on the connector server includes connector client 12345: session 1, connector client 34567: session 2, and connector client 45678: session 3.
  • a connector client can establish a session connection with one or more connector servers, and a connector server can also connect with one or more connector clients, so that a certain connection can be avoided failure of a connector client or a connector server that interrupts remote access.
  • the session connection between the connector client and the connector server is established on port 443 (that is, the encrypted web browsing port), and the connection multiplexing of the application layer is realized on the session connection, and the The back-to-source request is implemented on the loop of the session connection.
  • the connector client can establish persistent session connections with multiple connector servers. For the source server, because the session connection corresponding to the connector client is outbound, the back-to-source access of the target application only depends on the session connection, and does not need to establish any inbound connection.
  • VPC Virtual Private Cloud, virtual private cloud
  • the connector client is created on the management platform and the application configuration information corresponding to the target application is set, and the connector client is installed on the source server and other devices that need to install the connector client, and the connector client and the connector server are established. session connection, and resolve the domain names of all target applications that allow remote access to the IP address of the edge node server, so that these target applications are directly published on the public network. Then the remote terminal can access the target application through the method provided by the embodiment of the present disclosure.
  • Step 107 The edge node server receives the access request for the target application sent by the target terminal, the access request includes the identifier of the target application, and the identifier of the target application includes at least one of domain name, protocol, IP address and port.
  • the edge node server provides functions such as DDoS (Distributed Denial of Service, distributed denial of service) cleaning, cache acceleration, WAF (Web Application Firewall, Web application protection system), load balancing, etc.
  • the edge node server can also be used as an edge security
  • the gateway provides functions such as identity authentication, rights management, and access control. When the target user accesses the target application, he first accesses the edge node server.
  • the target terminal when an employee working at home or on a business trip needs to access a target application in the company's intranet, he can view multiple target applications published by the company on the public network through the target terminal, and select the target application he needs to access. For example, Select by clicking.
  • the target terminal detects that a certain target application is clicked, it obtains the domain name of the clicked target application, and sends a resolution request for the domain name of the target application to the domain name server.
  • the domain name server resolves the domain name of the target application. Since the domain names of all target applications published on the public network have been resolved to the IP address of the edge node server, the domain name server can obtain the corresponding domain name for the current target application.
  • the IP address of the edge node server The domain name server returns the IP address obtained through domain name analysis to the target terminal. According to the IP address, the target terminal sends an access request to the corresponding edge node server, and the access request includes the identification of the target application that the target user needs to access.
  • the edge node server can also record the target user's access behavior log, which can include access time, access object, identity information, etc., and these information can facilitate the security management personnel of the enterprise to User behavior is audited and controlled.
  • Step 108 The edge node server obtains the configuration information of the connector client bound to the target application according to the identification of the target application.
  • the edge node server may obtain the application configuration information corresponding to each target application and the configuration information corresponding to the connector client bound to each target application from the management platform in advance. It should be noted that the edge node server may obtain the information directly from the management platform, or may obtain the information from an intermediary such as a configuration center, which is not specifically limited in this disclosure.
  • the edge node server After the edge node server receives the access request for the target application, it can obtain the identification of the target application included in the access request, determine the corresponding application configuration information according to the identification of the target application, and then determine the corresponding application configuration information according to the application configuration information. Identification information for the connector client associated with this target application. Based on the determined identification information of the connector client, configuration information corresponding to the connector client is determined, where the configuration information at least includes address information of at least one connector server corresponding to the connector client.
  • the edge node server requests or accepts push from the management platform about the application configuration information of the target application.
  • the management platform queries the application configuration information of the target application according to the query request sent by the edge node server and includes the identification of the target application, obtains the identification information of the connector client associated with the target application from the application configuration information, and then according to The identification information obtains the configuration information corresponding to the connector client, and sends the configuration information corresponding to the connector client to the edge node server.
  • Step 109 The edge node server determines the target connector server from each connector server corresponding to the target application based on the third load balancing policy and the acquired configuration information of the connector client.
  • the acquired configuration information of the connector client includes address information of at least one connector server corresponding to the connector client.
  • the edge node server is pre-configured with the third load balancing strategy, and the edge node server determines the target connector service from at least one connector server corresponding to the connector client based on the third load balancing strategy end.
  • the third load balancing strategy may be at least one of hash based on connector server IP, weighted round robin, and active/standby round robin.
  • the third load balancing strategy further needs to select a connector server satisfying a preset health condition from at least one connector server as a target connector server.
  • the preset health condition may include at least one of the network status with the connector server (such as network delay, network connectivity, connection establishment time), the response delay of the connector server (such as the first packet time), and the like.
  • the edge node server can obtain its network status, response delay of the connector server, etc. from the connector server.
  • the address information of the connector server included in the configuration information corresponding to the above-mentioned connector client may include the domain name and/or IP address of the connector server. If the address information is a domain name, the edge node server may use the connector The domain name resolution request of the server is sent to the domain name server for resolution, so that the domain name server returns the IP address of the corresponding connector server.
  • the address information of the connector server can be one or more, for example, there are multiple IP addresses of the connector server, or one or more IP addresses corresponding to the domain name fed back by the domain name server, and so on. Some of the connector servers corresponding to multiple address information can be used as the main connector server, and others can be used as the backup connector servers.
  • the edge node server After the edge node server obtains the IP address of each connector server corresponding to the target application, it establishes a communication connection with each connector server according to the obtained IP address, and obtains the IP address of each connector based on the communication connection. The network status of the server, the response delay of the connector server, etc. Then, according to the obtained information such as the network status and the response delay of the connector server, a connector server satisfying a preset health condition is selected from at least one connector server as the target connector server.
  • the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
  • the edge node server Before determining the target connector server, the edge node server first needs to obtain the system status information of each connector server corresponding to the target application, the system status information includes the load of the connector server, CPU usage percentage, memory usage percentage , disk IO, and network IO at least one.
  • the edge node server can directly obtain its system status information from the connector server. Specifically, after obtaining the IP address of each connector server corresponding to the target application, the edge node server establishes a communication connection with each connector server according to the obtained IP address. Then obtain the system state information of each connector server from each connector server respectively.
  • the edge node server may obtain the system state information of each connector server corresponding to the target application from the management platform.
  • each connector server can periodically report its own system status information to the management platform.
  • the management platform receives and stores the system status information of each connector server.
  • the management platform can also display system status information for each connector server.
  • the management platform can perform fault analysis and status analysis on each connector server according to the system status information of each connector server, and then display the system status information and analysis results of each connector server.
  • the edge node server when the edge node server receives the access request for the target application sent by the target terminal, it obtains the current system status information of each connector server corresponding to the target application from the management platform.
  • edge node server After the edge node server obtains the system status information of each connector server corresponding to the target application through any of the above methods, based on the third load balancing strategy, determine the connections that meet the preset health conditions from each connector server server server as the target connector server corresponding to the current access request.
  • the edge node server may select randomly or sequentially from them to determine a target connector server. As shown in Figure 5, assume that the edge node server determines the connector servers 1 and 2 corresponding to the target application, and then the edge node server performs load balancing and health checks on the connector servers 1 and 2 in the above-mentioned way, so that the connection Select a connector server that satisfies the preset health conditions from server servers 1 and 2 as the target connector server.
  • the edge node server can also determine at least two target connector servers, and send the access request to one of them. If the connector server fails and is unavailable, the access request is sent through another connector server This access request ensures the stability of access.
  • Step 110 The edge node server forwards the access request to the target connector server according to the address information of the target connector server.
  • the edge node server directly forwards the access request to the target connector server according to the IP address. If the address information only includes the domain name of the target connector server, the edge node server sends the domain name resolution request of the target connector server to the domain name server.
  • the domain name server performs domain name analysis on the domain name sent by the edge node server, obtains the IP address of each target connector server, forms an IP list for each IP address obtained, and returns the IP list to the edge node server. Contains the IP addresses of one or more target connector servers.
  • the edge node server receives the IP list returned by the domain name server, and selects an IP address from the IP list. Specifically, if the IP list includes only one IP address, the IP address is directly selected. If the IP list includes multiple IP addresses, an IP address of the active target connector server is selected from the multiple IP addresses. The edge node server establishes a communication connection between the target connector server corresponding to the selected IP address according to the selected IP address, and then sends the access request to the target connector server.
  • the edge node server may also perform two-way authentication with the target connector server to further ensure the security of the target application access. For example, the edge node server sends its own first certificate to the target connector server. The target connector server receives the first certificate of the edge node server, and verifies the first certificate, and verifies whether the first certificate is issued by a trusted CA center. The server returns a warning message, warning the edge node server that the first certificate is not trustworthy. After the verification is passed, the target connector server can compare the information in the certificate, such as the domain name and public key. If the domain name or public key conforms to the preset information transmission rules, the legal identity of the edge node server is recognized.
  • the edge node server sends its own first certificate to the target connector server.
  • the target connector server receives the first certificate of the edge node server, and verifies the first certificate, and verifies whether the first certificate is issued by a trusted CA center. The server returns a warning message, warning the edge node server that the first certificate is not trustworthy.
  • the target connector server can
  • the edge node server can also ask the target connector server to send its own second certificate. After receiving the second certificate, the edge node server can verify the second certificate. If it fails to pass the verification, it will refuse the connection. If verified, information can be transmitted between the two.
  • the two-way authentication is carried out between the edge node server and the target connector server through the above method.
  • the edge node server will not send the access request to For the target connector server, the security of intranet access is greatly improved.
  • the edge node server may first encrypt the access request, and send the encrypted data to the target connector server, so as to improve the security of data transmission.
  • Step 111 The connector server receives the access request for the target application forwarded by the edge node server, and determines the target connector client corresponding to the target application from at least one connector client based on the second load balancing strategy.
  • the connector server is a transit medium, which can realize the connection between the edge node server and the target application. Further, when the target application is located in the intranet, it can realize the connection between the edge node server and the intranet application get through. After the connector server starts, it waits for the connection between the edge node server and the connector client and forwards the access request from the edge node server.
  • the connector server After receiving the access request from the target terminal to the target application forwarded by the edge node server, the connector server determines each connector client associated with the target application from at least one connector client establishing a session connection.
  • the connector server determines all connector clients associated with the target application. Specifically, the identifier of the target application included in the access request is sent to the management platform.
  • the management platform obtains the application configuration information of the target application according to the identification of the target application, and queries the identification information of the connector client associated with the target application from the application configuration information.
  • the management platform sends the identification information of the connector client associated with the target application to the connector server.
  • the connector server receives identification information of a connector client associated with the target application.
  • the edge node server may also obtain the application configuration information of the target application from the management platform, and the edge node server forwards the access request and the application configuration information to the connector server.
  • the connector server can locally obtain the identification information of the connector client associated with the target application from the application configuration information.
  • the connector server After the connector server obtains the identification information of the connector client associated with the target application through any of the above methods, it establishes a session with the connector server according to the mapping relationship between the identification information of the connector client and the session stored locally. Each of the connected at least one connector client is determined to be associated with the target application.
  • the second load balancing strategy is pre-configured in the connector server. After the connector server obtains the identification information of the connector client The policy and the identification information of the connector client that has established the session connection and is associated with the target application determine the target connector client.
  • the second load balancing strategy may be at least one of hash based on connector client IP, weighted round robin, and active/standby round robin.
  • the second load balancing strategy also needs to select a connector client satisfying a preset health condition from at least one connector client as a target connector client.
  • the preset health condition may include at least one of the network status with the connector client (such as network delay, network connectivity, connection establishment time), the response delay of the connector client (such as the first packet time), and the like.
  • the connector server After the connector server obtains the identification information of the connector client that has established a session connection and is associated with the target application, it obtains the network status and response delay of each connector client through the session connection with each connector client and other information. Then select a connector client satisfying a preset health condition as a target connector client from at least one connector client according to the obtained network status, response delay and other information.
  • the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
  • the connector server Before determining the target connector client, the connector server first needs to obtain the status information of each connector client associated with the target application, the status information includes the heartbeat information, load, CPU usage percentage, At least one of memory usage percentage, disk IO, and network IO.
  • the connector server can directly obtain its status information from the connector client. After the connector server obtains the identification information of the connector clients that have established the session connection and are associated with the target application, they obtain the status information of each connector client through the session connection with each connector client.
  • each connector client may periodically report its own status information to the management platform via at least one connector server that establishes a session connection with itself.
  • the management platform receives and displays the status information of each connector client, so as to facilitate intuitive understanding of various operating statuses of the connector client.
  • the management platform can perform fault analysis and status analysis on each connector client based on the status information of each connector client. For example, based on the heartbeat information included in the status information of the connector client, it can be analyzed whether the connector client is normal. run. After the analysis results are obtained through analysis, the status information of each connector client and the corresponding analysis results are displayed.
  • the connector client reports status information to the management platform via the connector server that establishes a session connection with it.
  • the management platform performs data analysis based on the information reported by the connector client, and can display the connector in the form of a data report.
  • the client's status information, analysis results, etc. can also be monitored and alarmed when it is determined that the connector client is abnormal.
  • the connector server may store the correspondence between the identification information of each connector client and the status information. After the connector server obtains the identification information of the connector client associated with the target application, it may directly obtain the state information of the connector client associated with the target application from the locally stored correspondence.
  • the connector server may not store the correspondence between the identification information of the connector client and the status information. Instead, after obtaining the identification information of the connector client associated with the target application, the state of the connector client associated with the target application is obtained from the management platform according to the identification information of the connector client associated with the target application information.
  • the connector server After the connector server obtains the status information of each connector client that has established a session connection and corresponds to the target application through any of the above methods, based on the second load balancing strategy, determine from each connector client that meets the predetermined requirements. Set the connector client with the health condition as the target connector client corresponding to the current access request.
  • the number of target connector clients determined by the connector server may be one or more.
  • the number of target connector clients is multiple, that is, any number of two or more than two, one of the target connector clients can be used as the main target connector client, and the other ones are secondary The target connector client, so that when the primary target connector client fails or fails, the target application can be accessed through the secondary target connector client.
  • target application associated with the primary target connector client and the secondary target connector client should be the same, or the target application associated with the primary target connector client is included in the secondary target connector client Among the associated target applications, or between the primary target connector client and the secondary target connector client, there are partly the same associated target applications, and so on.
  • connector clients 1 and 2 are deployed in the source server, and both connector clients 1 and 2 are associated with the same source server.
  • the connector client 1 establishes session connections with the connector servers 1 and 2 respectively, and the session connections are established based on the tunneling protocol.
  • the session connection between connector client 1 and connector server 1 is the primary tunnel 1
  • the session connection between connector client 1 and connector server 2 is the backup tunnel 1.
  • the session connection between the connector client 2 and the connector server 1 is the primary tunnel 2
  • the session connection between the connector client 2 and the connector server 2 is the backup tunnel 2.
  • the edge node server selects connector server 1 as the target connector server through load balancing and health checks, and sends an access request for the target application to connector server 1.
  • the connector server 1 performs load balancing and health checks on the connector clients 1 and 2 according to the above method, so as to select a connector client that meets the preset health conditions as the target connection among the connector clients 1 and 2 server client. Assuming that the connector server 1 selects the connector client 2 as the target connector client, the connector server 1 sends the access request to the connector client 2 through the standby tunnel 2 . Then the connector client 2 sends the access request to the corresponding target application in the source server.
  • Step 112 The connector server forwards the access request to the target connector client according to the session connection corresponding to the target connector client.
  • the connector server obtains the target connector client from the locally stored mapping relationship between the identifier information of the connector client and the session according to the determined identification information of the target connector client.
  • the access request is forwarded to the target connector client through the session connection corresponding to the target connector client.
  • the connector server may also forward the access request to the target connector client in a polling manner.
  • a preset polling rule is configured in the connector server, and the preset polling rule specifies the polling sequence of each target connector client associated with the target application. Select one target connector client per target connector client associated. According to the identification information of the selected target connector client, obtain the session connection corresponding to the selected target connector client from the mapping relationship between the identification information and the session, and forward the access request to the target connector client through the obtained session connection .
  • the target terminal sends an access request to the edge node server, and the access request includes the domain name "oa.companyA.com" of the target application to be accessed.
  • the edge node server obtains the application configuration information corresponding to the domain name "oa.companyA.com” from the management platform.
  • the identifier of the connector client bound in the application configuration information is "12345", and also obtains the connector from the management platform. Configuration information of client 12345.
  • the edge node server After the edge node server obtains the application configuration information and the configuration information corresponding to the connector client, it sends a resolution request for the domain name "companyA.connector.com” of the connector server included in the configuration information corresponding to the connector client to the domain name server, and receives The resolved IP address "1.1.1.1” of the connector server returned by the domain name server, the edge node server establishes a communication connection with the connector server based on the IP address "1.1.1.1", and sends the access request and application configuration The information is sent to the connector server.
  • the connector server with the IP address "1.1.1.1” obtains the session connection corresponding to the connector client from the pre-stored mapping relationship according to the identifier "12345" of the connector client included in the application configuration information, and connects through the session The access request is sent to the connector client 12345 in Enterprise A's network.
  • Step 113 Based on the session connection between the connector client and the connector server, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy, multiple Determine the target source server in the source server, and send the access request to the target application in the target source server.
  • the connector client may be configured with a mapping relationship between the domain name of each target application associated with it and the return-to-origin address.
  • the management platform may send the back-to-source address or application configuration information of each target application to the connector client.
  • the connector server obtains the application configuration information corresponding to the target application from the management platform or the edge node server, the application configuration information includes the return-to-source address corresponding to the target application, and the connector server forwards the access request to The application configuration information may also be sent to the connector client when connecting the connector client.
  • the connector client If the connector client receives an access request for the target application sent by the connector server through the session connection between the two, the connector client will locally query the target application's domain name according to the domain name of the target application included in the access request. Back to source address. Each source-back address found in the query is the address of each source server corresponding to the target application.
  • the connector client is pre-configured with the first load balancing policy. After the connector client obtains the return-to-origin address of each source server corresponding to the target The origin-return address of the target source server is determined from the origin-return address of the source server.
  • the first load balancing strategy may be at least one of source server IP-based hashing, weighted round robin, and active/standby round robin.
  • the first load balancing strategy also needs to select a source server satisfying a preset health condition from at least one source server as a target source server.
  • the preset health condition may include at least one of network status with the source server (such as network delay, network connectivity, connection establishment time), response delay of the source server (such as first packet time), and the like.
  • the connector client establishes a communication connection with each source server according to the back-to-source address of each source server, and obtains information such as the network status and response delay of each source server based on the established communication connection. Afterwards, based on the first load balancing policy and information such as the network status and response delay of each source server, a source server satisfying a preset health condition is determined from each source server as a target source server. Then the connector client sends the access request to the target application in the target source server according to the back-source address of the target source server.
  • the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
  • the connector client Before determining the target source server, the connector client first needs to obtain the system status information of each source server, the system status information includes the source server load, CPU usage percentage, memory usage percentage, disk IO, network IO one.
  • the connector client obtains the system status information of each source server from each source server respectively according to the return-to-source address of each source server. Then, based on the first load balancing policy and the system state information of each source server, determine the source server satisfying the preset health condition from each source server as the target source server. Then the connector client sends the access request to the target application in the target source server according to the back-source address of the target source server.
  • the connector client is associated with the source server 1, 2 and 3 respectively, assuming that the source server 1, 2 and 3 all include the target application corresponding to the current access request, then the connector client according to the first load Balance strategy, select a source server from source servers 1, 2 and 3 as the target source server, assuming that the selected target source server is source server 2, then send the access request to source server 2.
  • Step 114 The connector client sends the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
  • the target application generates request response information according to the feedback of the access request, and sends the request response information to the connector client.
  • the connector client sends the request response information to the connector server through the session connection between itself and the connector server.
  • the connector server sends the request response information to the edge node server, and the edge node server sends the request response information to the target terminal.
  • the transmission protocol of the session connection between the connector client and the connector server may be an encrypted transmission protocol
  • the data between the connector client and the connector server are all encrypted transmissions to ensure Data security during transmission.
  • multiple connector clients may be associated with the same target application, and for the same target application, the associated multiple connector clients may include the active connector client and the standby connection
  • the active connector client fails, it can receive the target terminal’s access request to the target application through the session connection corresponding to the standby connector client, or send the target application’s access request to the target application through the session connection corresponding to the standby connector client.
  • a source server can also include multiple connector clients, which are divided into primary connector clients and secondary connector clients. After the primary connector client fails or the load limit is reached, the secondary connector client performs data transmission. .
  • the source server can also send its own health status information to the management platform every preset time period (such as 2min, 0.5h or 1h, etc.), and the management platform can judge whether the source server is abnormal according to the health status information of the source server. If there is an abnormality, an alarm message will be sent to the management personnel in time.
  • preset time period such as 2min, 0.5h or 1h, etc.
  • the remote user sends an access request to the edge node server, and the access request includes the identification of the target application.
  • the edge node server acquires the application configuration information of the target application to be accessed and the configuration information corresponding to the connector client associated with the target application from the management platform.
  • the edge node server sends the domain name resolution request of the domain name of the connector server included in the configuration information corresponding to the connector client to the domain name server, and sends the access request and application configuration information to the link server according to the IP address of the connector server returned by the domain name server. in the server server.
  • the domain name "companyA.connector.com” corresponds to the connector server with the IP address "1.1.1.1”.
  • the edge node server may send the access request and application configuration information to the connector server with the IP address "1.1.1.1”.
  • the connector server then sends the access request to the target application in enterprise A through the session connection with the connector client 12345 .
  • the session connection between the connector client and the connector server is established through setting the connector client, and the session connection is an outbound connection between the connector client and the connector server.
  • the user accesses the target application, he first visits the edge node server, and the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • Some other embodiments of the present disclosure provide a method for hiding an origin site, and the method is applied to a connector client. Referring to Figure 9, the method specifically includes the following steps:
  • Step 201 The connector client acquires address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client.
  • the connector client is deployed in any network that can communicate with the target application, and one or more connector clients are deployed in the network where the connector client is deployed.
  • the connector client receives configuration information corresponding to the connector client sent by the management platform.
  • the connector client can obtain configuration information directly from the management platform.
  • the connector client can also indirectly obtain configuration information from the management platform through an intermediary.
  • the management platform sends the configuration information corresponding to the Get that configuration information.
  • the connector client obtains the configuration information, it obtains address information of at least one connector server corresponding to the connector client from the configuration information.
  • the address information includes the IP address and/or domain name of the connector server.
  • Step 202 The connector client establishes a session connection with at least one connector server according to the address information of the at least one connector server, and the session connection is an outbound connection from the connector client to the at least one connector server.
  • the address information of the connector server is a domain name and/or an IP address determined by anycast technology, intelligent resolution technology, and intelligent routing technology. If the address information of the connector server only includes an IP address, the connector client establishes a session connection with the at least one connector server according to the IP address of the at least one connector server. If the address information of the connector server only includes the domain name of the connector server, the connector client sends the at least one domain name of the connector server to the domain name server; receives the IP address corresponding to each domain name returned by the domain name server; according to each The IP addresses respectively send connection requests to one or more connector servers, and the connection requests include identification information of the connector clients, so as to establish session connections between the connector clients and one or more connector servers.
  • the session connection is an outbound connection between the connector client and the connector server, which is an active outgoing communication connection of the connector client, and the connector client prohibits any incoming connection requests , so as to avoid malicious attacks from others and ensure the security of the target application.
  • prohibiting incoming connection requests may be configured in the firewall corresponding to the connector client, so that all incoming requests except the session connection established above can be prohibited through the firewall.
  • the transmission protocol of the session connection is an encrypted transmission protocol, that is, the data transmitted through the session connection is encrypted and then transmitted in ciphertext, so as to improve the security of data transmission.
  • the connector client can also send authentication information to at least one connector server according to the address information of at least one connector server; after the authentication information is authenticated by at least one connector server, establish an Encrypted session connections between .
  • the session protocol type of the encrypted session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
  • the session connection may also be established based on a tunnel protocol, where the tunnel protocol is one of VPN, GRE, or IPsec.
  • Step 203 Based on the established session connection, if the connector client receives an access request for the target application forwarded by the connector server, it determines the target application from multiple source servers corresponding to the target application based on the first load balancing strategy. The source server sends the access request to the target application in the target source server.
  • Step 204 The connector client sends the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
  • the connector clients may include a primary connector client and a secondary connector client, and the secondary connector client is used when the primary connector client fails.
  • Multiple connector clients can be deployed on the source server.
  • the multiple connector clients include the active connector client and the backup connector client.
  • the active connector client and the backup connector client are the same as the target application Association; when the active connector client fails, the access request of the target terminal to the target application is received through the session connection corresponding to the backup connector client.
  • the connector client can also periodically report the status information of the connector client to the management platform via at least one connector server, and the status information includes at least one of heartbeat information and system status information.
  • the connector client establishes an outbound session connection with the connector server, and the access request for the target application is sent to the connector client through the session connection, and the connector client sends the The request is forwarded to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • Some embodiments of the present disclosure provide a method for hiding the origin site, which is applied to the connector server, see FIG. 10 , and the method specifically includes the following steps:
  • Step 301 The connector server receives a connection request sent by at least one connector client.
  • connection requests there may be multiple connection requests, and the connection requests include identification information of corresponding connector clients.
  • Step 302 The connector server establishes a session connection with at least one connector client according to the connection request, and the session connection is an outbound connection from the at least one connector client to the connector server.
  • the connector server respectively establishes a session connection with at least one connector client according to multiple connection requests, and associates the identification information of each connector client with the corresponding session connection.
  • Step 303 The connector server receives the access request for the target application forwarded by the edge node server, and determines the target connector client corresponding to the target application from at least one connector client based on the second load balancing strategy.
  • Step 304 The connector server forwards the access request to the target connector client according to the session connection corresponding to the target connector client.
  • the connector server forwards the access request to each target connector client according to the session connection associated with the identification information of the multiple target connector clients.
  • the connector server extracts the identification information of each connector client associated with the target application from the application configuration information; according to the identification information of each connector client, each connector client is obtained from the mapping relationship Corresponding session connection; Obtain the status information of each connector client through the corresponding session connection of each connector client or from the management platform; according to the status information of each connector server, based on the second load balancing strategy, from each Select a target connector client that satisfies the preset health conditions from the connector clients, and forward the access request to the target connector client through the session connection corresponding to the selected target connector client.
  • the connector server may also use a polling mechanism to forward the access request. Specifically, extract the identification information of each connector client associated with the target application from the application configuration information; select a target connector client from each connector client according to a preset polling rule; The identification information of the target connector client obtains the session connection corresponding to the selected target connector client from the mapping relationship; forwards the access request to the target connector client through the obtained session connection.
  • the connector server establishes an outbound session connection with the connector client, and the connector server sends an access request for the target application to the connector client through the session connection, and the connection
  • the server client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • Some embodiments of the present disclosure provide a method of hiding the origin site, which is applied to an edge node server, see FIG. 11 , and the method specifically includes the following steps:
  • Step 401 The edge node server receives an access request for a target application sent by a target terminal.
  • the access request includes an identifier of the target application, and the identifier of the target application includes at least one of domain name, protocol, IP address and port.
  • Step 402 The edge node server acquires configuration information of a connector client bound to the target application according to the target application identifier, the configuration information at least including address information of at least one connector server corresponding to the connector client.
  • Step 403 The edge node server determines the target connector server from each connector server corresponding to the target application based on the third load balancing policy and the acquired configuration information of the connector client.
  • Step 404 The edge node server forwards the access request to the target connector server according to the address information of the target connector server.
  • edge node server For the specific operation details of the edge node server, reference may be made to the operation of the edge node server in any of the foregoing embodiments, which will not be repeated here.
  • the edge node server forwards the access request and application configuration information to the connector server, and the connector server forwards the access request to the connector client through an outbound session connection with the connector client end, the connector client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
  • Some embodiments of the present disclosure provide a method of hiding the origin site, which is applied to the management platform, see Figure 12, the method specifically includes the following steps:
  • Step 501 The management platform generates configuration information corresponding to the connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client.
  • Step 502 The management platform generates application configuration information corresponding to the target application.
  • the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client.
  • Step 503 the management platform sends the configuration information required by the connector client.
  • Step 504 The management platform sends the application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application.
  • Step 505 The management platform receives and displays the status information of the connector client periodically reported by the connector client via its corresponding connector server.
  • the status information includes at least one of heartbeat information and system resource usage.
  • the configuration information of the connector client and the application configuration information of the target application are generated in the management platform, and the target application is associated with the connector client. And send the configuration information of the connector client to the connector client through the management platform.
  • the application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application are sent. Receive and display the status information of the connector client, and realize the status monitoring and alarm of the connector client.
  • remote terminals can access the target application, and only need to block all incoming connections on the target source server without maintaining complex security Strategy. It can prevent other servers from actively sending information to the target application or establishing a connection, reducing the risk of malicious attacks and ensuring the security of the target application.
  • An embodiment of the present disclosure provides a system for hiding source sites, as shown in FIG. 1 , the system includes: an edge node server, a connector server, a management platform, and a connector client;
  • the management platform is used to generate the application configuration information of the target application, and generate the configuration information corresponding to the connector client; send the configuration information of the connector client; send the application configuration information of the target application required by the edge node server and related to the target application
  • the configuration information of the connected connector client receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information includes at least one of heartbeat information and system resource usage one;
  • the edge node server is configured to receive the access request for the target application sent by the target terminal; and send the access request to the corresponding connector server according to the identification of the target application included in the access request;
  • the connector server is used to receive the access request sent by the edge node server; forward the access request to the corresponding connector client according to the previously established session connection with the connector client;
  • the connector client is used to receive the access request sent by the connector server, and forward the access request to the corresponding target application.
  • a session connection is an outbound connection from a connector client to a connector server.
  • the system for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by its stored application program .
  • An embodiment of the present disclosure also provides an apparatus for hiding an origin site, which is configured to perform operations of a connector client in the method for hiding an origin site provided in any of the above embodiments.
  • the device includes:
  • the configuration acquiring module 601 is configured to acquire address information of at least one connector server corresponding to the connector client, where the address information is the address information of at least one connector server closest to the connector client;
  • a session establishment module 602 configured to establish a session connection with at least one connector server according to the address information of at least one connector server, where the session connection is an outbound connection from a connector client to at least one connector server;
  • the source server determination module 603 is configured to determine the target source from multiple source servers corresponding to the target application based on the session connection, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy server;
  • the first sending module 604 is configured to send the access request to the target application in the target source server; send the received request response information to the connector server, and the request response information is sent by the target application in the target source server according to the access request Give feedback.
  • the address information is a domain name and/or IP address determined by one of anycast technology, intelligent resolution technology, and intelligent routing technology, and establishes a session module 602, which is used to send at least one connector server to the domain name server if the address information is a domain name Domain name resolution request; receive the IP address corresponding to the domain name of at least one connector server sent by the domain name server; send a connection request to at least one connector server respectively according to each IP address, so as to establish a connector client and at least one connector Session connections between servers.
  • the configuration obtaining module 601 is configured to receive configuration information corresponding to the connector client sent by the management platform; obtain address information of at least one connector server corresponding to the connector client from the configuration information.
  • the session protocol type of the session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
  • the session establishment module 602 is configured to establish a session connection based on a tunnel protocol, and the tunnel protocol is one of VPN, GRE or IPsec.
  • the connector client is deployed in any network that can communicate with the target application, and one or more connector clients are deployed in the network where the connector client is deployed.
  • the device also includes: an information reporting module, configured to periodically report the status information of the connector client to the management platform via at least one connector server, where the status information includes at least one of heartbeat information and system status information.
  • the device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
  • An embodiment of the present disclosure also provides a device for hiding an origin site, which is used to perform the operations of the connector server in the method for hiding an origin site provided in any one of the above embodiments.
  • the device includes:
  • the receiving module 703 is also configured to receive the access request for the target application forwarded by the edge node server;
  • a connector client determining module 704 configured to determine a target connector client corresponding to the target application from at least one connector client based on a second load balancing strategy;
  • the second sending module 705 is configured to forward the access request to the target connector client according to the session connection corresponding to the target connector client.
  • connection request contains the identification information of the corresponding connector client
  • the session establishment module 702 is configured to respectively establish a session connection with at least one connector client according to multiple connection requests, and store a mapping relationship between each identification information and a corresponding session connection.
  • a connector client determination module 704 configured to determine each connector client associated with the target application from at least one connector client establishing a session connection; based on the second load balancing strategy, each determined connection Determine the target connector client in Connector Client.
  • the device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
  • An embodiment of the present disclosure also provides an apparatus for hiding an origin station, which is configured to perform operations of the edge node server in the method for hiding an origin station provided in any one of the above embodiments.
  • the device includes:
  • the receiving module 801 is configured to receive an access request for a target application sent by a target terminal, where the access request includes an identification of the target application, and the identification of the target application includes one or more of domain name, protocol, IP address, and port;
  • the configuration acquiring module 802 is configured to acquire configuration information of a connector client bound to the target application according to the identifier of the target application, where the configuration information includes at least address information of at least one connector server corresponding to the connector client;
  • the connector server determination module 803 is configured to determine the target connector server from each connector server corresponding to the target application according to the configuration information and the third load balancing strategy;
  • the third sending module 804 is configured to forward the access request to the target connector server according to the address information of the target connector server.
  • the device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
  • An embodiment of the present disclosure also provides an apparatus for hiding an origin site, which is used to perform the operations of the management platform in the method for hiding an origin site provided in any of the above embodiments.
  • the device includes:
  • the configuration generation module 901 is configured to generate configuration information corresponding to at least one connector client, the configuration information at least includes the identification information of the connector client and the address information of the connector server corresponding to the connector client; generates an application corresponding to the target application Configuration information, the application configuration information includes at least one of the domain name of the target application, the back-to-source address, and the identification information of the associated connector client;
  • the configuration sending module 902 is configured to send the configuration information required by the connector client; send the application configuration information of the target application required by the edge node server and the connector client configuration information associated with the target application;
  • the status information receiving module 903 is configured to receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least includes at least one of heartbeat information and system resource usage .
  • the device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
  • Embodiments of the present disclosure also provide an electronic device to implement the above method for hiding an origin site.
  • FIG. 17 shows a schematic diagram of an electronic device provided by some embodiments of the present disclosure.
  • the electronic device 10 includes: a processor 1000, a memory 1001, a bus 1002 and a communication interface 1003, the processor 1000, the communication interface 1003 and the memory 1001 are connected through the bus 1002; A computer program running on the processor 1000, when the processor 1000 runs the computer program, executes the method for hiding an origin site provided in any one of the foregoing implementations of the present disclosure.
  • the memory 1001 may include a high-speed random access memory (RAM: Random Access Memory), and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • RAM Random Access Memory
  • non-volatile memory such as at least one disk memory.
  • the communication connection between the system network element and at least one other network element is realized through at least one communication interface 1003 (which may be wired or wireless), and Internet, wide area network, local network, metropolitan area network, etc. can be used.
  • the bus 1002 may be an ISA bus, a PCI bus or an EISA bus, etc.
  • the bus can be divided into address bus, data bus, control bus and so on.
  • the memory 1001 is used to store a program, and the processor 1000 executes the program after receiving an execution instruction, and the method for hiding the source site disclosed in any implementation manner of the aforementioned embodiments of the present disclosure can be applied to the processor 1000 in, or implemented by the processor 1000.
  • the processor 1000 may be an integrated circuit chip with signal processing capability.
  • each step of the above method may be implemented by an integrated logic circuit of hardware in the processor 1000 or instructions in the form of software.
  • the above-mentioned processor 1000 can be a general-purpose processor, including a central processing unit (Central Processing Unit, referred to as CPU), a network processor (Network Processor, referred to as NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), off-the-shelf programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
  • DSP digital signal processor
  • ASIC application-specific integrated circuit
  • FPGA off-the-shelf programmable gate array
  • Various methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure may be implemented or executed.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the methods disclosed in the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory 1001, and the processor 1000 reads the information in the memory 1001, and completes the steps of the above method in combination with its hardware.
  • the electronic device provided by the embodiment of the present disclosure is based on the same inventive concept as the method for hiding the source station provided by the embodiment of the present disclosure, and has the same beneficial effect as the method adopted, operated or realized.
  • the embodiment of the present disclosure also provides a computer-readable storage medium corresponding to the method for hiding the origin site provided in the foregoing embodiment.
  • a computer program that is, a program product.
  • the computer program When the computer program is run by a processor, it will execute the method for hiding the source site provided in any of the foregoing implementation manners.
  • examples of the computer-readable storage medium may also include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random Access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other optical and magnetic storage media will not be repeated here.
  • PRAM phase change memory
  • SRAM static random access memory
  • DRAM dynamic random access memory
  • RAM random Access memory
  • ROM read only memory
  • EEPROM electrically erasable programmable read only memory
  • flash memory or other optical and magnetic storage media will not be repeated here.
  • the computer-readable storage medium provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run or implemented by the stored application program .
  • the session connection between the connector client and the connector server is established through setting the connector client, the session connection is an outbound connection between the connector client and the connector server, and the user accesses the target application
  • the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application.
  • This method only needs to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided in the present application are a method, system and apparatus for hiding a source station, and a device and a storage medium. The method comprises: acquiring address information of at least one connector server side corresponding to a connector client; according to the acquired address information, the connector client establishing a session connection with the at least one connector server side, wherein the session connection is an outbound connection from the connector client to the at least one connector server side; and if the connector server side receives an access request for a target application that is forwarded by an edge node server, sending the access request to the connector client on the basis of the session connection with the connector client, and then the connector client forwarding the access request to the target application, and sending, via the connector server side and to the edge node server, received request response information that is fed back by the target application.

