CN115250185A - A method, device and related products for acquiring network resources - Google Patents

Abstract

The embodiments of the present application disclose a method, device and related products for acquiring network resources. When the security mode is activated, the network resource access request is intercepted and parsed first, so as to take a targeted sending path based on the type of resource requested to be accessed. According to the parsed data information and the configuration information in the security mode, the specific type of the resource required to be accessed by the intercepted network resource request can be determined. Determining the sending path of the request based on the resource type can improve the security of the access to the first type of resource. By starting the security mode, secure access to the first type of resources and the second type of resources is realized, and the requirements for remote acquisition of network resources are met. In addition, the technical solution does not require a VPN server to be specially configured, thereby reducing costs. For the method, device, and related products for obtaining network resources disclosed in this application, the servers involved can be formed into a blockchain, and the servers are nodes on the blockchain.

Description

A method, device and related products for acquiring network resources

technical field

The present application relates to the field of security technologies, and in particular, to a method, device and related products for acquiring network resources.

Background technique

With the increasing development of network technology and the rapid development of computer technology, the challenges to information security are becoming more and more obvious. Nowadays, the office mode is flexible, and many enterprise units allow employees to work remotely. In order to ensure the security of enterprise intranet resources and not affect the use of enterprise intranet resources by employees, a common solution is to use virtual private network (Virtual Private Network). Network, VPN) remote access technology to achieve remote office. Simply put, a VPN is the basic ability to establish a private network on a public network and encrypt communications to achieve remote access.

To use VPN remote access technology, you need to build a VPN server on the internal network of the enterprise. When employees connect to the Internet in other places, they use the corporate account information to connect to the VPN server through the Internet, and then enter the corporate intranet through the VPN server to obtain corporate intranet resources. The application of VPN remote access technology has the problem of high cost.

The high cost is mainly reflected in the high procurement cost and high maintenance cost of the enterprise. The procurement cost is high. First, a VPN server needs to be deployed. Second, the VPN products and solutions provided by different manufacturers are always incompatible, and equipment from multiple suppliers needs to be purchased. The high maintenance cost is because it is not easy for enterprises to create and deploy VPN lines. It not only involves the link configuration between the VPN server and the VPN terminal, but also needs to build the link between the VPN server and the internal service server. Safe professional technicians. Therefore, in order to obtain network resources, how to reduce costs has become an urgent technical problem to be solved in the current field.

SUMMARY OF THE INVENTION

In order to solve the above technical problems, the present application provides a method, device and related products for acquiring network resources, so as to reduce the cost of acquiring network resources.

The embodiments of the present application disclose the following technical solutions:

In a first aspect, the present application provides a method for acquiring network resources, the method comprising:

After starting safe mode, intercept and parse network resource access requests;

When it is determined that the network resource access request is a request for the first type of resource according to the configuration information of the security mode and the parsed data information, the network resource is requested from the server through the gateway; the configuration information includes the information of the first type of resource accessible in the security mode. information;

When it is determined according to the configuration information and the parsed data information that the network resource access request is a request for the second type of resource, the network resource is directly requested from the server.

In a second aspect, the present application provides a device for acquiring network resources, the device comprising:

The interception module is used to intercept network resource access requests after starting the safe mode;

The parsing module is used to parse the network resource access request intercepted by the intercepting module;

The request type determination module is used to determine the type of the network resource access request according to the configuration information of the security mode and the parsed data information;

The sending module is used for requesting the network resource from the server through the gateway when the request type determining module determines that the network resource access request is a request for the first type of resource; the configuration information includes the information of the first type of resource accessible in the security mode;

The sending module is further configured to directly request the server for network resources when the request type determining module determines that the network resource access request is a request for the second type of resources.

In a third aspect, the present application provides a computer device, the device includes a processor and a memory:

The memory is used to store the program code and transmit the program code to the processor;

The processor is configured to execute the method for acquiring network resources provided by the first aspect according to the instructions in the program code.

For the method, device, and related products for obtaining network resources disclosed in this application, the servers involved can be formed into a blockchain, and the servers are nodes on the blockchain.

In a fourth aspect, the present application provides a computer-readable storage medium, where the computer-readable storage medium is used to store a computer program, and the computer program is used to execute the method for acquiring network resources provided in the first aspect.

As can be seen from the technical solutions of the present application described above, when the security mode is activated, the user will not be allowed to obtain network resources, but the network resource access request needs to be intercepted and parsed first, so as to take targeted measures based on the type of resources requested to access. the sending path. The configuration information in the safe mode includes the information of the first type of resources that can be accessed in the safe mode. According to the parsed data information and the configuration information in the safe mode, the specific information of the resource required to be accessed by the intercepted network resource request can be determined. type. The first type of resources has stricter security access requirements than the second type of resources. Therefore, when it is determined that the network resource access request is a request for the first type of resources, the network resource access request needs to be forwarded to the gateway so that the gateway can manage and control the access request. An access channel for the first type of resource. When it is determined that the network resource access request is a request for the second type of resource, the request does not need to be forwarded to the gateway, and the network resource access request can be directly sent to the server to request the network resource.

In the technical solution of the present application, the data information of the network resource access information is obtained by parsing, the resource type requested for access is determined accordingly, and the request sending path is determined based on the resource type, which can improve the security of access to the first type of resources. By starting the security mode, secure access to the first type of resources and the second type of resources is realized, and the requirements for remote acquisition of network resources are met. In addition, the technical solution does not require a VPN server to be specially configured, thereby reducing costs.

Description of drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following briefly introduces the accompanying drawings required for the description of the embodiments or the prior art. Obviously, the drawings in the following description are only These are some embodiments of the present application. For those of ordinary skill in the art, other drawings can also be obtained based on these drawings without any creative effort.

1A is a schematic diagram of an application scenario of a method for acquiring network resources provided by an embodiment of the present application;

FIG. 1B is a schematic diagram of an application scenario of another method for acquiring network resources provided by an embodiment of the present application;

FIG. 2 is a schematic interface diagram of an exemplary interface of a terminal device in a security mode off state provided by an embodiment of the present application;

3 is a schematic diagram of an exemplary interface of a terminal device in a state where the security mode is enabled according to an embodiment of the present application;

FIG. 4 is a schematic diagram of an exemplary interface after the terminal device 100 performs access in a state where the security mode is off according to an embodiment of the present application;

FIG. 5 is a schematic diagram of an exemplary interface after the terminal device 100 performs access in a state where the security mode is enabled according to an embodiment of the present application;

6 is a schematic flowchart of a method for acquiring network resources provided by an embodiment of the present application;

FIG. 7 is a signaling interaction diagram for starting a security mode according to an embodiment of the present application;

FIG. 8 is a signaling interaction diagram for network resource access provided by an embodiment of the present application;

FIG. 9A is a working principle diagram of an Android VPNService provided by an embodiment of the present application;

9B is a schematic structural diagram of an apparatus for acquiring network resources according to an embodiment of the present application;

10 is a schematic structural diagram of a server provided by an embodiment of the present application;

FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.

Detailed ways

The embodiments of the present application will be described below with reference to the accompanying drawings.

In view of the high cost of deploying a VPN server and related lines when using the VPN remote access technology in the related art, the embodiments of the present application provide a method, device and related products for obtaining network resources to save costs. The method for acquiring network resources provided by this application can be applied to a device having data processing capability for acquiring network resources, such as a terminal device. Wherein, the terminal device may specifically be a smart phone, a desktop computer, a notebook computer, a tablet computer, a smart speaker, a smart watch, etc., but is not limited thereto. In order to facilitate understanding of the technical solutions of the present application, the following describes the method for acquiring network resources provided by the embodiments of the present application in combination with actual application scenarios.

Referring to FIG. 1A , FIG. 1A is a schematic diagram of an application scenario of a method for acquiring network resources provided by an embodiment of the present application. In the application scenario shown in FIG. 1A , the terminal device 100 and the server 200 are included. The terminal device 100 and the server 200 may be directly or indirectly connected through wired or wireless communication, which is not limited in this application.

The terminal device 100 includes a display screen, and a user interface (User Interface, UI) is displayed on the display screen. The user can see the control button displayed on the interface through the display screen, and the user can activate or deactivate the safe mode by performing a preset type of operation on the button. In practical applications, the operations of the preset types can be set according to requirements, such as clicking, sliding, etc., which are not limited here. Furthermore, the type of operation and the time of operation used to activate the safe mode may be the same or different from the type and time of operation used to turn off the safe mode.

FIG. 2 and FIG. 3 are schematic diagrams of exemplary interfaces of the terminal device 100 when the security mode is off and on, respectively, according to an embodiment of the present application. As shown in Figure 2, when the safe mode is off, the interface displays the safe mode off state, see area 2a in Figure 2, and the word "start" is displayed in the area 2b where the button is located to remind the user that by triggering the button, The safe mode of the terminal device 100 is activated at any time. As shown in Figure 3, when the safe mode is on, the interface displays the on state of the safe mode, see area 3a in Figure 3, and the word "off" is displayed in the area 3b where the button is located to remind the user that by triggering the button, Turn off the safe mode of the terminal device 100 at any time.

In the scenario shown in FIG. 1A , a gateway 201 and a business service module 202 are deployed on the server 200 . Safe mode off is mainly used to restrict the terminal device 100 from accessing the first type of resources provided by the server 200 , and safe mode is enabled to ensure the security of the terminal device 100 accessing the first type of resources provided by the server 200 . Access to the second type of resources is not restricted by enabling or disabling Safe Mode. Here, the first type of resource is a resource with higher security requirements than the second type of resource. As an example, the first type of resource is an enterprise intranet resource, such as an enterprise mailbox, an enterprise employee directory, an enterprise training video, a conference reservation portal, and the like. As an example, the second type of resources are resources other than enterprise intranet resources, such as WeChat, QQ mailbox, news pages and other non-office resources (which may also be collectively referred to as entertainment resources). In the embodiment of the present application, neither the first type resource nor the second type resource is limited.

FIG. 4 and FIG. 5 respectively show exemplary interface diagrams after the terminal device 100 performs access when the security mode is off and on. As shown in FIG. 4 , when the security mode is turned off, the user can access the entertainment website https://xw.qq.com/ by using an application such as a browser on the terminal device 100, and the corresponding content of the website will be accessed. Explicitly on the interface, page 4a shows the normally displayed second type of resource. When accessing the internal address of the enterprise http://172.17.0.10:81, the access is unsuccessful, and the interface will display an error message, see page 4b, that is, the first type of resource cannot be accessed. As shown in Figure 5, when the safe mode is activated, when employees use applications such as browsers to access the entertainment website https://xw.qq.com/ or the internal address of the enterprise http://172.17.0.10:81, they can all access , and the corresponding content of the URL will be displayed on the interface, see page 5a and page 5b respectively, that is, both the second type of resources and the first type of resources can be accessed normally.

In the application scenario shown in FIG. 1A , the terminal device 100 provides a UI interface for the user, which can display control buttons related to the security mode and access results to network resources. In addition, the terminal device 100 also plays many roles, including intercepting and parsing network resource access requests after enabling the security mode. The network resource access request may be generated based on the operation of the user of the terminal device 100 . For example, by manipulating the terminal device 100 , the user types a website to be opened in the website search bar; or, according to the settings, the user automatically jumps to the default website by opening the browser. In this embodiment of the present application, there is no restriction on the generation method of the network resource access request.

By intercepting the network resource access request and analyzing the intercepted network resource access request, the terminal device 100 can parse and obtain a variety of data information related to the network resource access request, such as the protocol type, source IP, Source port, destination IP and destination port, etc. Before starting the safe mode, the configuration information of the safe mode is pre-configured on the server 200 . It should be noted that the security mentioned in the security mode is mainly implemented by the gateway 201 in the server 200 part.

In this embodiment of the present application, the gateway 201 deployed in the server 200 is pre-established, and is used to verify the validity of the terminal device 100 when it sends an access request for the first type of resource. The gateway 201 has the right to request a business service from the business module 202 of the server 200 according to the validity check result, or to suspend the aforementioned access request. That is to say, when the access request is specifically a request for the first type of resources, the gateway 201 acts as a transfer station between the terminal device 100 and the service service module 202 . When the business service module 202 returns the business processing result (for example, the first type of resource required by the terminal device 100 ), the gateway 201 will receive it first, and forward it to the terminal device 100 through the gateway 201 . It should be noted that, in this embodiment of the present application, the number of gateways 201 is not limited.

The above configuration information is the basic data for the application of the terminal device 100 to determine whether the employee of the enterprise accesses the first type of resource or the second type of resource, and is also the communication basis between the application of the terminal device 100 and the gateway 201 . Table 1 below describes the field names and meanings in the configuration information.

Table 1 List of field names and corresponding meanings of configuration information

The configuration information of the security mode includes information related to the communication connection between the terminal device 100 and the gateway 201 in the server 200 , such as the information with the field names host and port in the above table 1; it includes the information between the terminal device 100 and the server 200 Information used to verify the legitimacy of the request, such as the information in the field named token in the above table 1; contains the restriction information that needs to be accessed through the gateway 201 to realize the access of the first type of resources, such as the information in the above table 1 with the field name whiteList , hereinafter referred to as the whitelist. The whitelist includes information of the first type of resources that the terminal device 100 can access indirectly through the gateway 201 in the security mode, and can specifically be presented in the form of a list.

It should be noted here that if the terminal device 100 obtains network resources through an IP address, dns resolution is not required; and if the terminal device 100 obtains network resources through a domain name, the domain name needs to be converted into an IP address through DNS resolution first. Then access network resources through the converted IP address. Generally speaking, the domain name of the resource within the enterprise cannot be resolved by the Internet, so it needs to be resolved locally by the application program of the terminal device 100 .

The whitelist is mentioned above. For a request to obtain network resources by IP address, the terminal device 100 can obtain the destination IP through parsing, and the whitelist contains the information of the first type of resources that the terminal device 100 can access in the security mode. (domain name or IP), therefore, the terminal device 100 can determine whether the network resource access request is a request for the first type of resources according to the configuration information of the security mode and the parsed data information. As an example, if the parsed destination IP is in the whitelist and matches a certain IP in the whitelist, it can be determined that the request is a request for the first type of resource. Conversely, if the destination IP is not in the whitelist, and the IP matching the destination IP cannot be queried from the whitelist, it can be determined that the request is not a request for the first type of resource, but a request for the second type of resource. A request, for example, is specifically a request for a certain entertainment resource.

For a request for obtaining network resources by using a domain name, the terminal device 100 may obtain the domain name used in the request by parsing the request. Thereafter, the terminal device 100 locally performs dns resolution on the domain name used in the request to obtain the destination IP. Next, when determining the requested resource type, the destination IP parsed by DNS is matched with the whitelist. If the whitelist only contains the domain name of the resource instead of the IP, in order to avoid matching errors, the configuration information of the security mode can further include a list of domain name system addresses that resolve the domain name in the whitelist. See the field names in Table 1 above. Information for dnsList. The domain names in the whitelist can be converted into address information through dnsList, which facilitates the determination of the requested resource type by combining the destination IP and the converted address information. As an example, if the parsed destination IP matches the address information obtained through dnsList, it means that the destination IP matches the whitelist successfully, and it is determined that the request is a request for the first type of resource. On the contrary, if the parsed destination IP does not match the address information obtained through dnsList, it means that the destination IP fails to match the whitelist, and it is determined that the request is a request for the second type of resource.

