WO2018018640A1

WO2018018640A1 - Information interaction method, device and system

Info

Publication number: WO2018018640A1
Application number: PCT/CN2016/092436
Authority: WO
Inventors: 陈华东
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2016-07-29
Filing date: 2016-07-29
Publication date: 2018-02-01
Anticipated expiration: 2019-01-29

Abstract

Provided are an information interaction method, device and system, relating to the technical field of communications. The method comprises: a source server receiving a session password acquisition request sent by a proxy server; the source server determining whether to allow the proxy of the proxy server; and when it is determined that the proxy of the proxy server is allowed, the source server sending a session password to the proxy server, wherein the session password is a session password appointed by the source server and a client during the process of establishing a hyper text transfer protocol over secure socket layer (HTTPS) connection, and the session password is used for triggering the proxy server to provide an HTTPS service for the client. The problem in the relevant art that when a source server needs to firstly pre-send a session password to a proxy server, session password leakage is easily caused where there are more proxy servers is solved, and the effect of improving the security of a session password is achieved.

Description

Information interaction method, device and system

Technical field

本发明涉及通信技术领域，特别涉及一种信息交互方法、装置及系统。The present invention relates to the field of communications technologies, and in particular, to an information interaction method, apparatus, and system.

Background technique

为了保证互联网中数据传输的安全，较多网站采用安全超文本传输协议(英文：hyper text transfer protocol over secure socket layer，HTTPS)。在客户端与源服务器建立连接的过程中，客户端和源服务器利用安全套接层(英文：secure sockets layer，SSL)握手协议来约定会话密码，源服务器和客户端分别利用约定的会话密码对传输内容进行加密，来保证源服务器与客户端之间数据传输的安全。In order to ensure the security of data transmission on the Internet, more websites use the hypertext transfer protocol over secure socket layer (HTTPS). During the process of establishing a connection between the client and the source server, the client and the source server use a secure sockets layer (SSL) handshake protocol to agree on the session password, and the source server and the client respectively transmit using the agreed session password pair. The content is encrypted to ensure the security of data transmission between the source server and the client.

相关技术中，为了实现代理服务器代替源服务器为客户端提供HTTPS服务，在源服务器和代理服务器之间建立安全通道。在源服务器信任代理服务器安全的情况下，源服务器将会话密码通过安全通道发送至代理服务器。代理服务器在接收到会话密码后，利用会话密码对客户端发送的HTTPS报文进行解析得到HTTPS报文内容，并确定出与HTTPS报文内容所对应的HTTPS服务数据。然后，代理服务器利用会话密码对HTTPS服务数据进行加密，将加密后的HTTPS服务数据发送至客户端，为客户端提供HTTPS服务。In the related art, in order to implement a proxy server instead of a source server to provide an HTTPS service for a client, a secure channel is established between the source server and the proxy server. In the case where the source server trusts the proxy server, the source server sends the session password to the proxy server over a secure channel. After receiving the session password, the proxy server uses the session password to parse the HTTPS packet sent by the client to obtain the HTTPS packet content, and determines the HTTPS service data corresponding to the HTTPS packet content. Then, the proxy server encrypts the HTTPS service data by using the session password, and sends the encrypted HTTPS service data to the client to provide an HTTPS service for the client.

在实现本发明的过程中，发明人发现相关技术至少存在以下问题：源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露。In the process of implementing the present invention, the inventors have found that the related art has at least the following problem: the source server needs to send the session password to the proxy server in advance, and in the case where there are many proxy servers, the session password is easily leaked.

发明内容Summary of the invention

为了解决相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，本发明实施例提供了一种信息交互方法、装置及系统。所述技术方案如下：In order to solve the problem that the source server needs to send the session password to the proxy server in advance in the related art, in the case that there are many proxy servers, the session password is easily leaked. The embodiment of the present invention provides an information interaction method, device and system. The technical solution is as follows:

第一方面，提供了一种信息交互方法，应用于源服务器中，该方法包括：接收代理服务器发送的会话密码获取请求；判定是否允许所述代理服务器代理；在判定允许所述代理服务器代理时，向所述代理服务器发送会话密码，所述会话密码是所述源服务器和客户端在建立HTTPS连接的过程中约定的会话密码，所述会话密码用于触发所述代理服务器为所述客户端提供HTTPS服务。由于源服务器在接收到代理服务器发送的会话密码获取请求时，源服务器判定是否允许该代理服务器代理，在判定允许该代理服务器代理时，源服务器向该代理服务器发送会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In a first aspect, an information interaction method is provided, which is applied to a source server, the method comprising: receiving a session password acquisition request sent by a proxy server; determining whether the proxy server proxy is allowed; and determining that the proxy server proxy is allowed Sending a session password to the proxy server. The session password is a session password agreed by the source server and the client in establishing an HTTPS connection, and the session password is used to trigger the proxy server to provide an HTTPS service for the client. The source server determines whether to allow the proxy server proxy when receiving the session password acquisition request sent by the proxy server. When determining that the proxy proxy is allowed, the source server sends the session password to the proxy server, which solves the related art. The source server needs to send the session password to the proxy server in advance. In the case of a large number of proxy servers, the problem of session password leakage is easily caused, and the security of the session password is improved.

结合第一方面，在第一方面的第一种可能的实现中，所述判定是否允许所述代理服务器代理，包括：从所述会话密码获取请求中获取参考信息，所述参考信息至少包括代理服务器的信息、所述会话密码获取请求中包含的客户端的信息以及所述源服务器的本地状态中的至少一种；根据参考信息以及所述源服务器的本地策略确定是否允许所述代理服务器代理，得到第一判定结果，其中，所述第一判定结果为允许所述代理服务器代理，或需要基于HTTPS报文内容判定是否允许所述代理服务器代理，或禁止所述代理服务器代理。In conjunction with the first aspect, in a first possible implementation of the first aspect, the determining whether to allow the proxy server proxy comprises: obtaining reference information from the session password acquisition request, the reference information including at least an agent At least one of information of the server, information of the client included in the session password acquisition request, and a local state of the source server; determining whether to allow the proxy server proxy according to the reference information and the local policy of the source server, A first determination result is obtained, wherein the first determination result is that the proxy server agent is allowed, or whether the proxy server proxy is allowed to be based on the content of the HTTPS message or the proxy proxy is prohibited.

结合第一方面或者第一方面的第一种可能的实现，在第二种可能的实现中，所述根据参考信息以及所述源服务器的本地策略确定是否允许所述代理服务器代理，得到第一判定结果，包括：获取所述源服务器所建立的HTTPS连接的数量，当所述数量大于第一预定阈值时，将所述第一判定结果确定为允许所述代理服务器代理；或者，获取所述源服务器的负荷率，当所述负荷率大于第二预定阈值时，将所述第一判定结果确定为允许所述代理服务器代理。With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the determining, according to the reference information and the local policy of the source server, whether to allow the proxy server proxy to obtain the first The determining result includes: acquiring the number of HTTPS connections established by the source server, determining, when the quantity is greater than the first predetermined threshold, the first determination result to allow the proxy server proxy; or acquiring the The load rate of the source server, when the load rate is greater than a second predetermined threshold, determining the first determination result to allow the proxy server proxy.

结合第一方面、第一方面的第一种可能的实现或者第一方面的第二种可能的实现，在第三种可能的实现中，所述根据参考信息以及所述源服务器的本地策略确定是否允许所述代理服务器代理，得到第一判定结果，包括：获取所述源服务器限定的黑名单和/或白名单；当所述参考信息包含的信息位于所述白名单时，则将所述第一判定结果确定为允许所述代理服务器代理；或者，当所述参考信息包含位于所述黑名单的信息时，则将所述第一判定结果确定为禁止所述代理服务器代理；或者，当所述参考信息包含的信息未位于所述白名单且未位于所述黑名单时，则将所述第一判定结果确定为需要基于HTTPS报文内容判定是否允许所述代理服务器代理，其中，所述参考信息包含的信息包括所述代理服务器的信息和所述客户端的信息中的至少一种。With reference to the first aspect, the first possible implementation of the first aspect, or the second possible implementation of the first aspect, in a third possible implementation, the determining according to the reference information and the local policy of the source server Whether the proxy server agent is allowed to obtain the first determination result includes: obtaining a blacklist and/or a whitelist defined by the source server; and when the information included in the reference information is located in the whitelist, Determining, by the first determination result, that the proxy server agent is allowed; or, when the reference information includes information located in the blacklist, determining the first determination result as disabling the proxy server proxy; or, when When the information included in the reference information is not located in the white list and is not located in the blacklist, determining the first determination result that it is required to determine whether to allow the proxy server proxy based on the HTTPS message content, where The information contained in the reference information includes at least one of information of the proxy server and information of the client.

结合第一方面、第一方面的第一种可能的实现或者第一方面的第二种可能的实现或者第一方面的第三种可能的实现，在第四种可能的实现中，所述方法还包括：当所述第一判定结果为允许所述代理服务器代理时，向所述代理服务器发送与所述客户端约定的会话密码；或者，当所述第一判定结果为需要基于HTTPS报文内容判定是否允许所述代理服务器代理时，等待接收所述代理服务器透传的所述客户端发送的HTTPS报文，在接收到所述代理服务器透传的所述客户端发送的HTTPS报文后，根据接收到的所述HTTPS报文判定是否允许所述代理服务器，在判定允许所述代理服务器代理时，向所述代理服务器发送与所述客户端约定的会话密码。由于在第一判定结果为允许代理服务器代理或为需要基于HTTPS报文内容判定否允许代理服务器代理时，向代理服务器发送会话密码，使得代理服务器能够利用会话密码代替源服务器向客户端提供HTTPS服务。Combining the first aspect, the first possible implementation of the first aspect or the second possibility of the first aspect Or a third possible implementation of the first aspect, in a fourth possible implementation, the method further comprising: when the first determination result is to allow the proxy server proxy, to the proxy server Sending a session password agreed with the client; or, when the first determination result is that it is determined whether to allow the proxy server proxy based on the content of the HTTPS packet, waiting to receive the client transparently transmitted by the proxy server Sending an HTTPS message, after receiving the HTTPS message sent by the client transparently transmitted by the proxy server, determining whether to allow the proxy server according to the received HTTPS message, and determining that the proxy is allowed When the server proxyes, the session password agreed with the client is sent to the proxy server. Since the session password is sent to the proxy server when the first determination result is to allow the proxy server proxy or to determine whether to allow the proxy proxy based on the HTTPS message content, the proxy server can use the session password instead of the source server to provide the HTTPS service to the client. .

结合第一方面、第一方面的第一种可能的实现或者第一方面的第二种可能的实现或者第一方面的第三种可能的实现或者第一方面的第四种可能的实现，在第五种可能的实现中，在所述根据接收到的所述HTTPS报文判定是否允许所述代理服务器之后，所述方法还包括：在判定禁止所述代理服务器代理时，向所述代理服务器发送用于指示禁止所述代理服务器代理的第二判定结果，所述第二判定结果用于触发所述代理服务器删除已缓存的所述客户端的HTTPS报文。在第二判定结果为禁止代理服务器代理时，向代理服务器发送用于指示禁止代理服务器代理的第二判定结果，代理服务器在接收到第二判定结果后，成为源服务器和客户端之间的透明代理，在源服务器和客户端之间透传数据，以便源服务器能够向客户端提供HTTPS服务。With reference to the first aspect, the first possible implementation of the first aspect or the second possible implementation of the first aspect or the third possible implementation of the first aspect or the fourth possible implementation of the first aspect, In a fifth possible implementation, after the determining, according to the received HTTPS message, whether the proxy server is allowed, the method further includes: when determining to prohibit the proxy server proxy, to the proxy server Sending a second determination result indicating that the proxy server agent is prohibited, and the second determination result is used to trigger the proxy server to delete the cached HTTPS message of the client. When the second determination result is that the proxy server agent is prohibited, the second determination result indicating that the proxy server proxy is prohibited is sent to the proxy server, and after receiving the second determination result, the proxy server becomes transparent between the source server and the client. The proxy transparently transmits data between the source server and the client so that the source server can provide the HTTPS service to the client.

第二方面，提供了一种信息交互方法，应用于代理服务器中，该方法包括：接收客户端发送的用于请求建立HTTPS连接的建立请求；向源服务器发送会话密码获取请求，所述会话密码获取请求用于触发所述源服务器判定是否允许所述代理服务器代理；在所述源服务器允许所述代理服务器代理时，从所述源服务器获取所述源服务器和所述客户端在建立所述HTTPS连接过程中约定的会话密码；利用所述会话密码为所述客户端提供HTTPS服务。由于向源服务器发送会话密码获取请求，会话密码获取请求触发源服务器实时判断是否允许代理服务器代理，在源服务器允许代理服务器代理的情况下，代理服务器可从源服务器获取会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。The second aspect provides an information interaction method, which is applied to a proxy server, where the method includes: receiving a setup request sent by a client for requesting to establish an HTTPS connection; and sending a session password acquisition request to the source server, where the session password is Obtaining a request for triggering the source server to determine whether to permit the proxy server proxy; when the source server allows the proxy server proxy, obtaining the source server and the client from the source server are establishing the The session password agreed upon in the HTTPS connection process; the HTTPS service is provided to the client by using the session password. Because the session password acquisition request is sent to the source server, the session password acquisition request triggers the source server to determine whether to allow the proxy server proxy in real time. In the case that the source server allows the proxy server proxy, the proxy server can obtain the session password from the source server, and the related technology is solved. The medium source server needs to send the session password to the proxy server in advance. In the case of a large number of proxy servers, the session password is easily leaked. The effect of improving session password security is achieved.

结合第二方面，在第二方面的第一种可能的实现中，所述从所述源服务器获取所述源服务器和所述客户端在建立所述HTTPS连接过程中约定的会话密码，包括：接收所述源服务器发送的所述会话密码，所述会话密码是所述源服务器判定允许所述代理服务器代理且与所述客户端约定所述会话密码后发送的；或者，将接收到的所述客户端发送的HTTPS报文透传给所述源服务器，接收所述源服务器发送的所述会话密码，所述会话密码是所述源服务器接收到所述HTTPS报文后，根据所述HTTPS报文内容判定允许所述代理服务器代理时发送的。With reference to the second aspect, in a first possible implementation of the second aspect, the obtaining, by the source server, the session password that is agreed between the source server and the client in establishing the HTTPS connection, includes: Receiving the session password sent by the source server, where the session password is sent after the source server determines to allow the proxy server proxy and the session password is agreed with the client; or, the received session The HTTPS packet sent by the client is transparently transmitted to the source server, and the session password is sent by the source server. The session password is obtained by the source server after receiving the HTTPS packet according to the HTTPS. The message content is determined to be sent when the proxy server is allowed to proxy.

结合第二方面或者第二方面的第一种可能的实现，在第二种可能的实现中，所述方法还包括：在所述向所述源服务器发送会话密码获取请求之后，所述方法还包括：接收所述源服务器发送的第一判定结果，所述第一判定结果是所述源服务器在接收到所述会话密码获取请求后，判定是否允许所述代理服务器代理时得到的第一判定结果；当所述第一判定结果为允许所述代理服务器代理或为需要基于HTTPS报文内容确定是否允许所述代理服务器代理时，缓存接收到的所述客户端发送的HTTPS报文。通过在第一判定结果为允许代理服务器代理或为需要基于HTTPS报文内容确定是否允许代理服务器代理时，对接收到的客户端发送的HTTPS报文进行了缓存，以便后续代理服务器在接收到源服务器所发送的会话密码时，利用该会话密码解析HTTPS报文，为客户端提供HTTPS服务。With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the method further includes: after the sending the session password acquisition request to the source server, the method further The method includes: receiving a first determination result sent by the source server, where the first determination result is a first determination that is obtained when the source server determines whether to allow the proxy server proxy after receiving the session password acquisition request As a result, when the first determination result is that the proxy server agent is allowed to determine whether to allow the proxy server proxy based on the HTTPS message content, the received HTTPS packet sent by the client is cached. By determining whether to allow the proxy server proxy based on the content of the HTTPS message in the first determination result, the HTTPS message sent by the received client is cached, so that the subsequent proxy server receives the source. When the session password is sent by the server, the HTTPS message is parsed by the session password to provide the HTTPS service for the client.

结合第二方面、第二方面的第一种可能的实现或者第二方面的第二种可能的实现，在第三种可能的实现中，在所述将接收到的所述客户端发送的HTTPS报文透传给所述源服务器之后，所述方法还包括：接收所述源服务器发送的第二判定结果，所述第二判定结果是所述源服务器接收到所述HTTPS报文后，根据所述HTTPS报文内容判定是否允许所述代理服务器代理时得到的；当所述第二判定结果为禁止所述代理服务器代理时，删除已缓存的所述客户端发送的HTTPS报文。在第二判定结果为禁止代理服务器代理时，对已缓存的HTTPS报文进行了删除，节省了代理服务器的存储空间。With reference to the second aspect, the first possible implementation of the second aspect, or the second possible implementation of the second aspect, in a third possible implementation, the HTTPS sent by the client to be received After the packet is transparently transmitted to the source server, the method further includes: receiving a second determination result sent by the source server, where the second determination result is that the source server receives the HTTPS packet, according to the The content of the HTTPS message is determined whether the proxy server is allowed to be obtained. When the second determination result is that the proxy proxy is disabled, the cached HTTPS packet sent by the client is deleted. When the second determination result is that the proxy server proxy is disabled, the cached HTTPS packet is deleted, which saves the storage space of the proxy server.

结合第二方面、第二方面的第一种可能的实现或者第二方面的第二种可能的实现或者第二方面的第三种可能的实现，在第四种可能的实现中，所述从所述源服务器获取所述源服务器和所述客户端在建立所述HTTPS连接过程中约定的会话密码，包括：根据本地策略确定是否需要启动代理协商流程，在需要启动代理协商流程时，从所述源服务器获取所述源服务器和所述客户端在建立所述HTTPS连接过程中约定的会话密码；所述方法还包括：当所述第一判定结果为禁止所述代理服务器代理且包括禁止所述代理服务器代理的原因信息时，利用所述原因信息更新所述本地策略。With reference to the second aspect, the first possible implementation of the second aspect, or the second possible implementation of the second aspect, or the third possible implementation of the second aspect, in a fourth possible implementation, the slave Obtaining, by the source server, the source server and the client during a process of establishing the HTTPS connection The session password includes: determining whether the agent negotiation process needs to be started according to the local policy, and acquiring, when the agent negotiation process needs to be started, acquiring, by the source server, the source server and the client in the process of establishing the HTTPS connection The session password; the method further comprising: updating the local policy with the cause information when the first determination result is that the proxy server agent is prohibited and the reason information of the proxy server agent is prohibited.

第三方面，提供了一种信息交互装置，应用于源服务器，所述装置包括：接收单元，用于接收代理服务器发送的会话密码获取请求；执行单元，用于判定是否允许所述代理服务器代理；发送单元，用于在判定允许所述代理服务器代理时，向所述代理服务器发送会话密码，所述会话密码是所述源服务器和客户端在建立HTTPS连接的过程中约定的会话密码，所述会话密码用于触发所述代理服务器为所述客户端提供HTTPS服务。The third aspect provides an information interaction apparatus, which is applied to a source server, where the apparatus includes: a receiving unit, configured to receive a session password acquisition request sent by the proxy server; and an execution unit, configured to determine whether the proxy server proxy is allowed a sending unit, configured to send a session password to the proxy server when determining that the proxy server agent is allowed, the session password being a session password agreed by the source server and the client in establishing an HTTPS connection, The session password is used to trigger the proxy server to provide an HTTPS service for the client.

结合第三方面，在第三方面的第一种可能的实现中，所述执行单元，还用于从所述会话密码获取请求中获取参考信息，所述参考信息至少包括代理服务器的信息、所述会话密码获取请求中包含的客户端的信息以及所述源服务器的本地状态中的至少一种；所述执行单元，根据参考信息以及所述源服务器的本地策略确定是否允许所述代理服务器代理，得到第一判定结果，其中，所述第一判定结果为允许所述代理服务器代理，或需要基于HTTPS报文内容判定是否允许所述代理服务器代理，或禁止所述代理服务器代理。With reference to the third aspect, in a first possible implementation of the third aspect, the performing unit is further configured to obtain reference information from the session password obtaining request, where the reference information includes at least information of a proxy server, Determining at least one of information of a client included in the session password acquisition request and a local state of the source server; the execution unit determining whether to allow the proxy server proxy according to the reference information and a local policy of the source server, A first determination result is obtained, wherein the first determination result is that the proxy server agent is allowed, or whether the proxy server proxy is allowed to be based on the content of the HTTPS message or the proxy proxy is prohibited.

结合第三方面，在第三方面的第一种可能的实现中，在第二种可能的实现中，所述执行单元，还用于：获取所述源服务器所建立的HTTPS连接的数量，当所述数量大于第一预定阈值时，将所述第一判定结果确定为允许所述代理服务器代理；或者，获取所述源服务器的负荷率，当所述负荷率大于第二预定阈值时，将所述第一判定结果确定为允许所述代理服务器代理。With reference to the third aspect, in a first possible implementation of the third aspect, in a second possible implementation, the executing unit is further configured to: acquire the number of HTTPS connections established by the source server, when When the quantity is greater than the first predetermined threshold, determining the first determination result to allow the proxy server agent; or acquiring the load rate of the source server, when the load rate is greater than a second predetermined threshold, The first determination result is determined to allow the proxy server proxy.

结合第三方面、第三方面的第一种可能的实现或者第三方面的第二种可能的实现，在第三种可能的实现中，所述执行单元，还用于：获取所述源服务器限定的黑名单和/或白名单；当所述参考信息包含的信息位于所述白名单时，则将所述第一判定结果确定为允许所述代理服务器代理；或者，当所述参考信息包含位于所述黑名单的信息时，则将所述第一判定结果确定为禁止所述代理服务器代理；或者，当所述参考信息包含的信息未位于所述白名单且未位于所述黑名单时，则将所述第一判定结果确定为需要基于HTTPS报文内容判定是否允许所述代理服务器代理，其中，所述参考信息包含的信息包括所述代理服务器的信息和所述客户端的信息中的至少一种。With reference to the third aspect, the first possible implementation of the third aspect, or the second possible implementation of the third aspect, in a third possible implementation, the execution unit is further configured to: acquire the source server a defined blacklist and/or whitelist; when the information contained in the reference information is located in the whitelist, determining the first determination result to allow the proxy server proxy; or, when the reference information includes When the information of the blacklist is located, the first determination result is determined to prohibit the proxy server proxy; or when the information included in the reference information is not located in the whitelist and is not located in the blacklist Determining, by the first determination result, that it is required to determine whether to allow the proxy server proxy based on the content of the HTTPS message, wherein the information included in the reference information includes the proxy service At least one of information of the device and information of the client.

结合第三方面、第三方面的第一种可能的实现或者第三方面的第二种可能的实现或者第三方面的第三种可能的实现，在第四种可能的实现中，所述发送单元，还用于：当所述第一判定结果为允许所述代理服务器代理时，向所述代理服务器发送与所述客户端约定的会话密码；或者，当所述第一判定结果为需要基于HTTPS报文内容判定是否允许所述代理服务器代理时，等待接收所述代理服务器透传的所述客户端发送的HTTPS报文，在接收到所述代理服务器透传的所述客户端发送的HTTPS报文后，根据接收到的所述HTTPS报文判定是否允许所述代理服务器，在判定允许所述代理服务器代理时，向所述代理服务器发送与所述客户端约定的会话密码。With reference to the third aspect, the first possible implementation of the third aspect, or the second possible implementation of the third aspect, or the third possible implementation of the third aspect, in a fourth possible implementation, the transmitting And a unit, configured to: when the first determination result is that the proxy server agent is allowed, send a session password agreed with the client to the proxy server; or, when the first determination result is required to be based on When the HTTPS message content determines whether the proxy server proxy is allowed, waiting to receive the HTTPS packet sent by the client transparently transmitted by the proxy server, and receiving the HTTPS sent by the client transparently transmitted by the proxy server After the message, it is determined whether the proxy server is allowed according to the received HTTPS message, and when it is determined that the proxy server agent is allowed, the session password agreed with the client is sent to the proxy server.

结合第三方面、第三方面的第一种可能的实现或者第三方面的第二种可能的实现或者第三方面的第三种可能的实现或者第三方面的第四种可能的实现，在第五种可能的实现中，所述发送单元，还用于在判定禁止所述代理服务器代理时，向所述代理服务器发送用于指示禁止所述代理服务器代理的第二判定结果，所述第二判定结果用于触发所述代理服务器删除已缓存的所述客户端的HTTPS报文。With reference to the third aspect, the first possible implementation of the third aspect or the second possible implementation of the third aspect or the third possible implementation of the third aspect or the fourth possible implementation of the third aspect, In a fifth possible implementation, the sending unit is further configured to: when determining that the proxy server proxy is disabled, send a second determination result to the proxy server for indicating that the proxy proxy is prohibited, The second determination result is used to trigger the proxy server to delete the cached HTTPS message of the client.

第四方面，提供了一种信息交互装置，应用于代理服务器中，所述装置包括：接收单元，用于接收客户端发送的用于请求建立HTTPS连接的建立请求；发送单元，用于向源服务器发送会话密码获取请求，所述会话密码获取请求用于触发所述源服务器判定是否允许所述代理服务器代理；执行单元，用于在所述源服务器允许所述代理服务器代理时，从所述源服务器获取所述源服务器和所述客户端在建立所述HTTPS连接过程中约定的会话密码；所述执行单元，还用于利用所述会话密码为所述客户端提供HTTPS服务。The fourth aspect provides an information interaction apparatus, which is applied to a proxy server, where the apparatus includes: a receiving unit, configured to receive a setup request sent by a client for requesting to establish an HTTPS connection; and a sending unit, configured to send to the source The server sends a session password acquisition request, the session password acquisition request is used to trigger the source server to determine whether to permit the proxy server proxy, and an execution unit is configured to: when the source server allows the proxy server proxy, The source server obtains the session password agreed by the source server and the client in establishing the HTTPS connection; the execution unit is further configured to provide the client with an HTTPS service by using the session password.

结合第四方面，在第四方面的第一种可能的实现中，所述装置还包括：所述接收单元，用于向所述源服务器发送会话密码获取请求；所述接收单元，还用于接收所述源服务器发送的所述会话密码，所述会话密码是所述源服务器判定允许所述代理服务器代理且与所述客户端约定所述会话密码后发送的；或者，所述接收单元，还用于将接收到的所述客户端发送的HTTPS报文透传给所述源服务器，接收所述源服务器发送的所述会话密码，所述会话密码是所述源服务器接收到所述HTTPS报文后，根据所述HTTPS报文内容判定允许所述代理服务器代理时发送的。 With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the device further includes: the receiving unit, configured to send a session password acquisition request to the source server; the receiving unit is further configured to: Receiving the session password sent by the source server, where the session password is sent after the source server determines to allow the proxy server proxy and the session password is agreed with the client; or, the receiving unit, And the method further comprises: transmitting, by the source server, the HTTPS message sent by the client to the source server, and receiving the session password sent by the source server, where the session password is that the source server receives the HTTPS After the message is received, it is determined according to the content of the HTTPS message that the proxy server is allowed to be sent.

结合第四方面或者第四方面的第一种可能的实现，在第二种可能的实现中，所述接收单元，还用于接收所述源服务器发送的第一判定结果，所述第一判定结果是所述源服务器在接收到所述会话密码获取请求后，判定是否允许所述代理服务器代理时得到的第一判定结果；所述执行单元，还用于当所述第一判定结果为允许所述代理服务器代理或为需要基于HTTPS报文内容确定是否允许所述代理服务器代理时，缓存接收到的所述客户端发送的HTTPS报文。With reference to the fourth aspect, or the first possible implementation of the fourth aspect, in a second possible implementation, the receiving unit is further configured to receive a first determination result sent by the source server, where the first determination is The result is that the source server determines, after receiving the session password acquisition request, whether to allow the proxy server to obtain the first determination result; the execution unit is further configured to: when the first determination result is allowed The proxy server proxy or caches the received HTTPS packet sent by the client when it is determined whether to allow the proxy server proxy based on the HTTPS message content.

结合第四方面、第四方面的第一种可能的实现或者第四方面的第二种可能的实现，在第三种可能的实现中，所述接收单元，还用于接收所述源服务器发送的第二判定结果，所述第二判定结果是所述源服务器接收到所述HTTPS报文后，根据所述HTTPS报文内容判定是否允许所述代理服务器代理时得到的；所述执行单元，还用于当所述第二判定结果为禁止所述代理服务器代理时，删除已缓存的所述客户端发送的HTTPS报文。With reference to the fourth aspect, the first possible implementation of the fourth aspect, or the second possible implementation of the fourth aspect, in a third possible implementation, the receiving unit is further configured to receive the source server to send a second determination result, the second determination result is obtained when the source server receives the HTTPS message, and determines whether to allow the proxy server proxy according to the content of the HTTPS message; And when the second determination result is that the proxy server proxy is disabled, deleting the cached HTTPS packet sent by the client.

结合第四方面、第四方面的第一种可能的实现或者第四方面的第二种可能的实现或者第四方面的第三种可能的实现，在第四种可能的实现中，所述执行单元，还用于根据本地策略确定是否需要启动代理协商流程，在需要启动代理协商流程时，从所述源服务器获取在所述HTTPS连接建立过程中所述源服务器与所述客户端约定的会话密码；所述执行单元，还用于当所述第一判定结果为禁止所述代理服务器代理且包括禁止所述代理服务器代理的原因信息时，利用所述原因信息更新所述本地策略。With reference to the fourth aspect, the first possible implementation of the fourth aspect, or the second possible implementation of the fourth aspect, or the third possible implementation of the fourth aspect, in a fourth possible implementation, the performing And the unit is further configured to determine, according to the local policy, whether to start the proxy negotiation process, and when the proxy negotiation process needs to be started, obtain, from the source server, the session agreed by the source server and the client during the HTTPS connection establishment process. The execution unit is further configured to update the local policy by using the reason information when the first determination result is that the proxy server proxy is prohibited and the cause information of the proxy proxy is prohibited.

第五方面，提供了一种代理服务器，该代理服务器包括：处理器、与处理器相连的存储器、发射器和接收器，存储器用于存储一个或者一个以上的指令，这些指令被配置为由处理器执行，处理器通过执行存储器中的指令用于实现上述第一方面中提供的信息交互方法。In a fifth aspect, a proxy server is provided, the proxy server comprising: a processor, a memory coupled to the processor, a transmitter and a receiver, the memory for storing one or more instructions configured to be processed Executing, the processor is configured to implement the information interaction method provided in the above first aspect by executing instructions in the memory.

第六方面，提供了一种源服务器，该源服务器包括：处理器、与处理器相连的存储器、发射器和接收器，存储器用于存储一个或者一个以上的指令，这些指令被配置为由处理器执行，处理器通过执行存储器中的指令用于实现上述第二方面中提供的信息交互方法。In a sixth aspect, a source server is provided, the source server comprising: a processor, a memory coupled to the processor, a transmitter, and a receiver, the memory for storing one or more instructions configured to be processed Executing, the processor is configured to implement the information interaction method provided in the second aspect above by executing instructions in the memory.

第七方面，提供了一种信息交互系统，所述信息交互系统包括：代理服务器和源服务器，所述代理服务器包括如第三方面提供的应用于源服务器的信息交互装置和如第四方面提供的应用于代理服务器的信息交互装置。 In a seventh aspect, an information interaction system is provided, the information interaction system comprising: a proxy server and a source server, the proxy server comprising an information interaction device applied to the source server as provided by the third aspect, and the fourth aspect is provided An information interaction device applied to a proxy server.

DRAWINGS

为了更清楚地说明本发明实施例中的技术方案，下面将对实施例描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本发明的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention. Other drawings may also be obtained from those of ordinary skill in the art in light of the inventive work.

图1是本发明一示例性实施例提供的信息交互系统的结构示意图；1 is a schematic structural diagram of an information interaction system according to an exemplary embodiment of the present invention;

图2是本发明一示例性实施例提供的代理服务器的结构示意图；2 is a schematic structural diagram of a proxy server according to an exemplary embodiment of the present invention;

图3是本发明一示例性实施例提供的源服务器的结构示意图；FIG. 3 is a schematic structural diagram of a source server according to an exemplary embodiment of the present invention; FIG.

图4是本发明一示例性实施例提供的信息交互方法的流程图；FIG. 4 is a flowchart of an information interaction method according to an exemplary embodiment of the present invention;

图5是本发明另一示例性实施例提供的信息交互方法的流程图；FIG. 5 is a flowchart of an information interaction method according to another exemplary embodiment of the present invention; FIG.

图6A是本发明再一示例性实施例提供的信息交互方法的流程图；FIG. 6A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention; FIG.

图6B是本发明再一示例性实施例提供的源服务器允许代理服务器代理HTTPS服务的方法的流程图；6B is a flowchart of a method for a source server to allow a proxy server to proxy an HTTPS service according to still another exemplary embodiment of the present invention;

图7A是本发明再一示例性实施例提供的信息交互方法的流程图；FIG. 7A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention; FIG.

图7B是本发明再一示例性实施例提供的源服务器基于HTTPS报文内容判定允许代理服务器代理方法的流程图；FIG. 7B is a flowchart of a method for determining a proxy proxy proxy based on HTTPS message content provided by a source server according to still another exemplary embodiment of the present invention; FIG.

图8A是本发明再一示例性实施例提供的信息交互方法的流程图；FIG. 8A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention; FIG.

图8B是本发明再一示例性实施例提供的源服务器基于HTTPS报文内容判定禁止代理服务器代理方法的流程图；FIG. 8B is a flowchart of a method for determining a proxy proxy prohibition proxy based on HTTPS packet content according to another exemplary embodiment of the present invention; FIG.

图9A是本发明再一示例性实施例提供的信息交互方法的流程图；FIG. 9A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention; FIG.

图9B是本发明再一示例性实施例提供的源服务器禁止代理服务器代理HTTPS服务的方法的流程图；9B is a flowchart of a method for a source server to prohibit a proxy server to proxy an HTTPS service according to still another exemplary embodiment of the present invention;

图9C是本发明再一示例性实施例提供的源服务器在判断是否允许代理服务器代理的流程图；FIG. 9C is a flowchart of determining, by a source server, whether to allow a proxy server proxy according to still another exemplary embodiment of the present invention; FIG.

图10是本发明一个示例性实施例提供的信息交互装置的结构示意图；FIG. 10 is a schematic structural diagram of an information interaction apparatus according to an exemplary embodiment of the present invention; FIG.

图11是本发明另一个示例性实施例提供的信息交互装置的结构示意图。FIG. 11 is a schematic structural diagram of an information interaction apparatus according to another exemplary embodiment of the present invention.

detailed description

为使本发明的目的、技术方案和优点更加清楚，下面将结合附图对本发明实施方式作进一步地详细描述。 The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.

请参考图1，其示出了本发明一示例性实施例提供的信息交互系统的结构示意图，该信息交互系统包括代理服务器120和源服务器140。Please refer to FIG. 1 , which is a schematic structural diagram of an information interaction system according to an exemplary embodiment of the present invention. The information interaction system includes a proxy server 120 and a source server 140.

代理服务器120是具备数据缓存功能的设备。代理服务器120可以是缓存服务器，也可以是具备数据缓存功能的网关，还可以是具备数据缓存功能的路由器以及其他具备数据缓存功能的设备。The proxy server 120 is a device having a data caching function. The proxy server 120 may be a cache server, a gateway with a data cache function, a router with a data cache function, and other devices with a data cache function.

代理服务器120与源服务器140建立通信连接。The proxy server 120 establishes a communication connection with the source server 140.

源服务器140是提供网络数据的服务器计算机系统，通常是多台服务器的集群，每台服务器用于实现一个或一个以上的功能模块。The source server 140 is a server computer system that provides network data, typically a cluster of multiple servers, each of which is used to implement one or more functional modules.

可选的，该信息交互系统还可以包括客户端160、路由设备180、Optionally, the information interaction system may further include a client 160, a routing device 180,

客户端160与路由设备180建立通信连接。其中，路由设备180可以是路由器，还可以是网关，比如公用数据网网关(public data network gate way，PGW)网关，通用分组无线服务技术支持节点(gateway GPRS support bode，GGSN)网关等等。Client 160 establishes a communication connection with routing device 180. The routing device 180 can be a router, and can also be a gateway, such as a public data network gate (PGW) gateway, a gateway GPRS support bode (GGSN) gateway, and the like.

路由设备180为客户端160配置客户端160与代理服务器120之间的策略路由，以便客户端160能够通过上述策略路由至代理服务器120。Routing device 180 configures policy routing between client 160 and proxy server 120 for client 160 so that client 160 can route to proxy server 120 via the above-described policies.

路由设备180通常将距离路由设备180较近的代理服务器确定为代理服务器120，代理服务器120与路由设备180建立通信连接。Routing device 180 typically determines a proxy server that is closer to routing device 180 as proxy server 120, which establishes a communication connection with routing device 180.

请参考图2，其示出了本发明一示例性实施例提供的代理服务器120的结构示意图。该代理服务器120包括：处理器21、网络接口22和存储器23。Referring to FIG. 2, a schematic structural diagram of a proxy server 120 according to an exemplary embodiment of the present invention is shown. The proxy server 120 includes a processor 21, a network interface 22, and a memory 23.

处理器21包括一个或者一个以上处理核心，处理器21通过运行软件程序以及模块，从而执行各种功能应用以及数据处理。The processor 21 includes one or more processing cores, and the processor 21 executes various functional applications and data processing by running software programs and modules.

网络接口22可以为多个，其中一部分网络接口22用于与源服务器140进行通信。There may be multiple network interfaces 22, some of which are used to communicate with the source server 140.

存储器23与处理器21相连，比如，存储器23可以通过总线与处理器21相连；存储器23可用于存储软件程序以及模块。The memory 23 is coupled to the processor 21, for example, the memory 23 can be coupled to the processor 21 via a bus; the memory 23 can be used to store software programs and modules.

存储器23可以存储至少一个功能所需的应用程序模块24，应用程序模块24可以包含发送模块241、执行模块242以及接收模块243等。The memory 23 can store an application module 24 required for at least one function, and the application module 24 can include a transmitting module 241, an executing module 242, a receiving module 243, and the like.

这里的发送模块241、执行模块242以及接收模块243可以执行图4、图6A、图6B、图7A、图7B、图8A、图8B、图9A和图9B中的相应步骤，具体参见对图4、图6A、图6B、图7A、图7B、图8A、图8B、图9A和图9B 的描述。Here, the sending module 241, the executing module 242, and the receiving module 243 can perform the corresponding steps in FIG. 4, FIG. 6A, FIG. 6B, FIG. 7A, FIG. 7B, FIG. 8A, FIG. 8B, FIG. 9A, and FIG. 4. Fig. 6A, Fig. 6B, Fig. 7A, Fig. 7B, Fig. 8A, Fig. 8B, Fig. 9A and Fig. 9B description of.

存储器23可以由任何类型的易失性或非易失性存储设备或者它们的组合实现，如静态随机存取存储器(英文：static random access memory，SRAM)，电可擦除可编程只读存储器(英文：electrically erasable programmable read-only memory，EEPROM)，可擦除可编程只读存储器(英文：erasable programmable read only memory，EPROM)，可编程只读存储器(英文：programmable read only memory，PROM)，只读存储器(英文：read only memory image，ROM)，磁存储器，快闪存储器，磁盘或光盘。The memory 23 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read only memory ( English: electrically erasable programmable read-only memory (EEPROM), erasable programmable read only memory (EPROM), programmable read only memory (English: programmable read only memory, PROM), only Read memory (English: read only memory image, ROM), magnetic memory, flash memory, disk or optical disk.

本领域技术人员可以理解，图1中所示出的代理服务器120的结构并不构成对代理服务器120的限定，可以包括比图示更多或更少的部件，或者组合某些部件，或者不同的部件布置。It will be understood by those skilled in the art that the structure of the proxy server 120 shown in FIG. 1 does not constitute a limitation to the proxy server 120, and may include more or less components than those illustrated, or combine some components, or different. Parts layout.

请参考图3，其示出了本发明一示例性实施例提供的源服务器140的结构示意图。该源服务器140包括：处理器31、网络接口32和存储器33。Please refer to FIG. 3, which is a schematic structural diagram of a source server 140 according to an exemplary embodiment of the present invention. The source server 140 includes a processor 31, a network interface 32, and a memory 33.

处理器31包括一个或者一个以上处理核心，处理器31通过运行软件程序以及模块，从而执行各种功能应用以及数据处理。The processor 31 includes one or more processing cores, and the processor 31 executes various functional applications and data processing by running software programs and modules.

网络接口32可以为多个，其中一部分网络接口32用于与代理服务器120进行通信。There may be multiple network interfaces 32, some of which are used to communicate with the proxy server 120.

存储器33与处理器31相连，比如，存储器33可以通过总线与处理器31相连；存储器33可用于存储软件程序以及模块。The memory 33 is coupled to the processor 31. For example, the memory 33 can be coupled to the processor 31 via a bus; the memory 33 can be used to store software programs and modules.

存储器33可以存储至少一个功能所需的应用程序模块34，应用程序模块34可以包含发送模块341、执行模块342以及接收模块343等。The memory 33 can store an application module 34 required for at least one function, and the application module 34 can include a transmitting module 341, an executing module 342, a receiving module 343, and the like.

这里的发送模块341、执行模块342以及接收模块343可以执行图5、图6A、图6B、图7A、图7B、图8A、图8B、图9A和图9B中的相应步骤，具体参见对图5、图6A、图6B、图7A、图7B、图8A、图8B、图9A和图9B的描述。Here, the sending module 341, the executing module 342, and the receiving module 343 can perform the corresponding steps in FIG. 5, FIG. 6A, FIG. 6B, FIG. 7A, FIG. 7B, FIG. 8A, FIG. 8B, FIG. 9A and FIG. 5. Description of FIGS. 6A, 6B, 7A, 7B, 8A, 8B, 9A, and 9B.

存储器33可以由任何类型的易失性或非易失性存储设备或者它们的组合实现，如SRAM、EEPROM、EPROM、PROM、ROM、磁存储器、快闪存储器、磁盘或光盘。Memory 33 can be implemented by any type of volatile or non-volatile storage device, or a combination thereof, such as SRAM, EEPROM, EPROM, PROM, ROM, magnetic memory, flash memory, magnetic disk, or optical disk.

本领域技术人员可以理解，图1中所示出的源服务器140的结构并不构成对源服务器140的限定，可以包括比图示更多或更少的部件，或者组合某些部件，或者不同的部件布置。It will be understood by those skilled in the art that the structure of the source server 140 shown in FIG. 1 does not constitute a limitation of the source server 140, and may include more or less components than those illustrated, or may combine some parts. Pieces, or different parts arrangement.

实施例一，请参考图4，其示出了本发明一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的代理服务器120中来举例说明，由如图1所示的代理服务器120的处理器21执行下述步骤，该方法包括以下几个步骤：Embodiment 1, please refer to FIG. 4, which shows a flowchart of an information interaction method provided by an exemplary embodiment of the present invention. This embodiment is exemplified by the information interaction method used in the proxy server 120 shown in FIG. 1. The processor 21 of the proxy server 120 shown in FIG. 1 performs the following steps, and the method includes the following steps. :

步骤401，接收客户端发送的用于请求建立HTTPS连接的建立请求。Step 401: Receive an establishment request sent by the client to request to establish an HTTPS connection.

步骤402，向源服务器发送会话密码获取请求，该会话密码获取请求用于触发源服务器判定是否允许代理服务器代理。Step 402: Send a session password acquisition request to the source server, where the session password acquisition request is used to trigger the source server to determine whether to allow the proxy server proxy.

步骤403，在源服务器允许该代理服务器代理时，从源服务器获取源服务器和客户端在建立HTTPS连接过程中约定的会话密码。Step 403: When the source server allows the proxy server proxy, obtain the session password agreed by the source server and the client during the establishment of the HTTPS connection from the source server.

步骤404，利用会话密码为客户端提供HTTPS服务。Step 404, using the session password to provide an HTTPS service for the client.

综上所述，本实施例提供的信息交互的方法，通过向源服务器发送会话密码获取请求，会话密码获取请求触发源服务器实时判断是否允许代理服务器代理，在源服务器允许代理服务器代理的情况下，代理服务器可从源服务器获取会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided in this embodiment sends a session password acquisition request to the source server, and the session password acquisition request triggers the source server to determine whether to allow the proxy server proxy in real time, in the case that the source server allows the proxy server proxy. The proxy server can obtain the session password from the source server, and solves the problem that the source server needs to send the session password to the proxy server in advance in the related art. In the case that there are many proxy servers, the session password is easily leaked, and the session password is improved. The effect of security.

实施例二，请参考图5，其示出了本发明另一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的源服务器140中来举例说明，由如图1所示的源服务器140的处理器31执行下述步骤，该方法包括以下几个步骤：Embodiment 2 Please refer to FIG. 5, which shows a flowchart of an information interaction method provided by another exemplary embodiment of the present invention. This embodiment uses the information interaction method for the source server 140 shown in FIG. 1 as an example. The processor 31 of the source server 140 shown in FIG. 1 performs the following steps, and the method includes the following steps. :

步骤501，接收代理服务器发送的会话密码获取请求。Step 501: Receive a session password acquisition request sent by the proxy server.

步骤502，判定是否允许该代理服务器代理。Step 502: Determine whether the proxy server agent is allowed.

步骤503，在判定允许该代理服务器代理时，向该代理服务器发送会话密码，该会话密码是源服务器和客户端在建立HTTPS连接的过程中约定的会话密码，会话密码用于触发该代理服务器为客户端提供HTTPS服务。Step 503, when it is determined that the proxy server agent is allowed, sending a session password to the proxy server, where the session password is a session password agreed by the source server and the client in establishing an HTTPS connection, and the session password is used to trigger the proxy server as The client provides an HTTPS service.

综上所述，本实施例提供的信息交互的方法，通过在接收到代理服务器发送的会话密码获取请求时，源服务器动态判定是否允许该代理服务器代理，在判定允许该代理服务器代理时，源服务器向该代理服务器发送会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided by this embodiment is: when receiving the session password acquisition request sent by the proxy server, the source server dynamically determines whether the proxy server proxy is allowed, and when determining that the proxy proxy is allowed, the source The server sends a session password to the proxy server to resolve In the related art, the source server needs to send the session password to the proxy server in advance, and in the case where there are many proxy servers, the problem of the session password is easily leaked, and the effect of improving the security of the session password is achieved.

实施例三，当源服务器允许代理服务器代理HTTPS服务时，源服务器将会话密码通过安全通道发送至代理服务器。代理服务器在接收到会话密码后，利用会话密码为客户端提供HTTPS服务。以下结合图6A对本发明提供的信息交互方法进行说明。In the third embodiment, when the source server allows the proxy server to proxy the HTTPS service, the source server sends the session password to the proxy server through the secure channel. After receiving the session password, the proxy server uses the session password to provide the client with an HTTPS service. The information interaction method provided by the present invention will be described below with reference to FIG. 6A.

请参考图6A，其示出了本发明再一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 6A, which shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention. This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:

步骤601，代理服务器接收客户端发送的用于请求建立HTTPS连接的建立请求，根据本地策略确定是否需要启动代理协商流程。Step 601: The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.

当客户端需要通过HTTPS协议访问网络数据时，客户端需要与源服务器建立HTTPS连接。可选的，客户端向代理服务器发送客户问候消息Client Hello，将Client Hello可作为建立HTTPS连接的建立请求。当代理服务器接收到客户端发送的Client Hello时，代理服务器根据本地策略确定是否需要启动代理协商流程。When the client needs to access network data through the HTTPS protocol, the client needs to establish an HTTPS connection with the source server. Optionally, the client sends a client hello message Client Hello to the proxy server, and the client Hello can be used as an establishment request for establishing an HTTPS connection. When the proxy server receives the Client Hello sent by the client, the proxy server determines whether it needs to start the proxy negotiation process according to the local policy.

在客户端与源服务器建立HTTPS连接的过程中，客户端和利用SSL握手协议与源服务器来约定会话密码。In the process of establishing an HTTPS connection between the client and the source server, the client and the source server use the SSL handshake protocol to agree on the session password.

具体的，与客户端建立通信连接的路由设备为客户端配置路由策略，使得客户端发送的SSL握手消息按照策略路由发送至源服务器的代理服务器。由代理服务器在客户端与源服务器之间透传SSL握手消息，以便客户端与源服务器完成会话密码的约定并建立HTTPS连接。Specifically, the routing device that establishes a communication connection with the client configures a routing policy for the client, so that the SSL handshake message sent by the client is sent to the proxy server of the source server according to the policy route. The SSL handshake message is transparently transmitted between the client and the source server by the proxy server, so that the client completes the session password agreement with the source server and establishes an HTTPS connection.

具体的，路由设备根据网页浏览端口的端口号443、目的地址白/黑名单等配置好策略路由。其中，目的地址白名单为可以作为策略路由的路由器名单，目的地址黑名单为禁止作为策略路由的路由器名单。Specifically, the routing device configures the policy routing according to the port number 443 of the web browsing port and the white/black list of the destination address. The destination address whitelist is a list of routers that can be used as policy routes. The destination address blacklist is a list of routers that are prohibited as policy routes.

需要说明的一点是，客户端利用SSL握手协议与源服务器约定会话密码的方法，是本领域普通技术人员所能够实现的，本实施例在此不对客户端与源服务器之间的SSL握手过程进行赘述。It should be noted that the method for the client to use the SSL handshake protocol to stipulate the session password with the source server is implemented by a person skilled in the art. In this embodiment, the SSL handshake process between the client and the source server is not performed. Narration.

代理协商流程是由代理服务器启动的，是代理服务器向源服务器询问是否允许代理服务器代理(是否允许代理服务器代替源服务器向客户端提供HTTPS服务)的流程。具体的，代理服务器根据本地策略确定是否需要启动代理协商流程。其中，本地策略至少包括协商白名单、协商黑名单以及该代理服务器的本地状态中的任意一种。The proxy negotiation process is initiated by the proxy server, and the proxy server asks the source server whether The process that allows the proxy server proxy (whether or not the proxy server is allowed to replace the source server to provide HTTPS services to the client). Specifically, the proxy server determines whether it is necessary to start the proxy negotiation process according to the local policy. The local policy includes at least one of a negotiation whitelist, a negotiation blacklist, and a local state of the proxy server.

其中，协商白名单为允许该代理服务器代理HTTPS服务的源服务器名单，协商白名单为禁止该代理服务器代理HTTPS服务的源服务器名单。The negotiated whitelist is a list of source servers that allow the proxy server to proxy the HTTPS service, and the negotiated whitelist is a list of source servers that prohibit the proxy server from proxying the HTTPS service.

举例来讲，当源服务器位于协商白名单中时，表明该源服务器可能会允许该代理服务器代理自己的HTTPS服务。所以，在源服务器位于协商白名单中时，代理服务器可以启动代理协商流程，询问服务器是否允许该代理服务器代理。For example, when the source server is in the negotiated whitelist, it indicates that the source server may allow the proxy server to proxy its own HTTPS service. Therefore, when the source server is in the negotiated whitelist, the proxy server can initiate a proxy negotiation process to ask the server whether to allow the proxy proxy.

再举例来讲，当源服务器位于协商黑名单中时，则表明该源服务器禁止该代理服务器代理自己的HTTPS服务。所以，在源服务器位于协商白名单中时，代理服务器可不启动代理协商流程，直接成为客户端与源服务器之间的透明代理，在客户端与源服务器之间进行数据透传。由源服务器向客户端提供HTTPS服务。具体的，代理服务器从源服务器获取HTTPS服务数据，并将HTTPS服务数据透传至客户端。For another example, when the source server is in the negotiation blacklist, it indicates that the source server prohibits the proxy server from proxying its own HTTPS service. Therefore, when the source server is in the negotiation whitelist, the proxy server may not initiate the proxy negotiation process, and directly becomes a transparent proxy between the client and the source server, and transparently transmit data between the client and the source server. The HTTPS service is provided by the source server to the client. Specifically, the proxy server obtains the HTTPS service data from the source server, and transparently transmits the HTTPS service data to the client.

再举例来讲，本地状态可以为代理服务器的运行状态。比如，当代理服务器正在处理的业务较多时，为避免代理服务器的负载过大，则可以不启动协商流程。代理服务器可直接成为客户端与源服务器之间的透明代理，在客户端与源服务器之间进行数据透传。由源服务器向客户端提供HTTPS服务。具体的，代理服务器从源服务器获取HTTPS服务数据，并将HTTPS服务数据透传至客户端。For another example, the local state can be the running state of the proxy server. For example, when the proxy server is processing more services, in order to avoid overloading the proxy server, the negotiation process may not be started. The proxy server can directly become a transparent proxy between the client and the source server, and transparently transmit data between the client and the source server. The HTTPS service is provided by the source server to the client. Specifically, the proxy server obtains the HTTPS service data from the source server, and transparently transmits the HTTPS service data to the client.

在实际实现时，可制定多个代理服务器的本地策略来确定是否需要启动代理协商流程，不同的实现场景下本地策略所包含的策略可能会不同，根据不同的本地策略来确定需要启动代理协商流程的方法可能也会不同，这里就不再一一赘述，具体可根据实际情况确定。In the actual implementation, a local policy of multiple proxy servers may be established to determine whether the proxy negotiation process needs to be started. The policies included in the local policies may be different in different implementation scenarios, and the proxy negotiation process needs to be started according to different local policies. The method may be different, and will not be repeated here, depending on the actual situation.

步骤602，在需要启动代理协商流程时，代理服务器向源服务器发送会话密码获取请求。Step 602: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.

具体的，在代理服务器根据本地策略确定需要启动代理协商流程后，检测代理服务器与源服务器之间是否已经建立安全通道。Specifically, after the proxy server determines that the proxy negotiation process needs to be started according to the local policy, it is detected whether a secure channel has been established between the proxy server and the source server.

当代理服务器与源服务器之间已经建立安全通道时，代理服务器通过安全通道向源服务器发送会话密码获取请求。When a secure channel has been established between the proxy server and the source server, the proxy server passes security. The channel sends a session password acquisition request to the source server.

当代理服务器与源服务器之间未建立安全通道时，在代理服务器与源服务器之间建立安全通道，代理服务器通过安全通道向源服务器发送会话密码获取请求。需要说明的一点是，建立安全通道的方法为本领域普通技术人员所能够实现的，本实施例对此不再赘述。When a secure channel is not established between the proxy server and the source server, a secure channel is established between the proxy server and the source server, and the proxy server sends a session password acquisition request to the source server through the secure channel. It should be noted that the method for establishing a secure channel can be implemented by those skilled in the art, and details are not described herein.

步骤603，源服务器接收代理服务器发送的会话密码获取请求，判定是否允许代理服务器代理。Step 603: The source server receives a session password acquisition request sent by the proxy server, and determines whether the proxy server proxy is allowed.

具体的，从会话密码获取请求中获取参考信息，源服务器根据参考信息以及该源服务器的本地策略确定是否允许代理服务器代理，得到第一判定结果。第一判定结果为允许代理服务器代理，或需要基于HTTPS报文内容判定是否允许代理服务器代理，或禁止代理服务器代理。Specifically, the reference information is obtained from the session password acquisition request, and the source server determines whether to allow the proxy server proxy according to the reference information and the local policy of the source server, to obtain the first determination result. The first decision result is to allow the proxy server proxy, or to determine whether to allow the proxy proxy based on the HTTPS message content, or to disable the proxy proxy.

其中，HTTPS报文为客户端发出的HTTPS服务请求，这里所讲的参考信息至少包括代理服务器的信息、客户端的信息、源服务器的本地状态以及源服务器的本地策略中的至少一种。在实际实现时，源服务器还可结合其他参考信息来判定是否允许代理服务器代理。The HTTPS message is an HTTPS service request sent by the client. The reference information mentioned herein includes at least one of the information of the proxy server, the information of the client, the local state of the source server, and the local policy of the source server. In actual implementation, the source server may also use other reference information to determine whether to allow proxy proxy.

举例来讲，当源服务器对代理服务器的安全信任度比较高时，源服务器可不考虑其他参考信息直接允许代理服务器代理，则得到第一判定结果为允许代理服务器代理。For example, when the security trust of the source server to the proxy server is relatively high, the source server may directly allow the proxy server proxy without considering other reference information, and the first determination result is that the proxy server proxy is allowed.

再举例来讲，当源服务器对代理服务器的安全信任度较低时，源服务器需要根据代理服务器所请求代理的内容(客户端发送的HTTPS报文内容)进一步确定是否允许代理服务器代理，此时第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理。For another example, when the security trust of the source server to the proxy server is low, the source server needs to further determine whether to allow the proxy server proxy according to the content of the proxy requested by the proxy server (the content of the HTTPS packet sent by the client). The first determination result is that it is necessary to determine whether to allow the proxy server proxy based on the HTTPS message content.

再举例来讲，当源服务器不信任代理服务器时，源服务器可以禁止代理服务器代理，则得到的第一判定结果为禁止代理服务器代理。For another example, when the source server does not trust the proxy server, the source server may disable the proxy server proxy, and the first determination result is to disable the proxy server proxy.

在实际实现时，源服务器可根据多种参考信息以确定出第一判定结果，不同的实现场景所采取的参考信息可能会不同，根据不同参考信息确定出第一判断结果的方法也可能会不同，这里就不再一一赘述，具体的可根据实际情况确定。In actual implementation, the source server may determine the first determination result according to multiple reference information, and the reference information adopted by different implementation scenarios may be different, and the method for determining the first determination result according to different reference information may also be different. Here, we will not repeat them one by one, and the specific ones can be determined according to actual conditions.

源服务器在确定出第一判定结果后，将第一判定结果通过安全通道发送至代理服务器。相应的，代理服务器接收源服务器发送的第一判定结果。当代理服务器接收到的第一判断结果为允许代理服务器代理时，代理服务器缓存接收到的客户端发送的HTTPS报文，等待接收源服务器发送的会话密码。可选的，将客户端发送的HTTPS报文透传给源服务器。After determining the first determination result, the source server sends the first determination result to the proxy server through the secure channel. Correspondingly, the proxy server receives the first determination result sent by the source server. When the first judgment result received by the proxy server is to allow the proxy server proxy, the proxy server cache receives The HTTPS packet sent by the client is waiting to receive the session password sent by the source server. Optionally, the HTTPS packet sent by the client is transparently transmitted to the source server.

其中，需要说明的一点是，在客户端与源服务器建立HTTPS连接后，客户端利用会话密码向代理服务器发送HTTPS报文。相应的，在客户端与源服务器建立HTTPS连接后，代理服务器从客户端接收到了HTTPS报文。One point to note is that after the client establishes an HTTPS connection with the source server, the client uses the session password to send an HTTPS message to the proxy server. Correspondingly, after the client establishes an HTTPS connection with the source server, the proxy server receives the HTTPS message from the client.

步骤604，源服务器在判定允许代理服务器代理时，向代理服务器发送会话密码。Step 604: The source server sends a session password to the proxy server when determining that the proxy server proxy is allowed.

具体的，源服务器将会话密码通过安全通道发送至代理服务器。Specifically, the source server sends the session password to the proxy server through a secure channel.

步骤605，代理服务器接收源服务器发送的会话密码，利用会话密码为客户端提供HTTPS服务。Step 605: The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.

具体的，代理服务器在接收到源服务器发送的会话密码后，利用会话密码解析HTTPS报文得到HTTPS报文内容。代理服务器在本地缓存中查询与HTTPS报文内容所对应的HTTPS服务数据。也即，代理服务器查询本地缓存中是否存储客户端所请求的HTTPS服务数据。Specifically, after receiving the session password sent by the source server, the proxy server uses the session password to parse the HTTPS packet to obtain the HTTPS packet content. The proxy server queries the HTTPS service data corresponding to the HTTPS message content in the local cache. That is, the proxy server queries whether the HTTPS service data requested by the client is stored in the local cache.

若代理服务器本地缓存中有客户端所请求的HTTPS服务数据，代理服务器利用会话密码对HTTPS服务数据进行加密，并将加密后的HTTPS服务数据发送至客户端。这样实现了代理服务器为客户端提供HTTPS服务。If there is HTTPS service data requested by the client in the local cache of the proxy server, the proxy server encrypts the HTTPS service data by using the session password, and sends the encrypted HTTPS service data to the client. This enables the proxy server to provide HTTPS services to the client.

若代理服务器本地缓存中未存储客户端所请求的HTTPS服务数据，则将从客户端获取到的到HTTPS报文透传给源服务器。源服务器利用会话密码解析HTTPS报文，为客户端提供HTTPS服务数据。具体的，源服务器利用会话密码对HTTPS服务数据进行加密，将加密后的HTTPS服务数据发送至代理服务器。代理服务器在接收到源服务器发送的加密HTTPS服务数据后，将加密HTTPS服务数据透传给客户端。同时，代理服务器根据缓存策略确定是否将HTTPS服务数据在本地缓存中进行存储。If the HTTPS service data requested by the client is not stored in the local cache of the proxy server, the HTTPS packet obtained from the client is transparently transmitted to the source server. The source server uses the session password to parse HTTPS packets to provide HTTPS service data to the client. Specifically, the source server encrypts the HTTPS service data by using the session password, and sends the encrypted HTTPS service data to the proxy server. After receiving the encrypted HTTPS service data sent by the source server, the proxy server transparently transmits the encrypted HTTPS service data to the client. At the same time, the proxy server determines whether to store the HTTPS service data in the local cache according to the caching policy.

在实际实现时，可根据多种缓存策略来确定是否对HTTPS服务数据进行存储，比如，当HTTPS服务数据被客户端获取的次数达到第三预定阈值时，代理服务器将HTTPS服务数据在本地缓存中进行存储。不同的实现场景下缓存策略所包含的策略可能会不同，且根据不同的缓存策略判断是否将HTTPS服务数据在本地缓存中进行存储的方法可能也会不同，这里就不再一一赘述，具体可根据实际情况确定。In actual implementation, the HTTPS service data may be stored according to a plurality of cache policies. For example, when the number of times the HTTPS service data is acquired by the client reaches a third predetermined threshold, the proxy server stores the HTTPS service data in the local cache. Store. The policies included in the caching policy may be different in different implementation scenarios. The method for judging whether to store HTTPS service data in the local cache may be different according to different caching policies. According to the actual situation.

综上所述，本实施例提供的信息交互的方法，通过在每一次客户端与源服务器建立HTTPS连接的过程中，源服务器动态判断是否允许代理服务器代理，在源服务器允许代理服务器代理的情况下，代理服务器从源服务器获取会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided by this embodiment is provided by each client and source service. During the process of establishing an HTTPS connection, the source server dynamically determines whether the proxy server proxy is allowed. In the case that the source server allows the proxy server proxy, the proxy server obtains the session password from the source server, and solves the related problem that the source server needs the session password. It is sent to the proxy server in advance. When there are many proxy servers, it is easy to cause the session password to leak, and the effect of improving the security of the session password is achieved.

通过在第一判定结果为允许代理服务器代理时，源服务器向代理服务器发送会话密码，使得代理服务器能够利用会话密码代替源服务器向客户端提供HTTPS服务。By sending the session password to the proxy server when the first decision results in the proxy server permission, the proxy server can use the session password instead of the source server to provide the HTTPS service to the client.

通过在第一判定结果为允许代理服务器代理时，代理服务器对接收到的客户端发送的HTTPS报文进行了缓存。以便后续代理服务器在接收到源服务器发送的会话密码时，利用该会话密码解析HTTPS报文，为客户端提供HTTPS服务。The proxy server caches the HTTPS message sent by the received client when the first determination result is that the proxy server is allowed to proxy. In order for the subsequent proxy server to receive the session password sent by the source server, the session password is used to resolve the HTTPS message, and the client is provided with the HTTPS service.

实施例四，在一种可能的实现中，结合客户端与源服务器建立HTTPS连接的流程，对源服务器允许代理服务器进行代理时，代理服务器从源服务器获取会话密码的过程进行举例说明。Embodiment 4 In a possible implementation, the process of establishing an HTTPS connection between the client and the source server is combined with the process of obtaining the session password from the source server when the source server allows the proxy server to proxy.

请参考图6B，其示出了本发明再一示例性实施例提供的源服务器允许代理服务器代理HTTPS服务的方法流程图。本实施例以该源服务器允许代理服务器代理HTTPS服务的方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 6B, which illustrates a flow chart of a method for a source server to allow a proxy server to proxy an HTTPS service according to still another exemplary embodiment of the present invention. In this embodiment, the method in which the source server allows the proxy server to proxy the HTTPS service is used in the information interaction system shown in FIG. 1 , and the method includes the following steps:

客户端与源服务器建立HTTPS连接，可通过以下几个子步骤实现。The client establishes an HTTPS connection with the source server, which can be implemented through the following sub-steps.

步骤606a1，客户端向代理服务器发送客户端问候消息Client Hello。In step 606a1, the client sends a client hello message Client Hello to the proxy server.

步骤606a2，代理服务器将客户端问候消息Client Hello透传给源服务器。In step 606a2, the proxy server transparently transmits the client hello message Client Hello to the source server.

步骤606b1，源服务器向代理服务器发送服务器问候消息Server Hello。In step 606b1, the source server sends a server hello message Server Hello to the proxy server.

步骤606b2，代理服务器将服务器问候消息Server Hello透传给客户端。In step 606b2, the proxy server transparently transmits the server hello message Server Hello to the client.

步骤606c1，源服务器向代理服务器发送证书certificate。In step 606c1, the source server sends a certificate certificate to the proxy server.

步骤606c2，代理服务器将证书certificate透传给客户端。In step 606c2, the proxy server transparently transmits the certificate certificate to the client.

步骤606d1，源服务器向代理服务器发送服务器问候结束Server Hello Done消息。In step 606d1, the source server sends a server hello to the proxy server to end the Server Hello Done message.

步骤606d2，代理服务器将服务器问候结束Server Hello Done消息透传给客户端。 In step 606d2, the proxy server transparently transmits the server hello end Server Hello Done message to the client.

步骤606e1，客户端向代理服务器发送客户端密钥交换Client Key Exchange。In step 606e1, the client sends a client key exchange Client Key Exchange to the proxy server.

步骤606e2，代理服务器将客户端密钥交换Client Key Exchange透传给源服务器。In step 606e2, the proxy server transparently transmits the client key exchange Client Key Exchange to the source server.

步骤606fl，客户端向代理服务器发送密码变更声明Change Cipher Spec。In step 606fl, the client sends a password change statement Change Cipher Spec to the proxy server.

步骤606f2，代理服务器将密码变更声明Change Cipher Spec透传给源服务器。In step 606f2, the proxy server transparently transmits the password change statement Change Cipher Spec to the source server.

步骤606g1，客户端向服务器发送结束Finished消息。In step 606g1, the client sends an end Finished message to the server.

步骤606g2，代理服务器将结束Finished消息透传给源服务器。In step 606g2, the proxy server will end the Passed message to the source server.

步骤606hl，源服务器向代理服务器发送密码变更声明Change Cipher Spec。In step 606hl, the source server sends a password change statement Change Cipher Spec to the proxy server.

步骤606h2，代理服务器将密码变更声明Change Cipher Spec透传给客户端。In step 606h2, the proxy server transparently transmits the password change statement Change Cipher Spec to the client.

步骤606i1，源服务器向代理服务器发送结束Finished消息。In step 606i1, the source server sends an end Finished message to the proxy server.

步骤606i2，代理服务器将结束Finished消息透传给客户端。In step 606i2, the proxy server will end the Passed message to the client.

上述各个子步骤是客户端与源服务器建立HTTPS连接时需要的流程，客户端与源服务器建立HTTPS的连接流程为本领域普通技术人员均能够实现的，本实施例对客户端与源服务器建立HTTPS连接过程所涉及的各个子步骤不再进行赘述。The foregoing sub-steps are the processes required for the client to establish an HTTPS connection with the source server. The process of establishing the HTTPS connection between the client and the source server can be implemented by a person skilled in the art. In this embodiment, the HTTPS is established between the client and the source server. The various sub-steps involved in the connection process are not described again.

步骤607，代理服务器根据本地策略确定是否需要启动代理协商流程。Step 607: The proxy server determines, according to the local policy, whether the agent negotiation process needs to be started.

步骤607的说明可参见步骤601的解释说明，此处不再赘述。For the description of step 607, refer to the explanation of step 601, and details are not described herein again.

可选的，在代理服务器接收到客户端发送的Client Hello时，代理服务器根据本地策略确定是否需要启动代理协商流程。Optionally, when the proxy server receives the Client Hello sent by the client, the proxy server determines, according to the local policy, whether the proxy negotiation process needs to be started.

步骤608，在需要启动代理协商流程时，代理服务器通过安全通道向源服务器发送会话密码获取请求。Step 608: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.

步骤608的说明可参见步骤602的解释说明，此处不再赘述。For the description of step 608, refer to the explanation of step 602, and details are not described herein again.

步骤609，源服务器接收代理服务器发送的会话密码获取请求，判定是否允许代理服务器代理，得到第一判定结果。Step 609: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed, and obtains the first determination result.

步骤608的说明可参见步骤603的解释说明，此处不再赘述。For the description of step 608, refer to the explanation of step 603, and details are not described herein again.

步骤610，源服务器将第一判定结果通过安全通道发送至代理服务器。In step 610, the source server sends the first determination result to the proxy server through the secure channel.

步骤611，当代理服务器接收到的第一判定结果为允许代理服务器代理时，代理服务器等待接收源服务器所发送的会话密码。Step 611, when the first determination result received by the proxy server is to allow the proxy server proxy, The proxy server waits to receive the session password sent by the source server.

可选的，当代理服务器接收到的第一判定结果为允许代理服务器代理时，利用安全通道向源服务器发送确认已接收到第一判定结果的消息。Optionally, when the first determination result received by the proxy server is to allow the proxy server proxy, the secure channel is used to send a message to the source server confirming that the first determination result has been received.

需要说明的一点是步骤607至步骤611的执行与步骤606中的各个子步骤(除步骤606a1)的执行不分先后顺序。但是，步骤607至步骤611的执行需要按照先后顺序进行执行，步骤606中各个子步骤的执行一般按照上述流程的先后顺序。It should be noted that the execution of steps 607 to 611 and the execution of each sub-step in step 606 (except step 606a1) are in no particular order. However, the execution of steps 607 to 611 needs to be performed in sequential order, and the execution of each sub-step in step 606 is generally performed in the order of the above-mentioned processes.

步骤612，客户端向代理服务器发送HTTPS报文。In step 612, the client sends an HTTPS message to the proxy server.

在客户端与源服务器建立HTTPS连接后，客户端向代理服务器发送HTTPS报文。具体的，在客户端接收到代理服务器发送的Finished消息后，客户端向代理服务器发送HTTPS报文。After the client establishes an HTTPS connection with the source server, the client sends an HTTPS packet to the proxy server. Specifically, after the client receives the Finished message sent by the proxy server, the client sends an HTTPS packet to the proxy server.

可选的，当代理服务器接收到HTTPS报文且未接收到源服务器发送的会话密码时，将HTTPS报文透传给源服务器。Optionally, when the proxy server receives the HTTPS packet and does not receive the session password sent by the source server, the proxy sends the HTTPS packet to the source server.

步骤613，源服务器通过安全通道向代理服务器发送会话密码。In step 613, the source server sends the session password to the proxy server through the secure channel.

需要说明的一点是，步骤612和步骤613的执行顺序不分先后，具体执行顺序根据实际情况确定。It should be noted that the execution order of step 612 and step 613 is in no particular order, and the specific execution order is determined according to actual conditions.

步骤614，代理服务器接收源服务器发送的会话密码，利用会话密码为客户端提供HTTPS服务。Step 614: The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.

具体的，代理服务器利用会话密码解析HTTPS报文，确定本地缓存是否存在对应的HTTPS服务数据。当本地缓存是不存在对应的HTTPS服务数据时，代理服务器将客户端发送的HTTPS报文透传给源服务器，由源服务器利用会话密码解析HTTPS报文向客户端提供HTTPS服务。Specifically, the proxy server parses the HTTPS packet by using the session password, and determines whether the corresponding HTTPS service data exists in the local cache. When the local cache does not have the corresponding HTTPS service data, the proxy server transparently transmits the HTTPS message sent by the client to the source server, and the source server uses the session password to parse the HTTPS message to provide the HTTPS service to the client.

当本地缓存是存在对应的HTTPS服务数据时，代理服务器利用会话密码解析HTTPS报文为客户端提供HTTPS服务。具体的，利用会话密码解析HTTPS报文为客户端提供HTTPS服务可参见步骤605的说明，此处不再赘述。When the local cache has the corresponding HTTPS service data, the proxy server uses the session password to parse the HTTPS message to provide the HTTPS service to the client. Specifically, the HTTPS packet is parsed by the session password to provide the HTTPS service for the client. For details, refer to the description of step 605, and details are not described herein.

需要说明的一点是，当代理服务器不需要启动协商流程时，代理服务器成为客户端与源服务器之间的透明代理，在客户端与源服务器之间进行数据透传，由源服务器为客户端提供HTTPS服务。It should be noted that when the proxy server does not need to initiate the negotiation process, the proxy server becomes a transparent proxy between the client and the source server, and data is transparently transmitted between the client and the source server, and the source server provides the client with the transparent transmission. HTTPS service.

综上所述，本实施例提供的信息交互的方法，代理服务器通过动态协商从源服务器获取会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided by the embodiment, the proxy server obtains the session password from the source server through dynamic negotiation, and solves the related problem that the source server needs to send the session password to the proxy server in advance, and the proxy server has more In the case of a problem, it is easy to cause a session password to be leaked. The effect of improving session password security is achieved.

实施例五，当源服务器需要基于HTTPS报文内容判定是否允许代理服务器代理，源服务器从代理服务器获取HTTPS报文。在源服务器基于HTTPS报文内容判定允许代理服务器代理HTTPS服务的情况下，源服务器将会话密码发送至代理服务器，以便代理服务器利用会话密码为客户端提供HTTPS服务。以下结合图7A对本发明提供的信息交互方法进行说明。In the fifth embodiment, when the source server needs to determine whether to allow the proxy server proxy based on the content of the HTTPS packet, the source server obtains the HTTPS packet from the proxy server. In the case where the source server determines that the proxy server is allowed to proxy the HTTPS service based on the HTTPS message content, the source server sends the session password to the proxy server, so that the proxy server provides the HTTPS service to the client by using the session password. The information interaction method provided by the present invention will be described below with reference to FIG. 7A.

请参考图7A，其示出了本发明再一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 7A, which shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention. This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:

步骤701，代理服务器接收客户端发送的用于请求建立HTTPS连接的建立请求，根据本地策略确定是否需要启动代理协商流程。Step 701: The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.

步骤702，在需要启动代理协商流程时，代理服务器向源服务器发送会话密码获取请求。Step 702: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.

步骤703，源服务器接收代理服务器发送的会话密码获取请求，根据参考信息确定是否允许代理服务器代理，得到第一判定结果。Step 703: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed according to the reference information, and obtains a first determination result.

步骤701至步骤703的说明可参见步骤601至步骤603的解释说明，此处不再赘述。For the description of the steps 701 to 703, refer to the explanation of the steps 601 to 603, and details are not described herein again.

步骤704，当第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，源服务器将第一判定结果发送至代理服务器，等待接收代理服务器透传的客户端发送的HTTPS报文。Step 704: When the first determination result is that it is determined whether the proxy server proxy is allowed based on the content of the HTTPS packet, the source server sends the first determination result to the proxy server, and waits for the HTTPS packet sent by the client transparently received by the proxy server.

具体的，源服务器利用安全通道将第一判定结果发送至代理服务器。Specifically, the source server sends the first determination result to the proxy server by using a secure channel.

步骤705，当代理服务器接收到的第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，代理服务器缓存接收到的客户端发送的HTTPS报文，并将客户端发送的HTTPS报文透传给源服务器。Step 705: When the first determination result received by the proxy server is that it is determined whether to allow the proxy server proxy based on the HTTPS packet content, the proxy server caches the received HTTPS packet sent by the client, and sends the HTTPS packet sent by the client. The text is transmitted to the source server.

在客户端与源服务器建立HTTPS连接后，客户端向代理服务器发送HTTPS报文。也就是说，在客户端与源服务器建立HTTPS连接后，代理服务器能够接收到客户端发送的HTTPS报文。After the client establishes an HTTPS connection with the source server, the client sends an HTTPS packet to the proxy server. That is, after the client establishes an HTTPS connection with the source server, the proxy server can receive the HTTPS packet sent by the client.

当代理服务器接收到的第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，将接收到的客户端发送的HTTPS报文进行缓存。以便源服务器在基于HTTPS报文内容判定允许代理服务器代理的情况下，代理服务器接收到源服务器发送的会话密码后，利用会话密码为客户端提供HTTPS服务。同时，代理服务器将HTTPS报文透传给源服务器，以便源服务器解析HTTPS报文确定出HTTPS报文内容，基于HTTPS报文内容判定是否允许代理服务器代理。When the first determination result received by the proxy server is that it is determined whether to allow the proxy server proxy based on the content of the HTTPS packet, the received HTTPS packet sent by the client is cached. So that the source server determines that the proxy server proxy is allowed based on the HTTPS message content. After receiving the session password sent by the source server, the server uses the session password to provide the client with an HTTPS service. At the same time, the proxy server transparently transmits the HTTPS packet to the source server, so that the source server parses the HTTPS packet to determine the content of the HTTPS packet, and determines whether to allow the proxy server proxy based on the content of the HTTPS packet.

步骤706，源服务器在接收到代理服务器透传的客户端发送的HTTPS报文后，根据接收到的HTTPS报文判定是否允许代理服务器。Step 706: After receiving the HTTPS packet sent by the client transparently transmitted by the proxy server, the source server determines whether the proxy server is allowed according to the received HTTPS packet.

具体的，源服务器通过安全通道接收代理服务器透传的HTTPS报文，利用会话密码解析HTTPS报文确定出HTTPS报文内容。源服务器在获知HTTPS报文内容后，根据HTTPS报文内容确定是否允许代理服务器，得到第二判定结果。Specifically, the source server receives the HTTPS packet transparently transmitted by the proxy server through the secure channel, and uses the session password to parse the HTTPS packet to determine the content of the HTTPS packet. After the source server learns the content of the HTTPS packet, it determines whether the proxy server is allowed according to the content of the HTTPS packet, and obtains the second determination result.

举例来讲，源服务器获知HTTPS报文内容为用户账号A的银行账户情况，银行业务禁止由代理服务器代理，则源服务器基于HTTPS报文内容判定出禁止代理服务器代理。For example, if the source server knows that the content of the HTTPS message is the bank account of the user account A, and the banking service is prohibited by the proxy server, the source server determines that the proxy server proxy is prohibited based on the content of the HTTPS message.

再举例来讲，源服务器获知HTTPS报文内容为小说资源下载，小说业务可以由代理服务器代理，则源服务器基于HTTPS报文内容判定出允许代理服务器代理。For another example, the source server learns that the content of the HTTPS message is a novel resource download, and the novel service may be proxyed by the proxy server, and the source server determines that the proxy server proxy is allowed based on the content of the HTTPS message.

在实际实现时，根据HTTPS报文内容确定是否允许代理服务器的方法有多种，本实施例对此不进行赘述，具体的可根据实际情况确定。In the actual implementation, the method for determining whether to allow the proxy server according to the content of the HTTPS packet is not described in detail in this embodiment, and the specific method may be determined according to actual conditions.

步骤707，源服务器在判定允许代理服务器代理时，向代理服务器发送与客户端约定的会话密码。Step 707: The source server sends a session password agreed with the client to the proxy server when determining that the proxy server proxy is allowed.

具体的，源服务器利用安全通道向代理服务器发送与客户端约定的会话密码。Specifically, the source server sends a session password agreed with the client to the proxy server by using a secure channel.

步骤708，代理服务器接收源服务器发送的会话密码，利用会话密码为客户端提供HTTPS服务。Step 708: The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.

步骤708的说明可参见步骤605的说明，此处不再赘述。For the description of step 708, refer to the description of step 605, and details are not described herein again.

综上所述，本实施例提供的信息交互的方法，通过在每一次客户端与源服务器建立HTTPS连接的过程中，源服务器动态判断是否允许代理服务器代理，在源服务器允许代理服务器代理的情况下，代理服务器从源服务器获取会话密码，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided by this embodiment is that, in each process of establishing an HTTPS connection between the client and the source server, the source server dynamically determines whether the proxy server proxy is allowed, and the proxy server proxy is allowed on the source server. Next, the proxy server obtains the session secret from the source server. The code solves the problem that the source server needs to send the session password to the proxy server in advance in the related art, and in the case that there are many proxy servers, the problem of the session password is easily leaked, and the effect of improving the security of the session password is achieved.

通过在第一判定结果为需要基于HTTPS报文内容判定否允许代理服务器代理时，源服务器向代理服务器发送会话密码，使得代理服务器能够利用会话密码代替源服务器向客户端提供HTTPS服务。The source server sends the session password to the proxy server by determining whether the proxy server proxy is allowed based on the HTTPS message content in the first determination result, so that the proxy server can use the session password instead of the source server to provide the HTTPS service to the client.

通过在第一判定结果为需要基于HTTPS报文内容确定是否允许代理服务器代理时，代理服务器对接收到的客户端发送的HTTPS报文进行了缓存。以便后续代理服务器在接收到源服务器发送的会话密码时，利用该会话密码解析HTTPS报文，为客户端提供HTTPS服务。The proxy server caches the HTTPS message sent by the received client by determining whether the proxy server proxy is allowed based on the content of the HTTPS message. In order for the subsequent proxy server to receive the session password sent by the source server, the session password is used to resolve the HTTPS message, and the client is provided with the HTTPS service.

通过在源服务器需要根据HTTPS报文内容判定是否允许代理服务器代理时，向源服务器发送HTTPS报文，以便于源服务器根据HTTPS报文内容判定是否允许代理服务器代理。When the source server needs to determine whether to allow the proxy server proxy according to the HTTPS message content, the HTTPS packet is sent to the source server, so that the source server determines whether to allow the proxy server proxy according to the content of the HTTPS packet.

实施例六，在一种可能的实现中，结合客户端与源服务器建立HTTPS连接的流程，对源服务器基于HTPPS报文内容允许代理服务器进行代理时，代理服务器从源服务器获取会话密码的过程进行举例说明。Embodiment 6 In a possible implementation, the process of establishing an HTTPS connection between the client and the source server is combined with the process of obtaining the session password from the source server when the source server allows the proxy server to proxy based on the content of the HTPPS message. for example.

请参考图7B，其示出了本发明再一示例性实施例提供的源服务器基于HTTPS报文内容判定允许代理服务器代理方法的流程图。本实施例以该源服务器需要基于HTTPS报文内容判定允许代理服务器代理方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 7B, which is a flowchart of a method for determining a proxy proxy proxy based on HTTPS message content provided by a source server according to still another exemplary embodiment of the present invention. In this embodiment, the source server needs to determine that the proxy server proxy method is used in the information interaction system shown in FIG. 1 based on the HTTPS packet content, and the method includes the following steps:

步骤709a1，客户端向代理服务器发送客户端问候消息Client Hello。In step 709a1, the client sends a client hello message Client Hello to the proxy server.

步骤709a2，代理服务器将客户端问候消息Client Hello透传给源服务器。In step 709a2, the proxy server transparently transmits the client hello message Client Hello to the source server.

步骤709b1，源服务器向代理服务器发送服务器问候消息Server Hello。In step 709b1, the source server sends a server hello message Server Hello to the proxy server.

步骤709b2，代理服务器将服务器问候消息Server Hello透传给客户端。In step 709b2, the proxy server transparently transmits the server hello message Server Hello to the client.

步骤709c1，源服务器向代理服务器发送证书certificate。In step 709c1, the source server sends a certificate certificate to the proxy server.

步骤709c2，代理服务器将证书certificate透传给客户端。In step 709c2, the proxy server transparently transmits the certificate certificate to the client.

步骤709d1，源服务器向代理服务器发送服务器问候结束Server Hello Done消息。In step 709d1, the source server sends a server hello to the proxy server to end the Server Hello Done message.

步骤709d2，代理服务器将服务器问候结束Server Hello Done消息透传给客户端。Step 709d2, the proxy server transparently transmits the server hello end Server Hello Done message to Client.

步骤709e1，客户端向代理服务器发送客户端密钥交换Client Key Exchange。In step 709e1, the client sends a client key exchange Client Key Exchange to the proxy server.

步骤709e2，代理服务器将客户端密钥交换Client Key Exchange透传给源服务器。In step 709e2, the proxy server transparently transmits the client key exchange Client Key Exchange to the source server.

步骤709f1，客户端向代理服务器发送密码变更声明Change Cipher Spec。In step 709f1, the client sends a password change statement Change Cipher Spec to the proxy server.

步骤709f2，代理服务器将密码变更声明Change Cipher Spec透传给源服务器。In step 709f2, the proxy server transparently transmits the password change statement Change Cipher Spec to the source server.

步骤709g1，客户端向服务器发送结束Finished消息。In step 709g1, the client sends an end Finished message to the server.

步骤709g2，代理服务器将结束Finished消息透传给源服务器。In step 709g2, the proxy server will end the Passed message to the source server.

步骤709h1，源服务器向代理服务器发送密码变更声明Change Cipher Spec。In step 709h1, the source server sends a password change statement Change Cipher Spec to the proxy server.

步骤709h2，代理服务器将密码变更声明Change Cipher Spec透传给客户端。In step 709h2, the proxy server transparently transmits the password change statement Change Cipher Spec to the client.

步骤709i1，源服务器向代理服务器发送结束Finished消息。In step 709i1, the source server sends an end Finished message to the proxy server.

步骤709i2，代理服务器将结束Finished消息透传给客户端。In step 709i2, the proxy server will end the Passed message to the client.

上述子步骤描述的是客户端与源服务器建立HTTPS连接，客户端与源服务器建立HTTPS连接为本领域普通技术人员所能实现的，本实施例对客户端与源服务器建立HTTPS连接过程所涉及的各个子步骤不再进行赘述。The foregoing sub-steps describe that the client establishes an HTTPS connection with the source server, and the client establishes an HTTPS connection with the source server, which is implemented by a person skilled in the art. In this embodiment, the HTTPS connection process between the client and the source server is involved. Each substep will not be described again.

步骤710，代理服务器根据本地策略确定是否需要启动代理协商流程。In step 710, the proxy server determines whether it is necessary to start the proxy negotiation process according to the local policy.

步骤710的说明可参见步骤601的解释说明，此处不再赘述。For the description of step 710, refer to the explanation of step 601, and details are not described herein again.

步骤710的说明可参见步骤602的解释说明，此处不再赘述。For the description of step 710, refer to the explanation of step 602, and details are not described herein again.

步骤711，在需要启动代理协商流程时，代理服务器通过安全通道向源服务器发送会话密码获取请求。Step 711: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.

步骤712，源服务器接收代理服务器发送的会话密码获取请求，根据参考信息确定是否允许代理服务器代理，得到第一判定结果。Step 712: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed according to the reference information, and obtains the first determination result.

步骤712的说明可参见步骤603的解释说明，此处不再赘述。For the description of step 712, refer to the explanation of step 603, and details are not described herein again.

步骤713，将第一判定结果通过安全通道发送至代理服务器。Step 713, the first determination result is sent to the proxy server through the secure channel.

步骤714，当代理服务器接收到的第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，缓存接收到的客户端发送的HTTPS报文。Step 714, when the first determination result received by the proxy server is required to be based on the HTTPS message When the content of the proxy server is allowed to be determined, the received HTTPS packet sent by the client is cached.

步骤715，将客户端发送的HTTPS报文透传给源服务器。Step 715: The HTTPS packet sent by the client is transparently transmitted to the source server.

步骤714和步骤715的说明可参见步骤705的解释说明，此处不再赘述。For the description of step 714 and step 715, refer to the explanation of step 705, and details are not described herein again.

步骤716，源服务器在接收到代理服务器透传的客户端发送的HTTPS报文后，根据接收到的HTTPS报文判定是否允许代理服务器，得到第二判定结果，将第二判定结果发送至代理服务器。Step 716: After receiving the HTTPS packet sent by the client transparently transmitted by the proxy server, the source server determines whether to allow the proxy server according to the received HTTPS packet, obtains a second determination result, and sends the second determination result to the proxy server. .

其中，第二判定结果为允许代理服务器代理，或者禁止代理服务器代理。The second determination result is that the proxy server proxy is allowed, or the proxy proxy is prohibited.

步骤716的说明可参见步骤706的解释说明，此处不再赘述。For the description of step 716, refer to the explanation of step 706, and details are not described herein again.

步骤717，当第二判定结果为允许代理服务器代理时，源服务向代理服务器发送与客户端约定的会话密码。Step 717: When the second determination result is that the proxy server agent is allowed, the source service sends the session password agreed with the client to the proxy server.

可选的，当第二判定结果为允许代理服务器代理时，源服务器利用安全通道向代理服务器发送第二判定结果。当代理服务器接收到的第二判定结果为允许代理服务器代理时，向源服务器发送确认已接收到第二判定结果的消息。Optionally, when the second determination result is that the proxy server proxy is allowed, the source server sends the second determination result to the proxy server by using the secure channel. When the second determination result received by the proxy server is to allow the proxy server proxy, a message is sent to the source server confirming that the second determination result has been received.

步骤718，代理服务器接收源服务器发送的会话密码，利用会话密码为客户端提供HTTPS服务。Step 718: The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.

利用会话密码解析HTTPS报文为客户端提供HTTPS服务可参见步骤614的说明，此处不再赘述。For the HTTPS service to be used to resolve the HTTPS packet by using the session password, refer to the description of step 614, and details are not described herein.

综上所述，本实施例提供的信息交互的方法，代理服务器通过动态协商从源服务器获取会话密码，源服务器基于HTTPS报文内容判定是否允许代理服务器代理，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, in the method for information interaction provided by the embodiment, the proxy server obtains the session password from the source server through dynamic negotiation, and the source server determines whether to allow the proxy server proxy based on the content of the HTTPS message, and solves the problem that the source server needs to be related in the related art. The session password is sent to the proxy server in advance. In the case of a large number of proxy servers, the problem of session password leakage is easily caused, and the security of the session password is improved.

实施例七，当源服务器需要基于HTTPS报文内容判定是否允许代理服务器代理，从代理服务器获取HTTPS报文。源服务器根据HTTPS报文内容确定是否允许代理服务器代理。在源服务器基于HTTPS报文内容判定禁止代理服务器代理HTTPS服务时，由源服务器会话密码为客户端提供HTTPS服务。以下结合图8A对本发明提供的信息交互方法进行说明。 In the seventh embodiment, when the source server needs to determine whether to allow the proxy server proxy based on the content of the HTTPS packet, the HTTPS packet is obtained from the proxy server. The source server determines whether to allow the proxy server proxy based on the HTTPS message content. When the source server determines to prohibit the proxy server proxy HTTPS service based on the HTTPS message content, the source server session password provides the client with an HTTPS service. The information interaction method provided by the present invention will be described below with reference to FIG. 8A.

请参考图8A，其示出了本发明再一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 8A, which shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention. This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:

步骤801，代理服务器接收客户端发送的用于请求建立HTTPS连接的建立请求，根据本地策略确定是否需要启动代理协商流程。Step 801: The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.

步骤802，在需要启动代理协商流程时，代理服务器向源服务器发送会话密码获取请求。Step 802: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.

步骤803，源服务器接收代理服务器发送的会话密码获取请求，根据参考信息确定是否允许代理服务器代理，得到第一判定结果。Step 803: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed according to the reference information, and obtains the first determination result.

步骤801至步骤803的说明可参见步骤601至步骤603的解释说明，此处不再赘述。For the description of the steps 801 to 803, refer to the explanation of the steps 601 to 603, and details are not described herein again.

步骤804，当第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，源服务器将第一判定结果发送至代理服务器，等待接收代理服务器透传的客户端发送的HTTPS报文。Step 804: When the first determination result is that it is determined whether the proxy server proxy is allowed to be based on the content of the HTTPS packet, the source server sends the first determination result to the proxy server, and waits for the HTTPS packet sent by the client transparently received by the proxy server.

步骤805，当代理服务器接收到的第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，代理服务器缓存接收到的客户端发送的HTTPS报文，并将客户端发送的HTTPS报文透传给源服务器。Step 805: When the first determination result received by the proxy server is that it is required to determine whether to allow the proxy server proxy based on the HTTPS packet content, the proxy server caches the received HTTPS packet sent by the client, and sends the HTTPS packet sent by the client. The text is transmitted to the source server.

步骤805的说明可参见步骤705的解释说明，此处不再赘述。For the description of step 805, refer to the explanation of step 705, and details are not described herein again.

步骤806，源服务器在接收到代理服务器透传的客户端发送的HTTPS报文后，根据接收到的HTTPS报文判定是否允许代理服务器代理。Step 806: After receiving the HTTPS message sent by the client transparently transmitted by the proxy server, the source server determines whether to allow the proxy server proxy according to the received HTTPS packet.

步骤805的说明可参见步骤706的解释说明，此处不再赘述。For the description of step 805, refer to the explanation of step 706, and details are not described herein again.

步骤807，在源服务器判定禁止代理服务器代理时，源服务器向代理服务器发送用于指示禁止代理服务器代理的第二判定结果，向客户端提供HTTPS服务。Step 807: When the source server determines that the proxy server proxy is disabled, the source server sends a second determination result indicating that the proxy proxy is prohibited to the proxy server, and provides the HTTPS service to the client.

其中，第二判定结果为允许代理服务器代理，或者禁止代理服务器代理，是源服务器根据接收到的HTTPS报文判定是否允许代理服务器代理得到的。The second determination result is that the proxy server proxy is allowed, or the proxy proxy is prohibited. The source server determines whether the proxy proxy is allowed according to the received HTTPS packet.

步骤808，当代理服务器接收到第二判定结果为禁止代理服务器代理时，将客户端的HTTPS报文发送至源服务器，删除已缓存的客户端的HTTPS报文。Step 808: When the proxy server receives the second determination result that the proxy server proxy is disabled, the HTTPS packet of the client is sent to the source server, and the HTTPS packet of the cached client is deleted.

当代理服务器在接收到第二判定结果为禁止代理服务器代理时，向源服务器发送确认已接收到第二判定结果的消息。源服务器在接收到代理服务器发送的确认已接收到第二判定结果的消息，源服务器获知此次代理协商流程已结束。此后，当源服务器再次接收到代理服务器发送的HTTPS报文时，则源服务器利用会话密码为客户端提供HTTPS服务。其中，代理服务器成为客户端和源服务器之间的透明代理，在客户端和源服务器之间进行数据透传。When the proxy server receives the second determination result as disabling the proxy server proxy, it sends a message to the source server confirming that the second determination result has been received. The source server is sending a proxy server The confirmation has received the message of the second determination result, and the source server is informed that the agent negotiation process has ended. Thereafter, when the source server receives the HTTPS message sent by the proxy server again, the source server uses the session password to provide the HTTPS service to the client. Among them, the proxy server becomes a transparent proxy between the client and the source server, and data is transparently transmitted between the client and the source server.

综上所述，本实施例提供的信息交互的方法，通过动态协商从源服务器获取会话密码，源服务器基于HTTPS报文内容判定是否允许代理服务器代理，解决了相关技术中源服务器需要将会话密码预先发送给代理服务器，在代理服务器较多的情况下，容易导致会话密码泄露的问题，达到了提高会话密码安全性的效果。In summary, the method for information interaction provided in this embodiment obtains a session password from a source server through dynamic negotiation, and the source server determines whether to allow a proxy server proxy based on the content of the HTTPS packet, and solves the problem that the source server needs to use the session password in the related art. It is sent to the proxy server in advance. When there are many proxy servers, it is easy to cause the session password to leak, and the effect of improving the security of the session password is achieved.

通过在第二判定结果为禁止代理服务器代理时，向代理服务器发送用于指示禁止代理服务器代理的第二判定结果，代理服务器在接收到第二判定结果后，成为源服务器和客户端之间的透明代理，在源服务器和客户端之间透传数据，以便源服务器能够向客户端提供HTTPS服务。When the second determination result is that the proxy server proxy is disabled, the second determination result indicating that the proxy server proxy is prohibited is sent to the proxy server, and after receiving the second determination result, the proxy server becomes between the source server and the client. A transparent proxy that transparently passes data between the source server and the client so that the source server can provide HTTPS services to the client.

通过在第二判定结果为禁止代理服务器代理时，代理服务器对已缓存的HTTPS报文进行了删除，节省了代理服务器的存储空间。When the second determination result is that the proxy server proxy is disabled, the proxy server deletes the cached HTTPS packet, which saves the storage space of the proxy server.

实施例八，在一种可能的实现中，结合客户端与源服务器建立HTTPS连接的流程，对源服务器基于HTPPS报文内容禁止代理服务器进行代理时，由源服务器为客户端提供HTTPS服务的过程进行举例说明。In a possible implementation, in a possible implementation, the process of establishing an HTTPS connection between the client and the source server, and the process of providing the HTTPS service by the source server to the client when the source server prohibits the proxy server based on the HTPPS packet content Give an example.

结合图8B，其示出了本发明再一示例性实施例提供的源服务器基于HTTPS报文内容判定禁止代理服务器代理方法的流程图。本实施例以该源服务器基于HTTPS报文内容判定禁止代理服务器代理方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：8B is a flowchart showing a method for determining a proxy proxy proxy proxy based on HTTPS message content provided by a source server according to still another exemplary embodiment of the present invention. In this embodiment, the source server determines that the proxy proxy proxy proxy method is used in the information interaction system shown in FIG. 1 based on the HTTPS packet content. The method includes the following steps:

步骤809a1，客户端向代理服务器发送客户端问候消息Client Hello。In step 809a1, the client sends a client hello message Client Hello to the proxy server.

步骤809a2，代理服务器将客户端问候消息Client Hello透传给源服务器。In step 809a2, the proxy server transparently transmits the client hello message Client Hello to the source server.

步骤809b1，源服务器向代理服务器发送服务器问候消息Server Hello。In step 809b1, the source server sends a server hello message Server Hello to the proxy server.

步骤809b2，代理服务器将服务器问候消息Server Hello透传给客户端。 In step 809b2, the proxy server transparently transmits the server hello message Server Hello to the client.

步骤809c1，源服务器向代理服务器发送证书certificate。In step 809c1, the source server sends a certificate certificate to the proxy server.

步骤809c2，代理服务器将证书certificate透传给客户端。In step 809c2, the proxy server transparently transmits the certificate certificate to the client.

步骤809d1，源服务器向代理服务器发送服务器问候结束Server Hello Done消息。In step 809d1, the source server sends a server hello to the proxy server to end the Server Hello Done message.

步骤809d2，代理服务器将服务器问候结束Server Hello Done消息透传给客户端。In step 809d2, the proxy server transparently transmits the server hello end Server Hello Done message to the client.

步骤809e1，客户端向代理服务器发送客户端密钥交换Client Key Exchange。In step 809e1, the client sends a client key exchange Client Key Exchange to the proxy server.

步骤809e2，代理服务器将客户端密钥交换Client Key Exchange透传给源服务器。In step 809e2, the proxy server transparently transmits the client key exchange Client Key Exchange to the source server.

