CN116319166A - Cross-public-network multi-machine-room intranet communication method, device, equipment and storage medium - Google Patents
- Publication number
- CN116319166A (application CN202310242902.5A)
- Authority
- CN
- China
- Prior art keywords
- machine room
- computer room
- target
- room
- machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical field
The present application relates to the field of cross-network communication, and in particular to a method, apparatus, device and storage medium for intranet communication between multiple machine rooms across the public network.
Background
At present, intranet communication between multiple machine rooms across the public network is generally achieved by building a dedicated line, by purchasing a VPN (Virtual Private Network) service, or by having the business programs of the machine rooms talk to each other over the public network using HTTP (HyperText Transfer Protocol). All of these approaches can provide cross-public-network communication between machine rooms, but building a dedicated line is difficult to develop and expensive, while communicating over the public network with HTTP places higher security requirements on the business system itself and, to some extent, increases development and maintenance costs.
It can therefore be seen that how to effectively achieve multi-machine-room intranet communication across the public network while reducing development difficulty and cost is a problem that urgently needs to be solved.
Summary of the invention
The present application provides a method, apparatus, device and storage medium for intranet communication between multiple machine rooms across the public network, to solve the problem in the related art that low-difficulty, low-cost multi-machine-room intranet communication across the public network cannot be effectively achieved.
In a first aspect, a method for intranet communication between multiple machine rooms across the public network is provided. The method is applied to a central machine room and includes the following steps:
when request data sent by a target machine room is received, verifying the request data against a preset machine room information set;
if verification succeeds, creating a Secure Shell (SSH) tunnel and building a mapping between the socket of the target machine room and the socket of the target proxy server of the central machine room, so that other servers in the central machine room can communicate with the target machine room through the SSH tunnel via the socket of the target proxy server according to that mapping.
In some embodiments, the request data includes the basic machine room information and ID of the target machine room and the machine room permission policy used to implement zero-trust communication.
In some embodiments, verifying the request data against the preset machine room information set includes:
selecting, from the preset machine room information set, the target machine room information corresponding to the ID of the target machine room;
comparing the basic machine room information and the machine room permission policy in the target machine room information with the basic machine room information and the machine room permission policy in the request data, respectively, to obtain a comparison result;
if the comparison result is consistent, determining that verification succeeds;
if the comparison result is inconsistent, determining that verification fails.
In some embodiments, the basic machine room information includes the site name of the machine room, the machine room name, the name of the server corresponding to the machine room, the machine room IP address, the machine room port number, the SSH username and SSH password corresponding to the machine room, and the name of the business system running on the server corresponding to the machine room.
In some embodiments, before the step of verifying the request data against the preset machine room information set when request data sent by the target machine room is received, the method further includes:
receiving, over SSH, registration information sent by the target machine room, the registration information including the basic machine room information and machine room ID of the target machine room and the machine room permission policy used to implement zero-trust communication;
registering the target machine room based on the registration information, and storing the registration information in the preset machine room information set.
In some embodiments, after the step taken when verification succeeds, the method further includes:
sending a proxy server address list to the target machine room, so that the target machine room can select another machine room from the list as a new central machine room;
performing the step of receiving registration information over SSH with respect to the new central machine room.
In some embodiments, after the step of verifying the request data against the preset machine room information set, the method further includes:
if verification fails, refusing the connection.
In a second aspect, an apparatus for intranet communication between multiple machine rooms across the public network is provided. The apparatus includes a central machine room configured to:
when request data sent by a target machine room is received, verify the request data against a preset machine room information set;
if verification succeeds, create a Secure Shell (SSH) tunnel and build a mapping between the socket of the target machine room and the socket of the target proxy server of the central machine room, so that other servers in the central machine room can communicate with the target machine room through the SSH tunnel via the socket of the target proxy server according to that mapping.
In a third aspect, a device for intranet communication between multiple machine rooms across the public network is provided, including a memory and a processor, the memory storing at least one instruction that is loaded and executed by the processor to implement the method described above.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer program that, when executed by a processor, implements the method described above.
The present application provides a method, apparatus, device and storage medium for intranet communication between multiple machine rooms across the public network, applied to a central machine room. When the central machine room receives request data sent by a target machine room, it verifies the request data against a preset machine room information set; if verification succeeds, it creates a Secure Shell (SSH) tunnel and builds a mapping between the socket of the target machine room and the socket of the target proxy server of the central machine room, so that other servers in the central machine room can communicate with the target machine room through the SSH tunnel via the socket of the target proxy server according to that mapping. By verifying the request data of the target machine room and building the SSH tunnel only after verification passes, the present application improves the security of communication between machine rooms. At the same time it builds a mapping between the IP address and port number of the target machine room and the IP address and port number of the target proxy server of the central machine room and, using that mapping, completes communication with the target machine room inside the SSH tunnel through the proxy server's IP address and port number. Neither a dedicated line nor public-network communication over HTTP is needed, which effectively reduces the difficulty and cost of multi-machine-room intranet communication across the public network.
Description of drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic flow diagram of a method for intranet communication between multiple machine rooms across the public network provided by an embodiment of the present application;
Figure 2 is a schematic diagram of the communication principle between the target machine room and the central machine room provided by an embodiment of the present application;
Figure 3 is a schematic structural diagram of a device for intranet communication between multiple machine rooms across the public network provided by an embodiment of the present application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The embodiments of the present application provide a method, apparatus, device and storage medium for intranet communication between multiple machine rooms across the public network, which can solve the problem in the related art that low-difficulty, low-cost multi-machine-room intranet communication across the public network cannot be effectively achieved.
Referring to Figures 1 and 2, an embodiment of the present application provides a method for intranet communication between multiple machine rooms across the public network. The method is applied to a central machine room and includes the following steps:
Step S10: when request data sent by a target machine room is received, verify the request data against a preset machine room information set. The request data includes the basic machine room information and ID of the target machine room and the machine room permission policy used to implement zero-trust communication; the basic machine room information includes the site name of the machine room, the machine room name, the name of the server corresponding to the machine room, the machine room IP address, the machine room port number, the SSH username and SSH password corresponding to the machine room, and the name of the business system running on the server corresponding to the machine room.
Before communication between the central machine room and the target machine room is established, some preparatory work is carried out. The number of target machine rooms is determined by how many machine rooms actually need to communicate with the central machine room; for example, if five machine rooms need to communicate with the central machine room, each of the five can be a target machine room in this embodiment. The central machine room can support connections from multiple target machine rooms at the same time, with identical configuration and communication principles, so for brevity the following embodiments are explained using the communication between one target machine room and the central machine room.
Specifically, in this embodiment, the machine room information of the target machine room, such as its site name, machine room name, server name, IP address, port number, SSH username, SSH password and the name of the business system running on the server, is first entered in resource management and then imported into the distributed cloud management platform. At the same time, the machine room information of the target machine room is entered on the client information page of the distributed cloud management platform, and a corresponding ID is generated for the target machine room from that information. These operations can be performed through a visual console, and a fully visual workflow is more convenient and efficient.
In addition, the central machine room generates a key corresponding to the target machine room from that machine room information; this key is used to verify the deployment of the target machine room. For example, when deploying the target machine room, the machine room information of the target machine room is first looked up in the information stored on the distributed cloud management platform; the operator then logs in to the Linux server on which the target machine room's bridge service is to be deployed and verifies the retrieved machine room information with that dedicated key. If verification fails, deployment of the target machine room stops; if it passes, the target installation file is downloaded from the Linux server of the central machine room, the machine room ID in the installation file is changed to the ID of the target machine room, and the target machine room program is installed and started, checking that its run log is normal. During deployment of the target machine room the whitelist authorization of the central machine room is completed, and once connectivity with the central machine room is established, authentication and matching are configured on the server side of the central machine room to complete unique identity authentication. When the target machine room is deployed for the first time, this authentication match with the central machine room must be completed to keep subsequent communication secure and stable and to prevent illegal access should the target machine room's key leak.
It should be noted that in this embodiment the central machine room runs the open-source Apache SSHD program as its SSH server, uses the sshd program shipped with the Linux system as a forwarding connector, and uses the open-source JSch library as the client (JSch is a pure-Java implementation of SSH2 that lets a client connect to an sshd server and use port forwarding, X11 forwarding, file transfer and so on); the functions of these open-source programs were further developed for this purpose.
Therefore, when the target machine room needs to communicate with the central machine room, the bridge service of the target machine room (the client developed on JSch) sends, over SSH to the SSH port of the central controller of the central machine room (the central controller is adapted from Apache SSHD), request data carrying its own basic machine room information, its ID and the permission policy used to implement zero-trust communication. Because that request data includes the SSH credentials of the target machine room, it is only ever carried inside the SSH session. Complete permission control is what provides the security capability here; the permission policy may include access permissions, a rate-limiting policy and a traffic-limiting policy, though these are only examples and the contents of the policy can be set according to actual requirements. The central machine room provides unified user management, permission management and policy management, encapsulates the complex background operations and offers a convenient operation platform.
When the central controller receives the request data, it checks it against the pre-stored machine room information of the target machine room to decide whether an SSH tunnel should be created to connect to the target machine room. In other words, every machine room across the public network must pass authorization and be subject to communication policy restrictions before intranet communication takes place, in order to meet the technical and security requirements of zero trust.
Further, before the step of verifying the request data against the preset machine room information set when request data sent by the target machine room is received, the method also includes:
receiving, over SSH, registration information sent by the target machine room, the registration information including the basic machine room information and machine room ID of the target machine room and the machine room permission policy used to implement zero-trust communication;
registering the target machine room based on the registration information, and storing the registration information in the preset machine room information set.
In this embodiment, before the target machine room communicates with the central machine room, its bridge service also sends, over SSH to the SSH port of the central controller of the central machine room, registration information carrying its basic machine room information, ID and permission policy. When the central controller receives the registration information, it registers the target machine room and stores the registration information in the central controller's configuration center; the registration information of all target machine rooms is stored in the configuration center, where it forms the machine room information set.
Further, verifying the request data against the preset machine room information set includes:
selecting, from the preset machine room information set, the target machine room information corresponding to the ID of the target machine room;
comparing the basic machine room information and the machine room permission policy in the target machine room information with the basic machine room information and the machine room permission policy in the request data, respectively, to obtain a comparison result;
if the comparison result is consistent, determining that verification succeeds;
if the comparison result is inconsistent, determining that verification fails.
In this embodiment, after the central controller of the central machine room receives the request packet sent by the bridge service of the target machine room, it checks the machine room ID, machine room IP, machine room random port, key and zero-trust permission policy in the request data against the machine room information of the target machine room stored in the configuration center. Only when all of the data is confirmed to be consistent and valid is verification judged successful; otherwise it is judged to have failed. Note that the stored copy of the permission policy is the authoritative one: a request whose policy differs from the registered policy fails verification rather than being granted the policy it carries.
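The registration step and the verification step of S10, written out as one added example in Python. This is illustrative code, not code from the application or its Apache SSHD / JSch implementation. The field names, the contents of the sample policy and the per-room key are assumptions: the application lists the basic machine room fields but fixes neither their encoding nor how the per-room key is generated, so a random 256-bit secret stands in for the key. The check compares every field with hmac.compare_digest and reports only accept or refuse, which is the behaviour the application describes (a failed verification simply refuses the connection).

```python
import hmac
import json
import secrets

# Field names for the application's "basic machine room information" (constructed names).
BASIC_FIELDS = ("site_name", "room_name", "server_name", "ip", "port",
                "ssh_user", "ssh_password", "business_system")


def canon(obj):
    """Canonical JSON bytes so two dicts compare by value regardless of key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class RoomRegistry:
    """The central controller's machine room information set (its configuration center)."""

    def __init__(self):
        self._rooms = {}  # room_id -> {"basic": {...}, "policy": {...}, "key": "..."}

    def register(self, room_id, basic, policy):
        """Registration step: store the room's basic info and policy and issue it a key.
        Assumption: the application generates a per-room key but does not say how;
        a random 256-bit secret is used here. Returns the key for the room to keep."""
        missing = [f for f in BASIC_FIELDS if f not in basic]
        if missing:
            raise ValueError(f"registration is missing fields: {missing}")
        if room_id in self._rooms:
            raise ValueError(f"room {room_id!r} is already registered")
        key = secrets.token_hex(32)
        self._rooms[room_id] = {"basic": dict(basic), "policy": dict(policy), "key": key}
        return key

    def verify(self, request):
        """Verification step (S10): look the record up by ID and compare basic info,
        policy and key with the request. True only when everything matches.
        Every comparison is evaluated, none short-circuits, and each uses
        compare_digest, so timing does not reveal which field disagreed; the caller
        learns only accept or refuse, as in the application's 'refuse the connection'."""
        stored = self._rooms.get(request.get("room_id"))
        known = stored is not None
        if not known:  # compare against an empty record so unknown IDs take similar time
            stored = {"basic": {}, "policy": {}, "key": ""}
        basic_ok = hmac.compare_digest(canon(stored["basic"]), canon(request.get("basic", {})))
        policy_ok = hmac.compare_digest(canon(stored["policy"]), canon(request.get("policy", {})))
        key_ok = hmac.compare_digest(stored["key"].encode(), str(request.get("key", "")).encode())
        return known and basic_ok and policy_ok and key_ok


def demo():
    """Constructed walk-through: one registered room, one valid request, three bad ones."""
    registry = RoomRegistry()
    basic = {"site_name": "Site-A", "room_name": "Room-A1", "server_name": "app-01",
             "ip": "10.20.0.5", "port": 22, "ssh_user": "bridge", "ssh_password": "s3cret",
             "business_system": "billing"}
    policy = {"access": ["10.10.0.0/16"], "rate_limit_kbps": 2048, "max_connections": 50}
    key = registry.register("room-a1", basic, policy)
    good = {"room_id": "room-a1", "basic": basic, "policy": policy, "key": key}
    # A client that tries to grant itself a looser policy than the registered one.
    looser = dict(good, policy=dict(policy, max_connections=5000))
    unknown = dict(good, room_id="room-zz")  # an ID that was never registered
    wrong_key = dict(good, key="0" * 64)
    return (registry.verify(good), registry.verify(looser),
            registry.verify(unknown), registry.verify(wrong_key))
```

The registered policy is what the check enforces: a bridge service that sends a looser policy than the one stored for its ID is refused, which is the property the application's "compare the policy in the stored record with the policy in the request" step gives you. Keying the comparison on canonical JSON means field order on the wire does not matter, while still comparing every field the application lists.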
Step S20: if verification succeeds, create a Secure Shell (SSH) tunnel and build a mapping between the socket of the target machine room and the socket of the target proxy server of the central machine room, so that other servers in the central machine room can communicate with the target machine room through the SSH tunnel via the socket of the target proxy server according to that mapping.
In this embodiment, once the request data has been verified, an SSH tunnel is created. All machine rooms connected to the distributed cloud can have tunnels established between any pair of them from the unified page of the central machine room, so that programs in any two machine rooms can communicate over their intranets across the public network. At the same time a mapping is built between the socket of the target machine room (its IP address and port number) and the socket of the target proxy server of the central machine room: the IP address and port number designated by the bridge service of the target machine room are bound to a random port (in the range 1024-65000) of the proxy server of the network controller in the central machine room, and the central controller stores the target machine room's designated IP address and port number together with the proxy server's IP address and port number in its configuration center, that is, it stores the mapping there. Other servers in the central machine room can then reach the server IP address and port number of the target machine room through the proxy server IP address and port number of the network controller.
For example, when the central controller of the central machine room receives the request data, the operator searches for the ID of the target machine room on the server node running status page of the central machine room in the distributed cloud management platform and checks the request data sent by the target machine room; after confirming it is correct, the connection is activated, and once activation succeeds the tunnel between the target machine room and the central machine room is open. At this point, clicking "get proxy server address" on the server page of the central machine room triggers the generation of a random-port proxy server address corresponding to the network controller, through which other servers in the central machine room can communicate with the servers of the target machine room inside the SSH tunnel. When the central machine room needs a new proxy address, this is done by triggering the response mode through the visual console.
Specifically, suppose the proxy server of the central machine room has IP address X1 and port number Y1, and the configuration center stores a mapping between (X1, Y1) and (X2, Y2), where X2 is the IP address of the target machine room and Y2 its port number. When another server in the central machine room needs to communicate with the target machine room, it sends its request data to the proxy server at IP address X1, port Y1, and the proxy server forwards the request data to the target machine room at IP address X2, port Y2, so that the server and the target machine room can communicate. Thus, on the server side of the central machine room, the tunnel proxy address (a fixed IP address plus a random port number) for the target machine room address that needs to be reached (an IP address plus port number, or a domain name) is obtained through permission control, policy restrictions and the visual page, and cross-machine-room communication then goes through that tunnel proxy address.
Further, after the step of verifying the request data based on the preset computer room information set, the method further includes:
if verification fails, refusing the connection.
Exemplarily, in this embodiment, after the central controller of the central computer room receives the request data packet sent by the bridge service of the target computer room, it checks the information in the request data, such as the computer room ID, computer room IP, computer room random port and key, and the zero-trust authority policy, against the computer room information of the target computer room already stored in the configuration center. If the data is found to be inconsistent, verification is judged to have failed, and the central computer room directly refuses the connection. The target computer room can then confirm from the "connection refused" entry in its error log that the connection with the central computer room was not completed.
Further, after the step performed if verification succeeds, the method further includes:
sending a proxy server address list to the target computer room, so that the target computer room can select other computer rooms from the proxy server address list as a new central computer room;
performing, based on the new central computer room, the step of receiving over SSH the registration information sent by the target computer room.
Exemplarily, in this embodiment, after the central computer room checks the request data sent by the target computer room against the computer room information of the target computer room stored in the configuration center and confirms that verification succeeds, it not only creates the SSH network tunnel between the target computer room and the central computer room but also sends a proxy server address list to the target computer room; it will be understood that each IP address in the proxy server address list represents the IP address of the proxy server corresponding to another computer room. In addition, the bridge service of every target computer room in this embodiment has the capability of a network controller, providing the proxy server IP address plus port number mapping for servers in other computer rooms, so that the target computer room can communicate with other computer rooms; the bridge service of the target computer room also initializes all proxy channels at startup and runs scheduled tasks that handle reconnection after disconnection and security checks.
Therefore, when the target computer room needs to communicate with the computer room corresponding to an IP address in the proxy server address list, that computer room becomes, from the target computer room's perspective, its new central computer room. The communication flow and principle between the new central computer room and the target computer room are the same as the communication flow and principle described above and, for brevity, are not repeated here.
For example, assume the proxy server address list includes IP address X3, IP address X4 and IP address X5. When the target computer room needs to communicate with the computer room corresponding to IP address X3, that computer room becomes the new central computer room for the target computer room's communication. It can be seen that the central computer room provides tunnel proxies from the target computer room to multiple other computer rooms and generates the proxy addresses between the target computer room and those other computer rooms, so that cross-computer-room intranet program communication with the other computer rooms can be completed from within the target computer room.
In summary, this embodiment performs secondary development of Apache SSHD and wraps it based on JSch to implement proprietary authentication and matching between the client (that is, the target computer room) and the server (that is, the central computer room), and uses SSH protocol tunnels based on the Linux SSHD service to realize intranet program communication among multiple computer rooms across the public network. It ensures secure communication while providing complete policy control, offers a convenient and secure running environment for applications, operations and maintenance, management and development in the distributed cloud, and effectively reduces the difficulty and cost of multi-computer-room intranet communication across the public network.
An embodiment of the present application further provides a cross-public-network multi-computer-room intranet communication apparatus. The apparatus includes a central computer room configured to:
when receiving request data sent by a target computer room and corresponding to it, verify the request data based on a preset computer room information set;
if verification succeeds, create a secure file transfer protocol SSH network tunnel and construct a mapping between the socket of the target computer room and the socket of the target proxy server corresponding to the central computer room, so that other servers in the central computer room can communicate with the target computer room through the SSH network tunnel based on the mapping and the socket of the target proxy server.
Further, the request data includes basic computer room information of the target computer room, an ID number, and a computer room authority policy for implementing zero-trust communication.
Further, the central computer room is specifically configured to:
select, from the preset computer room information set, the target computer room information corresponding to the ID number of the target computer room;
compare the basic computer room information and the computer room authority policy in the target computer room information with the basic computer room information and the computer room authority policy in the request data, respectively, to obtain a comparison result;
if the comparison result is consistent, determine that verification succeeds;
if the comparison result is inconsistent, determine that verification fails.
Further, the basic computer room information includes the site name of the computer room, the computer room name, the name of the server corresponding to the computer room, the computer room IP address, the computer room port number, the SSH user name and SSH password corresponding to the computer room, and the name of the business system running on the server corresponding to the computer room.
Further, the central computer room is further configured to:
receive over SSH the registration information sent by the target computer room, the registration information including the basic computer room information of the target computer room, the computer room ID number and the computer room authority policy for implementing zero-trust communication;
register the target computer room based on the registration information, and store the registration information in the preset computer room information set.
Further, the central computer room is further configured to:
send a proxy server address list to the target computer room, so that the target computer room can select other computer rooms from the proxy server address list as a new central computer room;
perform, based on the new central computer room, the step of receiving over SSH the registration information sent by the target computer room.
Further, the central computer room is further configured to refuse the connection if verification fails.
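The central computer room's verification, socket-binding and refusal steps described above (select the stored record by ID, compare basic information and authority policy, bind a random proxy port in the 1024-65000 range to the target socket, refuse on mismatch, and return the proxy server address list), modelled as an added Python example; it is not the patent's Apache SSHD/JSch code, and all room records, credentials, policies and addresses in it are constructed sample data. The one point added from a defender's side is that the stored SSH password is compared in constant time, since it is a secret and not an ordinary configuration field.

```python
"""Central-room controller model: verify a target room's request against the
preset room information set, bind a random proxy port to the room's socket,
and refuse on mismatch. Added example; not the patent's Apache SSHD/JSch code.
All room records, credentials, policies and addresses are constructed."""
import hmac
import secrets
from dataclasses import dataclass

PROXY_PORT_MIN, PROXY_PORT_MAX = 1024, 65000  # random proxy port range given on the page

# Fields of the "basic computer room information" compared as plain values;
# the SSH password is a secret and is compared separately in constant time.
PLAIN_FIELDS = ("site_name", "room_name", "server_name", "ip", "port",
                "ssh_user", "business_system")


@dataclass(frozen=True)
class RoomInfo:
    """Basic room information plus the zero-trust authority policy."""
    room_id: str
    site_name: str
    room_name: str
    server_name: str
    ip: str
    port: int
    ssh_user: str
    ssh_password: str
    business_system: str
    policy: frozenset  # authority policy, modelled here as a set of allowed services


class CentralController:
    """Configuration center plus network controller of the central room."""

    def __init__(self, proxy_ip, rng=secrets.randbelow):
        self.proxy_ip = proxy_ip   # fixed IP of the network controller's proxy (X1)
        self.rng = rng             # rng(n) -> int in [0, n); injectable for tests
        self.rooms = {}            # preset room information set, keyed by room ID
        self.mappings = {}         # (proxy_ip, proxy_port) -> (target_ip, target_port)
        self.tunnels = set()       # room IDs whose SSH tunnel is established

    def register(self, info):
        """Registration received over SSH: store the room's info in the preset set."""
        self.rooms[info.room_id] = info

    def verify(self, request):
        """Select the stored record by ID, then compare basic info and policy."""
        stored = self.rooms.get(request.room_id)
        if stored is None:
            return False, "unknown room ID"
        if not hmac.compare_digest(stored.ssh_password.encode(),
                                   request.ssh_password.encode()):
            return False, "SSH credentials mismatch"
        for name in PLAIN_FIELDS:
            if getattr(stored, name) != getattr(request, name):
                return False, f"{name} mismatch"
        if stored.policy != request.policy:
            return False, "authority policy mismatch"
        return True, "consistent"

    def allocate_port(self):
        """Pick an unused random port of the proxy server in the 1024-65000 range."""
        for _ in range(1000):
            port = PROXY_PORT_MIN + self.rng(PROXY_PORT_MAX - PROXY_PORT_MIN + 1)
            if (self.proxy_ip, port) not in self.mappings:
                return port
        raise RuntimeError("no free proxy port")

    def connect(self, request):
        """Refuse on failed verification; otherwise open the tunnel, bind
        X1:Y1 -> X2:Y2 in the config center and return the proxy address list
        of the other rooms that already have a tunnel."""
        ok, reason = self.verify(request)
        if not ok:
            return {"status": "connection refused", "reason": reason}
        self.tunnels.add(request.room_id)
        port = self.allocate_port()
        self.mappings[(self.proxy_ip, port)] = (request.ip, request.port)
        proxy_list = sorted(self.rooms[r].ip for r in self.tunnels
                            if r != request.room_id)
        return {"status": "connected", "proxy": (self.proxy_ip, port),
                "proxy_list": proxy_list}

    def route(self, proxy_ip, proxy_port):
        """Resolve the proxy socket another central-room server connects to (X1:Y1)
        into the target room's socket (X2:Y2); None if no mapping is bound."""
        return self.mappings.get((proxy_ip, proxy_port))
```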
It should be noted that those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the apparatus and units described above may be understood by reference to the corresponding process in the foregoing embodiment of the cross-public-network multi-computer-room intranet communication method, which is not repeated here.
The apparatus provided by the above embodiment may be implemented in the form of a computer program, and the computer program may run on the cross-public-network multi-computer-room intranet communication device shown in FIG. 3.
An embodiment of the present application further provides a cross-public-network multi-computer-room intranet communication device, including a memory, a processor and a network interface connected through a system bus. The memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement all or some of the steps of the foregoing cross-public-network multi-computer-room intranet communication method.
The network interface is used for network communication, such as sending assigned tasks. Those skilled in the art will understand that the structure shown in FIG. 3 is only a block diagram of part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown, combine certain components, or arrange the components differently.
The processor may be a CPU, or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control center of the computer apparatus and connects the parts of the entire computer apparatus through various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor implements the various functions of the computer apparatus by running or executing the computer programs and/or modules stored in the memory and calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function (such as a video playback function or an image playback function), and the data storage area may store data created according to the use of the mobile phone (such as video data and image data). In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device or other volatile solid-state storage device.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, all or some of the steps of the foregoing cross-public-network multi-computer-room intranet communication method are implemented.
The embodiments of the present application implement all or part of the foregoing processes, which may also be completed by instructing the relevant hardware through a computer program. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, may implement the steps of each of the above methods. The computer program includes computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on. It should be noted that the content contained in a computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, a server or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
It should be noted that, as used herein, the terms "comprise", "include" and any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article or system that comprises that element.
The above descriptions are only specific embodiments of the present application, provided so that those skilled in the art can understand or implement the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features claimed herein.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310242902.5A CN116319166A (en) | 2023-03-14 | 2023-03-14 | Cross-public-network multi-machine-room intranet communication method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310242902.5A CN116319166A (en) | 2023-03-14 | 2023-03-14 | Cross-public-network multi-machine-room intranet communication method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116319166A true CN116319166A (en) | 2023-06-23 |
Family
ID=86830096
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310242902.5A Pending CN116319166A (en) | 2023-03-14 | 2023-03-14 | Cross-public-network multi-machine-room intranet communication method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116319166A (en) |
2023-03-14: CN CN202310242902.5A patent/CN116319166A/en active Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||