In the scenario of this embodiment, based on the different types of resources to which the network resource access request determined by the terminal device 100 is directed, the transmission path of the network resource access request and the return path of the resource are also different. Referring to the scenario shown in FIG. 1A , the server 200 includes the aforementioned gateway 201 and also includes a business service module 202 . The business service module 202 refers to services that process business. When accessing the second type resource, the business service is the service that handles the business logic of the second type resource. When accessing resources of the first type (eg, enterprise intranet resources) through the gateway 201, the business service may also refer to a service that processes business logic for accessing the enterprise intranet resources. In the server 200, the business service module 202 may have services for processing business logic of multiple types of resources, as shown in FIG. 1; Services that handle business logic for different types of resources, respectively.

In FIG. 1A , the path ① indicated by the solid line between the terminal device 100 and the business service module 202 in the server 200 represents the communication mode of the second type of resources between the terminal device 100 and the business service module 202 . In FIG. 1A , the dotted path ② between the terminal device 100 and the gateway 201 and the dotted path ③ between the gateway 201 and the business service module 202 collectively represent the communication mode for the first type of resources.

As can be seen from the scenarios described above, when the security mode is enabled, users will not be allowed to obtain network resources, but network resource access requests need to be intercepted and parsed first, so that targeted sending paths can be taken based on the type of resources requested to be accessed. . The return path of the resource is the opposite of the previous send path. The configuration information in the safe mode includes the information of the first type of resources that can be accessed in the safe mode. According to the parsed data information and the configuration information in the safe mode, the specific information of the resource required to be accessed by the intercepted network resource request can be determined. type. The first type of resource has more stringent security access requirements than the second type of resource, so when it is determined that the network resource access request is a request for the first type of resource, the network resource access request needs to be forwarded to the gateway 201 of the server 200 In order to facilitate the gateway 201 to manage and control the access channel to the first type of resources. When it is determined that the network resource access request is a request for the second type of resources, the request does not need to be forwarded to the gateway 201, and the network resource access request is directly sent to the service service module 202 to request network resources.

In the technical solution of the present application, the data information of the network resource access information is obtained by parsing, and the resource type requested to be accessed is determined accordingly, and the transmission path of the request is determined by the resource type (see path ① and path ②+③ shown in FIG. 1A . ), which can improve the security of access to the first type of resources. Once the security mode is activated, secure access to the first type of resources and the second type of resources can be implemented to meet the requirements for remote acquisition of network resources. In addition, this technical solution does not require a VPN server to be specially configured, and only requires the terminal device 100 and the background server 200 to realize network resource access, thereby reducing costs.

In the scenario shown in FIG. 1 , the gateway 201 and the business service module 202 are deployed on the same server 200 . The present application also provides an application scenario of another method for acquiring network resources. FIG. 1B is a schematic diagram of an application scenario for another method for acquiring network resources. In the application scenario shown in FIG. 1B , different from the server 200 in FIG. 1A , the functions of the gateway 201 and the business service module 202 are implemented by different servers, such as the gateway server 301 and the business server 302 shown in FIG. 1B .

In the foregoing introduction, the functions of the terminal device 100 have been introduced in more detail, which will not be repeated here, and only the differences from the application scenario shown in FIG. 1A will be described. When the resource of the first type needs to be acquired, the terminal device 100 forwards the network resource access request to the gateway server 301, and the gateway server 301 checks the validity of the network resource access request. When the validity check passes, the gateway server 301 The service server 302 is requested for network resources. When the resource of the second type needs to be acquired, the terminal device 100 sends a network resource access request to the service server 302 to request the network resource, and the request and forwarding of the network resource does not pass through the gateway server 301 . In the scenario shown in FIG. 1B , the configuration information includes authentication information used to verify the validity of the request with the terminal device 100 and the gateway server 301 . The data information of the network resource access information is obtained by parsing, and the resource type requested to be accessed is determined accordingly, and the request sending path is determined by the resource type (refer to the path ① requesting the second type resource and path ②+③ requesting the first type shown in FIG. 1B . type one resource), which can improve the security of access to the first type resource.

In the following introduction, a method for acquiring network resources is introduced by taking the scenario shown in FIG. 1A as an example. The acquisition of network resources in the scenario shown in FIG. 1B is similar to that in FIG. 1A , and the corresponding understanding and implementation can be carried out in combination with the following description and differences in server deployment.

FIG. 6 is a schematic flowchart of a method for acquiring network resources provided by an embodiment of the present application, and the method for acquiring network resources may be applied to the terminal device in the scenario shown in FIG. 1A . As shown in Figure 6, the method includes:

S601: Turn on the safe mode.

In the method for acquiring network resources provided by the embodiments of the present application, S601 is not an operation that must be performed every time a network resource is acquired. Specifically, after performing S601 once, if the user does not operate to turn off the safe mode, the terminal device will continue to be in the safe mode in the power-on state, so each acquisition of network resources occurs when the mode is in effect. That is to say, subsequent steps S602 to S605 can be implemented multiple times without repeatedly performing the startup operation for the safe mode.

S602: Intercept and analyze the network resource access request.

The purpose of parsing the network resource access request is to obtain data information related to the network resource access request, such as the destination IP. The parsed data information has been introduced as an example above, and will not be repeated here. After the destination IP is obtained through parsing, it can be used to determine whether the network resource to be accessed belongs to the first type resource in combination with the configuration information of the security mode. That is, it is determined whether to forward to the gateway or directly to the business service module. Specifically, requests for resources of the first type need to be forwarded to the gateway first; requests other than resources of the first type, such as requests for resources of the second type, can be directly sent to the business service module.

S603: Determine whether the network resource access request is a request for the first type of resources according to the configuration information of the security mode and the parsed data information, if yes, go to S604; if not, go to S605.

Specifically, when the parsed data information is successfully matched with the configuration information, it may be determined that the network resource access request is a request for the first type of resource. When the parsed data information does not match the configuration information successfully, it may be determined that the network resource access request is a request for the second type of resource. The configuration information includes information about the first type of resources that can be accessed in safe mode. For details, see the whitelist introduced above.

S604: Forward the network resource access request to the gateway of the server, so that the gateway requests network resources from the service service module of the server.

S605: Determine that the network resource access request is a request for the second type of resources, and send the network resource access request to the service service module to directly request the service service module for network resources.

In combination with S604 to S605, in the method for acquiring network resources provided by the embodiments of the present application, the access request for the second type of resource is not processed, and the access request for the first type of resource (for example, the enterprise intranet resource) needs to go through the gateway Validity verification is performed to ensure the validity and security of the request and prevent the first type of resources from being illegally stolen. As mentioned above, the configuration information includes the authentication information of the token field, which is agreed in advance by the terminal device and the server. The authentication information can be encapsulated into the request header of the network resource access request forwarded to the gateway, so that the gateway in the server can After receiving the request, the validity is checked based on the authentication information. Only when the validity check of the network resource access request is passed by the gateway, the network resource is requested from the business service module. If the gateway verifies that the network resource access request is illegal, it can abort the access request without further requesting the service of the business service module.

It can be seen that, in the embodiment of the present application, through the setting and control of the gateway, the security of acquiring network resources is enhanced, especially the security of accessing the first type of resources is enhanced, and the risk of the first type of resources being illegally stolen is reduced. In addition, through the setting of the configuration information, the domain name or IP address of the resource required for high security access is restricted, which facilitates the determination of whether the request for obtaining the network resource needs to be forwarded. Therefore, configuration information has become another checkpoint in addition to the gateway to improve the security of resource access.

