CN117135104A - Data processing method, apparatus, computer device, storage medium, and program product - Google Patents
- Publication number
- CN117135104A (application number CN202210551174.1A)
- Authority
- CN
- China
- Prior art keywords
- drainage
- access request
- target
- port
- resource
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L45/00—Routing or path finding of packets in data switching networks
    - H04L45/02—Topology update or discovery
    - H04L45/14—Routing performance; Theoretical aspects
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a data processing method, apparatus, computer device and storage medium in the fields of cloud technology, cloud security and intelligent transportation. On receiving an access request to a network resource, the requesting device determines the communication link information of the request, namely its source address and target address. If a preconfigured steering policy classifies the resource as a steered resource (rendered "drainage resource" in the machine translation of the claims), the request is steered, based on its target address and a preconfigured steering port, to a target gateway that forwards it to the target server, so that access to restricted resources is automatically routed through the designated gateway. The device also records the association between the source address and the information of the process that initiated the request; when the response arrives, that association is used to return the response data to the initiating application and display the corresponding response page. The whole access flow is thus executed accurately without modifying the system routing table, which removes the poor practicability of the related art and improves the accuracy and practicability of private-network access.
Description
Technical Field
The application relates to the technical fields of communication, cloud technology and intelligent transportation, and in particular to a data processing method, apparatus, computer device, storage medium and program product.
Background
Access to a restricted private network is generally provided by a VPN (Virtual Private Network): an encrypted tunnel is established over a public network so that network resources inside an enterprise can be reached.
In the related art, access to the private network relies on the system routing table. For example, a TUN/TAP virtual network interface is installed, and a route pointing to the virtual interface is made the default route with the highest priority by adjusting route priorities in the routing table. Steering traffic through the routing table, however, easily conflicts with third-party VPN software that also takes over the routing table, and some VPN software even protects the routing table against modification, so access fails. In many scenarios the private network therefore cannot be reached through the routing-table mechanism, and this access mode has low practicability.
Disclosure of Invention
The application provides a data processing method, apparatus, computer device, storage medium and program product that solve the low practicability of the related art. The technical scheme is as follows:
In one aspect, a data processing method is provided, the method comprising:
in response to receiving an access request to a network resource, determining communication link information corresponding to the access request, the communication link information comprising a source address and a target address;
in response to determining, from a preconfigured target steering policy, that the network resource is a steered resource, steering the access request, based on the target address and a preconfigured steering port, to a target gateway used to access a target server, and recording the association between the source address and process information;
wherein the target gateway forwards the access request to the target server and forwards the response data of the target server to the source address, and the process information identifies the process that initiated the access request;
and receiving the response data returned by the target server through the target gateway, and displaying a response page corresponding to the access request based on the response data and the association between the source address and the process information.
In another aspect, a data processing apparatus is provided, the apparatus comprising:
a communication link determining module configured to determine, in response to receiving an access request to a network resource, communication link information corresponding to the access request, the communication link information comprising a source address and a target address;
a steering module configured to, in response to determining from a preconfigured target steering policy that the network resource is a steered resource, steer the access request, based on the target address and a preconfigured steering port, to a target gateway used to access a target server, and record the association between the source address and process information;
wherein the target gateway forwards the access request to the target server and forwards the response data of the target server to the source address, and the process information identifies the process that initiated the access request;
a receiving module configured to receive the response data returned by the target server through the target gateway;
and a display module configured to display a response page corresponding to the access request based on the response data and the association between the source address and the process information.
In one possible implementation, the steering port is the address to which an intercepted access request is delivered;
the steering module is configured to, in response to determining from the target steering policy that the network resource is a steered resource, modify the target address of the access request to the steering port at the network layer and call the callback handler corresponding to the protocol type of the access request, so that the access request intercepted at the steering port is authenticated and then sent to the target server through the target gateway;
the callback handler authenticates the access request and sends it to the target server using the transmission mode of the corresponding protocol type.
In one possible implementation, the apparatus further comprises:
an input module configured to pass, through a preconfigured proxy process, the function entry address corresponding to at least one protocol type into a preconfigured kernel component;
and the steering module is configured to:
modify the target address at the network layer, through the kernel component, to the steering port of the proxy process;
call, through the kernel component and based on the function entry address passed in by the proxy process, the callback handler corresponding to the protocol type, so that the access request intercepted at the steering port is authenticated and then sent to the target server through the target gateway;
wherein the target gateway is the gateway associated with the target address in the mapping between gateway service addresses and gateways.
In one possible implementation, the apparatus further comprises:
a detection module configured to start, through the preconfigured proxy process, listening for data arriving at the steering port;
and the steering module is configured to, in response to the proxy process detecting an access request intercepted at the steering port, store through the proxy process the association among source address, source port and process information, with the source address and source port as key and the process information as value; the communication link information further comprises the source port.
In one possible implementation, the communication link information further comprises a source port, and the association is a mapping keyed by source address and source port whose value is the process information;
the display module is configured to determine the receiving address and receiving port at which the response data is received; look up, with the receiving address and receiving port as key, the process information in the mapping keyed by source address and source port; return the response data to the application that initiated the access request based on that process information; and display the response page in the application based on the response data.
In one possible implementation, the apparatus further comprises either of:
a short-connection release module configured to release the source port in the process that initiated the access request and delete the entry keyed by source address and source port, where the communication connection between the target server and the requesting device is a short connection;
or a long-connection release module configured to keep the source port in the process until the communication connection between the target server and the requesting device reaches the long-connection end condition, and only then release the source port and delete the entry keyed by source address and source port, where the communication connection between the target server and the requesting device is a long connection.
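The following added example (written for this page, not code from the patent) shows the source-endpoint-to-process association the proxy process keeps in the implementations above: entries are stored keyed by (source address, source port), looked up with the receiving address and port of the response, deleted immediately for a short connection and only at the end condition for a long connection. The class and function names and the sample process records are assumptions.

```python
"""Association between the source endpoint of an intercepted access request and
the process that initiated it, with release for short and long connections.

Added illustration of the mechanism described in the patent text, not the
patent's own code; ProcessInfo, AssociationTable, deliver_response and
end_long_connection are names assumed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (address, port)


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    name: str
    path: str


class AssociationTable:
    """(source address, source port) -> process information.

    The proxy records an entry when it detects a request on the steering port
    and looks it up when response data arrives, keyed by the response's
    receiving address and port, which are the request's source address and port.
    """

    def __init__(self) -> None:
        self._entries: Dict[Endpoint, ProcessInfo] = {}

    def record(self, src_addr: str, src_port: int, proc: ProcessInfo) -> None:
        # Overwrite rather than refuse: once a port is released the OS may hand
        # it to another process, and a stale entry would route that process's
        # responses to the wrong application.
        self._entries[(src_addr, src_port)] = proc

    def lookup(self, recv_addr: str, recv_port: int) -> Optional[ProcessInfo]:
        return self._entries.get((recv_addr, recv_port))

    def release(self, src_addr: str, src_port: int) -> bool:
        """Delete the entry when the initiating process releases the port."""
        return self._entries.pop((src_addr, src_port), None) is not None

    def __len__(self) -> int:
        return len(self._entries)


def deliver_response(table: AssociationTable, recv_addr: str, recv_port: int,
                     data: bytes, long_connection: bool = False):
    """Return (process, data) for the application that owns the connection.

    Short connection: the port is released as soon as the response has been
    delivered, so the entry is deleted here.  Long connection: the entry stays
    until end_long_connection() is called when the end condition is reached.
    Returns None when no association exists (the response does not belong to
    an intercepted request, or the port was already released); such data must
    not be handed to any application.
    """
    proc = table.lookup(recv_addr, recv_port)
    if proc is None:
        return None
    if not long_connection:
        table.release(recv_addr, recv_port)
    return proc, data


def end_long_connection(table: AssociationTable, src_addr: str, src_port: int) -> bool:
    """Called when the long connection's end condition is reached."""
    return table.release(src_addr, src_port)


if __name__ == "__main__":
    # Constructed sample: one short-lived request and one long connection.
    table = AssociationTable()
    browser = ProcessInfo(4242, "browser", "/usr/bin/browser")
    table.record("10.0.0.5", 51234, browser)
    print(deliver_response(table, "10.0.0.5", 51234, b"page"))   # (browser, b'page')
    print(deliver_response(table, "10.0.0.5", 51234, b"late"))   # None: already released
    table.record("10.0.0.5", 51235, browser)
    print(deliver_response(table, "10.0.0.5", 51235, b"f1", long_connection=True))
    print(end_long_connection(table, "10.0.0.5", 51235))         # True
```

The check a practitioner wants here is the `None` path: a response whose receiving endpoint has no entry is dropped rather than delivered to whatever process now holds that port.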
In one possible implementation, the apparatus further comprises an obtaining module configured to obtain, when the current object (the logged-in user) is logged in to the steering management application, the target steering policy corresponding to the current object from the management server of the steering management application based on the object's login information, and to store the target steering policy in the memory space corresponding to the preconfigured kernel component.
In one possible implementation, the target steering policy comprises at least one of: a preconfigured steered-resource domain name and port, steered-resource network address and port, steered-resource protocol type, steered-resource process characteristic information, non-steered-resource domain name and port, non-steered-resource network address and port, non-steered-resource protocol type, or non-steered-resource process characteristic information.
In one possible implementation, the non-steered-resource domain name and port comprise the domain name and port bound by the management server;
the steered-resource domain name and port comprise the domain names and ports bound by resource servers in the private network of the target network, and the non-steered-resource domain name and port comprise the domain names and ports bound by resource servers in the public network of the target network.
In one possible implementation, the steering module is further configured to perform at least one of:
determining that the network resource is a steered resource in response to the domain name and port of the access request matching a steered-resource domain name and port;
determining that the network resource is a steered resource in response to the target address and target port of the access request matching a steered-resource network address and port;
determining that the network resource is a steered resource in response to the protocol type of the access request matching a steered-resource protocol type;
and determining that the network resource is a steered resource in response to the process information of the access request matching the steered-resource process characteristic information.
In one possible implementation, the apparatus further comprises:
a redirection module configured to, in response to the domain name and port of the access request matching a steered-resource domain name and port, resolve the domain name of the access request to a virtual network address, the virtual network address not being the real network address of that domain name.
In one possible implementation, the apparatus further comprises a non-steered-resource sending module configured to:
send the access request over the original communication link in response to the domain name and port of the access request matching a non-steered-resource domain name and port;
send the access request over the original communication link in response to the process information matching non-steered-resource process characteristic information;
and send the access request over the original communication link when the communication five-tuple of the access request matches none of the steered-resource network address and port, the steered-resource protocol type, or the steered-resource process characteristic information.
In another aspect, a computer device is provided, comprising a memory, a processor and a computer program stored in the memory, the processor executing the computer program to implement the data processing method described above.
In another aspect, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the data processing method described above.
In another aspect, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the data processing method described above.
The technical scheme provided by the embodiments of the present application has the following beneficial effects:
In the data processing method provided by the application, the communication link information of an access request is determined and, when the network resource is a steered resource, the request is steered to the target gateway based on the target address and the preconfigured steering port and forwarded by that gateway to the target server, so that access to resources that must be steered is automatically routed through the corresponding gateway. By recording the association between the source address and the information of the process that initiated the request, the response page is displayed from that association when the target server's response data arrives, so the whole access flow initiated by the request is executed accurately. No virtual network interface needs to be installed and no system routing table needs to be modified, which removes the poor practicability of the related art and improves the accuracy and practicability of private-network access.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below.
FIG. 1 is a schematic diagram of an implementation environment of a data processing method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a policy configuration page according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a policy configuration page according to an embodiment of the present application;
FIG. 5 is a schematic page diagram of a steering management application according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a policy configuration page according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a private network access architecture according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a private network access architecture according to an embodiment of the present application;
FIG. 9 is a signaling interaction diagram of a data processing method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the drawings. The embodiments described with reference to the drawings are exemplary descriptions for explaining the technical solutions of the embodiments and do not limit those solutions.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well unless expressly stated otherwise, as understood by those skilled in the art. The terms "comprises" and "comprising" as used in the embodiments mean that the corresponding features may be implemented as the presented features, information, data, steps or operations, but do not exclude implementation as other features, information, data, steps or operations supported by the state of the art.
It will be appreciated that in specific embodiments of the present application, any data related to an object or to an object's device, such as object login information, communication link information, source address, destination port, source port, device information, operating system and process information, may be collected only with the permission or consent of the object when the embodiments are applied to specific products or technologies, and the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
Fig. 1 is a schematic diagram of an implementation environment of a data processing method according to an embodiment of the present application. As shown in Fig. 1, the environment comprises a requesting device 11, a management server 12, a target gateway 13 and a target server 14. The requesting device 11 runs a steering management application, and the management server 12 is the backend server of that application. The steering management application intercepts access to resources that must be steered and guides it to a designated gateway. The target server 14 provides the network resources accessed by the requesting device 11, and the target gateway 13 forwards the access requests of the requesting device 11 to the target server 14.
The management server 12 is configured with a target steering policy that indicates which network resources must be steered. The requesting device 11 obtains the target steering policy through the steering management application. When the requesting device 11 initiates an access request to a network resource, it determines from the target steering policy whether that resource is a steered resource; if so, the steering management application steers the access request to the target gateway 13 for access to the target server 14. For example, the resource to be steered may be a restricted business resource in the intranet, which the enterprise administrator configures as a steered resource in the target steering policy on the management server 12; when the requesting device 11 initiates an access request to that business resource, it determines from the policy that the resource is a steered resource and, through the steering management application, steers the request to the target gateway 13 to reach the target server 14 on which the business resource resides.
In one possible scenario, if the network resource is a steered resource, the management server 12 authenticates the access request, and after authentication the requesting device 11 accesses the target server 14 via the target gateway 13. For example, the steering management application may be a service access client: the current object (the user) logs in to the client on the requesting device 11, and the requesting device 11 obtains the target steering policy corresponding to that object from the management server 12 based on the object's login information. When the requesting device 11 receives an access request from any application, it determines from the target steering policy whether the resource to be accessed is a steered resource; if so, it intercepts the access request based on the target address and the steering port. The requesting device 11 may also send an authentication request to the management server 12 carrying the object login information, the network resource the object wants to access, and so on. After authentication passes, the access request intercepted at the steering port is sent to the target server 14 through the target gateway 13.
In one possible scenario, steering access requests to the target gateway 13 is carried out by preconfigured processes and components. For example, the requesting device 11 may be preconfigured with a control process: the current object logs in to the steering management application through the control process, which obtains the target steering policy from the management server 12 and starts the proxy process. The proxy process loads the kernel component and calls its initialization logic, then writes the target steering policy into the memory space that belongs to the kernel component. The kernel component is execution logic that the requesting device 11 installs in the operating system. Every access request received by the requesting device 11 is checked against the target steering policy held by the kernel component; when the network resource is a steered resource, the kernel component modifies the target address of the access request to the steering port so that the request data is intercepted at the steering port. The proxy process then calls the callback handler corresponding to the protocol type of the access request, which authenticates the request intercepted at the steering port and sends it to the target server through the target gateway.
The requesting device 11 may be a server or a terminal. A server may be an independent physical server, a server cluster or distributed system of several physical servers, or a cloud server or cluster providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Networks), and basic cloud computing services such as big data and artificial intelligence platforms. The network may include, without limitation, wired networks (local area, metropolitan area and wide area networks) and wireless networks (Bluetooth, Wi-Fi and other networks implementing wireless communication). A terminal may be a smartphone (Android, iOS, etc.), tablet computer, notebook computer, digital broadcast receiver, MID (Mobile Internet Device), PDA (personal digital assistant), desktop computer, vehicle-mounted terminal (vehicle navigation terminal, vehicle computer, etc.), smart speaker, smart watch and the like. Terminal and server may be connected directly or indirectly by wired or wireless communication; the specifics depend on the requirements of the application scenario and are not limited here.
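As an added example (not the patent's or any product's code), the following simulates the interception path described in the Disclosure and in this scenario: the kernel component rewrites the target of a steered request to the proxy's steering port and remembers the original target keyed by the source endpoint; the proxy recovers that target from the kernel's record rather than from anything the application supplies, authenticates, selects the gateway bound to the target address, and hands the request to the callback registered for its protocol type. The class names, the steering endpoint 127.0.0.1:10800, the gateway table and the session check are assumptions, and the policy check is reduced to a set of (address, port) targets.

```python
"""Simulation of the interception path: kernel component -> steering port ->
proxy process -> protocol callback -> target gateway.

Added illustration, not the patent's own code. KernelComponent, ProxyProcess,
the steering endpoint 127.0.0.1:10800, the gateway table and the authenticate
callable are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Tuple

STEERING_ADDR, STEERING_PORT = "127.0.0.1", 10800   # assumed proxy listen endpoint
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class AccessRequest:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str   # "tcp" or "udp"
    pid: int     # process that initiated the request


class KernelComponent:
    """Stands in for the kernel hook that holds the steering policy in memory.

    Here the policy is reduced to a set of (address, port) targets; domain,
    protocol and process matching are left out of this example.
    """

    def __init__(self, steered_targets):
        self.steered_targets = set(steered_targets)
        # Original target per source endpoint, so the proxy can recover it
        # from the kernel's own record instead of trusting the application.
        self.original_dst: Dict[Endpoint, Endpoint] = {}

    def process(self, req: AccessRequest) -> AccessRequest:
        if (req.dst_addr, req.dst_port) not in self.steered_targets:
            return req                                   # non-steered: untouched
        self.original_dst[(req.src_addr, req.src_port)] = (req.dst_addr, req.dst_port)
        return replace(req, dst_addr=STEERING_ADDR, dst_port=STEERING_PORT)


class ProxyProcess:
    def __init__(self, kernel: KernelComponent, gateways: Dict[str, str],
                 authenticate: Callable[[int, Endpoint], bool]):
        self.kernel = kernel
        # gateway service network -> gateway address (the association between
        # gateway service address and gateway)
        self.gateways = [(ip_network(n), gw) for n, gw in gateways.items()]
        self.authenticate = authenticate
        # one callback handler per protocol type
        self.callbacks: Dict[str, Callable] = {"tcp": self._send_tcp, "udp": self._send_udp}

    def handle(self, req: AccessRequest) -> dict:
        if (req.dst_addr, req.dst_port) != (STEERING_ADDR, STEERING_PORT):
            return {"action": "direct", "target": (req.dst_addr, req.dst_port)}
        original = self.kernel.original_dst.get((req.src_addr, req.src_port))
        if original is None:
            # Reached the steering port without a kernel redirect (e.g. a local
            # process connecting to it directly): nothing legitimate to forward.
            return {"action": "drop", "reason": "no original target"}
        if not self.authenticate(req.pid, original):
            return {"action": "reject", "reason": "authentication failed"}
        gateway = self._gateway_for(original[0])
        if gateway is None:
            return {"action": "reject", "reason": "no gateway for target"}
        callback = self.callbacks.get(req.proto)
        if callback is None:
            return {"action": "drop", "reason": "unsupported protocol"}
        return callback(gateway, original)

    def _gateway_for(self, addr: str):
        ip = ip_address(addr)
        return next((gw for net, gw in self.gateways if ip in net), None)

    def _send_tcp(self, gateway: str, target: Endpoint) -> dict:
        return {"action": "steer", "proto": "tcp", "gateway": gateway, "target": target}

    def _send_udp(self, gateway: str, target: Endpoint) -> dict:
        return {"action": "steer", "proto": "udp", "gateway": gateway, "target": target}


def dispatch(kernel: KernelComponent, proxy: ProxyProcess, req: AccessRequest) -> dict:
    """Full path of one request: kernel hook first, then the proxy."""
    return proxy.handle(kernel.process(req))


def build_demo():
    # Constructed sample: intranet 10.20.0.0/16 behind gateway 198.51.100.10;
    # only pid 4242 holds a valid login session.
    kernel = KernelComponent({("10.20.30.40", 22), ("10.20.5.5", 443)})
    proxy = ProxyProcess(kernel, {"10.20.0.0/16": "198.51.100.10"},
                         authenticate=lambda pid, target: pid == 4242)
    return kernel, proxy


if __name__ == "__main__":
    k, p = build_demo()
    print(dispatch(k, p, AccessRequest("10.0.0.5", 51000, "10.20.30.40", 22, "tcp", 4242)))
    print(dispatch(k, p, AccessRequest("10.0.0.5", 51002, "10.20.5.5", 443, "tcp", 9999)))
```

Two points carry over to a real implementation: the original target must come from the kernel's redirect record (the same role SO_ORIGINAL_DST plays for iptables REDIRECT), and authentication must complete before the callback opens anything toward the gateway.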
Fig. 2 is a flow chart of a data processing method according to an embodiment of the present application. The execution subject of the method may be the requesting device. As shown in fig. 2, the method includes the following steps.
Step 201, requesting equipment acquires a target drainage strategy.
The target drainage policy indicates the drainage resources to be drained, i.e. which resources are defined in the target drainage policy to be drained. The requesting device may obtain the target drainage policy from the management server to subsequently determine whether to drain the resource requesting access based on the target drainage policy. The drainage resource refers to a network resource configured to limit access, for an access request of the access drainage resource, the request device intercepts and guides the access request to a gateway designated by a destination to access the network resource, and operations such as verification, authentication and the like can be performed on the access request, an object, an application, a device and the like which initiate the access request, and the network resource is drained to the designated gateway after the verification and the authentication pass. The non-drainage resource can be a network resource without limiting access, such as a network resource in a public network, without limiting access authority, and the request for accessing the non-drainage resource can be directly transmitted without interception and drainage.
In one possible implementation, the resources to be drained may be defined from the perspective of domain names, ports, network addresses, protocol types of the employed communication protocols, process information, etc. Illustratively, the target drainage strategy includes: at least one of pre-configured drainage resource domain name and port, drainage resource network address and port, drainage resource protocol type, and drainage resource process characteristic information.
The domain name and port of the drainage resource may be a domain name and port of a network resource to be drained, for example, an enterprise administrator may configure the enterprise internal domain name and access port as the drainage resource domain name and port in the management server. The drainage resource domain name can be a generic domain name or an accurate domain name; the generic domain name refers to the domain name information with a ligand, and indicates all sub-domains conforming to a certain feature. For example, a certain enterprise network domain is named "www.ABCD.com"; the generic domain name may be "×abcd.com", then "www.ABCD.com", "mail.abcd.com", etc. all belong to the domain name range covered by the generic domain name "×abcd.com". The sink resource port may be a designated port or ports, for example, the sink resource port may be a port list or all ports, of course, if all ports, i.e., the filtering of ports under the sink resource domain name is ignored.
The network address and port of the drainage resource may be a network address and port of a network resource to be drained, and the network address may be an IP (Internet Protocol ) address, for example, an enterprise administrator may configure a service IP and an access port of the enterprise in the management server, and an access request initiated by the requesting device to these service IP and access port needs to be intercepted and drained.
The drain resource protocol type may be a drain-required protocol type that needs to be intercepted and drained when the requesting device accesses the network resource with an access request of the drain-required protocol type. For example, the drain resource protocol type may include at least one of TCP or UDP, e.g., where a particular TCP protocol is employed to access a specified network resource, and no drain is required to access the network resource for the UDP protocol, thereby enabling traffic interception and venting for the particular protocol.
The drainage resource process characteristic information may be a drainage process, and when the requesting device initiates an access request to the network resource through a process with the drainage resource process characteristic information, the access needs to be intercepted and drained. The process information may include one or more of a process number (pid), a process name, a process path, a process executable hash value (e.g., MD 5), version information, whether or not there is specified signature information, and other attribute information of the process executable, etc. The process characteristic information may include a drainage condition, such as no designated signature, a process path being a preconfigured path to be drained, and so on.
In one possible implementation, the target drainage policy may also indicate non-drainage resources that do not need to be drained, i.e., the target drainage policy may also define which resources are not drained. Illustratively, the target drainage policy may further include at least one of a preconfigured non-drainage resource domain name and port, non-drainage resource network address and port, non-drainage resource protocol type, or non-drainage resource process characteristic information. For example, an enterprise administrator may configure resource domain names and ports at the management server that are prohibited from interception; e.g., to avoid affecting access to a specified business system, the enterprise administrator may configure the domain name of the specified business system as a non-drainage resource domain name. Illustratively, the non-drainage resource network address refers to the network address of a network resource that does not require drainage. For example, the enterprise administrator may also designate a portion of the IP addresses in the enterprise network address space as an IP list or IP segment that is prohibited from interception and drainage; when the destination address of an access request of the requesting device hits the designated IP list or IP segment, the access request is released and no interception or drainage is performed.
In one possible example, the requesting device does not need to intercept or drain the communication connection between itself and the management server. That is, an access request initiated by the requesting device to the management server does not need to be intercepted and drained. Illustratively, the non-drainage resource domain name and port include the domain name and port to which the management server is bound. For example, the requesting device transmits to the management server a policy update request for updating the drainage policy, a login request for logging in to the drainage management application, and the like. Similarly, the non-drainage resource network address and port may include the network address and port bound by the management server; for example, a server cluster address, a load balancer address, an access gateway address, and the like deployed in the background of the drainage management application are treated as resources for which drainage is prohibited, and the requesting device may access them directly.
In another possible example, part of the network resources of the target network may be configured on the requesting device as non-drainage resources, and the remainder as resources to be drained. Illustratively, the drainage resource domain name and port include the domain name and port bound by a resource server in the private network of the target network, and the non-drainage resource domain name and port include the domain name and port bound by a resource server in the public network of the target network. The target network may be an intranet; for example, one part of the separated IP addresses in the intranet serves as direct-access site information that is not drained, and the other part serves as access-restricted sites that are drained.
In one possible implementation manner, the management server may configure a drainage policy for each object at object granularity, and the requesting device may obtain the target drainage policy based on the information of the current object. For example, the process by which the requesting device obtains the target drainage policy may include: in response to the current object logging in to the drainage management application, the requesting device acquires the target drainage policy corresponding to the current object from the management server of the drainage management application based on the object login information of the current object; and the requesting device stores the target drainage policy in a memory space corresponding to the preconfigured kernel component. The requesting device may also periodically update the drainage policy stored in memory by the kernel component. For example, the update process may include: the requesting device periodically, according to a target update period, acquires the target drainage policy from the management server based on the object login information of the current object, and updates the drainage policy stored in the memory space of the kernel component based on the newly acquired target drainage policy. By way of example, the object login information may include, but is not limited to, the login account number, login address, login device information, login time, etc. of the current object, where the login device information may include information such as a device name, a model number, an operating system type, etc.
When the current object logs in to the drainage management application, the requesting device may obtain the target drainage policy corresponding to the current object from the management server through a control process; the control process pulls up the proxy process; and through the proxy process, kernel component initialization logic is invoked to insert a preconfigured kernel component into the operating system of the requesting device. The requesting device performs format checking and parsing on the target drainage policy acquired from the management server through the control process, pushes the target drainage policy to the application-layer proxy process through IPC (Inter-Process Communication) or an interface of the proxy process, calls the SDK (Software Development Kit) interface exposed by the kernel component through the proxy process, and stores the target drainage policy in the memory space corresponding to the kernel component. Of course, the update process of the drainage policy can also be completed cooperatively by the control process, the proxy process and the kernel component. For example, when the drainage policy stored in the memory corresponding to the kernel component differs from the target drainage policy newly acquired by the control process, the requesting device updates the drainage policy in the memory corresponding to the kernel component to the latest target drainage policy. Through this cooperation, when the policy on the server side changes, the kernel component and the proxy process can complete policy storage, policy update synchronization and the update of related in-memory data structures in a short time.
It should be noted that, the request device may implement the process of intercepting, authenticating, and guiding the access request to the target gateway to access the target server through the proxy process, the kernel component, and the control process.
As shown in fig. 3, in the management server an enterprise administrator configures the resources to be drained for a single object, with the object as the granularity. For example, in the service system configuration for object 1, the resources to be drained corresponding to object 1 are configured as all URLs (Uniform Resource Locators) in the service system, that is, object 1 has access rights to all resources in the service system, and URL requests initiated by object 1 to any of these resources need to be intercepted and drained. Of course, the application through which object 1 initiates access may also be configured with rights, and an application with access rights may be configured as a trusted application, where a trusted application is an application carrier trusted by the management server through which the requesting device can access the internal service system. As shown in fig. 3, the trusted application configuration supports and distinguishes the configuration of trusted applications on different systems such as Windows and mac; for example, any application on the Windows device of object 1 is a trusted application. Of course, applications may also be grouped, each group including one or more trusted applications, so that corresponding groups are configured for respective objects. As shown in fig. 4, there may be multiple objects under the whole-network account, and the service system configuration and the trusted application configuration may also be performed for different objects in the management server.
As shown in FIG. 5, FIG. 5 provides a page schematic of the drainage management application. As shown in fig. 5, the drainage management application provides a zero-trust office service and, of course, other services such as virus killing, compliance detection, bug fixes, and computer tools. For the zero-trust office service, when the current object logs in to the drainage management application, the requesting device can connect to the company intranet corresponding to the current object based on the object login information of the current object, so that the current object accesses the internal network resources of the company intranet using the dedicated network access method provided by the application. The page of the zero-trust office service can also display functions provided by the drainage management application such as office security real-time protection, trusted software configuration, compliance policy configuration, account login and the like. As shown in fig. 5, if no compliance policy is currently configured, a tag indicating that the compliance policy is not configured is displayed. For example, the trusted software configuration page may be displayed in the current page, and the configured trusted software shown in it may include any application. Of course, the intercepted software may also be displayed, so that the current object clearly understands its access to the company intranet, which in turn makes it easier for the current object to access the business systems of the company intranet configured by the administrator using the designated trusted application.
Step 202, the requesting device determines the communication link information corresponding to the access request in response to receiving the access request to the network resource.
The communication link information includes a source address and a destination address. The source address refers to the address of the device that originated the access request, i.e., the requesting device. The target address refers to a network address where the network resource to be accessed by the access request is located. In one possible embodiment, the communication link information may be a communication quintuple of the access request, and the communication link information may include: source address, source port, destination address, destination port, and protocol type.
In one possible example, the requesting device may obtain the communication link information through a preconfigured kernel component. The kernel component can include execution logic that obtains the communication link of an access request when the access request is received. The kernel component is inserted into the operating system of the requesting device as execution logic, through which the requesting device performs step 202.
In one possible implementation manner, the requesting device may further obtain, through the kernel component, information such as the domain name and port, the process information, the initiating application program, and the like corresponding to the access request. The requesting device may obtain, through the kernel component, the domain name and port corresponding to the access request, which are the domain name and port of the network resource to be accessed. In an example, the requesting device may also obtain, through the kernel component, the process information of the access request; the process information refers to information about the process that initiated the access request, which may include, but is not limited to, one or more of a process name, a process path, a hash value of the process executable file (e.g., MD5), version information, whether specified signature information is present, and other attribute information of the process executable file. In an example, the requesting device may further obtain, through the kernel component, the application program that initiated the access request, where the application program refers to the program through which the current object triggered the access request; for example, the current object triggers a browse request for an access-restricted file in an enterprise application, and that enterprise application is the application that initiated the access request. The requesting device may perform the following steps 203-204 through the drainage management application to intercept and drain the browse request.
Step 203, the requesting device determines that the network resource belongs to a drainage resource based on a preconfigured target drainage policy, and based on the target address and the preconfigured drainage port, the requesting device drains the access request to the target gateway to access the target server, and records the association relationship between the source address and the process information.
The target gateway is used for forwarding the access request to the target server and forwarding the response data of the target server to the source address, and the process information identifies the process that initiated the access request. The drainage port is used to indicate the address to which the intercepted access request is delivered.
In this step, the requesting device may determine, based on the target drainage policy, whether the network resource to be accessed belongs to the drainage resource. If the network resource belongs to the drainage resource, the request equipment modifies the target address of the access request into a drainage port so as to intercept the access request; and after the request equipment authenticates the access request, the access request is sent to a target server through the target gateway. In one possible implementation, this step 203 may include the following steps 2031-2032.
Step 2031, the requesting device determines, based on the target drainage policy, whether the network resource belongs to a drainage resource.
The requesting device may determine whether the network resource belongs to the drainage resource based on at least one of the domain name, the destination address, the protocol type, and the process information of the access request.
Illustratively, the requesting device may make the determination using the domain name. This step 2031 may include: the requesting device determines that the network resource belongs to the drainage resource in response to the domain name and port of the access request belonging to the drainage resource domain name and port. For example, the requesting device may compare, via the kernel component, the domain name and port of the access request with the drainage resource domain name and port in the memory space corresponding to the kernel component, and determine that the network resource belongs to the drainage resource if the domain name and port of the access request belong to the drainage resource domain name and port. The requesting device may also compare only the domain name of the access request with the drainage resource domain name, and if the domain name of the access request belongs to the drainage resource domain name, it may likewise determine that the network resource belongs to the drainage resource. For example, taking a DNS (Domain Name System) request as the access request, a DNS redirection list is stored in the memory corresponding to the kernel component, where the DNS redirection list includes the domain names of DNS requests to be redirected; if the domain name of the DNS request belongs to the DNS redirection domain name list, the resource to be accessed by the DNS request belongs to the drainage resource.
Illustratively, the requesting device may use the destination address for the determination. This step 2031 may include: the requesting device determines that the network resource belongs to the drainage resource in response to the target address and target port of the access request belonging to the drainage resource network address and port. For example, the requesting device may compare, via the kernel component, the target address and target port of the access request with the drainage resource network address and port in the memory space corresponding to the kernel component, and determine that the network resource belongs to the drainage resource if the target address and target port of the access request belong to the drainage resource network address and port. For example, the kernel component may store in its corresponding memory a list of IP addresses and ports to be drained; if the destination address belongs to the IP address list, or the destination address and destination port belong to the IP address and port list, the network resource belongs to the drainage resource.
Illustratively, the requesting device may make the determination in connection with the protocol type. This step 2031 may include: the requesting device determines that the network resource belongs to the drainage resource in response to the protocol type of the access request belonging to the drainage resource protocol type. For example, the requesting device may compare, via the kernel component, the protocol type of the access request with the drainage resource protocol type in the memory space corresponding to the kernel component, and determine that the network resource belongs to the drainage resource if the protocol type of the access request belongs to the drainage resource protocol type.
Illustratively, the requesting device may make the determination in connection with the process information. This step 2031 may include: the requesting device determines that the network resource belongs to the drainage resource in response to the process information of the access request conforming to the drainage resource process characteristic information. For example, the requesting device may compare, via the kernel component, the process information of the access request with the process characteristic information in the memory space corresponding to the kernel component, and determine that the network resource belongs to the drainage resource if the process information of the access request conforms to the drainage resource process characteristic information. For example, if the process path of the access request is a designated preconfigured drainage process path and the process of the access request does not carry the designated signature information, it may be determined that the network resource accessed by that process belongs to the drainage resource.
It should be noted that the requesting device may decide in conjunction with one or more of the domain name, the network address, the protocol type, or the process information; take the combination of network address and protocol type as an example. The target drainage policy in the memory corresponding to the kernel component may include a drainage resource network address and port together with a protocol type. The requesting device may compare, via the kernel component, the target address, target port and protocol type of the access request with the drainage resource network address, port and protocol type in the memory space corresponding to the kernel component, and determine that the network resource belongs to the drainage resource if the target address and target port of the access request belong to the drainage resource network address and port and the protocol type belongs to the drainage resource protocol type. For example, access requests to specific enterprise intranet IP segments that use the TCP protocol need to be intercepted and drained.
In one possible implementation manner, the target drainage policy further defines network resources that are not drained, and the determination performed by the requesting device based on the target drainage policy may further include the following four cases. In the first case, the requesting device determines that the network resource belongs to the non-drainage resource in response to the domain name and port of the access request belonging to the non-drainage resource domain name and port. In the second case, the requesting device determines that the network resource belongs to the non-drainage resource in response to the process information of the access request conforming to the non-drainage resource process characteristic information. For example, after the requesting device obtains the process information from the process identification information (such as the process number pid) through the kernel component, it compares the process information with the non-drainage process list in the target drainage policy; if the match succeeds, the requesting device releases the access request directly without interception or drainage, and if no match is found, execution continues with step 2032 for further processing. In the third case, the requesting device determines that the network resource belongs to the non-drainage resource in response to the communication quintuple of the access request matching none of the drainage resource network address and port, the drainage resource protocol type, or the drainage resource process characteristic information. In the fourth case, the requesting device determines that the network resource belongs to the non-drainage resource in response to the target address and target port of the access request belonging to the non-drainage resource network address and port.
For example, if the network resource belongs to a non-drainage resource, the requesting device may send the access request as-is based on the communication link information. For example, if the domain name of a DNS request is a domain name for which redirection is prohibited, the kernel component releases the DNS request directly without intercepting or draining it. For example, for an IP list or IP segment configured by the enterprise administrator as prohibited from interception, if the target address of an access request hits the IP list or IP segment, the access request is transmitted directly without interception or drainage. For example, an access request to the management server is passed through directly.
Of course, the requesting device may also decide by combining the characteristics of the drainage resources and the non-drainage resources. For example, based on the segment list of non-drainage resources in the target drainage policy, it is first determined whether the target address hits the direct-connection segment list. If it hits, the access request is released for direct access. If it does not hit, the three items target address, target port and protocol type from the quintuple are combined, and filtering and lookup are carried out against at least one of the IP, port or protocol lists corresponding to the resources to be drained in the target drainage policy. If any of the following conditions is satisfied: the target address hits the IP corresponding to a resource to be drained; or the target address and target port hit the IP and port corresponding to a resource to be drained; or the target address, target port and protocol type hit the IP, port and protocol list corresponding to a resource to be drained; then the network resource is determined to belong to the resources to be drained, and the access request must be drained to the proxy process. If none of the above conditions is satisfied, the network resource is determined to belong to the non-drainage resources and is released directly by the kernel component.
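The policy fields listed earlier (wildcard domain name and port, network address and port, protocol type, process characteristic information, and their non-drainage counterparts) and the combined decision order just described can be expressed as a single evaluation function. The following is an added example written for this page, not code from the patent or any vendor implementation: the non-drainage checks run first so that the management server or a direct-connection segment can never be intercepted, the protocol filter runs next, and only then are the drainage conditions tested. The policy values, addresses, ports and process paths are constructed sample data, and the field names are assumptions.

```python
"""Target drainage policy evaluation for one access request (added illustration)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ProcessInfo:
    pid: int
    name: str
    path: str
    signed: bool            # whether the executable carries the designated signature


@dataclass
class AccessRequest:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str           # "TCP" or "UDP"
    domain: Optional[str]   # requested domain name, when the request carries one
    process: ProcessInfo


@dataclass
class DrainagePolicy:
    # resources to be drained (assumed field names)
    drain_domains: list = field(default_factory=list)       # "*abcd.com" or exact names
    drain_domain_ports: list = field(default_factory=list)  # empty list = all ports
    drain_ips: list = field(default_factory=list)           # "10.0.0.0/16" or single hosts
    drain_ip_ports: list = field(default_factory=list)      # empty list = all ports
    drain_protocols: list = field(default_factory=list)     # empty list = any protocol
    drain_process_paths: list = field(default_factory=list)
    drain_only_unsigned: bool = False                       # drain listed paths only if unsigned
    # resources that are never intercepted
    direct_domains: list = field(default_factory=list)
    direct_segments: list = field(default_factory=list)
    direct_process_names: list = field(default_factory=list)


def domain_matches(pattern: str, domain: str) -> bool:
    """Exact match, or wildcard match: '*abcd.com' covers www.abcd.com and mail.abcd.com."""
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("*"):
        return domain.endswith(pattern[1:])
    return domain == pattern


def ip_in(ip: str, entries) -> bool:
    """True if ip falls inside any listed host or CIDR segment."""
    addr = ip_address(ip)
    return any(addr in ip_network(e, strict=False) for e in entries)


def port_allowed(port: int, ports) -> bool:
    return not ports or port in ports


def decide(policy: DrainagePolicy, req: AccessRequest) -> str:
    """Return 'DIRECT' (release unchanged) or 'DRAIN' (intercept and hand to the proxy process)."""
    # 1. non-drainage resources first: management server, direct-connection segments, agent itself
    if req.domain and any(domain_matches(p, req.domain) for p in policy.direct_domains):
        return "DIRECT"
    if ip_in(req.dst_ip, policy.direct_segments):
        return "DIRECT"
    if req.process.name in policy.direct_process_names:
        return "DIRECT"
    # 2. protocol filter: when the policy names protocols, other protocols are released
    if policy.drain_protocols and req.protocol not in policy.drain_protocols:
        return "DIRECT"
    # 3. drainage conditions on domain, address, or process characteristics
    if req.domain and any(domain_matches(p, req.domain) for p in policy.drain_domains) \
            and port_allowed(req.dst_port, policy.drain_domain_ports):
        return "DRAIN"
    if ip_in(req.dst_ip, policy.drain_ips) and port_allowed(req.dst_port, policy.drain_ip_ports):
        return "DRAIN"
    if req.process.path in policy.drain_process_paths \
            and (not policy.drain_only_unsigned or not req.process.signed):
        return "DRAIN"
    # 4. the quintuple matched nothing: not a drainage resource
    return "DIRECT"


# Constructed sample policy, as an administrator might configure it on the management server.
SAMPLE_POLICY = DrainagePolicy(
    drain_domains=["*abcd.com"],
    drain_ips=["10.0.0.0/16"],
    drain_ip_ports=[443, 8443],
    drain_protocols=["TCP"],
    drain_process_paths=[r"C:\legacy\tool.exe"],
    drain_only_unsigned=True,
    direct_domains=["mgmt.abcd.com"],       # the management server's own domain
    direct_segments=["10.0.200.0/24"],      # direct-access site list
    direct_process_names=["drain-agent.exe"],
)


def make_request(dst_ip, dst_port, protocol="TCP", domain=None, name="chrome.exe",
                 path=r"C:\Program Files\chrome.exe", signed=True) -> AccessRequest:
    """Helper building a constructed request from a fixed sample source address."""
    return AccessRequest("192.168.1.5", 51000, dst_ip, dst_port, protocol, domain,
                         ProcessInfo(1234, name, path, signed))
```

The order matters for safety as well as correctness: with `mgmt.abcd.com` covered by the wildcard `*abcd.com`, testing the drainage conditions first would intercept the agent's own policy-update and login traffic, which the text explicitly excludes.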
If the network resource belongs to the drain resource, the requesting device intercepts, authenticates and drains the access request by executing the following step 2032.
In one possible implementation, when the domain name of the access request belongs to the drainage resource domain name, the requesting device may further assign a virtual IP address to the access request. Therefore, before performing step 2032 below, the requesting device performs the following step A: in response to the domain name and port of the access request belonging to the drainage resource domain name and port, the requesting device redirects the domain name of the access request to a virtual network address, where the virtual network address is not the real network address corresponding to the domain name of the access request.
Illustratively, when the requesting device determines through the kernel component that the domain name of the access request belongs to the drainage resource domain name, the requesting device resolves the domain name of the access request to a virtual network address through the proxy process. Taking a DNS request as an example, if the kernel component determines that the domain name of the DNS request belongs to a redirection domain name, the kernel component asks the application-layer proxy process to further confirm that the domain name of the DNS request really belongs to the domain names to be drained, for example an enterprise domain name whose access is restricted; the proxy process then performs DNS resolution for that domain name so as to assign a virtual IP to the DNS request. Of course, if the proxy process further determines that the domain name of the DNS request does not belong to the domain names to be drained, the proxy process forwards the DNS request directly to the upstream DNS server for real DNS resolution, so that the real network address corresponding to the domain name of the DNS request is returned to the requester.
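The virtual-address assignment of step A can be modelled as a small resolver in the proxy process. The following is an added example for this page, not the patent's or any product's code: domain names on the redirection list are answered with a stable virtual IP drawn from a pool that is not routable on the real network, so a later connection to that virtual IP can be recognised and drained without the real address of the protected host ever being disclosed to the client, while other names are passed to the upstream resolver (simulated here by a constructed answer table). The pool range 198.18.0.0/15, the names and the addresses are assumptions; a real proxy would serve this from a DNS socket rather than calling `resolve` directly.

```python
"""Virtual-IP DNS redirection in the proxy process (added illustration)."""
from ipaddress import IPv4Network
from typing import Dict, Optional

# Constructed stand-in for the upstream DNS server's answers.
UPSTREAM_TABLE: Dict[str, str] = {
    "www.example.org": "203.0.113.7",
}


class VirtualDnsResolver:
    def __init__(self, redirect_list, pool_cidr: str = "198.18.0.0/15"):
        # redirect_list entries are exact names or "*suffix" wildcards (the DNS redirection list)
        self.redirect_list = [d.lower() for d in redirect_list]
        self._pool = IPv4Network(pool_cidr).hosts()     # generator of unused virtual addresses
        self.domain_to_vip: Dict[str, str] = {}
        self.vip_to_domain: Dict[str, str] = {}

    def _is_redirected(self, domain: str) -> bool:
        for entry in self.redirect_list:
            if entry.startswith("*"):
                if domain.endswith(entry[1:]):
                    return True
            elif domain == entry:
                return True
        return False

    def resolve(self, domain: str) -> Optional[str]:
        """Address handed back to the client: a stable virtual IP for redirected domains,
        otherwise the upstream answer (None when the upstream has no record)."""
        domain = domain.lower().rstrip(".")
        if not self._is_redirected(domain):
            return UPSTREAM_TABLE.get(domain)
        vip = self.domain_to_vip.get(domain)
        if vip is None:
            vip = str(next(self._pool))                 # allocate the next free virtual IP
            self.domain_to_vip[domain] = vip
            self.vip_to_domain[vip] = domain
        return vip

    def original_domain(self, vip: str) -> Optional[str]:
        """When a connection to a virtual IP is intercepted at the drainage port, recover
        which protected domain the client actually asked for."""
        return self.vip_to_domain.get(vip)
```

Keeping the reverse map `vip_to_domain` is what makes the later interception useful: the kernel component only sees a connection to a virtual address, and the proxy needs the domain behind it to authenticate the request against the configured business system and choose the gateway.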
Step 2032, the requesting device responds to the network resource belonging to the drainage resource, and based on the target address and the preconfigured drainage port, the access request is drained to the target gateway to access the target server.
The drain port indicates an address for carrying the intercepted access request.
In one possible implementation manner, the requesting device may intercept the access request by means of the drainage port, and authenticate the request data of the intercepted access request and drain it to the target gateway. Illustratively, this step 2032 may include: in response to determining, based on the target drainage policy, that the network resource belongs to the drainage resource, the requesting device modifies the target address of the access request to the drainage port at the network layer, and calls the callback processing function corresponding to the protocol type of the access request, so as to authenticate the access request intercepted at the drainage port and then send it to the target server through the target gateway. Illustratively, the requesting device may modify the target address at the network layer to the drainage port of the proxy process through the kernel component; the requesting device intercepts, through the proxy process, the access request sent to the drainage port; and the kernel component calls the callback processing function corresponding to the protocol type of the access request to complete the processing that the callback function implements.
Illustratively, the drainage port is a port on which the proxy process listens, and before the requesting device executes step 2032, that is, before draining the access request to the target gateway for accessing the target server based on the target address and the preconfigured drainage port, the requesting device starts data listening on the drainage port through the preconfigured proxy process. For example, the proxy process may open a designated port on the locally configured loopback network card as the drainage port and listen for data received on it. Thus, when the requesting device modifies the destination address of the access request to the drainage port at the network layer, the proxy process observes the access request sent to the drainage port and thereby obtains the request data of the access request.
The callback processing function is used for executing authentication on the access request and sending the access request to the target server based on a transmission mode of a corresponding protocol type. The protocol type transmission modes include, but are not limited to: transmission methods of TCP and UDP, and the like.
For the authentication process, the requesting device may send, through the proxy process and by means of inter-process communication, one or more of the process information of the access request, the destination address and destination port before modification, the source address and source port, the protocol type, the application program that initiated the access request, and the object login information to the control process. The requesting device authenticates the access request through the control process based on the information sent by the proxy process; for example, the authentication process may include at least one of the following verification operations: verifying whether the application program that initiated the access request is a trusted application, verifying whether the target address and target port are a designated site, verifying whether the access request is a compliant request, verifying whether the process of the access request is a compliant process, verifying whether the device environment of the access request is safe, verifying whether the current object has access rights to the resource at the target address and target port, and the like. If the authentication passes, the requesting device sends a credential application request to the management server through the control process, where the credential application request is used to apply to the management server for a gateway access credential; the credential application request may carry authentication information, which may include at least one item of the information sent by the proxy process to the control process. The management server can authenticate the access request based on the authentication information carried by the credential application request, and when the management server's authentication passes, the management server sends the gateway access credential to the requesting device.
The request equipment receives the gateway access credential and transmits the gateway access credential to the proxy process through the control process; the requesting device sends the gateway access credential to the target gateway through the proxy process. The target gateway can send the gateway access credential to the target server for further authentication, and the target gateway sends an authentication passing message to the requesting device based on the authentication passing message returned by the target server. The requesting device sends the access request to the target gateway. And finally, sending the access request to a target server through the target gateway.
In one possible implementation, the requesting device may pass the address of a callback processing function to the kernel component through the proxy process, so that the callback processing function is invoked by the kernel component. Therefore, before calling the callback processing function corresponding to the protocol type of the access request, the requesting device may execute the following step B: the requesting device transmits, through a preconfigured proxy process, a function entry address corresponding to at least one protocol type to the preconfigured kernel component. Accordingly, the implementation of step 2032 may include: the requesting device modifies the target address into a drainage port of the proxy process at the network layer through the kernel component; and calls, through the kernel component, the callback processing function corresponding to the protocol type based on the function entry address transmitted by the proxy process, so as to authenticate the access request intercepted at the drainage port and then send the access request to the target server through the target gateway.
Illustratively, the proxy process stores in a memory space a function entry address corresponding to at least one protocol type, for example the function entry address of a TCP callback processing function and the function entry address of a UDP callback processing function. For example, the proxy process calls the SDK interface of the kernel component by directly reading and writing the kernel driver handle; the function entry address of the TCP callback processing function and the function entry address of the UDP callback processing function are passed into the SDK interface of the kernel component by the proxy process, so that the kernel component calls the corresponding callback processing function based on the transmitted function entry address.
The target gateway is the gateway corresponding to the target address in an association relationship between gateway service addresses and gateways. For example, an enterprise administrator may configure in the management server the association between gateway service addresses, which may include the addresses of servers providing the drainage resources, and gateways. The requesting device may use the gateway corresponding to the target address as the target gateway based on the association relationship between the gateway service address and the gateway.
As shown in fig. 6, after the enterprise administrator configures the drainage policy in the management server, a corresponding accessible gateway may also be configured for each service system, for example, different gateways provide gateway services for different service addresses. For example, gateway A may correspond to a service address of "9.134.65.163:9443"; of course, after the enterprise administrator configures the plurality of gateways, the enterprise administrator may also configure an access order of the respective gateways, e.g., define a ranking of the respective gateways such that the respective intelligent gateways are accessed based on the ranking.
Step 2033, the requesting device records the association relationship between the source address and the process information.
In this step, the requesting device starts data detection on the drainage port through a preconfigured proxy process; therefore, when the requesting device detects, through the proxy process, an access request intercepted at the drainage port, the requesting device records the association relationship between the source address of the access request and the process information.
In one possible implementation, the communication link information further includes a source port, and the requesting device may correspondingly store the source address and the process information in a key-value pair manner. Accordingly, embodiments of the present step may include: the request device responds to the access request intercepted by the drainage port, and correspondingly stores the association relationship among the source address, the source port and the process information by taking the source address and the source port of the access request as keys and taking the process information as values through the proxy process.
Illustratively, the proxy process may detect, through the drainage port, an access request sent to the drainage port, with the source address (LocalAddr) and source port (LocalPort) in the communication five-tuple of the access request as keys. The requesting device may report the process information of the access request to the proxy process through the kernel component; the requesting device uses the process information as the value through the proxy process, so that a key-value mapping table structure is constructed in the memory space corresponding to the proxy process. By way of example, the process information may include a process ID (e.g., the process number pid), a process name, a process full path, etc.; of course, one or more of a hash value of the process executable file (for example, MD5), version information, whether specified signature information is present, other attribute information of the process executable file, and the like may also be included; the application does not limit the specific content of the process information, and this section uses only the process ID, process name, process full path and the like as examples. In one possible example, the requesting device may also report, through the kernel component, details of the access request such as the traffic ID and communication five-tuple to the proxy process. Therefore, the requesting device may also construct the correspondence between the source address and source port, the process information and the communication five-tuple by taking the source address and source port in the communication five-tuple as keys and taking the process information and the communication five-tuple as values through the proxy process.
For another example, the source address and the source port in the communication quintuple may be used as keys, and the traffic ID, the process information, and the communication quintuple may be used as values, so as to construct the correspondence between the source address and the source port, the traffic ID, the process information, and the communication quintuple. For example, the detailed information received by the requesting device via the proxy process that is reported by the kernel component may include at least one of:
It should be noted that step 2032 and step 2033 may be performed concurrently, and of course they may also be performed one after the other; the step numbers of step 2032 and step 2033 do not limit the execution order between the two steps.
Step 204, the request device receives the response data returned by the target server through the target gateway, and displays a response page corresponding to the access request based on the response data and the association relationship between the source address and the process information.
The request device receives the response data, determines an application program corresponding to the response data based on the association relation between the source address and the process information, and displays a response page responding to the access request in the application program based on the response data. The application program corresponding to the response data refers to an application program initiating an access request corresponding to the response data. The request equipment can determine an application program corresponding to the response data based on the process information; for example, the process information may include an application ID of the application that initiated the access request. For example, the current object initiates a request for browsing a specified file in the enterprise application, the requesting device receives file data returned by the business server of the enterprise, locates the enterprise application corresponding to the file data based on the association relationship, and displays the file data in a page of the enterprise application.
In one possible implementation manner, the association relationship includes a correspondence relationship taking the source address and source port as keys and taking the process information as the value; the implementation of step 204 may include: the requesting device determines the receiving address and receiving port on which the response data is received; the requesting device uses the receiving address and receiving port as keys, and determines the process information corresponding to the receiving address and receiving port from the correspondence relationship that uses the source address and source port as keys and the process information as values; the requesting device returns the response data to the application program that initiated the access request based on the process information corresponding to the receiving address and receiving port, and the response page is displayed in the application program based on the response data. The receiving address and receiving port of the response data refer to the address and port on which the response data is received. The receiving address and receiving port of the response data are the source address and source port of the access request corresponding to the response data. In the Go language, net.TCPConn may be used to obtain the IP and port of the TCP communication peer, and net.UDPConn may be used to obtain the IP and port of the UDP communication peer, i.e. the receiving address and receiving port.
Illustratively, the callback processing function is further configured to determine the process information corresponding to the response data. When the requesting device receives the response data, it calls the callback processing function to determine the process information corresponding to the response data based on the receiving address and receiving port of the response data. For example, the requesting device may obtain, through the proxy process, the receiving address and receiving port of the response data, pass the receiving address, the receiving port and the response data to the kernel component by reading and writing the kernel driver handle, and execute the callback processing function through the kernel component based on the data passed in by the proxy process, so as to determine the process information corresponding to the response data from the correspondence relationship maintained by the proxy process (source address and source port as keys, process information as values), and pass the response data back to the application program so that the response page is displayed in the application program.
In one possible implementation manner, after receiving the response data returned by the target server through the target gateway, the requesting device may release the resources involved in the access process, based on the sending and response process of the access request. For example, the occupied source port is released. In one possible example, if the communication connection between the target server and the requesting device is a short connection, the requesting device may release the source port in the process that initiated the access request and delete the correspondence relationship with the source address and source port as keys and the process information as values. For example, if a short connection is established between the target server and the requesting device, then once the requesting device has received the response data, the access between the target server and the requesting device is finished, and the requesting device can release the source port occupied by the access. In another possible example, if the communication connection between the target server and the requesting device is a long connection, the requesting device may keep the source port in the process until the communication connection between the target server and the terminal device reaches a long connection end condition, then release the source port in the process and delete the correspondence relationship with the source address and source port as keys and the process information as values. The long connection end condition may include, but is not limited to: the communication duration exceeds a long connection duration threshold, a trigger operation that ends the long connection is received, and the like.
For example, when the current object views a video resource in an intranet, a long connection may be established between the requesting device and the target server, and when the long connection duration exceeds a threshold, or the current object triggers an operation of closing the viewing of the video, the requesting device releases the source port.
It should be noted that, by releasing source ports in a timely manner in both the short connection and long connection cases, one source port is guaranteed to correspond to only a single access request at any one time, so that an accurate one-to-one correspondence between the access initiated by an access request and its response is guaranteed, and the accuracy of the access is ensured.
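The key-value table of step 2033 (source address and source port as keys, process information as value), the lookup by the receiving address and port of the response data in step 204, and the short-connection and long-connection release just described can be illustrated with the following Go code. This is an added example and is not code from the patent or its applicant; the type names, the field set of the process information, and the use of a duration threshold or an explicit close as the long connection end condition are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// ProcessInfo is the process information the kernel component reports to the
// proxy process for an intercepted access request (field set is assumed).
type ProcessInfo struct {
	PID      int
	Name     string
	FullPath string
}

// Session is the value stored for one intercepted access request.
type Session struct {
	Proc      ProcessInfo
	TrafficID uint64
	Long      bool      // true when the access uses a long connection
	Started   time.Time // when the request was intercepted at the drainage port
}

var (
	ErrPortInUse = errors.New("source port already bound to an access request")
	ErrNoSession = errors.New("no access request recorded for this address and port")
)

// SessionTable is the in-memory key-value table of the proxy process, keyed by
// the (source address, source port) of the access request. That pair is also
// the receiving address and port of the corresponding response data.
type SessionTable struct {
	mu       sync.Mutex
	sessions map[netip.AddrPort]Session
	longMax  time.Duration // long connection duration threshold (assumed end condition)
}

func NewSessionTable(longMax time.Duration) *SessionTable {
	return &SessionTable{sessions: make(map[netip.AddrPort]Session), longMax: longMax}
}

// Record stores the association when a request is detected at the drainage
// port. A source port carries only one access request at a time, so a second
// record under the same key is rejected instead of silently overwriting it.
func (t *SessionTable) Record(src netip.AddrPort, s Session) error {
	t.mu.Lock()
	defer t.mu.Unlock()
	if _, exists := t.sessions[src]; exists {
		return ErrPortInUse
	}
	t.sessions[src] = s
	return nil
}

// Lookup resolves the initiating process from the receiving address and port
// of the response data, so the data can be returned to the right application.
func (t *SessionTable) Lookup(recv netip.AddrPort) (ProcessInfo, bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.sessions[recv]
	return s.Proc, ok
}

// Release frees the source port once the access has ended. A short connection
// is released as soon as its response has arrived; a long connection is kept
// until its duration exceeds the threshold or the user closes it. The bool
// reports whether the entry was actually deleted.
func (t *SessionTable) Release(src netip.AddrPort, now time.Time, userClosed bool) (bool, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.sessions[src]
	if !ok {
		return false, ErrNoSession
	}
	if s.Long && !userClosed && now.Sub(s.Started) <= t.longMax {
		return false, nil // long connection still within its lifetime
	}
	delete(t.sessions, src)
	return true, nil
}

func main() {
	tbl := NewSessionTable(30 * time.Minute)
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	proc := ProcessInfo{PID: 4242, Name: "enterprise-app", FullPath: "/opt/enterprise-app/bin/app"}
	// Constructed sample: a file browse (short connection) and a video view (long connection).
	fileReq := netip.MustParseAddrPort("10.0.0.5:51234")
	videoReq := netip.MustParseAddrPort("10.0.0.5:51235")
	_ = tbl.Record(fileReq, Session{Proc: proc, TrafficID: 1, Started: t0})
	_ = tbl.Record(videoReq, Session{Proc: proc, TrafficID: 2, Long: true, Started: t0})
	p, _ := tbl.Lookup(fileReq)
	fmt.Printf("response received on %s belongs to pid %d (%s)\n", fileReq, p.PID, p.Name)
	r, _ := tbl.Release(fileReq, t0.Add(time.Second), false)
	fmt.Println("short connection released:", r) // true
	r, _ = tbl.Release(videoReq, t0.Add(10*time.Minute), false)
	fmt.Println("long connection released before threshold:", r) // false
	r, _ = tbl.Release(videoReq, t0.Add(31*time.Minute), false)
	fmt.Println("long connection released after threshold:", r) // true
}
```

Rejecting a duplicate key in Record is what enforces the one-port-one-request property the text relies on: if a stale entry were overwritten, a late response on that port could be handed to the wrong process.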
Fig. 7 provides a simplified diagram of a framework for private network access. As shown in fig. 7, the drainage management application acts as the provider of the security service of the zero trust network, the requesting device acts as the access subject that initiates the access request, the resource server of the private network acts as the accessed object, and the zero trust proxy and the access gateway provide a unified entry between the access subject and the access object, so that the whole access process from step 201 to step 204 is realized.
Fig. 8 provides a schematic diagram of a framework for private network access; as shown in fig. 8, the framework includes a requesting device, a management server, an intelligent gateway, and a service server. The private network access process is realized by interaction among the devices in the framework and comprises the following steps:
Step (1) The requesting device intercepts, through a proxy process (proxy), an access request to be drained, and acquires information such as the URL (uniform resource locator), process pid (process number), communication five-tuple, and domain name of the access request.
Step (2) The requesting device may request a ticket from the drainage management application through the proxy process. The ticket may include a credential ticket for logging into the drainage management application, a credential ticket for accessing a network resource, and the like.
Step (3) The requesting device acquires, through the drainage management application, information such as the application program that initiated the access request and the process characteristics of the process that initiated the access request.
Step (4) The requesting device sends a ticket replacement request to the management server, where the ticket replacement request is used to access the private network based on the replaced ticket.
Step (5) The requesting device sends the information acquired in step (3) to the management server so that process inspection can be performed. The management server is configured with a policy center, a censoring service, a ticket center, and the like. The censoring service checks, based on the information sent by the requesting device, whether the requesting device has access rights. The policy center manages the drainage policies, such as configuring the drainage policies of all objects; the ticket center manages tickets, such as ticket replacement.
Step (6) After the management server's authentication passes, the requesting device returns a ticket response to the proxy process.
Step (7) The requesting device forwards the ticket and the access request to the intelligent gateway through the proxy process.
Step (8) The intelligent gateway sends a ticket verification request to the management server based on the ticket.
Step (9) The intelligent gateway receives the verification result returned by the management server.
Step (10) If the verification result indicates that access rights are available, the intelligent gateway passes the verification and forwards the access request to the corresponding service server.
Step (11) The service server returns response data to the target gateway based on the access request.
Step (12) The target gateway returns the response data to the proxy process of the requesting device.
Step (13) The requesting device determines, through the proxy process, the process information corresponding to the response data, and based on the process information returns the response data to the corresponding application program, so that the response result corresponding to the request is accessed in the response page of the application program.
According to the data processing method provided by the application, through determining the communication link information corresponding to the access request, when the network resource belongs to the drainage resource, the access request is drained to the target gateway for accessing the target server based on the target address and the preconfigured drainage port, and the access request can be forwarded to the target server through the target gateway, so that the access to the resource to be drained is automatically drained to the corresponding gateway for access; by recording the association relationship between the source address and the process information of the process initiating the access request, when receiving the response data returned by the target server, the response page corresponding to the access request is displayed based on the association relationship between the source address and the process information, so that the whole access process initiated by the access request is ensured to be accurately executed, and the operations of installing a virtual network card, modifying a system routing table and the like are not required, the problem of poor practicability in the related technology is effectively solved, and the accuracy and the practicability of the access process to the private network are improved.
In addition, the application does not need to install a virtual network card, does not need to modify the system routing table, the local DNS configuration and other risky conflict operations, and can avoid the difficult-to-solve compatibility problem in the related technology in the whole access process.
The application realizes access to the private network by providing a simplified kernel component at the driver layer that interacts with the proxy process and the control process of the application layer. Through the inter-process communication among the proxy process, the kernel component and the control process, traffic that does not need to be drained leaves by the system's original path, while traffic that needs to be drained automatically enters the callback processing function for processing through the proxy process; in this way the whole access process can be executed accurately. In terms of stability and compatibility, the system is not configured globally, so the stability and compatibility of the system are greatly improved.
In addition, in terms of performance, there is no additional resource initialization process: with this data processing method the drainage driver starts and works instantly, so rapid drainage of the access request, access, and return of the response data can be achieved, and access efficiency is improved. Moreover, with this method, once the resources to be drained have been drained accurately based on the target drainage policy, services outside the policy leave through the system's original outlet and are not affected by the drainage. In summary, the method brings great improvements in stability, compatibility, performance and other aspects.
Fig. 9 is a signaling interaction schematic diagram of a data processing method provided by the present application, and as shown in fig. 9, the method is implemented by interaction among a requesting device, a management server, a target gateway, and a target server. The information interaction process includes the following steps.
Step 901, a request device sends a login request to a management server.
The login request is used to request login to the drainage management application, and the login request may carry the object login information of the current object. The requesting device may start and run the drainage management application based on a trigger operation of the current object; the requesting device may display a login page of the drainage management application, the current object may enter information such as a login name and a login key in the login page, and the requesting device sends the login request to the management server based on the object login information.
Step 902, the management server returns a target drainage policy to the requesting device based on the login request.
The management server can determine a target drainage policy corresponding to the current object based on the object login information.
Step 903, the requesting device receives the target drainage policy.
The implementation of step 903 is the same as that of step 201, and will not be described here again.
Step 904, the requesting device determines, in response to receiving an access request to a network resource, communication link information corresponding to the access request.
For example, the access request may be an access request for a private network; e.g., in a remote office scenario, the current object may connect to the intranet through the drainage management application and initiate an access request for network resources in the intranet, such as a browsing request initiated in an enterprise application to browse files in the enterprise intranet, or a viewing request to view a video in the intranet.
The communication link information includes a source address and a destination address; the implementation of step 904 is a process similar to the manner of step 202, and will not be described in detail herein.
Step 905, the requesting device determines, based on the target drainage policy, whether the network resource belongs to the drainage resource.
For example, the drainage resource may be a network resource in the enterprise intranet whose access needs to be restricted.
Step 906, if the network resource belongs to a drainage resource, the request device modifies the target address of the access request into a drainage port so as to intercept the access request to the drainage port, and records the association relationship between the source address and the process information.
The target gateway is used to forward the access request to the target server and to forward the response data of the target server to the source address, and the process information indicates the process that initiated the access request.
Step 907, the requesting device sends the access request intercepted to the drainage port to the target gateway after authentication.
For example, the target gateway may be a gateway that serves an intranet server, e.g., may provide authentication, authorization, forwarding, etc., of each access request to access enterprise resources.
The implementation of steps 905-907 is the same as that of step 203, and will not be described here again.
The authentication process is similar to the authentication process in step 2032, and is illustrated by the corresponding step flow in fig. 8, which is not described in detail herein.
Step 908, the target gateway sends the access request to the target server.
For example, the target server may be a server in an intranet for providing a target resource in the intranet.
Step 909, the target server returns corresponding response data to the target gateway based on the access request.
For example, the response data may be file data corresponding to the browsing request, or a video data stream, an audio data stream, or the like corresponding to the viewing request.
Step 910, the target gateway receives the response data and sends the response data to the requesting device.
Step 911, the request device receives the response data returned by the target server through the target gateway; and displaying a response page corresponding to the access request based on the response data and the association relation between the source address and the process information.
For example, the requesting device may display the file to be browsed in a file presentation page of the enterprise application based on the file data, or display a download entry for the file in a file download page so that the current object can download the file. Similarly, the requesting device may play the video in a video play page of the enterprise application based on the video data stream and audio data stream, or display a download entry for the video in a video download page so that the current object can download the video.
The implementation of step 911 is a process similar to that of step 204, and will not be described in detail herein.
The application provides a data processing method, which relates to the following cloud security, cloud computing technology and the like. By way of example, the method and the system can realize the processes of authenticating the access request, guiding the access request to the target gateway to access the target server and the like by utilizing the cloud security technology, so as to ensure the security of each link in the access process of guiding the resources.
It should be understood that Cloud Security refers to a generic term for security software, hardware, objects, institutions, and secure cloud platforms that are based on the cloud computing business model. The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to ensure the security of the cloud itself and of the various applications on the cloud, including cloud computer system security, secure storage and isolation of object data, object access authentication, information transmission security, network attack protection, compliance auditing, and the like; 2. cloudification of the security infrastructure, which mainly studies how to build and integrate security infrastructure resources using cloud computing and optimize security protection mechanisms, where cloud computing technology is used to construct a very large-scale platform for security event and information acquisition and processing, enabling acquisition and correlation analysis of massive amounts of information and improving the control and risk-management capability over network-wide security events; 3. cloud security services, which mainly study the various security services provided to objects on the basis of cloud computing platforms, such as anti-virus services and the like.
It should be appreciated that Cloud Computing is a computing model that distributes computing tasks across a resource pool made up of a large number of computers, enabling various application systems to acquire computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud". From the user's perspective, the resources in the cloud are infinitely expandable and can be acquired at any time, used as needed, expanded at any time, and paid for according to use.
Fig. 10 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. As shown in fig. 10, the apparatus includes:
a communication link determining module 1001, configured to determine, in response to receiving an access request to a network resource, communication link information corresponding to the access request, where the communication link information includes a source address and a destination address;
the drainage module 1002 is configured to respond to determining that the network resource belongs to a drainage resource based on a preconfigured target drainage policy, drain the access request to a target gateway to access a target server based on the target address and a preconfigured drainage port, and record an association relationship between the source address and process information;
the target gateway is used to forward the access request to the target server and to forward the response data of the target server to the source address, and the process information indicates the process that initiated the access request;
a receiving module 1003, configured to receive response data returned by the target server through the target gateway;
the display module 1004 is configured to display a response page corresponding to the access request based on the response data and an association relationship between the source address and the process information.
In one possible implementation, the drain port indicates an address for carrying the intercepted access request;
the drainage module 1002 is configured to modify, at the network layer, the target address of the access request to the drainage port in response to determining that the network resource belongs to the drainage resource based on the target drainage policy, and to call a callback processing function corresponding to the protocol type of the access request, so as to authenticate the access request intercepted at the drainage port and send the authenticated access request to the target server through the target gateway;
the callback processing function is used for executing authentication on the access request and sending the access request to the target server based on a transmission mode of a corresponding protocol type.
In one possible implementation, the apparatus further includes:
a transfer module, configured to transfer the function entry address corresponding to at least one protocol type to the preconfigured kernel component through the preconfigured proxy process;
the drainage module 1002 is configured to:
modifying the target address into a drainage port of the proxy process at a network layer through the kernel component;
calling a callback processing function corresponding to the protocol type based on a function entry address transmitted by the proxy process through the kernel component so as to execute the authentication of an access request intercepted to the drainage port and then send the access request to the target server through the target gateway;
The target gateway is a gateway corresponding to the target address in the association relationship between the gateway service address and the gateway.
In one possible implementation, the apparatus is further configured to:
start data detection on the drainage port through a preconfigured proxy process;
and the drainage module 1002 is configured to, in response to detecting the access request intercepted at the drainage port, store, through the proxy process, the association relationship among the source address, the source port and the process information, with the source address and source port of the access request as keys and the process information as the value, where the communication link information further includes the source port.
In one possible implementation manner, the communication link information further includes a source port, and the association relationship includes a correspondence relationship taking a source address and the source port as keys and taking the process information as a value;
the display module 1004 is configured to determine a receiving address and a receiving port for receiving the response data; determining the process information corresponding to the receiving address and the receiving port from the corresponding relation taking the source address and the source port as keys and the process information as values by taking the receiving address and the receiving port as keys; and returning the response data to the application program which initiates the access request based on the process information corresponding to the receiving address and the receiving port, and displaying the response page in the application program based on the response data.
In one possible implementation, the apparatus further includes any one of:
a short connection releasing module, configured to release the source port in the process that initiated the access request and delete the correspondence relationship with the source address and source port as keys and the process information as values, where the communication connection between the target server and the requesting device is a short connection;
a long connection releasing module, configured to keep the source port in the process until the communication connection between the target server and the terminal device reaches a long connection end condition, then release the source port in the process and delete the correspondence relationship with the source address and source port as keys and the process information as values, where the communication connection between the target server and the requesting device is a long connection.
In one possible implementation, the apparatus further includes an obtaining module, configured, when the current object logs in to the drainage management application, to obtain the target drainage policy corresponding to that object from the management server of the drainage management application based on the object's login information, and to store the target drainage policy in the memory space corresponding to the preconfigured kernel component, so that the policy applied on the device is the one issued for the logged-in object.
In one possible implementation, the target drainage policy includes at least one of: a preconfigured drainage-resource domain name and port, drainage-resource network address and port, drainage-resource protocol type, drainage-resource process characteristic information, non-drainage-resource domain name and port, non-drainage-resource network address and port, non-drainage-resource protocol type, or non-drainage-resource process characteristic information.
In one possible implementation, at least one of the following holds: the non-drainage-resource domain name and port include the domain name and port bound to the management server;
the drainage-resource domain names and ports include those bound to resource servers in the private network of the target network, and the non-drainage-resource domain names and ports include those bound to resource servers in the public network of the target network.
In one possible implementation, the drainage module 1002 is further configured to perform at least one of:
determining that the network resource is a drainage resource in response to the domain name and port of the access request belonging to the drainage-resource domain names and ports;
determining that the network resource is a drainage resource in response to the target address and target port of the access request belonging to the drainage-resource network addresses and ports;
determining that the network resource is a drainage resource in response to the protocol type of the access request belonging to the drainage-resource protocol types;
determining that the network resource is a drainage resource in response to the process information of the access request matching the drainage-resource process characteristic information.
In one possible implementation, the apparatus further includes:
a redirection module, configured, in response to the domain name and port of the access request belonging to the drainage-resource domain names and ports, to redirect the domain name of the access request to a virtual network address, which is not the real network address that the domain name resolves to.
In one possible implementation, the apparatus further includes a non-drainage-resource sending module, configured to:
send the access request along its original path based on the communication link information in response to the domain name and port of the access request belonging to the non-drainage-resource domain names and ports;
send the access request along its original path based on the communication link information in response to the process information matching the non-drainage-resource process characteristic information;
send the access request along its original path based on the communication link information when the communication five-tuple of the access request matches none of the drainage-resource network addresses and ports, the drainage-resource protocol types, or the drainage-resource process characteristic information.
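The policy elements, the drainage and non-drainage matching rules, and the domain-to-virtual-address redirection described above (restated in claims 8 to 12) can be exercised together in one policy engine. This is an added example, not the patent's or any product's code. Assumptions: the rule names; the evaluation order (non-drainage rules are checked first, so the management server's domain and excluded processes can never be looped through the gateway, which the page leaves unspecified); the 198.18.0.0/15 range as the pool of virtual addresses; and the executable name as the "process characteristic information". The policy and requests in demo() are constructed.

```python
"""Target drainage policy evaluation with domain-name redirection to a virtual
address. Added example, not the patent's code. Assumed: the rule names, the
evaluation order (non-drainage rules win), the 198.18.0.0/15 range as the
virtual-address pool, and the executable name as the process characteristic."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, FrozenSet, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]  # (domain name or network address, port)

class AccessRequest(NamedTuple):
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    protocol: str  # "tcp" / "udp"
    process: str   # executable name of the initiating process

@dataclass
class DrainagePolicy:
    drain_domains: FrozenSet[Endpoint] = frozenset()
    drain_addrs: FrozenSet[Endpoint] = frozenset()
    drain_protocols: FrozenSet[str] = frozenset()
    drain_processes: FrozenSet[str] = frozenset()
    nodrain_domains: FrozenSet[Endpoint] = frozenset()  # e.g. the management server
    nodrain_addrs: FrozenSet[Endpoint] = frozenset()
    nodrain_protocols: FrozenSet[str] = frozenset()
    nodrain_processes: FrozenSet[str] = frozenset()

class VirtualAddressPool:
    """One virtual (not real) address per drained domain name, plus the reverse map."""
    def __init__(self, cidr: str = "198.18.0.0/15") -> None:
        self._hosts = ipaddress.ip_network(cidr).hosts()
        self._by_domain: Dict[str, str] = {}
        self._by_addr: Dict[str, str] = {}

    def redirect(self, domain: str) -> str:
        if domain not in self._by_domain:
            addr = str(next(self._hosts))
            self._by_domain[domain], self._by_addr[addr] = addr, domain
        return self._by_domain[domain]

    def domain_for(self, addr: str) -> Optional[str]:
        return self._by_addr.get(addr)

class PolicyEngine:
    def __init__(self, policy: DrainagePolicy) -> None:
        self.policy = policy
        self.vips = VirtualAddressPool()

    def resolve(self, domain: str, port: int) -> Optional[str]:
        """DNS-time hook: a drained domain name is answered with a virtual address;
        None means resolve normally and use the real address."""
        if (domain, port) in self.policy.nodrain_domains:
            return None
        return self.vips.redirect(domain) if (domain, port) in self.policy.drain_domains else None

    def classify(self, req: AccessRequest) -> str:
        """Return "drain" or "pass" for one outbound five-tuple plus process."""
        p = self.policy
        domain = self.vips.domain_for(req.dst_addr)  # set only after resolve() redirected it
        # Non-drainage rules first: excluded traffic leaves by the system's original path.
        if ((req.dst_addr, req.dst_port) in p.nodrain_addrs
                or req.protocol in p.nodrain_protocols or req.process in p.nodrain_processes):
            return "pass"
        # Drainage rules: any single match drains the request.
        if ((domain is not None and (domain, req.dst_port) in p.drain_domains)
                or (req.dst_addr, req.dst_port) in p.drain_addrs
                or req.protocol in p.drain_protocols or req.process in p.drain_processes):
            return "drain"
        return "pass"  # five-tuple matched no drainage rule

def demo() -> dict:
    """Constructed policy and requests; 10.20.0.0/16 plays the private network."""
    policy = DrainagePolicy(
        drain_domains=frozenset({("wiki.corp.example", 443)}),
        drain_addrs=frozenset({("10.20.0.5", 22)}),
        drain_processes=frozenset({"erp-client.exe"}),
        nodrain_domains=frozenset({("manage.corp.example", 443)}),
        nodrain_processes=frozenset({"updater.exe"}),
    )
    eng = PolicyEngine(policy)
    vip = eng.resolve("wiki.corp.example", 443)
    assert vip is not None  # the policy drains this domain, so a virtual address is issued

    def req(dst_addr: str, dst_port: int, process: str) -> AccessRequest:
        return AccessRequest("192.0.2.10", 51000, dst_addr, dst_port, "tcp", process)

    return {
        "vip": vip,
        "mgmt_vip": eng.resolve("manage.corp.example", 443),
        "wiki": eng.classify(req(vip, 443, "browser.exe")),
        "ssh": eng.classify(req("10.20.0.5", 22, "ssh.exe")),
        "erp": eng.classify(req("203.0.113.7", 8080, "erp-client.exe")),
        "updater": eng.classify(req("10.20.0.5", 22, "updater.exe")),
        "public": eng.classify(req("203.0.113.7", 443, "browser.exe")),
    }
```

The virtual address does two jobs: it keeps the real private address out of the local resolver, and it lets the later TCP connect be recognised as "this drained domain" from the five-tuple alone, which is why classify() never needs the original hostname.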
With the data processing device provided by the application, the communication link information of the access request is determined and, when the network resource is a drainage resource, the access request is drained, based on the target address and the preconfigured drainage port, to the target gateway used to access the target server, which forwards it to that server; access to resources that are to be drained is thus automatically routed through the corresponding gateway. By recording the association between the source address and the process information of the process that initiated the access request, the response data returned by the target server can be matched back to that process and the response page corresponding to the access request displayed, so the whole access flow initiated by the request is carried out accurately without installing a virtual network adapter or modifying the system routing table. This addresses the poor practicability of the related technology and improves the accuracy and practicability of access to the private network.
In addition, since no virtual network adapter is installed and neither the system routing table nor the local DNS configuration is modified, the application avoids these risky, conflict-prone operations and the hard-to-resolve compatibility problems they cause in the related technology.
The application realizes access to the private network by providing a simplified kernel component at the driver layer that interacts with the proxy process and the control process at the application layer. Through inter-process communication among the proxy process, the kernel component and the control process, traffic that does not need to be drained leaves by the system's original path, while traffic that does need to be drained automatically enters the callback processing function via the proxy process, so the whole access flow is executed accurately. Because the system is not configured globally, stability and compatibility are greatly improved.
In terms of performance, there is no additional resource initialization step: the drainage driver starts and works immediately, so an access request can be drained, served and its response data returned quickly, which improves access efficiency. Moreover, after the resources to be drained have been drained precisely according to the target drainage policy, services outside the policy leave by the system's original egress and are unaffected by drainage. In summary, the method offers substantial improvements in stability, compatibility and performance.
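The driver-layer/application-layer split described above, and spelled out in claims 2 and 3 (the kernel component rewrites the target address to the drainage port, the proxy process registers a function entry per protocol type, the callback authenticates the request and only then sends it through the gateway mapped to the target address, while everything else keeps its original path), can be simulated end to end. This is an added example, not the patent's code: the kernel component is modelled in user space, a bearer token stands in for whatever credential the real authentication step checks, and the gateway map, names and traffic are all constructed.

```python
"""Driver-layer redirect to the drainage port plus proxy-side callback dispatch.
Added example, not the patent's code: the kernel component is simulated in user
space. Assumed: a bearer token as the credential checked by the callback, the
gateway map keyed by gateway service address, and all names below."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Target = Tuple[str, int]

@dataclass
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    protocol: str                # "tcp" / "udp"
    token: Optional[str] = None  # credential presented by the drainage client

@dataclass(frozen=True)
class Forwarded:
    gateway: str
    target: Target
    mode: str  # transmission mode of the protocol type

Callback = Callable[[Packet, Target], Optional[Forwarded]]

class KernelComponent:
    """Rewrites the target of drained traffic to the proxy's drainage port and keeps
    the original target so the proxy can recover it; everything else is untouched."""

    def __init__(self, drainage_port: int, should_drain: Callable[[Packet], bool]) -> None:
        self.drainage_port = drainage_port
        self.should_drain = should_drain          # decision from the drainage policy
        self.callbacks: Dict[str, Callback] = {}  # protocol type -> function entry
        self.original_target: Dict[Tuple[str, int], Target] = {}

    def register_callback(self, protocol: str, entry: Callback) -> None:
        """The proxy process passes its function entry for a protocol type in here."""
        self.callbacks[protocol] = entry

    def on_outbound(self, pkt: Packet) -> Optional[Forwarded]:
        callback = self.callbacks.get(pkt.protocol)
        if callback is None or not self.should_drain(pkt):
            return None  # leaves by the system's original path, unmodified
        key = (pkt.src_addr, pkt.src_port)
        self.original_target[key] = (pkt.dst_addr, pkt.dst_port)
        pkt.dst_addr, pkt.dst_port = "127.0.0.1", self.drainage_port
        return callback(pkt, self.original_target[key])

class ProxyProcess:
    def __init__(self, valid_tokens: Set[str], gateways: Dict[str, str]) -> None:
        self.valid_tokens = valid_tokens
        self.gateways = gateways  # gateway service address -> gateway
        self.rejected = 0

    def _handle(self, pkt: Packet, target: Target, mode: str) -> Optional[Forwarded]:
        # Authenticate before anything is sent: a forged or missing credential is
        # dropped here and never reaches the gateway.
        if pkt.token not in self.valid_tokens:
            self.rejected += 1
            return None
        gateway = self.gateways.get(target[0])
        if gateway is None:
            return None  # no gateway serves this target address
        return Forwarded(gateway, target, mode)

    def tcp_entry(self, pkt: Packet, target: Target) -> Optional[Forwarded]:
        return self._handle(pkt, target, "stream")

    def udp_entry(self, pkt: Packet, target: Target) -> Optional[Forwarded]:
        return self._handle(pkt, target, "datagram")

def demo() -> dict:
    """Constructed traffic: 10.20.0.0/16 is the private network behind gw-east."""
    drained = {("10.20.0.5", 22), ("10.20.0.9", 53)}
    kernel = KernelComponent(40000, lambda p: (p.dst_addr, p.dst_port) in drained)
    proxy = ProxyProcess({"tok-ok"}, {"10.20.0.5": "gw-east", "10.20.0.9": "gw-east"})
    kernel.register_callback("tcp", proxy.tcp_entry)
    kernel.register_callback("udp", proxy.udp_entry)
    ok = Packet("192.0.2.10", 51000, "10.20.0.5", 22, "tcp", token="tok-ok")
    forged = Packet("192.0.2.10", 51001, "10.20.0.5", 22, "tcp", token="forged")
    dns = Packet("192.0.2.10", 51002, "10.20.0.9", 53, "udp", token="tok-ok")
    public = Packet("192.0.2.10", 51003, "203.0.113.7", 443, "tcp", token="tok-ok")
    r_ok, r_forged, r_dns, r_public = (kernel.on_outbound(p) for p in (ok, forged, dns, public))
    return {
        "ok": (r_ok.gateway, r_ok.mode) if r_ok else None,
        "ok_rewritten_to": (ok.dst_addr, ok.dst_port),
        "forged": r_forged,
        "rejected": proxy.rejected,
        "dns": (r_dns.gateway, r_dns.mode) if r_dns else None,
        "public": r_public,
        "public_untouched": (public.dst_addr, public.dst_port),
    }
```

Two properties worth checking in a real implementation follow the same shape: the rewrite must only ever point at a port the proxy process owns (otherwise another local process listening on that port receives the drained traffic), and the authentication check must sit in front of gateway selection so that an unauthenticated request cannot even learn which gateway serves a private address.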
The device of this embodiment can carry out the method provided by the embodiments of the present application on the same principle; the actions of each module of the device correspond to the steps of the method, and the detailed description of each module can be found in the corresponding method description above and is not repeated here.
Fig. 11 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 11, the computer device includes a memory, a processor and a computer program stored on the memory, and the processor executes the computer program to implement the steps of the data processing method. Compared with the related art, the computer device achieves the same effects as described above for the data processing device: requests for drainage resources are drained to the target gateway based on the target address and the preconfigured drainage port; response data is returned accurately to the initiating process through the recorded association between source address and process information; no virtual network adapter is installed and neither the routing table nor the local DNS configuration is modified; a simplified kernel component at the driver layer cooperates with the proxy and control processes so that traffic outside the policy keeps its original path; and the drainage driver starts immediately without extra initialization, with the corresponding gains in stability, compatibility and performance.
In an alternative embodiment, a computer device is provided. As shown in fig. 11, the computer device 1100 comprises a processor 1101 and a memory 1103, the processor 1101 being coupled to the memory 1103, for example via a bus 1102. Optionally, the computer device 1100 may also include a transceiver 1104 for data interaction between this computer device and other computer devices, such as sending and/or receiving data. In practice the number of transceivers 1104 is not limited to one, and the structure of the computer device 1100 is not limited to that of this embodiment.
The processor 1101 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 1101 may also be a combination that performs computing functions, such as one or more microprocessors, or a DSP together with a microprocessor.
Bus 1102 may include a path that carries information between the components. Bus 1102 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is drawn in fig. 11, but this does not mean there is only one bus or one type of bus.
The memory 1103 may be a ROM (Read Only Memory) or other static storage device that can store static information and instructions, a RAM (Random Access Memory) or other dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store a computer program and be read by a computer, without limitation.
The memory 1103 is used for storing a computer program for executing an embodiment of the present application, and is controlled to be executed by the processor 1101. The processor 1101 is configured to execute a computer program stored in the memory 1103 to implement the steps shown in the foregoing method embodiments.
The computer device includes, but is not limited to, a server, a terminal, or a cloud computing center device.
Embodiments of the present application provide a computer readable storage medium having a computer program stored thereon, which when executed by a processor, implements the steps of the foregoing method embodiments and corresponding content.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program can realize the steps and corresponding contents of the embodiment of the method when being executed by a processor.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well unless expressly stated otherwise, as understood by those skilled in the art. The terms "comprises" and "comprising" as used in the embodiments of the present application mean that the corresponding features, information, data, steps or operations may be implemented as presented, but do not exclude implementation together with other features, information, data, steps or operations supported by the state of the art.
The terms "first," "second," "third," "fourth," "1," "2," and the like in the description and in the claims and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, such that the embodiments of the application described herein may be implemented in other sequences than those illustrated or otherwise described.
It should be understood that, although various operation steps are indicated by arrows in the flowcharts of the embodiments of the present application, the order in which these steps are implemented is not limited to the order indicated by the arrows. In some implementations of embodiments of the application, the implementation steps in the flowcharts may be performed in other orders as desired, unless explicitly stated herein. Furthermore, some or all of the steps in the flowcharts may include multiple sub-steps or multiple stages based on the actual implementation scenario. Some or all of these sub-steps or phases may be performed at the same time, or each of these sub-steps or phases may be performed at different times, respectively. In the case of different execution time, the execution sequence of the sub-steps or stages can be flexibly configured according to the requirement, which is not limited by the embodiment of the present application.
The foregoing is merely an optional implementation of some of the implementation scenarios of the present application. Those skilled in the art may adopt other similar implementations based on the technical ideas of the present application without departing from them, and such implementations also fall within the scope of protection of the embodiments of the present application.
Claims (16)
1. A method of data processing, the method comprising:
in response to receiving an access request for a network resource, determining communication link information corresponding to the access request, the communication link information comprising a source address and a target address;
in response to determining, based on a preconfigured target drainage policy, that the network resource belongs to the drainage resources, draining the access request to a target gateway for accessing a target server based on the target address and a preconfigured drainage port, and recording the association relationship between the source address and process information;
wherein the target gateway is configured to forward the access request to the target server and to forward response data of the target server to the source address, and the process information identifies the process that initiated the access request;
and receiving the response data returned by the target server via the target gateway, and displaying a response page corresponding to the access request based on the response data and the association relationship between the source address and the process information.
2. The method of claim 1, wherein the drainage port indicates the address at which the intercepted access request is carried;
the determining, based on the preconfigured target drainage policy, that the network resource belongs to the drainage resources, and the draining of the access request to the target gateway for accessing the target server based on the target address and the preconfigured drainage port, comprise:
in response to determining, based on the target drainage policy, that the network resource belongs to the drainage resources, modifying the target address of the access request to the drainage port at the network layer, and calling the callback processing function corresponding to the protocol type of the access request, so as to authenticate the access request intercepted at the drainage port and then send it to the target server via the target gateway;
wherein the callback processing function authenticates the access request and sends it to the target server using the transmission mode of the corresponding protocol type.
3. The method of claim 2, wherein, before the calling of the callback processing function corresponding to the protocol type of the access request, the method further comprises:
passing a function entry address corresponding to at least one protocol type into a preconfigured kernel component through a preconfigured proxy process;
and the modifying of the target address of the access request to the drainage port at the network layer, and the calling of the callback processing function corresponding to the protocol type of the access request so as to authenticate the access request intercepted at the drainage port and then send it to the target server via the target gateway, comprise:
modifying the target address, at the network layer and through the kernel component, to the drainage port of the proxy process;
calling, through the kernel component and based on the function entry address passed in by the proxy process, the callback processing function corresponding to the protocol type, so as to authenticate the access request intercepted at the drainage port and then send it to the target server via the target gateway;
wherein the target gateway is the gateway corresponding to the target address in the association between gateway service addresses and gateways.
4. The method of claim 1, wherein, before the draining of the access request to the target gateway for accessing the target server based on the target address and the preconfigured drainage port, the method further comprises:
starting data detection on the drainage port through a preconfigured proxy process;
and the recording of the association relationship between the source address and the process information comprises:
in response to the access request being intercepted at the drainage port, storing through the proxy process the association among the source address, the source port and the process information, using the source address and source port of the access request as the key and the process information as the value, wherein the communication link information further comprises the source port.
5. The method of claim 1, wherein the communication link information further comprises a source port, and the association relationship comprises a mapping keyed by the source address and the source port whose value is the process information;
the displaying of the response page corresponding to the access request based on the response data and the association relationship between the source address and the process information comprises:
determining the receiving address and receiving port at which the response data is received;
looking up, using the receiving address and receiving port as the key, the process information corresponding to them in the mapping keyed by source address and source port;
and returning the response data, based on that process information, to the application that initiated the access request, and displaying the response page in the application based on the response data.
6. The method of claim 5, wherein, after receiving the response data returned by the target server via the target gateway, the method further comprises either of:
releasing the source port of the process that initiated the access request and deleting the mapping entry keyed by the source address and source port, where the communication connection between the target server and the requesting device is a short connection;
keeping the source port of the process until the communication connection between the target server and the requesting device reaches the long-connection end condition, then releasing the source port and deleting the mapping entry keyed by the source address and source port, where the communication connection between the target server and the requesting device is a long connection.
7. The method of claim 1, wherein obtaining the target drainage policy comprises:
when a current object logs in to a drainage management application, obtaining the target drainage policy corresponding to the current object from the management server of the drainage management application based on the object's login information;
and storing the target drainage policy in the memory space corresponding to a preconfigured kernel component.
8. The method of claim 7, wherein the target drainage policy comprises at least one of: a preconfigured drainage-resource domain name and port, drainage-resource network address and port, drainage-resource protocol type, drainage-resource process characteristic information, non-drainage-resource domain name and port, non-drainage-resource network address and port, non-drainage-resource protocol type, or non-drainage-resource process characteristic information.
9. The method of claim 8, wherein at least one of the following holds:
the non-drainage-resource domain name and port comprise the domain name and port bound to the management server;
the drainage-resource domain names and ports comprise the domain names and ports bound to resource servers in the private network of the target network, and the non-drainage-resource domain names and ports comprise the domain names and ports bound to resource servers in the public network of the target network.
10. The method of claim 8, wherein the determining, based on the preconfigured target drainage policy, that the network resource belongs to the drainage resources comprises at least one of:
determining that the network resource is a drainage resource in response to the domain name and port of the access request belonging to the drainage-resource domain names and ports;
determining that the network resource is a drainage resource in response to the target address and target port of the access request belonging to the drainage-resource network addresses and ports;
determining that the network resource is a drainage resource in response to the protocol type of the access request belonging to the drainage-resource protocol types;
and determining that the network resource is a drainage resource in response to the process information of the access request matching the drainage-resource process characteristic information.
11. The method of claim 8, wherein, before the draining of the access request to the target gateway for accessing the target server based on the target address and the preconfigured drainage port, the method further comprises:
in response to the domain name and port of the access request belonging to the drainage-resource domain names and ports, redirecting the domain name of the access request to a virtual network address, the virtual network address not being the real network address corresponding to the domain name of the access request.
12. The method of claim 8, wherein the method further comprises:
sending the access request along its original path based on the communication link information in response to the domain name and port of the access request belonging to the non-drainage-resource domain names and ports;
sending the access request along its original path based on the communication link information in response to the process information matching the non-drainage-resource process characteristic information;
and sending the access request along its original path based on the communication link information when the communication five-tuple of the access request matches none of the drainage-resource network addresses and ports, the drainage-resource protocol types, or the drainage-resource process characteristic information.
13. A data processing apparatus, the apparatus comprising:
a communication link determining module, configured to determine, in response to receiving an access request for a network resource, communication link information corresponding to the access request, the communication link information comprising a source address and a target address;
a drainage module, configured, in response to determining based on a preconfigured target drainage policy that the network resource belongs to the drainage resources, to drain the access request to a target gateway for accessing a target server based on the target address and a preconfigured drainage port, and to record the association relationship between the source address and process information;
wherein the target gateway is configured to forward the access request to the target server and to forward response data of the target server to the source address, and the process information identifies the process that initiated the access request;
a receiving module, configured to receive the response data returned by the target server via the target gateway;
and a display module, configured to display a response page corresponding to the access request based on the response data and the association relationship between the source address and the process information.
14. A computer device comprising a memory, a processor and a computer program stored on the memory, characterized in that the processor executes the computer program to carry out the steps of the method according to any one of claims 1 to 12.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 12.
16. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any of claims 1 to 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210551174.1A CN117135104A (en) | 2022-05-18 | 2022-05-18 | Data processing method, apparatus, computer device, storage medium, and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210551174.1A CN117135104A (en) | 2022-05-18 | 2022-05-18 | Data processing method, apparatus, computer device, storage medium, and program product |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117135104A true CN117135104A (en) | 2023-11-28 |
Family ID: 88855108
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210551174.1A Pending CN117135104A (en) | 2022-05-18 | 2022-05-18 | Data processing method, apparatus, computer device, storage medium, and program product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117135104A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117714514A (en) * | 2023-12-13 | 2024-03-15 | 天翼云科技有限公司 | A game acceleration method and device for edge computing scenarios |
| CN118432957A (en) * | 2024-07-04 | 2024-08-02 | 阿里云计算有限公司 | Network communication management and control method, readable storage medium, device and product |
Events: 2022-05-18 CN CN202210551174.1A patent/CN117135104A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| US10574698B1 (en) | Configuration and deployment of decoy content over a network |
| EP3716108B1 (en) | Cloud-based web content processing system providing client threat isolation and data integrity |
| US11985168B2 (en) | Synthetic request injection for secure access service edge (SASE) cloud architecture |
| US11831683B2 (en) | Cloud object security posture management |
| US12395534B2 (en) | Cloud policy enforcement with synthetic request injection logic |
| US10326730B2 (en) | Verification of server name in a proxy device for connection requests made using domain names |
| US11647052B2 (en) | Synthetic request injection to retrieve expired metadata for cloud policy enforcement |
| US10148637B2 (en) | Secure authentication to provide mobile access to shared network resources |
| US20150046997A1 (en) | Accessing Enterprise Resources While Providing Denial-of-Service Attack Protection |
| CN115996122B (en) | Access control method, device and system |
| CN114745145B (en) | Business data access method, device and equipment and computer storage medium |
| US11496594B1 (en) | Regulation methods for proxy services |
| US10367788B2 (en) | Passport-controlled firewall |
| Damopoulos et al. | User privacy and modern mobile services: are they on the same path? |
| US12335263B2 (en) | Identity proxy and access gateway |
| US11451517B2 (en) | Secure and auditable proxy technology using trusted execution environments |
| US12095741B1 (en) | Secure proxy service |
| CN117135104A (en) | Data processing method, apparatus, computer device, storage medium, and program product |
| US12015594B2 (en) | Policy integration for cloud-based explicit proxy |
| CN115913583B (en) | Business data access method, device and equipment and computer storage medium |
| CN115795493A (en) | Access control policy deployment method, related device and access control system |
| US20250112912A1 (en) | System and Method for Authenticating and Authorizing Cloud Accounts to Access On-Premises Services |
| US12445451B2 (en) | Inline proxy with synthetic request injection logic for cloud policy enforcement |
| US20250039131A1 (en) | System and method for client-based traffic control utilizing domain catalog |
| HK40084296A (en) | Business data access method, device and apparatus, and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||