CN109067914B - web service proxy method, device, equipment and storage medium - Google Patents
- Publication number: CN109067914B (application number CN201811100480.3A)
- Authority: CN (China)
- Prior art keywords: request, http request, address, url, access response
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L67/56—Provisioning of proxy services
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/148—Migration or transfer of sessions
Abstract
The embodiment of the invention discloses a proxy method, a proxy device, proxy equipment and a proxy storage medium for Web services. The method comprises the following steps: receiving an access request sent by a client; if the access request is determined to be a hyperlink request, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new access request; receiving the new access request sent by the client, and forwarding the new access request to a corresponding server; and receiving an access response corresponding to the new access request returned by the server, and returning the access response to the client. The technical scheme can solve the hyperlink jumping problem when the proxy gateway proxies the Web service in a general mode, and can simplify the development and configuration of the proxy gateway.
Description
Technical Field
The embodiment of the invention relates to the technical field of computer networks, in particular to a proxy method, a proxy device, proxy equipment and a storage medium for Web services.
Background
In the reverse proxy mode, a proxy server receives a connection request on the Internet, forwards the request to a server on an internal network, and returns the result obtained from that server to the client requesting the connection on the Internet.
Common reverse proxies include Nginx, HAProxy, OpenResty and Kong. Nginx and HAProxy alone have limited extensibility; OpenResty, which is based on Nginx, uses the Lua scripting language to provide dynamic extension; and Kong further builds an API gateway framework on top of OpenResty, so that a dynamic gateway can be conveniently established. However, Kong is only an API gateway: it only proxies RESTful API requests and lacks support for proxying Web services.
Web services on the cloud often need to be aggregated and exposed to users through a unified portal, which requires a reverse proxy gateway to proxy the Web services. Proxying Web services suffers from a number of problems, particularly with regard to hyperlink jumps.
Web services typically return html pages to the user's browser, and these pages may contain multiple hyperlinks. If the reverse proxy modifies the uri (uniform resource identifier) of a hyperlink while proxying a Web service, the request made when the user clicks the hyperlink may fail. A proxy gateway that aggregates Web services modifies the external-to-internal address mapping of the url when forwarding an http request to the backend service, and therefore needs to process the hyperlinks in the access response returned by the backend service accordingly to avoid hyperlink request failures. At present, a common proxy gateway processing mode is to modify the html returned to the client in Nginx, OpenResty or Kong, changing each hyperlink address in the html into the corresponding address on the proxy gateway. However, because hyperlinks take various forms, the rules by which the proxy gateway modifies them also take various forms, and this processing mode is difficult to generalize.
Disclosure of Invention
Embodiments of the present invention provide a proxy method, apparatus, device and storage medium for a Web service, so as to solve problems occurring in a proxy Web service aggregation process of a proxy gateway, thereby simplifying development and configuration of a Web service aggregation proxy gateway.
In a first aspect, an embodiment of the present invention provides a method for proxying a Web service, including:
receiving an access request sent by a client;
if the access request is determined to be a hyperlink request, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new access request;
receiving the new access request sent by the client, and forwarding the new access request to a corresponding server;
and receiving an access response corresponding to the new access request returned by the server, and returning the access response to the client.
In a second aspect, an embodiment of the present invention further provides a proxy apparatus for a Web service, including:
the request receiving module is used for receiving an access request sent by a client;
the redirection module is used for redirecting the address of the hyperlink request and returning the redirected address to the client to enable the client to generate a new access request if the access request is determined to be the hyperlink request;
the forwarding module is used for receiving the new access request sent by the client and forwarding the new access request to a corresponding server;
and the feedback module is used for receiving an access response corresponding to the new access request returned by the server and returning the access response to the client.
In a third aspect, an embodiment of the present invention further provides an apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the proxy method for a Web service provided in any embodiment of the present invention when executing the program.
In a fourth aspect, the embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements a proxy method for a Web service as provided in any of the embodiments of the present invention.
According to the proxy method, device, equipment and storage medium for Web services provided by the embodiment of the invention, the access request is judged after the access request sent by the client is received, and when the access request is a hyperlink request, the hyperlink request is redirected, so that the client generates an access request which can be directly forwarded by the proxy gateway. In the technical scheme, the proxy gateway performs universal processing when receiving the access request of the client, and when forwarding the access response returned by the server to the client it forwards the response directly, without modifying the hyperlink addresses in the returned html one by one, so that the problem of hyperlink jump in proxy Web service can be solved in a universal mode, and the development and configuration of the proxy gateway can be simplified.
Drawings
Fig. 1 is a flowchart of a method for proxy of a Web service according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method for proxy of a Web service according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a proxy method for a Web service according to a third embodiment of the present invention;
Fig. 4 is a flowchart of a method for proxy of a Web service according to a fourth embodiment of the present invention;
Fig. 5 is a flow chart of a method for directional shunting according to an embodiment of the present invention;
Fig. 6 is a flowchart of a method for security authentication according to an embodiment of the present invention;
Fig. 7 is a flowchart of a method for proxying tcp/udp requests according to an embodiment of the present invention;
Fig. 8 is a flow diagram of a session association implementation provided by an embodiment of the present invention;
Fig. 9 is a flow chart of a request retry method provided by an embodiment of the invention;
Fig. 10 is a flowchart of a method of example mobility provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a proxy apparatus for a Web service in a fifth embodiment of the present invention;
Fig. 12 is a schematic hardware configuration diagram of an apparatus in the sixth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example One
Fig. 1 is a flowchart of a proxy method for a Web service according to an embodiment of the present invention, which is applicable to processing a hyperlink jump problem when a reverse proxy gateway proxies the Web service, and the method can be executed by a proxy device for a Web service according to an embodiment of the present invention, the proxy device can be implemented in a software and/or hardware manner, and can be generally integrated in a proxy server in a cloud, and the proxy server can specifically be a KONG-based reverse proxy server.
The basic mode of the KONG proxy gateway for proxy Web service is that a connection request on the Internet sent by a user at a client is received, the connection request is forwarded to a back-end service inside a cloud, and after a resource returned by the back-end service is obtained, the corresponding resource is forwarded to the user of the corresponding client. In the process of KONG proxy Web service, the problem of whether the hyperlink can jump correctly is involved, and in order to solve the problem, as shown in fig. 1, the method of this embodiment specifically includes:
S110, receiving an access request sent by the client.
Specifically, the access request may be an http (hypertext transfer protocol) request, which refers to a request message from the client to the server, and when the browser sends a request to the Web server, it transmits a data block, that is, request information, to the Web server, where the http request information mainly includes two parts: a request header (including the request method and uri protocol/version) and a request body.
The access request can be classified as a hyperlink request or a non-hyperlink request according to whether it is based on a hyperlink from another access request. A hyperlink request is an http request that originates from a hyperlink in an html page; correspondingly, a non-hyperlink request has no hyperlink relation with any html page.
S120, if the access request is determined to be the hyperlink request, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new access request.
A hyperlink is essentially part of a web page: it is an element that connects the page to other web pages or sites, and thus involves the problem of address jump. If the KONG proxy gateway judges that the access request is a hyperlink request after receiving the access request sent by the client, it cannot directly forward the access request to a corresponding back-end server to acquire the corresponding resource. The request address of the access request needs to be redirected, and the access request after the address redirection is one that the KONG proxy gateway can forward directly.
Before judging whether the http request is a hyperlink request, the KONG proxy gateway can also match the http request against the APIs pre-configured in the KONG proxy gateway. If the http request is successfully matched with a pre-configured API, that is, the uri of the http request matches the pre-configured API, the KONG proxy gateway can directly forward the http request to the address of the internal back-end service pointed to by the matching API so as to obtain the corresponding resource returned by the back-end service.
An API is an entity in the KONG proxy gateway, that is, a matching rule. For example, the following configuration is an API in the KONG proxy gateway.
{
"name":"my-api",
"upstream_url":"http://my-api.com",
"hosts":["example.com","service.com"],
"uris":["/foo","/bar"],
"methods":["GET"]
}
Take the http request "curl -XGET --header 'HOST: example.com' 'http://KONG:8000/foo'" as an example (curl is used to send an http request). The http request is first sent to the KONG proxy gateway; the uri of the http request is /foo, HOST is set in the http header to example.com, and the request method is GET, which exactly matches the "uris", "hosts", and "methods" in the API. After determining that the http request is successfully matched with the API, the KONG proxy gateway forwards the http request to the address http://my-api.com pointed to by "upstream_url" in the API, which is usually the address of a back-end service; that is, the KONG proxy gateway forwards the http request to the corresponding back-end service for processing.
If the KONG proxy gateway determines that the http request cannot be successfully matched with any pre-configured API, it judges whether the http request is a hyperlink request. If the http request is determined to be a non-hyperlink request, the request can only be judged as failed, and no resource returned by the back-end service is acquired. If the http request is determined to be a hyperlink request, the address of the hyperlink request is redirected.
As an optional implementation manner of this embodiment, when the access request is an http request, if it is determined that the access request is a hyperlink request, the address of the hyperlink request may be redirected, specifically:
If it is determined that no application program interface (API) matching the http request exists, judge whether the header of the http request includes an http Referer field; if so, determine the http request to be a hyperlink request; then determine a new url according to the uniform resource locator (url) in the http request and the url in the http request received last time, and take the new url as the redirected url.
The header of an http request usually includes an http Referer field, which indicates that the http request comes from a hyperlink on the page identified by that field. The KONG proxy gateway can therefore determine whether the http request is a hyperlink request according to whether the request header includes the http Referer field. After the http request is determined to be a hyperlink request, the address of the hyperlink request is redirected by modifying its url: the url is modified according to the url of the hyperlink request and the url in the http request sent by the same client that the KONG proxy gateway received last time (namely the url of the page from which the hyperlink request originates), so that the modified url points to the address of the hyperlink request by way of the address of its source page.
Specifically, determining a new url according to the url in the http request and the url in the http request received last time includes:
determining a new url according to the url in the http request and the url stored in the http Referer field contained in the http request header.
The url stored in the http Referer field of the http request header is the url in the http request sent by the same client that the KONG proxy gateway received last time, namely the url of the page from which the hyperlink request originates. The url stored in the http Referer field and the url in the http request are spliced together to form the redirected url (new url). The KONG proxy gateway then returns a 307 redirection message to the client (a 307 redirection indicates that the client request has not been processed, and the client should re-initiate the request based on the new url). After receiving the 307 redirection message, the client generates a new access request based on the received new url and sends it to the KONG proxy gateway.
For example, the url in the http request is http://172.16.3.234:8000/assets/images/bg.jpg, where http://172.16.3.234:8000 is the url address of the KONG proxy gateway, and the url stored in the http Referer field in the header of the http request is http://172.16.3.234:8000/ignitor, which is the url of the page from which the http request originates.
The KONG proxy gateway redirects the url in the http request, modifying its url "http://172.16.3.234:8000/assets/images/bg.jpg" to:
"http://172.16.3.234:8000/ignitor/assets/images/bg.jpg".
In essence, the modification adds the uri '/ignitor' from the url stored in the http Referer field to the url in the http request. '/ignitor' is the uri with which the client last accessed the KONG proxy gateway, and the KONG proxy gateway has an API matching this uri, so that the url address of the KONG proxy gateway, the uri '/ignitor' of the last access to the KONG proxy gateway and the uri '/assets/images/bg.
S130, receiving a new access request sent by the client, and forwarding the new access request to the corresponding server.
The server provides the back-end service; forwarding the request to the corresponding server is equivalent to forwarding it to the corresponding back-end service, so as to acquire the resource returned by that back-end service.
The KONG proxy gateway receives a new http request initiated by the client based on the new url. The new http request can be matched with a pre-configured API, and the KONG proxy gateway can forward it to the address of the back-end service pointed to by the matched API, so that the corresponding back-end service processes it.
S140, receiving an access response corresponding to the new access request returned by the server, and returning the access response to the client.
After receiving the new http request, the server performs the corresponding Web service processing and returns, through the KONG proxy gateway, an access response corresponding to the new http request, specifically the response resource corresponding to the new http request. The access response also takes the form of a response header plus a response body.
In the proxy method for Web services provided by this embodiment, the KONG proxy gateway examines the http request sent by a client. If the http request can be matched with a preconfigured API, it is forwarded directly to the corresponding backend service. If it cannot be matched with a preconfigured API and the access request is a hyperlink request, the hyperlink request is redirected so that the client generates a new http request that can be forwarded directly. In the technical scheme, the KONG proxy gateway performs universal processing when receiving the access request of the client, and when the access response returned by the server is forwarded to the client, the KONG proxy gateway forwards it directly without modifying the hyperlink addresses in the returned html one by one, so that the problem of hyperlink jump during proxy Web service can be solved in a universal mode, and the development and configuration of the proxy gateway can be simplified.
Example Two
Fig. 2 is a flowchart of a proxy method for Web services according to a second embodiment of the present invention, which is embodied based on the foregoing embodiment, and as shown in fig. 2, the method of the present embodiment specifically includes:
S210, the KONG proxy gateway receives the http request sent by the client.
S220, the KONG proxy gateway judges whether an API matching the http request exists; if not, S230 is executed, and if so, S270 is executed.
S230, the KONG proxy gateway judges whether the http request header includes an http Referer field; if so, S240 is executed, and if not, S290 is executed.
S240, the KONG proxy gateway determines the redirected url according to the url in the http request and the url stored in the http Referer field contained in the http request header.
S250, the KONG proxy gateway returns the redirected url to the client so that the client generates a new http request.
The client generates a new http request based on the redirected url, and an API matching the new http request exists in the KONG proxy gateway. This is described in detail in the foregoing embodiment and is not repeated here.
S260, the KONG proxy gateway receives the new http request sent by the client.
S270, the KONG proxy gateway forwards the http request to the server corresponding to the matched API.
S280, the KONG proxy gateway receives the resource corresponding to the http request returned by the server and returns the resource to the client.
S290, the KONG proxy gateway determines that the http request has failed and returns a request failure prompt to the client.
For details not described in this embodiment, refer to the previous embodiments.
In the technical scheme, the KONG proxy gateway realizes the redirection of the hyperlink request by using the http Referer field contained in the http request header, so that the hyperlink jumping problem involved in the proxy Web service is solved, and the development and configuration of the KONG proxy gateway are simplified.
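The decision flow S210 to S290 of Examples One and Two, modelled as an added Python example (not code from the patent or from Kong). The API table, the upstream address and the function names are constructed for illustration; the matcher is simplified to uri prefix and method; and the example generalizes the page's case by prepending the API uri matched by the Referer path. Because the Referer header is supplied by the client, the example also assumes two checks the page does not describe: the Referer must be a gateway page, and the redirect target must match a configured API.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

GATEWAY = "http://172.16.3.234:8000"  # gateway address used in the page's example
TEMPORARY_REDIRECT = 307

# Constructed API table: "/ignitor" is the uri from the page's example,
# the upstream address is a placeholder.
APIS = [
    {"name": "ignitor", "upstream_url": "http://ignitor.internal:8080",
     "uris": ["/ignitor"], "methods": ["GET"]},
]


def match_api(path, method=None, apis=APIS):
    """Simplified matcher: uri prefix plus optional method (hosts omitted).

    Returns (api, matched_uri) or (None, None).
    """
    for api in apis:
        if method is not None and method not in api["methods"]:
            continue
        for uri in api["uris"]:
            base = uri.rstrip("/")
            if path == base or path.startswith(base + "/"):
                return api, base
    return None, None


def handle_request(method, url, headers, apis=APIS, gateway=GATEWAY):
    """Return ("forward", upstream), ("redirect", 307, url) or ("fail", why)."""
    req = urlsplit(url)
    gw = urlsplit(gateway)

    # S220 / S270: a request that matches an API is forwarded as is.
    api, _ = match_api(req.path, method, apis)
    if api is not None:
        return ("forward", api["upstream_url"])

    # S230 / S290: without a Referer this is a non-hyperlink request.
    referer = headers.get("Referer")
    if not referer:
        return ("fail", "no matching API and no Referer")

    # Added check (assumption): only a page served through this gateway
    # may act as the source page of a hyperlink request.
    ref = urlsplit(referer)
    if (ref.scheme, ref.netloc) != (gw.scheme, gw.netloc):
        return ("fail", "Referer is not a gateway page")

    # S240: the uri under which the source page was reached is the prefix.
    _, prefix = match_api(ref.path, None, apis)
    if prefix is None:
        return ("fail", "Referer page matches no API")

    # Added check (assumption): refuse dot-segments, which could move the
    # spliced path back out of the matched prefix.
    if ".." in unquote(req.path).split("/"):
        return ("fail", "dot-segment in request path")

    new_path = prefix + req.path
    # The page states that the new request matches an API; verify it so the
    # client is never sent into a redirect that fails again.
    if match_api(new_path, method, apis)[0] is None:
        return ("fail", "redirect target matches no API")

    # S250: always redirect to the gateway's own origin.
    new_url = urlunsplit((gw.scheme, gw.netloc, new_path, req.query, ""))
    return ("redirect", TEMPORARY_REDIRECT, new_url)
```
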
Example Three
On the basis of the foregoing embodiment, the proxy method for Web services provided by this embodiment further includes: if the address in the target access response is determined to be the internal address of the server, mapping the internal address to an external address accessible by the client, wherein the target access response is an access response corresponding to the hyperlink request or the non-hyperlink request.
When proxying Web services, the KONG proxy gateway faces the problem of internal-to-external address translation, where internal addresses are the internal addresses of backend services and external addresses are addresses accessible to clients. Especially in a containerized cloud, access between backend services often uses internal addresses. Once exposed to the client, these internal addresses are effectively invalid for the client, because the client communicates directly with the KONG proxy gateway rather than with the backend services behind it.
One of the most common application scenarios is the Central Authentication Service (CAS), a single sign-on protocol for the world wide web that aims to allow a user to access multiple applications while providing credentials (e.g., username and password) only once.
When single sign-on is carried out on the CAS, the back-end service needs to transmit the service address to other back-end services in a callback mode, the jump between the back-end services is completed in a redirection mode, and the service addresses cannot be external addresses accessible to clients, so that the clients cannot access the addresses.
In order to solve the above problem, the proxy method for Web services provided in this embodiment may further map the internal address into an external address accessible by the client when the address in the target access response corresponding to the access request is the internal address of the server.
As an optional implementation manner of this embodiment, if it is determined that the address in the target access response is the server internal address, the internal address may be mapped to an external address accessible by the client, specifically: if the address in the target access response is determined to be a redirection address and an API matching the access response exists, determining that the address in the target access response is the internal address of the server, replacing the url of the server contained in the target address with the url of the proxy gateway, and forming an external address accessible by the client, wherein the target address is the address in the target access response.
As shown in fig. 3, taking an example that the access request is an http request and the target access response is an http response corresponding to the http request, the method of this embodiment may be executed by the KONG proxy gateway, and specifically includes:
S310, receiving an http request sent by the client.
S320, judging whether an API matched with the http request exists, if not, executing S330, and if so, executing S360.
S330, judging whether the http request is a hyperlink request, if so, executing S340, and if not, executing S3120.
S340, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new http request.
The redirection process of the KONG proxy gateway for the address of the hyperlink request is described in detail in the foregoing embodiments, and is not described herein again.
S350, receiving the new http request sent by the client.
S360, forwarding the http request to a server corresponding to the matched API.
S370, receiving an http response corresponding to the http request returned by the server.
The http response is similar to the http request and mainly consists of two parts, namely a response header and a response body, wherein a location field is arranged in the response header of the http response, and an internal address is usually stored in the location field.
S380, judging whether the address in the http response is a redirection address, if so, executing S390, and if not, executing S3110.
The KONG proxy gateway judges whether the address in the http response is a redirection address or not, specifically judges according to a location field in a response header of the http response, and if the location field is empty, indicates that the address is not redirected, i.e. the KONG proxy gateway does not need to map an internal address to an external address; if the location field is not empty, the address is indicated to be redirected, and if the API matched with the http response exists, the address in the http response can be determined to be an internal address, and the KONG proxy gateway is required to map the internal address to an external address.
And S390, judging whether an API matched with the http response exists, if so, executing S3100, and if not, executing S3110.
The KONG proxy gateway can map the internal address in the location field into an external address when determining that the API matched with the http response exists, and does not need the KONG proxy gateway to map the internal address into the external address when determining that the API matched with the http response does not exist or the address in the http response is the external address, or can not perform additional operation because the matched API does not exist when the address in the http response is the internal address, and then only can directly return the http response to the client. The method of matching judgment is the same as the foregoing embodiment, and is not described herein again.
And S3100, replacing the url of the server side contained in the address in the http response with the url of the KONG proxy gateway to form an external address accessible by the client side.
And S3110, returning the http response to the client.
and S3120, determining that the http request fails, and returning a request failure prompt to the client.
For example, the response header in the http response returned by the backend A service has a location field, the content of the location field indicates the url of the backend B service, and the url of the backend B service is the internal address thereof, for example, http:// B: 8080/haha. The KONG proxy gateway judges whether a matched API can point to B by using uri '/haha' of the back-end B service, if yes, the internal address in the location field is modified to http:// KONG:8000/haha, namely the url '// http:// B: 8080' of the service end is replaced by url 'http:// KONG: 8000' of the KONG proxy gateway, the client can initiate an http request to the KONG proxy gateway based on the modified address http:// KONG:8000/haha, the KONG proxy gateway is matched to the API based on the uri '/haha', further finds the internal address of the back-end B service and forwards the http request, and the client can acquire resource information corresponding to the http request.
in the technical scheme, the KONG proxy gateway determines the mapping relationship from the internal address to the external address by capturing the redirection address, and further returns an http response including the external address accessible by the client to the user. The KONG broker gateway solves the problem of internal to external address translation involved in brokering Web services in a generic manner, and also simplifies the development and configuration of the KONG broker gateway.
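The location rewrite of S380 to S3100 in Python, using the http://B:8080/haha case from the text. This is an added example, not code from the patent or from Kong; `match_api`, `rewrite_location` and the sample API table are assumed names, and the extra check that the redirect host equals the matched API's upstream host is an assumption that is stricter than the text.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration: one API whose uri "/haha" points at backend B.
APIS = [{"name": "b-service", "uri": "/haha", "upstream_url": "http://B:8080"}]
GATEWAY_URL = "http://KONG:8000"


def match_api(path, apis):
    """Return the API whose uri is the longest whole-segment prefix of path."""
    best = None
    for api in apis:
        uri = api["uri"].rstrip("/")
        if path == uri or path.startswith(uri + "/"):
            if best is None or len(uri) > len(best["uri"].rstrip("/")):
                best = api
    return best


def rewrite_location(location, apis=APIS, gateway_url=GATEWAY_URL):
    """Map an internal redirect target to the gateway's external address."""
    if not location:
        # S380: empty location field, the response is not a redirect.
        return location
    target = urlsplit(location)
    if not target.netloc:
        # Relative redirect: the client resolves it against the gateway already.
        return location
    api = match_api(target.path or "/", apis)
    if api is None:
        # S390: no matching API, the response is returned unchanged (S3110).
        return location
    upstream = urlsplit(api["upstream_url"])
    # Assumption beyond the text: only rewrite when the redirect really points
    # at the matched API's upstream, so redirects to third-party hosts that
    # happen to share a path prefix are left alone.
    if target.netloc.lower() != upstream.netloc.lower():
        return location
    gateway = urlsplit(gateway_url)
    # S3100: swap scheme and host:port, keep path, query and fragment.
    return urlunsplit((gateway.scheme, gateway.netloc,
                       target.path, target.query, target.fragment))


if __name__ == "__main__":
    for loc in ("http://B:8080/haha", "http://B:8080/hahaha",
                "https://example.org/haha", ""):
        print(repr(loc), "->", repr(rewrite_location(loc)))
```

Matching on whole path segments keeps `/hahaha` from being treated as part of the `/haha` API.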
EXAMPLE four
On the basis of the foregoing embodiment, the proxy method for Web services provided by this embodiment further includes: if it is determined that the target access response contains cookie information, modifying the address contained in the cookie information, wherein the target access response is an access response corresponding to the hyperlink request or the non-hyperlink request.
Address modification of cookie information is also involved when the KONG proxy gateway proxies a Web service. For example, when CAS performs single sign-on, the cookie information records the login information of a user, and the address contained in the cookie information generated by the back-end service is an internal address of the back-end service. When proxying, the KONG proxy gateway needs to modify the address contained in the cookie information to avoid cookie information invalidation.
In order to solve the above problem, the proxy method for Web services provided in this embodiment may further modify the address contained in the cookie information when the target access response corresponding to the access request contains cookie information, so that files under the modified address path have the authority to read the cookie information.
As an optional implementation of this embodiment, if it is determined that the target access response contains cookie information, modifying the address contained in the cookie information is specifically: if it is determined that the target access response contains cookie information and an API (application programming interface) matching the target access response exists, adding the address contained in the cookie information to the subpath information of the hyperlink request or the non-hyperlink request, wherein the hyperlink request or the non-hyperlink request corresponds to the target access response.
As shown in fig. 4, taking as an example that the access request is an http request and the target access response is the http response corresponding to the http request, the method of this embodiment may be executed by the KONG proxy gateway, and specifically includes:
S410, receiving an http request sent by the client.
S420, judging whether an API matching the http request exists; if not, executing S430, and if so, executing S460.
S430, judging whether the http request is a hyperlink request; if so, executing S440, and if not, executing S4120.
S440, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new http request.
The redirection of the address of the hyperlink request by the KONG proxy gateway is described in detail in the foregoing embodiments and is not described again here.
S450, receiving the new http request sent by the client.
S460, forwarding the http request to the server corresponding to the matched API.
S470, receiving the http response corresponding to the http request returned by the server.
The http response is similar to the http request and mainly comprises two parts, namely a response header and a response body. A set-cookie field in the response header of the http response indicates that cookie information exists, and the value of the set-cookie field is an address contained in the cookie information, which is usually an internal address.
S480, judging whether cookie information is included in the http response; if so, executing S490, and if not, executing S4110.
The KONG proxy gateway judges whether the http response includes cookie information through the set-cookie field in the response header of the http response. If the set-cookie field is empty, the http response does not include cookie information, i.e., the KONG proxy gateway is not required to perform a modification. If the set-cookie field is not empty, the http response includes cookie information; if an API (application programming interface) matching the http response also exists, the address contained in the cookie information is an internal address of a back-end service, and the KONG proxy gateway is required to modify the address contained in the cookie information.
S490, judging whether an API matching the http response exists; if so, executing S4100, and if not, executing S4110.
The KONG proxy gateway may modify the internal address in the set-cookie field only when it determines that an API matching the http response exists. When it determines that no API matching the http response exists, it can only return the http response directly to the client without performing additional operations. The matching judgment is the same as in the foregoing embodiment and is not described again here.
S4100, adding the subpath information of the http request to the address contained in the cookie information.
S4110, returning the http response to the client.
S4120, determining that the http request fails, and returning a request failure prompt to the client.
For example, if the browser accesses http://$Kong_url:8000/test/wj, the url of the http request is http://$Kong_url:8000/test/wj, and the request may be routed through the KONG proxy gateway to http://wj of the backend service. The response header of the http response returned after backend service processing has a set-cookie field, that is, cookie information is included. The path in the set-cookie field is /wj, and /wj is an address of a certain backend service, so it is not suitable for the KONG proxy gateway to return the http response directly to the client. The KONG proxy gateway judges whether a matching API points to the http request, and if it determines that one exists, modifies the path in the set-cookie field to /test/wj, that is, the subpath information (sub-path information) of the http request is added to the cookie information. The client then receives the cookie information of the http response, and files in the address directory contained in the cookie information all have the right to read the cookie information, so that cookie information invalidation is avoided.
In this technical scheme, the KONG proxy gateway captures the address contained in the cookie information and modifies it when it determines that the address is an internal address. The KONG proxy gateway thus solves, in a generic manner, the problem of modifying the address of the cookie information involved in proxying Web services, avoids the cookie information invalidation caused by the address contained in the cookie information being an internal address, and also simplifies the development and configuration of the KONG proxy gateway.
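The set-cookie rewrite of S480 to S4100 in Python, using the /test/wj case from the text. This is an added example, not the patent's or Kong's code; the function names are assumed, and it assumes the matched API's uri (`/test`) is the sub-path the gateway strips before forwarding to the backend.

```python
def rewrite_cookie_path(set_cookie, api_uri):
    """Prefix the Path attribute of one Set-Cookie value with the API uri.

    The name=value pair and every other attribute (Secure, HttpOnly,
    SameSite, Expires, ...) are passed through untouched.
    """
    prefix = (api_uri or "").rstrip("/")
    if not set_cookie or not prefix:
        # S480/S490: no cookie information or no matching API, nothing to do.
        return set_cookie
    name_value, *attrs = set_cookie.split(";")
    out = [name_value]
    for attr in attrs:
        name, sep, value = attr.partition("=")
        path = value.strip()
        if sep and name.strip().lower() == "path" and path.startswith("/"):
            # S4100: backend path /wj becomes /test/wj on the gateway.
            # Path=/ maps to the bare prefix so that a request for exactly
            # /test still matches the cookie path.
            new_path = prefix if path == "/" else prefix + path
            attr = f"{name}={new_path}"
        out.append(attr)
    return ";".join(out)


def rewrite_response_cookies(headers, api_uri):
    """Apply the rewrite to every Set-Cookie header of a response.

    headers is a list of (name, value) pairs because Set-Cookie may
    legitimately appear several times in one response.
    """
    return [
        (name, rewrite_cookie_path(value, api_uri)
         if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed response headers from a backend that thinks it lives at /wj.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/wj; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/; Secure"),
    ]
    for header in rewrite_response_cookies(sample, "/test"):
        print(header)
```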
On the basis of the foregoing embodiment, optionally, the method may further provide a directional diversion function. Specifically, the method further includes: if an API matching the request exists, judging whether the source address information in the header of the http request is in the address information of the white list; if so, forwarding the http request to the server of the first version matching the API; and if not, forwarding the http request to the server of the second version matching the API.
Specifically, sending the http request to the servers of the two versions may be a directional diversion process. As shown in fig. 5, the directional diversion method provided in an embodiment of the present invention may include:
judging whether the http request has a corresponding API;
if the http request has a corresponding API, judging whether the CIDR of the source address in the http request is in the white list;
if so, forwarding the http request to the service version A corresponding to the matched API;
and if not, forwarding the http request to the service version B corresponding to the matched API.
In a micro-service architecture, a directional diversion function is usually required in order to support canary publishing.
The KONG proxy gateway may implement directional diversion based on the classless address (CIDR) of the client source address. The KONG proxy gateway may use uri, host and method as the keys for routing. In the method provided by the embodiment of the invention, the CIDR of the source address of the http request is added to the white list (whitelist) of the API in advance. If the CIDR of the source address of the http request is in the white list, the KONG proxy gateway forwards the http request to a first service version A (or a server of the first version); if the source address of the http request is not in the CIDR white list, the KONG proxy gateway forwards the http request to a second service version B (or a server of the second version). The http request is thus forwarded to services of different versions according to the source address information in the http request, and directional diversion is achieved.
The field information added to the API rules of the service version A and the service version B may be:
{
  name: "test",
  uri: ["/foo"],
  whitelist: ["10.11.6.100/24"],
  upstream_url: "http://serviceA:port"
}
{
  name: "test",
  uri: ["/foo"],
  upstream_url: "http://serviceB:port"
}
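The white-list decision of fig. 5 over the two rules above, in Python. This is an added example, not the patent's or Kong's code; `select_upstream` and its helpers are assumed names, and the source address is assumed to be the peer address the gateway itself observed rather than a value the client supplied.

```python
import ipaddress

# The two API rules from the text as Python dicts; "port" is the text's
# own placeholder and is kept as-is.
RULES = [
    {"name": "test", "uri": ["/foo"], "whitelist": ["10.11.6.100/24"],
     "upstream_url": "http://serviceA:port"},
    {"name": "test", "uri": ["/foo"],
     "upstream_url": "http://serviceB:port"},
]


def compile_whitelist(cidrs):
    """Parse CIDR strings into network objects.

    "10.11.6.100/24" has host bits set, so strict parsing would raise
    ValueError; strict=False normalises it to 10.11.6.0/24.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def uri_matches(path, uris):
    """True if path equals a configured uri or lies beneath it."""
    for uri in uris:
        base = uri.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


def parse_source(source_ip):
    """Return an address object, or None when the value is not an address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def select_upstream(path, source_ip, rules=RULES):
    """Version A for white-listed sources, version B otherwise.

    Returns None when no API matches the path. An unparsable source
    address never matches a white list, so it falls through to version B.
    """
    addr = parse_source(source_ip)
    default = None
    for rule in rules:
        if not uri_matches(path, rule["uri"]):
            continue
        nets = compile_whitelist(rule.get("whitelist", []))
        if nets:
            if addr is not None and any(
                    addr.version == n.version and addr in n for n in nets):
                return rule["upstream_url"]
        elif default is None:
            default = rule["upstream_url"]
    return default


if __name__ == "__main__":
    for ip in ("10.11.6.7", "10.11.7.7", "::ffff:10.11.6.7", "not-an-ip"):
        print(ip, "->", select_upstream("/foo", ip))
```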
On the basis of the foregoing embodiment, optionally, the method may further include: if it is determined that an API (application program interface) matching the http request exists, parsing identification information in the http request and sending the identification information to a back-end authentication center, wherein the identification information comprises a user name, a password and/or token information; and when a message of successful authentication sent by the back-end authentication center is received, forwarding the http request to the server pointed to by the matching API.
Specifically, the above security authentication process is shown in fig. 6, and the security authentication method provided in the embodiment of the present invention includes:
judging whether the http request has a corresponding API;
if so, parsing the user name, the password and/or the token information in the http request, sending them to the authentication center at the back end, and forwarding the http request to the server corresponding to the matched API when a message of successful authentication sent by the back-end service center is received.
If the corresponding API does not exist in the http request, rejecting the http request; and when the message of authentication failure sent by the back-end service center is not received, rejecting the http request.
The backend web service generally needs security authentication. When the KONG proxy gateway proxies the http request, the related information of the http request needs to be sent to the back-end authentication center for authentication. When the http request passes the verification, the client that sent the http request can perform the relevant request operation. When the KONG proxy gateway proxies each http request, it parses information such as the tenant name, the user name, the password or the access_token carried in the header information of the http request and sends it to the authentication center at the back end for security authentication; when the http request passes the verification, the http request is distributed to the server.
Therefore, the http request is authenticated and is sent to the corresponding server only when it passes the authentication. With the KONG proxy gateway serving as the proxy entrance that provides the security authentication process, the security authentication process can be simplified and the security of the network can be improved.
The embodiment of the invention also provides a tcp/udp data proxy method, which comprises the following steps:
adding an upstream configuration through a management API (application program interface), wherein the upstream is a tcp/udp service address;
if a tcp/udp request is received, judging, through the port information of the tcp/udp request, whether an upstream corresponding to the tcp/udp request exists;
and if so, sending the tcp/udp request to the back-end tcp/udp service pointed to by the upstream.
Specifically, the KONG proxy gateway may support the tcp/udp protocol and proxy tcp/udp requests. As shown in fig. 7, the method for proxying a tcp/udp request provided in the embodiment of the present invention includes:
judging whether the received tcp/udp request has a corresponding upstream;
if so, judging whether a tcp/udp service corresponding to the upstream exists;
sending the tcp/udp request to the back-end tcp/udp service pointed to by the upstream;
if there is no upstream corresponding to the tcp/udp request, or there is no back-end tcp/udp service corresponding to the upstream, returning a failure.
In the prior art, the KONG proxy gateway does not support tcp/udp data proxying. The embodiment of the present invention may implement a tcp/udp layer-4 proxy through a specific function module (ngx_stream_lua_module, which may receive the configuration information of tcp/udp).
The upstream configuration can be dynamically added through the management API of the KONG proxy gateway, wherein the upstream configuration comprises the correspondence between tcp/udp requests and upstreams and the correspondence between upstreams and back-end tcp/udp services. Therefore, by adding the upstream configuration, a received tcp/udp request can be forwarded to the back-end service address corresponding to the upstream, tcp/udp requests can be dynamically proxied, and the data proxy capability of the KONG proxy gateway is expanded.
On the basis of the embodiment, when the server runs on a container cloud of Kubernetes, optionally, the method may further include: if it is determined that an API matching the http request exists and the format of the upstream_url field information of the matched API is a preset format, querying a pre-established service-pod list according to the upstream_url field information and determining at least one pod corresponding to the server; and determining a target pod from the at least one pod according to a session ID or a client identifier carried by the http request, and forwarding the http request to the target pod; wherein the upstream_url field information includes service information, namespace information and pod (backend instance) information.
Specifically, the KONG proxy gateway monitors the endpoints information of Kubernetes by starting an independent service, and establishes a service-pod list from the acquired endpoints information, wherein a service corresponds to at least one pod. When the KONG proxy gateway serves as a proxy, if the address of the Kubernetes service is directly adopted as the upstream url of the http request, the KONG proxy gateway randomly distributes the http request to the corresponding pods, so that the http session is repeatedly established.
Thus, when configuring an API, the upstream url needs to use a special pattern and does not directly use the service address of Kubernetes. The pattern only needs to contain the service information, namespace, or port information of Kubernetes. For example, it may be http://$namespace.$serviceName.$port. The KONG proxy gateway monitors the endpoints (pods) list information of Kubernetes and automatically establishes a corresponding service-pod list at the same time. When the KONG proxy gateway proxies the http request, if an API matching the http request exists and the format of the upstream_url field information of the matched API is the preset format, it searches the service-pod list according to the upstream_url field information, finds at least one corresponding pod, uses the session ID or client identifier carried by the http request as the parameter of a set function, determines a target pod from the at least one pod by the output of the set function, and forwards the http request to the target pod. Therefore, the http requests of the same session are distributed to the same pod, and repeated login for the http requests of the same session is avoided.
For example, when a user clicks related links on the same webpage, the http requests can be considered to belong to the same session: the http requests sent by multiple clicks on the same webpage can be treated as the same session and forwarded to the same pod, so that the problem of repeated login is avoided.
The above process may also be regarded as an implementation of session affinity. The specific method, shown in fig. 8, includes: judging whether an API matching the http request exists;
if so, judging whether the upstream url of the API is in the preset format;
if so, searching the service-pod list through the upstream url of the API, and determining the corresponding pods;
and forwarding the http requests of the same session to the same pod.
Therefore, by setting the format of the upstream url of the http request, establishing a service-pod list and forwarding the http requests of the same session to the same pod, the problem of repeated login caused by session failure can be avoided.
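Session-affinity pod selection as described above, in Python. This is an added example, not the patent's or Kong's code: the text only says a "set function" maps the session ID to a pod, and rendezvous (highest-random-weight) hashing is the choice made here; the pod addresses, the service-pod table and all function names are constructed.

```python
import hashlib
import re

# Preset upstream_url pattern from the text: http://$namespace.$serviceName.$port
PRESET = re.compile(r"^http://([a-z0-9-]+)\.([a-z0-9-]+)\.(\d+)$")

# Constructed service-pod list, as the endpoints watcher would maintain it.
SERVICE_PODS = {
    ("prod", "cart"): ["10.244.1.5", "10.244.2.9", "10.244.3.4"],
}


def parse_upstream(upstream_url):
    """Return (namespace, service, port), or None if not the preset format."""
    m = PRESET.match(upstream_url)
    if m is None:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def pick_pod(session_id, pods):
    """Rendezvous hashing: score every pod against the session, take the max.

    A keyed digest is used instead of Python's built-in hash(), which is
    randomised per process and would break affinity across gateway workers.
    Removing a pod only remaps the sessions that were pinned to that pod.
    """
    if not pods:
        return None

    def score(pod):
        return hashlib.sha256(f"{session_id}|{pod}".encode()).digest()

    return max(pods, key=score)


def route(upstream_url, session_id, service_pods=SERVICE_PODS):
    """Resolve the forwarding target for one request of a session."""
    parsed = parse_upstream(upstream_url)
    if parsed is None:
        # Not the preset format: forward to the upstream as configured.
        return upstream_url
    namespace, service, port = parsed
    pod = pick_pod(session_id, service_pods.get((namespace, service), []))
    return f"http://{pod}:{port}" if pod else None


if __name__ == "__main__":
    for sid in ("sess-1", "sess-2", "sess-1"):
        print(sid, "->", route("http://prod.cart.8080", sid))
```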
On the basis of the above embodiment, before returning the access response to the client, the method may further include a request retry method. The specific method is shown in fig. 9 and includes:
judging whether the access request is a GET/HEAD/OPTION request;
if so, judging whether the status code returned by the access is 500/503/502/504, and if not, directly returning;
if the status code returned by the access is 500/503/502/504, judging whether the request sending times exceed the set times; if not, directly returning;
if the request sending times do not exceed the set times, retransmitting the access request; if the request sending times exceed the set times, directly returning.
GET, HEAD and OPTION are request methods of the http protocol. GET: requesting the specified page information and returning the entity body. HEAD: only the header of the page is requested. OPTIONS: allowing the client to view the performance of the server.
The status code 500 refers to an internal error of the server, and the status code 503 refers to a status that the service is unavailable. The status code 502 is an error gateway on the server and is therefore invalid. The status code 504 refers to a timeout, i.e., the issued request does not reach the gateway.
Therefore, for GET/HEAD/OPTION requests, whether the access response is abnormal is determined by the status code returned in the response, and if the access response is abnormal, the access request is retransmitted to obtain normal response information.
On the basis of the above embodiment, the server includes at least one back-end instance. Optionally, forwarding the access request to the corresponding server may include: forwarding the http request to the corresponding back-end instance.
Optionally, receiving an access response returned by the server may include: receiving an access response returned by the back-end instance.
Correspondingly, optionally, before returning the access response to the client, the method may further include
a method of moving back-end instances, which specifically comprises the following steps:
if the access response is determined to be an abnormal response, counting the number of abnormal responses of the back-end instance;
if the number of abnormal responses exceeds a first set threshold, moving the back-end instance to a grey list and reducing the priority of the back-end instance; and if the number of abnormal responses of the back-end instance in the grey list exceeds a second set threshold, moving the back-end instance to a black list.
Optionally, after moving the back-end instance to the black list, the method further includes:
if the time of the back-end instance in the black list reaches the set time, moving the back-end instance to the grey list; and if the number of normal responses of the back-end instance in the grey list reaches a third set threshold, adjusting the priority of the back-end instance upwards.
The abnormal response may be a returned response with a status code of 4XX/5XX. A status code of 4XX means a request error, and a status code of 5XX means a server error. The above method can also be applied when the response times out.
The back-end instances in the grey list may be selected, that is, they may be accessed, but the priority of the back-end instances in the black list is lower than that of the back-end instances in the white list. The priority may be understood as the priority with which a back-end instance is accessed: the higher the priority, the earlier the instance is accessed.
A back-end instance in the black list is not selected, that is, it is not accessed, but the time of the back-end instance in the black list can be set, and when the set time is exceeded, the back-end instance is removed from the black list.
Specifically, as shown in fig. 10, the instance moving method provided in the embodiment of the present invention includes:
judging whether the status code of the http access response is 4XX/5XX, and if so, adding 1 to the number of access failures;
when the number of access failures exceeds a first set threshold, moving the corresponding target pod to the grey list and adjusting the priority of the target pod downwards; and if the subsequent number of abnormal responses of the target pod exceeds a second set threshold, adding the target pod to the black list and setting the timeout set time for the target pod;
when the time of the target pod in the black list exceeds the set time, adding the target pod to the grey list;
and if the number of normal responses of the target pod in the grey list reaches a second set threshold, moving the target pod into the white list.
The number of abnormal responses may be understood as the number of accesses.
Therefore, the corresponding pod is moved according to the number of abnormal responses, so that the influence of an inefficient pod on the access efficiency can be avoided and the overall access efficiency is improved.
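The retry flow of fig. 9 and the white/grey/black list movement of fig. 10, combined in Python so that each retried send feeds the abnormal-response counters. This is an added example, not the patent's or Kong's code; class and function names are assumed, counters are assumed to reset when an instance changes list, and `max_sends` is taken as the total number of sends.

```python
import time

RETRY_METHODS = {"GET", "HEAD", "OPTIONS"}   # retried request methods
RETRY_STATUS = {500, 502, 503, 504}           # status codes that trigger a retry


class InstanceLists:
    """White/grey/black list bookkeeping for back-end instances."""

    def __init__(self, first, second, third, black_seconds,
                 clock=time.monotonic):
        self.first, self.second, self.third = first, second, third
        self.black_seconds, self.clock = black_seconds, clock
        self.entries = {}

    def entry(self, inst):
        e = self.entries.setdefault(
            inst, {"list": "white", "bad": 0, "good": 0, "until": 0.0})
        if e["list"] == "black" and self.clock() >= e["until"]:
            # Set time in the black list reached: back to the grey list.
            e.update(list="grey", bad=0, good=0)
        return e

    def list_of(self, inst):
        return self.entry(inst)["list"]

    def record(self, inst, status):
        """Count one response and move the instance if a threshold is hit."""
        e = self.entry(inst)
        if 400 <= status <= 599:                      # abnormal: 4XX/5XX
            e["bad"] += 1
            if e["list"] == "white" and e["bad"] > self.first:
                e.update(list="grey", bad=0, good=0)
            elif e["list"] == "grey" and e["bad"] > self.second:
                e.update(list="black", bad=0, good=0,
                         until=self.clock() + self.black_seconds)
        elif e["list"] == "grey":
            e["good"] += 1
            if e["good"] >= self.third:               # priority raised again
                e.update(list="white", bad=0, good=0)

    def candidates(self, instances):
        """White-listed first, grey-listed after, black-listed never."""
        white = [i for i in instances if self.list_of(i) == "white"]
        grey = [i for i in instances if self.list_of(i) == "grey"]
        return white + grey


def proxy(method, instances, lists, send, max_sends=3):
    """Send a request, retrying only GET/HEAD/OPTIONS on 500/502/503/504.

    send(instance, method) returns a status code. Returns (status, sends);
    status is None when every instance is black-listed.
    """
    sends, status = 0, None
    while sends < max_sends:
        order = lists.candidates(instances)
        if not order:
            break
        status = send(order[0], method)
        sends += 1
        lists.record(order[0], status)
        if method.upper() not in RETRY_METHODS or status not in RETRY_STATUS:
            break
    return status, sends


if __name__ == "__main__":
    # Constructed back ends: "a" is failing, "b" is healthy.
    backend = {"a": 503, "b": 200}
    lists = InstanceLists(first=2, second=1, third=2, black_seconds=30)
    print(proxy("GET", ["a", "b"], lists, lambda i, m: backend[i], 5))
    print({i: lists.list_of(i) for i in backend})
```

Because POST and other non-idempotent methods fall outside `RETRY_METHODS`, a failed write is returned to the client once rather than being replayed against another instance.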
EXAMPLE five
fig. 11 is a schematic structural diagram of a proxy apparatus for Web services according to a fifth embodiment of the present invention, which is applicable to processing a hyperlink jumping problem when a reverse proxy gateway proxies a Web service, and the apparatus can be implemented in a software and/or hardware manner, and can be generally integrated in a proxy server in a cloud, where the proxy server can be specifically a KONG-based reverse proxy server.
as shown in fig. 11, the proxy device of the Web service specifically includes: a request receiving module 510, a redirection module 520, a forwarding module 530, and a feedback module 540. Wherein,
A request receiving module 510, configured to receive an access request sent by a client;
A redirection module 520, configured to redirect an address of the hyperlink request if it is determined that the access request is the hyperlink request, and return the redirected address to the client, so that the client generates a new access request;
a forwarding module 530, configured to receive the new access request sent by the client, and forward the new access request to a corresponding server;
And a feedback module 540, configured to receive an access response corresponding to the new access request and returned by the server, and return the access response to the client.
In the proxy device for Web services provided by this embodiment, the KONG proxy gateway determines an http request sent by a client, and if the http request can be matched with a preconfigured API, the http request may be directly forwarded to a corresponding backend service, and if the http request cannot be matched with the preconfigured API, the hyperlink request is redirected when the access request is a hyperlink request, so that the client generates a new http request that can be directly forwarded. In the technical scheme, the KONG proxy gateway can perform universal processing when receiving the access request of the client, and when the access response returned by the server is forwarded to the client, the KONG proxy gateway can directly forward the access response without modifying the address of the hyperlink in the html returned to the client one by one, so that the problem of hyperlink jump during proxy Web service can be solved in a universal mode, and the development and configuration of the proxy gateway can be simplified.
Specifically, the access request is an http request, and the redirection module 520 specifically includes: the system comprises a hyperlink request judging unit and a redirection unit, wherein the hyperlink request judging unit is used for judging whether an http refer field is included in the head of the http request or not if the fact that an Application Program Interface (API) matched with the http request does not exist, and if the fact that the http refer field is included in the head of the http request is confirmed, the http request is determined to be the hyperlink request;
And the redirection unit is used for determining a new url according to the uniform resource locator url in the http request and the url in the http request received last time, and taking the new url as the redirected url.
further, the redirection unit is specifically configured to determine a new url according to the url in the http request and the url stored in the http referrer field included in the http request header.
Specifically, the proxy device for the Web service further includes: and the internal and external address mapping module is used for mapping the internal address into an external address accessible by the client if the address in the target access response is determined to be the internal address of the server, wherein the target access response is an access response corresponding to a hyperlink request or a non-hyperlink request.
Specifically, the proxy device for the Web service further includes: and the cookie information address modification module is used for modifying the address contained in the cookie information if the cookie information is determined to be contained in the target access response, wherein the target access response is an access response corresponding to the hyperlink request or the non-hyperlink request.
Further, the internal and external address mapping module is specifically configured to, if it is determined that an address in the target access response is a redirection address and an API matching the access response exists, determine that the address in the target access response is the server-side internal address, replace a url of the server side included in the target address with a url of a proxy gateway, and form an external address accessible by the client, where the target address is the address in the target access response.
Further, the cookie information address modification module is specifically configured to add an address contained in the cookie information as the subpath information of the hyperlink request or the non-hyperlink request if it is determined that the cookie information is contained in the target access response and an API matching the target access response exists.
Further, the forwarding module 530 is configured to:
if the API matched with the request exists, judging whether the source address information in the head of the http request is in the address information of the white list;
If yes, forwarding the http request to a server of the first version matched with the API;
And if not, forwarding the http request to a server side of the second version matched with the API.
Optionally, the forwarding module 530 is further configured to
if it is determined that an API (application program interface) matching the http request exists, parsing the identification information in the http request and sending the identification information to a back-end authentication center; wherein the identification information comprises a user name, a password and/or token information;
and when a message of successful authentication sent by the back-end authentication center is received, forwarding the http request to the server pointed to by the matching API.
Further, the server runs on a Kubernetes container cloud;
the forwarding module 530 is further configured to, if it is determined that an API matching the http request exists and the format of the upstream_url field information of the matching API is a preset format, query a pre-established service-pod list according to the upstream_url field information, and determine at least one pod corresponding to the server;
determine a target pod from the at least one pod according to a session ID or a client identifier carried by the http request, and forward the http request to the target pod; wherein the upstream_url field information comprises service information, namespace information and pod information.
Further, the server comprises at least one back-end instance;
forwarding the access request to a corresponding server includes: forwarding the http request to a corresponding back-end instance;
receiving an access response returned by the server includes: receiving an access response returned by the back-end instance;
correspondingly, before returning the access response to the client, the method further includes:
if the access response is determined to be an abnormal response, counting the number of abnormal responses of the back-end instance;
if the number of abnormal responses exceeds a first set threshold, moving the back-end instance to a grey list and reducing the priority of the back-end instance;
and if the abnormalities of the back-end instance in the grey list sequentially exceed a second set threshold, moving the back-end instance to a blacklist.
Further, after moving the back-end instance to the blacklist, the method further includes:
if the time the back-end instance has spent in the blacklist reaches the set time, moving the back-end instance to the grey list;
and if the number of normal responses of the back-end instance in the grey list reaches a third set threshold, raising the priority of the back-end instance.
The Web service proxy device can execute the Web service proxy method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
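The grey list and blacklist handling described above can be modelled as a small state machine. The following Python sketch is an added example, not code from the patent; it assumes that an abnormal response is an HTTP 5xx status, that the second threshold counts consecutive abnormal responses while grey-listed, and that raising the priority returns the instance to the normal list. The class names, the priority scale and the penalty value are hypothetical.

```python
import time
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    GREY = "grey"
    BLACK = "black"


@dataclass
class Instance:
    name: str
    priority: int = 10          # higher is preferred; the scale is an assumption
    state: State = State.NORMAL
    abnormal: int = 0           # abnormal responses counted while NORMAL
    grey_abnormal_run: int = 0  # consecutive abnormal responses while GREY
    grey_normal: int = 0        # normal responses counted while GREY
    black_since: float = 0.0    # clock value when the instance was blacklisted


class InstanceTracker:
    """Tracks back-end instances through the normal, grey and black lists."""

    def __init__(self, first=3, second=2, third=3, black_seconds=30.0,
                 penalty=5, clock=time.monotonic):
        self.first, self.second, self.third = first, second, third
        self.black_seconds, self.penalty, self.clock = black_seconds, penalty, clock
        self.instances = {}

    def add(self, name):
        self.instances[name] = Instance(name)

    def record(self, name, status):
        """Update one instance from the status code of its latest response."""
        inst = self.instances[name]
        abnormal = status >= 500  # assumption: 5xx counts as an abnormal response
        if inst.state is State.NORMAL and abnormal:
            inst.abnormal += 1
            if inst.abnormal > self.first:            # exceeds first threshold
                inst.state = State.GREY
                inst.priority -= self.penalty
                inst.grey_abnormal_run = inst.grey_normal = 0
        elif inst.state is State.GREY and abnormal:
            inst.grey_abnormal_run += 1
            if inst.grey_abnormal_run > self.second:  # exceeds second threshold
                inst.state = State.BLACK
                inst.black_since = self.clock()
        elif inst.state is State.GREY:
            inst.grey_abnormal_run = 0
            inst.grey_normal += 1
            if inst.grey_normal >= self.third:        # reaches third threshold
                inst.state = State.NORMAL
                inst.priority += self.penalty
                inst.abnormal = 0
        return inst.state

    def _release_expired(self):
        """Move instances whose blacklist time has elapsed back to the grey list."""
        now = self.clock()
        for inst in self.instances.values():
            if inst.state is State.BLACK and now - inst.black_since >= self.black_seconds:
                inst.state = State.GREY
                inst.grey_abnormal_run = inst.grey_normal = 0

    def pick(self):
        """Return the name of the usable instance with the highest priority."""
        self._release_expired()
        usable = [i for i in self.instances.values() if i.state is not State.BLACK]
        if not usable:
            return None  # every instance is blacklisted
        return min(usable, key=lambda i: (-i.priority, i.name)).name
```

Injecting the clock keeps the blacklist timeout deterministic under test; a gateway would leave the default monotonic clock in place.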
EXAMPLE six
Fig. 12 is a schematic diagram of the hardware structure of an apparatus according to a sixth embodiment of the present invention. As shown in fig. 12, the apparatus includes:
one or more processors 610, one processor 610 being taken as an example in fig. 12;
a memory 620;
the apparatus may further include: an input device 630 and an output device 640.
The processor 610, the memory 620, the input device 630 and the output device 640 of the apparatus may be connected by a bus or by other means; fig. 12 takes connection by a bus as an example.
The memory 620, which is a non-transitory computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as the program instructions/modules corresponding to the proxy method of a Web service in the embodiments of the present invention (e.g., the request receiving module 510, the redirecting module 520, the forwarding module 530, and the feedback module 540 shown in fig. 5). The processor 610 executes the various functional applications and data processing of the computer device by running the software programs, instructions and modules stored in the memory 620, that is, it implements the proxy method of a Web service of the above-described method embodiments.
The memory 620 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created according to use of the computer device, and the like. Further, the memory 620 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 620 optionally includes memory located remotely from the processor 610, which may be connected to the terminal device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the computer device. The output device 640 may include a display device such as a display screen.
EXAMPLE seven
An embodiment of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a proxy method for Web services, the method including:
receiving an access request sent by a client;
if the access request is determined to be a hyperlink request, redirecting the address of the hyperlink request, and returning the redirected address to the client so that the client generates a new access request;
receiving the new access request sent by the client, and forwarding the new access request to a corresponding server;
and receiving an access response corresponding to the new access request returned by the server, and returning the access response to the client.
Optionally, the computer-executable instructions, when executed by a computer processor, may be further configured to implement a technical solution of a proxy method for a Web service provided in any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the proxy apparatus for Web services, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (9)
1. A proxy method for Web services, comprising:
receiving an access request sent by a client;
if the access request is an http request and it is determined that no application program interface (API) matching the http request exists, judging whether the header of the http request includes an http Referer field; if so, determining that the http request is a hyperlink request;
determining a new url according to the uniform resource locator (url) in the http request and the url in the last received http request, and taking the new url as the redirected url; and returning the redirected address to the client so that the client generates a new http request;
receiving the new http request sent by the client, and forwarding the new http request to a corresponding server; the new http request is forwarded to the server corresponding to the matched API;
receiving an access response corresponding to the new http request returned by the server, and returning the access response to the client;
if it is determined that the address in the target access response is a redirection address and an API matching the access response exists, determining that the address in the target access response is an internal address of the server, and replacing the url of the server contained in the target address with the url of the proxy gateway to form an external address accessible by the client, wherein the target address is the address in the target access response; the target access response is an access response corresponding to a hyperlink request or a non-hyperlink request;
if it is determined that an API matching the http request exists and the format of the upstream_url field information of the matching API is a preset format, querying a pre-established service-list according to the upstream_url field information, and determining at least one pod corresponding to the server;
determining a target pod from the at least one pod according to a session ID or a client identifier carried by the http request, and forwarding the http request to the target pod; wherein the upstream_url field information comprises service information, namespace information and pod information;
wherein the server comprises at least one instance;
forwarding the access request to a corresponding server includes: forwarding the http request to a corresponding back-end instance;
receiving an access response returned by the server includes: receiving an access response returned by the back-end instance;
correspondingly, before returning the access response to the client, the method further includes:
if the access response is determined to be an abnormal response, counting the number of abnormal responses of the back-end instance;
if the number of abnormal responses exceeds a first set threshold, moving the back-end instance to a grey list and reducing the priority of the back-end instance;
if the abnormalities of the back-end instance in the grey list sequentially exceed a second set threshold, moving the back-end instance to a blacklist;
if the time the back-end instance has spent in the blacklist reaches the set time, moving the back-end instance to the grey list;
and if the number of normal responses of the back-end instance in the grey list reaches a third set threshold, raising the priority of the back-end instance.
2. The method of claim 1, wherein determining a new url according to the uniform resource locator (url) in the http request and the url in the last received http request comprises:
determining a new url according to the url in the http request and the url stored in the http Referer field contained in the header of the http request.
3. The method of claim 1 or 2, further comprising:
if it is determined that the target access response contains cookie information, modifying the address contained in the cookie information, wherein the target access response is an access response corresponding to the hyperlink request or the non-hyperlink request.
4. The method of claim 3, wherein, if the address contained in the cookie information in the target access response is determined to be the internal address of the server, modifying the address contained in the cookie information comprises:
if it is determined that the target access response contains the cookie information and an API (application programming interface) matching the target access response exists, adding the subpath information of the hyperlink request or the non-hyperlink request to the address contained in the cookie information.
5. The method of claim 1, further comprising:
if an API matching the request exists, judging whether the source address information in the header of the http request is in the address information of the white list;
if so, forwarding the http request to a server of the first version matching the API;
and if not, forwarding the http request to a server of the second version matching the API.
6. The method of claim 1, further comprising:
if it is determined that an API (application program interface) matching the http request exists, parsing the identification information in the http request and sending the identification information to a back-end authentication center; wherein the identification information comprises a user name, a password and/or token information;
and when a message of successful authentication sent by the back-end authentication center is received, forwarding the http request to the server pointed to by the matching API.
7. A proxy device for Web services, comprising:
a request receiving module, used for receiving an access request sent by a client;
a redirection module, used for judging whether the header of the http request includes an http Referer field if the access request is an http request and no application program interface (API) matching the http request exists; if so, determining that the http request is a hyperlink request;
determining a new url according to the uniform resource locator (url) in the http request and the url in the last received http request, taking the new url as the redirected url, and returning the redirected address to the client so that the client generates a new access request;
a forwarding module, used for receiving the new http request sent by the client and forwarding the new http request to a corresponding server; the new http request is forwarded to the server corresponding to the matched API;
a feedback module, used for receiving an access response corresponding to the new http request returned by the server and returning the access response to the client;
an internal and external address mapping module, used for, if it is determined that the address in the target access response is a redirection address and an API (application program interface) matching the access response exists, determining that the address in the target access response is an internal address of the server, and replacing the url of the server contained in the target address with the url of the proxy gateway to form an external address accessible by the client, wherein the target address is the address in the target access response; the target access response is an access response corresponding to a hyperlink request or a non-hyperlink request;
wherein the server runs on a Kubernetes container cloud,
the forwarding module is further used for querying a pre-established service-pod list according to the upstream_url field information and determining at least one pod corresponding to the server, if it is determined that an API matching the http request exists and the format of the upstream_url field information of the matching API is a preset format;
determining a target pod from the at least one pod according to a session ID or a client identifier carried by the http request, and forwarding the http request to the target pod; wherein the upstream_url field information comprises service information, namespace information and pod information;
wherein the server comprises at least one back-end instance;
forwarding the access request to a corresponding server includes: forwarding the http request to a corresponding back-end instance;
receiving an access response returned by the server includes: receiving an access response returned by the back-end instance;
correspondingly, before returning the access response to the client, the method further includes:
if the access response is determined to be an abnormal response, counting the number of abnormal responses of the back-end instance;
if the number of abnormal responses exceeds a first set threshold, moving the back-end instance to a grey list and reducing the priority of the back-end instance;
if the abnormalities of the back-end instance in the grey list sequentially exceed a second set threshold, moving the back-end instance to a blacklist;
further, after moving the back-end instance to the blacklist, the method further includes:
if the time the back-end instance has spent in the blacklist reaches the set time, moving the back-end instance to the grey list;
and if the number of normal responses of the back-end instance in the grey list reaches a third set threshold, raising the priority of the back-end instance.
8. A proxy server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1-6 when executing the program.
9. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1-6.
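The internal-to-external address mapping of claim 1 and the cookie modification of claims 3 and 4 both rewrite response headers before they reach the client. The following Python sketch is an added example, not code from the patent: the gateway URL, the API table and its `prefix` key are constructed for illustration (only `upstream_url` is a field named in the text), and the comparison is made on the parsed scheme and host rather than on a string prefix so that a look-alike host is not treated as an internal address.

```python
from urllib.parse import urlsplit, urlunsplit

GATEWAY = "https://gw.example.com"  # constructed external gateway address
APIS = [                            # constructed API table; "prefix" is hypothetical
    {"prefix": "/app1", "upstream_url": "http://10.0.0.5:8080"},
    {"prefix": "/app2", "upstream_url": "http://10.0.0.6:8080/base"},
]


def match_api(location):
    """Return (api, remaining_path) if location points at a known upstream."""
    loc = urlsplit(location)
    for api in APIS:
        up = urlsplit(api["upstream_url"])
        same_origin = (loc.scheme.lower(), loc.netloc.lower()) == \
                      (up.scheme.lower(), up.netloc.lower())
        if not same_origin:
            continue
        base = up.path.rstrip("/")
        # Match on a path-segment boundary so "/basement" does not match "/base".
        if loc.path == base or loc.path.startswith(base + "/"):
            return api, loc.path[len(base):]
    return None, None


def rewrite_location(location):
    """Replace an internal upstream address in a redirect with the gateway address."""
    api, rest = match_api(location)
    if api is None:
        return location  # not an internal address: pass through unchanged
    loc, gw = urlsplit(location), urlsplit(GATEWAY)
    return urlunsplit((gw.scheme, gw.netloc, api["prefix"] + rest,
                       loc.query, loc.fragment))


def rewrite_cookie_path(set_cookie, prefix):
    """Add the API subpath to the Path attribute of a Set-Cookie header value."""
    prefix = prefix.rstrip("/")
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if i == 0 or not sep or name.strip().lower() != "path":
            continue  # the first part is the cookie's own name=value pair
        value = value.strip()
        if value == prefix or value.startswith(prefix + "/"):
            continue  # already scoped to this API
        if not value.startswith("/"):
            value = "/" + value
        parts[i] = f"{name.strip()}={prefix}{value}"
    return "; ".join(parts)
```

Scoping the cookie path to the API subpath keeps a cookie set by one back end from being sent to other back ends published under the same gateway host.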
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811100480.3A CN109067914B (en) | 2018-09-20 | 2018-09-20 | web service proxy method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109067914A CN109067914A (en) | 2018-12-21 |
CN109067914B CN109067914B (en) | 2019-12-13 |
Family
ID=64763280
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811100480.3A Active CN109067914B (en) | 2018-09-20 | 2018-09-20 | web service proxy method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109067914B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11968249B1 (en) | 2023-06-28 | 2024-04-23 | International Business Machines Corporation | Improving communication protocols relating to transactions within cloud computing environments |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109981748B (en) * | 2019-03-05 | 2021-11-30 | 广州车行易科技股份有限公司 | Forward proxy method realized based on Kong gateway |
CN110247897B (en) * | 2019-05-20 | 2023-04-07 | 中国平安财产保险股份有限公司 | System login method, device, gateway and computer readable storage medium |
CN112073358B (en) * | 2019-06-11 | 2022-08-16 | 易保网络技术(上海)有限公司 | Protocol conversion processing method and device based on Kubernetes |
CN110519379A (en) * | 2019-08-29 | 2019-11-29 | 泰康保险集团股份有限公司 | Request processing method and equipment based on micro services |
CN111478935B (en) * | 2019-12-16 | 2021-03-30 | 马上消费金融股份有限公司 | Resource access method, internetwork connecting device, system and device |
CN111314459B (en) * | 2020-02-13 | 2022-06-03 | 北京奇艺世纪科技有限公司 | Service request method, device, electronic equipment and storage medium |
US11831616B2 (en) * | 2020-03-24 | 2023-11-28 | Microsoft Technology Licensing, Llc | Reverse proxy servers for implementing application layer-based and transport layer-based security rules |
CN111510461B (en) * | 2020-04-26 | 2022-02-22 | 成都安恒信息技术有限公司 | System and method for managing WEB application centralized release authority |
CN111641696B (en) * | 2020-05-21 | 2023-05-09 | 远光软件股份有限公司 | WebService service registration and treatment method and system based on distributed system environment |
CN111787103A (en) * | 2020-07-01 | 2020-10-16 | 浪潮云信息技术股份公司 | Path change matching method based on Kong gateway |
CN111796858B (en) * | 2020-07-07 | 2024-03-22 | 金蝶软件(中国)有限公司 | Method, system and related equipment for detecting access of application programs in Kubernetes cluster |
CN111814085A (en) * | 2020-07-10 | 2020-10-23 | 四川长虹电器股份有限公司 | Novel WEB online agent method based on JavaScript hook |
CN114301890B (en) * | 2020-09-22 | 2023-09-05 | 中国移动通信集团安徽有限公司 | Web access request processing method and device |
CN112329034B (en) * | 2020-11-02 | 2024-02-23 | 杭州当虹科技股份有限公司 | Application proxy method capable of controlling access policy based on application platform |
CN112367328B (en) * | 2020-11-13 | 2022-01-04 | 四川长虹电器股份有限公司 | Method for entering Kubernetes cluster container based on websocket |
CN112948108B (en) * | 2021-01-26 | 2024-03-15 | 北京字节跳动网络技术有限公司 | Request processing method and device and electronic equipment |
CN112910991B (en) * | 2021-01-29 | 2022-10-04 | 杭州涂鸦信息技术有限公司 | Back-end application calling method and device, computer equipment and readable storage medium |
CN113157615B (en) * | 2021-02-02 | 2023-05-23 | 浙江大华技术股份有限公司 | Service bus communication method, electronic equipment and computer storage medium |
CN114598490B (en) * | 2021-04-09 | 2024-03-29 | 亚信科技(南京)有限公司 | Method, device, equipment and storage medium for redirecting page based on API gateway |
CN112822061B (en) * | 2021-04-16 | 2021-07-20 | 杭州朗澈科技有限公司 | Method and system for exposing service to outside by edge node |
CN113630468B (en) * | 2021-08-16 | 2023-12-22 | 上海观安信息技术股份有限公司 | Dynamic proxy method |
CN113965352B (en) * | 2021-09-18 | 2023-12-01 | 网宿科技股份有限公司 | Third-party website login methods, devices, electronic equipment and storage media |
CN113746941B (en) * | 2021-11-04 | 2022-02-08 | 深圳市明源云采购科技有限公司 | Method, device and storage medium for removing restriction of third-party cookie |
CN114065186B (en) * | 2021-11-17 | 2024-11-05 | 四川启睿克科技有限公司 | Method for realizing single sign-on and automatic switching of subsystem login based on es6 |
CN114546639B (en) * | 2022-02-14 | 2024-05-31 | 支付宝(杭州)信息技术有限公司 | Service call processing method and device |
CN114896605A (en) * | 2022-06-21 | 2022-08-12 | 杭州安恒信息安全技术有限公司 | Flash file source code leakage vulnerability detection method, device, equipment and storage medium |
CN115396493A (en) * | 2022-08-17 | 2022-11-25 | 融慧金科金融服务外包(北京)有限公司 | Management system and method for distributed dynamic control API timeout response |
CN116708041B (en) * | 2023-08-07 | 2023-11-03 | 烽台科技(北京)有限公司 | Camouflage proxy method, device, equipment and medium |
CN119676332B (en) * | 2024-11-28 | 2025-09-30 | 浪潮云信息技术股份公司 | A method and system for parsing a curl command proxy interface |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101753606A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信科技有限公司 | Method for realizing WEB reverse proxy |
CN102571846A (en) * | 2010-12-23 | 2012-07-11 | 北京启明星辰信息技术股份有限公司 | Method and device for forwarding hyper text transport protocol (HTTP) request |
CN102638454A (en) * | 2012-03-14 | 2012-08-15 | 武汉理工大学 | Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol |
CN105208074A (en) * | 2015-08-11 | 2015-12-30 | 广州韵成信息科技有限公司 | Path analysis method and device for asymmetric route based on Web server |
CN106548090A (en) * | 2016-10-31 | 2017-03-29 | 努比亚技术有限公司 | A kind of network file guard method and WEB server |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242336B (en) * | 2008-03-13 | 2010-12-01 | 杭州华三通信技术有限公司 | Method of Remotely Accessing Intranet Web Server and Web Proxy Server |
CN104468363B (en) * | 2013-09-18 | 2018-12-07 | 华为终端有限公司 | Page reorientation method, routing device, terminal device and system |
CN104378382A (en) * | 2014-11-28 | 2015-02-25 | 上海斐讯数据通信技术有限公司 | Multiple client wireless authentication system and authentication method thereof |
CN107181779B (en) * | 2016-03-10 | 2021-09-10 | 阿里巴巴集团控股有限公司 | Method, device and system for processing access request |
CN107276986B (en) * | 2017-05-17 | 2020-12-18 | 中云网安科技(北京)有限公司 | Method, device and system for protecting website through machine learning |
CN107291940A (en) * | 2017-07-07 | 2017-10-24 | 腾讯科技(深圳)有限公司 | Content of pages management method, device and associated server |
Also Published As
Publication number | Publication date |
---|---|
CN109067914A (en) | 2018-12-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109067914B (en) | web service proxy method, device, equipment and storage medium | |
US9912740B2 (en) | Latency measurement in resource requests | |
CN106856434B (en) | Method and apparatus for access request conversion | |
US9253065B2 (en) | Latency measurement in resource requests | |
US9451046B2 (en) | Managing CDN registration by a storage provider | |
US9407681B1 (en) | Latency measurement in resource requests | |
US9021128B2 (en) | Request routing using network computing components | |
WO2022100020A1 (en) | Vulnerability testing method and apparatus | |
US8924528B1 (en) | Latency measurement in resource requests | |
CN110830564A (en) | CDN scheduling method, apparatus, system, and computer-readable storage medium | |
US20240154962A1 (en) | Secure identity provider authentication for native application to access web service | |
CN105871975A (en) | Method and device for selecting source server | |
US11799827B2 (en) | Intelligently routing a response packet along a same connection as a request packet | |
CN112261111A (en) | Method and system for realizing cross-domain access of browser in application program | |
CN101656609A (en) | Single sign-on method, system and device thereof | |
CN107222561A (en) | A kind of transport layer reverse proxy method | |
CN107786502A (en) | A kind of authentication proxy's method, apparatus and equipment | |
CN115484045A (en) | A unified identity authentication method and system based on API gateway | |
CN117221396A (en) | Network data interaction method, device, system, storage medium and computer equipment | |
CN110740464A (en) | NF service discovery method and device | |
CN115664761A (en) | Single sign-on method and device, electronic equipment and readable storage medium | |
CN112870692B (en) | Game acceleration method, acceleration system, acceleration device and storage medium | |
US10129320B2 (en) | QoS improvement method, apparatus, and system | |
TW201828093A (en) | Visit request conversion method and device that identifies a target service type of a visit request and breaks down the visit request to a data structure corresponding to the target service type to be supplied to a corresponding server | |
CN119696878B (en) | Cloud desktop access dynamic control method, device, electronic device, storage medium and product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |
 | CP01 | Change in the name or title of a patent holder | Address after: 200233 11-12 / F, building B, 88 Hongcao Road, Xuhui District, Shanghai. Patentee after: Star link information technology (Shanghai) Co.,Ltd. Address before: 200233 11-12 / F, building B, 88 Hongcao Road, Xuhui District, Shanghai. Patentee before: TRANSWARP TECHNOLOGY (SHANGHAI) Co.,Ltd. |