In the related technologies of remote access through VPN servers, it is often difficult for enterprises to finely manage the rights of employees to access resources within the enterprise: as long as employees have VPN account information, they can access all resource information within the enterprise, which may easily lead to data leakage within the enterprise. and other security issues. However, in the embodiment of the present application, this problem does not exist, and the reasons are as follows:

Taking the first type of resource as an example of an enterprise internal resource, as shown in Table 1, when the address of the internal enterprise resource is in the whiteList list, it indicates that the employee can access the internal enterprise resource. The configuration of this whiteList list is completed in the enterprise management background, and supports configuration for each employee. That is, after different enterprise employees log in to the terminal device 100, the configuration information pulled by the terminal device 100 is different, depending on the identity of the enterprise employee. . In this way, refined management of employees' access to internal resources of the enterprise can be achieved. That is to say, in the embodiment of the present application, the configuration information in the server may be configured specifically according to the user identity, and at the same time, individualized configuration is embodied, thereby reducing potential security risks.

For example, employee A belongs to the HR department, and the whiteList configuration is the internal resources related to human resources. If the access request matches the whitelist, employee A can access the internal resources related to human resources; employee B belongs to the technical department, and the whiteList Configuration is an internal resource related to technology development. If the access request matches the whitelist, employee B can access internal resources related to technology development. Since employee A has not allocated internal resources related to technology development, employee A cannot access the internal resources related to technology development of his company. Similarly, if the enterprise administrator does not configure HR-related internal resources for employee B, employee B cannot access HR-related internal resources either.

From the perspective of user experience, in the past technology, for security reasons, enterprises will provide an exclusive VPN terminal application for VPN connection. The general operating experience of this application will be very poor. Employees need to enter VPN account information every time they remotely access the internal network of the enterprise. When employees open the access to internal resources of the enterprise, if they need to use WeChat, news and other entertainment at this time, they also need to actively close the channel for accessing internal resources of the enterprise. As a result, the switching operation is complicated, and the process of acquiring network resources is not smooth.

If you use VPN server-related technologies to access network resources, there are security issues. First, enterprises generally purchase VPN services from third-party companies and cannot directly control the reliability and performance of the VPN, which is prone to security risks; second, the VPN servers deployed on the enterprise's internal network are easily attacked by hackers. The implementation of the technical solutions in the embodiments of the present application may be encapsulated in a software defined boundary (Software Defined Perimeter, SDP) software development kit (Software Development Kit, SDK). SDP is a new generation of network security technology architecture based on the concept of Zero Trust proposed by the International Cloud Security Alliance CSA in 2013. In view of the security of the SDP architecture, the acquisition of network resources based on the SDP software development kit has higher security than deploying a VPN server, and can reduce the security risk of acquiring intranet resources. In the embodiment of the present application, innovation is made on the basis of this architecture, and a new SDP SDK is formed. For the convenience of distinction, this toolkit is hereinafter referred to as TSDP SDK for short. Wherein, T is used as an identifier that is different from the SDP SDK in the related art.

In the TSDP SDK, it is provided to terminal applications in the form of SDK. At present, Tencent's products that integrate TSDPSDK internally include T-Sec SDP. The T-Sec SDP product implements traffic interception based on the VPNService service of the Android platform, and then matches the intercepted traffic information with the configuration information provided by the back-end server, thus realizing seamless switching between enterprise employees' leisure and entertainment and secure office work. Function. VPNService is the basic capability for application extension and VPN solution construction under the Android platform. Typically a virtual network interface is created, addresses and routing rules are configured, and the file descriptor is returned to the application. Based on the VPNService service, each application can realize the function of remote access by processing and exchanging data packets with the remote server on the tunnel. T-Sec SDP products enable:

1) Enterprise employees (ie, users of terminal devices) can actively control the switch of the security mode, see Figure 2 and Figure 3 . When the safe mode is activated, the seamless switching between leisure and entertainment and safe office can be achieved without any perception in the whole process, and there is no longer the problem of unsmooth access to different types of resources. When the safe mode is turned off, only entertainment resources can be accessed, and internal office resources of the enterprise cannot be accessed.

2) The enterprise can configure the information in the enterprise management background to realize the refined management of the internal access resources of the enterprise, and the terminal device will perform matching processing according to the information configured in the enterprise management background.

It can be seen that at a lower cost, enterprises can use T-Sec SDP products or other products integrated with TSDP SDK to ensure the security of employees' remote access to internal resources of the enterprise through terminal devices. Employees only need to use terminal devices equipped with the above products to seamlessly switch between entertainment and work. The switching access to different types of resources and the fluency of simultaneous access are greatly improved, thereby improving user experience.

It should be noted that the implementation of operations such as interception, parsing, and forwarding mentioned in the technical solutions provided in the embodiments of the present application are not limited to terminal devices on the Android platform, and can also provide remote access functions for terminal devices on other platforms to ensure multiple types of The smooth switching of resources, smooth access, and ensuring the access security of important resources. Since the core functions such as traffic interception and traffic forwarding in this technical solution are encapsulated in the TSDP SDK and can be provided to third-party companies, it is universal.

The technical solution for realizing the switching access of the two types of resources is comprehensive and complex, and specifically involves the terminal device and the server. For ease of understanding, the implementation process of acquiring network resources provided by this embodiment is described below with reference to a signaling diagram, which mainly includes: a process of starting the security mode (see FIG. 7 ) and a process of accessing network resources (see FIG. 8 ). The process of starting the safe mode may also be referred to as a process of initializing the safe mode.

Terminal equipment includes: business module and TSDP SDK module; business module includes UI layer, TSDP SDK module includes: software-defined boundary service class (abbreviation: TSDP service class), virtual private network service class (abbreviation: TVPNService service class), transmission control Protocol proxy service class (abbreviation: TcpProxyServer service class) and domain name system proxy service class (abbreviation: DnsProxy service class). Among them, the function of the letter "T" at the front of the name of the TSDP service class and the TVPNService service class is similar to that of the letter "T" in the TSDP SDK, which are used to distinguish the software-defined boundary SDP service class and the virtual private network described in the related art VPNService service class. The background server is divided into gateway and business service module.

The following introduces the TSDP service class, the TVPNService service class, the TcpProxyServer service class and the DnsProxy service class. The TSDP service class provides an external interface, allows UI layer calls, can pull the configuration and store the configuration information in the memory. Various requests are data packets in the underlying implementation, and the TVPNService service class is used to parse the data packets. The TcpProxyServer service class is used to monitor socket socket requests on the local network, read and write data packets to socket operations, and can also be used to forward data packets. The DnsProxy service class is used to resolve the domain name of network resource access requests.

Combined with the signaling interaction diagram shown in Figure 7, the process of starting the security mode includes the following operations:

S701: According to a user's triggering operation of a button on a terminal device, enable a security mode on a UI interface.

S702: Call the TSDP service class of the TSDP SDK to initialize the TSDP service class.

S703: The TSDP service class pulls the configuration information of the security mode.

See Table 1 and related descriptions for the content of the configuration information, which is not repeated here. It should be noted that the configuration information of the safe mode at the server has already been pulled to the local terminal device before the safe mode is started. In this step, the TSDP service class specifically pulls the configuration information from the server locally.

S704: After the configuration information is successfully pulled, start the TVPNService service class according to the configuration information, and initialize the TVPNService service class.

Among them, initializing the TVPNService service class includes but is not limited to: setting the gateway's IP, Port, DNS, and intercepting applications and other information.

S705: After the TVPNService service class is successfully started, the TcpProxyServer service class is started.

S706: After the TcpProxyServer service class succeeds, the DnsProxy service class will be enabled.

S707: After all the service classes are successfully opened, the UI layer is notified through the interface, so that the UI layer can display the UI view according to the successful opening of all the service classes.

As an example implementation of S707, the state where the security mode is turned on can be displayed in the area 3a shown in FIG. 3 .

With reference to the signaling interaction diagram shown in FIG. 8 , the process of acquiring network resources includes the following operations. The execution of S801 to S806 does not distinguish the specific resource type pointed to by the access request, and S807 to S813 are for the first type of resources after S806 is executed. The specific operations for accessing, S814 to S818 are specific operations for accessing the second type of resources after S806 is executed. In FIG. 8 , an introduction is made in the signaling interaction mode of each component of the terminal device and each component of the server.

S801: Generate a network resource access request.

With reference to the foregoing description, the network resource access request may be specifically generated according to the user's operation on the terminal device. For example, the operation of entering a domain name to search, or the operation of triggering a specific button to jump to a webpage, etc., are not limited here.

S802: The TVPNService service class intercepts the network resource access request and parses the data packet of the request.

The parsed data information includes but is not limited to: the protocol type, source IP, source port, destination IP and destination port of the network resource access request.

It should be noted here that, if the access to the network resource is requested through IP, S802 can directly resolve the destination IP. However, if the access to the network resource is specifically requested through a domain name, S803 to S804 need to be executed to obtain the destination IP through DNS resolution of the domain name.

S803: When the TVPNService service class determines that the data packet is a User Datagram Protocol (UDP) packet, and the port number corresponding to the UDP packet is 53, determine that the network resource access request is a dns resolution request, and use the DnsProxy service class Perform dns resolution.

If the data packet is a UDP packet and the port number is 53, it means that the network resource is obtained through the domain name. To this end, S803 needs to be executed, and the DnsProxy service class performs dns analysis to obtain the requested IP address, that is, the destination IP. During the parsing process, the dnsList data in the configuration information can be traversed, and the matching result can be obtained by matching the dnsList. After that, S804 can be executed, and the DnsProxy service class returns the parsed destination IP to the TVPNService service class.

S804: The DnsProxy service class returns the resolved IP address corresponding to the domain name of the network resource access request to the TVPNService service class as the destination IP of the request.

In combination with the above description, if the network resource is obtained through the IP address, S803 to S804 do not need to be executed. That is to say, whether the execution of S803 to S804 is related to the access mode, rather than a link that must be executed every time a network resource request is intercepted.

In order to facilitate the monitoring of the TcpProxyServer service class and the communication between the terminal device and the gateway, the TVPNService service class needs to first send the data packets to the TcpProxyServer service class. The original destination port and destination IP do not point to the TcpProxyServer service class. Therefore, S805 needs to be performed to modify the destination port and destination IP so that the data packet can be successfully sent to the TcpProxyServer service class.

S805: The TVPNService service class determines that the data packet of the network resource access request is a Transmission Control Protocol (TCP) uplink packet, modifies the destination IP and destination port, and creates a local socket link to forward the network resource access request to the TcpProxyServer service class.

S806: After the TcpProxyServer service class monitors the socket forwarding request provided by the TVPNService service class, it obtains the destination IP from it, so as to use the destination IP to determine whether it matches the configuration information.

It should be noted that, in the initialization process, the TSDP service class pulls the configuration information, and several other service classes such as the TcpProxyServer service class and the DnsProxy service class can also obtain the configuration information.

The following describes the process of accessing the first type of resource after S806 is executed in conjunction with S807-S813.

S807: The data information parsed from the network resource access request is successfully matched with the configuration information, and a new network request is created. The request header will encapsulate the target IP and target port, as well as the token data in the configuration information, and then send it to the host of the configuration information. The gateway corresponding to the port.

Communication between the TcpProxyServer service class and the gateway is also established through network requests, and the network resource access request described in S801 cannot be reused. Therefore, a new network request needs to be created. The way to create a new network request can be the HTTP CONNECT way. A pair of host and port corresponds to a gateway. The encapsulated token data, that is, the authentication information, can be used by the gateway to verify the validity.

It should be noted that the new network request is consistent with the resource type and resource content requested by the previously described network resource access request.

S808: The gateway passes the validity check of the network request sent by the TcpProxyServer service class, and then requests the business service module for the business service.

S809: The business service module returns the result of the business service to the gateway.

S810: The gateway returns the business service result of the business service module to the TcpProxyServer service class.

S811: The TcpProxyServer service class monitors the socket network resource data returned by the gateway, determines that it is a TCP downlink packet, and modifies the source IP and source port of the TCP downlink packet to the destination IP and destination port of the aforementioned network resource access request, respectively.

The modification operation in this step corresponds to the modification operation in S805. If the modification operation in this step is not performed, the data is returned from the TcpProxyServer service class to the TVPNService service class, and the virtual network card created by the TVPNService service class will determine that the data is not the return result corresponding to the data sent before. Therefore, it will eventually lead to data not being returned to the UI layer. By modifying the source IP and source port of the TCP downlink packet to the destination IP and destination port of the aforementioned network resource access request, the TVPNService service class can accept the TCP downlink packet with the changed source IP and source port, thereby completing the smooth return of resource data.

S812: The TcpProxyServer service class returns the modified TCP downlink packet to the TVPNService service class.

S813: The TVPNService service class returns the modified TCP downlink packet to the UI layer.

When this step is specifically implemented, it can be sent to the TSDP service class first, and then sent back to the UI layer from the TSDP service class.

The following describes the process of accessing the second type of resources after S806 is executed in conjunction with S814 to S818.

S814: The TcpProxyServer service class fails to match the data information parsed by the network resource access request with the configuration information, and sends the network resource access request to the business service module.

S815: The business service module returns the result of the business service to the TcpProxyServer service class.

S816: The TcpProxyServer service class monitors the socket network resource data returned by the business service module, determines that it is a TCP downlink packet, and modifies the source IP and source port of the TCP downlink packet to the destination IP and destination port of the aforementioned network resource access request.

The execution reason of this step is basically the same as that of S811, so it will not be repeated here. Please refer to the relevant explanation and description of S811 above.

S817: The TcpProxyServer service class returns the modified TCP downlink packet to the TVPNService service class.

S818: The TVPNService service class returns the modified TCP downlink packet to the UI layer.

When this step is specifically implemented, it can be sent to the TSDP service class first, and then sent back to the UI layer from the TSDP service class.

The final UI layer can display the network resources provided by the server through the UI interface displayed on the screen of the terminal device, and the network resources match the network resource access request mentioned above.

In the above-described embodiments, the interception operation for network resource access requests is mentioned. The implementation of the interception process is exemplarily described below. In this example, the interception scheme for network resource access requests is developed based on the AndroidVPNService service. The main function is to manage and control the network request of the terminal application. The working principle diagram of Android VPNService is shown in Figure 9A.

The process of the application (Application, APP) sending network requests to the VPN gateway (gateway) and the gateway returning data to the APP are actually reciprocal, so the workflow of AndroidVPNService will be explained by taking the APP sending network requests to the gateway as an example:

1) The App uses the socket socket to send the corresponding data packet to the real network Systemnetwork of the terminal device.

2) The Android system forwards all data packets to the Local TUNinterface virtual network device through iptables (an IP packet filtering system integrated with the Linux kernel) using Network Address Translation (NAT);

3) The VPNService service of the personal App can obtain all IP packets forwarded to the Local TUN interface virtual network device by opening the /dev/tun device and reading the data on the device;

4) The VPNService service of the personal App can do some processing on the data, and then send the processed data packets through the real network device using the Protected Socket method. The final destination is VPNgateway, that is, the gateway of the background server.

From the above description, all network request data packets or network return data packets of APP will pass through the Android VPNService service, so as long as the data packets are intercepted and parsed based on the Android VpnService service, the network traffic can be intercepted.

On the basis of the method for acquiring network resources provided by the foregoing embodiments, correspondingly, the present application also provides an apparatus for acquiring network resources. The apparatus may be implemented on the terminal device 100 in the scenarios shown in FIG. 1A and FIG. 1B . The implementation of the device will be introduced and described below with reference to the accompanying drawings and embodiments.

Referring to FIG. 9B , this figure is a schematic structural diagram of an apparatus for acquiring network resources provided by an embodiment of the present application. As shown in FIG. 9B, the apparatus 900 for acquiring network resources includes:

An interception module 901, configured to intercept a network resource access request after starting the safe mode;

A parsing module 902, configured to parse the network resource access request intercepted by the intercepting module 901;

A request type determination module 903, configured to determine the type of the network resource access request according to the configuration information of the security mode and the parsed data information;

The sending module 904 is configured to request the network resource from the server through the gateway when the request type determination module 903 determines that the network resource access request is a request for the first type of resource; the configuration information includes the information available in the security mode. information on the first type of resources accessed;

The sending module 904 is further configured to request a network resource from the server when the request type determining module 903 determines that the network resource access request is a request for a second type of resource.

The device obtains the data information of the network resource access information through analysis, determines the resource type requested to be accessed, and determines the request sending path based on the resource type, which can improve the security of access to the first type of resources. Once the security mode is activated, secure access to the first type of resources and the second type of resources can be implemented to meet the requirements for remote acquisition of network resources. In addition, the technical solution does not require a VPN server to be specially configured, thereby reducing costs.

As a possible implementation, the request type determination module includes:

a first determining unit, configured to determine that the network resource access request is a request for a first type of resource when the parsed data information is successfully matched with the configuration information;

A second determining unit, configured to determine that the network resource access request is a request for a second type of resource when the parsed data information does not match the configuration information successfully.

The requested resource type is determined based on the matching between the parsed data information and the pre-acquired configuration information, which can improve the accuracy of the determined resource type, thereby ensuring access security. In addition, the configuration information can be set according to the user's identity, so it is more flexible, suitable for personalized access of users with different identities, and further improves the security of resource access.

As a possible implementation manner, the configuration information further includes: the network resource access request and the authentication information of the server;

The sending module 904 includes: a first sending unit, configured to create a new network resource according to the parsed data information when the request type determination module determines that the network resource access request is a request for a first type of resource. a network resource access request, and encapsulate the authentication information in the request header of the new network resource access request, so that the gateway can verify the validity of the network resource access request according to the authentication information;

The gateway is configured to request the network resource from the server when the validity check of the network resource access request by the gateway is passed.

Through the configuration of authentication information, the gateway can effectively verify the validity and avoid requesting business services based on illegal requests. In this way, the security of acquiring network resources is improved.

As a possible implementation manner, the device 900 for acquiring network resources is implemented by a software-defined boundary software development kit TSDP SDK; the TSDP SDK includes: software-defined boundary service class, virtual private network service class, and transmission control protocol proxy service class and domain name system proxy services;

The apparatus 900 for acquiring network resources further includes: an initialization module for starting the safe mode. The initialization module includes:

a first initialization unit, configured to call the software-defined boundary service class for initialization, and pull the configuration information through the software-defined boundary service class;

a second initialization unit, configured to enable the virtual private network service class according to the configuration information, and initialize the virtual private network service class;

a third initialization unit, configured to start the transmission control protocol proxy service class;

The fourth initialization unit is used to start the domain name system proxy service class.

Using the initialization module, before the access request arrives, the terminal device can be adjusted to be in the safe mode, so that each service class is in a workable state.

As a possible implementation manner, the initialization module of the apparatus 900 for acquiring network resources further includes:

A sending unit, configured to send the result of the successful opening of the software-defined boundary service class, the virtual private network service class, the transmission control protocol proxy service class, and the domain name system proxy service class to the user interface UI layer, so as to The UI layer is caused to display on the interface the result that the safe mode has been activated.

By notifying the UI layer, the user can observe the result that the security mode has been activated on the display screen of the terminal device, so that the user can initiate a request in real time on the basis of knowing the result, improving the efficiency of the user accessing the first type of resources.

As a possible implementation manner, the parsed data information includes: a protocol type, source IP, source port, destination IP, and destination port of the network resource access request.

As a possible implementation manner, the apparatus 900 for acquiring network resources further includes:

The first modification module is configured to, before matching the parsed data information with the configuration information, when the virtual private network service class determines that the data packet of the network resource access request is a transmission control protocol TCP uplink packet When , modify the destination IP and the destination port through the virtual private network service class;

A link creation module for creating a local socket link according to the destination IP and destination port modified by the first modification module;

a forwarding module, configured to forward the network resource access request created by the link creation module to the transmission control protocol proxy service class;

The monitoring module is configured to obtain the destination IP from the socket forwarding request provided by the virtual private network service class, so as to use the destination IP to determine whether it matches the configuration information.

By modifying the destination IP and destination port, the access request can be forwarded to the transmission control protocol proxy service class, thereby facilitating the transmission control protocol proxy service class to perform monitoring work related to the request.

As a possible implementation manner, the monitoring module of the apparatus 900 for acquiring network resources is further configured to monitor the socket network resource data returned by the gateway or the business service module (for the scenario shown in FIG. 1B , monitoring the gateway server or business services The socket network resource data returned by the server);

The apparatus 900 for acquiring network resources further includes:

A second modification module, configured to modify the source IP and source port of the TCP downlink packet to the destination IP and the source port when the transmission control protocol proxy service class determines that the socket network resource data is a TCP downlink packet destination port;

The first return module is used for the transmission control protocol proxy service class to return the modified TCP downlink packet to the virtual private network service class, so as to return to the software-defined boundary service class through the virtual private network service class, and then Return from the software-defined boundary service class to the UI layer of the user interface, so that the UI layer displays the network resources provided by the server on the interface.

Through the modification of the second module, the disapproval of the returned result by the virtual private network service class is avoided. Ensure the smooth transmission of the requested data resources.

As a possible implementation manner, the configuration information further includes: a domain name system list, where the domain name system list includes IP addresses corresponding to domain names of the first type of resources accessible in the security mode;

The parsing module 902 of the apparatus 900 for acquiring network resources includes:

A parsing and determining unit, configured to determine the network when the virtual private network service class parsing determines that the data packet of the network resource access request is a user data packet protocol UDP packet, and the port number corresponding to the UDP packet is 53 The resource access request is a DNS resolution request;

a traversal unit, used for the domain name system proxy service class to traverse the domain name system list according to the UDP packet;

The returning unit is configured to return the IP address to the virtual private network service class as the destination IP after the traversing unit finds the IP address corresponding to the domain name of the network resource access request.

As a possible implementation manner, the first type of resource is an enterprise intranet resource, and the second type of resource is another resource other than the enterprise intranet resource.

In this implementation manner, the access security to the intranet resources of the enterprise is guaranteed, and the two types of resources can be accessed by switching or at the same time, the operation is smoother, and the user experience is improved.

As a possible implementation manner, the apparatus 900 for acquiring network resources further includes:

The access denial module is used to deny access to the first type of resources when the security mode is turned off.

As a possible implementation manner, the startup and shutdown of the safe mode are implemented through buttons displayed on the interface by the UI layer of the user interface. User-friendly viewing and control.

The embodiment of the present application further provides a computer device, and the computer device provided by the embodiment of the present application will be introduced below from the perspective of hardware materialization.

Referring to FIG. 10, FIG. 10 is a schematic structural diagram of a server provided by an embodiment of the present application. The server 1400 may vary greatly due to different configurations or performance, and may include one or more central processing units (CPUs) 1422 (eg, one or more processors) and memory 1432, one or more storage media 1430 (eg, one or more mass storage devices) storing applications 1442 or data 1444. Among them, the memory 1432 and the storage medium 1430 may be short-term storage or persistent storage. The program stored in the storage medium 1430 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the server. Furthermore, the central processing unit 1422 may be configured to communicate with the storage medium 1430 to execute a series of instruction operations in the storage medium 1430 on the server 1400 .

Server 1400 may also include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input and output interfaces 1458, and/or, one or more operating systems 1441, such as Windows Server™, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM and so on.

The steps performed by the server in the above embodiment may be based on the server structure shown in FIG. 10 . The server may be the server 200 shown in FIG. 1A or the gateway server 301 shown in FIG. 1B . The operations performed by 1422 in the server are described below with the scenario shown in FIG. 1A .

Among them, the CPU 1422 is used to perform the following steps:

When the network resource access request sent by the terminal device is a request for the first type of resources, the network resource access request is checked for validity through the gateway; when the validity check is passed, the business service module is requested for business services; through the gateway Receive the result returned by the business service module, and return the result to the terminal device.

The CPU 1422 is also used to perform the following steps:

When the network resource access request sent by the terminal device is a request for resources of the second type, the request is processed by the service service module, and the processing result is returned to the terminal device.

For the method for obtaining network resources described above, the embodiments of the present application further provide a terminal device for obtaining network resources, so that the above method for obtaining network resources can be implemented and applied in practice.

Referring to FIG. 11 , FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application. For the convenience of description, only the parts related to the embodiments of the present application are shown, and the specific technical details are not disclosed, please refer to the method part of the embodiments of the present application. The terminal device can be any terminal device including a mobile phone, a tablet computer, a personal digital assistant (Personal Digital Assistant, PDA for short), etc. The terminal device is a mobile phone as an example:

FIG. 11 is a block diagram showing a partial structure of a mobile phone related to a terminal device provided by an embodiment of the present application. Referring to FIG. 11 , the mobile phone includes: a radio frequency (Radio Frequency, RF for short) circuit 1510, a memory 1520, an input unit 1530, a display unit 1540, a sensor 1550, an audio circuit 1560, a wireless fidelity (wireless fidelity, WiFi for short) module 1570, The processor 1580, the power supply 1590 and other components. Those skilled in the art can understand that the structure of the mobile phone shown in FIG. 11 does not constitute a limitation on the mobile phone, and may include more or less components than the one shown, or combine some components, or arrange different components.

The following describes the various components of the mobile phone in detail with reference to Figure 11:

The RF circuit 1510 can be used for receiving and sending signals during the process of sending and receiving information or talking. In particular, after receiving the downlink information of the base station, it is processed by the processor 1580; in addition, it sends the designed uplink data to the base station. Generally, the RF circuit 1510 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (Low Noise Amplifier, LNA for short), a duplexer, and the like. In addition, RF circuitry 1510 may also communicate with networks and other devices via wireless communications. The above-mentioned wireless communication can use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM for short), General Packet Radio Service (GPRS for short), Code Division Multiple Access (Code Division Multiple Access) Division Multiple Access (CDMA for short), Wideband Code Division Multiple Access (WCDMA for short), Long Term Evolution (LTE for short), email, Short Messaging Service (Short Messaging Service, SMS for short), etc.

The memory 1520 may be used to store software programs and modules, and the processor 1580 implements various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 1520 . The memory 1520 may mainly include a stored program area and a stored data area, wherein the stored program area may store an operating system, an application program (such as a sound playback function, an image playback function, etc.) required for at least one function, and the like; Data created by the use of the mobile phone (such as audio data, phone book, etc.), etc. Additionally, memory 1520 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.

The input unit 1530 may be used for receiving inputted numerical or character information, and generating key signal input related to user setting and function control of the mobile phone. Specifically, the input unit 1530 may include a touch panel 1531 and other input devices 1532 . The touch panel 1531, also known as a touch screen, can collect the user's touch operations on or near it (such as the user's finger, stylus, etc., any suitable object or accessory on or near the touch panel 1531). operation), and drive the corresponding connection device according to the preset program. Optionally, the touch panel 1531 may include two parts, a touch detection device and a touch controller. Among them, the touch detection device detects the user's touch orientation, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and then sends it to the touch controller. To the processor 1580, and can receive the command sent by the processor 1580 and execute it. In addition, the touch panel 1531 can be realized by various types of resistive, capacitive, infrared, and surface acoustic waves. Besides the touch panel 1531 , the input unit 1530 may also include other input devices 1532 . Specifically, other input devices 1532 may include, but are not limited to, one or more of physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, joysticks, and the like.

The display unit 1540 may be used to display information input by the user or information provided to the user and various menus of the mobile phone. The display unit 1540 may include a display panel 1541 . Optionally, the display panel 1541 may be configured in the form of a liquid crystal display (LCD for short), an organic light-emitting diode (OLED for short). Further, the touch panel 1531 may cover the display panel 1541. When the touch panel 1531 detects a touch operation on or near it, it transmits it to the processor 1580 to determine the type of the touch event, and then the processor 1580 determines the type of the touch event according to the touch event. Type provides corresponding visual output on display panel 1541. Although in FIG. 11, the touch panel 1531 and the display panel 1541 are used as two independent components to realize the input and input functions of the mobile phone, in some embodiments, the touch panel 1531 and the display panel 1541 can be integrated to form a Realize the input and output functions of the mobile phone.

The cell phone may also include at least one sensor 1550, such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1541 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 1541 and/or when the mobile phone is moved to the ear. or backlight. As a kind of motion sensor, the accelerometer sensor can detect the magnitude of acceleration in all directions (usually three axes), and can detect the magnitude and direction of gravity when it is stationary. games, magnetometer attitude calibration), vibration recognition related functions (such as pedometer, tapping), etc.; as for other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc. Repeat.

The audio circuit 1560, the speaker 1561, and the microphone 1562 can provide an audio interface between the user and the mobile phone. The audio circuit 1560 can convert the received audio data into an electrical signal, and transmit it to the speaker 1561, and the speaker 1561 converts it into a sound signal for output; on the other hand, the microphone 1562 converts the collected sound signal into an electrical signal, which is converted by the audio circuit 1560 After receiving, it is converted into audio data, and then the audio data is output to the processor 1580 for processing, and then sent to, for example, another mobile phone through the RF circuit 1510, or the audio data is output to the memory 1520 for further processing.

WiFi is a short-distance wireless transmission technology. The mobile phone can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 1570. It provides users with wireless broadband Internet access. Although FIG. 11 shows the WiFi module 1570, it can be understood that it is not a necessary component of the mobile phone, and can be completely omitted as required within the scope of not changing the essence of the invention.

The processor 1580 is the control center of the mobile phone, using various interfaces and lines to connect various parts of the entire mobile phone, by running or executing the software programs and/or modules stored in the memory 1520, and calling the data stored in the memory 1520. Various functions of the mobile phone and processing data, so as to monitor the mobile phone as a whole. Optionally, the processor 1580 may include one or more processing units; preferably, the processor 1580 may integrate an application processor and a modem processor, wherein the application processor mainly processes the operating system, user interface, and application programs, etc. , the modem processor mainly deals with wireless communication. It can be understood that, the above-mentioned modulation and demodulation processor may not be integrated into the processor 1580.

The mobile phone also includes a power supply 1590 (such as a battery) that supplies power to various components. Preferably, the power supply can be logically connected to the processor 1580 through a power management system, so as to manage charging, discharging, and power consumption management functions through the power management system.

Although not shown, the mobile phone may also include a camera, a Bluetooth module, and the like, which will not be repeated here.

In this embodiment of the present application, the memory 1520 included in the mobile phone may store program codes, and transmit the program codes to the processor.

The processor 1580 included in the mobile phone can execute the method for acquiring network resources provided by the foregoing embodiments according to the instructions in the program code.

For the method, device, and related products for obtaining network resources disclosed in this application, the servers involved can be formed into a blockchain, and the servers are nodes on the blockchain.

Embodiments of the present application further provide a computer-readable storage medium for storing a computer program, where the computer program is used to execute the method for acquiring network resources provided by the foregoing embodiments.

Embodiments of the present application also provide a computer program product or computer program, where the computer program product or computer program includes computer instructions, and the computer instructions are stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the method for acquiring network resources provided in various optional implementation manners of the foregoing aspects.

Those of ordinary skill in the art can understand that all or part of the steps of implementing the above method embodiments can be completed by program instructions related to hardware, and the aforementioned program can be stored in a computer-readable storage medium. When the program is executed, the execution includes: The steps of the above method embodiment; and the aforementioned storage medium may be at least one of the following media: read-only memory (English: read-only memory, abbreviation: ROM), RAM, magnetic disk or optical disk and other various storage media medium of program code.

It should be noted that each embodiment in this specification is described in a progressive manner, and the same and similar parts between the various embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. place. In particular, for the device and system embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for related parts. The device and system embodiments described above are only schematic, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

The above is only a specific embodiment of the present application, but the protection scope of the present application is not limited to this. Substitutions should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims (15)

1. a method for obtaining network resources, is characterized in that, comprises: After starting safe mode, intercept and parse network resource access requests; When it is determined according to the configuration information of the security mode and the parsed data information that the network resource access request is a request for the first type of resource, the network resource is requested from the server through the gateway; the configuration information includes the security mode information on accessible first-type resources; When it is determined according to the configuration information and the parsed data information that the network resource access request is a request for resources of the second type, the network resource is directly requested from the server. 2. The method according to claim 1, wherein The determining according to the configuration information of the security mode and the parsed data information that the network resource access request is a request for the first type of resource includes: When the parsed data information is successfully matched with the configuration information, determine that the network resource access request is a request for a first-type resource; The determining according to the configuration information and the parsed data information that the network resource access request is a request for the second type of resources includes: When the parsed data information fails to match the configuration information, it is determined that the network resource access request is a request for a second type of resource. 3. The method according to claim 1, wherein the server is a service server, and the gateway is deployed on the gateway server; The configuration information further includes: the authentication information of the network resource access request and the gateway server; The requesting network resources from the server through the gateway includes: A new network resource access request is created according to the parsed data information, and the authentication information is encapsulated in the request header of the new network resource access request, so that the gateway server can use the authentication information to The network resource access request is checked for validity; When the validity check of the network resource access request by the gateway server is passed, a network resource is requested from the service server. 4. The method according to claim 1, wherein the gateway is also deployed on the server, and the server is further deployed with a business service module, and the business service module is used to provide business services; The configuration information further includes: the network resource access request and the authentication information of the server; The requesting network resources from the server through the gateway includes: A new network resource access request is created according to the parsed data information, and the authentication information is encapsulated in the request header of the new network resource access request, so that the gateway can use the authentication information to Check the validity of the above-mentioned network resource access request; When the validity check of the network resource access request is passed by the gateway, the gateway requests network resources from the service service module. 5. The method according to claim 1, wherein the method is implemented by a software-defined boundary software development kit TSDP SDK; the TSDP SDK comprises: software-defined boundary service class, virtual private network service class, transmission control Protocol proxy service class and domain name system proxy service class; The booting in safe mode includes: calling the software-defined boundary service class for initialization, and pulling the configuration information through the software-defined boundary service class; Enable the virtual private network service class according to the configuration information, and initialize the virtual private network service class; Open the transmission control protocol proxy service class; Open the domain name system proxy service class. 6. The method of claim 5, further comprising: Send the result that the software-defined boundary service class, the virtual private network service class, the transmission control protocol proxy service class, and the domain name system proxy service class are successfully opened to the user interface UI layer, so that the UI layer The result that the safe mode has been activated is displayed on the interface. 7 . The method according to claim 5 , wherein the parsed data information comprises: a protocol type, source IP, source port, destination IP and destination port of the network resource access request. 8 . 8. The method of claim 7, wherein Before matching the parsed data information with the configuration information, the method further includes: When the virtual private network service class determines that the data packet of the network resource access request is a transmission control protocol TCP uplink packet, the virtual private network service class modifies the destination IP and the destination port to create a local socket link forwarding the network resource access request to the transmission control protocol proxy service class; After the transmission control protocol proxy service class monitors the socket forwarding request provided by the virtual private network service class, the destination IP is obtained therefrom, so as to use the destination IP to determine whether it matches the configuration information. 9. The method according to claim 8, wherein after requesting network resources from the server, the method further comprises: The transmission control protocol proxy service class monitors the returned socket network resource data; When the transmission control protocol proxy service class determines that the socket network resource data is a TCP downlink packet, modify the source IP and source port of the TCP downlink packet to the destination IP and the destination port; The transmission control protocol proxy service class returns the modified TCP downlink packet to the virtual private network service class, so as to be returned to the software-defined boundary service class through the virtual private network service class, and then from the software-defined boundary service class. The class returns to the UI layer of the user interface, so that the UI layer displays the network resources provided by the server on the interface. 10 . The method according to claim 8 , wherein the configuration information further comprises: a domain name system list, wherein the domain name system list includes IP addresses corresponding to domain names of the first type of resources accessible in the security mode. 11 . address; After the interception of the network resource access request, the method further includes: When the virtual private network service class analysis determines that the data packet of the network resource access request is a user data packet protocol UDP packet, and the port number corresponding to the UDP packet is 53, it is determined that the network resource access request is a domain name system Parse the request; The domain name system proxy service class traverses the domain name system list according to the UDP packet, and after finding the IP address corresponding to the domain name of the network resource access request, returns the IP address to the virtual machine as the destination IP. Private network service class. The method according to any one of claims 1-10, wherein the first type of resource is an enterprise intranet resource, and the second type of resource is another resource other than the enterprise intranet resource. 12. The method according to any one of claims 1-10, further comprising: When the security mode is turned off, access to the first type of resource is denied. 13. A device for acquiring network resources, comprising: The interception module is used to intercept network resource access requests after starting the safe mode; a parsing module for parsing the network resource access request intercepted by the interception module; a request type determination module, configured to determine the type of the network resource access request according to the configuration information of the security mode and the parsed data information; A sending module, configured to request a network resource from a server through a gateway when the request type determination module determines that the network resource access request is a request for a first type of resource; the configuration information includes the access request in the security mode. Information on the first type of resource; The sending module is further configured to directly request the server for network resources when the request type determining module determines that the network resource access request is a request for a second type of resource. 14. A computer device, characterized in that the device comprises a processor and a memory: the memory is used to store program code and transmit the program code to the processor; The processor is configured to execute the method for acquiring network resources according to any one of claims 1-12 according to the instructions in the program code. 15. A computer-readable storage medium, wherein the computer-readable storage medium is used to store a computer program, and the computer program is used to execute the method for acquiring network resources according to any one of claims 1-12.

Images