
CN113905013B - A method for realizing IP address transparent transmission in cluster network - Google Patents


Info

Publication number: CN113905013B
Authority: CN (China)
Prior art keywords: address, load balancing, ssl, balancing module, proxy server
Prior art date
Legal status: Active
Application number: CN202111270772.3A
Other languages: Chinese (zh)
Other versions: CN113905013A (en)
Inventors: 朱振中, 陈威, 马玉喜
Current assignee: Koal Software Co ltd
Original assignee: Koal Software Co ltd
Priority date
Filing date
Publication date
Application filed by Koal Software Co ltd
Priority to CN202111270772.3A
Publication of CN113905013A
Application granted
Publication of CN113905013B
Active (current legal status)
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2528 Translation at a proxy
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/12 Avoiding congestion; Recovering from congestion
    • H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for passing the client IP address through transparently in a cluster network. On the SSL hardware proxy server, the SSL traffic is offloaded (decrypted) and the back-end connection is rewritten to carry the terminal device's own IP address and port, so that the source IP address is passed through unchanged; the load balancing module distributes load across the application servers, preserves the passed-through IP address, and routes reply packets back according to the source MAC address. Because the cluster network performs SSL offloading together with IP address pass-through, an application server only needs to point its default route at the load balancer and needs no other modification to obtain the terminal device's IP address and port. As the packets of a real user session flow through the system, the source IP address set by the user terminal never changes, while the destination IP address is translated as the packet passes the SSL gateway and the load balancer. This satisfies the high-concurrency and high-stability requirements of industries such as finance, securities and futures while also meeting regulatory requirements.

Description

A method for implementing IP address transparent transmission in a cluster network

Technical Field

The present invention relates to the field of computer network communication, and in particular to a method for implementing IP address transparent transmission in a cluster network.

Background

In key industries such as finance and securities that bear on the national economy and people's livelihood, SSL encryption is generally used to protect sensitive data in transit. Informatization has at the same time brought great threats to financial supervision, with new kinds of attacks emerging constantly; regulators therefore require that every application server be able to record, for supervisory audit, the identity of the accessing user together with the terminal's IP address and port.

Usually SSL is deployed directly on the application server, which then serves external clients itself. With this arrangement the application server can read the accessing user's identity and the terminal's IP address and port directly. However, it exposes the core service directly to the Internet, where it is an easy target for network attacks. In addition, SSL encryption and decryption consume a large share of the application server's computing resources, causing the user interface to stall. The usual remedy is to offload SSL onto dedicated gateway hardware and then forward the decrypted traffic to the application server, decoupling SSL offloading from the application server's processing logic.

After the dedicated SSL hardware has offloaded a packet it performs both SNAT and DNAT, that is, both the packet's source address and its destination address are rewritten. The source address the application server sees is the SSL hardware's address rather than the client's real IP address, so the application server cannot obtain the terminal's IP address and port directly.

If the application server needs the terminal's IP information, the following methods are commonly used:

1. For applications with a B/S (browser/server) architecture, after SSL offloading the terminal information is passed to the application server by cookie injection, the X-Forwarded-For header or a similar mechanism, and the application server reads the terminal address and port from the cookie or header in the HTTP protocol. This approach cannot help applications with a C/S (client/server) architecture.

2. For C/S applications, after SSL offloading the terminal information is passed to the application server by means of the Proxy Protocol (rfc6967). The Proxy Protocol adds a header to the TCP connection to carry the client information conveniently; in essence, once the three-way handshake has completed, the proxy service on the SSL hardware inserts into the back-end connection a packet carrying the four-tuple of the original connection. This approach requires the application server to be modified and is hard to roll out widely.

3. Obtaining the client's real IP address via TOA. To pass the client IP address to the server, after SSL offloading the client IP address and port are placed in a custom TCP option field when the packet is forwarded. This approach requires a kernel modification on the application server before it can read the terminal's IP address and port, which places high demands on the application environment and the developers and is hard to roll out widely.

4. The client learns its own IP address and port during the SSL handshake (commonly used by intranet terminals to learn the source IP address and port of their Internet access) and sends them to the server over a private protocol. This approach requires changes to the application protocol and is hard to roll out widely.

For this reason the applicant, after productive exploration and research, has found a method that solves the problems above; the technical solution introduced below arose against this background.

Summary of the Invention

Addressing the defects and shortcomings of the background art, and targeting high-concurrency networks, the present invention proposes a method for implementing IP address transparent transmission in a cluster network. After SSL offloading, the method initiates the connection to the back-end application server using the user's own IP address and port, so that the application server obtains the terminal's access information without any modification. The invention is applicable to both B/S and C/S services and satisfies the financial-supervision requirements of high-concurrency networks such as those of finance and securities.

SSL offloading is a typically CPU-intensive workload. Performing it on dedicated hardware makes it possible to analyse all network traffic, obtain complete threat protection and resist network attacks, and it improves application performance. For the high concurrency and high availability of the overall solution, the SSL hardware is normally deployed as a cluster, which raises the overall SSL offloading capacity and the stability of the application servers' external service. The load balancer, by contrast, is generally used only for traffic distribution, consumes few computing resources, and can be deployed as a single unit.

The technical problem solved by the invention is that the application service only needs to point its default route at the load balancer, with no other customised modification, to obtain the terminal's IP address and port.

The technical problem is solved by the following technical solution:

A method for implementing IP address transparent transmission in a cluster network comprises the following steps:

the terminal device sends a connection request to the SSL hardware proxy server;

the SSL hardware proxy server obtains the terminal device's IP address and port from the connection request sent by the terminal device;

the SSL hardware proxy server performs SSL offloading and sends a connection request to the load balancing module using the terminal device's IP address and port as the source;

after receiving the connection request from the SSL hardware proxy server, the load balancing module forwards it to the application server;

the application server obtains the IP address, port and user identity from the connection request forwarded by the load balancing module, performs the relevant operations to generate reply packets, and returns them to the load balancing module over its default route;

the load balancing module returns the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address; and

the originating SSL hardware proxy server receives the packets returned by the load balancing module, looks up the corresponding SOCKET connection according to policy routing, SSL-encrypts the packets, and returns the encrypted packets over that SOCKET connection to the terminal device that initiated the connection.

In a preferred embodiment, the step in which the load balancing module, after receiving the connection request from the SSL hardware proxy server, forwards it to the application server comprises the following steps:

the load balancing module receives the connection request that the SSL hardware proxy server initiated under the terminal device's identity, and records the MAC address together with the source IP address and port; and

the load balancing module, using the terminal device's IP address and port as the source, sends that connection request on to the application server.

In a preferred embodiment, the step in which the load balancing module returns the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address comprises the following steps:

the load balancing module routes the received packets to the lo interface according to policy routing;

the load balancing module looks up the corresponding SOCKET connection in the relevant connection queue according to policy routing; and

the load balancing module looks up, from the policy-routed connection, the MAC address of the corresponding front-end connection, and returns the packets to the originating SSL hardware proxy server by that MAC address.

Owing to the above technical solution, the beneficial effects of the invention are as follows. On the SSL hardware proxy server, the SSL traffic is offloaded and the back-end connection is rewritten to carry the terminal device's IP address and port, so that the source IP address is passed through unchanged; the load balancing module distributes load across the application servers, preserves the passed-through IP address, and routes reply packets back according to the source MAC address. Because the cluster network performs SSL offloading together with IP address pass-through, an application server only needs to point its default route at the load balancer and needs no other modification to obtain the terminal device's IP address and port. As the packets of a real user session flow through the system, the source IP address set by the user terminal never changes, while the destination IP address is translated as the packet passes the SSL gateway and the load balancer. This satisfies the high-concurrency and high-stability requirements of industries such as finance, securities and futures while also meeting regulatory requirements.

Brief Description of the Drawings

To illustrate more clearly the embodiments of the invention or the technical solutions of the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art could derive other drawings from them without inventive effort.

FIG. 1 is a schematic diagram of the network topology of the invention.

FIG. 2 is a schematic flow diagram of the invention.

FIG. 3 shows how the IP address and port information change as packets pass through the SSL hardware proxy server and the load balancing module.

Detailed Description

To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further described below with reference to the figures.

The network topology is shown in FIG. 1. The SSL hardware proxy servers 200 serve external clients as a cluster (by cluster self-balancing, OSPF or a similar mechanism). After SSL offloading, a proxy server initiates the connection to the back-end load balancing module 300 using the IP address and port of the terminal device 100. The load balancing module 300 distributes load across the applications and returns replies along the original path according to the source IP address, port and MAC address. The application server only needs to point its default route at the load balancing module; no other customised modification is needed for it to obtain the terminal device's IP address and port. The role of the load balancer here is mainly traffic distribution and return along the original path.

Referring to FIG. 2 together with FIG. 3, the figures show a method for implementing IP address transparent transmission in a cluster network, comprising the following steps:

Step S10: the terminal device sends a connection request to the SSL hardware proxy server.

Step S20: the SSL hardware proxy server obtains the terminal device's IP address and port from the connection request sent by the terminal device.

Step S30: the SSL hardware proxy server performs SSL offloading and sends a connection request to the load balancing module using the terminal device's IP address and port as the source.

Step S40: after receiving the connection request from the SSL hardware proxy server, the load balancing module forwards it to the application server.

Step S50: the application server obtains the IP address, port and user identity from the connection request forwarded by the load balancing module, performs the relevant operations to generate reply packets, and returns them to the load balancing module over its default route.

Step S60: the load balancing module returns the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address.

Step S70: the originating SSL hardware proxy server receives the packets returned by the load balancing module, looks up the corresponding SOCKET connection according to policy routing, SSL-encrypts the packets, and returns the encrypted packets over that SOCKET connection to the terminal device that initiated the connection.

In step S40, the load balancing module's forwarding of the connection request received from the SSL hardware proxy server to the application server comprises the following steps:

Step S41: the load balancing module receives the connection request that the SSL hardware proxy server initiated under the terminal device's identity, and records the MAC address together with the source IP address and port;

Step S42: the load balancing module, using the terminal device's IP address and port as the source, sends that connection request on to the application server.

In step S60, the return of the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address comprises the following steps:

Step S61: the load balancing module routes the received packets to the LO interface according to policy routing;

Step S62: the load balancing module looks up the corresponding SOCKET connection in the relevant connection queue according to policy routing;

Step S63: the load balancing module looks up, from the policy-routed connection, the MAC address of the corresponding front-end connection, and returns the packets to the originating SSL hardware proxy server by that MAC address.
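The data path of steps S10 to S63 as an added example (not code from the patent or from Koal Software), written as a Python simulation: it traces the address rewrites of FIG. 3 through two cluster members, a load balancer and two back-ends, and shows why the load balancer must return replies by the recorded MAC rather than by IP routing, since the spoofed client address identifies no particular cluster member. All IPs, MACs, ports and payloads are constructed sample values; round-robin back-end selection and the reverse rewrite of the reply's source to the load balancer address are assumptions the patent does not state.

```python
# Added example, not code from the patent or from Koal Software: simulates the address
# rewrites and MAC-keyed return path of steps S10-S70.  Every IP, MAC, port and payload is
# a constructed sample value, and "TLS(...)" is a placeholder for real encryption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port) on the wire

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str  # Ethernet source of the hop that emitted the packet
    payload: str

    def flow(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse(self) -> FlowKey:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class SslProxy:
    """One member of the SSL offload cluster (element 200 in FIG. 1)."""

    def __init__(self, mac: str, service_ip: str, lb_vip: str, lb_port: int):
        self.mac, self.service_ip, self.lb_vip, self.lb_port = mac, service_ip, lb_vip, lb_port
        self.sockets: Set[FlowKey] = set()  # backend flows whose client-facing SOCKET lives on this member

    def accept(self, c: Packet) -> Packet:
        """S20/S30: learn the client tuple, offload TLS, connect to the LB *as the client*."""
        out = Packet(c.src_ip, c.src_port, self.lb_vip, self.lb_port,  # source kept, destination -> LB
                     self.mac, c.payload[4:-1])                         # strip "TLS(...)" = offload
        self.sockets.add(out.flow())
        return out

    def handle_reply(self, p: Packet) -> Optional[Packet]:
        """S70: find the SOCKET for the returning flow, re-encrypt, answer the terminal."""
        if p.reverse() not in self.sockets:
            return None  # this member never opened that connection: drop
        return Packet(self.service_ip, 443, p.dst_ip, p.dst_port, self.mac, f"TLS({p.payload})")

class LoadBalancer:
    """Element 300: distributes connections and returns replies to the originating proxy by MAC."""

    def __init__(self, vip: str, port: int, mac: str, backends: List[Tuple[str, int]]):
        self.vip, self.port, self.mac, self.backends, self._rr = vip, port, mac, backends, 0
        self.front: Dict[FlowKey, Tuple[str, Tuple[str, int]]] = {}  # S41: flow -> (proxy MAC, backend)
        self.back: Dict[FlowKey, FlowKey] = {}                        # backend flow -> frontend flow

    def forward(self, p: Packet) -> Optional[Packet]:
        """S40-S42: record MAC + client tuple, pick a backend, keep the client tuple as source."""
        key = p.flow()
        if key in self.front:
            mac, backend = self.front[key]
            if mac != p.src_mac:
                return None  # same client tuple from a second member: return path ambiguous, refuse
        else:
            backend = self.backends[self._rr % len(self.backends)]  # round-robin (constructed policy)
            self._rr += 1
            self.front[key] = (p.src_mac, backend)
        out = Packet(p.src_ip, p.src_port, backend[0], backend[1], self.mac, p.payload)
        self.back[out.flow()] = key
        return out

    def return_packet(self, p: Packet) -> Optional[Tuple[str, Packet]]:
        """S61-S63: reply from the default route is delivered locally, matched, sent to the recorded MAC."""
        front = self.back.get(p.reverse())
        if front is None:
            return None  # no connection state for this reply: drop
        mac, _ = self.front[front]
        # undo the forward destination rewrite so the proxy's SOCKET (client -> VIP) matches (assumption)
        return mac, Packet(self.vip, self.port, p.dst_ip, p.dst_port, self.mac, p.payload)

def app_server_reply(ip: str, port: int, mac: str, p: Packet) -> Packet:
    """S50: unmodified backend; the accepted socket's peer *is* the terminal, the reply follows the default route."""
    return Packet(ip, port, p.src_ip, p.src_port, mac, f"OK({p.payload})")

def run_scenario() -> dict:
    """Two cluster members, one LB, two backends, two terminals sharing one NAT address."""
    lb = LoadBalancer("10.0.1.1", 8080, "02:00:00:00:01:01", [("10.0.2.11", 80), ("10.0.2.12", 80)])
    proxies = {m: SslProxy(m, "203.0.113.10", lb.vip, lb.port) for m in ("02:00:00:00:00:0a", "02:00:00:00:00:0b")}
    app_macs = {("10.0.2.11", 80): "02:00:00:00:02:0b", ("10.0.2.12", 80): "02:00:00:00:02:0c"}
    terminals = [("198.51.100.7", 51000, "02:00:00:00:00:0a"), ("198.51.100.7", 51001, "02:00:00:00:00:0b")]
    res = {"app_saw": [], "returned_to_origin": [], "client_got": [], "dropped": 0}
    for ip, port, pmac in terminals:  # S10: the cluster front lands each terminal on a different member
        p1 = proxies[pmac].accept(Packet(ip, port, "203.0.113.10", 443, "02:00:00:00:ee:01", "TLS(GET /balance)"))
        p2 = lb.forward(p1)
        res["app_saw"].append((p2.src_ip, p2.src_port))            # what the backend's audit log records
        p3 = app_server_reply(p2.dst_ip, p2.dst_port, app_macs[(p2.dst_ip, p2.dst_port)], p2)
        mac, p4 = lb.return_packet(p3)
        res["returned_to_origin"].append(mac == pmac)
        p5 = proxies[mac].handle_reply(p4)
        res["client_got"].append((p5.dst_ip, p5.dst_port, p5.payload))
    # failure modes: a third member presenting an already-recorded tuple, and a reply with no state
    res["dropped"] += int(lb.forward(Packet("198.51.100.7", 51000, lb.vip, lb.port, "02:00:00:00:00:0c", "GET /")) is None)
    res["dropped"] += int(lb.return_packet(Packet("10.0.2.11", 80, "192.0.2.9", 40000, "02:00:00:00:02:0b", "x")) is None)
    return res
```

Both terminals share one NAT address and differ only in port, which is exactly the case where the back-end's own audit log sees the real tuple and the load balancer's (MAC, IP, port) record, not the IP alone, decides which cluster member receives the reply.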

In summary, on the SSL hardware proxy server the SSL traffic is offloaded and the back-end connection is rewritten to carry the terminal device's IP address and port, so that the source IP address is passed through unchanged; the load balancing module distributes load across the application servers, preserves the passed-through IP address, and routes reply packets back according to the source MAC address. Because the cluster network performs SSL offloading together with IP address pass-through, an application server only needs to point its default route at the load balancer and needs no other modification to obtain the terminal device's IP address and port. As the packets of a real user session flow through the system, the source IP address set by the user terminal never changes, while the destination IP address is translated as the packet passes the SSL gateway and the load balancer. This satisfies the high-concurrency and high-stability requirements of industries such as finance, securities and futures while also meeting regulatory requirements.

The foregoing has shown and described the basic principles, main features and advantages of the invention. Those skilled in the art should understand that the invention is not limited to the embodiments above; the embodiments and the description merely illustrate the principles of the invention, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the scope of protection claimed. The scope of protection of the invention is defined by the appended claims and their equivalents.

Claims (1)

1. A method for implementing IP address transparent transmission in a cluster network, characterised in that it comprises the following steps:

the terminal device sends a connection request to the SSL hardware proxy server;

the SSL hardware proxy server obtains the terminal device's IP address and port from the connection request sent by the terminal device;

the SSL hardware proxy server performs SSL offloading and sends a connection request to the load balancing module using the terminal device's IP address and port as the source;

after receiving the connection request from the SSL hardware proxy server, the load balancing module forwards it to the application server;

the application server obtains the IP address, port and user identity from the connection request forwarded by the load balancing module, performs the relevant operations to generate reply packets, and returns them to the load balancing module over its default route;

the load balancing module returns the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address; and

the originating SSL hardware proxy server receives the packets returned by the load balancing module, looks up the corresponding SOCKET connection according to policy routing, SSL-encrypts the packets, and returns the encrypted packets over that SOCKET connection to the terminal device that initiated the connection;

wherein the step in which the load balancing module, after receiving the connection request from the SSL hardware proxy server, forwards it to the application server comprises the following steps:

the load balancing module receives the connection request that the SSL hardware proxy server initiated under the terminal device's identity, and records the MAC address together with the source IP address and port; and

the load balancing module, using the terminal device's IP address and port as the source, sends that connection request on to the application server;

and wherein the step in which the load balancing module returns the packets to the originating SSL hardware proxy server according to policy routing, the source IP address and the MAC address comprises the following steps:

the load balancing module routes the received packets to the lo interface according to policy routing;

the load balancing module looks up the corresponding SOCKET connection in the relevant connection queue according to policy routing; and

the load balancing module looks up, from the policy-routed connection, the MAC address of the corresponding front-end connection, and returns the packets to the originating SSL hardware proxy server by that MAC address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111270772.3A CN113905013B (en) 2021-10-29 2021-10-29 A method for realizing IP address transparent transmission in cluster network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111270772.3A CN113905013B (en) 2021-10-29 2021-10-29 A method for realizing IP address transparent transmission in cluster network

Publications (2)

Publication Number Publication Date
CN113905013A (en) 2022-01-07
CN113905013B (en) 2024-05-28

Family

ID=79027024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111270772.3A Active CN113905013B (en) 2021-10-29 2021-10-29 A method for realizing IP address transparent transmission in cluster network

Country Status (1)

Country Link
CN (1) CN113905013B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115865480A (en) * 2022-11-30 2023-03-28 中国农业银行股份有限公司 Information processing method, device, equipment and storage medium
CN116582365B (en) * 2023-07-12 2023-09-26 北京亿赛通科技发展有限责任公司 Network traffic safety control method and device and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102771085A (en) * 2009-12-23 2012-11-07 思杰系统有限公司 System and method for transparent end-to-end cache redirection
CN106506700A (en) * 2016-12-28 2017-03-15 北京优帆科技有限公司 A kind of transparent proxy method of load equalizer and SiteServer LBS
WO2018120800A1 (en) * 2016-12-29 2018-07-05 华为技术有限公司 Load balancing method, device and system

Also Published As

Publication number Publication date
CN113905013A (en) 2022-01-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared