Publication number: CN100571188 C
Publication type: Grant
Application number: CN 200710121688
Publication date: 16 Dec 2009
Filing date: 12 Sep 2007
Priority date: 12 Sep 2007
Also published as: CN101119274A
Publication number variants: 200710121688.9, CN 100571188 C, CN 100571188C, CN 200710121688, CN-C-100571188, CN100571188 C, CN100571188C, CN200710121688, CN200710121688.9
Inventor: 王飓 (Wang Ju)
Applicant: 杭州华三通信技术有限公司 (Hangzhou H3C Technologies Co., Ltd.)
External links: SIPO, Espacenet
Method for improving treatment efficiency of SSL gateway and SSL gateway
CN 100571188 C
Abstract (original language: Chinese)
The invention provides a method for improving the processing efficiency of an SSL gateway. The method comprises: configuring a virtual IP address on the SSL gateway that is identical to the IP address of the server in the network protected by the SSL gateway, or setting the IP address of the SSL gateway as the IP address that corresponds to the server's domain name; when the SSL gateway receives a web request from a client for the server, it does not replace the URL in the request but processes the request directly according to its own configured rules; and for URL information that the server sends to the client, the SSL gateway likewise performs no URL replacement and sends the original URL information directly to the client. The invention further provides an SSL gateway. The technical solution reduces the processing load on the SSL gateway and improves its processing efficiency.
Claims (10) (original language: Chinese)
1. A method for improving the processing efficiency of an SSL gateway, characterised in that it comprises: configuring a virtual IP address on the SSL gateway, the virtual IP address being identical to the IP address of the server in the network protected by the SSL gateway; or setting the IP address of the SSL gateway as the IP address corresponding to the domain name of the server; a web request for the server initiated by a client, whose URL uses either the server IP address or the server domain name, is routed to the SSL gateway; after receiving the web request, the SSL gateway does not replace the URL in the web request but processes the received web request directly according to its own configured rules; and for URL information sent by the server to the client, the SSL gateway likewise performs no URL replacement and sends the original URL information directly to the client.
2. The method of claim 1, characterised in that, when the SSL gateway is deployed off the path (bypass mode) connecting its protected network to the external network, routing the client-initiated web request to the SSL gateway comprises: a forwarding device on that path, on receiving the client's web request for the server, redirects the web request to the SSL gateway.
3. The method of claim 1, characterised in that setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when registering with the domain name server the IP address corresponding to the server domain name, registering the IP address of the SSL gateway directly as the IP address corresponding to the server domain name.
4. The method of claim 1, characterised in that setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when an internal domain name server exists within the network protected by the SSL gateway, the SSL gateway intercepts DNS messages sent by the internal domain name server to the external domain name server, changes the mapping carried in them from server domain name to server IP address into a mapping from server domain name to SSL gateway IP address, and sends the modified DNS message to the external domain name server.
5. The method of claim 4, characterised in that, when the SSL gateway is deployed off the path connecting the internal domain name server to the external domain name server, the SSL gateway intercepting the DNS messages sent by the internal domain name server to the external domain name server comprises: a forwarding device on that path, on receiving a DNS message from the internal domain name server addressed to the external domain name server, redirects the DNS message to the SSL gateway.
6. The method of claim 1, characterised in that setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when an internal domain name server exists within the network protected by the SSL gateway, a domain name server proxy located on the mandatory path between the internal domain name server and the external domain name server intercepts the DNS messages sent by the internal domain name server to the external domain name server, changes the mapping carried in them from server domain name to server IP address into a mapping from server domain name to SSL gateway IP address, and sends the modified DNS message to the external domain name server.
7. The method of any one of claims 1 to 6, characterised in that all URL links on the server use https as their prefix.
8. The method of any one of claims 1 to 6, characterised in that, when the URL in the client's web request for the server is prefixed with http, the method further comprises: after receiving the web request whose URL is prefixed with http, the SSL gateway sends an HTTP redirect message to the client, directing the client to initiate the web request with https as the URL prefix.
9. An SSL gateway, characterised in that the virtual IP address of the SSL gateway is identical to the IP address of the server in the network protected by the SSL gateway, or the IP address of the SSL gateway corresponds to the domain name of the server, and the SSL gateway comprises: an HTTP message forward processing unit, for receiving web requests for the server initiated by clients in the external network and processing the received web requests according to its own configured rules without replacing the URL in the web request; and an HTTP message reverse processing unit, for receiving URL information sent by the server to the client and forwarding the original URL information directly to the client without URL replacement.
10. The SSL gateway of claim 9, characterised in that the SSL gateway further comprises: a DNS message modification unit, for, when an internal domain name server exists within the network protected by the SSL gateway, intercepting the DNS messages sent by the internal domain name server to the external domain name server, changing the IP address carried in them that corresponds to the server domain name into the IP address of the SSL gateway, and sending the modified DNS message to the external domain name server.
Description (original language: Chinese)

Method for improving the processing efficiency of an SSL gateway, and SSL gateway

Technical Field

The invention relates to network communication technology, and in particular to a method for improving the processing efficiency of a Secure Sockets Layer (SSL) gateway, and to an SSL gateway.

Background

SSL is a protocol that provides a secure channel between two devices; it protects data transmitted over the Internet by encrypting it, and its introduction gave a security guarantee to network transport based on the Hypertext Transfer Protocol (HTTP). A virtual private network (VPN) is mainly used for virtual network connections; it ensures the confidentiality of data and provides some access-control capability. A VPN built on HTTPS (HTTP over SSL) is called an SSL VPN. The properties of SSL, together with the secure remote-access control that a VPN provides, make SSL VPN the simplest and most secure technology for giving remote users access to sensitive enterprise data.

A device that supports SSL VPN is called an SSL gateway. Figure 1 shows a typical SSL gateway deployment: the protected LAN is connected to the WAN through the SSL gateway. The SSL gateway operates as shown in Figure 2. Toward the user (client) side, the SSL gateway imitates the behaviour of a server and serves the client; toward the server side, it imitates the behaviour of a client, fetching information from the server and relaying it to the real client. When a client in the external network wants to access a web application on a protected server, the client first establishes an SSL connection with the SSL gateway and authenticates, and then sends its web request to the SSL gateway. On receiving the client's web request, the SSL gateway processes it according to its configured filtering and conversion rules. If the user lacks sufficient privileges, the SSL gateway rejects the web request outright; if the user has sufficient privileges, the SSL gateway issues a request to the real server based on the received web request, obtains the corresponding data, and sends the data to the client over the established SSL connection. To guarantee the security of data transmission, communication between the SSL gateway and the client is encrypted with SSL and carried as ciphertext.

When the SSL gateway sends the data supplied by the server to the client, it has to find every Uniform Resource Locator (URL) in the web page the server delivers to the client and convert them, so that when the client next uses those URLs to reach the server, the access request passes through the SSL gateway rather than going directly to the server. For example, the SSL gateway replaces the URL http://101.3.205.1/defect/defectList.do?fileID=930 supplied by the server with https://1.1.3.202/http/0/101.3.205.1/defect/defectList.do?fileID=930, or replaces http://www.myspace.com/defect/defectList.do?fileID=930 with https://svpn.myspace.com/http/0/www.myspace.com/defect/defectList.do?fileID=930. Here 1.1.3.202 or svpn.myspace.com, inserted by the SSL gateway during URL replacement, is the IP address or domain name of the SSL gateway. A URL usually consists of three parts: a prefix (the scheme), a domain name or IP address, and a suffix; in the SSL gateway's conversion the suffix is generally left unchanged. If the URL the server supplies to the client is a relative URL, that is, one consisting only of the suffix with no prefix and no domain name or IP address, the SSL gateway need not convert it, because the client automatically prepends the prefix and domain name or IP address it used for the previous access.

For ease of description, the URL supplied by the server is called the original URL, and the URL after conversion by the SSL gateway is called the gateway URL. When the client uses a gateway URL to access a resource on the server, the SSL gateway must replace the gateway URL in the client's request with the original URL that the server recognises; for the web page the server returns to the client after the access, the SSL gateway must find every URL in the page, replace these original URLs with gateway URLs, and then send the page with the replaced gateway URLs to the client.

Thus, in the existing SSL gateway process, the SSL gateway performs a large amount of replacement work: it must not only replace the gateway URL sent by the client with the original URL, but also search out every original URL in the web page the server sends to the client and replace it with a gateway URL, and this consumes a large amount of processing resources. Since the SSL gateway is already heavily loaded by SSL encryption, authentication and user-rule matching, adding these URL replacement operations lowers its processing efficiency.
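As an added example (not part of the patent), the following Python models the prior-art rewriting that the background describes: the outbound pass that scans a returned page for absolute URLs and turns each into a gateway URL of the form https://svpn.myspace.com/http/0/<host>/<path> shown above, and the inbound pass that maps a gateway URL back to the origin URL. The gateway host, the allow-list of origin hosts and the sample HTML are constructed assumptions. Relative URLs are left untouched, as the text explains. The inbound mapping checks the embedded origin host against an allow-list; without that check a rewriting gateway becomes an open proxy into the protected network, because the host segment of the gateway URL is supplied by the client.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this example: the gateway's name and the only origins it may
# proxy. Neither value is fixed by the patent beyond its worked example.
GATEWAY_HOST = "svpn.myspace.com"
ALLOWED_ORIGINS = {"www.myspace.com", "101.3.205.1"}

# Absolute http(s) URLs as they appear in HTML attributes or text.
ABS_URL = re.compile(r"\bhttps?://[^\s\"'<>]+")


def to_gateway_url(original: str) -> str:
    """Outbound: original URL -> gateway URL (https://GATEWAY/<scheme>/0/<host><path>).

    Relative URLs (no scheme and no host) are returned unchanged: the client
    will prepend the gateway prefix it used for the previous request.
    """
    parts = urlsplit(original)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return original
    new_path = f"/{parts.scheme}/0/{parts.netloc}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY_HOST, new_path, parts.query, parts.fragment))


def to_original_url(gateway_url: str) -> str:
    """Inbound: gateway URL -> original URL, refusing origins not on the allow-list."""
    parts = urlsplit(gateway_url)
    m = re.fullmatch(r"/(https?)/0/([^/]+)(/.*)?", parts.path)
    if parts.scheme != "https" or parts.netloc != GATEWAY_HOST or m is None:
        raise ValueError(f"not a gateway URL: {gateway_url!r}")
    scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
    if host not in ALLOWED_ORIGINS:
        # The host segment is client-controlled; without this check the gateway
        # would open connections to any address reachable from the inside.
        raise PermissionError(f"origin {host!r} is not a protected server")
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


def rewrite_page(html: str) -> str:
    """The per-response work the patent wants to avoid: scan the whole body and
    rewrite every absolute URL found in it."""
    return ABS_URL.sub(lambda m: to_gateway_url(m.group(0)), html)


if __name__ == "__main__":
    # Constructed sample page; the first URL is the one from the patent's example.
    page = ('<a href="http://www.myspace.com/defect/defectList.do?fileID=930">list</a> '
            '<a href="/defect/defectList.do?fileID=931">relative</a>')
    print(rewrite_page(page))
```

The regex scan over the whole body is the cost the patent is attacking; note that it also has to run over scripts and style sheets, where URLs can be assembled at run time and escape the rewrite entirely, which is why rewriting gateways are never fully transparent.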

Summary of the Invention

In view of this, the main object of the invention is to provide a method for improving the processing efficiency of an SSL gateway, and an SSL gateway, so as to improve the gateway's processing efficiency. To achieve this object, the technical solution provided by the invention is as follows. A method for improving the processing efficiency of an SSL gateway comprises:

configuring a virtual IP address on the SSL gateway that is identical to the IP address of the server in the network protected by the SSL gateway; or setting the IP address of the SSL gateway as the IP address corresponding to the server domain name;

after receiving a client's web request for the server, the SSL gateway does not replace the URL in the request but processes the received web request directly according to its own configured rules; and for URL information sent by the server to the client, the SSL gateway likewise performs no URL replacement and sends the original URL information directly to the client.

When the SSL gateway is deployed off the path connecting its protected network to the external network, the method further comprises: a forwarding device on that path, on receiving the client's web request for the server, redirects the web request to the SSL gateway.

Setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when registering with the domain name server the IP address corresponding to the server domain name, registering the IP address of the SSL gateway directly as the IP address corresponding to the server domain name.

Setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when an internal domain name server exists within the network protected by the SSL gateway, the SSL gateway intercepts the DNS messages sent by the internal domain name server to the external domain name server, changes the mapping carried in them from server domain name to server IP address into a mapping from server domain name to SSL gateway IP address, and sends the modified DNS message to the external domain name server.

When the SSL gateway is deployed off the path connecting the internal domain name server to the external domain name server, the SSL gateway intercepting the DNS messages sent by the internal domain name server to the external domain name server comprises: a forwarding device on that path, on receiving a DNS message sent by the internal domain name server to the external domain name server, redirects the DNS message to the SSL gateway.

Setting the IP address of the SSL gateway as the IP address corresponding to the server domain name comprises: when an internal domain name server exists within the network protected by the SSL gateway, a domain name server proxy on the mandatory path connecting the internal domain name server to the external domain name server intercepts the DNS messages sent by the internal domain name server to the external domain name server, changes the mapping carried in them from server domain name to server IP address into a mapping from server domain name to SSL gateway IP address, and sends the modified DNS message to the external domain name server.

All URL links on the server use https as their prefix.

When the URL in the client's web request for the server is prefixed with http, the method further comprises: after receiving the web request whose URL is prefixed with http, the SSL gateway sends an HTTP redirect message to the client, directing the client to initiate the web request with https as the URL prefix.

The invention also provides an SSL gateway whose virtual IP address is identical to the IP address of the server in the network protected by the SSL gateway, or whose IP address corresponds to the domain name of the server, and which comprises:

an HTTP message forward processing unit, for receiving web requests for the server initiated by clients in the external network and processing the received web requests according to its own configured rules without replacing the URL in the web request;

an HTTP message reverse processing unit, for receiving URL information sent by the server to the client and forwarding the original URL information directly to the client without URL replacement.

The SSL gateway further comprises: a DNS message modification unit, for, when an internal domain name server exists within the network protected by the SSL gateway, intercepting the DNS messages sent by the internal domain name server to the external domain name server, changing the IP address carried in them that corresponds to the server domain name into the IP address of the SSL gateway, and sending the modified DNS message to the external domain name server.

It can thus be seen that, by configuring on the SSL gateway a virtual IP address identical to the server IP address, or by setting the IP address corresponding to the server domain name to the SSL gateway's IP address, the invention lets the SSL gateway intercept web requests from WAN users for the server without any replacement between original URLs and gateway URLs. This avoids the increased processing burden on the SSL gateway caused by the large number of URL replacement operations and improves the gateway's processing efficiency.

Brief Description of the Drawings

Figure 1 is a typical prior-art SSL gateway deployment diagram. Figure 2 is a schematic of the prior-art operation of an SSL gateway. Figure 3 is a schematic of the SSL gateway deployment in an embodiment of the invention. Figure 4 is a schematic of the SSL gateway deployment in bypass mode in an embodiment of the invention. Figure 5 is a schematic of the deployment in an embodiment of the invention in which the network guarded by the SSL gateway contains an internal DNS server.

Detailed Description

To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.

As described in the background, in the prior art the SSL gateway must not only replace the original URLs the server supplies to the client with gateway URLs, but also replace the gateway URLs sent by the client with original URLs; this replacement between original URLs and gateway URLs consumes a large amount of the SSL gateway's processing resources and lowers its processing efficiency.

To overcome this problem, the invention provides two different solutions.

1. Configure a virtual IP address on the SSL gateway equal to the server's IP address, so that web requests from clients in the external network that address the server either by its IP address or by its domain name are all routed to the SSL gateway for processing. For example, in Figure 3 the server's domain name is www.myspace.com and its IP address is 202.31.99.6; the SSL gateway's domain name is svpn.myspace.com and its IP address is 202.31.75.2. Here a virtual IP address of 202.31.99.6 can be configured on the SSL gateway.

If the SSL gateway is inline on the only path connecting the internal network to the external network, then all packets from the external side are obviously intercepted by the SSL gateway first. In Figure 3, a web request such as http://202.31.99.6/ issued by the client is necessarily handled by the SSL gateway.

If the SSL gateway is not inline on the only path between the internal and external networks but sits off that path, as shown in Figure 4, then policy-based routing must be configured on the forwarding device (router or switch) on the critical path so that packets from the external network destined for the server are redirected to the SSL gateway instead of being sent directly to the server. In this way the client's traffic to the server is likewise intercepted first by the SSL gateway. The forwarding device on the critical path is the forwarding device through which all communication between the internal and external networks must pass.

2. Modify the mapping between domain name and IP address on the domain name server (DNS), so that to the outside network the IP address corresponding to the server domain name is the IP address of the SSL gateway rather than the real server address. Web requests initiated by clients that address the server by its domain name are then sent to the SSL gateway for processing.

For example, in Figure 3, the IP address corresponding to www.myspace.com is changed to 202.31.75.2 rather than the real server address 202.31.99.6, so that packets the client sends to www.myspace.com are delivered to the SSL gateway. To achieve this, when registering the IP address for the server domain name with the DNS, the SSL gateway's IP address can be registered directly instead of the server's IP address; that is, the SSL gateway's IP address is registered as the IP address corresponding to the server domain name.

In addition, when the network guarded by the SSL gateway contains its own DNS server, the DNS view presented to the outside world can also be altered by intercepting the DNS messages that pass through the SSL gateway and changing the IP address corresponding to the server domain name in them (the patent text itself describes this as DNS spoofing toward the outside). For example, in Figure 5 there is an external domain name server (Foreign Name Server) in the external network and an internal domain name server (Name Server) inside the network guarded by the SSL gateway, and the SSL gateway is inline on the only path connecting the Name Server and the Foreign Name Server. The IP address stored on the Name Server for the server domain name www.myspace.com is the server's IP address, 202.31.99.6. In Figure 5, the SSL gateway intercepts the DNS messages that the internal Name Server sends to the external Foreign Name Server, such as maintenance queries, changes the domain-name-to-IP-address mapping they carry so that the IP address for www.myspace.com becomes the SSL gateway's IP address, and then sends the modified DNS message to the Foreign Name Server. The mapping recorded on the Foreign Name Server is therefore the one modified by the SSL gateway, and all external accesses are directed to the SSL gateway.

If the SSL gateway is not inline on the only path between the internal and external domain name servers but sits off that path, then policy-based routing must be configured on the router, switch or other forwarding device on the critical path, so that the forwarding device redirects the DNS messages the Name Server sends to the Foreign Name Server to the SSL gateway. On receiving them, the SSL gateway changes the IP address corresponding to the server domain name to the SSL gateway's IP address and then sends the modified DNS message to the Foreign Name Server.

The function of modifying the domain-name-to-IP-address mapping can also be implemented by a separate domain name server proxy (DNS Proxy) located on the mandatory path between the Name Server and the Foreign Name Server, rather than by the SSL gateway. That is, the DNS Proxy intercepts the DNS messages the Name Server sends to the Foreign Name Server, changes the IP address they carry for the server domain name to the IP address of the SSL gateway, and then sends the modified DNS message to the Foreign Name Server.

Whichever of the two approaches is used, web requests for the server are routed to the SSL gateway for processing.
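As an added example (not from the patent), the following Python shows the DNS message modification that the second solution above performs, whether the SSL gateway or a separate DNS Proxy does it. The walker parses a DNS message in wire format, follows name-compression pointers, and overwrites the RDATA of every A record for the server's name that points at the server's address with the gateway's address. Because an A record's RDATA is a fixed four bytes, the rewrite is done in place and leaves every compression pointer and section count in the message valid. The sample message is constructed here with a small builder; the names and addresses are those of the patent's Figure 3 example. Two caveats the patent does not mention: a DNSSEC-signed response rewritten this way fails signature validation at any validating resolver, and a TSIG-protected zone transfer fails its MAC check, so the technique only works where the DNS traffic between the two name servers is unauthenticated, which on the wire is indistinguishable from an attacker's DNS spoofing.

```python
import socket
import struct

# Values from the patent's Figure 3 example.
SERVER_NAME = "www.myspace.com"
SERVER_IP = "202.31.99.6"
GATEWAY_IP = "202.31.75.2"

TYPE_A, CLASS_IN = 1, 1


def _read_name(msg: bytes, off: int):
    """Decode the domain name at `off`, following RFC 1035 compression pointers.

    Returns (name, offset just past the name as it appears at `off`).
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _iter_rrs(msg: bytes):
    """Yield (owner name, type, class, rdata offset, rdlength) for every resource
    record in the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg: bytes):
    """All (name, ipv4) pairs carried by A records in the message."""
    return [(name, socket.inet_ntoa(msg[o:o + 4]))
            for name, t, c, o, n in _iter_rrs(msg)
            if t == TYPE_A and c == CLASS_IN and n == 4]


def rewrite_a_records(msg: bytes) -> bytes:
    """The DNS modification unit: server name -> server IP becomes
    server name -> gateway IP. RDATA length is unchanged, so offsets stay valid."""
    out = bytearray(msg)
    for name, t, c, o, n in _iter_rrs(msg):
        if (t == TYPE_A and c == CLASS_IN and n == 4
                and name.lower() == SERVER_NAME
                and socket.inet_ntoa(msg[o:o + 4]) == SERVER_IP):
            out[o:o + 4] = socket.inet_aton(GATEWAY_IP)
    return bytes(out)


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_a_response(name: str, ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed sample: a standard response with one question and one A answer
    whose owner name is a compression pointer back to the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    original = build_a_response(SERVER_NAME, SERVER_IP)
    print("before:", a_records(original))
    print("after: ", a_records(rewrite_a_records(original)))
```

The rewrite deliberately matches on both the owner name and the current RDATA, so a record for the same name that already points elsewhere, or an A record for another name in the same zone, passes through untouched; the transaction ID and flags are left as they were, which is what keeps the rewritten message acceptable to the receiving name server.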

In the technical solution of the invention, after receiving a web request for the server from an external client, the SSL gateway need not convert the URL in the request; it can process the client's web request directly according to its own configured rules, for example deciding on the basis of the user's privileges whether to reject or forward the request. For the web page the server supplies to the client, the SSL gateway likewise need not search out and convert every URL in the page; it simply forwards the original URL information the server supplies to the client. The specific process by which the SSL gateway handles the client's web request according to its configured rules is the same as in the prior art and is not repeated here.

In addition, to ensure the security of data transmission, it is generally required that all access be encrypted, that is, the URL prefix should be https rather than http. This can be achieved in either of the following two ways:

1. Require that all URL links on the server use https rather than http as the prefix. In this way SSL encryption is used not only between the client and the SSL gateway but also between the SSL gateway and the server. However, because not all servers support SSL encryption, this approach is seldom used in practice; the second approach is usually adopted instead.

2. Enable an HTTP service on the SSL gateway as well. When the SSL gateway receives a web request from the client to access the server whose URL has http as its prefix, it sends an HTTP redirect packet to the client, directing the client to initiate the web request with https as the URL prefix. For example, in Figure 3, after the SSL gateway receives a web request from the client whose URL is http://www.myspace.com/, it needs to send an HTTP redirect packet to the client; after receiving the redirect packet, the client initiates a web request with https as the URL prefix, i.e. with the URL https://www.myspace.com/, so that the request is then carried over the encrypted channel.
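The gateway's request handling described above (rule-based forward or reject without touching the URL, and the http-to-https redirect of approach 2), as an added example that is not code from the patent. The protected host www.myspace.com is taken from the Figure 3 example; the per-user path rules, the use of a 301 status and the request samples are assumptions.

```python
from urllib.parse import urlsplit

# Assumed configuration (not from the patent): the servers behind the gateway, and the
# path prefixes each authenticated user is permitted to reach on them.
PROTECTED_HOSTS = {"www.myspace.com"}
RULES = {"alice": ("/",), "bob": ("/public/",)}

def parse_request(raw):
    """Split a plain HTTP/1.x request head into (method, target, headers); header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def split_target(target, headers):
    """Return (host, path) for origin-form ('/a?b' plus Host header) or absolute-form ('http://h/a') targets."""
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        host, path = parts.netloc, parts.path or "/"
        if parts.query:
            path += "?" + parts.query
    else:
        host, path = headers.get("host", ""), target
    return host.split(":")[0].lower(), path

def decide(raw, scheme, user=None):
    """Gateway decision for one request arriving on the `scheme` listener ('http' or 'https'):
    ('redirect', https_url), ('forward', unchanged target), ('deny', None) on a rule miss,
    or ('reject', None) for a host the gateway does not protect."""
    _method, target, headers = parse_request(raw)
    host, path = split_target(target, headers)
    if host not in PROTECTED_HOSTS:
        # never redirect toward an attacker-chosen Host header: that would be an open redirect
        return "reject", None
    if scheme == "http":
        # approach 2: the http listener answers with a redirect to the same URL under https
        return "redirect", f"https://{host}{path}"
    # https listener: apply the configured rules and forward the original URL untouched
    for prefix in RULES.get(user, ()):
        if path.startswith(prefix):
            return "forward", path
    return "deny", None

if __name__ == "__main__":
    req = b"GET /public/index.html HTTP/1.1\r\nHost: www.myspace.com\r\n\r\n"   # constructed request
    print(decide(req, "http"))          # ('redirect', 'https://www.myspace.com/public/index.html')
    print(decide(req, "https", "bob"))  # ('forward', '/public/index.html')
```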

In addition, the present invention also provides an SSL gateway. The virtual IP address of this SSL gateway is the same as the IP address of the server in the network protected by the SSL gateway, or the IP address of this SSL gateway corresponds to the server's domain name; and the SSL gateway further includes an HTTP packet forward processing unit and an HTTP packet reverse processing unit. Among them:

the HTTP packet forward processing unit is configured to receive the web request initiated by the client on the external network to access the server, and to process the received web request according to its own configured rules without replacing the URL in the web request;

the HTTP packet reverse processing unit is configured to receive the URL information sent by the server to the client, and to forward that original URL information directly to the client without performing URL replacement.

The SSL gateway may further include a DNS packet modification unit, configured, when an internal-network domain name server exists in the network protected by the SSL gateway, to intercept the DNS packets sent by the internal-network domain name server to the external-network domain name server, change the IP address carried in them that corresponds to the server's domain name to the IP address of the SSL gateway, and send the modified DNS packets to the external-network domain name server.

In summary, once the technical solution provided by the present invention is adopted, the SSL gateway no longer needs to replace the original URL with the gateway URL, which reduces the processing burden on the SSL gateway and improves its processing efficiency.

The objectives, technical solutions and beneficial effects of the present invention have been described above in further detail. It should be understood that the above is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Patent citations
Cited patent | Filing date | Publication date | Applicant | Title
CN1422468A | 7 Feb 2001 | 4 Jun 2003 | 内特里公司 | Method for high-performance delivery of web content
US2004/0230820 | | | | Title not available
US6081900 | 16 Mar 1999 | 27 Jun 2000 | Novell, Inc. | Secure intranet access
Referenced by
Citing patent | Filing date | Publication date | Applicant | Title
CN102546594A * | 7 Dec 2011 | 4 Jul 2012 | 北京星网锐捷网络技术有限公司 | Network resource access control method, device and related equipment
CN102546594B | 7 Dec 2011 | 2 Jul 2014 | 北京星网锐捷网络技术有限公司 | Network resource access control method, device and related equipment
Classifications
International classification | H04L29/12, H04L12/66, H04L12/46
Legal events
Date | Code | Event | Description
6 Feb 2008 | C06 | Publication |
14 May 2008 | C10 | Entry into substantive examination |
16 Dec 2009 | C14 | Grant of patent or utility model |
26 Apr 2017 | CP03 | |