WO2022247751A1 - Method, system and apparatus for remotely accessing application, device, and storage medium - Google Patents


Publication number
WO2022247751A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2022/094195
Other languages
French (fr)
Chinese (zh)
Inventor
胡金涌
刘贺
Original Assignee
上海云盾信息技术有限公司
Application filed by 上海云盾信息技术有限公司
Publication of WO2022247751A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/23 Pc programming
    • G05B2219/23051 Remote control, enter program remote, detachable programmer

Definitions

  • Embodiments of the present disclosure relate to, but are not limited to, a method, system, apparatus, device, and storage medium for remotely accessing applications.
  • VPN: Virtual Private Network
  • the traditional VPN solution is difficult to cope with this new change.
  • enterprises face the problems of high cost and complex management when deploying VPN in multi-branch and multi-cloud environments;
  • the traditional VPN experience is poor, and network fluctuations can easily lead to problems such as access delays or unstable services, which affect work efficiency;
  • the traditional VPN mainly connects to the enterprise infrastructure through an untrusted network, which itself opens a hole in the firewall.
  • hackers can gain access to the enterprise network through the VPN and move laterally internally to access applications and data, which poses a huge security risk to the enterprise.
  • the present disclosure proposes a method, system, device, equipment and storage medium for remotely accessing applications, which can at least to a certain extent avoid the problem of VPNs being unstable and difficult to maintain, and can also guarantee the security of the target application.
  • a method for remotely accessing an application which is applied to a connection server, and the connection server is associated with at least one target application, including:
  • a method for remotely accessing an application is provided, which is applied to an edge security server, including:
  • a method for remotely accessing an application is provided, which is applied to an edge acceleration server, including:
  • according to the domain name of the target application, determining the address information of the edge security server corresponding to the domain name of the target application;
  • a method for remotely accessing an application is provided, which is applied to a management platform, including:
  • server configuration information corresponding to the connection server, where the server configuration information at least includes identification information of the connection server and address information of an edge security server corresponding to the connection server;
  • the application configuration information includes at least one of the domain name of the target application, a back-to-source address, identification information of an associated connection server, an identity authentication policy, and an access control policy;
  • a system for remotely accessing applications including: a management platform, an edge acceleration server, an edge security server, and a connection server;
  • the management platform is configured to generate the application configuration information of the target application and the server configuration information corresponding to the connection server; to send to the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application; and to send to the connection server the server configuration information it requires;
  • the edge acceleration server is configured to receive the access request sent by the target terminal for the target application; and send the access request to the corresponding edge security server according to the domain name of the target application included in the access request;
  • the edge security server is configured to receive the access request sent by the edge acceleration server; forward the access request to the corresponding connection server according to the previously established session connection with the connection server;
  • the connection server is configured to receive the access request sent by the edge security server, and forward the access request to the corresponding target application.
  • a device for remotely accessing an application is provided, which is applied to a connection server, including:
  • An acquisition module configured to acquire address information of at least one edge security server corresponding to the connection server
  • a session establishing module configured to establish a session connection with the at least one edge security server according to the address information of the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server;
  • a sending module configured to, if an access request for the target application forwarded by the edge security server is received over the session connection, send the access request to the target application, and send the received request response information to the edge security server, the request response information being fed back by the target application according to the access request.
  • a device for remotely accessing applications is provided, which is applied to an edge security server, including:
  • a receiving module configured to receive a connection request sent by at least one connection server
  • a session establishing module configured to establish a session connection with the at least one connection server according to the connection request;
  • the receiving module is also configured to receive the access request for the target application forwarded by the edge acceleration server;
  • a determining module configured to determine a target connection server corresponding to the target application
  • a sending module configured to forward the access request to the target connection server according to the session connection corresponding to the target connection server.
  • a device for remotely accessing applications is provided, which is applied to an edge acceleration server, including:
  • the receiving module is configured to receive an access request sent by the target terminal for the target application, where the access request includes the domain name of the target application;
  • the determination module is configured to determine the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application;
  • a sending module configured to forward the access request to the edge security server according to the address information of the edge security server.
  • a device for remotely accessing applications is provided, which is applied to a management platform, including:
  • the generation module is configured to generate server configuration information corresponding to the connection server, the server configuration information at least including the identification information of the connection server and the address information of the edge security server corresponding to the connection server, and to generate application configuration information corresponding to the target application, the application configuration information including at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy;
  • the sending module is configured to send the server configuration information required by the connection server; send the application configuration information of the target application required by the edge acceleration server and the server configuration information of the connection server associated with the target application.
  • an electronic device including a memory, a processor, and a computer program stored on the memory and operable on the processor, the processor running the computer program to implement the method described in any one of the first to fourth aspects above.
  • a computer-readable storage medium on which a computer program is stored, and the program is executed by a processor to implement the method described in any one of the first to fourth aspects above.
  • the session connection is an outbound connection between the connection server and the edge security server, so that the user does not need to use the VPN server
  • the target terminal can remotely access the target application, which solves the problem that the VPN server is unstable and difficult to maintain.
  • receiving only the access requests for the target application that are forwarded by the edge security server prevents other servers from actively sending information to, or establishing a connection with, the connection server, which reduces the risk of malicious attacks and ensures the security of the target application.
  • Fig. 1 is a schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of the present disclosure can be applied according to an exemplary embodiment
  • Fig. 2 is a signaling interaction diagram of a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 3 is a schematic diagram showing application configuration information of a target application and template parameter information of a connector according to an exemplary embodiment
  • Fig. 4 is a schematic diagram showing the process of establishing a session connection between a connection server and an edge security server according to an exemplary embodiment
  • Fig. 5 is a schematic diagram showing an edge security server establishing a mapping relationship between identification information of a connection server and a session according to an exemplary embodiment
  • Fig. 6 is a flowchart showing a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 7 is another flowchart of a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 8 is an operation flowchart of connecting to a server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 9 is an operation flowchart of an edge security server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 10 is an operation flowchart of an edge acceleration server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 11 is an operation flowchart of a management platform in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 12 is a schematic structural diagram of a device for remotely accessing an application applied to a connection server according to an exemplary embodiment
  • Fig. 13 is a schematic structural diagram of a device for remote access applications applied to an edge security server according to an exemplary embodiment
  • Fig. 14 is a schematic structural diagram of a device for remote access applications applied to an edge acceleration server according to an exemplary embodiment
  • Fig. 15 is a schematic structural diagram of a device for remotely accessing applications applied to a management platform according to an exemplary embodiment
  • Fig. 16 is a schematic structural diagram of an electronic device according to an exemplary embodiment
  • Fig. 17 is a schematic diagram of a storage medium according to an exemplary embodiment.
  • the network system architecture based on the method includes a connection server, an edge security server, an edge acceleration server, a management platform, and a target terminal.
  • the connection server can be deployed using a VPC (Virtual Private Cloud) or NAT (Network Address Translation); a server configured with one or more connectors is called a connection server, where a connector is a software program used for network communication, and the connection server can be associated with at least one target application through its configured connector.
  • each connector in the connection server can communicate with one or more target applications, and the target applications can be internal applications in the intranet or applications in the public network, such as source sites.
  • FIG. 1 only schematically shows that the connection server includes a connector, and the connector communicates with a target application in the intranet.
  • the connection server establishes a session connection with the edge security server through the connector.
  • the session connection is an outgoing communication connection.
  • the session connection can be a TCP (Transmission Control Protocol) connection, an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) connection, an SSL/TLS connection, etc.
  • the edge acceleration server communicates with the edge security server and the target terminal, and the management platform communicates with the edge acceleration server.
  • the edge acceleration node can also execute the authentication policy on the user of the target terminal to ensure that only a target terminal that passes the authentication policy can access the target application, ensuring the security of the target application.
  • the edge acceleration node may acquire the identity information of the target user through the authentication center, so as to implement an authentication policy based on the identity information.
  • the authentication center may be an authentication component set in the edge acceleration server or an authentication device independent of the edge acceleration server, and the authentication center is connected with the edge acceleration server.
  • the authentication center can be connected with a third-party identity authentication system to obtain the identity information of the target user from the third-party identity authentication system; in another example, the authentication center can also obtain the identity information of the target user from the internal authentication system through the edge acceleration server, the edge security server and the connection server.
  • the authentication center can obtain the identity information of the target user from the third-party identity authentication system or the internal identity authentication system according to the authentication method selected by the user, and so on.
  • Those skilled in the art can determine the corresponding identity information acquisition method according to actual implementation requirements, which is not specifically limited in the present disclosure.
  • the edge acceleration server can also obtain identity information from the internal identity authentication system through the edge security server and connection server or perform identity information verification.
  • the participation of the authentication center is not required, that is, the authentication center does not necessarily exist in the network system architecture, and those skilled in the art can configure it according to actual implementation needs, which is not specifically limited in the present disclosure.
  • the target terminal may include one or more of a smart phone, a tablet computer, a portable computer, or a desktop computer. It can be understood that the numbers of target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers, and connection servers shown in FIG. 1 are merely illustrative, and there may be one or more target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers, and connection servers.
  • the network architecture may include one or more edge acceleration servers and one or more edge security servers, and FIG. 1 only schematically shows one edge acceleration server and one edge security server.
  • edge acceleration server and the edge security server mentioned in the embodiments of the present disclosure are two logical concepts, which are proposed separately to facilitate understanding. In practice, they can be deployed separately or on the same server device. The present disclosure does not specifically limit this.
  • the target terminal can access the target application in the intranet without using a VPN server, which solves the problem that the VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be SaaS (Software-as-a-Service, software as a service) without modifying the original network topology.
  • SaaS: Software-as-a-Service
  • Fig. 2 shows a signaling interaction diagram of a method for remotely accessing an application provided by an embodiment of the present disclosure.
  • the method at least includes step 101 to step 113, described in detail as follows:
  • Step 101 The management platform generates server configuration information corresponding to the connection server, the server configuration information at least including identification information of the connection server and address information of an edge security server corresponding to the connection server.
  • the management platform may be a cloud computing platform, such as a private cloud or a public cloud.
  • the management platform can provide server configuration information for connection servers of groups such as enterprises, institutions or social organizations.
  • the server configuration information at least includes identification information of the connection server and address information of the edge security server corresponding to the connection server.
  • the identification information can be used to uniquely identify the connection server; it can be the IP address of the connection server, its MAC (Media Access Control) address, or a character sequence that uniquely identifies the connection server and is set manually or generated automatically.
  • the connection server can be a server installed with a connector.
  • the connector is a software program for network communication.
  • the connector is installed on the connection server of a group such as an enterprise, institution or social organization, so that the connection server can establish a session connection with the external network through the connector, and realize remote access to the internal network through the established session connection.
  • the edge security server may be a server capable of communicating with the connection server, and may establish a session connection with the connection server for transmitting information. It can be understood that the address information of the edge security server may include a domain name and/or IP address, and if it is a domain name, it can be resolved to one or more IP addresses of the edge security server. It should be noted that one edge security server may communicate with one or more connection servers, and one connection server may also be connected with one or more edge security servers, which is not specifically limited in this disclosure.
  • before remote access is realized through the connection server, the server configuration information corresponding to the connection server is first generated on the management platform; after the connection server has been configured with the server configuration information, the connection server is enabled.
  • the customer can configure the server configuration information by himself.
  • the management platform can support the customer's configuration operation and receive the server configuration information configured by the customer. Alternatively, the client provides the relevant configuration information of the application server to the service provider, and the service provider then configures the server configuration information corresponding to the client's application server on the management platform.
  • the management platform can also automatically generate the server configuration information corresponding to the connection server. Specifically, the management platform can assign the connection server identification information for uniquely identifying it, and, according to the configuration information of all the edge security servers in the entire network system architecture, allocate to the connection server the edge security server corresponding to it.
  • the configuration information of the edge security server may include but not limited to the address information of the edge security server, the number of associated connectors, the upper limit of the number of associated connectors, and the like.
  • the connector may be created on the management platform, and the management platform may provide the service provider with an interface for creating the connector.
  • the connector can run on a variety of platforms, such as VMware's virtual machine, Docker (application container engine), public cloud cloud host, etc.
  • the service provider uses the interface provided by the management platform to create connectors running on different platforms.
  • the installation package and configuration information corresponding to the connector are also generated.
  • the configuration information includes the unique identifier of the connector, the address information of the edge security server corresponding to the connector, etc., and the address information of the edge security server can include the domain name and/or IP address of the edge security server.
  • one connector or multiple connectors can be created on the management platform, and the configuration information corresponding to each connector can include the address information of one or more edge security servers corresponding to the connector. After the connection server installs and starts the connector, the connector can establish a session connection with one or more edge security servers in the system architecture shown in FIG. 1.
  • Figure 3 shows the configuration information of a connector, which includes the unique identifier of the connector "connector id: 12345" and the domain name "companyA.connector.com" of the edge security server corresponding to the connector.
  • the domain name included in the address information of the edge security server will be resolved to at least two IP addresses of the edge security server.
  • the connection server can establish session connections with the multiple edge security servers respectively according to the resolved IP addresses of the multiple edge security servers, so that when a certain session connection fails, information can be transmitted through the other session connections.
  • the session connections established by the multiple edge security servers may be session connections for transmitting the same information. In other words, some of the multiple session connections may be used as primary session connections and others as secondary session connections. When the main session connection fails, the information transmitted by the secondary session connection can be used for processing to ensure the stability of access.
  • Step 102 The management platform generates application configuration information corresponding to the target application.
  • the application configuration information includes at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy.
  • the target application can be an application in the intranet of a group such as an enterprise, institution or social organization, such as an OA system, Web (website), SSH (Secure Shell), VNC (Virtual Network Console), RDP (Remote Desktop Protocol), internal IAM (Identity and Access Management), etc.
  • the target application can also be an application program in the public network.
  • before the target application is accessed, the management platform generates application configuration information corresponding to the target application.
  • the management platform can support user configuration operations. Users determine the target applications that allow remote access according to their own needs, and then configure the application configuration information corresponding to these target applications on the management platform.
  • the management platform can receive and store the application configuration information configured by the user, and associate the application configuration information with the corresponding target application.
  • the application configuration information may include return-to-source address, domain name of the target application, identity authentication policy, access control policy, and identification information of the connection server associated with the target application.
  • the back-to-source address may include the IP address of the device where the target application is located and the port number opened to the outside world by the device where the target application is located.
  • the identity authentication policy is used to specify the identity authentication method of the target user
  • the access control policy is used to specify the identity of the user who has access to the target application.
  • the back-to-source address in the application configuration information corresponding to the target application shown in Figure 3 is 172.16.1.100:433, where 172.16.1.100 is the IP address of the device where the target application is located, and 433 indicates that only port 433 (that is, the web browsing port) is open to the outside world on the device where the target application is located.
  • the domain name of the target application included in the application configuration information in Figure 3 is "oa.companyA.com"
  • the back-to-source load balancing policy is "Polling"
  • the identity authentication method is "Enterprise WeChat"
  • the access control policy is "Allow financial personnel access"
  • the unique identifier of the connection server associated with this target application is "Binding Connector:12345".
  • the server configuration information corresponding to the connection server and the application configuration information corresponding to the target application are generated on the management platform, and the target application is linked to the connection server by setting the identification information of the associated connection server in the application configuration information.
  • the target application and the connection server can be in the same network, for example, both belong to the internal network, both belong to the public network, or belong to the same segment C network, etc.
  • the target application and the connection server can also be in different networks, for example, one on the public network and the other on the internal network, which is not particularly limited in the present disclosure, as long as the target application and the connection server can communicate.
  • Step 103 The management platform sends the server configuration information required by the connection server.
  • the connection server may directly download the installation package of the connector from the management platform, and install the connector locally on the connection server according to the downloaded installation package.
  • the connection server sends a connector acquisition request to the management platform, and the management platform sends the installation package of the connector to the connection server according to the received connection server's connector acquisition request.
  • the connection server downloads the installation package of the connector from the management platform, the connector is installed in the connection server according to the installation package.
  • a connector may be pre-installed in the cloud host serving as the connection server.
  • the connection server may also download a complete connector image file from the management platform for installation, and so on.
  • the embodiments of the present disclosure make no special limitation on how the connection server installs the connector.
  • the connection server sends a configuration information acquisition request to the management platform; the configuration information acquisition request may include the identification information of the connection server (that is, the identification information of the connector), and the management platform may feed back the corresponding server configuration information to the connection server according to that identification information.
  • one or more connectors may be deployed on the same connection server.
  • multiple connectors can be associated with the same target application.
  • the associated multiple connectors can be divided into active connectors and standby connectors, so that the standby connector can be used for communication when the active connector fails, improving the network stability of the remote access application.
  • the identification information of multiple connectors can be used as the identification information of the connection server.
  • for example, connection server A has two connectors whose identification information is 123456 and 234567 respectively; then the identification information of connection server A can be two values, namely 123456 and 234567, and so on.
  • one identification information may be configured for the connection server, and the identification information may have a mapping relationship with the identification information of multiple connectors.
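The routing described above (policies enforced at the edge acceleration server, forwarding only over a session the connector itself opened, active and standby connectors bound to one application) as an added Python simulation; this is not code from the patent, the standby connector id 12346 and the user roles are constructed, and the Fig. 3 values are used for the application configuration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AppConfig:
    """Application configuration information, the fields shown in Fig. 3."""
    domain: str                     # domain name of the target application
    origin: str                     # back-to-source address, "ip:port"
    connector_ids: Tuple[str, ...]  # bound connectors: first active, the rest standby
    auth_method: str                # identity authentication policy
    allowed_roles: FrozenSet[str]   # access control policy as permitted user roles


@dataclass(frozen=True)
class AccessRequest:
    domain: str
    path: str
    user_role: Optional[str]        # None when the terminal has not passed authentication


class Connector:
    """Connector on a connection server; only it opens the session (outbound)."""
    def __init__(self, connector_id: str) -> None:
        self.connector_id = connector_id

    def connect(self, edge_security: "EdgeSecurityServer") -> None:
        # Outbound connection request carrying the connector id; the edge security
        # server records the id -> session mapping and never dials the connector.
        edge_security.sessions[self.connector_id] = self

    def handle(self, origin: str, req: AccessRequest) -> dict:
        # Back-to-source: hand the request to the application's address, relay the answer.
        return {"status": 200, "via": self.connector_id, "origin": origin, "path": req.path}


class EdgeSecurityServer:
    """Holds the connector-id -> session mapping and forwards over it only."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Connector] = {}

    def forward(self, app: AppConfig, req: AccessRequest) -> dict:
        for cid in app.connector_ids:             # active connector first, then standby
            session = self.sessions.get(cid)
            if session is not None:
                return session.handle(app.origin, req)
        # No bound connector has dialled in: refuse instead of dialling out to the intranet.
        return {"status": 503, "reason": "no session for " + ",".join(app.connector_ids)}


class ManagementPlatform:
    """Server configuration (connector -> edge security server) and app configuration."""
    def __init__(self) -> None:
        self.apps: Dict[str, AppConfig] = {}
        self.server_config: Dict[str, str] = {}   # connector id -> edge security server address

    def edge_security_for(self, domain: str) -> Optional[str]:
        app = self.apps.get(domain)
        return None if app is None else self.server_config.get(app.connector_ids[0])


class EdgeAccelerationServer:
    """Receives the terminal's request, applies both policies, routes by domain name."""
    def __init__(self, platform: ManagementPlatform,
                 edge_security_servers: Dict[str, EdgeSecurityServer]) -> None:
        self.platform = platform
        self.edge_security_servers = edge_security_servers

    def handle(self, req: AccessRequest) -> dict:
        app = self.platform.apps.get(req.domain)
        if app is None:
            return {"status": 404, "reason": "unknown application domain"}
        if req.user_role is None:                     # identity authentication policy
            return {"status": 401, "reason": "authenticate via " + app.auth_method}
        if req.user_role not in app.allowed_roles:    # access control policy
            return {"status": 403, "reason": "role not permitted"}
        addr = self.platform.edge_security_for(req.domain)
        return self.edge_security_servers[addr].forward(app, req)


def build_demo() -> Tuple[EdgeAccelerationServer, EdgeSecurityServer]:
    """Wire up the Fig. 3 configuration with an active and a (constructed) standby connector."""
    platform, ess = ManagementPlatform(), EdgeSecurityServer()
    platform.server_config["12345"] = "companyA.connector.com"
    platform.server_config["12346"] = "companyA.connector.com"    # standby id is constructed
    platform.apps["oa.companyA.com"] = AppConfig(
        domain="oa.companyA.com", origin="172.16.1.100:433",
        connector_ids=("12345", "12346"), auth_method="Enterprise WeChat",
        allowed_roles=frozenset({"finance"}))
    eas = EdgeAccelerationServer(platform, {"companyA.connector.com": ess})
    Connector("12345").connect(ess)    # both connectors dial in from the connection server
    Connector("12346").connect(ess)
    return eas, ess


if __name__ == "__main__":
    eas, ess = build_demo()
    req = AccessRequest("oa.companyA.com", "/reports", "finance")
    print(eas.handle(req))             # served via connector 12345
    del ess.sessions["12345"]          # active connector lost: standby 12346 takes over
    print(eas.handle(req))
```

Deleting the last session makes `forward` return 503: the edge security server has no way to reach the application once no connector holds an outbound session, which is the property the disclosure relies on.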
  • Step 104 the connection server acquires address information of at least one edge security server corresponding to the connection server.
  • the connection server obtains server configuration information corresponding to the connection server from the management platform.
  • the connection server can directly obtain server configuration information from the management platform.
  • the connection server can also indirectly obtain server configuration information from the management platform through an intermediary, for example, the management platform sends the server configuration information of the connection server to the configuration center, and the connection server obtains the server configuration information from the configuration center.
  • the connection server obtains address information of at least one edge security server corresponding to the connection server from the server configuration information.
  • the address information includes the IP address and/or domain name of the edge security server.
  • Step 105 The connection server establishes a session connection with at least one edge security server according to the address information of the at least one edge security server, and the session connection is an outbound connection from the connection server to the at least one edge security server.
  • the connection server establishes, through the connector, a session connection with at least one edge security server corresponding to the connection server. If the address information of the at least one edge security server includes the IP address of the edge security server, the session connection is established directly using that IP address.
  • the connection server sends the domain name resolution request of the at least one edge security server to the domain name server.
  • the domain name server resolves each domain name, obtains the IP address corresponding to each, and returns the IP addresses to the connection server.
  • the connection server receives the IP address corresponding to each domain name returned by the domain name server, and sends a connection request to the edge security server corresponding to each IP address according to each IP address.
  • the connection request includes the identification information of the connection server, so that the session connection established between the connection server and each corresponding edge security server can be uniquely identified.
  • the session connection is an outbound connection from the connection server to the at least one edge security server, and these session connections are active outgoing communication connections of the connection server.
  • the connection server prohibits incoming connections.
  • the firewall of the connection server can be configured to reject incoming connection requests, so that the connection server accepts only traffic belonging to the session connections it established itself. This ensures that the connection server receives incoming data only through those established sessions, realizes remote access to the target application through them, and blocks all other incoming access, protecting the target application.
  • when the target application is an intranet application, the security of the intranet is greatly improved.
  • Step 106 The edge security server receives the connection request sent by at least one connection server, and establishes a session connection with the at least one connection server according to the connection request.
  • before the connection server establishes the session connection with the edge security server, it sends a connection request to the edge security server that includes the connection server's identification information. Since one edge security server can hold session connections with at least one connection server, it may receive connection requests from several connection servers and establishes a session connection with each according to the identification information in the request; each such session connection is between the edge security server and the connector installed in that connection server.
  • the number of connection requests received by the edge security server may be multiple, and the connection request includes identification information of the corresponding connection server.
  • the edge security server respectively establishes a session connection with at least one connection server according to multiple connection requests, and associates the identification information included in each connection request with the corresponding session connection.
  • the edge security server stores the identification information included in the connection request and the corresponding session in the mapping relationship between the identification information of the connection server and the session.
  • a connector in a connection server can establish session connections with one or more edge security servers, and one edge security server can be connected with one or more connection servers, that is, with one or more connectors in those connection servers; this prevents the failure of a single connector, connection server, or edge security server from interrupting remote access.
  • the session connection between the connection server and the edge security server is established on port 443 (the port used for web browsing), application-layer connection multiplexing is performed over it, and origin-pull (back-to-source) requests are carried over the same session connection.
  • the connector can establish persistent session connections with multiple edge security servers.
  • because the session connection corresponding to the connector is outbound, origin-pull access to the target application depends only on that session connection and no inbound connection is ever needed. The intranet firewall or VPC (Virtual Private Cloud) security policy therefore needs no complex network rules: it only has to allow outbound port 443 and block all incoming connections.
  • the connection server sends a resolution request for the domain name "abc.yundun-tunnel.com" to the domain name server.
  • the domain name server resolves the domain name and sends the resolved IP address to the connection server.
  • the connection server establishes a session connection with the edge security server according to the IP address, and the session connection is established on port 443.
  • the connection server exchanges data with the edge security server over the session using HTTP/2.
  • the connection server's firewall only needs to allow outbound port 443 and block all incoming connections.
  • the edge security server maintains a mapping relationship between the identification information of the connection server and the session.
  • for example, the edge security server with IP address "1.1.1.1" establishes a session connection with one connector in each of connection servers 1, 2 and 3. The mapping maintained on the edge security server then contains connector 12345: session 1, connector 34567: session 2, and connector 45678: session 3.
  • once the connector has been created on the management platform, the application configuration information of the target application set, the connector installed in the connection server and its session connection to the edge security server established, the domain names of all target applications allowed to be accessed remotely are resolved to the IP address of the edge acceleration server, so that these target applications can be published directly on the public network. The remote terminal can then access a target application through the method provided by the embodiments of the present disclosure.
  • Step 107 The edge acceleration server receives the access request for the target application sent by the target terminal, where the access request includes the domain name of the target application.
  • the edge acceleration server provides DDoS (Distributed Denial of Service) cleaning, cache acceleration, WAF (Web Application Firewall), load balancing and other functions, and also serves as an edge security gateway providing identity authentication, rights management, access control and other functions.
  • when an employee working from home or on a business trip needs to access a target application in the company's intranet, the target terminal can display the multiple target applications the company has published on the public network, and the employee selects the one to access, for example by clicking it.
  • the target terminal detects that a certain target application is clicked, it obtains the domain name of the clicked target application, and sends a resolution request for the domain name of the target application to the domain name server.
  • the domain name server resolves the domain name of the target application. Since the domain names of all target applications published on the public network have been resolved to the IP address of the edge acceleration server, the domain name server can resolve the domain name of the current target application.
  • that is, to the IP address of the edge acceleration server. The domain name server returns the resolved IP address to the target terminal.
  • the target terminal sends an access request to the corresponding edge acceleration server according to the IP address, and the access request includes the domain name of the target application that the target user needs to access.
  • the edge acceleration server may also record the target user's access behavior log, including access time, access object, identity information and so on; such information lets the enterprise's security management personnel audit and control user behavior.
  • Step 108 The edge acceleration server determines the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application.
  • the edge acceleration server may obtain the application configuration information corresponding to each target application and the server configuration information of the connection server from the management platform in advance. It should be noted that the edge acceleration server may obtain the information directly from the management platform, or may obtain the information from an intermediary such as a configuration center, which is not specifically limited in this disclosure.
  • when the edge acceleration server receives the access request for the target application, it obtains the domain name of the target application from the request, determines the corresponding application configuration information from that domain name, and from it the identification information of the connection server associated with the target application. From that identification information it determines the corresponding server configuration information, from which the address information of the edge security server associated with the connection server is obtained.
  • the address information may include a domain name and/or an IP address. If the address information is a domain name, the edge acceleration server may send a resolution request for the edge security server's domain name to the domain name server, which returns the IP address of the corresponding edge security server.
  • the edge security server address information may be, for example, multiple edge security server IP addresses, or one or more IP addresses returned by the domain name server for the domain name, and so on.
  • Some edge security servers corresponding to multiple address information can be used as primary edge security servers, and others can be used as backup edge security servers.
  • the edge acceleration server requests or accepts push from the management platform about the application configuration information of the target application.
  • the management platform queries the application configuration information of the target application according to the query request containing the domain name of the target application sent by the edge acceleration server, obtains the identification information of the connection server associated with the target application from the application configuration information, and then according to the The identification information obtains the server configuration information of the connection server, obtains the address information of the edge security server associated with the connection server from the server configuration information, and sends the address information of the edge security server to the edge acceleration server.
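The lookup chain of Step 108 (target-application domain, then connector identification information, then edge security server address information) and the connector-to-session mapping of Step 106 are easier to see in code. The following is an added example, not code from the patent or from its applicant: the dict shapes, function names, the primary/standby ordering of connector IDs and the stand-in resolver are assumptions of mine, and the management platform, the domain name server and the HTTP/2 sessions are replaced by plain Python structures so that it runs offline.

```python
"""Added example, not part of the patent text: a small model of the
configuration lookup chain (domain -> connector IDs -> edge security server
addresses) and of the connector session registry kept on the edge security
server. The dict shapes, names, priority ordering and the stand-in resolver are
my assumptions; the real management platform, DNS and HTTP/2 sessions are
replaced by plain Python structures so the code runs offline."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Application configuration (assumed shape): target-application domain -> connector
# IDs in priority order, the first being the primary, the rest standby.
APP_CONFIG: Dict[str, List[str]] = {
    "erp.example.internal": ["123456", "234567"],
}

# Server configuration (assumed shape): connector ID -> address info of the edge
# security servers it connects to. Each entry is an IP address or a domain name.
SERVER_CONFIG: Dict[str, List[str]] = {
    "123456": ["1.1.1.1", "abc.yundun-tunnel.com"],
    "234567": ["abc.yundun-tunnel.com"],
}

# Constructed stand-in for the domain name server.
FAKE_DNS: Dict[str, List[str]] = {"abc.yundun-tunnel.com": ["1.1.1.1", "1.1.1.2"]}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def resolve_address(addr: str, resolver: Callable[[str], List[str]]) -> List[str]:
    """IP literals are used directly; anything else is sent to the resolver."""
    try:
        return [str(ipaddress.ip_address(addr))]
    except ValueError:
        return resolver(addr)


def edge_security_ips_for_connector(connector_id: str,
                                    resolver: Callable[[str], List[str]]) -> List[str]:
    """All edge security server IPs a connector should dial, in config order, deduplicated."""
    ips: List[str] = []
    for addr in SERVER_CONFIG.get(connector_id, []):
        for ip in resolve_address(addr, resolver):
            if ip not in ips:
                ips.append(ip)
    return ips


def edge_security_ips_for_application(domain: str,
                                      resolver: Callable[[str], List[str]]) -> List[str]:
    """The edge acceleration server's lookup: domain -> connector IDs -> addresses."""
    ips: List[str] = []
    for connector_id in APP_CONFIG.get(domain, []):
        for ip in edge_security_ips_for_connector(connector_id, resolver):
            if ip not in ips:
                ips.append(ip)
    return ips


class EdgeSecurityServer:
    """Keeps the mapping connector ID -> session. A session is registered only
    when a connection request arrives on a connection the connector opened
    outbound; the edge security server never dials the connector."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def accept_connection_request(self, connector_id: str, session: str) -> None:
        self.sessions[connector_id] = session

    def session_closed(self, connector_id: str) -> None:
        self.sessions.pop(connector_id, None)

    def session_for_application(self, domain: str) -> Optional[str]:
        """Pick the first connector (primary) that still has a live session;
        fall through to the standby connectors; None means no path to the app."""
        for connector_id in APP_CONFIG.get(domain, []):
            session = self.sessions.get(connector_id)
            if session is not None:
                return session
        return None


if __name__ == "__main__":
    ess = EdgeSecurityServer()
    ess.accept_connection_request("123456", "session-1")
    ess.accept_connection_request("234567", "session-2")
    print(edge_security_ips_for_application("erp.example.internal", fake_resolver))
    print(ess.session_for_application("erp.example.internal"))
    ess.session_closed("123456")
    print(ess.session_for_application("erp.example.internal"))
```

The registry deliberately has no method that opens a connection towards a connector: the only way a session enters the mapping is through a connection request the connector initiated, which is what makes the "block all inbound" firewall posture on the connection server workable.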
  • the edge acceleration server may execute an authentication policy on the user's identity information, and the authentication policy may include an identity authentication policy and/or an access rights authentication policy.
  • when executing the identity authentication policy, the edge acceleration server checks, on receiving the access request, whether the request carries the target user's identity information, because a user's first access request carries no identity information. If the edge acceleration server finds no user identity information in the access request, it triggers an identity authentication operation.
  • the authentication center shown in Figure 1 can be an authentication component inside the edge acceleration server or an authentication device independent of it. The authentication center exchanges data with a third-party identity authentication system or with the internal identity authentication system in the intranet.
  • the third-party identity authentication system can be accessed through the Internet, and the internal identity authentication system in the intranet needs to be accessed through the edge acceleration server, edge security server and connection server.
  • the third-party identity authentication system is accessed through the Internet, or the internal identity authentication system in the intranet is accessed through the edge acceleration server and the edge security server.
  • the third-party identity authentication system or the internal identity authentication system returns the identity information of the target user to the authentication center. If the authentication center receives the returned identity information, the identity information is deemed to have passed identity authentication and subsequent steps can be performed.
  • the authentication center may also send an identity authentication page to the edge acceleration server.
  • the edge acceleration server may send the identity authentication page to the target terminal, and the target terminal displays the identity authentication page, and the identity authentication page includes at least one identity authentication option.
  • the identity authentication page may include but not limited to multiple identity authentication options such as WeChat authentication, corporate WeChat authentication, and mobile phone number authentication.
  • the user can select the corresponding identity authentication option to determine the corresponding identity authentication strategy. For example, if the user selects the option of WeChat authentication, the user can be authenticated through the user's WeChat ID, WeChat password and other information, and so on.
  • the identity authentication page obtains the identity information of the target user corresponding to the selected identity authentication option for verification; for example, if the user selects WeChat authentication, the corresponding WeChat ID and WeChat password are obtained, and so on.
  • the authentication center submits the identity information received from the identity authentication page to the corresponding third-party or internal identity authentication system, which feeds back the verification result, that is, whether the identity information passed authentication.
  • after identity authentication passes, the edge acceleration server sets a validity period for the user identity information based on this authentication, stores the user identity information together with its validity period, and instructs the target terminal to carry the user identity information in every subsequent request to access the target application.
  • the user identity information is then authenticated through the identity authentication policy in the corresponding authentication policy: the validity period of the user identity information is obtained, and if it has not yet expired, the user identity information passed authentication earlier and is still valid, so no new identity authentication is needed and the current user is directly treated as authenticated.
  • if the access request includes user identity information but that information has expired, the target user is re-authenticated according to the identity authentication policy configured in the edge acceleration server.
  • the edge acceleration server may send the target user's identification information (such as user account, etc.) included in the access request to the third-party identity authentication system through the authentication center.
  • the third-party identity authentication system obtains the identity information of the target user according to the identity information of the target user, and feeds back the identity information of the target user to the authentication center.
  • after the edge acceleration server obtains the identity information of the target user through the authentication center, it performs identity authentication and/or access authority authentication on it according to the pre-configured authentication policy.
  • alternatively, the identification information of the target user can be sent through the edge acceleration server, the edge security server and the connection server to the internal authentication system in the intranet, and the identity information of the target user obtained from that internal authentication system.
  • the edge acceleration server may send the domain name of the target application to the management platform; the management platform obtains the address information of the edge security server corresponding to the connection server from the server configuration information of the connection server associated with the target application, and sends that address information to the edge acceleration server.
  • if the address information includes an IP address, the edge acceleration server establishes a communication connection with the edge security server using that IP address and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server. If the address information only includes the domain name of the edge security server, the edge acceleration server sends a resolution request for that domain name to the domain name server.
  • the domain name server resolves the domain name of the edge security server, obtains its IP address, and sends the IP address to the edge acceleration server.
  • the edge acceleration server establishes a communication connection with the edge security server according to the IP address, and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server.
  • the edge security server may send a request including the domain name of the target application to query the connection server associated with the target application to the management platform.
  • the management platform obtains the identification information of the connection server associated with the target application from the application configuration information corresponding to the target application according to the domain name, and sends the identification information of the connection server to the edge security server.
  • the edge security server obtains the session connection corresponding to the connection server from the mapping relationship between the identification information of the connection server and the session connection, and sends the identification information of the target user to the connection server through the session connection.
  • after receiving the identification information of the target user, the connection server forwards it to the internal identity authentication system in the intranet to which the target application belongs; the internal identity authentication system obtains the identity information of the target user from the identification information and returns it, via the connection server and then the edge security server, to the authentication center corresponding to the edge acceleration server.
  • the edge security server may not query the management platform for the identification information of the corresponding connection server, but the edge acceleration server obtains the application configuration information corresponding to the target application from the management platform according to the domain name of the target application, and The user identity information and the application configuration information are sent to the edge security server together.
  • the edge security server queries the identification information of the connection server associated with the target application from the application configuration information, and then forwards the identification information of the target user to the corresponding server in the intranet through the session connection with the connection server according to the identification information.
  • the internal identity authentication system obtains the identity information of the target user according to the identification information of the target user, and returns it to the authentication center corresponding to the edge acceleration server along the original path.
  • the edge acceleration server may instruct the target terminal to display the above identity authentication page each time the user visits. After selecting each identity authentication option included in the identity authentication page, the target terminal determines the corresponding user identity information according to each option information selected by the user. For example, the user's login information in the application corresponding to the option is used as the user identity information.
  • the edge acceleration server forwards the user identity information to the third-party identity authentication system or the internal identity authentication system in the intranet through the authentication center to authenticate the user identity information, and feeds back the authentication result to the authentication center.
  • whichever of the above methods is used to authenticate the user identity information included in the access request, if authentication fails an error prompt message is sent to the target terminal to indicate that user identity authentication failed.
  • if identity authentication passes and the authentication policy deployed in the edge acceleration server includes only the identity authentication policy, the target user is determined to be authenticated. If the authentication policy also includes the access authority authentication policy, it must also be determined according to that policy whether the user has access authority for the target application.
  • the access control policy can specify the identity of the user who can access the target application. For example, some financial-related target applications may only allow access to financial personnel, and some personnel management-related target applications may only allow access to personnel in the human resources department, and so on. Alternatively, an access password of the target application may be specified in the access right control policy, and the access password may be a password composed of a character string, or an agreed word, etc.
  • the edge acceleration server authenticates the access authority of the target user, and may instruct the target terminal to display an authority authentication interface, and the authority authentication interface includes one or more authority authentication options.
  • the permission authentication options may include one or more of job number, name, contact information, ID number, access password and other options.
  • the target terminal sends the authentication option information to the edge acceleration server.
  • the edge acceleration server can send the domain name of the target application to the management platform, and the management platform obtains the configuration information related to the access rights of the target application from the application configuration information of the target application according to that domain name.
  • the configuration information related to access rights may include user information such as the job numbers, names, contact information and ID numbers of users allowed to access the target application, and/or the access password of the target application.
  • the management platform sends the relevant configuration information of the access right to the edge acceleration server.
  • the edge acceleration server judges whether the target user has the permission to access the target application according to the relevant configuration information of the access permission and the authentication option information submitted by the user.
  • the management platform may also directly send the application configuration information of the target application to the edge acceleration server.
  • the edge acceleration server obtains relevant configuration information of the access right from the application configuration information, and judges whether the target user has the access right based on this.
  • the application configuration information may include the title of the position that is allowed to access the target application, for example, a certain application can be accessed by finance, managers, and so on.
  • the user's identity information can include the user's job title, and the edge acceleration server compares it with the job titles configured for the target application. If the user's job title is one of the titles allowed to access the target application, the user passes the access authority authentication policy; otherwise, the user fails it.
  • alternatively, the edge acceleration server may not obtain the access-right configuration or the application configuration information of the target application from the management platform; instead it determines the connection server associated with the target application and the edge security server associated with that connection server, forwards the authentication option information of the target user through the edge security server and the connection server in turn to the internal identity authentication system in the intranet, which performs the authorization check on that information and returns the result to the edge acceleration server along the original route.
  • the edge acceleration server thus implements fine-grained access authority control through the access authority control policy, which reduces the risk of attacks on the target application by malicious actors.
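The identity and access-rights policy described above (identity information stored with a validity period, re-authentication once it lapses, then an access-right check by allowed job titles and/or an agreed access password) can be written as one small policy engine. This is an added example, not code from the patent or its applicant: the class and field names, the token the terminal carries, the explicit `now` clock parameter and the fail-closed handling of an application with no configured policy are my assumptions.

```python
"""Added example, not part of the patent text: an edge-acceleration-server
authentication policy modelled on the text above: user identity information
with a validity period, re-authentication on expiry, and an access-right check
by allowed job titles and/or an agreed access password. Names, the explicit
`now` clock parameter, the token key and the data shapes are my assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IdentityRecord:
    user_id: str
    job_title: str
    expires_at: float          # Unix time at which the stored identity information lapses


@dataclass
class AccessPolicy:
    """An empty title list / None password means that check is not configured."""
    allowed_titles: List[str] = field(default_factory=list)
    password_hash: Optional[bytes] = None   # SHA-256 of the agreed access password


def hash_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


class EdgeAccelerationAuth:
    def __init__(self, validity_seconds: int) -> None:
        self.validity_seconds = validity_seconds
        self.identities: Dict[str, IdentityRecord] = {}   # keyed by the token the terminal carries
        self.policies: Dict[str, AccessPolicy] = {}       # keyed by target-application domain

    def record_authenticated_identity(self, token: str, user_id: str,
                                      job_title: str, now: float) -> None:
        """Called once the authentication center reports that identity authentication passed."""
        self.identities[token] = IdentityRecord(user_id, job_title, now + self.validity_seconds)

    def identity_status(self, token: Optional[str], now: float) -> str:
        """'missing': first request, trigger identity authentication;
           'expired': identity information lapsed, re-authenticate;
           'valid': still within the validity period, skip re-authentication."""
        record = self.identities.get(token) if token is not None else None
        if record is None:
            return "missing"
        if now >= record.expires_at:
            del self.identities[token]
            return "expired"
        return "valid"

    def authorize(self, token: Optional[str], domain: str, now: float,
                  access_password: Optional[str] = None) -> str:
        """Identity policy first, then the access-right policy for this application."""
        status = self.identity_status(token, now)
        if status != "valid":
            return status
        policy = self.policies.get(domain)
        if policy is None:
            return "forbidden"       # design choice: an unpublished application fails closed
        record = self.identities[token]
        if policy.allowed_titles and record.job_title not in policy.allowed_titles:
            return "forbidden"
        if policy.password_hash is not None:
            if access_password is None or not hmac.compare_digest(
                    hash_password(access_password), policy.password_hash):
                return "forbidden"
        return "allowed"


if __name__ == "__main__":
    auth = EdgeAccelerationAuth(validity_seconds=3600)
    auth.policies["finance.example.internal"] = AccessPolicy(
        allowed_titles=["finance", "manager"], password_hash=hash_password("agreed-word"))
    auth.policies["wiki.example.internal"] = AccessPolicy()   # identity policy only
    print(auth.authorize(None, "wiki.example.internal", now=1000.0))          # missing
    auth.record_authenticated_identity("tok-1", "alice", "finance", now=1000.0)
    print(auth.authorize("tok-1", "finance.example.internal", now=1001.0,
                         access_password="agreed-word"))                      # allowed
    print(auth.authorize("tok-1", "finance.example.internal", now=5000.0,
                         access_password="agreed-word"))                      # expired
```

The password comparison uses `hmac.compare_digest` over a hash rather than `==` on the raw string, so that a wrong password takes the same time to reject regardless of where it first differs; the expiry check deletes the stale record, so the very next request after an "expired" result is treated as a first request and goes through the full identity authentication again.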
  • Step 109 the edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
  • if the address information includes an IP address, the edge acceleration server forwards the access request directly to the edge security server at that IP address. If the address information only includes the domain name of the edge security server, the edge acceleration server sends a resolution request for that domain name to the domain name server.
  • the domain name server resolves the domain name sent by the edge acceleration server, obtains the IP address of each corresponding edge security server, forms an IP list from the obtained addresses, and returns the IP list to the edge acceleration server.
  • the IP list includes the IP addresses of one or more edge security servers.
  • the edge acceleration server receives the IP list returned by the domain name server and selects an IP address from it. Specifically, if the IP list includes only one IP address, that address is selected directly; if it includes multiple IP addresses, the IP address of an active edge security server is selected from them. The edge acceleration server establishes a communication connection with the edge security server corresponding to the selected IP address, and then sends the access request to it.
  • the edge acceleration server may also perform mutual authentication with the edge security server to further ensure the security of target application access. For example, the edge acceleration server sends its first certificate to the edge security server, which verifies whether the first certificate was issued by the CA it trusts. If verification fails, the edge security server returns a warning message to the edge acceleration server stating that the first certificate is not trustworthy. If verification passes, the edge security server can further compare information in the certificate, such as the domain name and public key, against preset rules, and recognizes the identity of the edge acceleration server as legitimate only if they match.
  • the edge acceleration server can likewise ask the edge security server to send its own second certificate, and verifies the second certificate on receipt. If verification fails, the connection is rejected; if it passes, information can be transmitted between the two.
  • the two-way authentication is carried out between the edge acceleration server and the edge security server through the above method.
  • the edge acceleration server will not send the access request to the edge
  • the security server greatly improves the security of intranet access.
  • the edge acceleration server can also encrypt the access request first, and send the encrypted data to the edge security server to improve the security of data transmission.
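  • The mutual authentication described above, as an added example in Python that is not code from the patent or its assignee. It shows the two checks on the edge security server side: the TLS handshake itself only succeeds for a peer certificate that chains to the edge security server's own CA (no public CAs are loaded), and after the handshake the certificate's domain name is compared with a preset allow-list, with an optional fingerprint pin standing in for the public-key comparison. File paths, host names, the allow-list, the cookie of the warning text and the sample certificate dictionary are assumptions.

```python
import hashlib
import ssl
import time

# Added example; not code from the patent. Edge security server = TLS server side,
# edge acceleration server = TLS client side. Paths and names below are assumptions.

WARNING = b"first certificate not trusted\n"   # assumed wording of the warning message


def build_server_context(ca_path, cert_path, key_path):
    """Context for the edge security server: presents its own ('second') certificate and
    REQUIRES a client ('first') certificate that chains to our own CA. Public CAs are
    deliberately not loaded, so a certificate from any other issuer fails the handshake
    before a single request byte is read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual TLS: no client cert, no session
    ctx.load_verify_locations(cafile=ca_path)      # trust only our own CA
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def build_client_context(ca_path, cert_path, key_path):
    """Context for the edge acceleration server: sends its 'first' certificate and verifies
    the edge security server's 'second' certificate against the same CA. PROTOCOL_TLS_CLIENT
    turns on CERT_REQUIRED and host-name checking by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def authorize_peer(peercert, allowed_names, now=None):
    """Post-handshake identity check. `peercert` is the dict SSLSocket.getpeercert() returns
    for a chain-validated certificate. Returns (True, matched_name) or (False, reason).
    Chain validation already happened in the handshake; this is the 'does the name conform
    to the preset rule' step from the text."""
    if not peercert:
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    if now >= ssl.cert_time_to_seconds(peercert["notAfter"]):
        return False, "certificate expired"
    names = {value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in peercert.get("subject", ()):       # fall back to CN for legacy certificates
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    matched = sorted(names & set(allowed_names))
    if not matched:
        return False, "certificate name(s) %s not in allow-list" % sorted(names)
    return True, matched[0]


def pin_matches(der_bytes, expected_sha256_hex):
    """Optional pinning in place of the text's public-key comparison: SHA-256 of the DER
    certificate (SSLSocket.getpeercert(binary_form=True)) against a pre-shared fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest() == expected_sha256_hex.lower()


def check_accepted_socket(tls_sock, allowed_names):
    """Run on the edge security server right after accepting a wrapped socket: authorise,
    or send the warning the text describes and drop the connection."""
    ok, detail = authorize_peer(tls_sock.getpeercert(), allowed_names)
    if not ok:
        tls_sock.sendall(WARNING)
        tls_sock.close()
    return ok, detail


SAMPLE_PEER_CERT = {  # constructed in getpeercert() layout; not a real certificate
    "subject": ((("commonName", "edge-accel-01.example.net"),),),
    "subjectAltName": (("DNS", "edge-accel-01.example.net"),),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}
```

  • Note that `load_verify_locations` with only the private CA is what makes the handshake reject certificates from public CAs; loading the system trust store as well would silently turn "issued by our CA" into "issued by anyone".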
  • Step 110 The edge security server receives the access request for the target application forwarded by the edge acceleration server, and determines the target connection server corresponding to the target application.
  • The edge security server is a relay that makes the connection between the edge acceleration server and the target application possible.
  • Because the target application is located in the intranet, this is how the connection between the edge acceleration server and an intranet application is realized.
  • After the edge security server starts, it waits for connections from the edge acceleration server and from the connectors in the connection servers, and forwards the access requests it receives from the edge acceleration server.
  • After receiving the access request from the target terminal to the target application forwarded by the edge acceleration server, the edge security server sends the domain name of the target application included in the access request to the management platform.
  • The management platform obtains the application configuration information of the target application according to the domain name, and queries from it the identification information of the connection server associated with the target application; that connection server is the target connection server. The management platform then sends the identification information of the target connection server to the edge security server.
  • the edge security server receives the identification information of the target connection server.
  • Alternatively, the edge acceleration server may already have obtained the application configuration information of the target application and the server configuration information of the associated connection server from the management platform while authenticating the target user, and it then forwards the application configuration information to the edge security server together with the access request.
  • In that case the edge security server obtains the identification information of the connection server associated with the target application locally from the application configuration information and treats it as the identification information of the target connection server.
  • the edge security server can determine the target connection server according to the identification information of the connection server associated with the target application included in the application configuration information. It can be understood that the number of target connection servers determined by the edge security server may be one or more.
  • When there are several, one of the target connection servers can be used as the primary target connection server and the others as secondary target connection servers.
  • If the primary target connection server fails, the target application can be accessed through a secondary target connection server.
  • The target applications associated with the primary and secondary target connection servers should be the same, or the target applications associated with the primary target connection server should be included in those associated with the secondary, or the two sets should at least partly overlap, and so on.
  • Step 111 The edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
  • The edge security server looks up, for each determined target connection server, the session connection corresponding to its identification information in the locally stored mapping between connection server identification information and session connections, and forwards the access request to each target connection server through that session connection.
  • Before forwarding, the edge security server may also obtain the health status information of each connection server through its session connection. The health status information includes one or more of the connection server's load status, network status, system status and disk status.
  • the edge security server sends a health check request to each connection server through a session connection corresponding to each connection server.
  • the connector in the connection server obtains its own health status information, and sends the health status information to the edge security server through a session connection with the edge security server.
  • The edge security server selects a connection server that meets the preset health conditions from among the connection servers.
  • The preset health conditions can include a load below a preset threshold and no abnormality in network status, system status or disk status; specific abnormalities can be listed in the preset health conditions, such as network interruption, system resource usage exceeding a preset ratio, or remaining disk space below a preset value. If several connection servers satisfy the preset health conditions, the edge security server may choose among them randomly or in order to determine the target connection server. Having determined the target connection server, the edge security server forwards the access request to the connector in that server through the session connection corresponding to its identification information.
  • the edge security server may also forward the access request to the connector in the connection server in a polling manner.
  • A preset polling rule is configured in the edge security server; it specifies the polling order of the target connection servers associated with the target application, and one target connection server is selected from them per request in that order. According to the identification information of the selected target connection server, its session connection is obtained from the mapping between identification information and session connections, and the access request is forwarded through it.
  • As a worked example, the remote terminal sends an access request to the edge acceleration server, and the access request includes the domain name "oa.companyA.com" of the target application to be accessed.
  • The edge acceleration server obtains the application configuration information corresponding to "oa.companyA.com" from the management platform.
  • The unique identifier of the connector bound in that application configuration information is "12345", and the edge acceleration server also obtains the server configuration information of connector 12345 from the management platform.
  • Having obtained both, the edge acceleration server sends a resolution request for the edge security server domain name "companyA.connector.com" contained in the server configuration information to the domain name server and receives the IP address "1.1.1.1" of the edge security server. It establishes a communication connection with the edge security server at "1.1.1.1" and sends it the access request and the application configuration information.
  • The edge security server at "1.1.1.1" looks up the session connection corresponding to connector "12345" in its pre-stored mapping, using the unique identifier included in the application configuration information, and sends the access request through that session connection to connector 12345 in connection server 1 of enterprise A.
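  • The selection logic of Step 111 and the worked example above, as an added Python example that is not code from the patent or its assignee. It models the edge security server's locally stored mapping from connector identification to session connection, the preset health conditions applied to a connector's health status report, and the polling (round-robin) alternative; it goes slightly beyond the worked example by giving "oa.companyA.com" three connectors so that the filtering is visible. Threshold values, the `Session` stand-in, the two extra connector identifiers and the constructed health reports are assumptions.

```python
import itertools
import random

# Added example; not the patent's code. Thresholds and health reports are assumptions.

PRESET_HEALTH = {                    # assumed "preset health conditions"
    "max_load": 0.8,                 # load must be below this threshold
    "max_sys_usage": 0.9,            # system resource usage ratio must not exceed this
    "min_disk_free": 5 * 1024 ** 3,  # remaining disk space must not fall below this
}


class Session:
    """Stand-in for one established outbound session from a connector. `health` is the
    status the connector would report when it receives a health check request."""

    def __init__(self, connector_id, health):
        self.connector_id = connector_id
        self.health = dict(health)
        self.forwarded = []          # requests sent down this session, for inspection

    def health_check(self):
        return self.health

    def send(self, request):
        self.forwarded.append(request)


def meets_preset_health(status):
    """Apply the preset health conditions to one connector's health status report.
    Missing fields count as unhealthy: an absent report is not evidence of health."""
    if status.get("network") != "up":
        return False
    if status.get("load", 1.0) >= PRESET_HEALTH["max_load"]:
        return False
    if status.get("sys_usage", 1.0) > PRESET_HEALTH["max_sys_usage"]:
        return False
    if status.get("disk_free", 0) < PRESET_HEALTH["min_disk_free"]:
        return False
    return True


class EdgeSecurityServer:
    def __init__(self):
        self.sessions = {}           # connector id -> Session: the stored mapping relationship
        self._cycles = {}            # target domain -> round-robin iterator for polling

    def register(self, connector_id, session):
        self.sessions[connector_id] = session

    def select_by_health(self, app_config, rng=random):
        """Keep only connectors with a live session that pass the preset conditions, then
        pick one at random (the text allows random or sequential choice)."""
        candidates = []
        for cid in app_config["connector_ids"]:
            session = self.sessions.get(cid)
            if session is None:                  # never registered, or session dropped
                continue
            if meets_preset_health(session.health_check()):
                candidates.append(cid)
        return rng.choice(candidates) if candidates else None

    def select_by_polling(self, app_config):
        """Round-robin in the configured order, skipping connectors without a session."""
        ids = app_config["connector_ids"]
        cycle = self._cycles.setdefault(app_config["domain"], itertools.cycle(ids))
        for _ in range(len(ids)):
            cid = next(cycle)
            if cid in self.sessions:
                return cid
        return None

    def forward(self, request, app_config, strategy="health"):
        """Step 111: send the request down the chosen session; None if no connector is usable."""
        if strategy == "health":
            cid = self.select_by_health(app_config)
        else:
            cid = self.select_by_polling(app_config)
        if cid is None:
            return None
        self.sessions[cid].send(request)
        return cid


# Constructed sample mirroring the worked example: oa.companyA.com bound to connector 12345,
# plus two further connectors (assumed identifiers) to show the filtering.
APP_CONFIG = {"domain": "oa.companyA.com", "connector_ids": ["12345", "12346", "12347"]}


def demo_server():
    ess = EdgeSecurityServer()
    healthy = {"network": "up", "load": 0.30, "sys_usage": 0.50, "disk_free": 50 * 1024 ** 3}
    overloaded = dict(healthy, load=0.95)
    ess.register("12345", Session("12345", healthy))
    ess.register("12346", Session("12346", overloaded))
    # connector 12347 is configured for the application but has not established a session
    return ess
```

  • A connector that is configured but has no live session is skipped rather than treated as an error, because with outbound-only sessions the edge security server has no way to reach it; the request simply goes to whichever configured connector is both connected and healthy.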
  • Step 112 Based on the session connection with the edge security server, if the connection server receives the access request for the target application forwarded by the edge security server, send the access request to the target application.
  • The connection server may be configured with a mapping between the domain name of each target application associated with it and that application's back-to-source (origin) address.
  • For example, the management platform may send the back-to-source address or the application configuration information of each target application to the connection server. When the connection server receives the access request for the target application from the edge security server over the session connection between them, it looks up the back-to-source address locally according to the domain name of the target application included in the access request and forwards the access request to the corresponding target application at that address.
  • Alternatively, the mapping between associated target application domain names and back-to-source addresses may not be configured in the connection server at all.
  • In that case the edge security server obtains the application configuration information corresponding to the target application from the management platform or from the edge acceleration server.
  • The application configuration information includes the back-to-source address corresponding to the target application, and when the edge security server forwards the access request to the corresponding connector in the target connection server, it also sends the back-to-source address to the connector.
  • The connector forwards the access request to the corresponding target application according to the back-to-source address.
  • the target application responds to the access request, and transmits the generated response message to the connection server associated with the target application.
  • Step 113 The connection server sends the received request response information to the edge security server, and the request response information is fed back by the target application according to the access request.
  • The target application generates request response information in response to the access request and sends it to the connection server.
  • the connection server then sends the request response information to the edge security server through the session connection between itself and the edge security server.
  • the edge security server sends the request response information to the edge acceleration server, and the edge acceleration server sends the request response information to the target terminal.
  • The transmission protocol of the session connection between the connection server and the edge security server may be an encrypted transmission protocol, so that data between the two is transmitted encrypted and its security in transit is ensured.
  • Multiple connection servers may be associated with the same target application.
  • The multiple connection servers associated with it may include a primary connection server and a standby connection server.
  • If the primary connection server fails, the access request of the target terminal to the target application can be received through the session connection corresponding to the standby connection server, and the request response information generated by the target application can be sent through that same session connection.
  • a connection server may also include multiple connectors, which are divided into primary connectors and secondary connectors. After the primary connector fails or the load limit is reached, the secondary connector performs data transmission.
  • The connection server can also send its own health status information and that of each of its connectors to the management platform every preset time period (such as 2 min, 0.5 h or 1 h). The management platform uses this health status information to judge whether the connection server or any connector is abnormal and, if so, sends an alarm message to the management personnel in time.
  • In another example, connectors 1 and 2 in connection server A and connectors 3 and 4 in connection server B each obtain the IP address of their edge security server from the domain name server according to the edge security server domain name in their respective configuration information, and then establish a session connection with the edge security server based on the obtained IP address.
  • the remote user sends an access request to the edge acceleration server, and the access request includes the domain name of the target application.
  • the edge acceleration server determines whether the access request includes user identity information that is still valid, and if so, determines that the identity authentication is passed. If not, the edge acceleration server redirects to the identity authentication page to obtain the user identity information of the current user.
  • the edge acceleration server acquires the application configuration information of the target application to be accessed and the server configuration information of the connection server associated with the target application from the management platform.
  • the edge acceleration server authenticates the obtained user identity information according to the identity authentication policy included in the application configuration information.
  • The edge acceleration server sends a resolution request for the edge security server domain name included in the server configuration information to the domain name server, and sends the access request and the application configuration information to the edge security server at the IP address returned by the domain name server.
  • For example, the domain name "A.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "1.1.1.1" and "2.2.2.2": the edge security server at "1.1.1.1" is the active edge security server and the one at "2.2.2.2" is the standby edge security server.
  • The domain name "B.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "3.3.3.3" and "4.4.4.4": the edge security server at "3.3.3.3" is the primary edge security server and the one at "4.4.4.4" is the backup edge security server.
  • the edge acceleration server may send the access request and application configuration information to the edge security server with the IP address "1.1.1.1".
  • The edge security server then sends the access request to connection server A through the session connection with connector 1 or connector 2.
  • In this way the target terminal can access the target application in the intranet without a VPN server, which avoids the instability and maintenance burden of VPN servers. The target application is published directly to the public network through the edge servers, which gives a better user access experience.
  • The edge acceleration server authenticates the user's identity and access rights, reducing the risk of malicious attacks.
  • the target application in the intranet can be SaaS-based without modifying the original network topology. Moreover, by increasing the number of edge acceleration servers and edge security servers, capacity expansion can be easily performed, and it can adapt to application scenarios with a large number of target users.
  • Some other embodiments of the present disclosure provide a method for remotely accessing an application, applied to a connection server. Referring to Figure 8, the method specifically includes the following steps:
  • Step 201 The connection server acquires address information of at least one edge security server corresponding to the connection server.
  • the connection server obtains server configuration information corresponding to the connection server from the management platform.
  • the connection server can directly obtain server configuration information from the management platform.
  • The connection server can also obtain the server configuration information from the management platform indirectly through an intermediary; for example, the management platform sends the server configuration information of the connection server to a configuration center, and the connection server then obtains it from the configuration center.
  • the connection server obtains address information of at least one edge security server corresponding to the connection server from the server configuration information.
  • the address information includes the IP address and/or domain name of the edge security server.
  • Step 202 The connection server establishes a session connection with at least one edge security server according to the address information of at least one edge security server, and the session connection is an outbound connection from the connection server to the at least one edge security server.
  • If the address information of the edge security server includes only an IP address, the connection server establishes a session connection with the edge security server according to that IP address. If the address information includes only the domain name, the connection server sends the domain name of each edge security server to the domain name server, receives the IP address corresponding to each domain name, and sends a connection request to one or more edge security servers according to each IP address. The connection request includes the identification information of the connection server, so that a session connection is established between the connection server and the one or more edge security servers.
  • The session connection is an outbound connection from the connection server to the edge security server, that is, a communication connection initiated by the connection server itself. The connection server therefore never has to accept connections from the public network, which protects the target application from malicious attacks.
  • A rule prohibiting incoming connection requests may be configured in the connection server, so that its firewall blocks all incoming requests other than traffic belonging to the session connections established above.
  • the transmission protocol of the session connection is an encrypted transmission protocol, that is, the data transmitted through the session connection is encrypted and then transmitted in ciphertext, so as to improve the security of data transmission.
  • Step 203 Based on the established session connection, if the connection server receives the access request for the target application forwarded by the edge security server, it sends the access request to the target application.
  • Step 204 The connection server sends the received request response information to the edge security server, and the request response information is fed back by the target application according to the access request.
  • The connection servers may include a primary connection server and a secondary connection server, the secondary being used when the primary fails.
  • Multiple connectors can be deployed in a connection server, including active connectors and standby connectors.
  • The active and standby connectors are associated with the same target application; when the active connector fails, the access request of the target terminal to the target application is received through the session connection corresponding to the standby connector.
  • the connection server also sends the health status information of the connector to the management platform every preset time period.
  • the health status information includes one or more of the load status information, network status information, system status information, and disk status information of the connector.
  • the connection server can also receive the health check request sent by the edge security server through the session connection corresponding to the connector, and send the health status information of the connector to the edge security server through the session connection.
  • The connection server establishes a session connection with the edge security server through its connector, and the target terminal accesses the target application through that session connection without using a VPN server, which avoids the instability and maintenance burden of VPN servers.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to an edge security server. Referring to FIG. 9 , the method specifically includes the following steps:
  • Step 301 The edge security server receives a connection request sent by at least one connection server.
  • Each connection request includes the identification information of the corresponding connection server.
  • Step 302 The edge security server establishes a session connection with at least one connection server according to the connection request.
  • the edge security server respectively establishes a session connection with at least one connection server according to multiple connection requests, and associates the identification information of each connection server with the corresponding session connection.
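  • The outbound session set-up of Steps 201 and 202 and its counterpart in Steps 301 and 302, as one added Python example that is not code from the patent or its assignee. It shows both sides of the exchange on the session: the connector resolves the edge security server's address information, sends a connection request carrying its identification information, and answers health check requests; the edge security server validates the connection request and associates the connector's identification with its session. The frame layout (4-byte length prefix plus JSON), the message names, the pre-shared token used to bind a connector identifier to a secret, and the constructed sample values are assumptions; the TLS wrapping of the socket is left to an `ssl.SSLContext` as in the mutual-authentication example and is not repeated here.

```python
import hmac
import json
import socket
import struct

# Added example; not the patent's code. Frame format, message names and tokens are assumptions.

MAX_FRAME = 1 << 20   # assumed cap so a peer cannot make the other side buffer unbounded input


def encode_frame(msg):
    """Length-prefixed JSON frame: 4-byte big-endian body length, then UTF-8 JSON."""
    body = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_FRAME:
        raise ValueError("frame too large")
    return struct.pack(">I", len(body)) + body


def decode_frames(buf):
    """Split a receive buffer into complete messages; returns (messages, leftover bytes).
    Handles both a partial frame (wait for more) and several coalesced frames."""
    msgs = []
    while len(buf) >= 4:
        (length,) = struct.unpack(">I", buf[:4])
        if length > MAX_FRAME:
            raise ValueError("frame too large")   # protocol violation: drop the session
        if len(buf) < 4 + length:
            break
        msgs.append(json.loads(buf[4:4 + length].decode("utf-8")))
        buf = buf[4 + length:]
    return msgs, buf


def resolve_address_info(address_info, port, resolver=socket.getaddrinfo):
    """Steps 201-202: address information may carry an IP address, a domain name, or both.
    An IP address is used as-is; a domain name is resolved to every listed edge security server."""
    if address_info.get("ip"):
        return [(address_info["ip"], port)]
    results = resolver(address_info["domain"], port, type=socket.SOCK_STREAM)
    return sorted({(entry[4][0], entry[4][1]) for entry in results})


class Connector:
    """Connection-server side: opens the outbound session, registers, then answers."""

    def __init__(self, connector_id, token, status_fn):
        self.connector_id = connector_id
        self.token = token            # assumed pre-shared secret from the server configuration
        self.status_fn = status_fn    # returns the connector's current health status

    def connection_request(self):
        # identification information carried in the connection request (Step 202); the token
        # is an added assumption so that an arbitrary host cannot register someone else's id
        return {"type": "register", "connector_id": self.connector_id, "token": self.token}

    def handle(self, msg):
        if msg.get("type") == "health_check":
            return {"type": "health_status", "connector_id": self.connector_id,
                    "status": self.status_fn()}
        return {"type": "error", "reason": "unsupported message type"}


class EdgeSecurityServer:
    """Edge-security-server side (Steps 301-302): accept the connection request and
    associate the connector's identification information with its session."""

    def __init__(self, connector_tokens):
        self.connector_tokens = connector_tokens   # connector id -> expected token (assumed)
        self.sessions = {}                         # connector id -> session object

    def handle_register(self, msg, session):
        cid = str(msg.get("connector_id", ""))
        expected = self.connector_tokens.get(cid)
        if expected is None or not hmac.compare_digest(expected, str(msg.get("token", ""))):
            return {"type": "register_nack", "reason": "unknown connector or bad token"}
        self.sessions[cid] = session               # the mapping used later to forward requests
        return {"type": "register_ack", "connector_id": cid}

    def health_check(self):
        return {"type": "health_check"}
```

  • Because the connector initiates the session, the host firewall on the connection server can default-deny inbound traffic and accept only packets belonging to established connections; the only thing the edge security server needs from the connector is a correctly authenticated registration frame, which is why the registration check is done before anything else is associated with the session.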
  • Step 303 The edge security server receives the access request for the target application forwarded by the edge acceleration server, and determines the target connection server corresponding to the target application.
  • Step 304 The edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
  • the edge security server forwards the access request to each target connection server according to the session connection associated with the identification information of the multiple target connection servers.
  • In detail, the edge security server extracts the identification information of each connection server associated with the target application from the application configuration information; obtains the session connection corresponding to each connection server from the mapping according to that identification information; obtains the health status information of each connection server through its session connection; selects, according to the health status information, a target connection server that meets the preset health conditions; and forwards the access request to the selected target connection server through its session connection.
  • The edge security server may also use a polling mechanism to forward the access request: it extracts the identification information of each connection server associated with the target application from the application configuration information, selects a target connection server according to a preset polling rule, obtains the session connection corresponding to the selected target connection server from the mapping according to its identification information, and forwards the access request through that session connection.
  • For the specific operation details of the edge security server, reference may be made to the operation of the edge security server in any of the foregoing embodiments, which are not repeated here.
  • The edge security server establishes a session connection with the connector in the connection server and forwards the access request from the target terminal to the connection server through it, so the target terminal can access the target application without using a VPN server, which avoids the instability and maintenance burden of VPN servers.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • the capacity can be easily expanded, and it can adapt to application scenarios with a large number of target users.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to an edge acceleration server. Referring to FIG. 10 , the method specifically includes the following steps:
  • Step 401 The edge acceleration server receives an access request for the target application sent by the target terminal, and the access request includes the domain name of the target application.
  • Step 402 The edge acceleration server determines the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application.
  • Before determining the address information of the edge security server, the edge acceleration server can also detect whether the access request carries the identity information of the target user and execute the authentication strategy corresponding to the detection result on that identity information. The authentication strategy includes an identity authentication strategy and/or an access authority authentication strategy. Only if the identity information of the target user passes the authentication strategy does the edge acceleration server go on to determine, according to the domain name of the target application, the address information of the corresponding edge security server.
  • Step 403 The edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
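  • The identity check that precedes Step 402, and the same flow described earlier for the remote user (detect identity information, redirect to the authentication page if it is missing or expired, then apply the identity authentication policy and access control policy from the application configuration information), as an added Python example that is not code from the patent or its assignee. The token format (an HMAC-signed JSON payload), the cookie name `zt_identity`, the signing key, the policy field names and the sample application configuration are assumptions; the patent does not specify how identity information is encoded.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example; not the patent's code. Token format, cookie name, key and policy fields are assumptions.

SIGNING_KEY = b"assumed-shared-key"   # assumption: key shared with the authentication centre


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64u(s):
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def issue_identity(user, groups, ttl, key=SIGNING_KEY, now=None):
    """What the identity authentication page hands back after login (assumed format):
    base64url(JSON payload) '.' base64url(HMAC-SHA256 over the payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "groups": groups, "exp": int(now + ttl)},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (_b64u(payload) + b"." + _b64u(sig)).decode("ascii")


def parse_identity(token, key=SIGNING_KEY, now=None):
    """Return the identity payload if the signature is valid and unexpired, else None.
    Malformed input and tampering both collapse to 'no valid identity'."""
    try:
        p, s = token.encode("ascii").split(b".", 1)
        payload, sig = _unb64u(p), _unb64u(s)
    except (ValueError, TypeError, UnicodeEncodeError):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None
    data = json.loads(payload)
    now = time.time() if now is None else now
    if data.get("exp", 0) <= now:
        return None
    return data


def decide(request, app_config, now=None):
    """Outcome for one access request at the edge acceleration server:
    ('redirect', login_url) | ('deny', reason) | ('forward', identity)."""
    token = request.get("cookies", {}).get("zt_identity")
    identity = parse_identity(token, now=now) if token else None
    if identity is None:   # missing, expired or forged: obtain identity via the authentication page
        return ("redirect", app_config["identity_auth_policy"]["login_url"])
    policy = app_config["access_control_policy"]
    allowed_groups = policy.get("allowed_groups")
    if allowed_groups and not set(identity.get("groups", [])) & set(allowed_groups):
        return ("deny", "group not permitted for %s" % app_config["domain"])
    if request.get("method", "GET") not in policy.get("allowed_methods", ["GET", "POST"]):
        return ("deny", "method not permitted")
    return ("forward", identity)


# Constructed application configuration information: field set from the patent, values assumed.
APP_CONFIG = {
    "domain": "oa.companyA.com",
    "back_to_source": "http://10.0.0.8:8080",
    "connector_ids": ["12345"],
    "identity_auth_policy": {"login_url": "https://auth.example.net/login", "session_ttl": 3600},
    "access_control_policy": {"allowed_groups": ["staff"], "allowed_methods": ["GET", "POST"]},
}
```

  • Authentication (is the token genuine and unexpired) and authorization (does this user's group match the application's access control policy) are kept as separate steps, and a failed or missing token always redirects rather than denies, so an attacker learns nothing about which applications exist from the difference between the two outcomes.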
  • For the specific operation details of the edge acceleration server, reference may be made to the operation of the edge acceleration server in any of the foregoing embodiments, which are not repeated here.
  • The edge acceleration server authenticates the user's identity and access rights, reducing the risk of malicious attacks.
  • the edge acceleration server forwards the access request and application configuration information to the edge security server, and then forwards the access request to the connection server through the edge security server.
  • The target terminal can access the target application behind the connection server without using a VPN server, which avoids the instability and maintenance burden of VPN servers.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • capacity expansion can be easily performed, and it can adapt to application scenarios with a large number of target users.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to a management platform. Referring to FIG. 11 , the method specifically includes the following steps:
  • Step 501 The management platform generates server configuration information corresponding to the connection server.
  • the server configuration information includes at least identification information of the connection server and address information of the edge security server corresponding to the connection server.
  • Step 502 The management platform generates application configuration information corresponding to the target application.
  • The application configuration information includes at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy.
  • Step 503 The management platform sends the connection server the server configuration information it needs.
  • Step 504 The management platform sends the edge acceleration server the application configuration information of the target application it needs and the server configuration information of the connection server associated with the target application.
  • The server configuration information of the connection server and the application configuration information of the target application are generated in the management platform, which associates the target application with the connection server. The management platform sends the server configuration information to the connection server, and sends the edge acceleration server the application configuration information of the target application and the server configuration information of the associated connection server.
  • The target terminal can access the target application behind the connection server without using a VPN server, which avoids the instability and maintenance burden of VPN servers.
  • the target application in the intranet can be SaaS-based without modifying the original network topology, which can be easily expanded and adapted to the application scenario with a large number of target users.
  • An embodiment of the present disclosure provides a system for remotely accessing applications.
  • the system includes: an edge acceleration server, an edge security server, a management platform, and a connection server;
  • the management platform is configured to generate application configuration information of the target application and server configuration information corresponding to the connection server; to send the edge acceleration server the application configuration information of the target application it needs and the server configuration information of the connection server associated with the target application; and to send the connection server the server configuration information it needs;
  • the edge acceleration server is configured to receive the access request sent by the target terminal for the target application; and send the access request to the corresponding edge security server according to the domain name of the target application included in the access request;
  • the edge security server is configured to receive the access request sent by the edge acceleration server; forward the access request to the corresponding connection server according to the previously established session connection with the connection server;
  • connection server is set to receive the access request sent by the edge security server, and forward the access request to the corresponding target application.
  • the session connection is an outbound connection from the connection server to the edge security server.
  • the system further includes: an authentication center, configured to implement an authentication policy on the identity information of the target user according to the identity information of the target user carried in the access request, and the authentication policy includes an identity authentication policy and/or access rights Authentication policy.
  • the system for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by its stored applications .
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to perform an operation of connecting to a server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • an acquisition module 601 configured to acquire address information of at least one edge security server corresponding to the connection server;
  • a first session establishment module 602 configured to establish a session connection with the at least one edge security server according to its address information, the session connection being an outbound connection from the connection server to the at least one edge security server;
  • a first sending module 603 configured to, based on the session connection, send an access request for the target application to the target application if such a request forwarded by the edge security server is received, and to send received request response information to the edge security server, the request response information being fed back by the target application in response to the access request.
  • The above address information is a domain name.
  • The first session establishment module 602 is further configured to send the domain name of the at least one edge security server to a domain name server; to receive from the domain name server the IP address corresponding to each domain name; and to send, according to each IP address, a connection request to the corresponding edge security server to establish a session connection between the connection server and that edge security server. The connection request includes identification information of the connection server, so that each edge security server associates the identification information with the corresponding session connection.
  • The acquisition module 601 is further configured to obtain the server configuration information corresponding to the connection server from the management platform, and to obtain the address information of the at least one edge security server corresponding to the connection server from that server configuration information.
  • The transmission protocol of the above session connection is an encrypted transmission protocol.
  • The device for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to perform an operation of the edge security server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a first receiving module 701 configured to receive a connection request sent by at least one connection server;
  • a second session establishment module 702 configured to establish a session connection with the at least one connection server according to the connection request;
  • the first receiving module 701 being further configured to receive the access request for the target application forwarded by the edge acceleration server;
  • a first determination module 703 configured to determine the target connection server corresponding to the target application;
  • a second sending module 704 configured to forward the access request to the target connection server over the session connection corresponding to the target connection server.
  • The connection request includes identification information of the corresponding connection server.
  • The second session establishment module 702 is further configured to establish a session connection with each of the at least one connection server according to multiple connection requests, and to associate each piece of identification information with the corresponding session connection.
  • The second sending module 704 is further configured to forward the access request to the target connection server over the session connection associated with the identification information of the target connection server.
  • The device for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to perform an operation of an edge acceleration server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a second receiving module 801 configured to receive an access request for the target application sent by the target terminal, the access request including the domain name of the target application;
  • a second determination module 802 configured to determine, according to the domain name of the target application, the address information of the edge security server corresponding to that domain name;
  • a third sending module 803 configured to forward the access request to the edge security server according to its address information.
  • The second determination module 802 is further configured to detect whether the access request carries the identity information of the target user; to apply an authentication policy to the identity information of the target user according to the detection result; and, if the identity information of the target user passes authentication under the authentication policy, to determine the address information of the edge security server corresponding to the domain name of the target application according to that domain name.
  • The foregoing authentication policy includes an identity authentication policy and/or an access right authentication policy.
  • The device for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to execute the operations of the management platform in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a generation module 901 configured to generate server configuration information corresponding to the connection server, the server configuration information including at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server, and to generate application configuration information corresponding to the target application, the application configuration information including at least one of the domain name of the target application, its back-to-source address, the identification information of the associated connection server, an identity authentication policy, and an access control policy;
  • a fourth sending module 902 configured to send the server configuration information required by the connection server, and to send the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application.
  • The device for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
  • Embodiments of the present disclosure also provide an electronic device to execute the above method for remotely accessing an application.
  • FIG. 16 shows a schematic diagram of an electronic device provided by some embodiments of the present disclosure.
  • The electronic device 10 includes a processor 1000, a memory 1001, a bus 1002 and a communication interface 1003; the processor 1000, the communication interface 1003 and the memory 1001 are connected through the bus 1002.
  • The memory 1001 stores a computer program executable on the processor 1000; when the processor 1000 runs the computer program, it executes the method for remotely accessing an application provided in any one of the foregoing embodiments of the present disclosure.
  • The memory 1001 may include high-speed random access memory (RAM), and may also include non-volatile memory, such as at least one disk memory.
  • The communication connection between this network element and at least one other network element is realized through at least one communication interface 1003 (wired or wireless), over the Internet, a wide area network, a local area network, a metropolitan area network, or the like.
  • The bus 1002 may be an ISA bus, a PCI bus, an EISA bus, or the like.
  • The bus can be divided into an address bus, a data bus, a control bus, and so on.
  • The memory 1001 is used to store a program, and the processor 1000 executes the program after receiving an execution instruction; the method for remotely accessing an application disclosed in any implementation of the foregoing embodiments of the present disclosure can be applied to, or implemented by, the processor 1000.
  • The processor 1000 may be an integrated circuit chip with signal processing capability.
  • Each step of the above method may be implemented by an integrated logic circuit of hardware in the processor 1000 or by instructions in the form of software.
  • The above processor 1000 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • The processor may implement or execute the various methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure.
  • A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • The steps of the method disclosed in the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • The software module can be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register.
  • The storage medium is located in the memory 1001; the processor 1000 reads the information in the memory 1001 and completes the steps of the above method in combination with its hardware.
  • The electronic device provided by the embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
  • Embodiments of the present disclosure also provide a computer-readable storage medium corresponding to the method for remotely accessing an application provided in the foregoing embodiments.
  • The storage medium stores a computer program, that is, a program product.
  • When the computer program is run by a processor, it executes the method for remotely accessing an application provided in any one of the foregoing implementations.
  • Examples of the computer-readable storage medium include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, or other optical and magnetic storage media, which are not enumerated further here.
  • The computer-readable storage medium provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run or implemented by the stored application program.
  • The session connection is an outbound connection from the connection server to the edge security server, so the target terminal can remotely access the target application without a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain.
  • Receiving access requests for the target application only as forwarded by the edge security server prevents other servers from actively sending information to, or establishing connections with, the connection server, which reduces the risk of malicious attacks and ensures the security of the target application.

Abstract

The present disclosure provides a method, system and apparatus for remotely accessing an application, a device, and a storage medium. The method comprises: acquiring address information of at least one edge security server corresponding to a connection server; establishing a session connection with the at least one edge security server according to the acquired address information; on the basis of the session connection, if an access request, forwarded by the edge security server, for a target application is received, sending the access request to the target application; and sending, to the edge security server, received request response information fed back by the target application.

Description

Method, system, apparatus, device and storage medium for remotely accessing an application
This disclosure is based on the Chinese patent application with application number 202110595342.2, filed with the Chinese Patent Office on May 28, 2021 and entitled "Method, system, apparatus, device and storage medium for remotely accessing an application", and claims priority to that Chinese patent application; the entire content of that Chinese patent application is incorporated herein by reference.
Technical field
Embodiments of the present disclosure relate to, but are not limited to, a method, system, apparatus, device and storage medium for remotely accessing an application.
Background
In the past, enterprise employees mostly accessed enterprise applications through a VPN (Virtual Private Network): the security department assigned VPN credentials to employees, and an employee logged in to the VPN and entered the credentials to reach the application.
With the development of cloud computing, enterprise infrastructure has changed fundamentally: enterprise applications may be distributed widely across public, private and hybrid clouds. Employees' access requirements have changed with it, with mobile access, remote work, access by third-party partners and so on. Enterprises need to serve increasingly diverse and widely distributed users while still ensuring application security.
Traditional VPN solutions struggle to cope with these changes. First, deploying VPNs across multiple branches and multiple clouds is costly and complex to manage. Second, the traditional VPN experience is poor: network fluctuations easily cause access delays or unstable service, which hurts productivity. Third, a traditional VPN connects to the enterprise infrastructure mainly over untrusted networks and itself opens a hole in the firewall: once VPN credentials are compromised, an attacker can enter the enterprise network through the VPN and move laterally to reach applications and data, which is a major security risk for the enterprise.
Summary of the invention
The following is an overview of the subject matter described in detail in this disclosure. This overview is not intended to limit the scope of the claims.
To overcome the problems in the related art, the present disclosure proposes a method, system, apparatus, device and storage medium for remotely accessing an application, which can at least to some extent avoid the instability and maintenance difficulties of VPNs while also ensuring the security of the target application.
According to a first aspect of the present disclosure, a method for remotely accessing an application is provided, applied to a connection server associated with at least one target application, and including:
acquiring address information of at least one edge security server corresponding to the connection server;
establishing a session connection with the at least one edge security server according to the address information, the session connection being an outbound connection from the connection server to the at least one edge security server;
based on the session connection, if an access request for a target application forwarded by an edge security server is received, sending the access request to the target application;
sending received request response information to the edge security server, the request response information being fed back by the target application in response to the access request.
According to a second aspect of the present disclosure, a method for remotely accessing an application is provided, applied to an edge security server and including:
receiving a connection request sent by at least one connection server;
establishing a session connection with the at least one connection server according to the connection request;
receiving an access request for a target application forwarded by an edge acceleration server, and determining the target connection server corresponding to the target application;
forwarding the access request to the target connection server over the session connection corresponding to the target connection server.
According to a third aspect of the present disclosure, a method for remotely accessing an application is provided, applied to an edge acceleration server and including:
receiving an access request for a target application sent by a target terminal, the access request including the domain name of the target application;
determining, according to the domain name of the target application, the address information of the edge security server corresponding to that domain name;
forwarding the access request to the edge security server according to its address information.
According to a fourth aspect of the present disclosure, a method for remotely accessing an application is provided, applied to a management platform and including:
generating server configuration information corresponding to a connection server, the server configuration information including at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server;
generating application configuration information corresponding to a target application, the application configuration information including at least one of the domain name of the target application, its back-to-source address, the identification information of the associated connection server, an identity authentication policy, and an access right control policy;
sending the server configuration information required by the connection server;
sending the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application.
According to a fifth aspect of the present disclosure, a system for remotely accessing an application is provided, including a management platform, an edge acceleration server, an edge security server and a connection server, where:
the management platform is configured to generate the application configuration information of a target application and the server configuration information corresponding to the connection server; to send the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application; and to send the connection server the server configuration information it requires;
the edge acceleration server is configured to receive an access request for the target application sent by a target terminal, and to send the access request to the corresponding edge security server according to the domain name of the target application contained in the access request;
the edge security server is configured to receive the access request sent by the edge acceleration server, and to forward it to the corresponding connection server over the previously established session connection with that connection server;
the connection server is configured to receive the access request sent by the edge security server and forward it to the corresponding target application.
According to a sixth aspect of the present disclosure, an apparatus for remotely accessing an application is provided, applied to a connection server and including:
an acquisition module configured to acquire address information of at least one edge security server corresponding to the connection server;
a session establishment module configured to establish a session connection with the at least one edge security server according to its address information, the session connection being an outbound connection from the connection server to the at least one edge security server;
a sending module configured to, based on the session connection, send an access request for a target application to the target application if such a request forwarded by an edge security server is received, and to send received request response information to the edge security server, the request response information being fed back by the target application in response to the access request.
According to a seventh aspect of the present disclosure, an apparatus for remotely accessing an application is provided, applied to an edge security server and including:
a receiving module configured to receive a connection request sent by at least one connection server;
a session establishment module configured to establish a session connection with the at least one connection server according to the connection request;
the receiving module being further configured to receive an access request for a target application forwarded by an edge acceleration server;
a determination module configured to determine the target connection server corresponding to the target application;
a sending module configured to forward the access request to the target connection server over the session connection corresponding to the target connection server.
According to an eighth aspect of the present disclosure, an apparatus for remotely accessing an application is provided, applied to an edge acceleration server and including:
a receiving module configured to receive an access request for a target application sent by a target terminal, the access request including the domain name of the target application;
a determination module configured to determine, according to the domain name of the target application, the address information of the edge security server corresponding to that domain name;
a sending module configured to forward the access request to the edge security server according to its address information.
According to a ninth aspect of the present disclosure, an apparatus for remotely accessing an application is provided, applied to a management platform and including:
a generation module configured to generate server configuration information corresponding to a connection server, the server configuration information including at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server, and to generate application configuration information corresponding to a target application, the application configuration information including at least one of the domain name of the target application, its back-to-source address, the identification information of the associated connection server, an identity authentication policy, and an access right control policy;
a sending module configured to send the server configuration information required by the connection server, and to send the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application.
According to a tenth aspect of the present disclosure, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor executing the computer program to implement the method of any one of the first to fourth aspects above.
According to an eleventh aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, the program being executed by a processor to implement the method of any one of the first to fourth aspects above.
The technical solutions provided in the embodiments of the present disclosure have at least the following technical effects or advantages:
In the embodiments of the present disclosure, a connection server is provided and a session connection is established between the connection server and the edge security server. This session connection is an outbound connection from the connection server to the edge security server, so that the target terminal can remotely access the target application without the user needing a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. At the same time, because access requests for the target application are received only as forwarded by the edge security server over this session connection, no other server can actively send information to, or establish a connection with, the connection server; this reduces the risk of malicious attacks and ensures the security of the target application.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Description of the drawings
The accompanying drawings, which form part of the present disclosure, are provided to aid a further understanding of the disclosure; the exemplary embodiments of the disclosure and their descriptions serve to explain the disclosure and do not constitute an improper limitation of it. Throughout the drawings, the same reference numerals denote the same components. In the drawings:
Fig. 1 is a schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of the present disclosure can be applied, according to an exemplary embodiment;
Fig. 2 is a signaling interaction diagram of a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 3 is a schematic diagram of the application configuration information of a target application and the template parameter information of a connector, according to an exemplary embodiment;
Fig. 4 is a schematic diagram of the process by which a connection server establishes a session connection with an edge security server, according to an exemplary embodiment;
Fig. 5 is a schematic diagram of an edge security server establishing a mapping between the identification information of a connection server and a session, according to an exemplary embodiment;
Fig. 6 is a flowchart of a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 7 is another flowchart of a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 8 is an operation flowchart of the connection server in a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 9 is an operation flowchart of the edge security server in a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 10 is an operation flowchart of the edge acceleration server in a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 11 is an operation flowchart of the management platform in a method for remotely accessing an application, according to an exemplary embodiment;
Fig. 12 is a schematic structural diagram of an apparatus for remotely accessing an application, applied to a connection server, according to an exemplary embodiment;
Fig. 13 is a schematic structural diagram of an apparatus for remotely accessing an application, applied to an edge security server, according to an exemplary embodiment;
Fig. 14 is a schematic structural diagram of an apparatus for remotely accessing an application, applied to an edge acceleration server, according to an exemplary embodiment;
Fig. 15 is a schematic structural diagram of an apparatus for remotely accessing an application, applied to a management platform, according to an exemplary embodiment;
Fig. 16 is a schematic structural diagram of an electronic device, according to an exemplary embodiment;
Fig. 17 is a schematic diagram of a storage medium, according to an exemplary embodiment.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope fully conveyed to those skilled in the art.
It should be noted that, unless otherwise specified, the technical or scientific terms used in the present disclosure have the ordinary meanings understood by those skilled in the art to which the disclosure belongs.
A method, system, apparatus, device and storage medium for remotely accessing an application according to embodiments of the present disclosure are described below with reference to the accompanying drawings.
An embodiment of the present disclosure provides a method for remotely accessing an application. Referring to Fig. 1, the network system architecture on which the method is based includes a connection server, an edge security server, an edge acceleration server, a management platform and a target terminal. The connection server may be deployed using a VPC (Virtual Private Cloud) or NAT (Network Address Translation). A server configured with one or more connectors is called a connection server; a connector is a software program for network communication, and the connection server is associated with at least one target application through the connectors configured on it. Specifically, each connector on the connection server may be communicatively connected to one or more target applications, and a target application may be an internal application on the intranet or an application on the public network, such as an origin site.
Fig. 1 only schematically shows a connection server that includes one connector, which is communicatively connected to one target application on the intranet. The connection server establishes a session connection with the edge security server through the connector; the session connection is an outbound communication connection and may be a TCP (Transmission Control Protocol) connection, an HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) connection, an SSL/TLS connection, or the like. The edge acceleration server communicates with the edge security server and the target terminal, and the management platform is communicatively connected to the edge acceleration server.
As shown in Fig. 1, the network system architecture may also have the edge acceleration node execute an authentication policy on the user of the target terminal, so that only target terminals that pass the authentication policy can access the target application, thereby ensuring the security of the target application. In one example, the edge acceleration node may obtain the identity information of the target user through an authentication center and execute the authentication policy on that identity information. The authentication center may be an authentication component deployed in the edge acceleration server or an authentication device independent of the edge acceleration server, and it is connected to the edge acceleration server. In one example, the authentication center may be connected to a third-party identity authentication system in order to obtain the identity information of the target user from it; in another example, the authentication center may obtain the identity information of the target user from an internal identity authentication system through the edge acceleration server, the edge security server and the connection server. The authentication center can thus obtain the identity information of the target user from the third-party identity authentication system or the internal identity authentication system according to the authentication method selected by the user, and so on. Those skilled in the art can determine the corresponding identity information acquisition method according to actual implementation requirements, which is not specifically limited in the present disclosure.
It should be noted that when no third-party identity authentication system is needed to provide or verify identity information, the edge acceleration server may also obtain identity information from, or verify identity information against, the internal identity authentication system through the edge security server and the connection server, without the participation of an authentication center. In other words, the authentication center does not necessarily exist in the network system architecture; those skilled in the art can configure it according to actual implementation needs, and the present disclosure does not specifically limit this.
It should be noted that the target terminal may include one or more of a smartphone, a tablet computer, a portable computer or a desktop computer. It will be understood that the numbers of target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers and connection servers in Fig. 1 are merely illustrative; depending on implementation needs, there may be any number of target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers and connection servers. For example, the network architecture may include one or more edge acceleration servers and one or more edge security servers, while Fig. 1 only schematically shows one edge acceleration server and one edge security server.
It is worth noting that the edge acceleration server and the edge security server mentioned in the embodiments of the present disclosure are two logical concepts, presented separately to aid understanding. In practice they may be deployed separately or on the same server device; the present disclosure does not specifically limit this.
Based on the above network architecture, the target terminal can access the target application on the intranet without using a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. The target application on the intranet is published directly to the public network, and the edge acceleration server authenticates the user's identity and access rights, eliminating the risk of malicious attacks. The target application on the intranet can be turned into SaaS (Software-as-a-Service) without modifying the original network topology. Moreover, capacity can be expanded easily by increasing the number of edge acceleration servers and edge security servers, which suits application scenarios with a very large number of target users.
The implementation details of the technical solutions of the embodiments of the present disclosure are described in detail below.
Fig. 2 shows a signaling interaction diagram of a method for remotely accessing an application provided by an embodiment of the present disclosure. Referring to Fig. 2, the method includes at least steps 101 to 113, described in detail as follows:
Step 101: the management platform generates server configuration information corresponding to the connection server, the server configuration information including at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server.
The management platform may be a cloud computing platform, such as a private cloud or a public cloud, and may provide server configuration information for the connection servers of enterprises, institutions, social organizations and other groups. The server configuration information includes at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server. The identification information is used to uniquely identify the connection server and may be the IP address of the connection server, its MAC (Media Access Control) address, or a manually set or automatically generated character sequence that uniquely identifies the connection server.
The connection server may be a server on which a connector is installed; the connector is a software program for network communication. Installing the connector on the connection server of an enterprise, institution, social organization or other group allows the connection server to establish a session connection with the external network through the connector, and remote access to the internal network is realized over the established session connection.
The edge security server may be any server capable of communicating with the connection server, with which it can establish a session connection for transmitting information. It will be understood that the address information of the edge security server may include a domain name and/or an IP address; if it is a domain name, the domain name may resolve to the IP addresses of one or more edge security servers. It should be noted that one edge security server may communicate with one or more connection servers, and one connection server may also connect to one or more edge security servers; the present disclosure does not specifically limit this.
In an exemplary embodiment of the present disclosure, before remote access is realized through the connection server, server configuration information corresponding to the connection server is first generated on the management platform. This server configuration information may serve as the startup parameters of the connection server, so that the connection server is enabled after being configured according to it.
As one implementation, the customer may configure the server configuration information themselves; specifically, the management platform may support the customer's configuration operation and receive the server configuration information configured by the customer. Alternatively, the customer may provide the relevant configuration information of the application server to the service provider, and the service provider then configures, on the management platform, the server configuration information corresponding to the customer's application server.
As another implementation, the management platform may also automatically generate the server configuration information corresponding to the connection server. Specifically, the management platform may assign to the connection server identification information that uniquely identifies it, and, according to the configuration information of all edge security servers in the whole network system architecture, assign an edge security server corresponding to the connection server. The configuration information of an edge security server may include, but is not limited to, its address information, the number of connectors already associated with it, and the upper limit on the number of connectors that can be associated with it. After the management platform assigns the identification information and the associated edge security server to the connection server, it determines the identification information and the address information of the corresponding edge security server as the server configuration information of the connection server.
In an exemplary embodiment of the present disclosure, the connector may be created on the management platform, and the management platform may provide the service provider with an interface for creating connectors. The connector can run on a variety of platforms, such as VMware virtual machines, Docker (an application container engine) and public cloud hosts. The service provider uses the interface provided by the management platform to create connectors that run on different platforms. After the connector is created, an installation package and configuration information corresponding to the connector are also generated; the configuration information includes the unique identifier of the connector and the address information of the edge security server corresponding to the connector, which may include the domain name and/or IP address of the edge security server.
It should be noted that one connector or multiple connectors may be created on the management platform, and the configuration information corresponding to each connector may include the address information of one or more edge security servers corresponding to that connector, so that after the connection server installs and starts the connector, the connector can establish session connections with one or more edge security servers in the system architecture shown in Fig. 1.
For example, Fig. 3 shows the configuration information of a connector, which includes the unique identifier of the connector, "connector id: 12345", and the domain name of the edge security server corresponding to the connector, "companyA.connector.com".
In addition, in an exemplary embodiment, in order to achieve high availability of access, the domain name included in the address information of the edge security server resolves to the IP addresses of at least two edge security servers. The connection server can then establish session connections with each of the multiple edge security servers according to the resolved IP addresses, so that when one session connection fails or is faulty, information can still be transmitted over the others. It will be understood that the session connections established with the multiple edge security servers may carry the same information; in other words, some of the session connections may serve as primary session connections and the others as secondary session connections, so that when the primary session connection fails, the information transmitted over a secondary session connection can be processed, ensuring stable access.
Step 102: the management platform generates application configuration information corresponding to the target application, the application configuration information including at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy and the access control policy.
The target application may be an application on the intranet of an enterprise, institution, social organization or other group, such as an OA system, a Web site, SSH (Secure Shell), VNC (Virtual Network Console), RDP (Remote Desktop Protocol), an internal IAM (Identity and Access Management) system, etc. The target application may also be an application program on the public network.
In an exemplary embodiment of the present disclosure, before the target application is accessed, the management platform generates the application configuration information corresponding to the target application. Specifically, the management platform may support the user's configuration operation: the user determines, according to their own needs, which target applications are allowed to be accessed remotely and then configures the application configuration information for those target applications on the management platform; the management platform receives and stores the application configuration information configured by the user and associates it with the corresponding target application.
In an exemplary embodiment, the application configuration information may include one or a combination of several kinds of information, such as the back-to-source address, the domain name of the target application, the identity authentication policy, the access control policy, and the identification information of the connection server associated with the target application. The back-to-source address may include the IP address of the device hosting the target application and the port number that this device opens to the outside. The identity authentication policy specifies how the target user is authenticated, and the access control policy specifies which user identities have access to the target application.
For example, the back-to-source address in the application configuration information of the target application shown in Fig. 3 is 172.16.1.100:433, where 172.16.1.100 is the IP address of the device hosting the target application and 433 indicates that the only port the device opens to the outside is port 433 (that is, the web browsing port). The application configuration information in Fig. 3 also includes the domain name of the target application, "oa.companyA.com", the back-to-source load balancing policy "round robin", the identity authentication method "Enterprise WeChat", the access control policy "allow finance staff to access", and the unique identifier of the connection server associated with the target application, "bound connector: 12345".
Through the operations of steps 101 and 102, the server configuration information corresponding to the connection server and the application configuration information corresponding to the target application are generated on the management platform, and the target application is associated with the connection server by setting the identification information of the associated connection server in the application configuration information.
It should be noted that the target application and the connection server may be on the same network, for example both on the internal network, both on the public network, or both on the same class C segment; they may also be on different networks, for example one on the public network and the other on the internal network. The present disclosure does not specifically limit this, as long as the target application and the connection server can communicate with each other.
Step 103: the management platform sends the server configuration information required by the connection server.
In an exemplary embodiment of the present disclosure, the connection server may download the installation package of the connector directly from the management platform and install the connector locally from the downloaded package. Specifically, the connection server sends a connector acquisition request to the management platform, and the management platform sends the installation package of the connector to the connection server in response to that request. After downloading the installation package from the management platform, the connection server installs the connector from it.
Alternatively, the connector may be pre-installed on the cloud host of the connection server. Or the connection server may download a complete connector image file from the management platform and install it, and so on. The embodiments of the present disclosure do not specifically limit how the connection server installs the connector.
After the connector is installed on the connection server, the connection server may request the server configuration information from the management platform. The management platform responds to the request by sending the server configuration information to the connection server. Having installed the connector and obtained the server configuration information from the management platform, the connection server starts the connector with that server configuration information. In one example, the connection server sends a configuration information acquisition request to the management platform; the request may contain the identification information of the connection server (that is, the identification information of the connector), and the management platform returns the corresponding server configuration information to the connection server according to that identification information.
在本公开实施例中,同一连接服务器可以部署一个或多个连接器。在部署多个连接器的应用场景中,多个连接器可以与相同的目标应用关联,对于该相同的目标应用来说,其关联的多个连接器可以划分为主用连接器和备用连接器,以便在主用连接器故障时采用备用连接器进行通信,提高远程访问应用的网络稳定性。In an embodiment of the present disclosure, one or more connectors may be deployed on the same connection server. In the application scenario where multiple connectors are deployed, multiple connectors can be associated with the same target application. For the same target application, the associated multiple connectors can be divided into active connectors and standby connectors , so that the backup connector can be used for communication when the primary connector fails, and the network stability of the remote access application can be improved.
It should be noted that when multiple connectors are deployed on one connection server, the identification information of each connector may serve as identification information of that connection server. For example, if connection server A contains two connectors whose identification information is 123456 and 234567 respectively, then connection server A may have two identifiers, namely 123456 and 234567, and so on. Alternatively, when multiple connectors are deployed on one connection server, a single identifier may be configured for the connection server, with a mapping relationship between that identifier and the identification information of the individual connectors. Those skilled in the art may choose the implementation according to actual requirements; the present disclosure places no particular limitation on it.
Step 104: the connection server acquires the address information of at least one edge security server corresponding to the connection server.
In an exemplary embodiment of the present disclosure, the connection server obtains the server configuration information corresponding to it from the management platform. Optionally, the connection server may obtain the server configuration information directly from the management platform. Alternatively, it may obtain it indirectly through an intermediary: for example, the management platform delivers the connection server's server configuration information to a configuration center, and the connection server then fetches it from the configuration center. Having obtained the server configuration information, the connection server extracts from it the address information of at least one edge security server corresponding to the connection server. The address information includes the IP address and/or the domain name of the edge security server.
Step 105: the connection server establishes, according to the address information of the at least one edge security server, a session connection with the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server.
In an exemplary embodiment of the present disclosure, after the connector has been installed on the connection server and is running normally, the connection server needs to establish, through the connector, a session connection with the at least one edge security server corresponding to it. If the address information of the at least one edge security server includes the IP address of the edge security server, the session connection between the connection server and the at least one edge security server is established directly using that IP address.
If the address information of the at least one edge security server includes only the domain name of the edge security server, the connection server sends a resolution request for the domain name of the at least one edge security server to a domain name server. The domain name server resolves each domain name, obtains the IP address corresponding to each, and returns the IP addresses to the connection server. The connection server receives the IP address corresponding to each domain name and, for each IP address, sends a connection request to the edge security server at that address. The connection request includes the identification information of the connection server, which is used to establish, and uniquely identify, the session connection between the connection server and its corresponding at least one edge security server.
In an embodiment of the present disclosure, the session connection is an outbound connection from the connection server to the at least one edge security server; that is, these session connections are communication connections initiated outward by the connection server. The connection server refuses inbound connections. Specifically, the connection server's firewall may be configured to refuse inbound connection requests, so that the firewall blocks all inbound requests other than traffic on the session connections established above. This ensures that the connection server can receive inbound information only over the established session connections, that remote access to the target application is carried only over those session connections, and that all other inbound access is prevented, protecting the target application. When the target application is an intranet application, the security of the intranet is greatly improved.
Step 106: the edge security server receives a connection request sent by at least one connection server and, according to the connection request, establishes a session connection with the at least one connection server.
Before the connection server establishes the session connection with the edge security server in step 105, it sends a connection request to the edge security server, and the connection request includes the identification information of the connection server. Because one edge security server may establish session connections with at least one connection server, the edge security server may receive connection requests from at least one connection server; according to the identification information included in each received connection request, it establishes a session connection with that connection server. The session connection is a session between the edge security server and the connector installed on the connection server.
In an embodiment of the present disclosure, the edge security server may receive multiple connection requests, each including the identification information of the corresponding connection server. The edge security server establishes a session connection with each of the at least one connection server according to the connection requests and associates the identification information included in each connection request with the corresponding session connection. Specifically, the edge security server stores the identification information included in each connection request together with the corresponding session in a mapping between connection server identification information and sessions.
In an embodiment of the present disclosure, one connector on a connection server may establish session connections with one or more edge security servers, and one edge security server may be connected with one or more connection servers, that is, with one or more connectors on a connection server. This avoids a situation in which the failure of a single connector, connection server or edge security server interrupts remote access.
In an embodiment of the present disclosure, the session connection between the connection server and the edge security server is established on port 443 (the port used for web browsing); application-layer connection multiplexing is performed over this session connection, and requests are forwarded back to the origin over the return path of the session connection. For high availability of the connector, the connector may establish persistent session connections with multiple edge security servers. For the connection server, because the connector's session connection is outbound and back-to-origin access to the target application depends only on that session connection, no inbound connection need be established. The intranet firewall or VPC (Virtual Private Cloud) security policy therefore needs no complex network rules: it only needs to allow outbound port 443 and block all inbound connections.
To aid understanding of how the session connection between the connection server and the edge security server is established, the process is described below with reference to the drawings. As shown in Figure 4, suppose the domain name of the edge security server included in the connection server's server configuration information is "abc.yundun-tunnel.com". The connection server sends a resolution request for the domain name "abc.yundun-tunnel.com" to the domain name server. The domain name server resolves the domain name and returns the resolved IP address to the connection server. The connection server establishes a session connection with the edge security server at that IP address, the session connection being established on port 443. The connection server communicates with the edge security server over this session using the HTTP/2 protocol. The connection server's firewall need only allow outbound port 443 and block all inbound connections.
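The connector side of steps 104 and 105, as an added example in Go; this is not code from the patent or from the applicant. It shows the two branches of the address information (IP literal used directly, domain name resolved first), the connection request carrying the connector's identification information, and an HTTP client that only dials outward on port 443 with HTTP/2 negotiated by ALPN. The header name X-Connector-Id, the path /connect and the stub resolver answers are assumptions; the domain "abc.yundun-tunnel.com" and the connector identifier 12345 are taken from the figures.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Resolver maps a domain name to IP addresses. It is injected so the
// resolution branch of step 105 can run without network access.
type Resolver func(ctx context.Context, host string) ([]string, error)

// systemResolver is the real thing: the connection server's domain name server.
func systemResolver(ctx context.Context, host string) ([]string, error) {
	return net.DefaultResolver.LookupHost(ctx, host)
}

// EdgeEndpoints turns the address information from the server configuration
// (IP addresses and/or domain names) into "host:443" dial targets. IP literals
// are used as they are; domain names are resolved first. Duplicates are dropped.
func EdgeEndpoints(ctx context.Context, addrs []string, resolve Resolver) ([]string, error) {
	var out []string
	seen := map[string]bool{}
	for _, a := range addrs {
		a = strings.TrimSpace(a)
		if a == "" {
			continue
		}
		ips := []string{a}
		if net.ParseIP(a) == nil { // not an IP literal: ask the domain name server
			r, err := resolve(ctx, a)
			if err != nil {
				return nil, fmt.Errorf("resolve %q: %w", a, err)
			}
			ips = r
		}
		for _, ip := range ips {
			ep := net.JoinHostPort(ip, "443")
			if !seen[ep] {
				seen[ep] = true
				out = append(out, ep)
			}
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("server configuration names no edge security server")
	}
	return out, nil
}

// ConnectRequest is the connection request of step 105. The header name and
// path are assumptions; the patent only says the request carries the
// connector's identification information.
func ConnectRequest(ctx context.Context, endpoint, serverName, connectorID string) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://"+endpoint+"/connect", nil)
	if err != nil {
		return nil, err
	}
	req.Host = serverName // Host stays the edge's domain even when dialing an IP
	req.Header.Set("X-Connector-Id", connectorID)
	return req, nil
}

// EdgeClient only ever dials outward, over TLS, negotiating HTTP/2 by ALPN so
// that every back-to-origin request is multiplexed onto one long-lived
// session. Nothing here listens; the connection server needs no inbound rule.
func EdgeClient(serverName string) *http.Client {
	tr := &http.Transport{
		ForceAttemptHTTP2: true,
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			ServerName: serverName, // SNI is the domain, not the resolved IP
			NextProtos: []string{"h2"},
		},
		IdleConnTimeout: 0, // keep the session open; it is the only path back in
	}
	return &http.Client{Transport: tr}
}

func main() {
	ctx := context.Background()
	// Constructed stub standing in for the domain name server so this runs offline.
	stub := func(_ context.Context, host string) ([]string, error) {
		if host == "abc.yundun-tunnel.com" {
			return []string{"2.2.2.2"}, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
	eps, err := EdgeEndpoints(ctx, []string{"1.1.1.1", "abc.yundun-tunnel.com"}, stub)
	if err != nil {
		fmt.Println("resolution failed:", err)
		return
	}
	fmt.Println("dial targets:", eps) // [1.1.1.1:443 2.2.2.2:443]
	req, _ := ConnectRequest(ctx, eps[0], "abc.yundun-tunnel.com", "12345")
	fmt.Println("connect:", req.Method, req.URL, req.Header.Get("X-Connector-Id"))
	_ = EdgeClient("abc.yundun-tunnel.com") // would carry req to a real edge; use systemResolver there
}
```

Keeping ServerName and Host set to the edge's domain while dialing the resolved IP means certificate validation still checks the name from the configuration, so a poisoned DNS answer cannot silently redirect the tunnel to another TLS endpoint. The matching host firewall policy is the one the patent describes: allow outbound TCP/443 and drop every inbound connection; the client above opens no listening socket.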
As shown in Figure 5, the edge security server maintains a mapping between connection server identification information and sessions. In Figure 5, the edge security server with IP address "1.1.1.1" has established a session connection with one connector in each of connection servers 1, 2 and 3. The mapping maintained on the edge security server therefore contains connector 12345: session 1, connector 34567: session 2 and connector 45678: session 3.
Once the connector has been created on the management platform and the application configuration information for the target application has been set, the connector has been installed on the connection server and has established a session connection with the edge security server, and the domain names of all target applications permitted to be accessed remotely have been resolved to the IP address of the edge acceleration server, these target applications are published directly on the public network. A remote terminal may then access a target application by the method provided by the embodiments of the present disclosure.
Step 107: the edge acceleration server receives an access request for a target application sent by a target terminal, the access request including the domain name of the target application.
The edge acceleration server provides DDoS (Distributed Denial of Service) scrubbing, cache acceleration, WAF (Web Application Firewall) and load balancing functions, and also acts as an edge security gateway providing identity authentication, permission management and access control. When a target user accesses a target application, the request first reaches the edge acceleration server.
In a specific application scenario, an employee working from home or travelling who needs to access a target application on the company intranet views, on a target terminal, the target applications the company has published on the public network and selects the one to access, for example by clicking it. When the target terminal detects that a target application has been clicked, it obtains the domain name of that target application and sends a resolution request for the domain name to the domain name server. The domain name server resolves the domain name of the target application; because the domain names of all target applications published on the public network were previously resolved to the IP address of the edge acceleration server, resolving the current target application's domain name yields the IP address of the corresponding edge acceleration server. The domain name server returns the resolved IP address to the target terminal. The target terminal sends an access request to the corresponding edge acceleration server according to that IP address, the access request including the domain name of the target application the target user needs to access.
In other embodiments of the present disclosure, the edge acceleration server may also record an access behaviour log for the target user, which may include the access time, the accessed object, identity information and so on. This information helps the enterprise's security staff audit and control user behaviour.
Step 108: the edge acceleration server determines, according to the domain name of the target application, the address information of the edge security server corresponding to the domain name of the target application.
In an exemplary embodiment of the present disclosure, the edge acceleration server may obtain in advance, from the management platform, the application configuration information corresponding to each target application and the server configuration information of the connection servers. It should be noted that the edge acceleration server may obtain this information directly from the management platform or from an intermediary such as a configuration center; the present disclosure places no particular limitation on this.
When the edge acceleration server receives an access request for a target application, it may obtain the domain name of the target application included in the access request, determine the corresponding application configuration information from that domain name, and then determine from the application configuration information the identification information of the connection server associated with the target application. Based on the determined identification information of the connection server, the corresponding server configuration information is determined, from which the address information of the edge security server associated with that connection server is obtained.
It will be understood that the address information may include a domain name and/or an IP address. If the address information is a domain name, the edge acceleration server may send a resolution request for the edge security server's domain name to the domain name server, which returns the IP address of the corresponding edge security server.
It should be noted that there may be one or more items of edge security server address information, for example the IP addresses of multiple edge security servers, or one or more IP addresses returned by the domain name server for a domain name, and so on. Among the edge security servers corresponding to multiple items of address information, some may serve as primary edge security servers and the others as backup edge security servers.
In another exemplary embodiment of the present disclosure, the edge acceleration server requests the application configuration information of the target application from the management platform, or accepts a push of it from the management platform. According to a query request sent by the edge acceleration server that contains the domain name of the target application, the management platform queries the application configuration information of the target application, obtains from it the identification information of the connection server associated with the target application, obtains the server configuration information of that connection server according to the identification information, obtains from the server configuration information the address information of the edge security server associated with that connection server, and sends that address information to the edge acceleration server.
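The lookup chain of step 108 together with the connector-to-session mapping of step 106 (Figure 5), as an added example in Go; this is not code from the patent or from the applicant. It models the management platform's two configuration tables, an edge security server's "connector identifier -> session" map, and a Route function that walks domain -> application configuration -> connector identifiers (active first, then standby) -> server configuration -> edge security servers (primary first, then backup) to the first live session. The application domain "crm.example.com", the second edge address 1.1.1.2 and the use of list order to express active/standby and primary/backup are assumptions; connector identifiers 12345 and 34567 and the edge address 1.1.1.1 are taken from Figure 5.

```go
package main

import (
	"errors"
	"fmt"
)

// AppConfig: application configuration information for one published target
// application. Connectors lists connector identifiers, active first, then standby.
type AppConfig struct{ Connectors []string }

// ServerConfig: server configuration information of the connection server that
// hosts a connector. Edges lists its edge security servers, primary first.
type ServerConfig struct{ Edges []string }

// Session is one established outbound session from a connector to an edge.
type Session struct {
	ConnectorID string
	EdgeAddr    string
	Alive       bool
}

// EdgeSecurityServer keeps the "connector identifier -> session" mapping of Figure 5.
type EdgeSecurityServer struct {
	Addr     string
	sessions map[string]*Session
}

func NewEdgeSecurityServer(addr string) *EdgeSecurityServer {
	return &EdgeSecurityServer{Addr: addr, sessions: map[string]*Session{}}
}

// Accept handles a connection request (step 106). The request must carry the
// connector identifier; it becomes the key under which the session is stored.
func (e *EdgeSecurityServer) Accept(connectorID string) (*Session, error) {
	if connectorID == "" {
		return nil, errors.New("connection request without connector identifier")
	}
	s := &Session{ConnectorID: connectorID, EdgeAddr: e.Addr, Alive: true}
	e.sessions[connectorID] = s
	return s, nil
}

// Lookup returns the live session for a connector identifier, if there is one.
func (e *EdgeSecurityServer) Lookup(connectorID string) (*Session, bool) {
	s, ok := e.sessions[connectorID]
	return s, ok && s.Alive
}

// Close marks a connector's session as gone (connector, link or host failed).
func (e *EdgeSecurityServer) Close(connectorID string) {
	if s, ok := e.sessions[connectorID]; ok {
		s.Alive = false
	}
}

// ControlPlane models the management platform's configuration plus the edge
// security servers the edge acceleration server can reach.
type ControlPlane struct {
	Apps    map[string]AppConfig    // target application domain -> app config
	Servers map[string]ServerConfig // connector identifier -> server config
	Edges   map[string]*EdgeSecurityServer
}

// Route performs step 108 and then the session lookup: domain -> app config ->
// connector ids (active, then standby) -> server config -> edge security
// servers (primary, then backup) -> first live session.
func (c *ControlPlane) Route(domain string) (*Session, error) {
	app, ok := c.Apps[domain]
	if !ok {
		return nil, fmt.Errorf("%q is not a published target application", domain)
	}
	for _, cid := range app.Connectors {
		for _, addr := range c.Servers[cid].Edges { // missing server config: empty list
			if edge, ok := c.Edges[addr]; ok {
				if s, ok := edge.Lookup(cid); ok {
					return s, nil
				}
			}
		}
	}
	return nil, fmt.Errorf("no live session for %q", domain)
}

// sampleControlPlane builds a constructed topology: one application behind an
// active and a standby connector, each holding sessions to a primary and a
// backup edge security server.
func sampleControlPlane() *ControlPlane {
	cp := &ControlPlane{
		Apps: map[string]AppConfig{"crm.example.com": {Connectors: []string{"12345", "34567"}}},
		Servers: map[string]ServerConfig{
			"12345": {Edges: []string{"1.1.1.1", "1.1.1.2"}},
			"34567": {Edges: []string{"1.1.1.1", "1.1.1.2"}},
		},
		Edges: map[string]*EdgeSecurityServer{},
	}
	for _, addr := range []string{"1.1.1.1", "1.1.1.2"} {
		edge := NewEdgeSecurityServer(addr)
		for _, cid := range []string{"12345", "34567"} {
			edge.Accept(cid) // each connector dials out to every edge for HA
		}
		cp.Edges[addr] = edge
	}
	return cp
}

func main() {
	cp := sampleControlPlane()
	show := func(label string) {
		if s, err := cp.Route("crm.example.com"); err == nil {
			fmt.Printf("%s: connector %s via edge %s\n", label, s.ConnectorID, s.EdgeAddr)
		} else {
			fmt.Printf("%s: %v\n", label, err)
		}
	}
	show("steady state") // connector 12345 via edge 1.1.1.1
	cp.Edges["1.1.1.1"].Close("12345")
	show("primary edge lost session") // connector 12345 via edge 1.1.1.2
	cp.Edges["1.1.1.2"].Close("12345")
	show("active connector down") // connector 34567 via edge 1.1.1.1
}
```

Because the edge security server keys sessions only by the identifier the connector sends, the identifier is the thing an attacker would want to forge; in a real deployment the connection request of step 105 should be authenticated (for example by a per-connector credential issued by the management platform together with the server configuration) before Accept stores anything under that key.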
In an exemplary embodiment of the present disclosure, before determining the address information of the edge security server corresponding to the domain name of the target application, the edge acceleration server may apply an authentication policy to the user's identity information. The authentication policy may include an identity authentication policy and/or an access permission authentication policy.
Specifically, when applying the identity authentication policy to the user's identity information, the edge acceleration server may, after receiving the access request, check whether the access request carries the identity information of the target user, since a user's first access request will not carry identity information. If the edge acceleration server detects that the access request does not include user identity information, it triggers an identity authentication operation. It should be noted that the authentication center shown in Figure 1 may be an authentication component within the edge acceleration server or an authentication device independent of it; the authentication center may exchange data with a third-party identity authentication system or with an internal identity authentication system on the intranet.
The third-party identity authentication system is reachable over the Internet, whereas the internal identity authentication system on the intranet must be reached through the edge acceleration server, the edge security server and the connection server. In one example, the third-party identity authentication system is accessed over the Internet, or the internal identity authentication system on the intranet is accessed through the edge acceleration server and the edge security server, and the third-party or internal identity authentication system may return the identity information of the target user to the authentication center. It should be noted that if the authentication center receives the returned identity information, that identity information may be regarded as having passed identity authentication, and the subsequent steps may proceed.
In other examples, the authentication center may send an identity authentication page to the edge acceleration server. The edge acceleration server may send the identity authentication page to the target terminal, which displays it; the identity authentication page includes at least one identity authentication option. For example, the page may include, without limitation, several identity authentication options such as WeChat authentication, WeCom (enterprise WeChat) authentication and mobile phone number authentication; the user selects an option, which determines the corresponding identity authentication policy. For example, if the user selects WeChat authentication, the user may be authenticated using the user's WeChat ID, WeChat password and similar information. After the target user selects an identity authentication option, the identity authentication page obtains from the target user the identity information to be verified that corresponds to that option; for example, if the user selects WeChat authentication, the corresponding WeChat ID and WeChat password are obtained, and so on. The authentication center may submit the identity information to be verified that was received on the identity authentication page to the corresponding third-party identity authentication system or internal identity authentication system for authentication, and that system returns the verification result, namely whether identity authentication passed.
After identity authentication passes, the edge acceleration server sets a validity period for the user identity information on which this authentication was based, stores the user identity information together with its validity period, and instructs the target terminal to carry that user identity information in the access request each time it subsequently requests access to the target application.
If the check finds that the access request contains user identity information, the user identity information is authenticated according to the identity authentication policy included in the corresponding authentication policy. Specifically, the validity period corresponding to the user identity information is obtained; if it has not yet expired, the user identity information previously passed identity authentication and is still valid, so no new identity authentication is needed and the current user is directly determined to have passed identity authentication.
If the check finds that the access request includes user identity information but the validity period of that user identity information has expired, the target user is re-authenticated according to the identity authentication policy configured on the edge acceleration server.
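The validity-period check that the edge acceleration server performs on each access request, as an added example in Go; this is not code from the patent or from the applicant. It covers the three cases described above (no identity information carried, identity within its validity period, identity expired) plus the case the text does not spell out, identity information that this server never recorded. The identity string "alice@example.com", the 8-hour validity period and the fixed clock are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Decision is what the edge acceleration server does with an access request
// after inspecting the user identity information it carries.
type Decision int

const (
	NeedAuth Decision = iota // no identity information: trigger authentication
	Allowed                  // identity recorded and within its validity period
	Reauth                   // identity recorded but validity period has expired
	Unknown                  // identity carried but never recorded by this server
)

func (d Decision) String() string {
	return [...]string{"NeedAuth", "Allowed", "Reauth", "Unknown"}[d]
}

// IdentityStore holds each authenticated identity with the instant its
// validity period ends. The clock is injected so expiry is testable.
type IdentityStore struct {
	ttl     time.Duration
	expires map[string]time.Time
	now     func() time.Time
}

func NewIdentityStore(ttl time.Duration, now func() time.Time) *IdentityStore {
	return &IdentityStore{ttl: ttl, expires: map[string]time.Time{}, now: now}
}

// Record is called once authentication has passed: it sets the validity
// period for the identity information and stores both, returning the expiry.
func (s *IdentityStore) Record(identity string) (time.Time, error) {
	if identity == "" {
		return time.Time{}, errors.New("empty identity")
	}
	exp := s.now().Add(s.ttl)
	s.expires[identity] = exp
	return exp, nil
}

// Check is the per-request branch: missing identity -> NeedAuth; recorded and
// unexpired -> Allowed; recorded but expired -> Reauth (the stale entry is
// deleted so it cannot be replayed); carried but never recorded -> Unknown,
// which the caller treats exactly like NeedAuth.
func (s *IdentityStore) Check(identity string) Decision {
	if identity == "" {
		return NeedAuth
	}
	exp, ok := s.expires[identity]
	if !ok {
		return Unknown
	}
	if !s.now().Before(exp) { // expiry instant itself counts as expired
		delete(s.expires, identity)
		return Reauth
	}
	return Allowed
}

func main() {
	// Constructed clock: fixed start, advanced by hand.
	t0 := time.Date(2022, 5, 20, 9, 0, 0, 0, time.UTC)
	clock := t0
	store := NewIdentityStore(8*time.Hour, func() time.Time { return clock })

	fmt.Println("first request:", store.Check("")) // NeedAuth
	exp, _ := store.Record("alice@example.com")
	fmt.Println("recorded, valid until", exp.Format(time.RFC3339))
	fmt.Println("within period:", store.Check("alice@example.com")) // Allowed
	clock = t0.Add(9 * time.Hour)
	fmt.Println("after expiry:", store.Check("alice@example.com")) // Reauth
	fmt.Println("replayed:", store.Check("alice@example.com"))     // Unknown
	fmt.Println("never issued:", store.Check("mallory@example.com")) // Unknown
}
```

One point a practitioner will want settled before deploying this check: the "user identity information" the terminal carries back must be something the terminal cannot mint itself. If it is a bare account name, anyone who knows the name can reuse it for the whole validity period; in practice the record key is a random session identifier or a signed token issued at authentication time, and the account name is looked up from it on the server side.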
In an exemplary embodiment of the present disclosure, during re-authentication the edge acceleration server may send, via the authentication center, the identification information of the target user included in the access request (for example a user account) to the third-party identity authentication system. The third-party identity authentication system obtains the identity information of the target user according to that identification information and returns it to the authentication center. After the edge acceleration server has obtained the target user's identity information through the authentication center, it performs identity authentication and/or access permission authentication on that user identity information according to the pre-configured authentication policy.
In an exemplary embodiment of the present disclosure, when the authentication center needs to obtain the identity information of the target user from the internal identity authentication system, it may send the identification information of the target user, through the edge acceleration server, the edge security server and the connection server, to the internal identity authentication system on the intranet, so as to obtain the target user's identity information from that system. Specifically, in one example, the edge acceleration server may send the domain name of the target application to the management platform; the management platform obtains, from the server configuration information of the connection server associated with the target application, the address information of the edge security server corresponding to that connection server, and sends it to the edge acceleration server. If the address information includes the IP address of the edge security server, the edge acceleration server establishes a communication connection with the edge security server according to that IP address and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server. If the address information includes only the domain name of the edge security server, the edge acceleration server sends a resolution request for that domain name to the domain name server; the domain name server resolves it, obtains the IP address of the edge security server and sends it to the edge acceleration server. The edge acceleration server then establishes a communication connection with the edge security server according to that IP address and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server.
The edge security server may send to the management platform a request, containing the domain name of the target application, to query the connection server associated with the target application. The management platform obtains, according to that domain name, the identification information of the connection server associated with the target application from the application configuration information of the target application, and sends the identification information of the connection server to the edge security server. According to that identification information, the edge security server obtains the session connection corresponding to the connection server from the mapping between connection server identification information and session connections, and sends the identification information of the target user to the connection server over that session connection. After receiving the identification information of the target user, the connection server forwards it to the internal identity authentication system on the intranet to which the target application belongs; the internal identity authentication system obtains the identity information of the target user according to that identification information and returns it along the original path, through the connection server and the edge security server in turn, to the authentication center corresponding to the edge acceleration server.
In another example, the edge security server does not query the management platform for the identification information of the corresponding connection server. Instead, the edge acceleration server obtains the application configuration information of the target application from the management platform according to the domain name of the target application, and sends the user identity information together with that application configuration information to the edge security server. The edge security server looks up the identification information of the connection server associated with the target application in the application configuration information and then, according to that identification information, forwards the identification information of the target user over the session connection with that connection server to the internal identity authentication system in the corresponding intranet. The internal identity authentication system obtains the identity information of the target user according to the identification information of the target user and returns it along the original path to the authentication center corresponding to the edge acceleration server.
In other embodiments of the present disclosure, instead of setting a validity period for the user identity information after the first authentication, the edge acceleration server may instruct the target terminal to display the above identity authentication page on every access. After the user selects each identity authentication option included on the page, the target terminal determines the corresponding user identity information from each selected option, for example using the user's login information for the application corresponding to that option as the user identity information, and carries this user identity information in the access request sent to the edge acceleration server. The edge acceleration server then forwards the user identity information through the authentication center to the third-party identity authentication system or to the internal identity authentication system in the intranet, which authenticates the user identity information and feeds the authentication result back to the authentication center.
Whichever of the above methods is used to authenticate the user identity information included in the access request, if authentication fails, an error prompt message is sent to the target terminal to notify the user that identity authentication has failed. If identity authentication passes and the authentication policy deployed on the edge acceleration server includes only an identity authentication policy, the target user is determined to have passed authentication. If the authentication policy also includes an access authority authentication policy, it must additionally be determined, according to the access authority control policy, whether the user has authority to access the target application. The access authority control policy may specify which user identities can access the target application; for example, some finance-related target applications may be accessible only to finance staff, and some personnel-management target applications only to staff of the human resources department. Alternatively, the access authority control policy may specify an access password for the target application, which may be a password consisting of a character string, an agreed phrase, or the like.
To authenticate the access authority of the target user, the edge acceleration server may instruct the target terminal to display an authority authentication interface that includes one or more authority authentication options. For example, the options may include one or more of employee number, name, contact information, ID card number, and access password. After the user submits the authentication option information in the interface, the target terminal sends it to the edge acceleration server. The edge acceleration server may send the domain name of the target application to the management platform, which, according to that domain name, obtains the access-authority configuration information of the target application from its application configuration information. This configuration information may include user information such as the employee numbers, names, contact information, and ID card numbers of the users permitted to access the target application, and/or the access password of the target application. The management platform sends the access-authority configuration information to the edge acceleration server, which judges whether the target user has permission to access the target application according to that configuration information and the authentication option information submitted by the user.
Alternatively, the management platform may directly send the application configuration information of the target application to the edge acceleration server. The edge acceleration server obtains the access-authority configuration information from the application configuration information and judges on that basis whether the target user has access authority. For example, the application configuration information may include the names of the positions permitted to access the target application, such as an application that may be accessed by finance staff and managers. The user's identity information may include the user's position name, and the edge acceleration server may compare it with the position names configured for the target application. If the user's position name matches, that is, it is one of the position names permitted to access the target application, the user passes the access authority authentication policy; otherwise the user does not.
Alternatively, the edge acceleration server may obtain neither the access-authority configuration information nor the application configuration information of the target application from the management platform. Instead, it determines the connection server associated with the target application and the edge security server managed by that connection server, then forwards the target user's authentication option information via the edge security server and the connection server in turn to the internal identity authentication system in the intranet, which performs authority authentication on the target user's authentication option information and returns the authentication result to the edge acceleration server along the original path.
Because the access authority of the target user is authenticated by any of the above methods, fine-grained access control is implemented at the edge acceleration server through the access authority control policy, which can effectively eliminate the risk of malicious attacks on the target application.
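The decision the edge acceleration server makes in the passage above (identity information present and within its validity period, then, if the application carries an access authority control policy, a position-name allow list or an access password), written out as an added example; this is not code from the patent, and the field names, the constant-time password comparison and the sample users are assumptions of the example:

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AppConfig:
    """Subset of an application's configuration (field names assumed)."""
    domain: str
    has_access_policy: bool = False          # identity-only policy if False
    allowed_positions: frozenset = frozenset()
    access_password: Optional[str] = None    # string password or agreed phrase


@dataclass(frozen=True)
class UserIdentity:
    """User identity information as returned by the identity authentication system."""
    user_id: str
    position: str
    issued_at: float       # seconds since epoch
    ttl_seconds: float     # validity period granted after first authentication

    def within_validity(self, now: float) -> bool:
        return 0 <= now - self.issued_at < self.ttl_seconds


def check_access(app: AppConfig, identity: Optional[UserIdentity],
                 submitted: Dict[str, str], now: float) -> Tuple[bool, str]:
    """Decision for one access request. Returns (allowed, reason).

    A False result with reason 'reauthenticate' means the server should
    redirect the terminal to the identity authentication page; any other
    False reason is the error prompt returned to the terminal.
    """
    # 1. Identity authentication: identity must be present and still valid.
    if identity is None or not identity.within_validity(now):
        return False, "reauthenticate"
    # 2. Identity-only policy: nothing more to check.
    if not app.has_access_policy:
        return True, "identity ok, no access authority policy"
    # 3a. Position-name allow list.
    if identity.position in app.allowed_positions:
        return True, f"position '{identity.position}' permitted"
    # 3b. Access password, compared in constant time so the comparison does
    #     not leak how many leading characters matched.
    pw = submitted.get("access_password")
    if app.access_password is not None and pw is not None and \
            hmac.compare_digest(app.access_password.encode(), pw.encode()):
        return True, "access password accepted"
    return False, "access authority authentication failed"


def demo() -> list:
    """Constructed scenario: a finance application with both policy kinds."""
    oa = AppConfig("oa.companyA.com", True,
                   frozenset({"finance", "manager"}), "s3cret-phrase")
    now = 1_700_000_000.0
    alice = UserIdentity("alice", "finance", now - 60, 3600)     # allowed position
    bob = UserIdentity("bob", "engineer", now - 60, 3600)        # not on the list
    carol = UserIdentity("carol", "manager", now - 7200, 3600)   # identity expired
    return [
        check_access(oa, alice, {}, now)[0],
        check_access(oa, bob, {}, now)[0],
        check_access(oa, bob, {"access_password": "s3cret-phrase"}, now)[0],
        check_access(oa, carol, {}, now)[1],
        check_access(AppConfig("wiki.companyA.com"), bob, {}, now)[0],
    ]


if __name__ == "__main__":
    print(demo())
```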
Referring again to FIG. 2, step 109: the edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
In an exemplary embodiment of the present disclosure, if the address information of the edge security server includes the IP address of the edge security server, the edge acceleration server forwards the access request directly to the edge security server according to that IP address. If the address information includes only the domain name of the edge security server, the edge acceleration server sends a resolution request for that domain name to the domain name server. The domain name server resolves the domain name sent by the edge acceleration server, obtains the IP address of each corresponding edge security server, assembles the obtained IP addresses into an IP list, and returns the IP list to the edge acceleration server. The IP list includes the IP addresses of one or more edge security servers.
The edge acceleration server receives the IP list returned by the domain name server and selects one IP address from it. Specifically, if the IP list contains only one IP address, that address is selected directly. If the IP list contains multiple IP addresses, the IP address of a primary edge security server is selected from them. The edge acceleration server establishes a communication connection with the edge security server corresponding to the selected IP address and then sends the access request to that edge security server.
In other embodiments of the present disclosure, before sending the access request to the edge security server, the edge acceleration server may also perform mutual authentication with the edge security server to further ensure the security of access to the target application. For example, the edge acceleration server sends its own first certificate to the edge security server. The edge security server receives the first certificate and verifies whether it was issued by the CA center it trusts; if so, verification passes, and if not, it may return a warning message to the edge acceleration server indicating that the first certificate is not trustworthy. After verification passes, the edge security server may compare the information in the certificate, such as the domain name and the public key, and if the domain name or public key conforms to the preset information transmission rules, it recognizes the edge acceleration server as legitimate.
The edge acceleration server may also require the edge security server to send its own second certificate. After receiving the second certificate, the edge acceleration server verifies it; if verification fails, the connection is refused, and if it passes, information may be transmitted between the two.
In the embodiment of the present disclosure, mutual authentication is performed between the edge acceleration server and the edge security server in the above manner. If either the first certificate or the second certificate fails authentication, the edge acceleration server does not send the access request to the edge security server, which greatly improves the security of intranet access. The edge acceleration server may also encrypt the access request first and send the encrypted data to the edge security server, to improve the security of data transmission.
Step 110: the edge security server receives the access request for the target application forwarded by the edge acceleration server and determines the target connection server corresponding to the target application.
In an exemplary embodiment of the present disclosure, the edge security server is a relay that links the edge acceleration server to the target application; when the target application is located in an intranet, it links the edge acceleration server to the intranet application. After the edge security server starts, it waits for connections from the edge acceleration server and from the connector in the connection server, and forwards access requests coming from the edge acceleration server.
After receiving the target terminal's access request for the target application forwarded by the edge acceleration server, the edge security server sends the domain name of the target application included in the access request to the management platform. According to that domain name, the management platform obtains the application configuration information of the target application and looks up in it the identification information of the connection server associated with the target application; the connection server associated with the target application is the target connection server. The management platform sends the identification information of the target connection server to the edge security server, which receives it.
In other embodiments of the present disclosure, the edge acceleration server may, during the stage of authenticating the target user, obtain from the management platform the application configuration information of the target application and the server configuration information of the connection server associated with the target application, and forward the access request together with the application configuration information to the edge security server. The edge security server can then obtain locally, from the application configuration information, the identification information of the connection server associated with the target application and determine that this is the identification information of the target connection server.
In yet another exemplary embodiment of the present disclosure, when the edge acceleration server forwards the access request to the edge security server, it may send the application configuration information of the target application corresponding to the access request along with it. The edge security server can then determine the target connection server according to the identification information of the connection server associated with the target application that is included in the application configuration information. It can be understood that the number of target connection servers determined by the edge security server may be one or more.
If there are multiple target connection servers, that is, any number of two or more, one of them may serve as the primary target connection server and the others as secondary target connection servers, so that when the primary target connection server fails or malfunctions, the target application can be accessed through a secondary target connection server.
It can be understood that the target applications associated with the primary and secondary target connection servers should be the same, or the target applications associated with the primary target connection server are included among those associated with the secondary target connection server, or the primary and secondary target connection servers have some associated target applications in common, and so on.
Step 111: the edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
In an exemplary embodiment of the present disclosure, the edge security server, according to the determined identification information of each target connection server, obtains the session connection corresponding to each of them from the locally stored mapping between connection server identification information and sessions, and forwards the access request to each target connection server through its corresponding session connection.
In an exemplary embodiment of the present disclosure, before forwarding the access request to the target connection server, the edge security server may also obtain the health status information of the connection server through the session connection corresponding to it; the health status information includes one or more of the connection server's load status information, network status information, system status information, and disk status information. Specifically, the edge security server sends a health check request to each connection server through the corresponding session connection. After receiving the health check request, the connector in the connection server obtains its own health status information and sends it to the edge security server through the session connection between them.
According to the health status information of each connection server, the edge security server selects from them a connection server that satisfies the preset health conditions. The preset health conditions may include a load below a preset threshold and no abnormality in network, system, or disk status; the preset health conditions may enumerate abnormal conditions of network, system, and disk status, such as network interruption, system resource usage exceeding a preset ratio, or remaining disk space below a preset value. If the edge security server finds multiple connection servers satisfying the preset health conditions, it may select one of them at random or in sequence as the target connection server. After determining the target connection server, the edge security server may forward the access request to the connector in the target connection server through the session connection corresponding to the identification information of the target connection server.
In other embodiments of the present disclosure, the edge security server may also forward the access request to the connector in a connection server by polling. Specifically, a preset polling rule is configured in the edge security server; it specifies the polling order of the target connection servers associated with the target application, and one target connection server is selected from those associated with the target application according to that order. According to the identification information of the selected target connection server, the corresponding session connection is obtained from the mapping between identification information and sessions, and the access request is forwarded to that target connection server through it.
To facilitate understanding of the flow by which the target terminal's access request is sent to the target connection server, it is described below with reference to the accompanying drawings. As shown in FIG. 6, the remote terminal sends an access request to the edge acceleration server that includes the domain name "oa.companyA.com" of the target application to be accessed. According to that domain name, the edge acceleration server obtains from the management platform the application configuration information corresponding to "oa.companyA.com", in which the unique identifier of the bound connector is "12345", and also obtains the server configuration information of connector 12345 from the management platform. Having obtained the application configuration information and the server configuration information, the edge acceleration server sends a resolution request for the edge security server domain name "companyA.connector.com" included in the server configuration information to the domain name server, and receives the IP address "1.1.1.1" of the edge security server returned by the domain name server. The edge acceleration server establishes a communication connection with the edge security server at "1.1.1.1" and sends the access request and the application configuration information to it. The edge security server at "1.1.1.1" obtains the session connection corresponding to the connector from the pre-stored mapping according to the unique connector identifier "12345" included in the application configuration information, and sends the access request over that session connection to connector 12345 in connection server 1 of enterprise A.
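The edge security server side of step 111 and the FIG. 6 walk-through, as an added example that is not code from the patent: connectors dial in and are stored in a connector-id to session mapping, the server filters the application's connectors by the reported health status, then picks one either by polling order or primary-first, and forwards over that session. The health thresholds, the second connector id "67890" and the request shape are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Health:
    """Health status a connector reports in reply to a health check (fields assumed)."""
    load: float            # fraction of capacity, 0.0 .. 1.0
    network_ok: bool
    system_ok: bool
    disk_free_bytes: int


@dataclass
class Session:
    """Stand-in for the long-lived session a connector opened to this server."""
    connector_id: str
    sent: List[dict] = field(default_factory=list)

    def send(self, message: dict) -> None:
        self.sent.append(message)


class EdgeSecurityServer:
    # Preset health conditions (assumed values for the example).
    LOAD_THRESHOLD = 0.8
    MIN_DISK_FREE = 1 << 30  # 1 GiB

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # connector id -> session
        self.health: Dict[str, Health] = {}      # connector id -> last report
        self._cursor: Dict[str, int] = {}        # app domain -> polling position

    def accept_connector(self, connector_id: str) -> Session:
        """A connector dialled in; remember its session under its unique id."""
        session = Session(connector_id)
        self.sessions[connector_id] = session
        return session

    def record_health(self, connector_id: str, report: Health) -> None:
        self.health[connector_id] = report

    def is_healthy(self, connector_id: str) -> bool:
        h = self.health.get(connector_id)
        if h is None:                 # never answered a health check: unusable
            return False
        return (h.load < self.LOAD_THRESHOLD and h.network_ok and h.system_ok
                and h.disk_free_bytes >= self.MIN_DISK_FREE)

    def choose_connector(self, app_config: dict, policy: str = "poll") -> Optional[str]:
        """Keep the app's connectors (configured in polling order, primary first)
        that have a session and pass the health conditions, then pick one:
        'poll' round-robins per application, 'primary' takes the first healthy."""
        candidates = [c for c in app_config["connectors"]
                      if c in self.sessions and self.is_healthy(c)]
        if not candidates:
            return None
        if policy == "primary":
            return candidates[0]
        domain = app_config["domain"]
        i = self._cursor.get(domain, 0)
        self._cursor[domain] = i + 1
        return candidates[i % len(candidates)]

    def forward(self, request: dict, app_config: dict, policy: str = "poll") -> Optional[str]:
        """Send the access request over the chosen connector's session.
        Returns the connector id used, or None when no connector is usable."""
        cid = self.choose_connector(app_config, policy)
        if cid is None:
            return None
        self.sessions[cid].send({"connector": cid, "request": request})
        return cid


def demo() -> List[Optional[str]]:
    """Constructed scenario for oa.companyA.com with connector 12345 and a second one."""
    ess = EdgeSecurityServer()
    app = {"domain": "oa.companyA.com", "connectors": ["12345", "67890"]}
    for cid in app["connectors"]:
        ess.accept_connector(cid)
    fine = Health(0.3, True, True, 8 << 30)
    ess.record_health("12345", fine)
    ess.record_health("67890", fine)
    req = {"host": "oa.companyA.com", "path": "/"}
    out = [ess.forward(req, app), ess.forward(req, app)]           # alternates
    ess.record_health("12345", Health(0.95, True, True, 8 << 30))  # primary overloaded
    out.append(ess.forward(req, app))                              # only 67890 left
    ess.record_health("67890", Health(0.1, False, True, 8 << 30))  # network interrupted
    out.append(ess.forward(req, app))                              # nothing usable
    return out


if __name__ == "__main__":
    print(demo())
```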
Step 112: based on the session connection with the edge security server, if the connection server receives the access request for the target application forwarded by the edge security server, it sends the access request to the target application.
In the embodiment of the present disclosure, the connection server may be configured with a mapping between the domain name and the origin (back-to-source) address of each target application associated with it. Alternatively, the management platform may deliver the origin address or the application configuration information of each target application to the connection server. If the connection server receives an access request for the target application sent by the edge security server through the session connection between them, it looks up the origin address of the target application locally according to the domain name of the target application included in the access request, and forwards the access request to the corresponding target application according to that origin address.
In other embodiments of the present disclosure, the mapping between the domain name and the origin address of the associated target application may not be configured in the connection server. Instead, the edge security server obtains the application configuration information of the target application, which includes the origin address of the target application, from the management platform or the edge acceleration server, and when forwarding the access request to the corresponding connector in the target connection server it may also send the origin address to the connector. The connector forwards the access request to the corresponding target application according to that origin address. The target application responds to the access request and transmits the generated response message to the connection server associated with it.
Step 113: the connection server sends the received request response information to the edge security server; the request response information is fed back by the target application according to the access request.
In an exemplary embodiment of the present disclosure, the target application generates request response information in response to the access request and sends it to the connection server. The connection server then sends the request response information to the edge security server through the session connection between them. The edge security server sends it to the edge acceleration server, which in turn sends it to the target terminal.
In the embodiment of the present disclosure, the transmission protocol of the session connection between the connection server and the edge security server may be an encrypted transmission protocol, so that all data between the connection server and the edge security server is transmitted encrypted, ensuring data security during transmission.
In the embodiment of the present disclosure, multiple connection servers may be associated with the same target application. For that target application, the associated connection servers may include a primary connection server and a standby connection server; when the primary connection server fails, the target terminal's access request for the target application can be received through the session connection corresponding to the standby connection server, or the request response information generated by the target application in response to the access request can be sent through that session connection. A connection server may also include multiple connectors, divided into a primary connector and secondary connectors; after the primary connector fails or reaches its load limit, a secondary connector performs the data transmission.
In addition, the connection server may send its own health status information and the health status information of each connector to the management platform at preset intervals (for example 2 min, 0.5 h, or 1 h). From this information the management platform judges whether the connection server or any connector is abnormal, and if so promptly sends an alarm to the administrators.
To facilitate understanding of the application access process provided by the embodiments of the present disclosure, it is described below with reference to the accompanying drawings. As shown in FIG. 7, connectors 1 and 2 in connection server A and connectors 3 and 4 in connection server B each obtain the IP address of the corresponding edge security server from the domain name server according to the edge security server domain name in their respective configuration information, and then establish a session connection with the edge security server based on the obtained IP address.
The remote user sends an access request to the edge acceleration server; the access request includes the domain name of the target application. The edge acceleration server determines whether the access request includes user identity information that is still within its validity period; if so, identity authentication is deemed passed. If not, the edge acceleration server redirects to the identity authentication page to obtain the identity information of the current user. The edge acceleration server obtains from the management platform the application configuration information of the target application to be accessed and the server configuration information of the connection server associated with that target application. The edge acceleration server authenticates the obtained user identity information according to the identity authentication policy included in the application configuration information. After identity authentication passes, the edge acceleration server sends a domain name resolution request for the edge security server domain name included in the server configuration information to the domain name server and, according to the IP address of the edge security server returned by the domain name server, sends the access request and the application configuration information to that edge security server. As shown in Figure 7, the domain name "A.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "1.1.1.1" and "2.2.2.2"; the edge security server with IP address "1.1.1.1" is the active edge security server and the one with IP address "2.2.2.2" is the standby edge security server. The domain name "B.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "3.3.3.3" and "4.4.4.4"; the edge security server with IP address "3.3.3.3" is the active edge security server and the one with IP address "4.4.4.4" is the standby edge security server.
Assuming the access request is for the target application behind connection server A, the edge acceleration server may send the access request and the application configuration information to the edge security server with IP address "1.1.1.1". The edge security server then sends the access request to connection server A through the session connection with connector 1 or connector 2.
In the embodiments of the present disclosure, the target terminal can access the target application in the intranet without using a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. The target application is published directly to the public network, giving users a better access experience. The edge acceleration server authenticates user identity and access rights, eliminating the risk of malicious attacks. The target application in the intranet can be offered as SaaS without modifying the original network topology. Moreover, capacity can be expanded conveniently by increasing the number of edge acceleration servers and edge security servers, so the scheme can adapt to scenarios with a very large number of target users.
Some other embodiments of the present disclosure provide a method for remotely accessing an application; the method is applied to a connection server. Referring to Figure 8, the method specifically includes the following steps:
Step 201: The connection server obtains address information of at least one edge security server corresponding to the connection server.
In an exemplary embodiment of the present disclosure, the connection server obtains the server configuration information corresponding to the connection server from the management platform. In one example, the connection server obtains the server configuration information directly from the management platform. In another example, the connection server obtains the server configuration information indirectly from the management platform through an intermediary: for example, the management platform delivers the server configuration information of the connection server to a configuration center, and the connection server then obtains it from the configuration center. After obtaining the server configuration information, the connection server obtains from it the address information of at least one edge security server corresponding to the connection server. The address information includes the IP address and/or domain name of the edge security server.
Step 202: The connection server establishes a session connection with the at least one edge security server according to the address information of the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server.
In an exemplary embodiment of the present disclosure, if the address information of the edge security server includes only an IP address, the connection server establishes the session connection with the at least one edge security server according to that IP address. If the address information includes only the domain name of the edge security server, the connection server sends the domain name of the at least one edge security server to the domain name server, receives the IP address corresponding to each domain name returned by the domain name server, and, according to each IP address, sends a connection request to one or more edge security servers; the connection request includes the identification information of the connection server, so as to establish a session connection between the connection server and the one or more edge security servers.
It is worth noting that the session connection is an outbound connection from the connection server to the edge security server, that is, a communication connection initiated outward by the connection server. The connection server rejects any inbound connection request, so that it is protected from malicious attacks by others and the security of the target application is ensured. In one example, the connection server can be configured to reject inbound connection requests, so that, through a firewall, it blocks all inbound requests other than those on the session connection established above.
In one example, the transmission protocol of the session connection is an encrypted transmission protocol, that is, all data transmitted over the session connection is encrypted and transmitted as ciphertext, so as to improve the security of data transmission.
Step 203: Based on the established session connection, if the connection server receives an access request for the target application forwarded by the edge security server, it sends the access request to the target application.
Step 204: The connection server sends the received request response information to the edge security server; the request response information is returned by the target application in response to the access request.
In the embodiments of the present disclosure, the connection servers may include a primary connection server and a secondary connection server, and the secondary connection server is used when the primary connection server fails. Multiple connectors may be deployed in a connection server, including a primary connector and a standby connector associated with the same target application; when the primary connector fails, the access request from the target terminal to the target application is received through the session connection corresponding to the standby connector.
The connection server also sends the health status information of the connectors to the management platform at a preset interval. The health status information includes one or more of the connector's load status information, network status information, system status information and disk status information.
The connection server may also receive a health check request sent by the edge security server through the session connection corresponding to a connector, and send the health status information of that connector to the edge security server through the same session connection.
In the embodiments of the present disclosure, for the specific operational details of the connection server, reference may be made to the operation of the connection server in any of the foregoing embodiments, which will not be repeated here.
In the embodiments of the present disclosure, the connection server establishes a session connection with the edge security server through a connector, and the target terminal accesses the target application through that session connection. No VPN server is needed, which solves the problem that VPN servers are unstable and difficult to maintain. The target application is published directly to the public network, giving users a better access experience. The target application in the intranet can be offered as SaaS without modifying the original network topology.
Some embodiments of the present disclosure provide a method for remotely accessing an application; the method is applied to an edge security server. Referring to Figure 9, the method specifically includes the following steps:
Step 301: The edge security server receives a connection request sent by at least one connection server.
In one example, there may be multiple connection requests, and each connection request includes the identification information of the corresponding connection server.
Step 302: The edge security server establishes a session connection with the at least one connection server according to the connection request.
In one example, the edge security server establishes, according to the multiple connection requests, a session connection with each of the at least one connection server, and associates the identification information of each connection server with the corresponding session connection.
Step 303: The edge security server receives an access request for the target application forwarded by the edge acceleration server, and determines the target connection server corresponding to the target application.
Step 304: The edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
In one example, there may be multiple target connection servers, and the edge security server forwards the access request to each target connection server according to the session connections associated with the identification information of the multiple target connection servers.
Specifically, the edge security server extracts from the application configuration information the identification information of each connection server associated with the target application; according to the identification information of each connection server, obtains from the mapping relationship the session connection corresponding to each connection server; obtains the health status information of each connection server through its corresponding session connection; according to that health status information, selects from these connection servers one target connection server that satisfies a preset health condition; and forwards the access request to the selected target connection server through its corresponding session connection.
In other embodiments of the present disclosure, the edge security server may also forward the access request by a round-robin (polling) mechanism. Specifically, it extracts from the application configuration information the identification information of each connection server associated with the target application; selects one target connection server from these connection servers according to a preset round-robin rule; obtains from the mapping relationship the session connection corresponding to the selected target connection server according to its identification information; and forwards the access request to the target connection server through the obtained session connection.
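The session mapping and the two target-selection variants of step 304 (health-based and round-robin) as an added example in Python; this is not code from the patent or from any product, and the class and field names, the health representation, the load threshold and the sample data are assumptions made for the example.

```python
"""Added example (not code from the patent or from any product): an edge
security server's session table for connectors that dial in over outbound
sessions, with the health-based selection of step 304 and the round-robin
variant. Class and field names, the health thresholds and the sample data
are assumptions made for this example."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional


@dataclass
class Session:
    """One session connection, registered with the connection server's
    identification information (step 302)."""
    connection_server_id: str
    # Constructed health report. The page lists load, network, system and
    # disk status as the health fields; the representation is an assumption.
    load: float = 0.0          # fraction of the connector's load limit
    network_ok: bool = True
    system_ok: bool = True
    disk_ok: bool = True
    forwarded: List[str] = field(default_factory=list)

    def health(self) -> dict:
        """Health check over the session: the edge security server asks and
        the connector answers through the same session connection."""
        return {"load": self.load, "network": self.network_ok,
                "system": self.system_ok, "disk": self.disk_ok}


class EdgeSecurityServer:
    def __init__(self, load_limit: float = 0.9) -> None:
        # Mapping relationship: connection server id -> session connection.
        self.sessions: Dict[str, Session] = {}
        self._rr = count()            # position for the round-robin rule
        self.load_limit = load_limit  # preset health condition (assumed)

    def register(self, session: Session) -> None:
        """Steps 301/302: accept a connection request carrying the connection
        server id and associate that id with the new session."""
        self.sessions[session.connection_server_id] = session

    def _candidates(self, app_config: dict) -> List[Session]:
        # Ids of the connection servers associated with the target
        # application are taken from the application configuration.
        ids = app_config["connection_servers"]
        return [self.sessions[i] for i in ids if i in self.sessions]

    def _meets_health_condition(self, h: dict) -> bool:
        return (h["network"] and h["system"] and h["disk"]
                and h["load"] < self.load_limit)

    def select_by_health(self, app_config: dict) -> Optional[Session]:
        """Step 304, health variant: the first candidate, in configured
        order, whose reported health meets the preset condition. Listing
        the primary connection server first makes the standby take over
        only when the primary is unhealthy or at its load limit."""
        for s in self._candidates(app_config):
            if self._meets_health_condition(s.health()):
                return s
        return None

    def select_round_robin(self, app_config: dict) -> Optional[Session]:
        """Step 304, round-robin variant: rotate over the candidates."""
        cands = self._candidates(app_config)
        if not cands:
            return None
        return cands[next(self._rr) % len(cands)]

    def forward(self, app_config: dict, request: str,
                policy: str = "health") -> Optional[str]:
        """Forward one access request; returns the id of the connection
        server it went to, or None when no session is usable."""
        if policy == "health":
            s = self.select_by_health(app_config)
        else:
            s = self.select_round_robin(app_config)
        if s is None:
            return None
        s.forwarded.append(request)
        return s.connection_server_id
```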
For the specific operational details of the edge security server, reference may be made to the operation of the edge security server in any of the foregoing embodiments, which will not be repeated here.
In the embodiments of the present disclosure, the edge security server establishes a session connection with the connector in the connection server and forwards the access request from the target terminal to the connection server through that session connection, so that the target terminal can access the target application without using a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. The target application in the intranet can be offered as SaaS without modifying the original network topology. Moreover, capacity can be expanded conveniently by increasing the number of edge security servers, so the scheme can adapt to scenarios with a very large number of target users.
Some embodiments of the present disclosure provide a method for remotely accessing an application; the method is applied to an edge acceleration server. Referring to Figure 10, the method specifically includes the following steps:
Step 401: The edge acceleration server receives an access request for the target application sent by the target terminal; the access request includes the domain name of the target application.
Step 402: The edge acceleration server determines, according to the domain name of the target application, the address information of the edge security server corresponding to the domain name of the target application.
In an exemplary embodiment of the present disclosure, before determining the address information of the edge security server corresponding to the domain name of the target application, the edge acceleration server may also detect whether the access request carries the identity information of the target user; according to the detection result, execute on the identity information of the target user the authentication policy corresponding to that detection result, the authentication policy including an identity authentication policy and/or an access right authentication policy; and, if the identity information of the target user passes the authentication policy, determine the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application.
Step 403: The edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
For the specific operational details of the edge acceleration server, reference may be made to the operation of the edge acceleration server in any of the foregoing embodiments, which will not be repeated here.
In the embodiments of the present disclosure, the edge acceleration server authenticates user identity and access rights, eliminating the risk of malicious attacks. The edge acceleration server forwards the access request and the application configuration information to the edge security server, which in turn forwards the access request to the connection server, so that the target terminal can access the target application behind the connection server without using a VPN server; this solves the problem that VPN servers are unstable and difficult to maintain. The target application is published directly to the public network, giving users a better access experience. The target application in the intranet can be offered as SaaS without modifying the original network topology. Moreover, capacity can be expanded conveniently by increasing the number of edge acceleration servers and edge security servers, so the scheme can adapt to scenarios with a very large number of target users.
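Steps 401 to 403 with the identity-validity check, carried through for one request as an added example in Python; this is not code from the patent or from any product. The request and decision shapes, the identity token fields, the resolver stub, the `unreachable` hook and all configuration values other than the Figure 7 domain-to-address mapping are assumptions made for the example.

```python
"""Added example (not code from the patent or from any product): the edge
acceleration server's handling of one access request, steps 401 to 403
together with the identity check described above. The request and decision
shapes, the identity token fields, the resolver and the configuration
values other than those of Figure 7 are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class AccessRequest:
    host: str                        # domain name of the target application
    identity: Optional[dict] = None  # assumed shape: {"user": ..., "expires": ...}


@dataclass
class Decision:
    action: str                        # "forward", "redirect" or "deny"
    target_ip: Optional[str] = None    # edge security server chosen (forward)
    app_config: Optional[dict] = None  # sent along with the request (forward)
    reason: str = ""


# Constructed configuration in the shape the page describes: application
# configuration (domain, associated connection servers, policies) and server
# configuration (edge security server domain per connection server).
APP_CONFIG: Dict[str, dict] = {
    "app.example.internal": {                       # constructed domain
        "connection_servers": ["A"],
        "identity_policy": {"allowed_users": {"alice", "bob"}},
    }
}
SERVER_CONFIG: Dict[str, dict] = {
    "A": {"edge_security_domain": "A.yundun-tunnel.com"},
    "B": {"edge_security_domain": "B.yundun-tunnel.com"},
}
# Figure 7: each edge security domain resolves to an active and a standby
# edge security server, active first.
DNS: Dict[str, List[str]] = {
    "A.yundun-tunnel.com": ["1.1.1.1", "2.2.2.2"],
    "B.yundun-tunnel.com": ["3.3.3.3", "4.4.4.4"],
}


class EdgeAccelerationServer:
    def __init__(self, app_cfg: Dict[str, dict], srv_cfg: Dict[str, dict],
                 resolver: Callable[[str], List[str]],
                 now: Callable[[], float]) -> None:
        self.app_cfg = app_cfg
        self.srv_cfg = srv_cfg
        self.resolver = resolver   # stands in for the domain name server
        self.now = now             # injectable clock for the validity check

    def handle(self, req: AccessRequest,
               unreachable: FrozenSet[str] = frozenset()) -> Decision:
        """Step 401: the request carries the target application's domain.
        `unreachable` is an assumed hook standing in for a failed probe of
        the active edge security server."""
        app = self.app_cfg.get(req.host)
        if app is None:
            return Decision("deny", reason="unknown target application")
        # Identity still within its validity period? Otherwise redirect the
        # user to the identity authentication page.
        ident = req.identity
        if not ident or ident.get("expires", 0) <= self.now():
            return Decision("redirect", reason="identity missing or expired")
        # Identity authentication policy taken from the application config.
        if ident.get("user") not in app["identity_policy"]["allowed_users"]:
            return Decision("deny", reason="identity authentication failed")
        # Step 402: application domain -> associated connection server ->
        # edge security server domain -> IP addresses from the resolver.
        cs_id = app["connection_servers"][0]
        domain = self.srv_cfg[cs_id]["edge_security_domain"]
        for ip in self.resolver(domain):
            if ip not in unreachable:          # active first, then standby
                # Step 403: forward request plus application configuration.
                return Decision("forward", target_ip=ip, app_config=app)
        return Decision("deny", reason="no reachable edge security server")
```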
Some embodiments of the present disclosure provide a method for remotely accessing an application; the method is applied to a management platform. Referring to Figure 11, the method specifically includes the following steps:
Step 501: The management platform generates server configuration information corresponding to the connection server. The server configuration information includes at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server.
Step 502: The management platform generates application configuration information corresponding to the target application. The application configuration information includes at least one of the domain name of the target application, its origin (back-to-source) address, the identification information of the associated connection server, an identity authentication policy and an access control policy.
Step 503: The management platform sends the server configuration information required by the connection server.
Step 504: The management platform sends the application configuration information of the target application required by the edge acceleration server, together with the server configuration information of the connection server associated with the target application.
For the specific operational details of the management platform, reference may be made to the operation of the management platform in any of the foregoing embodiments, which will not be repeated here.
In the embodiments of the present disclosure, the management platform generates the server configuration information of the connection server and the application configuration information of the target application, associating the target application with the connection server. The management platform sends the server configuration information to the connection server, and then sends the application configuration information of the target application required by the edge acceleration server together with the server configuration information of the connection server associated with the target application. The target terminal can access the target application behind the connection server without using a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. The target application in the intranet can be offered as SaaS without modifying the original network topology, capacity can be expanded conveniently, and the scheme can adapt to scenarios with a very large number of target users.
An embodiment of the present disclosure provides a system for remotely accessing an application. Referring to Figure 1, the system includes an edge acceleration server, an edge security server, a management platform and a connection server;
the management platform is configured to generate the application configuration information of the target application and the server configuration information corresponding to the connection server; to send the application configuration information of the target application required by the edge acceleration server together with the server configuration information of the connection server associated with the target application; and to send the server configuration information required by the connection server;
the edge acceleration server is configured to receive the access request for the target application sent by the target terminal, and to send the access request to the corresponding edge security server according to the domain name of the target application included in the access request;
the edge security server is configured to receive the access request sent by the edge acceleration server, and to forward the access request to the corresponding connection server according to the previously established session connection with that connection server;
the connection server is configured to receive the access request sent by the edge security server and to forward the access request to the corresponding target application.
In an exemplary embodiment, the session connection is an outbound connection from the connection server to the edge security server.
In an exemplary embodiment, the system further includes an authentication center, configured to execute an authentication policy on the identity information of the target user according to the identity information of the target user carried in the access request, the authentication policy including an identity authentication policy and/or an access right authentication policy.
The system for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by the application programs it stores.
An embodiment of the present disclosure further provides an apparatus for remotely accessing an application, the apparatus being configured to perform the operations of the connection server in the method for remotely accessing an application provided by any of the above embodiments. Referring to Figure 12, the apparatus includes:
an obtaining module 601, configured to obtain address information of at least one edge security server corresponding to the connection server;
a first session establishment module 602, configured to establish, according to the address information of the at least one edge security server, a session connection with the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server;
a first sending module 603, configured to, based on the session connection, send the access request to the target application if an access request for the target application forwarded by the edge security server is received, and to send the received request response information to the edge security server, the request response information being returned by the target application in response to the access request.
When the above address information is a domain name, the first session establishment module 602 is further configured to send the domain name of the at least one edge security server to the domain name server; to receive the IP address corresponding to the domain name of the at least one edge security server sent by the domain name server; and, according to each IP address, to send a connection request to the at least one edge security server so as to establish a session connection between the connection server and the at least one edge security server, the connection request including the identification information of the connection server so that the at least one edge security server associates the identification information with the corresponding session connection.
The obtaining module 601 is further configured to obtain from the management platform the server configuration information corresponding to the connection server, and to obtain from the server configuration information the address information of the at least one edge security server corresponding to the connection server.
The transmission protocol of the above session connection is an encrypted transmission protocol.
The apparatus for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by the application programs it stores.
An embodiment of the present disclosure further provides an apparatus for remotely accessing an application, the apparatus being configured to perform the operations of the edge security server in the method for remotely accessing an application provided by any of the above embodiments. Referring to Figure 13, the apparatus includes:
a first receiving module 701, configured to receive a connection request sent by at least one connection server;
a second session establishment module 702, configured to establish a session connection with the at least one connection server according to the connection request;
the first receiving module 701 being further configured to receive an access request for the target application forwarded by the edge acceleration server;
a first determining module 703, configured to determine the target connection server corresponding to the target application;
a second sending module 704, configured to forward the access request to the target connection server according to the session connection corresponding to the target connection server.
When there are multiple connection requests, each including the identification information of the corresponding connection server,
the second session establishment module 702 is further configured to establish, according to the multiple connection requests, a session connection with each of the at least one connection server, and to associate each piece of identification information with the corresponding session connection.
When there are multiple target connection servers, the second sending module 704 is further configured to forward the access request to the target connection servers according to the session connections associated with the identification information of the multiple target connection servers.
The apparatus for remotely accessing an application provided by the above embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by the application programs it stores.
本公开实施例还提供一种远程访问应用的装置,该装置用于执行上述任一实施例提供的远程访问应用的方法中边缘加速服务器的操作。参见图14,该装置包括:An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to perform an operation of an edge acceleration server in the method for remotely accessing an application provided in any one of the above embodiments. Referring to Figure 14, the device includes:
第二接收模块801,设置为接收由目标终端发送的针对目标应用的访问请求,访问请求包含目标应用的域名;The second receiving module 801 is configured to receive an access request sent by the target terminal for the target application, where the access request includes the domain name of the target application;
第二确定模块802,设置为根据目标应用的域名,确定与目标应用的域名对应的边缘安全服务器的地址信息;The second determination module 802 is configured to determine the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application;
第三发送模块803,设置为根据边缘安全服务器的地址信息,转发访问请求至边缘安全服务器。The third sending module 803 is configured to forward the access request to the edge security server according to the address information of the edge security server.
第二确定模块802,还设置为检测访问请求中是否携带目标用户的身份信息;根据检测结果,对目标用户的身份信息执行认证策略;若目标用户的身份信息通过认证策略的认证,则根据目标应用的域名,确定与目标应用的域名对应的边缘安全服务器的地址信息。上述认证策略包括身份认证策略和/或访问权限认证策略。The second determination module 802 is also configured to detect whether the access request carries the identity information of the target user; according to the detection result, implement an authentication strategy for the identity information of the target user; if the identity information of the target user passes the authentication of the authentication strategy, then according to the target The domain name of the application determines the address information of the edge security server corresponding to the domain name of the target application. The foregoing authentication policies include identity authentication policies and/or access right authentication policies.
本公开的上述实施例提供的远程访问应用的装置与本公开实施例提供的远程访问应用的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或实现的方法相同的有益效果。The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by its stored applications .
本公开实施例还提供一种远程访问应用的装置,该装置用于执行上述任一实施例提供的远程访问应用的方法中管理平台的操作。参见图15,该装置包括:An embodiment of the present disclosure further provides a device for remotely accessing an application, the device is configured to execute the operations of the management platform in the method for remotely accessing an application provided in any one of the above embodiments. Referring to Figure 15, the device includes:
生成模块901,设置为生成连接服务器对应的服务器配置信息,服务器配置信息至少包括连接服务器的标识信息和与连接服务器对应的边缘安全服务器的地址信息;生成目标应用对应的应用配置信息,应用配置信息包括目标应用的域名、回源地址、相关联的连接服务器的标识信息、身份认证策略以及访问权限控制策略中的至少一种;The generation module 901 is configured to generate server configuration information corresponding to the connection server, the server configuration information at least includes the identification information of the connection server and the address information of the edge security server corresponding to the connection server; generates the application configuration information corresponding to the target application, the application configuration information Including at least one of the domain name of the target application, the return address, the identification information of the associated connection server, the identity authentication policy, and the access control policy;
第四发送模块902,设置为发送连接服务器所需的服务器配置信息;发送边缘加速服务器所需的目标应用的应用配置信息以及与目标应用相关联的连接服务器的服务器配置信息。The fourth sending module 902 is configured to send the server configuration information required by the connection server; send the application configuration information of the target application required by the edge acceleration server and the server configuration information of the connection server associated with the target application.
本公开的上述实施例提供的远程访问应用的装置与本公开实施例提供的远程访问应用的方法出于相同的发明构思,具有与其存储的应用程序所采用、运行或 实现的方法相同的有益效果。The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as the methods adopted, run or implemented by its stored applications .
Embodiments of the present disclosure further provide an electronic device for performing the above method for remotely accessing an application. Referring to FIG. 16, which is a schematic diagram of an electronic device provided by some embodiments of the present disclosure, the electronic device 10 includes a processor 1000, a memory 1001, a bus 1002 and a communication interface 1003; the processor 1000, the communication interface 1003 and the memory 1001 are connected through the bus 1002; the memory 1001 stores a computer program executable on the processor 1000, and when the processor 1000 runs the computer program it performs the method for remotely accessing an application provided by any of the foregoing embodiments of the present disclosure.
The memory 1001 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory. The communication connection between this system network element and at least one other network element is implemented through at least one communication interface 1003 (wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, and so on.
The bus 1002 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. The memory 1001 stores a program; upon receiving an execution instruction, the processor 1000 executes the program, and the method for remotely accessing an application disclosed in any of the foregoing embodiments of the present disclosure may be applied to, or implemented by, the processor 1000.
The processor 1000 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 1000 or by instructions in the form of software. The processor 1000 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present disclosure may be directly embodied as being completed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 1001; the processor 1000 reads the information in the memory 1001 and completes the steps of the above method in combination with its hardware.
The electronic device provided by the embodiments of the present disclosure shares the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method it adopts, runs or implements.
Embodiments of the present disclosure further provide a computer-readable storage medium corresponding to the method for remotely accessing an application provided by the foregoing embodiments. Referring to FIG. 17, the computer-readable storage medium shown is an optical disc 30 on which a computer program (i.e., a program product) is stored; when run by a processor, the computer program performs the method for remotely accessing an application provided by any of the foregoing embodiments.
It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, or other optical or magnetic storage media, which are not enumerated one by one here.
The computer-readable storage medium provided by the above embodiments of the present disclosure shares the same inventive concept as the method for remotely accessing an application provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run or implemented by the application program it stores.
It should be noted that:
In the description provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the present disclosure, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, various features of the disclosure are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed disclosure requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this disclosure.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present disclosure and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The above are only specific embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto; any variation or substitution that can readily be conceived by those skilled in the art within the technical scope disclosed herein shall fall within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be determined by the protection scope of the claims.
Industrial Applicability
In the embodiments of the present disclosure, a connection server is provided and a session connection is established between the connection server and the edge security server, the session connection being an outbound connection from the connection server to the edge security server, so that a target terminal can remotely access a target application without a VPN server, which solves the problem that VPN servers are unstable and difficult to maintain. At the same time, because access requests for the target application forwarded by the edge security server are received over this session connection, no other server ever needs to actively send information to, or establish a connection with, the connection server; this reduces the risk of malicious attack and protects the security of the target application.
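The flow the description above assigns to the four parties (management platform, edge acceleration server, edge security server, connection server), simulated in Python as an added example that is not the applicant's code; every ID, domain, address and token is constructed, and the `auth_center` dict stands in for the authentication center of the system. It shows the property the passage relies on: the connection server refuses inbound connections, and a request reaches it only after the edge acceleration server has applied the identity and access-right policies and the edge security server has found a live outbound session for an associated connection server.

```python
"""Simulation of the four-party remote-access flow described in this patent.
Added illustration, not the applicant's code; all IDs, domains, addresses and
tokens are constructed."""
from dataclasses import dataclass

@dataclass
class ServerConfig:            # generated by the management platform
    connector_id: str          # identification information of the connection server
    edge_security_addr: str    # address of the edge security server it dials out to

@dataclass
class AppConfig:               # generated by the management platform
    domain: str                # domain name of the target application
    origin: str                # back-to-origin address inside the private network
    connector_ids: list        # identification info of the associated connection servers
    identity_policy: set       # users accepted by the identity authentication policy
    access_policy: set         # roles accepted by the access-right control policy

class ConnectionServer:
    """Runs beside the target application and only ever opens outbound sessions."""
    def __init__(self, cfg, apps):
        self.cfg, self.apps = cfg, apps    # apps: origin address -> handler

    def connect_outbound(self, edge_security):
        # The connection request carries this connector's identification so the
        # edge security server can associate the ID with the resulting session.
        edge_security.accept_connection(self.cfg.connector_id, self)

    def accept_inbound(self, src):
        # Nothing listens here: every inbound attempt is refused.
        raise ConnectionRefusedError(f"{self.cfg.connector_id}: no inbound from {src}")

    def handle(self, request):
        # Hand the request to the target application and relay its response back.
        return self.apps[request["origin"]](request)

class EdgeSecurityServer:
    def __init__(self, addr, app_configs):
        self.addr, self.app_configs = addr, app_configs  # app_configs: domain -> AppConfig
        self.sessions = {}             # connector_id -> live outbound session

    def accept_connection(self, connector_id, connector):
        self.sessions[connector_id] = connector

    def forward(self, request):
        app = self.app_configs[request["domain"]]
        # Only connection servers that already hold a session are reachable.
        live = [cid for cid in app.connector_ids if cid in self.sessions]
        if not live:
            return {"status": 503, "body": "no connection server session"}
        return self.sessions[live[0]].handle({**request, "origin": app.origin})

class EdgeAccelerationServer:
    """Public entry point; the user is authenticated before any routing decision."""
    def __init__(self, app_configs, server_configs, edge_security_servers, auth_center):
        self.app_configs = app_configs                      # domain -> AppConfig
        self.server_configs = server_configs                # connector_id -> ServerConfig
        self.edge_security_servers = edge_security_servers  # addr -> EdgeSecurityServer
        self.auth_center = auth_center                      # token -> identity information

    def handle(self, request):
        app = self.app_configs.get(request["domain"])
        if app is None:
            return {"status": 404, "body": "unknown application"}
        # Detect whether the request carries identity information at all.
        identity = self.auth_center.get(request.get("user_token"))
        if identity is None:
            return {"status": 401, "body": "authentication required"}
        # Identity policy, then access-right policy, both before any forwarding.
        if identity["user"] not in app.identity_policy:
            return {"status": 403, "body": "denied by identity authentication policy"}
        if identity["role"] not in app.access_policy:
            return {"status": 403, "body": "denied by access-right control policy"}
        # Only now resolve the edge security server: domain -> associated connector
        # -> that connector's server configuration -> edge security server address.
        addr = self.server_configs[app.connector_ids[0]].edge_security_addr
        return self.edge_security_servers[addr].forward(
            {"domain": app.domain, "user": identity["user"]})

def build_demo():
    """Constructed deployment: one app, two associated connectors, only one dialled in."""
    servers = {"connector-A": ServerConfig("connector-A", "edge-sec-1.example"),
               "connector-B": ServerConfig("connector-B", "edge-sec-1.example")}
    apps = {"intranet.example": AppConfig("intranet.example", "10.0.0.5:8080",
                                          ["connector-A", "connector-B"],
                                          {"alice", "bob"}, {"staff"})}

    def intranet_app(req):     # stand-in for the private target application
        return {"status": 200, "body": f"hello {req['user']} at {req['origin']}"}

    edge_sec = EdgeSecurityServer("edge-sec-1.example", apps)
    conn_a = ConnectionServer(servers["connector-A"], {"10.0.0.5:8080": intranet_app})
    conn_a.connect_outbound(edge_sec)  # connector-B is configured but never dials in
    auth_center = {"tok-alice": {"user": "alice", "role": "staff"},
                   "tok-eve": {"user": "eve", "role": "staff"},
                   "tok-bob": {"user": "bob", "role": "contractor"}}
    return EdgeAccelerationServer(apps, servers, {edge_sec.addr: edge_sec}, auth_center), conn_a
```

`build_demo()` returns the public edge acceleration server and the dialled-in connector; call `handle` on the former with a `domain` and `user_token` to walk one request through the chain.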

Claims (20)

  1. A method for remotely accessing an application, applied to a connection server associated with at least one target application, comprising:
    acquiring address information of at least one edge security server corresponding to the connection server;
    establishing, according to the address information of the at least one edge security server, a session connection with the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server;
    if an access request for a target application forwarded by an edge security server is received over the session connection, sending the access request to the target application; and
    sending received request response information to the edge security server, the request response information being fed back by the target application in response to the access request.
  2. The method according to claim 1, wherein the address information is a domain name, and establishing the session connection with the at least one edge security server according to the address information of the at least one edge security server comprises:
    sending a domain name resolution request for the at least one edge security server to a domain name server;
    receiving, from the domain name server, the IP address corresponding to the domain name of the at least one edge security server; and
    sending, according to the at least one IP address, a connection request to each of the at least one edge security server to establish the session connection between the connection server and the at least one edge security server, the connection request containing identification information of the connection server so that the at least one edge security server associates the identification information with the corresponding session connection.
  3. The method according to claim 1, wherein acquiring the address information of the at least one edge security server corresponding to the connection server comprises:
    acquiring server configuration information corresponding to the connection server from a management platform; and
    acquiring the address information of the at least one edge security server corresponding to the connection server from the server configuration information.
  4. The method according to claim 1, wherein the transport protocol of the session connection is an encrypted transport protocol;
    and/or
    the session connection is established on port 443.
  5. A method for remotely accessing an application, applied to an edge security server, comprising:
    receiving a connection request sent by at least one connection server;
    establishing a session connection with the at least one connection server according to the connection request;
    receiving an access request for a target application forwarded by an edge acceleration server, and determining the target connection server corresponding to the target application; and
    forwarding the access request to the target connection server over the session connection corresponding to the target connection server.
  6. The method according to claim 5, wherein there are multiple connection requests, each containing identification information of the corresponding connection server; and
    establishing the session connection with the at least one connection server according to the connection request comprises:
    establishing, according to the multiple connection requests, a session connection with each of the at least one connection server, and associating each piece of identification information with the corresponding session connection.
  7. The method according to claim 5, wherein there are multiple target connection servers, and forwarding the access request to the target connection server over the session connection corresponding to the target connection server comprises:
    forwarding the access request to the target connection servers over the session connections associated with the identification information of the multiple target connection servers.
  8. A method for remotely accessing an application, applied to an edge acceleration server, comprising:
    receiving an access request for a target application sent by a target terminal, the access request including the domain name of the target application;
    determining, according to the domain name of the target application, address information of the edge security server corresponding to the domain name; and
    forwarding the access request to the edge security server according to the address information of the edge security server.
  9. The method according to claim 8, wherein determining, according to the domain name of the target application, the address information of the edge security server corresponding to the domain name comprises:
    detecting whether the access request carries identity information of a target user;
    applying, according to the detection result, an authentication policy corresponding to the detection result to the identity information of the target user; and
    if the identity information of the target user passes the authentication policy, determining, according to the domain name of the target application, the address information of the edge security server corresponding to the domain name.
  10. The method according to claim 9, wherein the authentication policy comprises an identity authentication policy and/or an access-right authentication policy.
  11. A method for remotely accessing an application, applied to a management platform, comprising:
    generating server configuration information corresponding to a connection server, the server configuration information including at least identification information of the connection server and address information of the edge security server corresponding to the connection server;
    generating application configuration information corresponding to a target application, the application configuration information including at least one of the domain name of the target application, a back-to-origin address, identification information of the associated connection server, an identity authentication policy, and an access-right control policy;
    sending the server configuration information required by the connection server; and
    sending the application configuration information of the target application and the server configuration information of the connection server associated with the target application that are required by the edge acceleration server.
  12. A system for remotely accessing an application, comprising a management platform, an edge acceleration server, an edge security server and a connection server, wherein:
    the management platform is configured to generate application configuration information of a target application and server configuration information corresponding to the connection server; to send to the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application; and to send to the connection server the server configuration information it requires;
    the edge acceleration server is configured to receive an access request for the target application sent by a target terminal, and to send the access request to the corresponding edge security server according to the domain name of the target application contained in the access request;
    the edge security server is configured to receive the access request sent by the edge acceleration server, and to forward the access request to the corresponding connection server over a previously established session connection with the connection server; and
    the connection server is configured to receive the access request sent by the edge security server and to forward the access request to the corresponding target application.
  13. The system according to claim 12, wherein the session connection is an outbound connection from the connection server to the edge security server.
  14. The system according to claim 12, further comprising:
    an authentication center configured to acquire identity information of a target user according to identification information of the target user carried in the access request, so that the edge acceleration server authenticates the target user according to the identity information of the target user and an authentication policy, the authentication policy comprising an identity authentication policy and/or an access-right authentication policy.
  15. An apparatus for remotely accessing an application, applied to a connection server, comprising:
    an acquiring module configured to acquire address information of at least one edge security server corresponding to the connection server;
    a session-establishing module configured to establish, according to the address information of the at least one edge security server, a session connection with the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server; and
    a sending module configured to, if an access request for a target application forwarded by an edge security server is received over the session connection, send the access request to the target application, and to send received request response information to the edge security server, the request response information being fed back by the target application in response to the access request.
  16. An apparatus for remotely accessing an application, applied to an edge security server, comprising:
    a receiving module configured to receive a connection request sent by at least one connection server;
    a session-establishing module configured to establish a session connection with the at least one connection server according to the connection request;
    the receiving module being further configured to receive an access request for a target application forwarded by an edge acceleration server;
    a determining module configured to determine the target connection server corresponding to the target application; and
    a sending module configured to forward the access request to the target connection server over the session connection corresponding to the target connection server.
  17. An apparatus for remotely accessing an application, applied to an edge acceleration server, comprising:
    a receiving module configured to receive an access request for a target application sent by a target terminal, the access request including the domain name of the target application;
    a determining module configured to determine, according to the domain name of the target application, address information of the edge security server corresponding to the domain name; and
    a sending module configured to forward the access request to the edge security server according to the address information of the edge security server.
  18. An apparatus for remotely accessing an application, applied to a management platform, comprising:
    a generating module configured to generate server configuration information corresponding to a connection server, the server configuration information including at least identification information of the connection server and address information of the edge security server corresponding to the connection server; and to generate application configuration information corresponding to a target application, the application configuration information including at least one of the domain name of the target application, a back-to-origin address, identification information of the associated connection server, an identity authentication policy, and an access-right control policy; and
    a sending module configured to send the server configuration information required by the connection server, and to send the application configuration information of the target application and the server configuration information of the connection server associated with the target application that are required by the edge acceleration server.
  19. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor runs the computer program to implement the method according to any one of claims 1 to 11.
  20. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method according to any one of claims 1 to 11.
PCT/CN2022/094195 2021-05-28 2022-05-20 Method, system and apparatus for remotely accessing application, device, and storage medium WO2022247751A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110595342.2 2021-05-28
CN202110595342.2A CN113341798A (en) 2021-05-28 2021-05-28 Method, system, device, equipment and storage medium for remotely accessing application

Publications (1)

Publication Number Publication Date
WO2022247751A1 true WO2022247751A1 (en) 2022-12-01

Family

ID=77472088

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/094195 WO2022247751A1 (en) 2021-05-28 2022-05-20 Method, system and apparatus for remotely accessing application, device, and storage medium

Country Status (2)

Country Link
CN (2) CN113341798A (en)
WO (1) WO2022247751A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113341798A (en) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for remotely accessing application
CN113872933B (en) * 2021-08-20 2023-05-26 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for hiding source station
CN113890864A (en) * 2021-10-19 2022-01-04 京东科技信息技术有限公司 Data packet processing method and device, electronic equipment and storage medium
CN114640672A (en) * 2022-02-11 2022-06-17 网宿科技股份有限公司 Method, device and system for remotely accessing edge device
CN115297179B (en) * 2022-07-25 2024-03-08 天翼云科技有限公司 Data transmission method and device
CN115065559B (en) * 2022-08-15 2022-12-27 浙江毫微米科技有限公司 Identity authentication system, method and device, electronic equipment and storage medium
CN115834513A (en) * 2022-11-23 2023-03-21 中国联合网络通信集团有限公司 Remote access method, device and storage medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN103117907A (en) * 2013-03-11 2013-05-22 星云融创(北京)信息技术有限公司 Network speed test method and system and method and system for selecting accelerating server
US20140149552A1 (en) * 2012-11-26 2014-05-29 Go Daddy Operating Company, LLC Dns overriding-based methods of accelerating content delivery
CN106302512A (en) * 2016-09-05 2017-01-04 上海云盾信息技术有限公司 A kind of for controlling method, equipment and the system accessed
CN109417536A (en) * 2016-04-15 2019-03-01 高通股份有限公司 For managing the technology of the transmission of secure content in content delivery network
CN112256308A (en) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 Target application updating method and device
CN113341798A (en) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for remotely accessing application

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN101488945B (en) * 2008-01-14 2012-09-19 北京大唐高鸿数据网络技术有限公司 Authentication method oriented to SIP
US9614870B2 (en) * 2014-06-04 2017-04-04 Aaa Internet Publishing Inc. Method of DDoS and hacking protection for internet-based servers using a private network of internet servers by executing computer-executable instructions stored on a non-transitory computer-readable medium
CN110392073B (en) * 2018-04-19 2022-02-18 贵州白山云科技股份有限公司 Scheduling method and device based on dynamic acceleration
CN109151512A (en) * 2018-09-12 2019-01-04 中国联合网络通信集团有限公司 The method and device of content is obtained in CDN network
CN110677683B (en) * 2019-09-30 2022-03-04 北京奇艺世纪科技有限公司 Video storage and video access method and distributed storage and video access system

Also Published As

Publication number Publication date
CN114995214A (en) 2022-09-02
CN113341798A (en) 2021-09-03

Similar Documents

Publication Publication Date Title
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US11647003B2 (en) Concealing internal applications that are accessed over a network
US8782765B2 (en) Techniques for environment single sign on
US8897299B2 (en) Method and systems for routing packets from a gateway to an endpoint
US11394703B2 (en) Methods for facilitating federated single sign-on (SSO) for internal web applications and devices thereof
US9781096B2 (en) System and method for out-of-band application authentication
US8769128B2 (en) Method for extranet security
US9578005B2 (en) Authentication server enhancements
US9204345B1 (en) Socially-aware cloud control of network devices
US10911485B2 (en) Providing cross site request forgery protection at an edge server
US9246906B1 (en) Methods for providing secure access to network resources and devices thereof
WO2016171735A1 (en) Secure in-band service detection
WO2023020606A1 (en) Method, system and apparatus for hiding source station, and device and storage medium
JP2018502394A (en) Computer-readable storage medium for legacy integration and method and system for using the same
CN111049946A (en) Portal authentication method, Portal authentication system, electronic equipment and storage medium
US11888851B2 (en) Identity proxy and access gateway
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
US10931662B1 (en) Methods for ephemeral authentication screening and devices thereof
JP6185934B2 (en) Integrate server applications with many authentication providers
CN115150170B (en) Security policy configuration method, device, electronic equipment and storage medium
US11683309B2 (en) Nonce-based enterprise security policy enforcement
CN116418539A (en) Identity authentication method, system, device, equipment and storage medium
CN116668181A (en) Intranet access method, electronic equipment and storage medium
CN115130116A (en) Business resource access method, device, equipment, readable storage medium and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 22810478; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)