Description

一种隐藏源站的方法、系统、装置、设备及存储介质A method, system, device, equipment and storage medium for hiding source sites
本公开基于2021年08月20日提交中国专利局,申请号为202110962434.X,发明名称为“隐藏源站的方法、系统、装置、设备及存储介质”的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此引入本公开作为参考。This disclosure is based on the Chinese patent application submitted to the China Patent Office on August 20, 2021, with the application number 202110962434. The priority of the patent application, the entire content of the Chinese patent application is hereby incorporated by reference into this disclosure.
技术领域technical field
本公开涉及但不限于一种隐藏源站的方法、系统、装置、设备及存储介质。The present disclosure relates to but is not limited to a method, system, device, equipment and storage medium for hiding a source site.
背景技术Background technique
因特网是一个开放的世界,我们之所以能访问互联网上的内容,原因在于这些内容暴露于因特网上。然而互联网上有很多的安全威胁(如面临黑客的各类扫描、攻击等),因此将服务和应用暴露于因特网可能不安全。因为互联网上的任何应用程序都可能成为被攻击的目标,所以客户往往试图隐藏应用程序所属的源服务器,以保证源服务器的安全。The Internet is an open world, and we can access content on the Internet because it is exposed on the Internet. However, there are many security threats on the Internet (such as various scans and attacks from hackers), so it may not be safe to expose services and applications to the Internet. Because any application on the Internet may become a target of attacks, customers often try to hide the source server to which the application belongs to ensure the security of the source server.
当前越来越多的互联网应用使用各类代理(如CDN、云WAF、或其他类型的四层或七层安全代理),客户访问的是代理节点,无法直接访问源站,源站得到了一定程度的隐藏。为了防止黑客获取到源站地址进而绕过代理进行攻击,在源站上一般设置代理节点IP列表为白名单并阻断其他IP的访问。但是维护这类安全策略需要维护代理IP列表,过程繁琐且效率低下。At present, more and more Internet applications use various proxies (such as CDN, cloud WAF, or other types of four-layer or seven-layer security proxies). Customers access proxy nodes and cannot directly access the source site. degree of concealment. In order to prevent hackers from obtaining the source site address and then bypassing the proxy to attack, the proxy node IP list is generally set on the source site as a white list and access to other IPs is blocked. However, maintaining such a security policy requires maintaining a proxy IP list, which is cumbersome and inefficient.
发明内容Contents of the invention
本公开提出一种隐藏源站的方法、系统、装置、设备及存储介质,实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。The present disclosure proposes a method, system, device, device and storage medium for hiding a source server, so that all inbound connections only need to be blocked on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开第一方面实施例提出了一种隐藏源站的方法,应用于连接器客户端,所述连接器客户端与至少一个目标应用相关联,包括:The embodiment of the first aspect of the present disclosure proposes a method for hiding a source site, which is applied to a connector client, and the connector client is associated with at least one target application, including:
获取与所述连接器客户端对应的至少一个连接器服务端的地址信息,所述地址信息为离所述连接器客户端最近的至少一个连接器服务端的地址信息;Obtain address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client;
根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,所述会话连接为由所述连接器客户端至所述至少一个连接器服务端的出站连接;Establish a session connection with the at least one connector server according to the address information of the at least one connector server, the session connection is an outgoing connection from the connector client to the at least one connector server station connection;
基于所述会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从所述目标应用对应的多个源服务器中确定目标源服务器,将所述访问请求发送至所述目标源服务器中的所述目标应用;Based on the session connection, if an access request for the target application forwarded by the connector server is received, based on the first load balancing policy, the target source server is determined from the multiple source servers corresponding to the target application, and the sending the access request to the target application in the target source server;
将接收到的请求响应信息向所述连接器服务端进行发送,所述请求响应信息由所述目标源服务器中的所述目标应用根据所述访问请求进行反馈。Send the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
本公开第二方面的实施例提供了一种隐藏源站的方法,应用于连接器服务端,包括:The embodiment of the second aspect of the present disclosure provides a method for hiding the source site, which is applied to the connector server, including:
接收由至少一个连接器客户端发送的连接请求;receiving a connection request sent by at least one connector client;
根据所述连接请求,建立与所述至少一个连接器客户端之间的会话连接,所述会话连接为由所述至少一个连接器客户端至所述连接器服务端的出站连接;Establishing a session connection with the at least one connector client according to the connection request, where the session connection is an outbound connection from the at least one connector client to the connector server;
接收由边缘节点服务器转发的针对目标应用的访问请求,基于第二负载均衡策略,从所述至少一个连接器客户端中确定与所述目标应用对应的目标连接器客户端;receiving an access request for the target application forwarded by the edge node server, and determining a target connector client corresponding to the target application from the at least one connector client based on a second load balancing strategy;
根据与所述目标连接器客户端对应的会话连接,转发所述访问请求至所述目标连接器客户端。Forwarding the access request to the target connector client according to the session connection corresponding to the target connector client.
本公开第三方面的实施例提供了一种隐藏源站的方法,应用于边缘节点服务器,包括:The embodiment of the third aspect of the present disclosure provides a method of hiding the source site, which is applied to the edge node server, including:
接收由目标终端发送的针对目标应用的访问请求,所述访问请求包含所述目标应用的标识,所述目标应用的标识包括域名、协议、IP地址和端口中的至少一种;receiving an access request for a target application sent by a target terminal, where the access request includes an identifier of the target application, and the identifier of the target application includes at least one of a domain name, a protocol, an IP address, and a port;
根据所述目标应用的标识,获取与所述目标应用绑定的连接器客户端的配置信息,所述配置信息至少包括与所述连接器客户端对应的至少一个连接器服务端的地址信息;Obtain configuration information of a connector client bound to the target application according to the identifier of the target application, where the configuration information includes at least address information of at least one connector server corresponding to the connector client;
基于第三负载均衡策略和获取的所述连接器客户端的配置信息,从所述目标应用对应的每个连接器服务端中确定目标连接器服务端;Based on the third load balancing policy and the acquired configuration information of the connector client, determine the target connector server from each connector server corresponding to the target application;
根据所述目标连接器服务端的地址信息,转发所述访问请求至所述目标连接器服务端。forwarding the access request to the target connector server according to the address information of the target connector server.
本公开第四方面的实施例提供了一种隐藏源站的方法,应用于管理平台,包括:The embodiment of the fourth aspect of the present disclosure provides a method of hiding the source site, which is applied to the management platform, including:
生成至少一个连接器客户端对应的配置信息,所述配置信息至少包括连接器客户端的标识信息和与所述连接器客户端对应的连接器服务端的地址信息;Generate configuration information corresponding to at least one connector client, where the configuration information includes at least identification information of the connector client and address information of a connector server corresponding to the connector client;
生成目标应用对应的应用配置信息,所述应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种;Generate application configuration information corresponding to the target application, where the application configuration information includes at least one of a domain name of the target application, a back-to-source address, and identification information of an associated connector client;
发送所述连接器客户端的配置信息;sending the configuration information of the connector client;
发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端的配置信息;sending the application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application;
接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一。receiving and displaying the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least including at least one of heartbeat information and system resource usage.
本公开第五方面的实施例提供了一种隐藏源站的系统,包括:管理平台、边缘节点服务器、连接器服务端和连接器客户端;The embodiment of the fifth aspect of the present disclosure provides a system for hiding the source site, including: a management platform, an edge node server, a connector server, and a connector client;
管理平台,用于生成目标应用的应用配置信息,以及生成连接器客户端对应的配置信息;发送所述连接器客户端的配置信息;发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端的配置信息;接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一;The management platform is used to generate the application configuration information of the target application, and generate the configuration information corresponding to the connector client; send the configuration information of the connector client; send the application configuration information of the target application required by the edge node server and configuration information of the connector client associated with the target application; receiving and displaying the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information being at least including at least one of heartbeat information and system resource usage;
边缘节点服务器,用于接收目标终端发送的针对目标应用的访问请求;并根据所述访问请求包含的目标应用的标识,将所述访问请求向对应的连接器服务端进行发送;The edge node server is configured to receive the access request for the target application sent by the target terminal; and send the access request to the corresponding connector server according to the identifier of the target application included in the access request;
连接器服务端,用于接收所述边缘节点服务器发送的所述访问请求;根据在先建立的与连接器客户端的会话连接,将所述访问请求转发至对应的连接器客户端;The connector server is configured to receive the access request sent by the edge node server; forward the access request to the corresponding connector client according to the previously established session connection with the connector client;
连接器客户端,用于接收所述连接器服务端发送的所述访问请求,并将所述访问请求转发至对应的目标应用。The connector client is configured to receive the access request sent by the connector server, and forward the access request to a corresponding target application.
本公开第六方面的实施例提供了一种隐藏源站的装置,应用于连接器客户端,包括:The embodiment of the sixth aspect of the present disclosure provides a device for hiding the source site, which is applied to the connector client, including:
配置获取模块,用于获取与所述连接器客户端对应的至少一个连接器服务端的地址信息,所述地址信息为离所述连接器客户端最近的至少一个连接器服务端的地址信息;A configuration acquisition module, configured to acquire address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client;
建立会话模块,用于根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,所述会话连接为由所述连接器客户端至所述至少一个连接器服务端的出站连接;Establishing a session module, configured to establish a session connection with the at least one connector server according to the address information of the at least one connector server, the session connection is from the connector client to the at least one an outbound connection from a connector server;
源服务器确定模块,用于基于所述会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从所述目标应用对应的多个源服务器中确定目标源服务器;The source server determining module is configured to, based on the session connection, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy, from the plurality of source servers corresponding to the target application Determine the target source server;
第一发送模块,用于将所述访问请求发送至所述目标源服务器中的所述目标应用;将接收到的请求响应信息向所述连接器服务端进行发送,所述请求响应信息由所述目标源服务器中的所述目标应用根据所述访问请求进行反馈。A first sending module, configured to send the access request to the target application in the target source server; send the received request response information to the connector server, and the request response information is determined by the The target application in the target source server performs feedback according to the access request.
本公开第七方面的实施例提供了一种隐藏源站的装置,应用于连接器服务端,包括:The embodiment of the seventh aspect of the present disclosure provides a device for hiding the source site, which is applied to the connector server, including:
接收模块,用于接收由至少一个连接器客户端发送的连接请求;A receiving module, configured to receive a connection request sent by at least one connector client;
建立会话模块,用于根据所述连接请求,建立与所述至少一个连接器客户端之间的会话连接,所述会话连接为由所述至少一个连接器客户端至所述连接器服务端的出站连接;Establishing a session module, configured to establish a session connection with the at least one connector client according to the connection request, and the session connection is an outgoing connection from the at least one connector client to the connector server station connection;
所述接收模块,还用于接收由边缘节点服务器转发的针对目标应用的访问请求;The receiving module is also used to receive the access request for the target application forwarded by the edge node server;
连接器客户端确定模块,用于基于第二负载均衡策略,从所述至少一个连接器客户端中确定与所述目标应用对应的目标连接器客户端;A connector client determining module, configured to determine a target connector client corresponding to the target application from the at least one connector client based on a second load balancing strategy;
第二发送模块,用于根据与所述目标连接器客户端对应的会话连接,转发所述访问请求至所述目标连接器客户端。The second sending module is configured to forward the access request to the target connector client according to the session connection corresponding to the target connector client.
本公开第八方面的实施例提供了一种隐藏源站的装置,应用于边缘节点服务器,包括:The embodiment of the eighth aspect of the present disclosure provides a device for hiding a source site, which is applied to an edge node server, including:
接收模块,用于接收由目标终端发送的针对目标应用的访问请求,所述访问请求包含所述目标应用的标识,所述目标应用的标识包括域名、协议、IP地址和端口之间的一种或多种;The receiving module is configured to receive an access request for a target application sent by a target terminal, the access request includes an identifier of the target application, and the identifier of the target application includes one of domain name, protocol, IP address and port or more;
配置获取模块,用于根据所述目标应用的标识,获取与所述目标应用绑定的连接器客户端的配置信息,所述配置信息至少包括与所述连接器客户端对应的至少一个连接器服务端的地址信息;A configuration acquiring module, configured to acquire configuration information of a connector client bound to the target application according to the identifier of the target application, the configuration information at least including at least one connector service corresponding to the connector client end address information;
连接器服务端确定模块,用于根据所述配置信息及第三负载均衡策略,从所述目标应用对应的每个连接器服务端中确定目标连接器服务端;A connector server determination module, configured to determine a target connector server from each connector server corresponding to the target application according to the configuration information and the third load balancing strategy;
第三发送模块,用于根据所述目标连接器服务端的地址信息,转发所述访问请求至所述目标连接器服务端。The third sending module is configured to forward the access request to the target connector server according to the address information of the target connector server.
本公开第九方面的实施例提供了一种隐藏源站的装置,应用于管理平台,包括:The embodiment of the ninth aspect of the present disclosure provides a device for hiding the source site, which is applied to the management platform, including:
配置生成模块,用于生成至少一个连接器客户端对应的配置信息,所述配置信息至少包括连接器客户端的标识信息和与所述连接器客户端对应的连接器服务端的地址信息;生成目标应用对应的应用配置信息,所述应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种;A configuration generating module, configured to generate configuration information corresponding to at least one connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client; generating a target application Corresponding application configuration information, the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client;
配置发送模块,用于发送所述连接器客户端所需的配置信息;发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端配置信息;A configuration sending module, configured to send the configuration information required by the connector client; send the application configuration information of the target application required by the edge node server and the connector client configuration information associated with the target application;
状态信息接收模块,用于接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一。A status information receiving module, configured to receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least including heartbeat information and system resource usage at least one of the .
本公开第十方面的实施例提供了一种电子设备,包括存储器、处理器及存储在所述存储器上并可在所述处理器上运行的计算机程序,所述处理器运行所述计算机程序以实现上述第一至第四方面中任一方面所述的方法。The embodiment of the tenth aspect of the present disclosure provides an electronic device, including a memory, a processor, and a computer program stored on the memory and operable on the processor, and the processor runs the computer program to Implement the method described in any one of the first to fourth aspects above.
本公开第十一方面的实施例提供了一种计算机可读存储介质,其上存储有计算机程序,所述程序被处理器执行实现上述第一至第四方面中任一方面所述的方法。The embodiment of the eleventh aspect of the present disclosure provides a computer-readable storage medium, on which a computer program is stored, and the program is executed by a processor to implement the method described in any one of the first to fourth aspects above.
本公开实施例中提供的技术方案,至少具有如下技术效果或优点:The technical solutions provided in the embodiments of the present disclosure have at least the following technical effects or advantages:
在本公开实施例中,通过连接器客户端的设置并建立连接器客户端与连接器服务端之间的会话连接,该会话连接为连接器客户端至连接器服务端之间的出站连接,用户访问目标应用时先访问边缘节点服务器,边缘节点服务器经由连接器服务端将请求转发至连接器客户端,连接器客户端再将请求转发至目标应用。In the embodiment of the present disclosure, the session connection between the connector client and the connector server is established through setting the connector client, and the session connection is an outbound connection between the connector client and the connector server. When the user accesses the target application, he first visits the edge node server, and the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application.
本方法使得目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。This method only needs to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开附加的方面和优点将在下面的描述中部分给出,部分将从下面的描述中变的明显,或通过本公开的实践了解到。Additional aspects and advantages of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
附图说明Description of drawings
构成本公开的一部分的附图用来提供对本公开的进一步理解,本公开的示意性实施例及其说明用于解释本公开,并不构成对本公开的不当限定。在附图中:The accompanying drawings constituting a part of the present disclosure are used to provide a further understanding of the present disclosure, and the schematic embodiments and descriptions of the present disclosure are used to explain the present disclosure, and do not constitute improper limitations to the present disclosure. In the attached picture:
图1示出了可以应用本公开实施例的技术方案的示例性系统架构的示意图;FIG. 1 shows a schematic diagram of an exemplary system architecture to which the technical solutions of embodiments of the present disclosure can be applied;
图2示出了本公开一实施例所提供的一种隐藏源站的方法的信令交互图;FIG. 2 shows a signaling interaction diagram of a method for hiding a source station provided by an embodiment of the present disclosure;
图3示出了本公开一实施例所提供的目标应用的应用配置信息及连接器客户端的配置信息的示意图;Fig. 3 shows a schematic diagram of application configuration information of a target application and configuration information of a connector client provided by an embodiment of the present disclosure;
图4示出了本公开一实施例所提供的连接器客户端与连接器服务端建立会话连接的过程及连接器客户端的标识信息与会话的映射关系示意图;Fig. 4 shows a process of establishing a session connection between a connector client and a connector server provided by an embodiment of the present disclosure and a schematic diagram of the mapping relationship between the identification information of the connector client and the session;
图5示出了本公开一实施例所提供的边缘节点服务器通过负载均衡和健康检查选择连接服务端以及连接器服务端通过负载均衡和健康检查选择连接器客户端的示意图;Fig. 5 shows a schematic diagram of an edge node server selecting a connection server through load balancing and health checking and a connector server selecting a connector client through load balancing and health checking provided by an embodiment of the present disclosure;
图6示出了本公开一实施例所提供的连接器客户端经由连接器服务端向管理平台上报状态信息的示意图;Fig. 6 shows a schematic diagram of a connector client reporting status information to a management platform via a connector server provided by an embodiment of the present disclosure;
图7示出了本公开一实施例所提供的一种隐藏源站的方法流程图;FIG. 7 shows a flowchart of a method for hiding an origin site provided by an embodiment of the present disclosure;
图8示出了本公开一实施例所提供的连接器客户端对应于多个源服务器的示意图;FIG. 8 shows a schematic diagram of a connector client corresponding to multiple source servers provided by an embodiment of the present disclosure;
图9示出了本公开一实施例所提供的一种隐藏源站的方法中连接器客户端的操作流程图;FIG. 9 shows an operation flowchart of a connector client in a method for hiding an origin site provided by an embodiment of the present disclosure;
图10示出了本公开一实施例所提供的一种隐藏源站的方法中连接器服务端的操作流程图;Fig. 10 shows a flow chart of the operation of the connector server in a method for hiding the origin site provided by an embodiment of the present disclosure;
图11示出了本公开一实施例所提供的一种隐藏源站的方法中边缘节点服务器的操作流程图;Fig. 11 shows an operation flowchart of an edge node server in a method for hiding an origin site provided by an embodiment of the present disclosure;
图12示出了本公开一实施例所提供的一种隐藏源站的方法中管理平台的操作流程图;Fig. 12 shows an operation flowchart of the management platform in a method for hiding the origin site provided by an embodiment of the present disclosure;
图13示出了本公开一实施例所提供的一种隐藏源站的方法中应用于连接器客户端的装置结构示意图;Fig. 13 shows a schematic structural diagram of a device applied to a connector client in a method for hiding an origin site provided by an embodiment of the present disclosure;
图14示出了本公开一实施例所提供的一种隐藏源站的方法中应用于连接器服务端的装置结构示意图;Fig. 14 shows a schematic structural diagram of a device applied to a connector server in a method for hiding an origin site provided by an embodiment of the present disclosure;
图15示出了本公开一实施例所提供的一种隐藏源站的方法中应用于边缘节点服务器的装置结构示意图;FIG. 15 shows a schematic structural diagram of a device applied to an edge node server in a method for hiding an origin site provided by an embodiment of the present disclosure;
图16示出了本公开一实施例所提供的一种隐藏源站的方法中应用于管理平台的装置结构示意图;Fig. 16 shows a schematic structural diagram of a device applied to a management platform in a method for hiding an origin site provided by an embodiment of the present disclosure;
图17示出了本公开一实施例所提供的一种电子设备的结构示意图;Fig. 17 shows a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure;
图18示出了本公开一实施例所提供的一种存储介质的示意图。Fig. 18 shows a schematic diagram of a storage medium provided by an embodiment of the present disclosure.
具体实施方式Detailed ways
为使本公开实施例的目的、技术方案和优点更加清楚,下面将结合本公开实施例中的附图,对本公开实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本公开一部分实施例,而不是全部的实施例。基于本公开中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本公开保护的范围。需要说明的是,在不冲突的情况下,本公开中的实施例及实施例中的特征可以相互任意组合。In order to make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below in conjunction with the drawings in the embodiments of the present disclosure. Obviously, the described embodiments It is a part of the embodiments of the present disclosure, but not all of them. Based on the embodiments in the present disclosure, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present disclosure. It should be noted that, in the case of no conflict, the embodiments in the present disclosure and the features in the embodiments can be combined arbitrarily with each other.
需要注意的是,除非另有说明,本公开使用的技术术语或者科学术语应当为本公开所属领域技术人员所理解的通常意义。It should be noted that, unless otherwise specified, the technical terms or scientific terms used in the present disclosure shall have the usual meanings understood by those skilled in the art to which the present disclosure belongs.
下面结合附图来描述根据本公开实施例提出的一种隐藏源站的方法、系统、装置、设备及存储介质。A method, system, device, device, and storage medium for hiding an origin site according to embodiments of the present disclosure will be described below with reference to the accompanying drawings.
本公开实施例提供了一种隐藏源站的方法,参见图1,该方法所基于的网络系统架构包 括连接器服务端、连接器客户端、源服务器、边缘节点服务器、管理平台和目标终端。其中,源服务器可以采用VPC(Virtual Private Cloud,专有网络)/NAT(Network Address Translation,网络地址转换),源服务器中包含一个或多个目标应用,目标应用可以为内网中的内部应用,也可以为公网中的应用。同一个目标应用可以部署在多个源服务器中。The embodiment of the present disclosure provides a method of hiding the source site, see Figure 1, the network system architecture based on the method includes a connector server, a connector client, a source server, an edge node server, a management platform and a target terminal. Among them, the source server can adopt VPC (Virtual Private Cloud, proprietary network)/NAT (Network Address Translation, network address translation), the source server contains one or more target applications, and the target applications can be internal applications in the intranet. It can also be an application in the public network. The same target application can be deployed on multiple source servers.
连接器客户端可以为用于进行网络通信的软件程序,连接器客户端部署在能与目标应用通信连接的任一网络中,如连接器客户端可以与目标应用部署在同一个网络中,也可以部署在任何能够与目标应用通信的网络中。需要说明的,一个网络中可以部署有一个或多个连接器客户端,同一个连接器客户端可以与多个目标应用通信连接,同一个目标应用也可以与多个连接器客户端通信连接。The connector client can be a software program for network communication, and the connector client can be deployed in any network that can communicate with the target application. For example, the connector client can be deployed in the same network as the target application, or Can be deployed in any network capable of communicating with the target application. It should be noted that one or more connector clients may be deployed in a network, and the same connector client may communicate with multiple target applications, and the same target application may also communicate with multiple connector clients.
图1中仅示意性地画出了一个连接器客户端,该连接器客户端与源服务器中的一个目标应用通信连接。连接器客户端与连接器服务端之间可以建立会话连接,该会话连接为连接器客户端至连接器服务端之间的出站连接,即出向的通信连接。该会话连接的会话协议类型为加密协议,该加密协议包括HTTPS、HTTP/2、HTTP/3、Websocket、TLS_TCP中的至少一种。该会话连接还可以是基于隧道协议建立的,隧道协议可以为VPN、GRE或者IPsec中的一种,应该理解的,其也可以采用其他隧道协议建立该会话连接,本公开对此不作特殊限定。FIG. 1 only schematically shows a connector client, which communicates with a target application in the source server. A session connection can be established between the connector client and the connector server, and the session connection is an outbound connection between the connector client and the connector server, that is, an outbound communication connection. The session protocol type of the session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP. The session connection may also be established based on a tunnel protocol, and the tunnel protocol may be one of VPN, GRE, or IPsec. It should be understood that the session connection may also be established using other tunnel protocols, which is not specifically limited in the present disclosure.
边缘节点服务器分别与连接器服务端和目标终端通信,管理平台与边缘节点服务器通信连接。目标终端可以包括但不限于智能手机、平板电脑、便携式电脑或者台式计算机中的一种或者多种。目标终端与边缘节点服务器之间的传输协议可以包括HTTP、HTTPS、TCP或UDP中的至少一种。应该理解的,图1中的目标终端、边缘节点服务器、连接器服务端、连接器客户端以及源服务器的数目仅仅是示意性的,根据实现需要,可以具有任意数目的目标终端、边缘节点服务器、连接器服务端、连接器客户端以及源服务器。例如,该网络架构中可以包括一个或多个边缘节点服务器以及一个或多个连接器服务端,图1中仅示意性地画出了一个边缘节点服务器和一个连接器服务端。The edge node server communicates with the connector server and the target terminal respectively, and the management platform communicates with the edge node server. The target terminal may include but not limited to one or more of smart phones, tablet computers, laptop computers or desktop computers. The transmission protocol between the target terminal and the edge node server may include at least one of HTTP, HTTPS, TCP or UDP. It should be understood that the number of target terminals, edge node servers, connector servers, connector clients, and source servers in FIG. 1 is only illustrative, and there may be any number of target terminals, edge node servers , Connector Server, Connector Client, and Origin Server. For example, the network architecture may include one or more edge node servers and one or more connector servers, and FIG. 1 only schematically shows one edge node server and one connector server.
值得注意的是,本公开实施例提到的边缘节点服务器和连接器服务端,是两个逻辑概念,分开提出来是为了帮助理解,实践中可以分开部署,也可以部署在同一台服务器设备上,本公开对此不作特殊限定。It is worth noting that the edge node server and the connector server mentioned in the embodiments of the present disclosure are two logical concepts, which are proposed separately to help understanding. In practice, they can be deployed separately or on the same server device , which is not specifically limited in the present disclosure.
基于上述网络架构,目标终端针对目标应用的访问请求经边缘节点服务器发送至连接器服务端。连接器服务端确定与该目标应用关联的连接器客户端,通过与确定的客户端之间的出站连接将该访问请求发送给该连接器客户端。最后由该连接器客户端将该访问请求发送给对应的目标应用。如此该目标应用所属的目标源服务器可以阻断一切入向连接,实现隐藏源站的目的,目标源服务器不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了源服务器遭受恶意攻击的风险,保证了目标应用的安全性。Based on the above network architecture, the target terminal's access request for the target application is sent to the connector server via the edge node server. The connector server determines the connector client associated with the target application, and sends the access request to the connector client through an outbound connection with the determined client. Finally, the connector client sends the access request to the corresponding target application. In this way, the target source server to which the target application belongs can block all incoming connections to achieve the purpose of hiding the source site, and the target source server does not need to maintain complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks on the source server and ensuring the security of the target application.
以下对本公开实施例的技术方案的实现细节进行详细阐述:The implementation details of the technical solutions of the embodiments of the present disclosure are described in detail below:
图2示出了本公开一实施例所提供的一种隐藏源站的方法的信令交互图。参照图2所示,该方法至少包括步骤101至步骤114,详细介绍如下:Fig. 2 shows a signaling interaction diagram of a method for hiding a source station provided by an embodiment of the present disclosure. Referring to Figure 2, the method at least includes steps 101 to 114, which are described in detail as follows:
步骤101:管理平台生成至少一个连接器客户端对应的配置信息,该配置信息至少包括连接器客户端的标识信息和与连接器客户端对应的连接器服务端的地址信息。Step 101: The management platform generates configuration information corresponding to at least one connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client.
其中,管理平台可以为云计算平台,如私有云或公有云等。连接器客户端对应的配置信息至少包括连接器客户端的标识信息和与连接器客户端对应的连接器服务端的地址信息。其中,标识信息可以用于标识连接器客户端,该标识信息可以为连接器客户端的IP地址、MAC(Media Access Control Address,硬件地址)地址或人为设定或自动生成的能够标识该连接器客户端的字符序列等。Wherein, the management platform may be a cloud computing platform, such as a private cloud or a public cloud. The configuration information corresponding to the connector client includes at least identification information of the connector client and address information of a connector server corresponding to the connector client. Among them, the identification information can be used to identify the connector client, and the identification information can be the IP address, MAC (Media Access Control Address, hardware address) address of the connector client, or an artificially set or automatically generated address that can identify the connector client. End character sequence, etc.
