CN117097591B - Application security access gateway system and route forwarding method - Google Patents


Info

Publication number: CN117097591B
Application number: CN202311356991.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN117097591A
Legal status: Active
Prior art keywords: filter, application, route, forwarding, service
Inventors: 邓大建, 张捷, 黄浩, 阮正平, 宋卫平, 高攀, 田富强, 谷波, 席萌
Current assignee: Sichuan Zhongdian Aostar Information Technologies Co ltd
Original assignee: Sichuan Zhongdian Aostar Information Technologies Co ltd
Events: application filed by Sichuan Zhongdian Aostar Information Technologies Co ltd; priority to CN202311356991.2A; publication of CN117097591A; application granted; publication of CN117097591B

Classifications

All codes fall under H04L (Transmission of digital information, e.g. telegraphic communication) except the last, which falls under Y02D (Climate change mitigation technologies in ICT):

    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L45/54 Organization of routing tables
    • H04L45/745 Address table lookup; Address filtering
    • H04L63/0428 Network security protocols for a confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/123 Applying verification of the received data contents, e.g. message integrity
    • H04L63/1466 Countermeasures against active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses an application security access gateway system and a route forwarding method. The system comprises a background management system and a service gateway system, and the service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter. The gateway cluster is divided into a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with a global routing table, and each application corresponds to a virtual forwarder. The front-end router matches the route object according to the global routing table; the global routing table provides the matching basis and strategy for the front-end router; the routing group table is responsible for the route forwarding of all requests; the global forwarding filter realizes the copy forwarding and protocol conversion of the request data packet. The invention has a flexible and expandable cluster architecture, supports linear and non-stop expansion of the gateway service, automatically splits request traffic and ensures stable operation of the service.

Description

Application security access gateway system and route forwarding method
Technical Field
The invention belongs to the technical field of network data transmission, and particularly relates to an application security access gateway system and a route forwarding method.
Background
In the process of enterprise digitization and mobile office construction, with the gradual popularization of mobile platforms such as Enterprise WeChat, more and more core services move to mobile office, which places higher requirements on the security of service data: the security of service data during transmission over the internet must be ensured.
In the prior art, the security interaction platform built uniformly within the enterprise's existing architecture can partially meet the network transmission security requirements of the service data of offline applications on the mobile platform. As shown in FIG. 1, the security interaction platform mainly consists of three modules: the security interaction background, the security interaction agent and the JS-SDK. The security interaction background is deployed uniformly in the enterprise data center and serves as the single entrance for internet requests from mobile terminals; it forwards each request to the background service of the corresponding business application. The JS-SDK is provided as an integrated component to the APP on the mobile terminal; through the interface provided by the JS-SDK, the security interaction agent process can be started on the mobile phone and the access address of the security interaction agent obtained. The security interaction agent and the security interaction background establish a secure network channel; all service request addresses of the mobile APP are access addresses of the security interaction agent, and the service requests are forwarded to the background service through the established secure channel.
At present, most commonly used service gateway systems are realized by extending Spring Cloud Gateway: routes are built dynamically from a registry component or statically from a configuration file, and by default the system only has a basic request route forwarding function, so the following problems mainly exist:
(1) The existing service gateway system can only manage access with the micro-service as the unit, and the constructed routing table also takes the micro-service as its unit. In actual production operation and maintenance, the management unit is the business system. Under the micro-service architecture a large business system consists of many micro-service components, so the micro-services of a business system need to be packaged as a whole and managed and configured uniformly.
(2) Only basic route forwarding is provided, without complete security protection measures. The gateway serves as the unified entrance of the business system, so beyond basic request route forwarding it also needs the security protection measures required to protect the interfaces and data of the business system.
(3) Configuration parameters cannot be maintained online and take effect in real time. Traditionally, system parameters are maintained in configuration files and the system must be restarted before changed parameters take effect; interrupting service in a high-concurrency gateway system in this way is not acceptable.
(4) Only dynamic routing through the registry or static routing through the configuration file is supported. The configuration parameters of a static route cannot be edited online, and the service gateway must be restarted after static route parameters are modified.
(5) Multiple application-layer network protocols are not supported; gateway services generally support only the HTTP/HTTPS protocols. Industry urgently needs support for multiple mainstream network data transmission protocols (e.g. WebSocket, Dubbo) and for private data transmission protocols through a protocol parsing and extension mechanism.
(6) Apart from the conventional route matching policy based on the application request path, there is no extension mechanism for flexible route matching, e.g. policies based on request metadata or client source address. For applications using private data transfer protocols, the route matching policy should be quickly customizable.
(7) As more applications are connected, the global routing table becomes huge, so the route matching efficiency for request data packets drops sharply and application efficiency and throughput are seriously affected.
With the development of various distributed development frameworks, distributed network data communication protocols for different purposes are adopted, such as the cross-platform application-layer text protocol HTTP, binary proprietary RPC protocols over TCP/IP, and the full-duplex application-layer protocol WebSocket. A service mechanism is needed that uniformly manages and coordinates access over the various protocols and the routing of their packets. Secondly, as more and more applications are connected, the global routing table grows, request route matching efficiency is seriously affected, and the throughput of the whole system falls. The application access management architecture as a whole cannot achieve true horizontal scaling of service capacity or spread application request traffic.
Disclosure of Invention
The invention aims to provide an application security access gateway system and a route forwarding method that solve the above problems.
The invention is realized mainly by the following technical scheme:
the application security access gateway system comprises a background management system and a service gateway system. The background management system provides a WEB terminal management interface, application access management and application configuration parameter maintenance. The service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port: the service port receives requests and sends them to the front-end router, and the management port is used for access by the background management system;
the gateway cluster is divided into a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with its own global routing table, and the background management system connects an application's services to the gateway cluster group with the corresponding sub-domain name; each connected application corresponds to a virtual forwarder, which is responsible for the route forwarding of all requests of that application and comprises an application configuration module and a routing group table;
the front-end router parses the data communication protocol used by the request data packet, matches a route object according to the global routing table of the gateway cluster group of the corresponding application, and sends the successfully matched route object to the virtual forwarder of the corresponding application; the global routing table maintains static and dynamic routing information and provides the API request matching basis and strategy for the front-end router; the application configuration module creates static routes and pushes them to the global routing table, and the registry obtains application service information, creates dynamic routes and pushes them to the global routing table; the routing group table is responsible for the route forwarding of all requests of the application and hands them to the global forwarding filter; the global forwarding filter manages network communication with the remote application and realizes the copy forwarding and protocol conversion of the request data packet.
To better implement the present invention, the routing group table further comprises a filter chain module for executing a filter chain and a forwarding module for forwarding requests to the global forwarding filter.
To better implement the present invention, the filter chain further comprises an HTTP check filter, an authentication and authorization filter, an encryption and decryption filter, an anti-replay filter, an XSS filter and an SQL injection filter, arranged in that order from front to back.
To better implement the present invention, the routing entries in the global routing table are further divided, by matching priority from high to low, into a static adjustment group, a dynamic adjustment group and a default group.
To better implement the present invention, the background management system further comprises an application access module, a route forwarding module, a security configuration module and a configuration distribution module. The application access module configures the SM2 national cryptographic key pair used for data encryption and signing; the route forwarding module configures the route forwarding rules from which routes are built; the security configuration module configures the filter chain; the configuration distribution module distributes changed application configuration parameters to all service gateways in real time using an active push mode.
The route forwarding method of the application security access gateway is carried out with the gateway system described above and comprises the following steps:
step S100: the background management system interacts with the service gateway system to connect the application system;
step S200: after the application system is successfully connected, all of its requests must be routed and forwarded through the service gateway system:
step S201: the client sends a request to the service port of the service gateway system; after the service gateway system receives the request, the front-end router matches a route according to the matching strategy of the global routing table; if no route matches, the service gateway system directly returns an error prompt, and if a route matches successfully, step S202 is entered;
step S202: the request is handed to the virtual forwarder for processing; the virtual forwarder executes the filter chain, which runs each filter in turn; if a filter fails, an error prompt is returned directly, otherwise, after the filter chain has completed, the forwarding module forwards the request to the global forwarding filter;
step S203: the global forwarding filter copies the request and forwards it to the remote application; the remote application processes the request and returns a response to the global forwarding filter, which processes the response; if processing fails, an error prompt is returned to the server, otherwise a normal response is returned to the client.
To better implement the present invention, step S202 further comprises the following steps:
step A1: the HTTP check filter first checks the message headers related to cross-domain requests and request methods in the HTTP protocol; for cross-domain requests, the values of the Referer and Origin headers are checked against a trusted domain name white list, and only the GET and POST request methods are allowed;
step A2: the authentication and authorization filter verifies the caller's identity and checks its access rights to the application interface;
step A3: the encryption and decryption filter uses a combination of the national cryptographic algorithms SM2 and dynamic SM4 to decrypt the HTTP request body and encrypt the response body;
step A4: the anti-replay filter generates a message header according to the specified algorithm and protocol, and the service gateway system checks this header to determine whether the request is a repeated request;
step A5: the tamper-resistant filter signs the request data, and the service gateway system checks whether the signatures of the data are consistent; if not, the request data has been tampered with;
step A6: the XSS script attack filter and the SQL injection filter check, by regular expressions, whether related keywords are present in the request parameters and the request body respectively.
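The filter chain of steps A1 to A6 written out in Python as an added example; this is not the patent's code, and it makes several assumptions the text leaves open: the caller token, timestamp, nonce and signature travel in the hypothetical headers X-Token, X-Timestamp, X-Nonce and X-Signature; HMAC-SHA256 stands in for the SM2 signature (the standard library has no SM2/SM4), so the encryption and decryption filter is left out; and the token table, trusted origin, key and replay window are constructed values. Each filter returns None to pass the request on or an error string that stops the chain, which is the short-circuit behaviour step S202 describes.

```python
import hashlib, hmac, re, time
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict
    body: str

# Per-application security configuration; every value here is constructed for the example.
APP_CONFIG = {
    "trusted_origins": {"https://portal.example.com"},
    "allowed_methods": {"GET", "POST"},
    "tokens": {"tok-alice": {"/api/orders"}},  # caller token -> permitted interfaces
    "sign_key": b"constructed-shared-secret",
    "replay_window": 300,  # seconds of clock skew tolerated
}

def http_check(req, cfg, ctx):
    """HTTP check filter: method allow-list; Referer/Origin against the trusted domain list."""
    if req.method not in cfg["allowed_methods"]:
        return "method not allowed"
    for name in ("Referer", "Origin"):
        value = req.headers.get(name)
        if value is None:
            continue
        parts = urlsplit(value)  # compare scheme://host exactly, not as a string prefix
        if f"{parts.scheme}://{parts.netloc}" not in cfg["trusted_origins"]:
            return f"untrusted {name}"
    return None

def auth_check(req, cfg, ctx):
    """Authentication/authorization filter: identify the caller, check interface permission."""
    perms = cfg["tokens"].get(req.headers.get("X-Token", ""))
    if perms is None:
        return "unauthenticated"
    return None if req.path in perms else "interface not authorized"

def replay_check(req, cfg, ctx):
    """Anti-replay filter: timestamp inside the window and a nonce not seen before."""
    try:
        ts, nonce = int(req.headers["X-Timestamp"]), req.headers["X-Nonce"]
    except (KeyError, ValueError):
        return "missing replay headers"
    if abs(ctx["now"] - ts) > cfg["replay_window"] or nonce in ctx["seen"]:
        return "replayed or stale request"
    ctx["seen"].add(nonce)
    return None

def sign(req, key):
    """Signature over the fields a tamperer could change (HMAC-SHA256 stands in for SM2)."""
    msg = "\n".join([req.method, req.path, req.headers.get("X-Timestamp", ""),
                     req.headers.get("X-Nonce", ""), req.body]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def tamper_check(req, cfg, ctx):
    """Tamper-resistant filter: recompute the signature and compare in constant time."""
    ok = hmac.compare_digest(sign(req, cfg["sign_key"]).encode(),
                             req.headers.get("X-Signature", "").encode())
    return None if ok else "signature mismatch"

SUSPICIOUS = re.compile(r"<\s*script\b|javascript:|\bunion\s+select\b|\bor\s+1\s*=\s*1\b", re.I)

def keyword_check(req, cfg, ctx):
    """XSS and SQL injection filters: regular-expression scan of parameters and body."""
    for value in list(req.params.values()) + [req.body]:
        if SUSPICIOUS.search(value):
            return "suspicious keyword"
    return None

FILTER_CHAIN = [http_check, auth_check, replay_check, tamper_check, keyword_check]

def run_chain(req, cfg=APP_CONFIG, ctx=None):
    """Run the filters front to back; the first failure short-circuits with an error prompt."""
    ctx = ctx if ctx is not None else {"now": int(time.time()), "seen": set()}
    for flt in FILTER_CHAIN:
        err = flt(req, cfg, ctx)
        if err is not None:
            return False, f"{flt.__name__}: {err}"
    return True, "forward to global forwarding filter"

def signed_request(body, nonce, ts, cfg=APP_CONFIG, method="POST", path="/api/orders"):
    """Build a request the way a cooperating client SDK would, signature included."""
    headers = {"Origin": "https://portal.example.com", "X-Token": "tok-alice",
               "X-Timestamp": str(ts), "X-Nonce": nonce}
    req = Request(method, path, headers, {}, body)
    req.headers["X-Signature"] = sign(req, cfg["sign_key"])
    return req

if __name__ == "__main__":
    ctx = {"now": 1_700_000_000, "seen": set()}
    first = signed_request('{"item": 1}', "nonce-1", 1_700_000_000)
    print(run_chain(first, ctx=ctx))  # passes every filter
    print(run_chain(first, ctx=ctx))  # same nonce again: rejected by replay_check
```

Two points the order of the chain makes visible: the anti-replay nonce is recorded only after the cheaper header and identity checks pass, so an unauthenticated caller cannot fill the nonce store, and the signature covers the timestamp and nonce, so a replay cannot be "refreshed" by editing those headers without also re-signing. The nonce set here lives in memory and never expires; a clustered gateway would need a shared store with a TTL matching the replay window.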
To better implement the present invention, step S100 further comprises the following steps:
step S101: the user operates the application configuration through the UI provided by the background management system, and the background management system persists the application configuration data in a relational database;
step S102: the service gateway system receives the application configuration parameter list on its management port, and the virtual forwarder component in the service gateway system updates the routing group table according to the list, updating the application's route forwarding rules and filter chain;
step S103: the routing group table component pushes the configured static routes to the global routing table component, which updates its routing table information according to the static route configuration;
step S104: the service gateway system listens on a management port and a service port; the management port serves the control plane and handles application configuration parameters and queries of the service gateway's running state indicators; the service port serves the data plane and handles the service requests of the application system.
The beneficial effects of the invention are as follows:
(1) The gateway cluster is divided into a plurality of gateway cluster groups with independent sub-domain names, giving the gateway system a flexible and expandable cluster architecture that supports linear, non-stop expansion of the gateway service, splits request traffic automatically and ensures stable operation of the service;
(2) The global routing table improves route matching performance through cluster sharding and a priority ordering of route entries: when matching a route, the entries of the static adjustment group are evaluated first, then the route entries of the dynamic adjustment group, and finally the default group entries. This design lets an administrator override the result of dynamic adjustment, improves the request matching performance of the service gateway and has good practicability;
(3) The invention provides a unified network entrance for application requests, realizes standardized and normalized application access management, reduces the difficulty of application access and lowers its cost; it supports simultaneous access by multiple types of applications and per-application security parameter configuration; the gateway system offers high concurrency, security and stability, meets the requirements of multiple types of application access, supports the secure access requirements of WEB applications and REST applications, has good universality and adaptability, has little impact on the application system, and access can be completed with a small amount of modification to the business system;
(4) The invention realizes request route forwarding and security checking through the working mechanism of the routing group and the filter chain, and realizes online management and real-time push updates of configuration parameters; the routing table supports dynamic and static routes, and static routes can also be edited online through the background management function. Application configuration parameters can be adjusted as needed through background management and pushed to the service gateway in real time, and the service gateway updates the routing group table in real time according to them;
(5) The invention secures application data during network transmission and authorizes access to service interfaces, ensuring data integrity and confidentiality through application-layer encryption, decryption and signing. In addition, the service gateway intercepts XSS script attacks and SQL injection, and protects HTTP cross-domain requests and message headers.
Drawings
FIG. 1 is a functional block diagram of a prior secure interactive platform;
FIG. 2 is a diagram of a deployment architecture of the present invention;
FIG. 3 is a general framework diagram of the application security access gateway system of the present invention;
FIG. 4 is a diagram of the creation of a global routing table;
FIG. 5 is a schematic diagram of the front-end router process;
FIG. 6 is a gateway cluster group relationship diagram;
FIG. 7 is a diagram of a gateway global routing table packet relationship;
FIG. 8 is a timing diagram of application configuration parameter management and real-time publishing;
FIG. 9 is a timing diagram of request route forwarding;
FIG. 10 is a timing diagram of filter chain execution;
FIG. 11 is a schematic diagram of the operation of the registry.
Detailed Description
Example 1:
In the application security access gateway system, as shown in FIG. 2, the service gateway adopts a cluster deployment mode: the gateway cluster is divided into a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with its own global routing table, and application services are associated with specific gateway cluster groups through those sub-domain names, so clients access an application service using the sub-domain name of the corresponding cluster group. A virtual forwarder, i.e. a routing group table, is provided for each application service.
Preferably, as shown in FIG. 11, the service provider registers its service-related information in a registry, which maintains the service register, and the service gateway regularly pulls the register information from the registry and updates its routing table information. Preferably, the information a service provider registers in the registration center comprises a service ID, a protocol, an IP address and a port. The registry detects the health status of the service provider through a heartbeat mechanism; if it detects that a service is down, it deletes that service's registration information from the register.
Preferably, the gateway system comprises a background management system and a service gateway system; the background management system provides a WEB terminal management interface, application access management and application configuration parameter maintenance. As shown in FIG. 3, the service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port: the service port receives requests and sends them to the front-end router, and the management port is used for access by the background management system.
Preferably, the gateway cluster is divided into a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with its own global routing table, and the background management system connects an application's services to the gateway cluster group with the corresponding sub-domain name; each connected application corresponds to a virtual forwarder, which is responsible for the route forwarding of all requests of that application and comprises an application configuration module and a routing group table.
Preferably, the front-end router parses the data communication protocol used by the request packet, matches a route object according to the global routing table of the gateway cluster group of the corresponding application, and sends the successfully matched route object to the virtual forwarder of the corresponding application; the global routing table maintains static and dynamic routing information and provides the API request matching basis and strategy for the front-end router; the application configuration module creates static routes and pushes them to the global routing table, and the registry obtains application service information, creates dynamic routes and pushes them to the global routing table; the routing group table is responsible for the route forwarding of all requests of the application and hands them to the global forwarding filter; the global forwarding filter manages network communication with the remote application and realizes the copy forwarding and protocol conversion of the request data packet. Preferably, the routing entries in the global routing table are classified, by matching priority from high to low, into a static adjustment group, a dynamic adjustment group and a default group.
Preferably, the routing group table comprises a filter chain module for executing a filter chain and a forwarding module for forwarding requests to the global forwarding filter. Preferably, the filter chain comprises an HTTP check filter, an authentication and authorization filter, an encryption and decryption filter, an anti-replay filter, an XSS filter and an SQL injection filter, arranged in that order from front to back.
Preferably, the background management system comprises an application access module, a route forwarding module, a security configuration module and a configuration distribution module; the application access module configures the SM2 national cryptographic key pair used for data encryption and signing; the route forwarding module configures the route forwarding rules from which routes are built; the security configuration module configures the filter chain; the configuration distribution module distributes changed application configuration parameters to all service gateways in real time using an active push mode.
Dividing the gateway cluster into a plurality of gateway cluster groups with independent sub-domain names gives the gateway system a flexible and expandable cluster architecture that supports linear, non-stop expansion of the gateway service and automatically splits request traffic to ensure stable operation of the service. The global routing table of the present invention improves route matching performance through cluster sharding and route entry prioritization policies. The invention provides a unified network entrance for application requests and realizes standardized and normalized application access management; it supports simultaneous access by multiple types of applications and per-application security parameter configuration; the gateway system offers high concurrency, security and stability, meets the requirements of multiple types of application access, supports the secure access requirements of WEB applications and REST applications, has good universality and adaptability, has little impact on the application system, and access can be completed with a small amount of modification to the business system.
Example 2:
The application security access gateway system comprises a background management system and a service gateway system, as shown in fig. 3. The service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port; the service port receives requests and passes them to the front-end router, and the management port is used for access by the background management system.
The background management system provides a WEB-terminal management interface and is responsible for application access management and maintenance of application configuration parameters, which comprise route forwarding rules, the security configuration and an SM2 key pair (SM2 being the Chinese national public-key cryptographic standard). The route forwarding rules are used to construct routes, the security configuration is used to configure the filter chain, and the SM2 key pair is used for data encryption and signing. After application configuration parameters are changed, the background management system distributes them to all service gateways in real time in active push mode.
As shown in fig. 2, to support high concurrency and high availability, service gateways are usually deployed as a cluster located at the network boundary behind the firewall. The service gateway and the application services are usually deployed in the same data center, and the service gateway and the application services (application data center) communicate over the local area network. To protect the application configuration parameters, the background management system and the management terminals are likewise usually deployed within the local area network. The client network environment is comparatively complex and may be a corporate local area network or the Internet.
As shown in fig. 4, the global routing table module maintains static and dynamic routing information. Dynamic routes are created automatically from application service information obtained through the registry; static routes are created as required from the application configuration module, and static routes are given higher priority than dynamic routes. Preferably, the registry supports a variety of third-party service providers, such as Alibaba Cloud, Huawei Cloud and service governance services. The global routing table provides the front-end router with the basis and policy for API request matching.
As shown in fig. 5, the front-end router processes API request packets: it parses the data communication protocol used by the request packet and matches a route object against the global routing table. The global routing table matches route objects according to the data communication protocol and the matching policy configured for each route. Preferably, the route matching policy is an open interface that can match route objects on the communication protocol and on characteristics of the request packet. Common matching policy implementations include request path matching, request metadata matching and request parameter matching; a more powerful matching rule can be obtained by logically combining several matching policies.
The virtual forwarder completes request forwarding according to the matched route object. The virtual forwarder is an application-oriented functional module: each accessed application corresponds to one virtual forwarder, which is responsible for routing and forwarding all requests of that application. The global forwarding filter manages network communication with the remote application and implements copy forwarding and protocol conversion of request packets. Since each route object in the global routing table also belongs to an application, the corresponding virtual forwarder can be found directly from the application to complete the forwarding.
The main difference between the global routing table and the routing group table is the object they serve: the global routing table serves the front-end router of the service gateway, with one route per microservice, whereas the routing group table serves an application system. A routing group consists of at least one route, a forwarding module and a filter chain. The routing group table is created from the application configuration parameters, and each routing group corresponds to one accessed application system. When the application configuration parameters change, the routing group table is updated synchronously in real time.
Preferably, as shown in fig. 6, a service cluster is the usual high-availability, high-throughput solution, in which several service nodes share the traffic load according to some load-balancing policy. However, in a single service cluster the number of nodes has an upper limit and cannot grow indefinitely. In addition, as the number of accessed applications grows the routing table becomes huge, more CPU time is spent evaluating route matching policies, and the performance of the whole service cluster drops. The invention therefore divides the large cluster into several small clusters (gateway cluster groups); each small cluster is exposed through a cloud-native SLB load-balancing service or another load-balancing component, and each is assigned an independent sub-domain name.
Preferably, as shown in fig. 7, once the gateway cluster is divided into several small clusters (gateway cluster groups), the global routing table is likewise split into several small routing tables, so that each table has fewer entries and route traversal and matching are faster. When an application is accessed, the background management system must manually specify which cluster group carries the application's access traffic, so the routing group of an application belongs to the global routing table of exactly one small cluster group, and clients access the application's service through the sub-domain name of that cluster group.
Preferably, by default the order of route entries in the global routing table is determined by application registration time. That order may not be optimal for the route matching policy: in the extreme case, the route entry of the application with the highest throughput is placed last, so every match first evaluates all preceding entries and only hits the target at the final entry. Each route entry is therefore given an order priority score; the higher the score, the higher the priority and the earlier the entry is evaluated. Two modes are provided for adjusting the scores of route entries in the global routing table: static adjustment, in which the administrator sets the score manually through a background management function, and dynamic adjustment, in which the score is calculated by some algorithmic strategy, for example from the application's concurrent accesses over a period of time, so that more accesses yield a higher score and a higher route entry priority. In dynamic adjustment mode the order of the route entries is adjusted automatically over time.
Preferably, the route entries in the global routing table are divided into three logical groups with priority from high to low: the static adjustment group, the dynamic adjustment group and the default group. During route matching the entries of the static adjustment group are evaluated first (the purpose of this design is to let the administrator override the result of dynamic adjustment), then the entries of the dynamic adjustment group, and finally those of the default group. The group to which an application's route entry belongs is configured by the administrator in the background management system.
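The routing-table behaviour described in the preceding paragraphs (one global routing table per sub-domain cluster group, combinable match policies, and route entries evaluated in static, dynamic, default group order with dynamic rescoring by traffic) is shown below as an added Python example. It is not the patent's code: the class and field names, the gw-a cluster group, the match-policy helpers and the sample requests are assumptions constructed for illustration.

```python
"""Global routing table: one table per sub-domain cluster group, combinable
match policies, and route entries tried in static > dynamic > default order.

Added example, not the patent's code.  The entry fields, the 'gw-a' cluster
group, the match-policy helpers and the sample requests are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict          # constructed shape: host, method, path, headers (lower-case names), query
Matcher = Callable[[Request], bool]
GROUP_RANK = {"static": 0, "dynamic": 1, "default": 2}   # evaluation order, highest priority first


def path_prefix(prefix: str) -> Matcher:
    return lambda r: r["path"].startswith(prefix)


def header_equals(name: str, value: str) -> Matcher:
    return lambda r: r["headers"].get(name.lower()) == value


def query_equals(name: str, value: str) -> Matcher:
    return lambda r: r["query"].get(name) == value


def all_of(*matchers: Matcher) -> Matcher:
    """Logical combination of several policies into one stronger match rule."""
    return lambda r: all(m(r) for m in matchers)


@dataclass
class RouteEntry:
    route_id: str
    app_id: str
    matcher: Matcher
    target: str                 # "lb://<service-id>" for a dynamic route, a concrete URL for a static one
    group: str = "default"      # static / dynamic / default adjustment group
    score: float = 0.0          # higher score is tried earlier inside its group
    registered_at: int = 0      # registration order breaks ties (the page's default ordering)


@dataclass
class GlobalRoutingTable:
    cluster_group: str
    entries: List[RouteEntry] = field(default_factory=list)
    hits: Counter = field(default_factory=Counter)
    last_comparisons: int = 0   # how many matchers ran before the last hit

    def ordered(self) -> List[RouteEntry]:
        return sorted(self.entries,
                      key=lambda e: (GROUP_RANK[e.group], -e.score, e.registered_at))

    def match(self, req: Request) -> Optional[RouteEntry]:
        self.last_comparisons = 0
        for entry in self.ordered():
            self.last_comparisons += 1
            if entry.matcher(req):
                self.hits[entry.route_id] += 1
                return entry
        return None             # the front-end router answers 404

    def rescore_dynamic(self) -> None:
        """Dynamic adjustment: score = hits in the last window; the static group is untouched."""
        for e in self.entries:
            if e.group == "dynamic":
                e.score = float(self.hits[e.route_id])
        self.hits.clear()


TABLES: Dict[str, GlobalRoutingTable] = {}   # cluster-group sub-domain -> its own routing table


def route(req: Request) -> Optional[RouteEntry]:
    sub_domain = req["host"].split(":")[0].split(".")[0]
    table = TABLES.get(sub_domain)
    return table.match(req) if table else None


def demo() -> Dict[str, object]:
    """Constructed scenario on cluster group gw-a: one static canary route, two dynamic routes."""
    t = GlobalRoutingTable("gw-a")
    TABLES["gw-a"] = t
    t.entries += [
        RouteEntry("r-orders", "orders", path_prefix("/api/orders"), "lb://order-service",
                   group="dynamic", registered_at=1),
        RouteEntry("r-report", "report", path_prefix("/api/report"), "lb://report-service",
                   group="dynamic", registered_at=2),
        RouteEntry("r-canary", "orders",
                   all_of(path_prefix("/api/orders"), header_equals("X-Canary", "1")),
                   "http://10.0.0.9:8080", group="static", registered_at=3),
    ]
    base = {"host": "gw-a.example.com", "method": "GET", "path": "/api/report/1",
            "headers": {}, "query": {}}
    canary = route(dict(base, path="/api/orders/1", headers={"x-canary": "1"}))
    for _ in range(5):
        route(base)               # report traffic dominates this window
    before = t.last_comparisons   # canary, orders, report: 3 matchers evaluated
    t.rescore_dynamic()
    route(base)
    after = t.last_comparisons    # canary, report: 2 matchers evaluated
    other_cluster = route(dict(base, host="gw-b.example.com"))
    return {"canary": canary.route_id, "before": before, "after": after,
            "other_cluster": other_cluster}
```

The static group is always evaluated first, so an administrator's canary rule wins even after dynamic rescoring has moved the hot route to the front of the dynamic group; a request for a sub-domain without a table (gw-b above) is not routed at all.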
A dynamic route differs from a static route in the forwarded URL address held in its data structure: the URL of a dynamic route uses the lb scheme, its host part is the service ID of a microservice, and at forwarding time the service registry information is used to convert the service ID into a real IP address and port.
Preferably, as shown in fig. 11, the interaction among the microservice registry, the service gateway and the service provider is as follows. After the service provider starts successfully, it registers its service information, including service ID, protocol, IP address and port, in the registry. The registry maintains a service registration table and detects the health of the service provider through a heartbeat mechanism; if a service is found to be down, the registry deletes its registration information. The service gateway periodically pulls registration information from the registry and updates the routing table.
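The resolution of an lb:// dynamic-route target through the registry, including heartbeat-based eviction of a dead instance, as an added Python example that is not the patent's code. The registration record layout, the 30-second heartbeat TTL, the round-robin choice among healthy instances and the order-service instances are assumptions constructed for illustration.

```python
"""Registry-backed resolution of an lb:// dynamic-route target: the registry keeps
instances alive by heartbeat, evicts the ones that stop beating, and the gateway's
snapshot turns the service ID into a concrete scheme://ip:port.

Added example, not the patent's code.  The record layout, the 30 s TTL, the
round-robin choice and the 'order-service' instances are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

HEARTBEAT_TTL = 30.0    # seconds without a heartbeat before the registry drops an instance (assumed)


@dataclass
class Instance:
    service_id: str
    scheme: str
    ip: str
    port: int
    last_heartbeat: float


@dataclass
class Registry:
    instances: Dict[str, List[Instance]] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=dict)   # per-service round-robin cursor

    def register(self, inst: Instance) -> None:
        """Called by a service provider after it has started successfully."""
        self.instances.setdefault(inst.service_id, []).append(inst)

    def heartbeat(self, service_id: str, ip: str, port: int, now: float) -> None:
        for inst in self.instances.get(service_id, []):
            if (inst.ip, inst.port) == (ip, port):
                inst.last_heartbeat = now

    def evict_dead(self, now: float) -> List[Instance]:
        """Delete registrations whose heartbeat is older than the TTL; returns what was removed."""
        dead: List[Instance] = []
        for service_id, lst in self.instances.items():
            alive = [i for i in lst if now - i.last_heartbeat <= HEARTBEAT_TTL]
            dead += [i for i in lst if i not in alive]
            self.instances[service_id] = alive
        return dead

    def pick(self, service_id: str) -> Instance:
        lst = self.instances.get(service_id) or []
        if not lst:
            raise LookupError(f"no healthy instance registered for {service_id!r}")
        n = self.counters.get(service_id, 0)
        self.counters[service_id] = n + 1
        return lst[n % len(lst)]


def resolve_target(url: str, registry: Registry, now: float) -> str:
    """Static routes carry a concrete URL and pass through; lb:// routes go through the registry."""
    parts = urlsplit(url)
    if parts.scheme != "lb":
        return url
    registry.evict_dead(now)        # the gateway works from the snapshot it pulls periodically
    inst = registry.pick(parts.hostname)
    return urlunsplit((inst.scheme, f"{inst.ip}:{inst.port}", parts.path, parts.query, ""))


def demo() -> Dict[str, object]:
    """Constructed timeline: two instances of order-service, one of which stops sending heartbeats."""
    reg = Registry()
    reg.register(Instance("order-service", "http", "10.0.1.11", 8080, last_heartbeat=0.0))
    reg.register(Instance("order-service", "http", "10.0.1.12", 8080, last_heartbeat=0.0))
    reg.heartbeat("order-service", "10.0.1.11", 8080, now=10.0)
    reg.heartbeat("order-service", "10.0.1.12", 8080, now=10.0)
    url = "lb://order-service/api/orders?page=1"
    both = {resolve_target(url, reg, now=20.0), resolve_target(url, reg, now=20.0)}
    reg.heartbeat("order-service", "10.0.1.11", 8080, now=50.0)   # 10.0.1.12 has gone silent
    only = {resolve_target(url, reg, now=60.0), resolve_target(url, reg, now=60.0)}
    static = resolve_target("http://10.0.2.5:9000/legacy", reg, now=60.0)
    try:
        resolve_target(url, reg, now=200.0)   # every instance is now past the TTL
        gone = None
    except LookupError as exc:
        gone = str(exc)
    return {"both": both, "only": only, "static": static, "gone": gone}
```

When no healthy instance remains the resolver raises rather than forwarding to a stale address; a gateway would turn that into a 5xx for the client instead of retrying a dead node.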
Example 3:
The application security access gateway route forwarding method is carried out with the gateway system described above: the background management system and the service gateway interact to bring an application system under access control. After the application system has been successfully accessed, all of its requests must be routed and forwarded through the service gateway.
Preferably, as shown in fig. 8, after the user operates on the application configuration parameters, the interaction between the background management system and the service gateway proceeds as follows:
the user operates the application configuration through the UI provided by the background management system, which persists the application configuration data in a relational database. The service gateway receives the application configuration parameter list on its management port; the virtual forwarder component in the service gateway updates the routing group table from that list, chiefly the application's route forwarding rules and filter chain. The routing group table component then pushes the configured static routes to the global routing table component, which updates its routing information from the static route configuration.
The service gateway listens on two ports, the management port and the service port. The management port serves the control plane and handles functions such as application configuration parameters and queries of service gateway running-state metrics; the service port serves the data plane and handles the application system's business requests. Separating the control plane from the data plane further improves the security of the service gateway, provided the management port is reachable only from the local area network in which the background management system is deployed.
Preferably, as shown in fig. 9, the route forwarding process for a service request is as follows:
after the application system has been successfully accessed, all requests must be routed and forwarded through the service gateway. The client in the figure may be the front-end interface of the application system or a third-party service system; the client sends the request to the service port of the gateway. On receiving the request, the service gateway matches a route according to the global routing table matching policy; if no route matches, the gateway directly returns a 404 error, and if a route matches, the request is handed to the virtual forwarder for the next processing step. The virtual forwarder executes the filter chain, which runs each filter in turn and directly returns a 400 error if any filter fails. After the filter chain has completed, the forwarding module forwards the request to the global forwarding filter, which replicates and forwards the request. The application service processes the request and responds; the global forwarding filter then processes the response and returns a 500 error if that processing fails.
Preferably, as shown in fig. 10, the filters in the filter chain execute as follows:
(1) Whether a filter in the filter chain executes is controlled by the application configuration parameters. The user can turn an individual filter function on or off by operating the application configuration parameters through the management interface; in the extreme case all filter functions may be turned off.
(2) The HTTP check filter mainly checks important headers of the HTTP protocol, including those related to cross-domain requests and to the request method. For cross-domain requests, the values of the Referer and Origin headers are checked against a whitelist of trusted domain names. In accordance with the State Grid security requirements, only the GET and POST request methods are allowed; a request using any other method is directly answered with a 400 error.
(3) The authentication and authorization filter implements caller identity authentication and checks access rights to the application interface. Caller authentication supports the OAuth2 protocol and the HTTP Basic authentication mode. The service gateway implements the resource server role of the OAuth2 standard and supports the Bearer access token type. The system itself provides no identity management or authorization management functions; these can only be realized by integrating a third-party OAuth2 authorization center, such as the State Grid unified authority management system.
For the HTTP Basic authentication mode, the service gateway issues an access key and a secret key to the caller, and the client must use Basic authentication on every request.
The OAuth2 protocol is mostly used for user identity authentication in WEB applications, whereas Basic authentication is commonly used to authenticate interface calls between the back end of a REST application and third-party systems.
The access rights check depends on the result of identity authentication and is performed only after authentication has passed. The access rights check is likewise delegated to the third-party OAuth2 authorization center; the service gateway defines a REST interface specification for access rights checking.
(4) The encryption and decryption filter uses a combination of SM2 and a dynamically generated SM4 key to decrypt the HTTP request body and encrypt the response body, improving the confidentiality of transmission over the data network.
The value of the request header X-acuud-Crypto-symmetry-Code is the SM4 key, with the SM4 key text encrypted under the SM2 public key. The back end decrypts it with the corresponding SM2 private key to obtain the SM4 key, decrypts the request ciphertext with that SM4 key, and encrypts the response with the same SM4 key.
The SM2 key pair in the application configuration parameters is used for WEB applications; for REST applications, the SM2 key pair issued to the caller is used.
(5) The anti-replay filter: the client generates a header according to a prescribed algorithm and protocol, and the service gateway checks that header to determine whether the request is a duplicate.
(6) The tamper-resistant filter: the request data is signed, and the gateway checks whether the signature is consistent with the data; if it is not, the request data has been tampered with.
(7) The XSS script attack filter and the SQL injection filter use regular expressions to check whether related keywords are present in the request parameters and the request body.
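The filter chain of items (1) to (7), with both the client side that builds the anti-replay and signature headers and the gateway side that checks them, as an added Python example that is not the patent's code. Assumptions: the header names (X-Timestamp, X-Nonce, X-Signature), the access-key table, the 300-second replay window, the sample requests, and HMAC-SHA256 standing in for the page's SM2 signature because the Python standard library has no SM2 or SM4 implementation; for the same reason the SM2/SM4 encryption filter is left out. The page answers every filter failure with 400; here authentication failures answer 401 so the caller can tell them apart, which is a deliberate deviation.

```python
"""Filter chain of the kind the virtual forwarder executes: each filter returns None
to pass or an HTTP status to reject, and the chain stops at the first rejection.
Added example, not the patent's code; header names, the key table, the replay window,
the HMAC-SHA256 stand-in for SM2 and the sample requests are assumptions."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Request = Dict   # constructed shape: method, path, headers (lower-case names), query, body (bytes)
Filter = Callable[[Request], Optional[int]]   # None = pass, int = HTTP status to answer with
TRUSTED_ORIGINS = {"https://app.example.com"}   # assumed trusted-domain whitelist
CREDENTIALS = {"ak-demo": b"sk-demo-secret"}     # assumed access key -> secret key issued by the gateway
REPLAY_WINDOW = 300.0                            # seconds (assumed)
SEEN_NONCES: Dict[str, float] = {}               # nonce -> time first seen

def http_check(req: Request) -> Optional[int]:
    """HTTP check filter: GET/POST only; Origin and Referer must name a trusted domain."""
    if req["method"] not in ("GET", "POST"):
        return 400
    for value in filter(None, (req["headers"].get(n) for n in ("origin", "referer"))):
        parts = urlsplit(value)                  # compare scheme://host, never a string prefix
        if f"{parts.scheme}://{parts.netloc}" not in TRUSTED_ORIGINS:
            return 400
    return None

def basic_auth(req: Request) -> Optional[int]:
    """Authentication filter, Basic mode: access key and secret key issued by the gateway."""
    header = req["headers"].get("authorization", "")
    if not header.startswith("Basic "):
        return 401
    try:
        key, _, secret = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    if not hmac.compare_digest(CREDENTIALS.get(key, b""), secret.encode()):
        return 401
    req["caller"] = key                          # later filters rely on the verified identity
    return None

def anti_replay(req: Request) -> Optional[int]:
    """Anti-replay filter: timestamp inside the window and a nonce not seen before."""
    now, h = time.time(), req["headers"]
    ts, nonce = h.get("x-timestamp", ""), h.get("x-nonce", "")
    for old in [n for n, seen in SEEN_NONCES.items() if now - seen > REPLAY_WINDOW]:
        del SEEN_NONCES[old]                     # a nonce older than the window can no longer replay
    fresh = re.fullmatch(r"[0-9]+", ts) and abs(now - float(ts)) <= REPLAY_WINDOW
    if not nonce or not fresh or nonce in SEEN_NONCES:
        return 400
    SEEN_NONCES[nonce] = now
    return None

def sign(secret: bytes, method: str, path: str, ts: str, nonce: str, body: bytes) -> str:
    """Client side of the tamper-resistant protocol: bind method, path, timestamp, nonce and body hash."""
    msg = "\n".join([method, path, ts, nonce, hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def tamper_check(req: Request) -> Optional[int]:
    """Tamper-resistant filter: recompute the signature with the caller's secret and compare."""
    h, secret = req["headers"], CREDENTIALS.get(req.get("caller", ""))
    if secret is None:
        return 400
    expected = sign(secret, req["method"], req["path"], h.get("x-timestamp", ""),
                    h.get("x-nonce", ""), req["body"])
    return None if hmac.compare_digest(expected, h.get("x-signature", "")) else 400

INJECTION = re.compile(                          # keyword screen as the page describes, not a parser
    r"<\s*script|javascript:|\bon\w+\s*=|"
    r"\bunion\s+(all\s+)?select\b|\bdrop\s+table\b|\bor\s+1\s*=\s*1\b|--\s|/\*", re.IGNORECASE)

def injection_check(req: Request) -> Optional[int]:
    """XSS and SQL injection filters: regex over query parameter values and the request body."""
    text = " ".join(req["query"].values()) + " " + req["body"].decode("utf-8", "replace")
    return 400 if INJECTION.search(text) else None

CHAIN: List[Filter] = [http_check, basic_auth, anti_replay, tamper_check, injection_check]

def run_chain(req: Request, chain: List[Filter] = CHAIN) -> Optional[int]:
    """Execute the filters in order; the first failure short-circuits with its status."""
    for f in chain:
        status = f(req)
        if status is not None:
            return status
    return None                                  # the forwarding module may now forward the request

def demo() -> Dict[str, Optional[int]]:
    """Constructed exchange: a correctly signed request, then replayed, tampered, hostile and spoofed variants."""
    def client(body: bytes, method: str = "POST", origin: str = "https://app.example.com") -> Request:
        ts, nonce, path = str(int(time.time())), secrets.token_hex(8), "/api/orders"
        return {"method": method, "path": path, "query": {}, "body": body, "headers": {
            "origin": origin, "x-timestamp": ts, "x-nonce": nonce,
            "x-signature": sign(CREDENTIALS["ak-demo"], method, path, ts, nonce, body),
            "authorization": "Basic " + base64.b64encode(b"ak-demo:sk-demo-secret").decode()}}
    good = client(b'{"item": 1}')
    tampered = dict(client(b'{"item": 1}'), body=b'{"item": 999}')   # body changed after signing
    return {"good": run_chain(good), "replay": run_chain(good), "tampered": run_chain(tampered),
            "xss": run_chain(client(b'{"q": "<script>alert(1)</script>"}')),
            "origin": run_chain(client(b"{}", origin="https://app.example.com.evil.test")),
            "method": run_chain(client(b"{}", method="DELETE"))}
```

The order matters: authentication must run before the tamper check, because the signature can only be verified with the secret of the identified caller, and the anti-replay check must run before the signature is accepted, otherwise a captured valid request could be resubmitted. The Origin and Referer comparison is on scheme and host, since a prefix comparison would accept app.example.com.evil.test. The regular-expression keyword screen catches only the patterns it lists; it is a coarse first line, not a substitute for parameterized queries and output encoding in the application itself.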
The invention realizes simultaneous access management of multiple types of applications, and the service gateway supports the simultaneous operation of several applications. Application configuration parameters can be managed online and pushed in real time, and the service gateway applies them immediately, so parameter changes do not interrupt service. Request route forwarding and security checking for an application system are implemented on the basis of routing groups and filter chains. The invention uses a filter chain execution model to realize security functions such as identity authentication, access authorization checking, encrypted data transmission, SQL injection checking and script attack protection, and supports turning the related checks on or off through online configuration as needed. Within the same data communication protocol, the filter chain can also perform body data format conversion and metadata adaptation on request and response packets, for example adding header information and converting the body media type in HTTP. The method for creating route objects in the global routing table module supports both dynamic routes built from the registry and configured static routes, and supports flexible, extensible route matching policies for matching packets of various protocols. The logical grouping of route priorities in the global routing table, together with the dynamic priority calculation strategy, effectively improves the request matching performance of the service gateway.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention in any way; any simple modification, equivalent variation or the like of the above embodiment according to the technical substance of the present invention falls within the scope of the invention.

Claims (6)

1. An application security access gateway system, characterized by comprising a background management system and a service gateway system, wherein the background management system is used for providing a WEB-terminal management interface, application access management and application configuration parameter maintenance; the service gateway system comprises a front-end router, a global routing table, a virtual forwarder and a global forwarding filter, and is provided with a service port and a management port, wherein the service port is used for receiving a request and sending the request to the front-end router, and the management port is used for accessing the background management system;
the gateway cluster consists of a plurality of gateway cluster groups with independent sub-domain names, each gateway cluster group is provided with its own global routing table, and the background management system is used for assigning an application to a gateway cluster group so that the service of the application is accessed through the sub-domain name of that gateway cluster group; each accessed application corresponds to one virtual forwarder, which is responsible for the route forwarding work of all requests of that application and comprises an application configuration module and a routing group table;
the front-end router is used for parsing the data communication protocol used by the request packet, matching a route object according to the global routing table of the gateway cluster group of the corresponding application, and sending the successfully matched route object to the virtual forwarder of the corresponding application; the global routing table is used for maintaining static and dynamic routing information and providing the front-end router with the basis and policy for API request matching; the application configuration module is used for creating static routes and pushing them to the global routing table, and the registry is used for acquiring application service information, creating dynamic routes and pushing them to the global routing table; the routing group table is used for the route forwarding work of all requests of the application and for sending them to the global forwarding filter; the global forwarding filter is used for managing network communication with the remote application and realizing copy forwarding and protocol conversion of the request packet;
the routing group table comprises a filter chain module and a forwarding module, wherein the filter chain module is used for executing the filter chain and the forwarding module is used for forwarding the request to the global forwarding filter;
and the route entries in the global routing table are divided, by matching priority from high to low, into a static adjustment group, a dynamic adjustment group and a default group.
2. The system of claim 1, wherein the filter chain comprises, in order from front to back, an HTTP check filter, an authentication authorization filter, an encryption/decryption filter, an anti-replay filter, an XSS filter and an SQL injection filter.
3. The application security access gateway system of claim 1, wherein the background management system comprises an application access module, a route forwarding module, a security configuration module and a configuration distribution module; the application access module is used for configuring the SM2 key pair used for data encryption and signing; the route forwarding module is used for configuring the route forwarding rules from which routes are constructed; the security configuration module is used for configuring the filter chain; and the configuration distribution module is used for distributing changed application configuration parameters to all service gateways in real time in active push mode.
4. An application security access gateway route forwarding method, performed using the gateway system of any one of claims 1 to 3, characterized by comprising the following steps:
step S100: the background management system interacts with the service gateway system to bring the application system under access;
step S200: after the application system has been successfully accessed, all requests must be routed and forwarded through the service gateway system:
step S201: the client sends a request to the service port of the service gateway system; after the service gateway system receives the request, the front-end router matches a route according to the global routing table matching policy; if no route matches, the service gateway system directly returns an error prompt, and if a route matches, step S202 is entered;
step S202: the request is handed to the virtual forwarder, which executes the filter chain; the filter chain executes each filter in turn and directly returns an error prompt if a filter fails, otherwise, after the filter chain has completed, the forwarding module forwards the request to the global forwarding filter;
step S203: the global forwarding filter copies the request and forwards it to the remote application; the remote application processes the request and returns a response to the global forwarding filter, which processes the response; if that processing fails an error prompt is returned to the client, otherwise the normal response is returned to the client.
5. The application security access gateway route forwarding method according to claim 4, wherein step S202 comprises the following steps:
step A1: first, the HTTP check filter checks the headers related to cross-domain requests and to the request method in the HTTP protocol; for cross-domain requests the values of the Referer and Origin headers are checked against a trusted domain name whitelist, and only the GET and POST request methods are allowed;
step A2: caller identity authentication and application interface access rights checking are performed by the authentication authorization filter;
step A3: the encryption and decryption filter uses a combination of SM2 and a dynamic SM4 key to decrypt the HTTP request body and encrypt the response body;
step A4: the anti-replay filter generates a header according to a prescribed algorithm and protocol, and the service gateway system checks the header to determine whether the request is a repeated request;
step A5: the tamper-resistant filter signs the request data, and the service gateway system checks whether the signatures of the data are consistent; if not, the request data has been tampered with;
step A6: the XSS script attack filter and the SQL injection filter respectively use regular expressions to check whether related keywords are present in the request parameters and the request body.
6. The application security access gateway route forwarding method according to claim 4, wherein step S100 comprises the following steps:
step S101: the user operates the application configuration through the UI provided by the background management system, and the background management system persists the application configuration data in a relational database;
step S102: the service gateway system receives the application configuration parameter list on the management port, and a virtual forwarder component in the service gateway system updates the routing group table according to the list, updating the application's route forwarding rules and filter chain;
step S103: the routing group table component pushes the configured static routes to the global routing table component, and the global routing table component updates its routing information according to the static route configuration;
step S104: the service gateway system listens on a management port and a service port, wherein the management port serves the control plane and handles application configuration parameters and service gateway running-state metric queries, and the service port serves the data plane and handles the business requests of the application system.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311356991.2A CN117097591B (en) 2023-10-19 2023-10-19 Application security access gateway system and route forwarding method

Publications (2)

Publication Number Publication Date
CN117097591A CN117097591A (en) 2023-11-21
CN117097591B true CN117097591B (en) 2024-01-23

Family

ID=88777312

Country Status (1)

Country Link
CN (1) CN117097591B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014015697A1 (en) * 2012-05-04 2014-01-30 运软网络科技(上海)有限公司 Autonomic management system and method of virtual network
WO2015138043A2 (en) * 2014-03-14 2015-09-17 Nicira, Inc. Route advertisement by managed gateways
WO2017070545A1 (en) * 2015-10-23 2017-04-27 Interdigital Technology Corporation Software-defined network enhancements enabling programmable information centric networking in edge networks
CN111386676A (en) * 2018-03-21 2020-07-07 华为技术有限公司 Control method of application programming interface API gateway cluster and API gateway cluster
CN112217555A (en) * 2020-08-24 2021-01-12 成都天奥集团有限公司 Formation satellite routing method based on SDN architecture and adopting SR routing protocol
CN113572689A (en) * 2021-09-24 2021-10-29 深圳市信润富联数字科技有限公司 Microservice gateway management method, system, device, readable storage medium and product
CN115883471A (en) * 2021-09-28 2023-03-31 上海宝信软件股份有限公司 Application gateway and flow management and control method thereof
CN116055254A (en) * 2023-01-10 2023-05-02 华中科技大学 Safe and trusted gateway system, control method, medium, equipment and terminal
CN116633724A (en) * 2022-02-14 2023-08-22 上海宝信软件股份有限公司 System and deployment method for multidimensional current limiting and dynamic routing
CN116743742A (en) * 2023-03-16 2023-09-12 阿里巴巴(中国)有限公司 OpenVPN cluster, inter-instance communication method thereof and cloud gateway

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070082738A1 (en) * 2005-10-06 2007-04-12 Game Driven Corporation Self-organizing turn base games and social activities on a computer network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WAP网关集群的分布式负载均衡 (Distributed load balancing for WAP gateway clusters); 潘育飞, 吴震华, 顾尔丹, 陈纯; 计算机工程 (Computer Engineering), Issue 04; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant