CN113364741A - Application access method and proxy server - Google Patents


Info

Publication number
CN113364741A
Authority
CN
China
Prior art keywords
application
domain name
accessor
access request
proxy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110534251.8A
Other languages
Chinese (zh)
Inventor
王力鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN202110534251.8A
Publication of CN113364741A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks
    • H04L63/0281: Proxies

Abstract

The invention discloses an application access method and a proxy server. The method is applied to the proxy server, which is deployed in a public network, and comprises the following steps: receiving a first access request sent by a client, wherein the request domain name in the first access request is a proxy domain name; replacing the request domain name in the first access request with the application domain name corresponding to the proxy domain name to generate a second access request; determining an accessor used for forwarding the second access request according to the IP address corresponding to the application domain name, wherein the accessor and the application server corresponding to the application domain name are deployed in the same local area network; and sending the second access request to the accessor, so that the second access request is forwarded to the application server through the accessor. With this technical scheme, the security of the application server can be guaranteed during resource access.

Description

Application access method and proxy server
Technical Field
The invention relates to the technical field of internet, in particular to an application access method and a proxy server.
Background
With the rise of interactive web applications, network security issues related to web applications are also of concern. Currently, remote users may access application resources in an intranet environment through a VPN. Specifically, a VPN server may be deployed in the application server, and in order to enable a remote user to connect to the VPN server, a public network IP address needs to be configured on the VPN server, or port mapping needs to be performed on an egress device of the application server, so that the user can access the VPN server. In this way, whether public network IP addresses or port mappings are configured, such information needs to be exposed to the user, and the application server is likely to be exposed to malicious attacks from the public network. In view of the above, a more secure application access method is needed.
Disclosure of Invention
The application aims to provide an application access method and a proxy server, which can guarantee the safety of the application server in the resource access process.
In order to achieve the above object, an aspect of the present application provides an application access method, where the method is applied to a proxy server, and the proxy server is deployed in a public network, and the method includes: receiving a first access request sent by a client, wherein a request domain name in the first access request is a proxy domain name; replacing the request domain name in the first access request with the application domain name corresponding to the proxy domain name to generate a second access request; determining an accessor used for forwarding the second access request according to the IP address corresponding to the application domain name, wherein the accessor and an application server corresponding to the application domain name are deployed in the same local area network; sending the second access request to the accessor, so that the second access request is forwarded to the application server through the accessor.
In order to achieve the above object, another aspect of the present application further provides a proxy server, which includes a memory and a processor, wherein the memory is used for storing a computer program, and the computer program, when executed by the processor, implements the above application access method.
In order to achieve the above object, another aspect of the present application further provides a distributed proxy service cluster, where the cluster includes the above proxy server.
In order to achieve the above object, another aspect of the present application further provides an application access transmission system, where the system includes a controller, the above proxy server or the above distributed proxy service cluster, at least one application server, and an accessor deployed in the same local area network as the application server, where the controller issues tenant information corresponding to the application server to the proxy server or the cluster, and issues a connection instruction to the accessor, where the connection instruction is used to instruct the accessor to establish a tunnel connection with the proxy server or a proxy server in the cluster.
Therefore, according to the technical scheme provided by the application, the proxy server can be deployed in the public network, and the proxy server and the application server communicate through the accessor. The accessor and the application server are deployed in the same local area network; for example, they can be located in the same data center (Internet Data Center, IDC). This prevents the address of the application server from being exposed in the public network and ensures the security of the application server.
In the whole resource access process, the client side only interacts with the proxy server through the proxy domain name, and the information of the real application server is not exposed to the client side. In addition, the accessor in the same local area network with the application server can only reach the public network environment, and does not need to configure the IP address of the public network and carry out port mapping, so that the accessor can avoid the attack from the public network. In addition, the communication between the accessor and the application server belongs to the communication in the data center, so that the safety is high, and the application server can be further prevented from being attacked by a malicious user.
In one implementation, a plurality of application managers are created on the proxy server, and the generating the second access request further includes: the proxy server selects the corresponding application manager according to the application domain name; forwarding the second access request to the application manager.
In one implementation, the application manager is created for the proxy server correspondingly for each client based on client information issued by the controller, where the client information includes a mapping relationship between an application domain name and a proxy domain name, and the replacing a request domain name in the first access request with the application domain name corresponding to the proxy domain name includes: and determining the application domain name corresponding to the proxy domain name based on the mapping relation.
In one implementation, each of the application managers respectively establishes a tunnel connection with a different accessor, and acquires a service network segment from the accessor that establishes the connection, and determining an accessor for forwarding the second access request according to the IP address corresponding to the application domain name specifically includes: the application manager receives the second access request; acquiring the IP address corresponding to the application domain name in the second access request; and determining the accessor containing the IP address in the service network segment as an accessor used for forwarding the second access request according to the service network segment and the IP address.
In one implementation, if there are multiple accessors including the IP address in the service segment, the accessor for forwarding the second access request is determined according to a service state of an application server corresponding to the accessor.
In one implementation, the method for acquiring the IP address corresponding to the application domain name in the second access request specifically includes: the application manager acquires the IP address corresponding to the application domain name from a local cache; or, a DNS resolution request is initiated based on the application domain name, so as to obtain the IP address from response information of the DNS resolution request.
In an implementation, the step of establishing, by each of the application managers, a tunnel connection with a different accessor specifically includes: the application manager receives a tunnel establishment request sent by the accessor and establishes tunnel connection with the accessor, wherein the accessor sends the tunnel establishment request based on a connection instruction sent by a controller.
In one implementation, the acquiring a service segment from the accessor establishing the connection specifically includes: and the application manager learns the service network segment issued by the accessor based on a dynamic routing protocol.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of an architecture of an application access system in an embodiment of the present invention;
FIG. 2 is a schematic diagram of the steps of an application access method in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a proxy server in the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The application provides an application access method which can be applied to a system architecture as shown in fig. 1. Referring to fig. 1, the system architecture may include a client, a proxy server deployed in a public network, a controller, a DNS server, and an application server and an accessor deployed in an intranet, where the application server and the accessor deployed in a data center of a client intranet are illustrated as an example.
The controller can be used to manage customers (tenants), including adding, changing and deleting them. Specifically, the controller can provide a customer management platform that receives management operations such as adding, updating and deleting customers, and the controller then issues control commands to the proxy server and the corresponding accessor according to the received operation. Taking the addition of a customer as an example, an administrator can enter the new customer's information, including the customer ID, the application information in the customer's local area network, and the mapping relationships between application domain names and proxy domain names. For example, suppose proxy services need to be provided for applications M1 and M2 of enterprise A. If the application domain name of application M1 is M1.a.com, a proxy domain name P1.vpn.com can be generated for it and a mapping relationship between M1.a.com and P1.vpn.com established. Similarly, if the application domain name of application M2 is M2.a.com, the proxy domain name P2.vpn.com can be generated and a mapping relationship between M2.a.com and P2.vpn.com established. Note that a proxy domain name can be generated from an application domain name by calculating an identifier for the application domain name using a random algorithm, an encryption algorithm, or the like; for example, the identifier corresponding to M1.a.com is P1. The identifier is then combined with a preset proxy flag to form the proxy domain name P1.vpn.com. The proxy flag is predetermined and must appear as the upper-level domain name when the proxy domain name is formed, which ensures that all proxy domain names generated from application domain names share the same upper-level domain and makes the subsequent configuration of DNS rules convenient.
After receiving the information for the new customer, the controller can issue a customer-add instruction to the proxy server, instructing it to provide proxy service for that customer, and issue the mapping relationships between application domain names and proxy domain names that belong to the customer. The controller may also issue a connection control instruction to an accessor deployed within the customer's local area network, instructing the accessor to actively establish a connection with the proxy server. This completes the operation of adding the new customer. Those skilled in the art will understand that deleting and updating a customer follow the same process as adding one, so they are not described again.
The client may be a terminal device of a user, and the user may send an access request to the intranet application server through a browser installed on the client, where a request domain name in the access request is a proxy domain name corresponding to the intranet application server, and the access request may be generated based on a URL directly input by the user, or may be initiated based on a page fed back by the proxy server, where an application domain name in the page fed back by the proxy server has been replaced with a corresponding proxy domain name.
In an embodiment of the present application, a domain name resolution rule may be configured on the DNS server so that the address to which a proxy domain name resolves is the IP address of the proxy server. An access request issued by the client to the proxy domain name is then received by the proxy server. For example, the configured rule may resolve every domain name under the wildcard domain that contains the proxy flag to the IP address of the proxy server.
The application servers in the embodiment of the application are all deployed in a customer intranet. To ensure data security, an extranet user cannot access the application servers directly, but must initiate access through the proxy server, and the proxy server and the application servers communicate over a VPN tunnel.
The accessor and the application server are deployed in the same local area network, that is, the accessor is located in the same intranet as the application server and can act as a transfer device between the proxy server and the application servers in that local area network. Specifically, the accessor may be a network connection device with a routing function, such as a router. Preferably, to ensure the security of the accessor, in this embodiment the accessor only needs to be able to reach the public network and does not need to be configured with a public network IP address or a mapped port. In other words, the accessor can actively access devices in the public network but does not accept connections initiated by public network devices. On this basis the accessor is protected from attacks originating in the public network, and the security of network access is ensured. Note that several application servers may be deployed in the same customer local area network, in which case the accessor can interface with all of them at the same time. In the embodiment of the application, the proxy server deployed in the public network must exchange data with the application server through the accessor, so the information of the application server is not directly exposed to the proxy server, which further strengthens communication security.
After the accessor receives the connection control instruction sent by the controller, it can actively initiate a connection establishment request to the proxy server specified in the instruction, specifically a VPN tunnel establishment request such as an IPsec or GRE tunnel establishment request, so that the proxy server and the accessor can communicate over the established VPN tunnel. Note that because the VPN tunnel is established at the accessor's request, the proxy server only needs to respond. Therefore, in the embodiment of the present application, it is not necessary to configure a public network IP address or port mapping for the accessor, which ensures the security of the accessor.
The proxy server can be used as a VPN gateway to receive various requests of the client, and can establish communication connection with an accessor of an intranet data center through a VPN network so as to forward an access request sent by an extranet user through the client to a corresponding application server and send data responded by the application server to the client. Therefore, the proxy server can realize data proxy between the external network client and the internal network application server. It is noted that, in one embodiment, the VPN tunnel established between the proxy server and the accessor may be implemented based on a VPN accelerated Network, wherein the VPN accelerated Network used may be implemented based on SD-WAN (Software-Defined Wide Area Network) technology.
In some practical application scenarios, to save device resources, one proxy server often needs to serve multiple customers at the same time. In that case the proxy server may create separate tenant spaces for different customers through a tenant isolation technology (e.g., namespace technology), that is, create a corresponding application manager for each customer and process each customer's access requests separately. With tenant isolation, data in different tenant spaces is isolated from each other, so several customers can share the same proxy server and the requirements of the multi-tenant scenario are met.
It will be appreciated that in some application scenarios, the same customer may own multiple local area networks, e.g., may own multiple data centers deployed in different internal networks, e.g., in fig. 1, enterprise a may own two data centers deployed in different local area networks, which may contain application M1 and application M2, respectively. Enterprise B may have only one data center with application N1 deployed therein. Correspondingly, an application manager A serving the enterprise A and an application manager B serving the enterprise B are correspondingly created on the proxy server.
Referring to fig. 1 and fig. 2, an application access method provided by an embodiment of the present application may be applied to the above proxy server, and the method may include the following steps.
S1: receiving a first access request sent by a client, wherein a request domain name in the first access request is a proxy domain name.
As described above, in the first access request sent by the user to the intranet application through the client, the request domain name is the proxy domain name corresponding to the application domain name, so that after DNS resolution, the first access request is sent to the proxy server and can be received by the proxy server.
S2: and replacing the request domain name in the first access request with the application domain name corresponding to the proxy domain name to generate a second access request.
Specifically, after receiving the mapping relationship between the application domain name and the proxy domain name issued by the controller, the proxy server may store the information in the local, and when receiving the first access request, may query the application domain name corresponding to the request domain name based on a locally stored record, thereby determining the application that the user really wants to access, and replace the request domain name in the first access request with the corresponding application domain name, so as to generate the second access request.
In implementation, customer information may change: customers may be added or removed or their information changed, and a customer's applications may be added or removed or their information changed. The proxy server therefore updates the locally stored mapping relationships between application domain names and proxy domain names according to the corresponding instructions issued by the controller. If the proxy server does not find, in the locally maintained record, an application domain name corresponding to the proxy domain name in the first access request, the first access request is an illegal request and access can be denied directly.
S3: and determining an accessor used for forwarding the second access request according to the IP address corresponding to the application domain name, wherein the accessor and an application server corresponding to the application domain name are deployed in the same local area network.
For a single-tenant scenario, once the proxy server has generated the second access request, it needs to obtain the IP address corresponding to the application domain name. The proxy server may obtain this IP address from a local cache, or by initiating a DNS resolution request based on the application domain name. In one implementation, the proxy server first tries to obtain the IP address from the local cache; if that fails, it initiates a DNS resolution request based on the application domain name and obtains the corresponding IP address, namely the IP address of the application server that the application domain name points to, from the response to that request. Because the application server is deployed in the intranet and does not need a public network IP address, the IP address corresponding to the application domain name is generally an intranet IP address. To enable the proxy server to obtain it, the application domain name and the corresponding IP address may be stored locally on the proxy server in advance or configured on the DNS server.
Since the proxy server can only communicate with the application server through the accessor corresponding to that application server, the proxy server first needs to determine the accessor corresponding to the application domain name. Specifically, as described above, after receiving a connection instruction issued by the controller, the accessor actively establishes a tunnel connection with the proxy server. The accessor can also synchronize to the proxy server, based on a dynamic routing protocol, the service network segments of the application servers it corresponds to, where those application servers and the accessor are deployed in the same local area network. The dynamic routing protocol may be Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), Border Gateway Protocol (BGP), or the like, and can be chosen flexibly according to the actual application scenario. The proxy server can therefore learn, from each connected accessor and based on the dynamic routing protocol, the service network segments of the application servers corresponding to that accessor, and treat them as the service network segment of the accessor. On this basis, using the learned service network segment of each accessor and the IP address corresponding to the application domain name, the proxy server determines the accessor whose service network segment contains the IP address as the accessor for forwarding the second access request.
For a multi-tenant scenario, after receiving a customer add instruction issued by a controller, a proxy server may correspondingly create an application manager for specifically serving the added customer, and add a pair of virtual network card interfaces (veth) locally for data interaction between the proxy program in the proxy server and the application manager. In order to realize data isolation among tenants, when the accessor establishes tunnel connection with the proxy server according to a connection instruction issued by the controller, the accessor can establish tunnel connection with the corresponding application manager and synchronize the corresponding service network segment to the application manager based on a dynamic routing protocol, so that the application manager can acquire the service network segment corresponding to each accessor establishing tunnel connection with the application manager.
After confirming the application domain name corresponding to the request domain name in the first access request, the proxy server may select a corresponding application manager from the local multiple application managers according to the application domain name, and forward the generated second access request to the application manager, specifically, forward the second access request through the created virtual network card interface.
After receiving the second access request, the application manager may first analyze the request domain name, that is, the application domain name, to obtain the corresponding IP address, where the method for obtaining the IP address may refer to the foregoing embodiments, and is not described in detail. Similarly, after the application manager obtains the IP address corresponding to the application domain name, it may determine, according to the service network segment corresponding to each accessor obtained by the application manager and the IP address, that the accessor in the service network segment including the IP address is an accessor used for forwarding the second access request. In this embodiment, for an application scenario of multiple tenants, data isolation between tenants can be achieved by creating a corresponding application manager on the proxy server, so that data security of each tenant is ensured, and meanwhile, the utilization rate of equipment can be improved, and equipment resources are saved.
In one implementation, to ensure data security and high availability of the system, a customer deploys the same application server in different local area networks, so the same IP address may belong to the service network segments of different accessors. In this case, the service state of each application server may be monitored by adding a probe mechanism, for example by checking the service state of the application server in real time or periodically by means of tcping, and the accessor for forwarding the second access request is selected based on that service state. This further ensures that the client's access request receives a normal response and improves the user experience.
S4: sending the second access request to the accessor, so that the second access request is forwarded to the application server through the accessor.
Specifically, after determining the accessor, the proxy server or the application manager may forward the second access request to the accessor through a tunnel established with the accessor, forward the second access request to the corresponding application server through the accessor, receive response data fed back by the application server, and finally send the received response data to the client, thereby completing the process of accessing the proxy.
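The following Python sketch is an added example, not code from the patent or from the applicant, showing the decision logic of steps S1 to S4 in the multi-tenant case: proxy-domain lookup with denial of unknown names, request-domain rewriting, cache-first address resolution, and accessor selection by service network segment and service state. All class and function names, the accessor names, the addresses, the N1.b.com / P3.vpn.com pair and the numeric status codes are assumptions made for the illustration; tunnels, DNS and probing are replaced by in-memory data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Accessor:
    name: str
    segments: list          # service network segments advertised over the tunnel
    healthy: bool = True    # outcome of the service-state probe (e.g. tcping)

    def serves(self, ip):
        return any(ip in ipaddress.ip_network(s) for s in self.segments)


@dataclass
class ApplicationManager:
    """Per-tenant state: only this tenant's accessors and name records."""
    tenant: str
    accessors: list
    dns_cache: dict = field(default_factory=dict)
    resolver: object = None  # hypothetical fallback: callable(domain) -> IP string

    def resolve(self, app_domain):
        # Local cache first, then the DNS fallback, as in the description.
        ip = self.dns_cache.get(app_domain)
        if ip is None and self.resolver is not None:
            ip = self.resolver(app_domain)
            if ip is not None:
                self.dns_cache[app_domain] = ip
        if ip is None:
            raise LookupError(f"no address for {app_domain}")
        return ipaddress.ip_address(ip)

    def pick_accessor(self, app_domain):
        ip = self.resolve(app_domain)
        candidates = [a for a in self.accessors if a.serves(ip)]
        healthy = [a for a in candidates if a.healthy]
        if not healthy:
            raise LookupError(f"no usable accessor for {ip}")
        return healthy[0]


class ProxyServer:
    def __init__(self):
        self.mapping = {}    # proxy domain -> (application domain, tenant)
        self.managers = {}   # tenant -> ApplicationManager

    def add_customer(self, manager, domain_map):
        # Domain names are case-insensitive, so keys are stored in lower case.
        self.managers[manager.tenant] = manager
        for proxy_domain, app_domain in domain_map.items():
            self.mapping[proxy_domain.lower()] = (app_domain.lower(), manager.tenant)

    def handle(self, first_request):
        # S1: normalise the request domain (drop port and trailing dot).
        host = first_request["host"].split(":", 1)[0].rstrip(".").lower()
        entry = self.mapping.get(host)
        if entry is None:
            # Unknown proxy domain is an illegal request; 403 is an assumed code.
            return {"action": "deny", "status": 403}
        app_domain, tenant = entry
        second_request = dict(first_request, host=app_domain)            # S2
        try:
            accessor = self.managers[tenant].pick_accessor(app_domain)   # S3
        except LookupError:
            return {"action": "deny", "status": 502}                     # assumed code
        return {"action": "forward", "tenant": tenant,                   # S4
                "accessor": accessor.name, "request": second_request}


def build_sample():
    """Constructed data modelled on the Enterprise A / Enterprise B scenario.

    Both tenants use 10.1.0.0/16 on purpose: selection is scoped to the
    tenant's own application manager, so the overlap never crosses tenants.
    """
    proxy = ProxyServer()
    a = ApplicationManager("enterprise-a", [
        Accessor("a-dc1", ["10.1.0.0/16"], healthy=False),
        Accessor("a-dc1-standby", ["10.1.0.0/16"]),
        Accessor("a-dc2", ["10.2.0.0/16"]),
    ], {"m1.a.com": "10.1.0.10", "m2.a.com": "10.2.0.10"})
    b = ApplicationManager("enterprise-b", [Accessor("b-dc1", ["10.1.0.0/16"])],
                           {"n1.b.com": "10.1.0.10"})
    proxy.add_customer(a, {"P1.vpn.com": "M1.a.com", "P2.vpn.com": "M2.a.com"})
    proxy.add_customer(b, {"P3.vpn.com": "N1.b.com"})
    return proxy
```

Because the DNS rule sends every name under the proxy flag to the proxy server, names that were never issued still arrive there, which is why the lookup in `handle` has to fail closed.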
In summary, based on the application access method provided in the embodiments of the present application, a tunnel connection may be pre-established through a proxy server deployed in a public network and an accessor deployed in an intranet, so as to transmit an access request initiated by a client to an intranet application, and not only is it unnecessary to expose information of the application server to a user, but also the accessor does not need to configure a public network IP or perform port mapping, thereby avoiding an intranet service device from being maliciously attacked due to address exposure, and ensuring data security of the intranet. Furthermore, for an application scenario of multiple tenants, the proxy server can process access requests for different clients by correspondingly creating the application manager locally, so that not only is data isolation between tenants realized, but also data transmission safety of each tenant is guaranteed, and equipment utilization rate is improved.
Based on the same inventive concept, the present application further provides a proxy server, please refer to fig. 3, where the proxy server includes a memory and a processor, the memory is used for storing a computer program, and the computer program, when executed by the processor, implements the application access method described above.
The application also provides a distributed proxy service cluster, which comprises the proxy server.
The application also provides an application access transmission system, which comprises a controller, the above proxy server or the above distributed proxy service cluster, at least one application server, and an accessor deployed in the same local area network with the application server, wherein the controller issues tenant information corresponding to the application server to the proxy server or the cluster, and issues a connection instruction to the accessor, and the connection instruction is used for indicating the accessor and the proxy server or a proxy server in the cluster to establish tunnel connection.
In one embodiment, before issuing the connection instruction, the controller selects a preferred proxy server from the cluster according to geographical location information, and instructs the accessor, through the connection instruction, to establish a tunnel connection with that proxy server.
In one embodiment, the system comprises at least two identical application servers, wherein the at least two application servers belong to the same tenant and are deployed in different local area networks.
Therefore, according to the technical scheme provided by the application, the proxy server can be deployed between the client of the user and the application server for storing the application resources, meanwhile, the proxy server does not directly communicate with the application server, but establishes communication with the accessor, and subsequently initiates resource access to the application server through the accessor. The accessor and the application server can be deployed in the same local area network, and the communication safety between the accessor and the application server is guaranteed.
In the whole resource access process, the client only interacts with the proxy server through the proxy domain name, and the real resources of the application server are not exposed to the client. In addition, the accessor, which is in the same local area network as the application server, can reach the public network environment without configuring a public network IP address or performing port mapping, so that the accessor can avoid attacks from the public network. Moreover, the communication between the accessor and the application server takes place inside the data center, so its security is high, and the application server can be further prevented from being attacked by a malicious user.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the proxy server, reference may be made to the introduction of embodiments of the method described above for a comparative explanation.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (13)

1. An application access method, which is applied in a proxy server, wherein the proxy server is deployed in a public network, and the method comprises:
receiving a first access request sent by a client, wherein a request domain name in the first access request is a proxy domain name;
replacing the request domain name in the first access request with the application domain name corresponding to the proxy domain name to generate a second access request;
determining an accessor used for forwarding the second access request according to the IP address corresponding to the application domain name, wherein the accessor and an application server corresponding to the application domain name are deployed in the same local area network;
sending the second access request to the accessor, so that the second access request is forwarded to the application server through the accessor.
2. The method of claim 1, wherein a plurality of application managers are created on the proxy server, and wherein generating the second access request further comprises:
the proxy server selects the corresponding application manager according to the application domain name;
forwarding the second access request to the application manager.
3. The method according to claim 2, wherein the application manager is created by the proxy server for each client based on client information issued by the controller, wherein the client information includes a mapping relationship between an application domain name and a proxy domain name, and the replacing the request domain name in the first access request with the application domain name corresponding to the proxy domain name includes:
determining the application domain name corresponding to the proxy domain name based on the mapping relationship.
4. The method according to claim 2, wherein each of the application managers establishes a tunnel connection with a different one of the accessors, and acquires a service network segment from the accessor with which the connection is established, and the determining, according to the IP address corresponding to the application domain name, an accessor used for forwarding the second access request specifically includes:
the application manager receives the second access request;
acquiring the IP address corresponding to the application domain name in the second access request;
determining, according to the service network segment and the IP address, the accessor whose service network segment contains the IP address as the accessor used for forwarding the second access request.
5. The method according to claim 4, wherein if there are a plurality of accessors whose service network segments contain the IP address, the accessor used for forwarding the second access request is determined according to a service state of the application server corresponding to each accessor.
6. The method according to claim 4, wherein the method for obtaining the IP address corresponding to the application domain name in the second access request specifically comprises:
the application manager acquires the IP address corresponding to the application domain name from a local cache; or
initiating a DNS resolution request based on the application domain name so as to acquire the IP address from response information of the DNS resolution request.
7. The method according to claim 4, wherein the step of each of the application managers respectively establishing tunnel connections with different accessors specifically comprises:
the application manager receives a tunnel establishment request sent by the accessor and establishes tunnel connection with the accessor, wherein the accessor sends the tunnel establishment request based on a connection instruction sent by a controller.
8. The method of claim 4, wherein the obtaining a service network segment from the accessor with which the connection is established specifically comprises:
the application manager learns the service network segment issued by the accessor based on a dynamic routing protocol.
9. A proxy server, characterized in that it comprises a memory for storing a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8, and a processor.
10. A distributed proxy service cluster, characterized in that said cluster comprises a proxy server according to claim 9.
11. An application access transmission system, comprising a controller, the proxy server according to claim 9 or the distributed proxy service cluster according to claim 10, at least one application server, and an accessor deployed in the same local area network as the application server, wherein the controller issues tenant information corresponding to the application server to the proxy server or the cluster, and issues a connection instruction to the accessor, and the connection instruction is used for instructing the accessor to establish a tunnel connection with the proxy server or a proxy server in the cluster.
12. The system of claim 11, wherein the controller selects a preferred proxy server from the cluster based on geographic location information before issuing the connection instruction, and instructs the accessor, via the connection instruction, to establish a tunnel connection with that proxy server.
13. The system of claim 11, wherein the system comprises at least two identical application servers belonging to the same tenant and deployed in different local area networks.
CN202110534251.8A 2021-05-17 2021-05-17 Application access method and proxy server Pending CN113364741A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110534251.8A CN113364741A (en) 2021-05-17 2021-05-17 Application access method and proxy server

Publications (1)

Publication Number Publication Date
CN113364741A true CN113364741A (en) 2021-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210907