连接器客户端可以为用于进行网络通信的软件程序,将连接器客户端安装在企事业单位 或社会组织等团体的源服务器或能够与源服务器通信的网络中,使得能够通过连接器客户端与连接器服务端建立会话连接,通过建立的会话连接实现源服务器的远程访问,例如实现源服务器中所包含的目标应用的远程访问等等。The connector client can be a software program for network communication, and the connector client is installed in the source server of groups such as enterprises, institutions or social organizations or in a network capable of communicating with the source server, so that it can be accessed through the connector client. A session connection is established with the connector server, and remote access to the source server is realized through the established session connection, for example, remote access to a target application included in the source server is realized.
连接器服务端可以是能够与连接器客户端进行通信的服务器,其可以与连接器客户端之间建立用以传输信息的会话连接。应该理解的,连接器服务端的地址信息可以包括域名和/或IP地址,若为域名,则根据该域名可以解析到一个或多个连接器服务端的IP地址。需要说明的是,一个连接器服务端可以与一个或者多个连接器客户端进行通信连接,本公开对此不作特殊限定。The connector server may be a server capable of communicating with the connector client, and may establish a session connection with the connector client for transmitting information. It should be understood that the address information of the connector server may include a domain name and/or an IP address, and if it is a domain name, it can be resolved to one or more IP addresses of the connector server according to the domain name. It should be noted that one connector server can communicate with one or more connector clients, which is not specifically limited in this disclosure.
在本公开一示例性实施例中,在通过连接器客户端实现远程访问前,首先在管理平台上生成连接器客户端对应的配置信息,该配置信息可以作为连接器客户端对应的启动参数,以在根据该配置信息对连接器客户端进行配置之后启用该连接器客户端。In an exemplary embodiment of the present disclosure, before the remote access is realized through the connector client, the configuration information corresponding to the connector client is first generated on the management platform, and the configuration information can be used as the startup parameter corresponding to the connector client, to enable the connector client after configuring the connector client according to the configuration information.
作为一种实现方式,客户可以自行配置连接器客户端对应的配置信息,具体地,管理平台可以支持客户的配置操作,接收客户配置的连接器客户端对应的配置信息。其也可以由客户将连接器客户端的相关配置信息提供给服务提供方,再由服务提供方在管理平台上配置该客户的连接器客户端对应的配置信息。As an implementation, the customer can configure the configuration information corresponding to the connector client by itself. Specifically, the management platform can support the configuration operation of the customer and receive the configuration information corresponding to the connector client configured by the customer. It is also possible for the customer to provide the relevant configuration information of the connector client to the service provider, and then the service provider configures the corresponding configuration information of the client's connector client on the management platform.
作为另一种实现方式,管理平台也可以自动生成连接器客户端对应的配置信息,具体地,管理平台可以为连接器客户端分配用于标识该连接器客户端的标识信息,以及根据整个网络系统架构中包括的所有连接器服务端的配置信息,分配与该连接器客户端对应的连接器服务端。其中,连接器服务端的配置信息中可以包括但不限于连接器服务端的地址信息、已关联的连接器客户端的数目、能关联的连接器客户端数目的上限值等。管理平台为该连接器客户端分配标识信息及相关联的连接器服务端后,将该标识信息及该连接器客户端对应的连接器服务端的地址信息等确定为该连接器客户端对应的配置信息。As another implementation, the management platform can also automatically generate configuration information corresponding to the connector client. Specifically, the management platform can assign the connector client identification information for identifying the connector client, and according to the entire network system The configuration information of all connector servers included in the schema, assigns the connector server corresponding to the connector client. Wherein, the configuration information of the connector server may include but not limited to the address information of the connector server, the number of associated connector clients, the upper limit of the number of associated connector clients, and the like. After the management platform assigns the identification information and the associated connector server to the connector client, it determines the identification information and the address information of the connector server corresponding to the connector client as the corresponding configuration of the connector client. information.
在本公开一示例性实施例中,连接器客户端可以是在管理平台上创建的,管理平台可以为服务提供方提供用于创建连接器客户端的接口。连接器客户端可以运行在多种平台上,如VMware的虚拟机、Docker(应用容器引擎)、公有云云主机等。服务提供方利用管理平台提供的接口创建运行在不同平台上的连接器客户端。在创建出连接器客户端后,还生成连接器客户端对应的安装包和配置信息,该配置信息中包括连接器客户端的标识信息、连接器客户端对应的连接器服务端的地址信息等,该连接器服务端的地址信息可以包括连接器服务端的域名和/或IP地址。In an exemplary embodiment of the present disclosure, the connector client may be created on the management platform, and the management platform may provide the service provider with an interface for creating the connector client. The connector client can run on a variety of platforms, such as VMware's virtual machine, Docker (application container engine), public cloud cloud host, etc. The service provider uses the interface provided by the management platform to create connector clients running on different platforms. After the connector client is created, the installation package and configuration information corresponding to the connector client are also generated. The configuration information includes the identification information of the connector client, the address information of the connector server corresponding to the connector client, etc. The address information of the connector server may include the domain name and/or IP address of the connector server.
需要说明的,管理平台上可以创建一个连接器客户端,也可以创建多个连接器客户端,且在各连接器客户端对应的配置信息中可以包括该连接器客户端所对应的一个或多个连接器服务端的地址信息,以便在源服务器中或在能够与源服务器通信的网络中安装并启动连接器客户端之后,该连接器客户端可以与图1所示系统架构中的一个或多个连接器服务端建立会话连接。It should be noted that one or more connector clients can be created on the management platform, and the configuration information corresponding to each connector client can include one or more address information of each connector server, so that after installing and starting the connector client in the source server or in a network capable of communicating with the source server, the connector client can communicate with one or more of the system architecture shown in Figure 1. A connector server establishes a session connection.
例如,图3中示出了一个连接器客户端的配置信息,该配置信息中包括连接器客户端的标识信息(以id为例):“连接器客户端id:12345”,以及连接器客户端对应的连接器服务端的域名“companyA.connector.com”。For example, Figure 3 shows the configuration information of a connector client, which includes the identification information of the connector client (taking id as an example): "connector client id: 12345", and the corresponding The domain name "companyA.connector.com" of the connector server.
另外,在一示例性实施例中,为了实现访问的高可用,连接器服务端的地址信息包括的域名至少会解析到两个连接器服务端的IP地址。由此,连接器客户端可以根据解析到的多个连接器服务端的IP地址,分别建立与多个连接器服务端之间的会话连接,从而在某一会话连接失效或者故障时,可以通过其他的会话连接进行信息传输。应该理解的,根据该多个连接器服务端所建立的会话连接可以是用于传输相同信息的会话连接,换言之,多个会话连接中有的可以作为主会话连接,其他的作为副会话连接,以在主会话连接失效时,可以通过副会话连接所传输的信息进行处理,以保证访问的稳定性。In addition, in an exemplary embodiment, in order to achieve high access availability, the domain name included in the address information of the connector server will be resolved to at least two IP addresses of the connector server. As a result, the connector client can establish session connections with multiple connector servers based on the resolved IP addresses of the multiple connector servers, so that when a certain session connection fails or fails, it can be connected through other session connection for information transfer. It should be understood that the session connections established by the multiple connector servers may be session connections for transmitting the same information. In other words, some of the multiple session connections may be used as primary session connections, and others may be used as secondary session connections. When the main session connection fails, the information transmitted by the secondary session connection can be used for processing to ensure the stability of access.
步骤102:管理平台生成目标应用对应的应用配置信息,该应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种。Step 102: The management platform generates application configuration information corresponding to the target application, and the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client.
其中,目标应用可以为企事业单位或社会组织等团体的内网中的应用,如OA系统、Web(网站)、SSH(Secure Shell,安全外壳协议)、VNC(Virtual Network Console,虚拟网络控制台)、RDP(Remote Desktop Protocol,远程桌面协议)、内部IAM(Identity and Access Management,身份识别与访问管理)等。目标应用也可以为公网中的应用程序。Among them, the target application can be the application in the intranet of groups such as enterprises, institutions or social organizations, such as OA system, Web (website), SSH (Secure Shell, secure shell protocol), VNC (Virtual Network Console, virtual network console) ), RDP (Remote Desktop Protocol, Remote Desktop Protocol), internal IAM (Identity and Access Management, identity identification and access management), etc. The target application can also be an application program in the public network.
在本公开一示例性实施例中,在访问目标应用之前,由管理平台生成目标应用对应的应用配置信息。具体地,管理平台可以支持用户的配置操作,用户依据自身需求确定允许远程访问的目标应用,然后在管理平台上配置这些目标应用对应的应用配置信息,管理平台可以接收并存储用户所配置的应用配置信息,并将该应用配置信息与对应的目标应用相关联。In an exemplary embodiment of the present disclosure, before accessing the target application, the management platform generates application configuration information corresponding to the target application. Specifically, the management platform can support user configuration operations. Users determine the target applications that allow remote access according to their own needs, and then configure the application configuration information corresponding to these target applications on the management platform. The management platform can receive and store the applications configured by the user. configuration information, and associate the application configuration information with the corresponding target application.
在一示例性实施例中,该应用配置信息可以包括回源地址、目标应用的域名及与该目标应用相关联的连接器客户端的标识信息等多种信息中的至少一种。其中,回源地址可以包括目标应用所在设备的IP地址及目标应用所在设备对外开放的端口号等。In an exemplary embodiment, the application configuration information may include at least one of various information such as a return-to-source address, a domain name of a target application, and identification information of a connector client associated with the target application. Wherein, the back-to-source address may include the IP address of the device where the target application is located, the port number opened to the outside world by the device where the target application is located, and the like.
例如,图3中示出的目标应用对应的应用配置信息中的回源地址为172.16.1.100:443,其中172.16.1.100为目标应用所在设备的IP地址即源服务器的IP地址,443表示目标应用所在设备对外开放的端口为443端口(即加密网页浏览端口)。图3中应用配置信息包括的目标应用的域名为“oa.companyA.com”,回源负载均衡策略为“轮询”,与该目标应用相关联的连接器客户端的唯一标识为“绑定连接器客户端:12345”。For example, the back-to-source address in the application configuration information corresponding to the target application shown in Figure 3 is 172.16.1.100:443, where 172.16.1.100 is the IP address of the device where the target application is located, that is, the IP address of the source server, and 443 indicates the target application The open port of the device is port 443 (that is, the encrypted web browsing port). The domain name of the target application included in the application configuration information in Figure 3 is "oa.companyA.com", the back-to-source load balancing policy is "polling", and the unique identifier of the connector client associated with the target application is "binding connection server client: 12345".
通过步骤101和102的操作,在管理平台上生成连接器客户端对应的配置信息及目标应用对应的应用配置信息,通过在应用配置信息中设置相关联的连接器客户端的标识信息将该目标应用与连接器客户端关联起来。Through the operations of steps 101 and 102, the configuration information corresponding to the connector client and the application configuration information corresponding to the target application are generated on the management platform, and the target application is set by setting the identification information of the associated connector client in the application configuration information. Associated with the connector client.
需要说明的,目标应用与连接器客户端可以处于同一网络,例如均属于内部网络、均属于公共网络或者属于同一C段网络等,目标应用与连接器客户端也可以处于不同网络,例如一个在公网、另一个在内部网络等,本公开对此不作特殊限定,只需目标应用与连接器客户端之间可以通信即可。It should be noted that the target application and the connector client can be in the same network, for example, both belong to the internal network, both belong to the public network, or belong to the same segment C network, etc. The target application and the connector client can also be in different networks, for example, one in The public network, the other in the internal network, etc., are not specifically limited in this disclosure, as long as the target application and the connector client can communicate.
请继续参考图2,步骤103:管理平台发送连接器客户端所需的配置信息。Please continue to refer to FIG. 2, step 103: the management platform sends the configuration information required by the connector client.
在本公开一示例性实施例中,连接器客户端可以直接从管理平台中下载连接器客户端的安装包,依据下载的安装包在需要安装连接器客户端的设备本地安装连接器客户端。具体地,需要安装连接器客户端的设备发送获取请求给管理平台,管理平台根据接收到的获取请求,将连接器客户端的安装包发送给该设备。该设备从管理平台下载连接器客户端的安装包后,根据该安装包在本地安装该连接器客户端。其中,需要安装连接器客户端的设备可以为源服务器,也可以为能够与源服务器通信的其他设备。In an exemplary embodiment of the present disclosure, the connector client may directly download the installation package of the connector client from the management platform, and install the connector client locally on the device that needs to install the connector client according to the downloaded installation package. Specifically, the device that needs to install the connector client sends an acquisition request to the management platform, and the management platform sends the installation package of the connector client to the device according to the received acquisition request. After the device downloads the installation package of the connector client from the management platform, it locally installs the connector client according to the installation package. Wherein, the device on which the connector client needs to be installed may be the source server, or other devices capable of communicating with the source server.
或者,需要安装连接器客户端的设备的云主机中可以预先安装有连接器客户端。或者,还可以是该设备从管理平台中下载完整的连接器客户端镜像文件进行安装,等等。本公开实施例对如何安装连接器客户端的方式不作特殊限定。Or, the cloud host of the device that needs to install the connector client can have the connector client pre-installed. Or, it may also be that the device downloads a complete connector client image file from the management platform for installation, and so on. The embodiments of the present disclosure make no special limitation on how to install the connector client.
在该设备安装连接器客户端后,可以从管理平台请求连接器客户端对应的配置信息。管理平台响应该请求,发送接器客户端对应的配置信息给该设备。该设备安装连接器客户端并从管理平台获得接器客户端对应的配置信息后,以该配置信息来启动此连接器客户端。在一示例中,该设备向管理平台发送配置信息获取请求,该配置信息获取请求中可以包含该连接器客户端的标识信息,管理平台可以根据该标识信息,将对应的连接器客户端的配置信息向该设备进行反馈。After the connector client is installed on the device, configuration information corresponding to the connector client can be requested from the management platform. The management platform responds to the request and sends configuration information corresponding to the adapter client to the device. After the device installs the connector client and obtains the configuration information corresponding to the connector client from the management platform, it uses the configuration information to start the connector client. In an example, the device sends a configuration information acquisition request to the management platform, and the configuration information acquisition request may include the identification information of the connector client, and the management platform may send the configuration information of the corresponding connector client to the management platform according to the identification information. The device performs feedback.
在本公开实施例中,同一设备可以部署一个或多个连接器客户端。在部署多个连接器客户端的应用场景中,多个连接器客户端可以与相同的目标应用关联,对于该相同的目标应用来说,其关联的多个连接器客户端可以划分为主用连接器客户端和备用连接器客户端,以便 在主用连接器客户端故障时采用备用连接器客户端进行通信,提高网络稳定性。In an embodiment of the present disclosure, one or more connector clients may be deployed on the same device. In the application scenario where multiple connector clients are deployed, multiple connector clients can be associated with the same target application, and for the same target application, the associated multiple connector clients can be classified as active connections Connector client and backup connector client, so that when the active connector client fails, the backup connector client can be used for communication, improving network stability.
需要说明的,当一个设备中部署多个连接器客户端时,多个连接器客户端的标识信息均可以作为该设备的标识信息,例如在设备A中包含两个连接器客户端,两个连接器客户端的标识信息分别为123456和234567,那么,该设备A的标识信息可以为两个即123456和234567,等等。又或者,当一个设备中部署多个连接器时,可以为该设备配置一个标识信息,该设备的标识信息则可以与多个连接器客户端的标识信息存在映射关系。本领域技术人员可以根据实际实现需要确定对应的实现方式,本公开对此不作特殊限定。It should be noted that when multiple connector clients are deployed in a device, the identification information of the multiple connector clients can be used as the identification information of the device. For example, device A contains two connector clients, two connection If the identification information of the device client is 123456 and 234567 respectively, then the identification information of the device A may be two, that is, 123456 and 234567, and so on. Alternatively, when multiple connectors are deployed in one device, one identification information may be configured for the device, and the identification information of the device may have a mapping relationship with the identification information of multiple connector clients. Those skilled in the art may determine the corresponding implementation manner according to actual implementation requirements, which is not specifically limited in the present disclosure.
步骤104:连接器客户端获取与该连接器客户端对应的至少一个连接器服务端的地址信息,该地址信息为离该连接器客户端最近的至少一个连接器服务端的地址信息。Step 104: The connector client acquires address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client.
在本公开一示例性实施例中,连接器客户端由管理平台中获取与该连接器客户端对应的至少一个连接器服务端的地址信息。可选的,连接器客户端可以直接从管理平台中获取该连接器客户端对应的配置信息。或者,连接器客户端也可以通过中间媒介间接从管理平台获取配置信息,例如管理平台将该连接器客户端对应的配置信息下发至配置中心,连接器客户端再从配置中心获取该配置信息。连接器客户端在获得配置信息后,从该配置信息中获取与该连接器客户端对应的至少一个连接器服务端的地址信息。该地址信息包括连接器服务端的IP地址和/或域名。连接器服务端的IP地址和/或域名可以是通过任播技术、智能解析技术、智能路由技术之一确定的。In an exemplary embodiment of the present disclosure, the connector client acquires address information of at least one connector server corresponding to the connector client from the management platform. Optionally, the connector client can directly obtain configuration information corresponding to the connector client from the management platform. Alternatively, the connector client can also indirectly obtain configuration information from the management platform through an intermediary, for example, the management platform sends the configuration information corresponding to the connector client to the configuration center, and the connector client then obtains the configuration information from the configuration center . After obtaining the configuration information, the connector client obtains address information of at least one connector server corresponding to the connector client from the configuration information. The address information includes the IP address and/or domain name of the connector server. The IP address and/or domain name of the connector server may be determined through anycast technology, intelligent resolution technology, and intelligent routing technology.
在获取至少一个连接器服务端的地址信息的过程中可以根据连接器服务端的地理位置与连接器客户端的地理位置来获取,具体获取地理位置距离连接器客户端最近的至少一个连接器服务端的地址信息。或者,还可以依据地理位置,并结合网络质量、网络延迟等因素中的至少一种来获取连接器服务端的地址信息。如从距离该连接器客户端最近的一定数目的连接器服务端中获取网络质量最优的至少一个连接器服务端,或者,从距离该连接器客户端最近的一定数目的连接器服务端中获取网络延迟最短的至少一个连接器服务端。In the process of obtaining the address information of at least one connector server, it can be obtained according to the geographic location of the connector server and the geographic location of the connector client, specifically obtaining the address information of at least one connector server whose geographic location is closest to the connector client . Alternatively, the address information of the connector server may also be acquired according to the geographic location and in combination with at least one of factors such as network quality and network delay. For example, obtain at least one connector server with the best network quality from a certain number of connector servers closest to the connector client, or obtain from a certain number of connector servers closest to the connector client Obtain at least one connector server with the shortest network latency.
步骤105:连接器客户端根据至少一个连接器服务端的地址信息,建立与至少一个连接器服务端之间的会话连接,该会话连接为由连接器客户端至所述至少一个连接器服务端的出站连接。Step 105: The connector client establishes a session connection with at least one connector server according to the address information of at least one connector server, and the session connection is an outgoing connection from the connector client to the at least one connector server. station connection.
在本公开一示例性实施例中,安装连接器客户端,且连接器客户端运行正常之后,需要通过连接器客户端建立与该连接器客户端对应的至少一个连接器服务端之间的会话连接。若至少一个连接器服务端的地址信息中包括连接器服务端的IP地址,则根据至少一个连接器服务端的IP地址,直接建立该连接器客户端与至少一个连接器服务端之间的会话连接。In an exemplary embodiment of the present disclosure, after the connector client is installed and the connector client is running normally, it is necessary to establish a session between at least one connector server corresponding to the connector client through the connector client connect. If the address information of the at least one connector server includes the IP address of the connector server, a session connection between the connector client and the at least one connector server is directly established according to the IP address of the at least one connector server.
若至少一个连接器服务端的地址信息中仅包括连接器服务端的域名,则连接器客户端发送该至少一个连接器服务端的域名解析请求给域名服务器。域名服务器对每个域名进行域名解析,得到每个域名对应的IP地址,然后将每个域名对应的IP地址发送给连接器客户端。连接器客户端接收域名服务器返回的每个域名对应的IP地址,根据每个IP地址,分别发送连接请求给每个IP地址对应的连接器服务端,该连接请求包括该连接器客户端的标识信息,以建立并唯一标识该连接器客户端与其对应的至少一个连接器服务端之间的会话连接。If the address information of at least one connector server only includes the domain name of the connector server, the connector client sends the domain name resolution request of the at least one connector server to the domain name server. The domain name server performs domain name resolution for each domain name, obtains the IP address corresponding to each domain name, and then sends the IP address corresponding to each domain name to the connector client. The connector client receives the IP address corresponding to each domain name returned by the domain name server, and sends a connection request to the connector server corresponding to each IP address according to each IP address. The connection request includes the identification information of the connector client , to establish and uniquely identify a session connection between the connector client and at least one corresponding connector server.
连接器客户端与连接器服务端之间的会话连接可以为加密的会话连接。在建立会话连接时,连接器客户端根据获取的至少一个连接器服务端的地址信息,发送认证信息给该至少一个连接器服务端。在该认证信息该被至少一个连接器服务端认证通过后,建立与该至少一个连接器服务端之间的加密的会话连接。The session connection between the connector client and the connector server can be an encrypted session connection. When establishing a session connection, the connector client sends authentication information to the at least one connector server according to the acquired address information of the at least one connector server. After the authentication information is authenticated by at least one connector server, an encrypted session connection with the at least one connector server is established.
上述认证信息可以包括连接器客户端的标识信息、证书、密钥、加密token等信息中的至少一种,除列举的几种信息外,认证信息也可以包括其他任意形式的用以识别连接器客户端的其他认证信息,本公开实施例对此不作限定。The above authentication information may include at least one of the connector client's identification information, certificate, key, encryption token and other information. In addition to the listed information, the authentication information may also include other arbitrary forms to identify the connector client. Other authentication information of the terminal, which is not limited in this embodiment of the present disclosure.
在一示例性实施例中,连接器客户端发送的认证信息中可以包括连接器客户端的标识信 息及证书。连接器服务端上也预先配置了用于认证连接器客户端的证书,连接器服务端接收到该认证信息后,将该认证信息包括的证书与自身存储的证书进行比对,若两个证书一致,则认证通过,否则认证失败。In an exemplary embodiment, the authentication information sent by the connector client may include the identification information and the certificate of the connector client. The connector server is also pre-configured with the certificate used to authenticate the connector client. After receiving the authentication information, the connector server compares the certificate included in the authentication information with the certificate stored in itself. If the two certificates are consistent , the authentication passes, otherwise the authentication fails.
上述建立加密的会话连接所采取的加密协议可以为HTTPS、HTTP/2、HTTP/3、Websocket、TLS_TCP中的至少一种。The encryption protocol adopted for establishing the encrypted session connection may be at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
连接器客户端还可以基于隧道协议建立与至少一个连接器服务端之间的会话连接,所采用的隧道协议可以为VPN、GRE或者IPsec中的一种。The connector client can also establish a session connection with at least one connector server based on a tunnel protocol, and the adopted tunnel protocol can be one of VPN, GRE or IPsec.
在本公开实施例中,该会话连接为由连接器客户端至所述至少一个连接器服务端的出站连接,这些会话连接是连接器客户端主动向外的通信连接。连接器客户端禁止入向的连接,具体地,可以在安装有连接器客户端的设备的防火墙中配置禁止入向的连接请求,从而能够通过防火墙禁止除上述建立的会话连接以外的所有入向请求。如此能够确保只能通过上述建立的会话连接接收入向的信息,通过建立的会话连接实现对目标应用程序的远程访问,同时能够避免其他入向访问,确保目标应用程序的安全性。在目标应用为内网的应用时,能够极大地提高内网的安全性。In the embodiment of the present disclosure, the session connection is an outbound connection from the connector client to the at least one connector server, and these session connections are active outbound communication connections of the connector client. The connector client prohibits incoming connections. Specifically, you can configure the firewall of the device where the connector client is installed to prohibit incoming connection requests, so that all incoming requests except the session connections established above can be prohibited through the firewall. . In this way, it can be ensured that incoming information can only be received through the established session connection, and remote access to the target application program can be realized through the established session connection, while other incoming access can be avoided to ensure the security of the target application program. When the target application is an intranet application, the security of the intranet can be greatly improved.
步骤106:连接器服务端接收由至少一个连接器客户端发送的连接请求,根据连接请求,建立与至少一个连接器客户端之间的会话连接。Step 106: The connector server receives a connection request sent by at least one connector client, and establishes a session connection with the at least one connector client according to the connection request.
步骤105中连接器客户端建立与连接器服务端之间的会话连接之前,发送连接请求给连接器服务端,该连接请求中包括该连接器客户端的标识信息。由于一个连接器客户端可以与至少一个连接器服务端建立会话连接,因此连接器服务端能接收到至少一个连接器客户端发送的连接请求,根据接收的连接请求包括的标识信息,建立与这至少一个连接器客户端之间的会话连接,进一步地,该会话连接可以是连接器服务端与源服务器中安装的连接器客户端之间的会话连接。In step 105, before the session connection between the connector client and the connector server is established, a connection request is sent to the connector server, and the connection request includes the identification information of the connector client. Since a connector client can establish a session connection with at least one connector server, the connector server can receive a connection request sent by at least one connector client, and establish a connection with this connector according to the identification information included in the received connection request. A session connection between at least one connector client, further, the session connection may be a session connection between the connector server and a connector client installed in the source server.
在本公开实施例中,连接器服务端接收到的连接请求的数量可以为多个,连接请求中包含对应的连接器客户端的标识信息。连接器服务端根据多个连接请求,分别建立与至少一个连接器客户端之间的会话连接,并将各连接请求包括的标识信息与对应的会话连接相关联。具体地,连接器服务端将连接请求包括的标识信息与对应的会话存储在连接器客户端的标识信息与会话的映射关系中。In the embodiment of the present disclosure, the number of connection requests received by the connector server may be multiple, and the connection requests include the identification information of the corresponding connector client. The connector server respectively establishes a session connection with at least one connector client according to the multiple connection requests, and associates the identification information included in each connection request with the corresponding session connection. Specifically, the connector server stores the identification information included in the connection request and the corresponding session in the mapping relationship between the identification information of the connector client and the session.
如图4所示,连接器服务端上维护连接器客户端的标识信息与会话之间的映射关系。图4中IP地址为“1.1.1.1”的连接器服务端分别与三个连接器客户端建立了出站的会话连接。因此连接器服务端上维护的映射关系中包括连接器客户端12345:会话1、连接器客户端34567:会话2以及连接器客户端45678:会话3。As shown in FIG. 4 , the mapping relationship between the identification information of the connector client and the session is maintained on the connector server. In Figure 4, the connector server with the IP address "1.1.1.1" has established outbound session connections with the three connector clients respectively. Therefore, the mapping relationship maintained on the connector server includes connector client 12345: session 1, connector client 34567: session 2, and connector client 45678: session 3.
在本公开实施例中,一个连接器客户端可以与一个或多个连接器服务端建立会话连接,一个连接器服务端也可以与一个或多个连接器客户端连接,如此能够避免某个连接器客户端或某个连接器服务端出现故障导致远程访问中断的情况。In the embodiment of the present disclosure, a connector client can establish a session connection with one or more connector servers, and a connector server can also connect with one or more connector clients, so that a certain connection can be avoided failure of a connector client or a connector server that interrupts remote access.
在本公开实施例中,连接器客户端与连接器服务端之间的会话连接是建立在443端口(即加密网页浏览端口)上,在该会话连接上实现应用层的连接复用,并在该会话连接的回路上实现请求回源。为了实现连接器客户端的高可用,连接器客户端可以与多个连接器服务端建立持久的会话连接。对于源服务器来说,因为连接器客户端对应的会话连接是出向的,目标应用的回源访问只依赖于该会话连接,不需要建立任何入向的连接,因此内网防火墙或者VPC(Virtual Private Cloud,虚拟私有云)的安全策略里不需要设置很复杂的网络策略,只需要开放出向443端口并且阻断一切的入向连接即可,从而能够实现对源服务器的隐藏,保证源服务器的安全性。In the embodiment of the present disclosure, the session connection between the connector client and the connector server is established on port 443 (that is, the encrypted web browsing port), and the connection multiplexing of the application layer is realized on the session connection, and the The back-to-source request is implemented on the loop of the session connection. In order to achieve high availability of the connector client, the connector client can establish persistent session connections with multiple connector servers. For the source server, because the session connection corresponding to the connector client is outbound, the back-to-source access of the target application only depends on the session connection, and does not need to establish any inbound connection. Therefore, intranet firewalls or VPC (Virtual Private Cloud, virtual private cloud) security policy does not need to set a very complicated network policy, only need to open port 443 and block all incoming connections, so as to realize the hiding of the source server and ensure the security of the source server sex.
管理平台上创建了连接器客户端及设置好目标应用对应的应用配置信息,以及在源服务器等需要安装连接器客户端的设备中安装连接器客户端,且连接器客户端与连接器服务端建 立会话连接,并将允许进行远程访问的所有目标应用的域名均解析到边缘节点服务器的IP地址上,从而将这些目标应用直接发布在公网中。之后远程终端即可通过本公开实施例提供的方法来访问目标应用。The connector client is created on the management platform and the application configuration information corresponding to the target application is set, and the connector client is installed on the source server and other devices that need to install the connector client, and the connector client and the connector server are established. session connection, and resolve the domain names of all target applications that allow remote access to the IP address of the edge node server, so that these target applications are directly published on the public network. Then the remote terminal can access the target application through the method provided by the embodiment of the present disclosure.
步骤107:边缘节点服务器接收由目标终端发送的针对目标应用的访问请求,该访问请求包括目标应用的标识,目标应用的标识包括域名、协议、IP地址和端口中的至少一种。Step 107: The edge node server receives the access request for the target application sent by the target terminal, the access request includes the identifier of the target application, and the identifier of the target application includes at least one of domain name, protocol, IP address and port.
边缘节点服务器上提供了DDoS(Distributed Denial of Service,分布式拒绝服务)清洗、缓存加速、WAF(Web Application Firewall,Web应用防护系统)、负载均衡等功能,另外,边缘节点服务器还可以作为边缘安全网关以提供身份认证、权限管理、访问控制等功能。目标用户在访问目标应用时,先访问到边缘节点服务器。The edge node server provides functions such as DDoS (Distributed Denial of Service, distributed denial of service) cleaning, cache acceleration, WAF (Web Application Firewall, Web application protection system), load balancing, etc. In addition, the edge node server can also be used as an edge security The gateway provides functions such as identity authentication, rights management, and access control. When the target user accesses the target application, he first accesses the edge node server.
在一具体应用场景中,在家办公或出差的员工需要访问公司内网中的目标应用时,通过目标终端查看公司在公网上发布的多个目标应用,从中选择自己需要访问的目标应用,例如可以通过点击的方式进行选择。目标终端监测到某个目标应用被点击时,获取被点击的目标应用的域名,发送针对该目标应用的域名的解析请求给域名服务器。域名服务器对该目标应用的域名进行解析,由于之前将发布到公网上的所有目标应用的域名均解析到了边缘节点服务器的IP地址上,因此域名服务器对当前的目标应用的域名进行解析能够得到对应的边缘节点服务器的IP地址。域名服务器将域名解析得到的IP地址返回给该目标终端。目标终端根据该IP地址,发送访问请求给对应的边缘节点服务器,该访问请求中包括目标用户需要访问的目标应用的标识。In a specific application scenario, when an employee working at home or on a business trip needs to access a target application in the company's intranet, he can view multiple target applications published by the company on the public network through the target terminal, and select the target application he needs to access. For example, Select by clicking. When the target terminal detects that a certain target application is clicked, it obtains the domain name of the clicked target application, and sends a resolution request for the domain name of the target application to the domain name server. The domain name server resolves the domain name of the target application. Since the domain names of all target applications published on the public network have been resolved to the IP address of the edge node server, the domain name server can obtain the corresponding domain name for the current target application. The IP address of the edge node server. The domain name server returns the IP address obtained through domain name analysis to the target terminal. According to the IP address, the target terminal sends an access request to the corresponding edge node server, and the access request includes the identification of the target application that the target user needs to access.
在本公开的另一些实施例中,边缘节点服务器还可以记录目标用户的访问行为日志,该访问行为日志中可以包括访问时间、访问对象、身份信息等,这些信息可以便于企业的安全管理人员对用户的行为进行审计和管控。In some other embodiments of the present disclosure, the edge node server can also record the target user's access behavior log, which can include access time, access object, identity information, etc., and these information can facilitate the security management personnel of the enterprise to User behavior is audited and controlled.
步骤108:边缘节点服务器根据目标应用的标识,获取与该目标应用绑定的连接器客户端的配置信息。Step 108: The edge node server obtains the configuration information of the connector client bound to the target application according to the identification of the target application.
在本公开一示例性实施例中,边缘节点服务器可以预先从管理平台中获取各目标应用对应的应用配置信息以及与各目标应用绑定的连接器客户端对应的配置信息。需要说明的,边缘节点服务器可以直接从管理平台中获取,也可以从配置中心等中间媒介获取该信息,本公开对此不作特殊限定。In an exemplary embodiment of the present disclosure, the edge node server may obtain the application configuration information corresponding to each target application and the configuration information corresponding to the connector client bound to each target application from the management platform in advance. It should be noted that the edge node server may obtain the information directly from the management platform, or may obtain the information from an intermediary such as a configuration center, which is not specifically limited in this disclosure.
当边缘节点服务器接收到针对目标应用的访问请求之后,可以获取该访问请求中所包含的目标应用的标识,根据该目标应用的标识,确定其对应的应用配置信息,再根据该应用配置信息确定与该目标应用相关联的连接器客户端的标识信息。基于所确定的连接器客户端的标识信息,确定该连接器客户端对应的配置信息,该配置信息至少包括与该连接器客户端对应的至少一个连接器服务端的地址信息。After the edge node server receives the access request for the target application, it can obtain the identification of the target application included in the access request, determine the corresponding application configuration information according to the identification of the target application, and then determine the corresponding application configuration information according to the application configuration information. Identification information for the connector client associated with this target application. Based on the determined identification information of the connector client, configuration information corresponding to the connector client is determined, where the configuration information at least includes address information of at least one connector server corresponding to the connector client.
在本公开另一示例性实施例中,边缘节点服务器向管理平台请求或接受管理平台关于目标应用的应用配置信息的推送。管理平台根据边缘节点服务器发送的包含该目标应用的标识的查询请求,查询该目标应用的应用配置信息,从该应用配置信息中获取与该目标应用相关联的连接器客户端的标识信息,然后根据该标识信息获取该连接器客户端对应的配置信息,发送该连接器客户端对应的配置信息给边缘节点服务器。In another exemplary embodiment of the present disclosure, the edge node server requests or accepts push from the management platform about the application configuration information of the target application. The management platform queries the application configuration information of the target application according to the query request sent by the edge node server and includes the identification of the target application, obtains the identification information of the connector client associated with the target application from the application configuration information, and then according to The identification information obtains the configuration information corresponding to the connector client, and sends the configuration information corresponding to the connector client to the edge node server.
步骤109:边缘节点服务器基于第三负载均衡策略和获取的连接器客户端的配置信息,从该目标应用对应的每个连接器服务端中确定出目标连接器服务端。Step 109: The edge node server determines the target connector server from each connector server corresponding to the target application based on the third load balancing policy and the acquired configuration information of the connector client.
获取的连接器客户端的配置信息中包括与该连接器客户端对应的至少一个连接器服务端的地址信息。本公开实施例中,边缘节点服务器中预先配置了第三负载均衡策略,边缘节点服务器基于第三负载均衡策略从与该连接器客户端对应的至少一个连接器服务端中确定出目标连接器服务端。The acquired configuration information of the connector client includes address information of at least one connector server corresponding to the connector client. In the embodiment of the present disclosure, the edge node server is pre-configured with the third load balancing strategy, and the edge node server determines the target connector service from at least one connector server corresponding to the connector client based on the third load balancing strategy end.
在一示例中,第三负载均衡策略可以是基于连接器服务端IP的哈希、加权轮询、主备轮 询中至少之一。第三负载均衡策略还需从至少一个连接器服务端中选择满足预设健康条件的连接器服务端作为目标连接器服务端。预设健康条件可以包括与连接器服务端之间的网络状态(如网络延迟、网络连通性、建连时间)、连接器服务端的响应延迟(如首包时间)等至少之一。In an example, the third load balancing strategy may be at least one of hash based on connector server IP, weighted round robin, and active/standby round robin. The third load balancing strategy further needs to select a connector server satisfying a preset health condition from at least one connector server as a target connector server. The preset health condition may include at least one of the network status with the connector server (such as network delay, network connectivity, connection establishment time), the response delay of the connector server (such as the first packet time), and the like.
边缘节点服务器可以从连接器服务端获得其网络状态、连接器服务端的响应延迟等。具体地,上述连接器客户端对应的配置信息中包括的连接器服务端的地址信息可以包括连接器服务端域名和/或IP地址,若该地址信息为域名,则边缘节点服务器可以将该连接器服务端的域名解析请求发送至域名服务器中进行解析,以使域名服务器反馈对应的连接器服务端的IP地址。The edge node server can obtain its network status, response delay of the connector server, etc. from the connector server. Specifically, the address information of the connector server included in the configuration information corresponding to the above-mentioned connector client may include the domain name and/or IP address of the connector server. If the address information is a domain name, the edge node server may use the connector The domain name resolution request of the server is sent to the domain name server for resolution, so that the domain name server returns the IP address of the corresponding connector server.
需要说明的,连接器服务端的地址信息可以是一个也可以是多个,例如具有多个连接器服务端的IP地址,或者域名服务器反馈的域名对应的IP地址为一个或者多个,等等。多个地址信息所对应的连接器服务端,有的可以作为主用的连接器服务端,其他的则可以作为备用的连接器服务端。It should be noted that the address information of the connector server can be one or more, for example, there are multiple IP addresses of the connector server, or one or more IP addresses corresponding to the domain name fed back by the domain name server, and so on. Some of the connector servers corresponding to multiple address information can be used as the main connector server, and others can be used as the backup connector servers.
边缘节点服务器获得与该目标应用对应的每个连接器服务端的IP地址后,根据获得的IP地址,分别建立与每个连接器服务端之间的通信连接,基于该通信连接获得每个连接器服务端的网络状态、连接器服务端的响应延迟等。然后根据获取的网络状态、连接器服务端的响应延迟等信息从至少一个连接器服务端中选择满足预设健康条件的连接器服务端作为目标连接器服务端。After the edge node server obtains the IP address of each connector server corresponding to the target application, it establishes a communication connection with each connector server according to the obtained IP address, and obtains the IP address of each connector based on the communication connection. The network status of the server, the response delay of the connector server, etc. Then, according to the obtained information such as the network status and the response delay of the connector server, a connector server satisfying a preset health condition is selected from at least one connector server as the target connector server.
在另一示例中,预设健康条件还可以包括负载量小于预设阈值,网络状态、系统状态和磁盘状态无异常,预设健康条件中可以列举出网络状态、系统状态和磁盘状态的一些异常情况,如网络中断、系统资源占用率超过预设比例、磁盘剩余存储空间小于预设值等。In another example, the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
在确定目标连接器服务端之前,边缘节点服务器首先需要获取与该目标应用对应的每个连接器服务端的系统状态信息,该系统状态信息包括连接器服务端的负载量、CPU使用百分比、内存使用百分比、磁盘IO、网络IO中的至少之一。Before determining the target connector server, the edge node server first needs to obtain the system status information of each connector server corresponding to the target application, the system status information includes the load of the connector server, CPU usage percentage, memory usage percentage , disk IO, and network IO at least one.
在本公开的一些实施例中,边缘节点服务器可以直接从连接器服务端处获得其系统状态信息。具体地,边缘节点服务器获得与该目标应用对应的每个连接器服务端的IP地址后,根据获得的IP地址,分别建立与每个连接器服务端之间的通信连接。然后分别从每个连接器服务端获得各连接器服务端的系统状态信息。In some embodiments of the present disclosure, the edge node server can directly obtain its system status information from the connector server. Specifically, after obtaining the IP address of each connector server corresponding to the target application, the edge node server establishes a communication connection with each connector server according to the obtained IP address. Then obtain the system state information of each connector server from each connector server respectively.
在本公开的另一些实施例中,边缘节点服务器可以从管理平台处获得与目标应用对应的每个连接器服务端的系统状态信息。In some other embodiments of the present disclosure, the edge node server may obtain the system state information of each connector server corresponding to the target application from the management platform.
具体地,在本公开实施例的网络架构中,每个连接器服务端都可以周期性地向管理平台上报自身的系统状态信息。管理平台接收并存储每个连接器服务端的系统状态信息。管理平台还可以显示每个连接器服务端的系统状态信息。或者管理平台可以根据每个连接器服务端的系统状态信息分别对每个连接器服务端进行故障分析、状态分析等,然后显示每个连接器服务端的系统状态信息及分析结果。Specifically, in the network architecture of the embodiment of the present disclosure, each connector server can periodically report its own system status information to the management platform. The management platform receives and stores the system status information of each connector server. The management platform can also display system status information for each connector server. Or the management platform can perform fault analysis and status analysis on each connector server according to the system status information of each connector server, and then display the system status information and analysis results of each connector server.
由此,当边缘节点服务器接收到目标终端发送的针对目标应用的访问请求时,从管理平台获取与该目标应用对应的每个连接器服务端当前的系统状态信息。Thus, when the edge node server receives the access request for the target application sent by the target terminal, it obtains the current system status information of each connector server corresponding to the target application from the management platform.
边缘节点服务器通过上述任一方式获得与该目标应用对应的每个连接器服务端的系统状态信息之后,基于第三负载均衡策略,从每个连接器服务端中确定出满足预设健康条件的连接器服务端作为当前该访问请求对应的目标连接器服务端。After the edge node server obtains the system status information of each connector server corresponding to the target application through any of the above methods, based on the third load balancing strategy, determine the connections that meet the preset health conditions from each connector server server server as the target connector server corresponding to the current access request.
若边缘节点服务器确定出多个满足预设健康条件的连接器服务端,则可从中随机选取或者依次选取以确定一个目标连接器服务端。如图5所示,假设边缘节点服务器确定出与目标应用对应的连接器服务端1和2,然后边缘节点服务器通过上述方式对连接器服务端1和2进行负载均衡和健康检查,从而在连接器服务端1和2中选择出一个满足预设健康条件的连 接器服务端作为目标连接器服务端。If the edge node server determines a plurality of connector servers satisfying the preset health conditions, it may select randomly or sequentially from them to determine a target connector server. As shown in Figure 5, assume that the edge node server determines the connector servers 1 and 2 corresponding to the target application, and then the edge node server performs load balancing and health checks on the connector servers 1 and 2 in the above-mentioned way, so that the connection Select a connector server that satisfies the preset health conditions from server servers 1 and 2 as the target connector server.
在另一示例中,边缘节点服务器也可以确定至少两个目标连接器服务端,并向其中之一发送该访问请求,若此连接器服务器出现故障不可用,则通过另一个连接器服务端发送此访问请求,保证访问的稳定性。In another example, the edge node server can also determine at least two target connector servers, and send the access request to one of them. If the connector server fails and is unavailable, the access request is sent through another connector server This access request ensures the stability of access.
步骤110:边缘节点服务器根据目标连接器服务端的地址信息,转发该访问请求至目标连接器服务端。Step 110: The edge node server forwards the access request to the target connector server according to the address information of the target connector server.
在本公开一示例性实施例中,若目标连接器服务端的地址信息包括目标连接器服务端的IP地址,则边缘节点服务器根据该IP地址,直接将该访问请求转发给目标连接器服务端。若该地址信息中仅包括目标连接器服务端的域名,则边缘节点服务器发送该目标连接器服务端的域名解析请求给域名服务器。域名服务器对边缘节点服务器发送的域名进行域名解析,得到对应的每个目标连接器服务端的IP地址,将得到的每个IP地址组成IP列表,返回该IP列表给边缘节点服务器,该IP列表中包括一个或多个目标连接器服务端的IP地址。In an exemplary embodiment of the present disclosure, if the address information of the target connector server includes the IP address of the target connector server, the edge node server directly forwards the access request to the target connector server according to the IP address. If the address information only includes the domain name of the target connector server, the edge node server sends the domain name resolution request of the target connector server to the domain name server. The domain name server performs domain name analysis on the domain name sent by the edge node server, obtains the IP address of each target connector server, forms an IP list for each IP address obtained, and returns the IP list to the edge node server. Contains the IP addresses of one or more target connector servers.
边缘节点服务器接收域名服务器返回的IP列表,从该IP列表中选择一个IP地址。具体地,若该IP列表中仅包括一个IP地址,则直接选择该IP地址。若该IP列表中包括多个IP地址,则从这多个IP地址中选择一个主用的目标连接器服务端的IP地址。边缘节点服务器根据选择的IP地址,建立与选择的IP地址对应的目标连接器服务端之间的通信连接,然后发送该访问请求给该目标连接器服务端。The edge node server receives the IP list returned by the domain name server, and selects an IP address from the IP list. Specifically, if the IP list includes only one IP address, the IP address is directly selected. If the IP list includes multiple IP addresses, an IP address of the active target connector server is selected from the multiple IP addresses. The edge node server establishes a communication connection between the target connector server corresponding to the selected IP address according to the selected IP address, and then sends the access request to the target connector server.
在本公开的另一些实施例中,在发送该访问请求给目标连接器服务端之前,边缘节点服务器还可以与目标连接器服务端进行双向认证,进一步确保目标应用访问的安全性。例如,边缘节点服务器发送自身的第一证书给目标连接器服务端。该目标连接器服务端接收边缘节点服务器的第一证书,并对第一证书进行验证,验证第一证书是否由自己信赖的CA中心所签发,若是则验证通过,若不是,则可以向边缘节点服务器返回一个警告信息,警告边缘节点服务器这个第一证书不是可以信赖的。验证通过后,目标连接器服务端可以比较证书里的信息,例如域名和公钥,若该域名或公钥符合预先设定的信息传输规则,则认可该边缘节点服务器的合法身份。In some other embodiments of the present disclosure, before sending the access request to the target connector server, the edge node server may also perform two-way authentication with the target connector server to further ensure the security of the target application access. For example, the edge node server sends its own first certificate to the target connector server. The target connector server receives the first certificate of the edge node server, and verifies the first certificate, and verifies whether the first certificate is issued by a trusted CA center. The server returns a warning message, warning the edge node server that the first certificate is not trustworthy. After the verification is passed, the target connector server can compare the information in the certificate, such as the domain name and public key. If the domain name or public key conforms to the preset information transmission rules, the legal identity of the edge node server is recognized.
边缘节点服务器也可以要求目标连接器服务端发送其自身的第二证书,收到该第二证书之后,边缘节点服务器可以对该第二证书进行验证,若没有通过验证,则拒绝连接,若通过验证,则二者之间可以进行信息传输。The edge node server can also ask the target connector server to send its own second certificate. After receiving the second certificate, the edge node server can verify the second certificate. If it fails to pass the verification, it will refuse the connection. If verified, information can be transmitted between the two.
在本公开实施例中,边缘节点服务器与目标连接器服务端之间通过上述方式进行双向认证,第一证书和第二证书中只要有一个认证不通过,边缘节点服务器就不会将访问请求发送给目标连接器服务端,大大提高了内网访问的安全性。进一步地,边缘节点服务器还可以先对访问请求进行加密,将加密后的数据发送给目标连接器服务端,以提高数据传输的安全性。In the embodiment of the present disclosure, the two-way authentication is carried out between the edge node server and the target connector server through the above method. As long as one of the first certificate and the second certificate fails to pass the authentication, the edge node server will not send the access request to For the target connector server, the security of intranet access is greatly improved. Furthermore, the edge node server may first encrypt the access request, and send the encrypted data to the target connector server, so as to improve the security of data transmission.
步骤111:连接器服务端接收由边缘节点服务器转发的针对目标应用的访问请求,基于第二负载均衡策略,从至少一个连接器客户端中确定与目标应用对应的目标连接器客户端。Step 111: The connector server receives the access request for the target application forwarded by the edge node server, and determines the target connector client corresponding to the target application from at least one connector client based on the second load balancing strategy.
在本公开一示例性实施例中,连接器服务端是一个中转媒介,可以实现边缘节点服务器与目标应用的打通,进一步地,当目标应用位于内网,可以实现边缘节点服务器与内网应用的打通。连接器服务端启动后,等待边缘节点服务器和连接器客户端的连接并转发来自边缘节点服务器的访问请求。In an exemplary embodiment of the present disclosure, the connector server is a transit medium, which can realize the connection between the edge node server and the target application. Further, when the target application is located in the intranet, it can realize the connection between the edge node server and the intranet application get through. After the connector server starts, it waits for the connection between the edge node server and the connector client and forwards the access request from the edge node server.
连接器服务端接收到边缘节点服务器转发的目标终端对目标应用的访问请求后,从建立会话连接的至少一个连接器客户端中确定出与目标应用关联的每个连接器客户端。After receiving the access request from the target terminal to the target application forwarded by the edge node server, the connector server determines each connector client associated with the target application from at least one connector client establishing a session connection.
首先连接器服务端确定与该目标应用相关联的所有连接器客户端。具体地,将该访问请求中包括的目标应用的标识发送给管理平台。管理平台根据该目标应用的标识,获取该目标应用的应用配置信息,从该应用配置信息中查询与该目标应用相关联的连接器客户端的标识信息。管理平台将与该目标应用相关联的连接器客户端的标识信息发送给连接器服务端。连 接器服务端接收与该目标应用相关联的连接器客户端的标识信息。First the connector server determines all connector clients associated with the target application. Specifically, the identifier of the target application included in the access request is sent to the management platform. The management platform obtains the application configuration information of the target application according to the identification of the target application, and queries the identification information of the connector client associated with the target application from the application configuration information. The management platform sends the identification information of the connector client associated with the target application to the connector server. The connector server receives identification information of a connector client associated with the target application.
在本公开的另一些实施例中,也可以由边缘节点服务器从管理平台获取目标应用的应用配置信息,并由边缘节点服务器将访问请求及应用配置信息一并转发给连接器服务端。如此连接器服务端可以在本地从应用配置信息中获取与该目标应用相关联的连接器客户端的标识信息。In other embodiments of the present disclosure, the edge node server may also obtain the application configuration information of the target application from the management platform, and the edge node server forwards the access request and the application configuration information to the connector server. In this way, the connector server can locally obtain the identification information of the connector client associated with the target application from the application configuration information.
连接器服务端通过上述任一方式获得与该目标应用相关联的连接器客户端的标识信息后,根据本地存储的连接器客户端的标识信息与会话的映射关系,从与该连接器服务端建立会话连接的至少一个连接器客户端中确定出与目标应用相关联的每个连接器客户端。After the connector server obtains the identification information of the connector client associated with the target application through any of the above methods, it establishes a session with the connector server according to the mapping relationship between the identification information of the connector client and the session stored locally. Each of the connected at least one connector client is determined to be associated with the target application.
本公开实施例中,连接器服务端中预先配置了第二负载均衡策略,连接器服务端通过上述任一方式获得与该目标应用相关联的连接器客户端的标识信息后,基于第二负载均衡策略以及建立了会话连接且与目标应用关联的连接器客户端的标识信息,确定出目标连接器客户端。In the embodiment of the present disclosure, the second load balancing strategy is pre-configured in the connector server. After the connector server obtains the identification information of the connector client The policy and the identification information of the connector client that has established the session connection and is associated with the target application determine the target connector client.
在一示例中,第二负载均衡策略可以是基于连接器客户端IP的哈希、加权轮询、主备轮询中至少之一。第二负载均衡策略还需从至少一个连接器客户端中选择满足预设健康条件的连接器客户端作为目标连接器客户端。预设健康条件可以包括与连接器客户端之间的网络状态(如网络延迟、网络连通性、建连时间)、连接器客户端的响应延迟(如首包时间)等至少之一。In an example, the second load balancing strategy may be at least one of hash based on connector client IP, weighted round robin, and active/standby round robin. The second load balancing strategy also needs to select a connector client satisfying a preset health condition from at least one connector client as a target connector client. The preset health condition may include at least one of the network status with the connector client (such as network delay, network connectivity, connection establishment time), the response delay of the connector client (such as the first packet time), and the like.
连接器服务端获得建立了会话连接且与该目标应用相关联的连接器客户端的标识信息后,分别通过与每个连接器客户端之间的会话连接获取各连接器客户端的网络状态、响应延迟等信息。然后根据获取的网络状态、响应延迟等信息从至少一个连接器客户端中选择满足预设健康条件的连接器客户端作为目标连接器客户端。After the connector server obtains the identification information of the connector client that has established a session connection and is associated with the target application, it obtains the network status and response delay of each connector client through the session connection with each connector client and other information. Then select a connector client satisfying a preset health condition as a target connector client from at least one connector client according to the obtained network status, response delay and other information.
在另一示例中,预设健康条件还可以包括负载量小于预设阈值,网络状态、系统状态和磁盘状态无异常,预设健康条件中可以列举出网络状态、系统状态和磁盘状态的一些异常情况,如网络中断、系统资源占用率超过预设比例、磁盘剩余存储空间小于预设值等。In another example, the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
在确定目标连接器客户端之前,连接器服务端首先需要获取与该目标应用相关联的每个连接器客户端的状态信息,该状态信息包括连接器客户端的心跳信息、负载量、CPU使用百分比、内存使用百分比、磁盘IO、网络IO中的至少之一。Before determining the target connector client, the connector server first needs to obtain the status information of each connector client associated with the target application, the status information includes the heartbeat information, load, CPU usage percentage, At least one of memory usage percentage, disk IO, and network IO.
在本公开的一些实施例中,连接器服务端可以直接从连接器客户端处获得其状态信息。连接器服务端获得建立了会话连接且与该目标应用相关联的连接器客户端的标识信息后,分别通过与每个连接器客户端之间的会话连接获取各连接器客户端的状态信息。In some embodiments of the present disclosure, the connector server can directly obtain its status information from the connector client. After the connector server obtains the identification information of the connector clients that have established the session connection and are associated with the target application, they obtain the status information of each connector client through the session connection with each connector client.
在本公开的另一些实施例中,每个连接器客户端都可以周期性地经由与自身建立会话连接的至少一个连接器服务端向管理平台上报自身的状态信息。管理平台接收并显示每个连接器客户端的状态信息,以方便直观了解连接器客户端的各类运行状态。或者,管理平台可以根据每个连接器客户端的状态信息分别对每个连接器客户端进行故障分析、状态分析等,如基于连接器客户端的状态信息包括的心跳信息可以分析连接器客户端是否正常运行。通过分析获得分析结果后,再显示每个连接器客户端的状态信息及对应的分析结果。如图6所示,连接器客户端经由与其建立会话连接的连接器服务端向管理平台上报状态信息,管理平台基于连接器客户端上报的信息进行数据分析,可以以数据报表的形式显示连接器客户端的状态信息、分析结果等,还可以在确定连接器客户端出现异常时进行监控告警。In some other embodiments of the present disclosure, each connector client may periodically report its own status information to the management platform via at least one connector server that establishes a session connection with itself. The management platform receives and displays the status information of each connector client, so as to facilitate intuitive understanding of various operating statuses of the connector client. Alternatively, the management platform can perform fault analysis and status analysis on each connector client based on the status information of each connector client. For example, based on the heartbeat information included in the status information of the connector client, it can be analyzed whether the connector client is normal. run. After the analysis results are obtained through analysis, the status information of each connector client and the corresponding analysis results are displayed. As shown in Figure 6, the connector client reports status information to the management platform via the connector server that establishes a session connection with it. The management platform performs data analysis based on the information reported by the connector client, and can display the connector in the form of a data report. The client's status information, analysis results, etc. can also be monitored and alarmed when it is determined that the connector client is abnormal.
在上报连接器客户端的状态信息的过程中,连接器服务端可以存储每个连接器客户端的标识信息与状态信息的对应关系。连接器服务端获得与该目标应用相关联的连接器客户端的标识信息后,可以直接从本地存储的该对应关系中获取与该目标应用相关联的连接器客户端的状态信息。In the process of reporting the status information of the connector client, the connector server may store the correspondence between the identification information of each connector client and the status information. After the connector server obtains the identification information of the connector client associated with the target application, it may directly obtain the state information of the connector client associated with the target application from the locally stored correspondence.
或者,连接器服务端也可以不存储连接器客户端的标识信息与状态信息的对应关系。而 是在获得与该目标应用相关联的连接器客户端的标识信息后,根据与该目标应用相关联的连接器客户端的标识信息,从管理平台获取与该目标应用相关联的连接器客户端的状态信息。Alternatively, the connector server may not store the correspondence between the identification information of the connector client and the status information. Instead, after obtaining the identification information of the connector client associated with the target application, the state of the connector client associated with the target application is obtained from the management platform according to the identification information of the connector client associated with the target application information.
连接器服务端通过上述任一方式获得建立了会话连接且与该目标应用对应的每个连接器客户端的状态信息之后,基于第二负载均衡策略,从每个连接器客户端中确定出满足预设健康条件的连接器客户端作为当前该访问请求对应的目标连接器客户端。After the connector server obtains the status information of each connector client that has established a session connection and corresponds to the target application through any of the above methods, based on the second load balancing strategy, determine from each connector client that meets the predetermined requirements. Set the connector client with the health condition as the target connector client corresponding to the current access request.
应该理解的,连接器服务端确定出的目标连接器客户端的数量可以为一个或多个。It should be understood that the number of target connector clients determined by the connector server may be one or more.
若目标连接器客户端的数量为多个即两个或者两个以上的任意数量,则其中一个目标连接器客户端可以作为主目标连接器客户端,除主目标连接器客户端之外的为副目标连接器客户端,从而在主目标连接器客户端失效或者故障时,可以通过副目标连接器客户端进行访问目标应用。If the number of target connector clients is multiple, that is, any number of two or more than two, one of the target connector clients can be used as the main target connector client, and the other ones are secondary The target connector client, so that when the primary target connector client fails or fails, the target application can be accessed through the secondary target connector client.
应该理解的,主目标连接器客户端和副目标连接器客户端二者相关联的目标应用应是相同的,或者主目标连接器客户端所关联的目标应用被包含于副目标连接器客户端所关联的目标应用中,又或者主目标连接器客户端与副目标连接器客户端之间具有部分相同的相关联的目标应用,等等。It should be understood that the target application associated with the primary target connector client and the secondary target connector client should be the same, or the target application associated with the primary target connector client is included in the secondary target connector client Among the associated target applications, or between the primary target connector client and the secondary target connector client, there are partly the same associated target applications, and so on.
如图5所示,源服务器中部署有连接器客户端1和2,且连接器客户端1和2均与相同的源服务器相关联。连接器客户端1分别建立了与连接器服务端1和2之间的会话连接,且该会话连接是基于隧道协议建立的。连接器客户端1与连接器服务端1之间的会话连接为主隧道1,连接器客户端1与连接器服务端2之间的会话连接为备隧道1。相似地,连接器客户端2与连接器服务端1之间的会话连接为主隧道2,连接器客户端2与连接器服务端2之间的会话连接为备隧道2。假设边缘节点服务器通过负载均衡与健康检查选取了连接器服务端1作为目标连接器服务端,并将针对目标应用的访问请求发送给了连接器服务端1。则连接器服务端1按照上述方式对连接器客户端1和2进行负载均衡和健康检查,从而在连接器客户端1和2中选择出一个满足预设健康条件的连接器客户端作为目标连接器客户端。假设连接器服务端1选择了连接器客户端2作为目标连接器客户端,则连接器服务端1通过备隧道2将访问请求发送给连接器客户端2。然后连接器客户端2再将访问请求发送给源服务器中对应的目标应用。As shown in FIG. 5 , connector clients 1 and 2 are deployed in the source server, and both connector clients 1 and 2 are associated with the same source server. The connector client 1 establishes session connections with the connector servers 1 and 2 respectively, and the session connections are established based on the tunneling protocol. The session connection between connector client 1 and connector server 1 is the primary tunnel 1, and the session connection between connector client 1 and connector server 2 is the backup tunnel 1. Similarly, the session connection between the connector client 2 and the connector server 1 is the primary tunnel 2, and the session connection between the connector client 2 and the connector server 2 is the backup tunnel 2. Assume that the edge node server selects connector server 1 as the target connector server through load balancing and health checks, and sends an access request for the target application to connector server 1. Then the connector server 1 performs load balancing and health checks on the connector clients 1 and 2 according to the above method, so as to select a connector client that meets the preset health conditions as the target connection among the connector clients 1 and 2 server client. Assuming that the connector server 1 selects the connector client 2 as the target connector client, the connector server 1 sends the access request to the connector client 2 through the standby tunnel 2 . Then the connector client 2 sends the access request to the corresponding target application in the source server.
步骤112:连接器服务端根据与目标连接器客户端对应的会话连接,转发访问请求至目标连接器客户端。Step 112: The connector server forwards the access request to the target connector client according to the session connection corresponding to the target connector client.
在本公开一示例性实施例中,连接器服务端根据确定出的目标连接器客户端的标识信息,从本地存储的连接器客户端的标识信息与会话之间的映射关系中,获取目标连接器客户端对应的会话连接。通过目标连接器客户端对应的会话连接,将该访问请求转发给目标连接器客户端。In an exemplary embodiment of the present disclosure, the connector server obtains the target connector client from the locally stored mapping relationship between the identifier information of the connector client and the session according to the determined identification information of the target connector client. The session connection corresponding to the end. The access request is forwarded to the target connector client through the session connection corresponding to the target connector client.
在本公开的另一些实施例中,连接器服务端还可以通过轮询的方式来将访问请求转发给目标连接器客户端。具体地,连接器服务端中配置了预设轮询规则,预设轮询规则中规定了该目标应用关联的每个目标连接器客户端的轮询顺序,根据该轮询顺序从与该目标应用关联的每个目标连接器客户端中选择一个目标连接器客户端。根据选择的目标连接器客户端的标识信息,从标识信息与会话的映射关系中获取选择的目标连接器客户端对应的会话连接,通过获取的会话连接将该访问请求转发给该目标连接器客户端。In some other embodiments of the present disclosure, the connector server may also forward the access request to the target connector client in a polling manner. Specifically, a preset polling rule is configured in the connector server, and the preset polling rule specifies the polling sequence of each target connector client associated with the target application. Select one target connector client per target connector client associated. According to the identification information of the selected target connector client, obtain the session connection corresponding to the selected target connector client from the mapping relationship between the identification information and the session, and forward the access request to the target connector client through the obtained session connection .
为了便于理解将目标终端的访问请求发送至目标连接器客户端的流程,下面结合附图进行说明。如图7所示,目标终端发送访问请求给边缘节点服务器,该访问请求包括待访问的目标应用的域名“oa.companyA.com”。边缘节点服务器根据该域名,从管理平台获取域名“oa.companyA.com”对应的应用配置信息,该应用配置信息中绑定的连接器客户端的标识为“12345”,也从管理平台获取连接器客户端12345的配置信息。边缘节点服务器获得该应用配置信息和连接器客户端对应的配置信息后,发送连接器客户端对应的配置信息包括的连接 器服务端的域名“companyA.connector.com”的解析请求给域名服务器,接收域名服务器返回的解析出的连接器服务端的IP地址“1.1.1.1”,边缘节点服务器根据该IP地址“1.1.1.1”建立与该连接器服务端之间的通信连接,将访问请求及应用配置信息发送给该连接器服务端。IP地址为“1.1.1.1”的连接器服务端根据应用配置信息中包括的连接器客户端的标识“12345”,从预存的映射关系中获得该连接器客户端对应的会话连接,通过该会话连接将该访问请求发送给企业A的网络中的连接器客户端12345。In order to facilitate the understanding of the process of sending the access request of the target terminal to the target connector client, it will be described below with reference to the accompanying drawings. As shown in FIG. 7 , the target terminal sends an access request to the edge node server, and the access request includes the domain name "oa.companyA.com" of the target application to be accessed. According to the domain name, the edge node server obtains the application configuration information corresponding to the domain name "oa.companyA.com" from the management platform. The identifier of the connector client bound in the application configuration information is "12345", and also obtains the connector from the management platform. Configuration information of client 12345. After the edge node server obtains the application configuration information and the configuration information corresponding to the connector client, it sends a resolution request for the domain name "companyA.connector.com" of the connector server included in the configuration information corresponding to the connector client to the domain name server, and receives The resolved IP address "1.1.1.1" of the connector server returned by the domain name server, the edge node server establishes a communication connection with the connector server based on the IP address "1.1.1.1", and sends the access request and application configuration The information is sent to the connector server. The connector server with the IP address "1.1.1.1" obtains the session connection corresponding to the connector client from the pre-stored mapping relationship according to the identifier "12345" of the connector client included in the application configuration information, and connects through the session The access request is sent to the connector client 12345 in Enterprise A's network.
步骤113:连接器客户端基于与连接器服务端之间的会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从目标应用对应的多个源服务器中确定目标源服务器,将访问请求发送至目标源服务器中的目标应用。Step 113: Based on the session connection between the connector client and the connector server, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy, multiple Determine the target source server in the source server, and send the access request to the target application in the target source server.
在本公开实施例中,连接器客户端中可以配置有与其关联的每个目标应用的域名与回源地址的映射关系。或者管理平台可以将每个目标应用的回源地址或应用配置信息下发给连接器客户端。或者,由连接器服务端从管理平台或者边缘节点服务器处获得该目标应用对应的应用配置信息,该应用配置信息中包括目标应用对应的回源地址,连接器服务端在将该访问请求转发给连接器客户端时还可以将该应用配置信息发送给连接器客户端。连接器客户端若接收到连接器服务端通过二者之间的会话连接发送的针对目标应用的访问请求,则连接器客户端根据该访问请求包括的目标应用的域名,在本地查询目标应用的回源地址。查询到的每个回源地址即为目标应用对应的每个源服务器的地址。In the embodiment of the present disclosure, the connector client may be configured with a mapping relationship between the domain name of each target application associated with it and the return-to-origin address. Alternatively, the management platform may send the back-to-source address or application configuration information of each target application to the connector client. Alternatively, the connector server obtains the application configuration information corresponding to the target application from the management platform or the edge node server, the application configuration information includes the return-to-source address corresponding to the target application, and the connector server forwards the access request to The application configuration information may also be sent to the connector client when connecting the connector client. If the connector client receives an access request for the target application sent by the connector server through the session connection between the two, the connector client will locally query the target application's domain name according to the domain name of the target application included in the access request. Back to source address. Each source-back address found in the query is the address of each source server corresponding to the target application.
本公开实施例中,连接器客户端中预先配置了第一负载均衡策略,连接器客户端获得目标应用对应的每个源服务器的回源地址后,基于第一负载均衡策略从获得的每个源服务器的回源地址中确定出目标源服务器的回源地址。In the embodiment of the present disclosure, the connector client is pre-configured with the first load balancing policy. After the connector client obtains the return-to-origin address of each source server corresponding to the target The origin-return address of the target source server is determined from the origin-return address of the source server.
在一示例中,第一负载均衡策略可以是基于源服务器IP的哈希、加权轮询、主备轮询中至少之一。第一负载均衡策略还需从至少一个源服务器中选择满足预设健康条件的源服务器作为目标源服务器。预设健康条件可以包括与源服务器之间的网络状态(如网络延迟、网络连通性、建连时间)、源服务器的响应延迟(如首包时间)等至少之一。In an example, the first load balancing strategy may be at least one of source server IP-based hashing, weighted round robin, and active/standby round robin. The first load balancing strategy also needs to select a source server satisfying a preset health condition from at least one source server as a target source server. The preset health condition may include at least one of network status with the source server (such as network delay, network connectivity, connection establishment time), response delay of the source server (such as first packet time), and the like.
连接器客户端分别根据每个源服务器的回源地址,分别建立与每个源服务器之间的通信连接,基于建立的通信连接获取每个源服务器的网络状态、响应延迟等信息。之后基于第一负载均衡策略和每个源服务器的网络状态、响应延迟等信息,从每个源服务器中确定出满足预设健康条件的源服务器作为目标源服务器。然后连接器客户端根据目标源服务器的回源地址,将访问请求发送至目标源服务器中的目标应用。The connector client establishes a communication connection with each source server according to the back-to-source address of each source server, and obtains information such as the network status and response delay of each source server based on the established communication connection. Afterwards, based on the first load balancing policy and information such as the network status and response delay of each source server, a source server satisfying a preset health condition is determined from each source server as a target source server. Then the connector client sends the access request to the target application in the target source server according to the back-source address of the target source server.
在另一示例中,预设健康条件还可以包括负载量小于预设阈值,网络状态、系统状态和磁盘状态无异常,预设健康条件中可以列举出网络状态、系统状态和磁盘状态的一些异常情况,如网络中断、系统资源占用率超过预设比例、磁盘剩余存储空间小于预设值等。In another example, the preset health conditions may also include that the load is less than a preset threshold, and the network status, system status, and disk status are normal, and the preset health conditions may list some abnormalities in the network status, system status, and disk status Circumstances, such as network interruption, system resource usage exceeding the preset ratio, remaining disk storage space less than the preset value, etc.
在确定目标源服务器之前,连接器客户端首先需要获取每个源服务器的系统状态信息,该系统状态信息包括源服务器的负载量、CPU使用百分比、内存使用百分比、磁盘IO、网络IO中的至少之一。Before determining the target source server, the connector client first needs to obtain the system status information of each source server, the system status information includes the source server load, CPU usage percentage, memory usage percentage, disk IO, network IO one.
连接器客户端分别根据每个源服务器的回源地址,分别从每个源服务器获取每个源服务器的系统状态信息。之后基于第一负载均衡策略和每个源服务器的系统状态信息,从每个源服务器中确定出满足预设健康条件的源服务器作为目标源服务器。然后连接器客户端根据目标源服务器的回源地址,将访问请求发送至目标源服务器中的目标应用。The connector client obtains the system status information of each source server from each source server respectively according to the return-to-source address of each source server. Then, based on the first load balancing policy and the system state information of each source server, determine the source server satisfying the preset health condition from each source server as the target source server. Then the connector client sends the access request to the target application in the target source server according to the back-source address of the target source server.
如图8所示,连接器客户端分别与源服务器1、2和3相关联,假设源服务器1、2和3均包括当前的访问请求对应的目标应用,则连接器客户端依据第一负载均衡策略,从源服务器1、2和3中选择一个源服务器作为目标源服务器,假设选取的目标源服务器为源服务器2,则将访问请求发送给源服务器2。As shown in Figure 8, the connector client is associated with the source server 1, 2 and 3 respectively, assuming that the source server 1, 2 and 3 all include the target application corresponding to the current access request, then the connector client according to the first load Balance strategy, select a source server from source servers 1, 2 and 3 as the target source server, assuming that the selected target source server is source server 2, then send the access request to source server 2.
步骤114:连接器客户端将接收到的请求响应信息向连接器服务端进行发送,该请求响 应信息由目标源服务器中的目标应用根据访问请求进行反馈。Step 114: The connector client sends the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
在本公开一示例性实施例中,目标应用根据访问请求进行反馈生成请求响应信息,发送该请求响应信息给该连接器客户端。该连接器客户端再通过自身与连接器服务端之间的会话连接将该请求响应信息发送给连接器服务端。连接器服务端将该请求响应信息发送给边缘节点服务器,边缘节点服务器再将该请求响应信息发送给该目标终端。In an exemplary embodiment of the present disclosure, the target application generates request response information according to the feedback of the access request, and sends the request response information to the connector client. The connector client sends the request response information to the connector server through the session connection between itself and the connector server. The connector server sends the request response information to the edge node server, and the edge node server sends the request response information to the target terminal.
在本公开实施例中,连接器客户端与连接器服务端之间的会话连接的传输协议可以为加密传输协议,连接器客户端与连接器服务端之间的数据都是加密传输,以确保传输过程中的数据安全性。In the embodiment of the present disclosure, the transmission protocol of the session connection between the connector client and the connector server may be an encrypted transmission protocol, and the data between the connector client and the connector server are all encrypted transmissions to ensure Data security during transmission.
在本公开实施例中,多个连接器客户端可以与相同的目标应用关联,对于该相同的目标应用来说,其关联的多个连接器客户端可以包括主用连接器客户端和备用连接器客户端,在主用连接器客户端故障时,可以通过备用连接器客户端对应的会话连接接收目标终端对目标应用的访问请求,或通过备用连接器客户端对应的会话连接发送目标应用对访问请求进行响应而产生的请求响应信息。一个源服务器中也可以包括多个连接器客户端,分成主连接器客户端和副连接器客户端,在主连接器客户端故障或者达到负载上限后,由副连接器客户端来进行数据传输。In the embodiment of the present disclosure, multiple connector clients may be associated with the same target application, and for the same target application, the associated multiple connector clients may include the active connector client and the standby connection When the active connector client fails, it can receive the target terminal’s access request to the target application through the session connection corresponding to the standby connector client, or send the target application’s access request to the target application through the session connection corresponding to the standby connector client. Request response information generated in response to an access request. A source server can also include multiple connector clients, which are divided into primary connector clients and secondary connector clients. After the primary connector client fails or the load limit is reached, the secondary connector client performs data transmission. .
另外,源服务器还可以每隔预设时间段(例如2min、0.5h或者1h等)发送自身的健康状态信息给管理平台,管理平台根据源服务器的健康状态信息及判断源服务器是否出现异常,若有异常则及时向管理人员发出告警信息。In addition, the source server can also send its own health status information to the management platform every preset time period (such as 2min, 0.5h or 1h, etc.), and the management platform can judge whether the source server is abnormal according to the health status information of the source server. If there is an abnormality, an alarm message will be sent to the management personnel in time.
远程用户发送访问请求给边缘节点服务器,该访问请求包括目标应用的标识。边缘节点服务器从管理平台获取待访问的目标应用的应用配置信息和与该目标应用关联的连接器客户端对应的配置信息。边缘节点服务器将连接器客户端对应的配置信息包括的连接器服务端的域名的域名解析请求发送给域名服务器,根据域名服务器返回的连接器服务端的IP地址,将访问请求和应用配置信息发送到连接器服务端中。The remote user sends an access request to the edge node server, and the access request includes the identification of the target application. The edge node server acquires the application configuration information of the target application to be accessed and the configuration information corresponding to the connector client associated with the target application from the management platform. The edge node server sends the domain name resolution request of the domain name of the connector server included in the configuration information corresponding to the connector client to the domain name server, and sends the access request and application configuration information to the link server according to the IP address of the connector server returned by the domain name server. in the server server.
如图7所示,域名“companyA.connector.com”对应于IP地址为“1.1.1.1”的连接器服务端。假设访问请求是对企业A的网络中的目标应用的访问,则边缘节点服务器可以将访问请求及应用配置信息发送到IP地址为“1.1.1.1”的连接器服务端。连接器服务端再通过与连接器客户端12345之间的会话连接将访问请求发送给企业A中的目标应用。As shown in Figure 7, the domain name "companyA.connector.com" corresponds to the connector server with the IP address "1.1.1.1". Assuming that the access request is an access to a target application in the network of enterprise A, the edge node server may send the access request and application configuration information to the connector server with the IP address "1.1.1.1". The connector server then sends the access request to the target application in enterprise A through the session connection with the connector client 12345 .
在本公开实施例中,通过连接器客户端的设置并建立连接器客户端与连接器服务端之间的会话连接,该会话连接为连接器客户端至连接器服务端之间的出站连接,用户访问目标应用时先访问边缘节点服务器,边缘节点服务器经由连接器服务端将请求转发至连接器客户端,连接器客户端再将请求转发至目标应用。实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。In the embodiment of the present disclosure, the session connection between the connector client and the connector server is established through setting the connector client, and the session connection is an outbound connection between the connector client and the connector server. When the user accesses the target application, he first visits the edge node server, and the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开的另一些实施例提供了一种隐藏源站的方法,该方法应用于连接器客户端。参见图9,该方法具体包括以下步骤:Some other embodiments of the present disclosure provide a method for hiding an origin site, and the method is applied to a connector client. Referring to Figure 9, the method specifically includes the following steps:
步骤201:连接器客户端获取与连接器客户端对应的至少一个连接器服务端的地址信息,地址信息为离连接器客户端最近的至少一个连接器服务端的地址信息。Step 201: The connector client acquires address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client.
连接器客户端部署在能与目标应用通信连接的任一网络中,部署连接器客户端的网络中部署有一个或多个连接器客户端。The connector client is deployed in any network that can communicate with the target application, and one or more connector clients are deployed in the network where the connector client is deployed.
在本公开一示例性实施例中,连接器客户端接收由管理平台发送的连接器客户端对应的配置信息。在一示例中,连接器客户端可以直接从管理平台中获取配置信息。在另一示例中,连接器客户端也可以通过中间媒介间接从管理平台获取配置信息,例如管理平台将该连接器客户端对应的配置信息下发至配置中心,连接器客户端再从配置中心获取该配置信息。连接器客户端获得配置信息后,从该配置信息中获取与连接器客户端对应的至少一个连接器服务 端的地址信息。该地址信息包括连接器服务端的IP地址和/或域名。In an exemplary embodiment of the present disclosure, the connector client receives configuration information corresponding to the connector client sent by the management platform. In one example, the connector client can obtain configuration information directly from the management platform. In another example, the connector client can also indirectly obtain configuration information from the management platform through an intermediary. For example, the management platform sends the configuration information corresponding to the Get that configuration information. After the connector client obtains the configuration information, it obtains address information of at least one connector server corresponding to the connector client from the configuration information. The address information includes the IP address and/or domain name of the connector server.
步骤202:连接器客户端根据至少一个连接器服务端的地址信息,建立与至少一个连接器服务端之间的会话连接,会话连接为由连接器客户端至至少一个连接器服务端的出站连接。Step 202: The connector client establishes a session connection with at least one connector server according to the address information of the at least one connector server, and the session connection is an outbound connection from the connector client to the at least one connector server.
在本公开一示例性实施例中,连接器服务端的地址信息为通过任播技术、智能解析技术、智能路由技术之一确定的域名和/或IP地址。若连接器服务端的地址信息中仅包括IP地址,则连接器客户端根据至少一个连接器服务端的IP地址,建立与这至少一个连接器服务端之间的会话连接。若连接器服务端的地址信息中仅包括连接器服务端的域名,则连接器客户端发送这至少一个连接器服务端的域名给域名服务器;接收域名服务器返回的每个域名对应的IP地址;根据每个IP地址,分别发送连接请求给一个或多个连接器服务端,连接请求包括连接器客户端的标识信息,以建立连接器客户端与一个或多个连接器服务端之间的会话连接。In an exemplary embodiment of the present disclosure, the address information of the connector server is a domain name and/or an IP address determined by anycast technology, intelligent resolution technology, and intelligent routing technology. If the address information of the connector server only includes an IP address, the connector client establishes a session connection with the at least one connector server according to the IP address of the at least one connector server. If the address information of the connector server only includes the domain name of the connector server, the connector client sends the at least one domain name of the connector server to the domain name server; receives the IP address corresponding to each domain name returned by the domain name server; according to each The IP addresses respectively send connection requests to one or more connector servers, and the connection requests include identification information of the connector clients, so as to establish session connections between the connector clients and one or more connector servers.
值得注意的是,该会话连接为连接器客户端到连接器服务端之间的出站连接,其是连接器客户端主动向外的通信连接,该连接器客户端禁止任何入向的连接请求,从而可以避免遭受他人的恶意攻击,保证目标应用的安全性。在一示例中,可以在连接器客户端对应的防火墙中配置禁止入向的连接请求,从而能够通过防火墙禁止除上述建立的会话连接以外的所有入向的请求。It is worth noting that the session connection is an outbound connection between the connector client and the connector server, which is an active outgoing communication connection of the connector client, and the connector client prohibits any incoming connection requests , so as to avoid malicious attacks from others and ensure the security of the target application. In an example, prohibiting incoming connection requests may be configured in the firewall corresponding to the connector client, so that all incoming requests except the session connection established above can be prohibited through the firewall.
在一示例中,该会话连接的传输协议为加密传输协议,即通过该会话连接进行传输的数据均通过加密后以密文的形式进行传输,以提高数据传输的安全性。In an example, the transmission protocol of the session connection is an encrypted transmission protocol, that is, the data transmitted through the session connection is encrypted and then transmitted in ciphertext, so as to improve the security of data transmission.
连接器客户端还可以根据至少一个连接器服务端的地址信息,发送认证信息给至少一个连接器服务端;在该认证信息被至少一个连接器服务端认证通过后,建立与至少一个连接器服务端之间的加密的会话连接。加密的会话连接的会话协议类型为加密协议,加密协议包括HTTPS、HTTP/2、HTTP/3、Websocket、TLS_TCP中的至少一种。The connector client can also send authentication information to at least one connector server according to the address information of at least one connector server; after the authentication information is authenticated by at least one connector server, establish an Encrypted session connections between . The session protocol type of the encrypted session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
在另一些实施例中,还可以基于隧道协议建立上述会话连接,隧道协议为VPN、GRE或者IPsec中的一种。In other embodiments, the session connection may also be established based on a tunnel protocol, where the tunnel protocol is one of VPN, GRE, or IPsec.
步骤203:连接器客户端基于建立的会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从目标应用对应的多个源服务器中确定目标源服务器,将访问请求发送至目标源服务器中的目标应用。Step 203: Based on the established session connection, if the connector client receives an access request for the target application forwarded by the connector server, it determines the target application from multiple source servers corresponding to the target application based on the first load balancing strategy. The source server sends the access request to the target application in the target source server.
步骤204:连接器客户端将接收到的请求响应信息向连接器服务端进行发送,该请求响应信息由目标源服务器中的目标应用根据访问请求进行反馈。Step 204: The connector client sends the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
在本公开实施例中,连接器客户端可以包括主连接器客户端和副连接器客户端,在主连接器客户端故障时使用副连接器客户端。源服务器中可以部署多个连接器客户端,多个连接器客户端中包括主用连接器客户端和备用连接器客户端,主用连接器客户端和备用连接器客户端与相同的目标应用关联;在主用连接器客户端故障时,通过备用连接器客户端对应的会话连接接收目标终端对目标应用的访问请求。In the embodiment of the present disclosure, the connector clients may include a primary connector client and a secondary connector client, and the secondary connector client is used when the primary connector client fails. Multiple connector clients can be deployed on the source server. The multiple connector clients include the active connector client and the backup connector client. The active connector client and the backup connector client are the same as the target application Association; when the active connector client fails, the access request of the target terminal to the target application is received through the session connection corresponding to the backup connector client.
连接器客户端还可以周期性地经由至少一个连接器服务端向管理平台上报连接器客户端的状态信息,状态信息至少包括心跳信息和系统状态信息中的至少之一。The connector client can also periodically report the status information of the connector client to the management platform via at least one connector server, and the status information includes at least one of heartbeat information and system status information.
在本公开实施例中,连接器客户端的具体操作细节均可参考上述任一实施例中连接器客户端的操作,在此不再赘述。In the embodiments of the present disclosure, for the specific operation details of the connector client, reference may be made to the operation of the connector client in any of the foregoing embodiments, which will not be repeated here.
在本公开实施例中,连接器客户端建立了与连接器服务端之间的出站的会话连接,针对目标应用的访问请求经由该会话连接发送至连接器客户端,连接器客户端再将请求转发至目标应用。实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。In the embodiment of the present disclosure, the connector client establishes an outbound session connection with the connector server, and the access request for the target application is sent to the connector client through the session connection, and the connector client sends the The request is forwarded to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开的一些实施例提供了一种隐藏源站的方法,该方法应用于连接器服务端,参见图10,该方法具体包括以下步骤:Some embodiments of the present disclosure provide a method for hiding the origin site, which is applied to the connector server, see FIG. 10 , and the method specifically includes the following steps:
步骤301:连接器服务端接收由至少一个连接器客户端发送的连接请求。Step 301: The connector server receives a connection request sent by at least one connector client.
在一示例中,连接请求的数量可以为多个,连接请求中包含对应的连接器客户端的标识信息。In an example, there may be multiple connection requests, and the connection requests include identification information of corresponding connector clients.
步骤302:连接器服务端根据连接请求,建立与至少一个连接器客户端之间的会话连接,该会话连接为由至少一个连接器客户端至连接器服务端的出站连接。Step 302: The connector server establishes a session connection with at least one connector client according to the connection request, and the session connection is an outbound connection from the at least one connector client to the connector server.
在一示例中,连接器服务端根据多个连接请求,分别建立与至少一个连接器客户端之间的会话连接,并将各连接器客户端的标识信息与对应的会话连接相关联。In an example, the connector server respectively establishes a session connection with at least one connector client according to multiple connection requests, and associates the identification information of each connector client with the corresponding session connection.
步骤303:连接器服务端接收由边缘节点服务器转发的针对目标应用的访问请求,基于第二负载均衡策略,从至少一个连接器客户端中确定与目标应用对应的目标连接器客户端。Step 303: The connector server receives the access request for the target application forwarded by the edge node server, and determines the target connector client corresponding to the target application from at least one connector client based on the second load balancing strategy.
步骤304:连接器服务端根据与目标连接器客户端对应的会话连接,转发访问请求至目标连接器客户端。Step 304: The connector server forwards the access request to the target connector client according to the session connection corresponding to the target connector client.
在一示例中,目标连接器客户端的数量可以为多个,连接器服务端根据与多个目标连接器客户端的标识信息相关联的会话连接,转发访问请求至每个目标连接器客户端。In an example, there may be multiple target connector clients, and the connector server forwards the access request to each target connector client according to the session connection associated with the identification information of the multiple target connector clients.
具体地,连接器服务端从应用配置信息中提取出与目标应用关联的每个连接器客户端的标识信息;根据每个连接器客户端的标识信息,从映射关系中分别获取每个连接器客户端对应的会话连接;通过每个连接器客户端对应的会话连接或者从管理平台分别获取每个连接器客户端的状态信息;根据每个连接器服务端的状态信息,基于第二负载均衡策略,从每个连接器客户端中选择一个满足预设健康条件的目标连接器客户端,通过选择的目标连接器客户端对应的会话连接将访问请求转发给目标连接器客户端。Specifically, the connector server extracts the identification information of each connector client associated with the target application from the application configuration information; according to the identification information of each connector client, each connector client is obtained from the mapping relationship Corresponding session connection; Obtain the status information of each connector client through the corresponding session connection of each connector client or from the management platform; according to the status information of each connector server, based on the second load balancing strategy, from each Select a target connector client that satisfies the preset health conditions from the connector clients, and forward the access request to the target connector client through the session connection corresponding to the selected target connector client.
在本公开的另一些实施例中,连接器服务端还可以轮询的机制来转发访问请求。具体地,从应用配置信息中提取出与目标应用关联的每个连接器客户端的标识信息;根据预设轮询规则,从每个连接器客户端中选择一个目标连接器客户端;根据选择的目标连接器客户端的标识信息,从映射关系中获取选择的目标连接器客户端对应的会话连接;通过获取的会话连接将访问请求转发给目标连接器客户端。In other embodiments of the present disclosure, the connector server may also use a polling mechanism to forward the access request. Specifically, extract the identification information of each connector client associated with the target application from the application configuration information; select a target connector client from each connector client according to a preset polling rule; The identification information of the target connector client obtains the session connection corresponding to the selected target connector client from the mapping relationship; forwards the access request to the target connector client through the obtained session connection.
连接器服务端的具体操作细节均可参考上述任一实施例中连接器服务端的操作,在此不再赘述。For the specific operation details of the connector server, reference may be made to the operation of the connector server in any of the above embodiments, which will not be repeated here.
在本公开实施例中,连接器服务端建立了与连接器客户端之间的出站的会话连接,连接器服务端将针对目标应用的访问请求经由该会话连接发送至连接器客户端,连接器客户端再将请求转发至目标应用。实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。In the embodiment of the present disclosure, the connector server establishes an outbound session connection with the connector client, and the connector server sends an access request for the target application to the connector client through the session connection, and the connection The server client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开的一些实施例提供了一种隐藏源站的方法,该方法应用于边缘节点服务器,参见图11,该方法具体包括以下步骤:Some embodiments of the present disclosure provide a method of hiding the origin site, which is applied to an edge node server, see FIG. 11 , and the method specifically includes the following steps:
步骤401:边缘节点服务器接收由目标终端发送的针对目标应用的访问请求,访问请求包含目标应用的标识,目标应用的标识包括域名、协议、IP地址和端口中的至少一种。Step 401: The edge node server receives an access request for a target application sent by a target terminal. The access request includes an identifier of the target application, and the identifier of the target application includes at least one of domain name, protocol, IP address and port.
步骤402:边缘节点服务器根据目标应用的标识,获取与目标应用绑定的连接器客户端的配置信息,该配置信息至少包括与连接器客户端对应的至少一个连接器服务端的地址信息。Step 402: The edge node server acquires configuration information of a connector client bound to the target application according to the target application identifier, the configuration information at least including address information of at least one connector server corresponding to the connector client.
步骤403:边缘节点服务器基于第三负载均衡策略和获取的连接器客户端的配置信息,从目标应用对应的每个连接器服务端中确定目标连接器服务端。Step 403: The edge node server determines the target connector server from each connector server corresponding to the target application based on the third load balancing policy and the acquired configuration information of the connector client.
步骤404:边缘节点服务器根据目标连接器服务端的地址信息,转发访问请求至目标连接器服务端。Step 404: The edge node server forwards the access request to the target connector server according to the address information of the target connector server.
边缘节点服务器的具体操作细节均可参考上述任一实施例中边缘节点服务器的操作,在此不再赘述。For the specific operation details of the edge node server, reference may be made to the operation of the edge node server in any of the foregoing embodiments, which will not be repeated here.
在本公开实施例中,边缘节点服务器将访问请求及应用配置信息转发给连接器服务端, 连接器服务端通过与连接器客户端之间的出站的会话连接将访问请求转发给连接器客户端,连接器客户端再将请求转发至目标应用。实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。In the embodiment of the present disclosure, the edge node server forwards the access request and application configuration information to the connector server, and the connector server forwards the access request to the connector client through an outbound session connection with the connector client end, the connector client forwards the request to the target application. It is only necessary to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开的一些实施例提供了一种隐藏源站的方法,该方法应用于管理平台,参见图12,该方法具体包括以下步骤:Some embodiments of the present disclosure provide a method of hiding the origin site, which is applied to the management platform, see Figure 12, the method specifically includes the following steps:
步骤501:管理平台生成连接器客户端对应的配置信息,该配置信息至少包括连接器客户端的标识信息和与连接器客户端对应的连接器服务端的地址信息。Step 501: The management platform generates configuration information corresponding to the connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client.
步骤502:管理平台生成目标应用对应的应用配置信息,应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种。Step 502: The management platform generates application configuration information corresponding to the target application. The application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client.
步骤503:管理平台发送连接器客户端所需的配置信息。Step 503: the management platform sends the configuration information required by the connector client.
步骤504:管理平台发送边缘节点服务器所需的目标应用的应用配置信息以及与目标应用相关联的连接器客户端的配置信息。Step 504: The management platform sends the application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application.
步骤505:管理平台接收并显示连接器客户端经由其对应的连接器服务端周期性上报的连接器客户端的状态信息,状态信息至少包括心跳信息和系统资源使用率中的至少之一。Step 505: The management platform receives and displays the status information of the connector client periodically reported by the connector client via its corresponding connector server. The status information includes at least one of heartbeat information and system resource usage.
管理平台的具体操作细节均可参考上述任一实施例中管理平台的操作,在此不再赘述。For the specific operation details of the management platform, reference may be made to the operation of the management platform in any of the above embodiments, and details are not repeated here.
在本公开实施例中,管理平台中生成了连接器客户端的配置信息,以及生成了目标应用的应用配置信息,将目标应用与连接器客户端相关联。并通过管理平台发送连接器客户端的配置信息给连接器客户端。发送边缘节点服务器所需的目标应用的应用配置信息以及与目标应用相关联的连接器客户端的配置信息。接收并显示连接器客户端的状态信息,实现对连接器客户端的状态监控告警。基于管理平台生成的连接器客户端的配置信息及目标应用的应用配置信息,实现远程终端对目标应用的访问,且实现目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。In the embodiment of the present disclosure, the configuration information of the connector client and the application configuration information of the target application are generated in the management platform, and the target application is associated with the connector client. And send the configuration information of the connector client to the connector client through the management platform. The application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application are sent. Receive and display the status information of the connector client, and realize the status monitoring and alarm of the connector client. Based on the configuration information of the connector client and the application configuration information of the target application generated by the management platform, remote terminals can access the target application, and only need to block all incoming connections on the target source server without maintaining complex security Strategy. It can prevent other servers from actively sending information to the target application or establishing a connection, reducing the risk of malicious attacks and ensuring the security of the target application.
本公开实施例提供了一种隐藏源站的系统,参见图1,该系统包括:边缘节点服务器、连接器服务端、管理平台和连接器客户端;An embodiment of the present disclosure provides a system for hiding source sites, as shown in FIG. 1 , the system includes: an edge node server, a connector server, a management platform, and a connector client;
管理平台,用于生成目标应用的应用配置信息,以及生成连接器客户端对应的配置信息;发送连接器客户端的配置信息;发送边缘节点服务器所需的目标应用的应用配置信息以及与目标应用相关联的连接器客户端的配置信息;接收并显示连接器客户端经由其对应的连接器服务端周期性上报的连接器客户端的状态信息,状态信息至少包括心跳信息和系统资源使用率中的至少之一;The management platform is used to generate the application configuration information of the target application, and generate the configuration information corresponding to the connector client; send the configuration information of the connector client; send the application configuration information of the target application required by the edge node server and related to the target application The configuration information of the connected connector client; receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information includes at least one of heartbeat information and system resource usage one;
边缘节点服务器,用于接收目标终端发送的针对目标应用的访问请求;并根据访问请求包含的目标应用的标识,将访问请求向对应的连接器服务端进行发送;The edge node server is configured to receive the access request for the target application sent by the target terminal; and send the access request to the corresponding connector server according to the identification of the target application included in the access request;
连接器服务端,用于接收边缘节点服务器发送的访问请求;根据在先建立的与连接器客户端的会话连接,将访问请求转发至对应的连接器客户端;The connector server is used to receive the access request sent by the edge node server; forward the access request to the corresponding connector client according to the previously established session connection with the connector client;
连接器客户端,用于接收连接器服务端发送的访问请求,并将访问请求转发至对应的目标应用。The connector client is used to receive the access request sent by the connector server, and forward the access request to the corresponding target application.
在一示例性实施例中,会话连接为连接器客户端至连接器服务端的出站连接。In an exemplary embodiment, a session connection is an outbound connection from a connector client to a connector server.
本公开的上述实施例提供的隐藏源站的系统与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The system for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by its stored application program .
本公开实施例还提供一种隐藏源站的装置,该装置用于执行上述任一实施例提供的隐藏源站的方法中连接器客户端的操作。参见图13,该装置包括:An embodiment of the present disclosure also provides an apparatus for hiding an origin site, which is configured to perform operations of a connector client in the method for hiding an origin site provided in any of the above embodiments. Referring to Figure 13, the device includes:
配置获取模块601,用于获取与连接器客户端对应的至少一个连接器服务端的地址信息,地址信息为离连接器客户端最近的至少一个连接器服务端的地址信息;The configuration acquiring module 601 is configured to acquire address information of at least one connector server corresponding to the connector client, where the address information is the address information of at least one connector server closest to the connector client;
建立会话模块602,用于根据至少一个连接器服务端的地址信息,建立与至少一个连接器服务端之间的会话连接,会话连接为由连接器客户端至至少一个连接器服务端的出站连接;A session establishment module 602, configured to establish a session connection with at least one connector server according to the address information of at least one connector server, where the session connection is an outbound connection from a connector client to at least one connector server;
源服务器确定模块603,用于基于会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从目标应用对应的多个源服务器中确定目标源服务器;The source server determination module 603 is configured to determine the target source from multiple source servers corresponding to the target application based on the session connection, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy server;
第一发送模块604,用于将访问请求发送至目标源服务器中的目标应用;将接收到的请求响应信息向连接器服务端进行发送,请求响应信息由目标源服务器中的目标应用根据访问请求进行反馈。The first sending module 604 is configured to send the access request to the target application in the target source server; send the received request response information to the connector server, and the request response information is sent by the target application in the target source server according to the access request Give feedback.
地址信息为通过任播技术、智能解析技术、智能路由技术之一确定的域名和/或IP地址,建立会话模块602,用于若地址信息为域名,则向域名服务器发送至少一个连接器服务端的域名解析请求;接收由域名服务器发送的至少一个连接器服务端的域名对应的IP地址;根据各IP地址,分别向至少一个连接器服务端发送连接请求,以建立连接器客户端与至少一个连接器服务端之间的会话连接。The address information is a domain name and/or IP address determined by one of anycast technology, intelligent resolution technology, and intelligent routing technology, and establishes a session module 602, which is used to send at least one connector server to the domain name server if the address information is a domain name Domain name resolution request; receive the IP address corresponding to the domain name of at least one connector server sent by the domain name server; send a connection request to at least one connector server respectively according to each IP address, so as to establish a connector client and at least one connector Session connections between servers.
配置获取模块601,用于接收由管理平台发送的连接器客户端对应的配置信息;从配置信息中获取与连接器客户端对应的至少一个连接器服务端的地址信息。The configuration obtaining module 601 is configured to receive configuration information corresponding to the connector client sent by the management platform; obtain address information of at least one connector server corresponding to the connector client from the configuration information.
建立会话模块602,用于根据至少一个连接器服务端的地址信息,发送认证信息给至少一个连接器服务端;在认证信息被至少一个连接器服务端认证通过后,建立与至少一个连接器服务端之间的加密的会话连接。Establish a session module 602, configured to send authentication information to at least one connector server according to the address information of at least one connector server; after the authentication information is authenticated by at least one connector server, establish a connection with at least one connector server Encrypted session connections between .
会话连接的会话协议类型为加密协议,加密协议包括HTTPS、HTTP/2、HTTP/3、Websocket、TLS_TCP中的至少一种。The session protocol type of the session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
建立会话模块602,用于基于隧道协议建立会话连接,隧道协议为VPN、GRE或者IPsec中的一种。The session establishment module 602 is configured to establish a session connection based on a tunnel protocol, and the tunnel protocol is one of VPN, GRE or IPsec.
连接器客户端部署在能与目标应用通信连接的任一网络中,部署连接器客户端的网络中部署有一个或多个连接器客户端。The connector client is deployed in any network that can communicate with the target application, and one or more connector clients are deployed in the network where the connector client is deployed.
该装置还包括:信息上报模块,用于周期性地经由至少一个连接器服务端向管理平台上报连接器客户端的状态信息,状态信息至少包括心跳信息和系统状态信息中的至少之一。The device also includes: an information reporting module, configured to periodically report the status information of the connector client to the management platform via at least one connector server, where the status information includes at least one of heartbeat information and system status information.
本公开的上述实施例提供的隐藏源站的装置与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
本公开实施例还提供一种隐藏源站的装置,该装置用于执行上述任一实施例提供的隐藏源站的方法中连接器服务端的操作。参见图14,该装置包括:An embodiment of the present disclosure also provides a device for hiding an origin site, which is used to perform the operations of the connector server in the method for hiding an origin site provided in any one of the above embodiments. Referring to Figure 14, the device includes:
接收模块701,用于接收由至少一个连接器客户端发送的连接请求;A receiving module 701, configured to receive a connection request sent by at least one connector client;
建立会话模块702,用于根据连接请求,建立与至少一个连接器客户端之间的会话连接,会话连接为由至少一个连接器客户端至连接器服务端的出站连接;Establishing a session module 702, configured to establish a session connection with at least one connector client according to the connection request, where the session connection is an outbound connection from at least one connector client to the connector server;
接收模块703,还用于接收由边缘节点服务器转发的针对目标应用的访问请求;The receiving module 703 is also configured to receive the access request for the target application forwarded by the edge node server;
连接器客户端确定模块704,用于基于第二负载均衡策略,从至少一个连接器客户端中确定与目标应用对应的目标连接器客户端;A connector client determining module 704, configured to determine a target connector client corresponding to the target application from at least one connector client based on a second load balancing strategy;
第二发送模块705,用于根据与目标连接器客户端对应的会话连接,转发访问请求至目标连接器客户端。The second sending module 705 is configured to forward the access request to the target connector client according to the session connection corresponding to the target connector client.
连接请求的数量为多个,连接请求中包含对应的连接器客户端的标识信息;The number of connection requests is multiple, and the connection request contains the identification information of the corresponding connector client;
建立会话模块702,用于根据多个连接请求,分别建立与至少一个连接器客户端之间的会话连接,并存储各标识信息与对应的会话连接之间的映射关系。The session establishment module 702 is configured to respectively establish a session connection with at least one connector client according to multiple connection requests, and store a mapping relationship between each identification information and a corresponding session connection.
连接器客户端确定模块704,用于从建立会话连接的至少一个连接器客户端中确定出与目标应用关联的每个连接器客户端;基于第二负载均衡策略,从确定出的每个连接器客户端中确定目标连接器客户端。A connector client determination module 704, configured to determine each connector client associated with the target application from at least one connector client establishing a session connection; based on the second load balancing strategy, each determined connection Determine the target connector client in Connector Client.
本公开的上述实施例提供的隐藏源站的装置与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
本公开实施例还提供一种隐藏源站的装置,该装置用于执行上述任一实施例提供的隐藏源站的方法中边缘节点服务器的操作。参见图15,该装置包括:An embodiment of the present disclosure also provides an apparatus for hiding an origin station, which is configured to perform operations of the edge node server in the method for hiding an origin station provided in any one of the above embodiments. Referring to Figure 15, the device includes:
接收模块801,用于接收由目标终端发送的针对目标应用的访问请求,访问请求包含目标应用的标识,目标应用的标识包括域名、协议、IP地址和端口之间的一种或多种;The receiving module 801 is configured to receive an access request for a target application sent by a target terminal, where the access request includes an identification of the target application, and the identification of the target application includes one or more of domain name, protocol, IP address, and port;
配置获取模块802,用于根据目标应用的标识,获取与目标应用绑定的连接器客户端的配置信息,配置信息至少包括与连接器客户端对应的至少一个连接器服务端的地址信息;The configuration acquiring module 802 is configured to acquire configuration information of a connector client bound to the target application according to the identifier of the target application, where the configuration information includes at least address information of at least one connector server corresponding to the connector client;
连接器服务端确定模块803,用于根据配置信息及第三负载均衡策略,从目标应用对应的每个连接器服务端中确定目标连接器服务端;The connector server determination module 803 is configured to determine the target connector server from each connector server corresponding to the target application according to the configuration information and the third load balancing strategy;
第三发送模块804,用于根据目标连接器服务端的地址信息,转发访问请求至目标连接器服务端。The third sending module 804 is configured to forward the access request to the target connector server according to the address information of the target connector server.
本公开的上述实施例提供的隐藏源站的装置与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
本公开实施例还提供一种隐藏源站的装置,该装置用于执行上述任一实施例提供的隐藏源站的方法中管理平台的操作。参见图16,该装置包括:An embodiment of the present disclosure also provides an apparatus for hiding an origin site, which is used to perform the operations of the management platform in the method for hiding an origin site provided in any of the above embodiments. Referring to Figure 16, the device includes:
配置生成模块901,用于生成至少一个连接器客户端对应的配置信息,配置信息至少包括连接器客户端的标识信息和与连接器客户端对应的连接器服务端的地址信息;生成目标应用对应的应用配置信息,应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种;The configuration generation module 901 is configured to generate configuration information corresponding to at least one connector client, the configuration information at least includes the identification information of the connector client and the address information of the connector server corresponding to the connector client; generates an application corresponding to the target application Configuration information, the application configuration information includes at least one of the domain name of the target application, the back-to-source address, and the identification information of the associated connector client;
配置发送模块902,用于发送连接器客户端所需的配置信息;发送边缘节点服务器所需的目标应用的应用配置信息以及与目标应用相关联的连接器客户端配置信息;The configuration sending module 902 is configured to send the configuration information required by the connector client; send the application configuration information of the target application required by the edge node server and the connector client configuration information associated with the target application;
状态信息接收模块903,用于接收并显示连接器客户端经由其对应的连接器服务端周期性上报的连接器客户端的状态信息,状态信息至少包括心跳信息和系统资源使用率中的至少之一。The status information receiving module 903 is configured to receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least includes at least one of heartbeat information and system resource usage .
本公开的上述实施例提供的隐藏源站的装置与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The device for hiding the source site provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effect as the method adopted, run or implemented by the stored application program .
本公开实施方式还提供一种电子设备,以执行上述隐藏源站的方法。请参考图17,其示出了本公开的一些实施方式所提供的一种电子设备的示意图。如图17所示,电子设备10包括:处理器1000,存储器1001,总线1002和通信接口1003,所述处理器1000、通信接口1003和存储器1001通过总线1002连接;所述存储器1001中存储有可在所述处理器1000上运行的计算机程序,所述处理器1000运行所述计算机程序时执行本公开前述任一实施方式所提供的隐藏源站的方法。Embodiments of the present disclosure also provide an electronic device to implement the above method for hiding an origin site. Please refer to FIG. 17 , which shows a schematic diagram of an electronic device provided by some embodiments of the present disclosure. As shown in Figure 17, the electronic device 10 includes: a processor 1000, a memory 1001, a bus 1002 and a communication interface 1003, the processor 1000, the communication interface 1003 and the memory 1001 are connected through the bus 1002; A computer program running on the processor 1000, when the processor 1000 runs the computer program, executes the method for hiding an origin site provided in any one of the foregoing implementations of the present disclosure.
其中,存储器1001可能包含高速随机存取存储器(RAM:Random Access Memory),也可能还包括非不稳定的存储器(non-volatile memory),例如至少一个磁盘存储器。通过至少一个通信接口1003(可以是有线或者无线)实现该系统网元与至少一个其他网元之间的通信连接,可以使用互联网、广域网、本地网、城域网等。Wherein, the memory 1001 may include a high-speed random access memory (RAM: Random Access Memory), and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory. The communication connection between the system network element and at least one other network element is realized through at least one communication interface 1003 (which may be wired or wireless), and Internet, wide area network, local network, metropolitan area network, etc. can be used.
总线1002可以是ISA总线、PCI总线或EISA总线等。所述总线可以分为地址总线、数据总线、控制总线等。其中,存储器1001用于存储程序,所述处理器1000在接收到执行指令后,执行所述程序,前述本公开实施例任一实施方式揭示的所述隐藏源站的方法可以应用于处理器1000中,或者由处理器1000实现。The bus 1002 may be an ISA bus, a PCI bus or an EISA bus, etc. The bus can be divided into address bus, data bus, control bus and so on. Wherein, the memory 1001 is used to store a program, and the processor 1000 executes the program after receiving an execution instruction, and the method for hiding the source site disclosed in any implementation manner of the aforementioned embodiments of the present disclosure can be applied to the processor 1000 in, or implemented by the processor 1000.
处理器1000可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器1000中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器1000可以是通用处理器,包括中央处理器(Central Processing Unit,简称CPU)、网 络处理器(Network Processor,简称NP)等;还可以是数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本公开实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本公开实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1001,处理器1000读取存储器1001中的信息,结合其硬件完成上述方法的步骤。The processor 1000 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above method may be implemented by an integrated logic circuit of hardware in the processor 1000 or instructions in the form of software. The above-mentioned processor 1000 can be a general-purpose processor, including a central processing unit (Central Processing Unit, referred to as CPU), a network processor (Network Processor, referred to as NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), off-the-shelf programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. Various methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure may be implemented or executed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like. The steps of the methods disclosed in the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register. The storage medium is located in the memory 1001, and the processor 1000 reads the information in the memory 1001, and completes the steps of the above method in combination with its hardware.
本公开实施例提供的电子设备与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其采用、运行或实现的方法相同的有益效果。The electronic device provided by the embodiment of the present disclosure is based on the same inventive concept as the method for hiding the source station provided by the embodiment of the present disclosure, and has the same beneficial effect as the method adopted, operated or realized.
本公开实施方式还提供一种与前述实施方式所提供的隐藏源站的方法对应的计算机可读存储介质,请参考图18,其示出的计算机可读存储介质为光盘30,其上存储有计算机程序(即程序产品),所述计算机程序在被处理器运行时,会执行前述任意实施方式所提供的隐藏源站的方法。The embodiment of the present disclosure also provides a computer-readable storage medium corresponding to the method for hiding the origin site provided in the foregoing embodiment. Please refer to FIG. A computer program (that is, a program product). When the computer program is run by a processor, it will execute the method for hiding the source site provided in any of the foregoing implementation manners.
需要说明的是,所述计算机可读存储介质的例子还可以包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他光学、磁性存储介质,在此不再一一赘述。It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random Access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other optical and magnetic storage media will not be repeated here.
本公开的上述实施例提供的计算机可读存储介质与本公开实施例提供的隐藏源站的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The computer-readable storage medium provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for hiding the source site provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run or implemented by the stored application program .
需要说明的是:It should be noted:
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本公开的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known structures and techniques have not been shown in detail in order not to obscure the understanding of this description.
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本公开的示例性实施例的描述中,本公开的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下示意图:即所要求保护的本公开要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本公开的单独实施例。Similarly, it should be appreciated that in the above description of example embodiments of the disclosure, in order to streamline the disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the disclosure are sometimes grouped together into a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting a schematic representation that the claimed disclosure requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this disclosure.
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本公开的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。In addition, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the present disclosure. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
以上所述,仅为本公开较佳的具体实施方式,但本公开的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本公开揭露的技术范围内,可轻易想到的变化或替换,都应涵盖在本公开的保护范围之内。因此,本公开的保护范围应以所述权利要求的保护范围为准。The above is only a preferred specific implementation mode of the present disclosure, but the protection scope of the present disclosure is not limited thereto. Any person skilled in the art can easily think of changes or Any replacement should be covered within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure should be determined by the protection scope of the claims.
工业实用性Industrial Applicability
本公开中通过连接器客户端的设置并建立连接器客户端与连接器服务端之间的会话连接,该会话连接为连接器客户端至连接器服务端之间的出站连接,用户访问目标应用时先访问边缘节点服务器,边缘节点服务器经由连接器服务端将请求转发至连接器客户端,连接器客户端再将请求转发至目标应用。In this disclosure, the session connection between the connector client and the connector server is established through setting the connector client, the session connection is an outbound connection between the connector client and the connector server, and the user accesses the target application When accessing the edge node server first, the edge node server forwards the request to the connector client through the connector server, and the connector client forwards the request to the target application.
本方法使得目标源服务器上只需要阻断一切入向连接,而不需要维护复杂的安全策略。可以避免由其他服务器主动向目标应用发送信息或者建立连接的情况发生,降低了遭受恶意攻击的风险,保证了目标应用的安全性。This method only needs to block all incoming connections on the target source server without maintaining complex security policies. It can prevent other servers from actively sending information or establishing a connection to the target application, reducing the risk of malicious attacks and ensuring the security of the target application.

Claims (21)

  1. 一种隐藏源站的方法,应用于连接器客户端,所述连接器客户端与至少一个目标应用相关联,包括:A method for hiding a source site, applied to a connector client, the connector client being associated with at least one target application, comprising:
    获取与所述连接器客户端对应的至少一个连接器服务端的地址信息,所述地址信息为离所述连接器客户端最近的至少一个连接器服务端的地址信息;Obtain address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client;
    根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,所述会话连接为由所述连接器客户端至所述至少一个连接器服务端的出站连接;Establish a session connection with the at least one connector server according to the address information of the at least one connector server, the session connection is an outgoing connection from the connector client to the at least one connector server station connection;
    基于所述会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从所述目标应用对应的多个源服务器中确定目标源服务器,将所述访问请求发送至所述目标源服务器中的所述目标应用;Based on the session connection, if an access request for the target application forwarded by the connector server is received, based on the first load balancing policy, the target source server is determined from the multiple source servers corresponding to the target application, and the sending the access request to the target application in the target source server;
    将接收到的请求响应信息向所述连接器服务端进行发送,所述请求响应信息由所述目标源服务器中的所述目标应用根据所述访问请求进行反馈。Send the received request response information to the connector server, and the request response information is fed back by the target application in the target source server according to the access request.
  2. 根据权利要求1所述的方法,其中,所述地址信息为通过任播技术、智能解析技术、智能路由技术之一确定的域名和/或IP地址,所述根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,包括:The method according to claim 1, wherein the address information is a domain name and/or IP address determined by one of anycast technology, intelligent resolution technology, and intelligent routing technology, and the address information according to the at least one connector server Address information for establishing a session connection with the at least one connector server, including:
    若所述地址信息为域名,则向域名服务器发送所述至少一个连接器服务端的域名解析请求;If the address information is a domain name, sending a domain name resolution request of the at least one connector server to a domain name server;
    接收由所述域名服务器发送的所述至少一个连接器服务端的域名对应的IP地址;receiving the IP address corresponding to the domain name of the at least one connector server sent by the domain name server;
    根据各所述IP地址,分别向所述至少一个连接器服务端发送连接请求,以建立所述连接器客户端与所述至少一个连接器服务端之间的会话连接。Send a connection request to the at least one connector server according to each of the IP addresses, so as to establish a session connection between the connector client and the at least one connector server.
  3. 根据权利要求1所述的方法,其中,所述获取与所述连接器客户端对应的至少一个连接器服务端的地址信息,包括:The method according to claim 1, wherein said acquiring address information of at least one connector server corresponding to said connector client comprises:
    接收由管理平台发送的所述连接器客户端对应的配置信息;receiving configuration information corresponding to the connector client sent by the management platform;
    从所述配置信息中获取与所述连接器客户端对应的至少一个连接器服务端的地址信息。Obtain address information of at least one connector server corresponding to the connector client from the configuration information.
  4. 根据权利要求1所述的方法,其中,所述根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,包括:The method according to claim 1, wherein the establishing a session connection with the at least one connector server according to the address information of the at least one connector server includes:
    根据所述至少一个连接器服务端的地址信息,发送认证信息给所述至少一个连接器服务端;sending authentication information to the at least one connector server according to the address information of the at least one connector server;
    在所述认证信息被所述至少一个连接器服务端认证通过后,建立与所述至少一个连接器服务端之间的加密的会话连接。After the authentication information is authenticated by the at least one connector server, an encrypted session connection with the at least one connector server is established.
  5. 根据权利要求4所述的方法,其中,所述会话连接的会话协议类型为加密协议,所述加密协议包括HTTPS、HTTP/2、HTTP/3、Websocket、TLS_TCP中的至少一种。The method according to claim 4, wherein the session protocol type of the session connection is an encryption protocol, and the encryption protocol includes at least one of HTTPS, HTTP/2, HTTP/3, Websocket, and TLS_TCP.
  6. 根据权利要求4所述的方法,其中,基于隧道协议建立所述会话连接,所述隧道协议为VPN、GRE或者IPsec中的一种。The method according to claim 4, wherein the session connection is established based on a tunnel protocol, and the tunnel protocol is one of VPN, GRE or IPsec.
  7. 根据权利要求1所述的方法,其中,所述连接器客户端部署在能与所述目标应用通信连接的任一网络中,部署所述连接器客户端的网络中部署有一个或多个所述连接器客户端。The method according to claim 1, wherein the connector client is deployed in any network that can communicate with the target application, and the network where the connector client is deployed has one or more of the Connector client.
  8. 根据权利要求1所述的方法,所述方法还包括:The method according to claim 1, said method further comprising:
    周期性地经由所述至少一个连接器服务端向管理平台上报所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统状态信息中的至少之一。Periodically report the status information of the connector client to the management platform via the at least one connector server, where the status information at least includes at least one of heartbeat information and system status information.
  9. 一种隐藏源站的方法,应用于连接器服务端,包括:A method of hiding the source site, applied to the connector server, including:
    接收由至少一个连接器客户端发送的连接请求;receiving a connection request sent by at least one connector client;
    根据所述连接请求,建立与所述至少一个连接器客户端之间的会话连接,所述会话连接为由所述至少一个连接器客户端至所述连接器服务端的出站连接;Establishing a session connection with the at least one connector client according to the connection request, where the session connection is an outbound connection from the at least one connector client to the connector server;
    接收由边缘节点服务器转发的针对目标应用的访问请求,基于第二负载均衡策略,从所述至少一个连接器客户端中确定与所述目标应用对应的目标连接器客户端;receiving an access request for the target application forwarded by the edge node server, and determining a target connector client corresponding to the target application from the at least one connector client based on a second load balancing strategy;
    根据与所述目标连接器客户端对应的会话连接,转发所述访问请求至所述目标连接器客户端。Forwarding the access request to the target connector client according to the session connection corresponding to the target connector client.
  10. 根据权利要求9所述的方法,其中,所述连接请求的数量为多个,所述连接请求中包含对应的连接器客户端的标识信息;The method according to claim 9, wherein the number of the connection requests is multiple, and the connection requests include the identification information of the corresponding connector client;
    根据所述连接请求,建立与所述至少一个连接器客户端之间的会话连接,包括:According to the connection request, establishing a session connection with the at least one connector client includes:
    根据多个所述连接请求,分别建立与所述至少一个连接器客户端之间的会话连接,并存储各所述标识信息与对应的会话连接之间的映射关系。Establish a session connection with the at least one connector client respectively according to the multiple connection requests, and store a mapping relationship between each piece of identification information and a corresponding session connection.
  11. 根据权利要求9所述的方法,其中,所述基于第二负载均衡策略,从所述至少一个连接器客户端中确定与所述目标应用对应的目标连接器客户端,包括:The method according to claim 9, wherein the determining the target connector client corresponding to the target application from the at least one connector client based on the second load balancing strategy comprises:
    从建立会话连接的所述至少一个连接器客户端中确定出与所述目标应用关联的每个连接器客户端;determining each connector client associated with the target application from the at least one connector client establishing a session connection;
    基于第二负载均衡策略,从确定出的每个所述连接器客户端中确定目标连接器客户端。Based on the second load balancing policy, determine a target connector client from each of the determined connector clients.
  12. 一种隐藏源站的方法,应用于边缘节点服务器,包括:A method of hiding the source station, applied to the edge node server, including:
    接收由目标终端发送的针对目标应用的访问请求,所述访问请求包含所述目标应用的标识,所述目标应用的标识包括域名、协议、IP地址和端口中的至少一种;receiving an access request for a target application sent by a target terminal, where the access request includes an identifier of the target application, and the identifier of the target application includes at least one of a domain name, a protocol, an IP address, and a port;
    根据所述目标应用的标识,获取与所述目标应用绑定的连接器客户端的配置信息,所述配置信息至少包括与所述连接器客户端对应的至少一个连接器服务端的地址信息;Obtain configuration information of a connector client bound to the target application according to the identifier of the target application, where the configuration information includes at least address information of at least one connector server corresponding to the connector client;
    基于第三负载均衡策略和获取的所述连接器客户端的配置信息,从所述目标应用对应的每个连接器服务端中确定目标连接器服务端;Based on the third load balancing policy and the acquired configuration information of the connector client, determine the target connector server from each connector server corresponding to the target application;
    根据所述目标连接器服务端的地址信息,转发所述访问请求至所述目标连接器服务端。forwarding the access request to the target connector server according to the address information of the target connector server.
  13. 一种隐藏源站的方法,应用于管理平台,包括:A method of hiding the source site, applied to the management platform, including:
    生成至少一个连接器客户端对应的配置信息,所述配置信息至少包括连接器客户端的标识信息和与所述连接器客户端对应的连接器服务端的地址信息;Generate configuration information corresponding to at least one connector client, where the configuration information includes at least identification information of the connector client and address information of a connector server corresponding to the connector client;
    生成目标应用对应的应用配置信息,所述应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种;Generate application configuration information corresponding to the target application, where the application configuration information includes at least one of a domain name of the target application, a back-to-source address, and identification information of an associated connector client;
    发送所述连接器客户端的配置信息;sending the configuration information of the connector client;
    发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端的配置信息;sending the application configuration information of the target application required by the edge node server and the configuration information of the connector client associated with the target application;
    接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一。receiving and displaying the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least including at least one of heartbeat information and system resource usage.
  14. 一种隐藏源站的系统,包括:管理平台、边缘节点服务器、连接器服务端和连接器客户端;A system for hiding source sites, including: a management platform, an edge node server, a connector server and a connector client;
    管理平台,用于生成目标应用的应用配置信息,以及生成连接器客户端对应的配置信息;发送所述连接器客户端的配置信息;发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端的配置信息;接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一;The management platform is used to generate the application configuration information of the target application, and generate the configuration information corresponding to the connector client; send the configuration information of the connector client; send the application configuration information of the target application required by the edge node server and configuration information of the connector client associated with the target application; receiving and displaying the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information being at least including at least one of heartbeat information and system resource usage;
    边缘节点服务器,用于接收目标终端发送的针对目标应用的访问请求;并根据所述访问请求包含的目标应用的标识,将所述访问请求向对应的连接器服务端进行发送;The edge node server is configured to receive the access request for the target application sent by the target terminal; and send the access request to the corresponding connector server according to the identifier of the target application included in the access request;
    连接器服务端,用于接收所述边缘节点服务器发送的所述访问请求;根据在先建立的与连接器客户端的会话连接,将所述访问请求转发至对应的连接器客户端;The connector server is configured to receive the access request sent by the edge node server; forward the access request to the corresponding connector client according to the previously established session connection with the connector client;
    连接器客户端,用于接收所述连接器服务端发送的所述访问请求,并将所述访问请求转 发至对应的目标应用。The connector client is configured to receive the access request sent by the connector server, and forward the access request to a corresponding target application.
  15. 根据权利要求14所述的系统,其中,所述会话连接为所述连接器客户端至所述连接器服务端的出站连接。The system of claim 14, wherein the session connection is an outbound connection from the connector client to the connector server.
  16. 一种隐藏源站的装置,应用于连接器客户端,包括:A device for hiding the source station, applied to the connector client, including:
    配置获取模块,用于获取与所述连接器客户端对应的至少一个连接器服务端的地址信息,所述地址信息为离所述连接器客户端最近的至少一个连接器服务端的地址信息;A configuration acquisition module, configured to acquire address information of at least one connector server corresponding to the connector client, where the address information is address information of at least one connector server closest to the connector client;
    建立会话模块,用于根据所述至少一个连接器服务端的地址信息,建立与所述至少一个连接器服务端之间的会话连接,所述会话连接为由所述连接器客户端至所述至少一个连接器服务端的出站连接;Establishing a session module, configured to establish a session connection with the at least one connector server according to the address information of the at least one connector server, the session connection is from the connector client to the at least one an outbound connection from a connector server;
    源服务器确定模块,用于基于所述会话连接,若接收到由连接器服务端转发的针对目标应用的访问请求,则基于第一负载均衡策略,从所述目标应用对应的多个源服务器中确定目标源服务器;The source server determining module is configured to, based on the session connection, if the access request for the target application forwarded by the connector server is received, based on the first load balancing strategy, from the plurality of source servers corresponding to the target application Determine the target source server;
    第一发送模块,用于将所述访问请求发送至所述目标源服务器中的所述目标应用;将接收到的请求响应信息向所述连接器服务端进行发送,所述请求响应信息由所述目标源服务器中的所述目标应用根据所述访问请求进行反馈。A first sending module, configured to send the access request to the target application in the target source server; send the received request response information to the connector server, and the request response information is determined by the The target application in the target source server performs feedback according to the access request.
  17. 一种隐藏源站的装置,应用于连接器服务端,包括:A device for hiding the source site, applied to the connector server, including:
    接收模块,用于接收由至少一个连接器客户端发送的连接请求;A receiving module, configured to receive a connection request sent by at least one connector client;
    建立会话模块,用于根据所述连接请求,建立与所述至少一个连接器客户端之间的会话连接,所述会话连接为由所述至少一个连接器客户端至所述连接器服务端的出站连接;Establishing a session module, configured to establish a session connection with the at least one connector client according to the connection request, and the session connection is an outgoing connection from the at least one connector client to the connector server station connection;
    所述接收模块,还用于接收由边缘节点服务器转发的针对目标应用的访问请求;The receiving module is also used to receive the access request for the target application forwarded by the edge node server;
    连接器客户端确定模块,用于基于第二负载均衡策略,从所述至少一个连接器客户端中确定与所述目标应用对应的目标连接器客户端;A connector client determining module, configured to determine a target connector client corresponding to the target application from the at least one connector client based on a second load balancing strategy;
    第二发送模块,用于根据与所述目标连接器客户端对应的会话连接,转发所述访问请求至所述目标连接器客户端。The second sending module is configured to forward the access request to the target connector client according to the session connection corresponding to the target connector client.
  18. 一种隐藏源站的装置,应用于边缘节点服务器,包括:A device for hiding source sites, applied to edge node servers, including:
    接收模块,用于接收由目标终端发送的针对目标应用的访问请求,所述访问请求包含所述目标应用的标识,所述目标应用的标识包括域名、协议、IP地址和端口之间的一种或多种;The receiving module is configured to receive an access request for a target application sent by a target terminal, the access request includes an identifier of the target application, and the identifier of the target application includes one of domain name, protocol, IP address and port or more;
    配置获取模块,用于根据所述目标应用的标识,获取与所述目标应用绑定的连接器客户端的配置信息,所述配置信息至少包括与所述连接器客户端对应的至少一个连接器服务端的地址信息;A configuration acquiring module, configured to acquire configuration information of a connector client bound to the target application according to the identifier of the target application, the configuration information at least including at least one connector service corresponding to the connector client end address information;
    连接器服务端确定模块,用于根据所述配置信息及第三负载均衡策略,从所述目标应用对应的每个连接器服务端中确定目标连接器服务端;A connector server determination module, configured to determine a target connector server from each connector server corresponding to the target application according to the configuration information and the third load balancing strategy;
    第三发送模块,用于根据所述目标连接器服务端的地址信息,转发所述访问请求至所述目标连接器服务端。The third sending module is configured to forward the access request to the target connector server according to the address information of the target connector server.
  19. 一种隐藏源站的装置,应用于管理平台,包括:A device for hiding the source station, applied to the management platform, including:
    配置生成模块,用于生成至少一个连接器客户端对应的配置信息,所述配置信息至少包括连接器客户端的标识信息和与所述连接器客户端对应的连接器服务端的地址信息;生成目标应用对应的应用配置信息,所述应用配置信息包括目标应用的域名、回源地址、相关联的连接器客户端的标识信息中的至少一种;A configuration generating module, configured to generate configuration information corresponding to at least one connector client, the configuration information at least including identification information of the connector client and address information of a connector server corresponding to the connector client; generating a target application Corresponding application configuration information, the application configuration information includes at least one of the domain name of the target application, the return address, and the identification information of the associated connector client;
    配置发送模块,用于发送所述连接器客户端所需的配置信息;发送边缘节点服务器所需的所述目标应用的应用配置信息以及与所述目标应用相关联的连接器客户端配置信息;A configuration sending module, configured to send the configuration information required by the connector client; send the application configuration information of the target application required by the edge node server and the connector client configuration information associated with the target application;
    状态信息接收模块,用于接收并显示所述连接器客户端经由其对应的连接器服务端周期性上报的所述连接器客户端的状态信息,所述状态信息至少包括心跳信息和系统资源使用率中的至少之一。A status information receiving module, configured to receive and display the status information of the connector client periodically reported by the connector client via its corresponding connector server, the status information at least including heartbeat information and system resource usage at least one of the .
  20. 一种电子设备,包括存储器、处理器及存储在所述存储器上并可在所述处理器上运行的计算机程序,所述处理器运行所述计算机程序以实现如权利要求1-13任一项所述的方法。An electronic device, comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, the processor runs the computer program to achieve any one of claims 1-13 the method described.
  21. 一种计算机可读存储介质,其上存储有计算机程序,所述程序被处理器执行实现如权利要求1-13中任一项所述的方法。A computer-readable storage medium, on which a computer program is stored, and the program is executed by a processor to implement the method according to any one of claims 1-13.
PCT/CN2022/113500 2021-08-20 2022-08-19 Method, system and apparatus for hiding source station, and device and storage medium WO2023020606A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110962434.XA CN113872933B (en) 2021-08-20 2021-08-20 Method, system, device, equipment and storage medium for hiding source station
CN202110962434.X 2021-08-20

Publications (1)

Publication Number Publication Date
WO2023020606A1 true WO2023020606A1 (en) 2023-02-23

Family

ID=78988014

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/113500 WO2023020606A1 (en) 2021-08-20 2022-08-19 Method, system and apparatus for hiding source station, and device and storage medium

Country Status (2)

Country Link
CN (1) CN113872933B (en)
WO (1) WO2023020606A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117914935A (en) * 2024-03-05 2024-04-19 北京长亭科技有限公司 Concealed communication method and system based on rerouting technology

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872933B (en) * 2021-08-20 2023-05-26 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for hiding source station

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150150114A1 (en) * 2012-01-30 2015-05-28 Martello Technologies Corporation Method and System for Providing Secure Remote External Client Access to Device or Service on a Remote Network
CN108064443A (en) * 2017-09-30 2018-05-22 深圳前海达闼云端智能科技有限公司 A kind of agency retransmission method and device, proxy server and Multistage Proxy network
CN109417536A (en) * 2016-04-15 2019-03-01 高通股份有限公司 For managing the technology of the transmission of secure content in content delivery network
CN110166432A (en) * 2019-04-17 2019-08-23 平安科技(深圳)有限公司 The access method of internal net destination service provides the method for Intranet destination service
CN113341798A (en) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for remotely accessing application
CN113872933A (en) * 2021-08-20 2021-12-31 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for hiding source station

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102347959B (en) * 2011-11-18 2014-07-23 运软网络科技(上海)有限公司 Resource access system and method based on identity and session
CN112769835B (en) * 2021-01-13 2023-04-18 网宿科技股份有限公司 Method for initiating access request and terminal equipment
CN113204730B (en) * 2021-05-19 2024-06-07 网宿科技股份有限公司 Resource acquisition method, webvpn proxy server, system and server

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150150114A1 (en) * 2012-01-30 2015-05-28 Martello Technologies Corporation Method and System for Providing Secure Remote External Client Access to Device or Service on a Remote Network
CN109417536A (en) * 2016-04-15 2019-03-01 高通股份有限公司 For managing the technology of the transmission of secure content in content delivery network
CN108064443A (en) * 2017-09-30 2018-05-22 深圳前海达闼云端智能科技有限公司 A kind of agency retransmission method and device, proxy server and Multistage Proxy network
CN110166432A (en) * 2019-04-17 2019-08-23 平安科技(深圳)有限公司 The access method of internal net destination service provides the method for Intranet destination service
CN113341798A (en) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for remotely accessing application
CN113872933A (en) * 2021-08-20 2021-12-31 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for hiding source station

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117914935A (en) * 2024-03-05 2024-04-19 北京长亭科技有限公司 Concealed communication method and system based on rerouting technology
CN117914935B (en) * 2024-03-05 2024-05-28 北京长亭科技有限公司 Concealed communication method and system based on rerouting technology

Also Published As

Publication number Publication date
CN113872933B (en) 2023-05-26
CN113872933A (en) 2021-12-31

Similar Documents

Publication Publication Date Title
US9954902B1 (en) Secure proxy
US12010135B2 (en) Rule-based network-threat detection for encrypted communications
US11190493B2 (en) Concealing internal applications that are accessed over a network
US20210336934A1 (en) Cloud-based web application and API protection
US12015590B2 (en) Methods and systems for efficient cyber protections of mobile devices
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US8892766B1 (en) Application-based network traffic redirection for cloud security service
US11949661B2 (en) Systems and methods for selecting application connectors through a cloud-based system for private application access
US20210314301A1 (en) Private service edge nodes in a cloud-based system for private application access
US20170034174A1 (en) Method for providing access to a web server
US20190215308A1 (en) Selectively securing a premises network
WO2023020606A1 (en) Method, system and apparatus for hiding source station, and device and storage medium
EP4022876B1 (en) Preventing a network protocol over an encrypted channel, and applications thereof
WO2008147475A2 (en) Providing a generic gateway for accessing protected resources
US9100369B1 (en) Secure reverse connectivity to private network servers
US20230019448A1 (en) Predefined signatures for inspecting private application access
US20160219035A1 (en) Methods for providing secure access to network resources and devices thereof
US10348687B2 (en) Method and apparatus for using software defined networking and network function virtualization to secure residential networks
US20210377223A1 (en) Client to Client and Server to Client communication for private application access through a cloud-based system
US20210336932A1 (en) Sub-clouds in a cloud-based system for private application access
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
US20230015603A1 (en) Maintaining dependencies in a set of rules for security scanning
US20230231884A1 (en) Browser fingerprinting and control for session protection and private application protection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22857915

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22857915

Country of ref document: EP

Kind code of ref document: A1