步骤809f1，客户端向代理服务器发送密码变更声明Change Cipher Spec。In step 809f1, the client sends a password change statement Change Cipher Spec to the proxy server.

步骤809f2，代理服务器将密码变更声明Change Cipher Spec透传给源服务器。In step 809f2, the proxy server transparently transmits the password change statement Change Cipher Spec to the source server.

步骤809g1，客户端向服务器发送结束Finished消息。In step 809g1, the client sends an end Finished message to the server.

步骤809g2，代理服务器将结束Finished消息透传给源服务器。In step 809g2, the proxy server will end the Passed message to the source server.

步骤809h1，源服务器向代理服务器发送密码变更声明Change Cipher Spec。In step 809h1, the source server sends a password change statement Change Cipher Spec to the proxy server.

步骤809h2，代理服务器将密码变更声明Change Cipher Spec透传给客户端。In step 809h2, the proxy server transparently transmits the password change statement Change Cipher Spec to the client.

步骤809i1，源服务器向代理服务器发送结束Finished消息。In step 809i1, the source server sends an end Finished message to the proxy server.

步骤809i2，代理服务器将结束Finished消息透传给客户端。In step 809i2, the proxy server will end the Passed message to the client.

步骤810，代理服务器根据本地策略确定是否需要启动代理协商流程。In step 810, the proxy server determines whether it is necessary to start the proxy negotiation process according to the local policy.

步骤810的说明可参见步骤601的解释说明，此处不再赘述。For the description of step 810, refer to the explanation of step 601, and details are not described herein again.

步骤810的说明可参见步骤602的解释说明，此处不再赘述。For the description of step 810, refer to the explanation of step 602, and details are not described herein again.

步骤811，在需要启动代理协商流程时，代理服务器通过安全通道向源服务器发送会话密码获取请求。 Step 811: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.

步骤812，源服务器接收代理服务器发送的会话密码获取请求，判定是否允许代理服务器代理，得到第一判定结果。Step 812: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed, and obtains the first determination result.

步骤812的说明可参见步骤603的解释说明，此处不再赘述。For the description of step 812, refer to the explanation of step 603, and details are not described herein again.

步骤813，将第一判定结果通过安全通道发送至代理服务器。In step 813, the first determination result is sent to the proxy server through the secure channel.

步骤814，当代理服务器接收到的第一判定结果为需要基于HTTPS报文内容判定是否允许代理服务器代理时，缓存接收到的客户端发送的HTTPS报文。Step 814: When the first determination result received by the proxy server is that it is required to determine whether to allow the proxy server proxy based on the content of the HTTPS packet, the HTTPS packet sent by the received client is cached.

步骤815，将客户端发送的HTTPS报文透传给源服务器。Step 815: The HTTPS packet sent by the client is transparently transmitted to the source server.

步骤814和步骤815的说明可参见步骤705的解释说明，此处不再赘述。For the description of step 814 and step 815, refer to the explanation of step 705, and details are not described herein again.

步骤816，源服务器在接收到代理服务器透传的客户端发送的HTTPS报文后，根据接收到的HTTPS报文判定是否允许代理服务器，得到第二判定结果。Step 816: After receiving the HTTPS packet sent by the client transparently transmitted by the proxy server, the source server determines whether the proxy server is allowed according to the received HTTPS packet, and obtains a second determination result.

步骤816的说明可参见步骤706的解释说明，此处不再赘述。For the description of step 816, refer to the explanation of step 706, and details are not described herein again.

步骤817，当代理服务器接收到第二判定结果为禁止代理服务器代理时，将已缓存的客户端的HTTPS报文透传给源服务器后，删除已缓存的客户端的HTTPS报文。Step 817: When the proxy server receives the second determination result that the proxy server proxy is disabled, the HTTPS packet of the cached client is transparently transmitted to the source server, and the HTTPS packet of the cached client is deleted.

可选的，当第二判定结果为禁止代理服务器代理时，源服务器利用安全通道向代理服务器发送第二判定结果。当代理服务器接收到的第二判定结果为禁止代理服务器代理时，向源服务器发送确认已接收到第二判定结果的消息。Optionally, when the second determination result is that the proxy server proxy is disabled, the source server sends the second determination result to the proxy server by using the secure channel. When the second determination result received by the proxy server is to disable the proxy server proxy, a message is sent to the source server confirming that the second determination result has been received.

步骤818，源服务器接收代理服务器发送的HTTPS报文，利用会话密码解析HTTPS报文为客户端提供HTTPS服务。In step 818, the source server receives the HTTPS packet sent by the proxy server, and uses the session password to parse the HTTPS packet to provide the HTTPS service for the client.

综上所述，本实施例提供的信息交互的方法，通过动态协商从源服务器获取会话密码，当源服务器基于HTTPS报文内容判定禁止代理服务器代理，仍然由源服务器为客户端提供HTTPS服务，代理服务器成为客户端和源服务器之间的透明代理。In summary, the method for information interaction provided in this embodiment obtains a session password from a source server through dynamic negotiation. When the source server determines to prohibit the proxy server proxy based on the content of the HTTPS packet, the source server still provides the HTTPS service for the client. The proxy server becomes a transparent proxy between the client and the source server.

实施例九，当源服务器禁止代理服务器代理HTTPS服务时，由代理服务器利用会话密码为客户端提供HTTPS服务。以下结合图9A对本发明提供的信息交互方法进行说明。 In the ninth embodiment, when the source server prohibits the proxy server from proxying the HTTPS service, the proxy server provides the HTTPS service to the client by using the session password. The information interaction method provided by the present invention will be described below with reference to FIG. 9A.

请参考图9A，其示出了本发明再一示例性实施例提供的信息交互方法的流程图。本实施例以该信息交互方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：Please refer to FIG. 9A, which shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention. This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:

步骤901，代理服务器接收客户端发送的用于请求建立HTTPS连接的建立请求，根据本地策略确定是否需要启动代理协商流程。Step 901: The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.

步骤902，在需要启动代理协商流程时，代理服务器向源服务器发送会话密码获取请求。Step 902: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.

步骤903，源服务器接收代理服务器发送的会话密码获取请求，判定是否允许代理服务器代理，得到第一判定结果。Step 903: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed, and obtains the first determination result.

步骤901至步骤903的说明可参见步骤601至步骤603的解释说明，此处不再赘述。For the description of the steps 901 to 903, refer to the explanation of the steps 601 to 603, and details are not described herein again.

步骤904，源服务器将第一判定结果发送给代理服务器。In step 904, the source server sends the first determination result to the proxy server.

可选的，源服务器在判定禁止代理服务器代理时，向代理服务器发送第一判定结果以及禁止代理服务器代理的原因信息。Optionally, when determining that the proxy server proxy is disabled, the source server sends the first determination result to the proxy server and the reason information of the proxy server proxy.

相应的，当代理服务器接收到的第一判定结果为禁止代理服务器代理且禁止代理服务器代理的原因信息，利用原因信息更新代理服务器的本地策略。举例来讲，代理服务器将禁止代理的源服务器确定为协商黑名单。Correspondingly, when the first determination result received by the proxy server is the reason information for disabling the proxy server proxy and prohibiting the proxy server proxy, the local information of the proxy server is updated by using the cause information. For example, the proxy server will block the source server of the proxy from being determined to be a blacklist.

步骤905，当代理服务器接收到的第一判定结果为禁止代理服务器代理，代理服务器成为客户端与源服务器之间的透明代理，在客户端与源服务器之间进行数据透传。Step 905: When the first determination result received by the proxy server is prohibiting the proxy server proxy, the proxy server becomes a transparent proxy between the client and the source server, and data is transparently transmitted between the client and the source server.

具体的，代理服务器在接收到禁止代理服务器代理的第一判定结果后，成为客户端与源服务器之间的透明代理。具体的，代理服务器将客户端发送的HTTPS报文发送至源服务器，由源服务器将HTTPS服务数据发送至代理服务器，代理服务器将HTTPS服务数据透传给客户端。Specifically, after receiving the first determination result of prohibiting the proxy server proxy, the proxy server becomes a transparent proxy between the client and the source server. Specifically, the proxy server sends the HTTPS packet sent by the client to the source server, and the source server sends the HTTPS service data to the proxy server, and the proxy server transparently transmits the HTTPS service data to the client.

可选的，源服务器在判定禁止代理服务器代理后，将禁止代理服务器代理的第一判定结果以及禁止代理服务器代理的原因。而当代理服务器接收第一判定结果为禁止代理服务器代理且包括禁止代理服务器代理的原因信息时，利用原因信息更新本地策略。Optionally, after determining that the proxy server proxy is disabled, the source server prohibits the first determination result of the proxy server proxy and the reason for prohibiting the proxy server proxy. When the proxy server receives the first determination result as disabling the proxy server proxy and including the reason information for disabling the proxy server proxy, the local policy is updated with the cause information.

举例来讲，源服务器禁止代理服务器代理的原因是源服务器不信任该代理服务器，则代理服务器可将源服务器作为协商黑名单保存至代理服务器的本地策略。 For example, if the source server prohibits the proxy server proxy because the source server does not trust the proxy server, the proxy server can save the source server as a negotiated blacklist to the proxy server's local policy.

实施例十，在一种可能的实现中，结合客户端与源服务器建立HTTPS连接的流程，对源服务器禁止代理服务器进行代理时，源服务器为客户端提供HTTPS服务的过程进行举例说明。In a possible implementation, in a possible implementation, the process of establishing an HTTPS connection between the client and the source server is combined with the process of the source server providing the HTTPS service to the client when the source server prohibits the proxy server from being proxyed.

结合图9B，其示出了本发明再一示例性实施例提供的源服务器禁止代理服务器代理HTTPS服务的方法的流程图。本实施例以该信息交互方法用于如图1所示的信息交互系统中来举例说明，该方法包括以下几个步骤：9B, a flowchart of a method for a source server to prohibit a proxy server to proxy an HTTPS service according to still another exemplary embodiment of the present invention is shown. This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:

步骤909a1，客户端向代理服务器发送客户端问候消息Client Hello。In step 909a1, the client sends a client hello message Client Hello to the proxy server.

步骤909a2，代理服务器将客户端问候消息Client Hello透传给源服务器。In step 909a2, the proxy server transparently transmits the client hello message Client Hello to the source server.

步骤909b1，源服务器向代理服务器发送服务器问候消息Server Hello。In step 909b1, the source server sends a server hello message Server Hello to the proxy server.

步骤909b2，代理服务器将服务器问候消息Server Hello透传给客户端。In step 909b2, the proxy server transparently transmits the server hello message Server Hello to the client.

步骤909c1，源服务器向代理服务器发送证书certificate。In step 909c1, the source server sends a certificate certificate to the proxy server.

步骤909c2，代理服务器将证书certificate透传给客户端。In step 909c2, the proxy server transparently transmits the certificate certificate to the client.

步骤909d1，源服务器向代理服务器发送服务器问候结束Server Hello Done消息。In step 909d1, the source server sends a server hello to the proxy server to end the Server Hello Done message.

步骤909d2，代理服务器将服务器问候结束Server Hello Done消息透传给客户端。In step 909d2, the proxy server transparently transmits the server hello end Server Hello Done message to the client.

步骤909e1，客户端向代理服务器发送客户端密钥交换Client Key Exchange。In step 909e1, the client sends a client key exchange Client Key Exchange to the proxy server.

步骤909e2，代理服务器将客户端密钥交换Client Key Exchange透传给源服务器。In step 909e2, the proxy server transparently transmits the client key exchange Client Key Exchange to the source server.

步骤909f1，客户端向代理服务器发送密码变更声明Change Cipher Spec。 In step 909f1, the client sends a password change statement Change Cipher Spec to the proxy server.

步骤909f2，代理服务器将密码变更声明Change Cipher Spec透传给源服务器。In step 909f2, the proxy server transparently transmits the password change statement Change Cipher Spec to the source server.

步骤909g1，客户端向服务器发送结束Finished消息。In step 909g1, the client sends an end Finished message to the server.

步骤909g2，代理服务器将结束Finished消息透传给源服务器。In step 909g2, the proxy server will end the Passed message to the source server.

步骤909h1，源服务器向代理服务器发送密码变更声明Change Cipher Spec。In step 909h1, the source server sends a password change statement Change Cipher Spec to the proxy server.

步骤909h2，代理服务器将密码变更声明Change Cipher Spec透传给客户端。In step 909h2, the proxy server transparently transmits the password change statement Change Cipher Spec to the client.

步骤909i1，源服务器向代理服务器发送结束Finished消息。In step 909i1, the source server sends an end Finished message to the proxy server.

步骤909i2，代理服务器将结束Finished消息透传给客户端。In step 909i2, the proxy server will end the Passed message to the client.

步骤910，代理服务器根据本地策略确定是否需要启动代理协商流程。In step 910, the proxy server determines whether it is necessary to start the proxy negotiation process according to the local policy.

步骤910的说明可参见步骤601的解释说明，此处不再赘述。For the description of the step 910, refer to the explanation of the step 601, and details are not described herein again.

步骤911，在需要启动代理协商流程时，代理服务器通过安全通道向源服务器发送会话密码获取请求。Step 911: When the agent negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.

步骤912，源服务器接收代理服务器发送的会话密码获取请求，判定是否允许代理服务器代理，得到第一判定结果。Step 912: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed, and obtains the first determination result.

步骤912的说明可参见步骤603的解释说明，此处不再赘述。For the description of step 912, refer to the explanation of step 603, and details are not described herein again.

步骤913，将第一判定结果通过安全通道发送至代理服务器。In step 913, the first determination result is sent to the proxy server through the secure channel.

步骤914，当代理服务器接收到的第一判定结果为禁止代理服务器代理时，成为客户端与源服务器之间的透明代理。Step 914: When the first determination result received by the proxy server is to disable the proxy server proxy, it becomes a transparent proxy between the client and the source server.

本步骤的说明可参见步骤905，此处不再赘述。For the description of this step, refer to step 905, and details are not described herein again.

可选的，当代理服务器接收到禁止代理服务器代理的第一判定结果后，代理服务器向源服务器发送确认已接收到第一判定结果的消息。Optionally, after the proxy server receives the first determination result of disabling the proxy server proxy, the proxy server sends a message to the source server confirming that the first determination result has been received.

综上所述，本实施例提供的信息交互的方法，通过将禁止代理服务器代理的原因信息来更新代理服务器的本地策略，以便后续过程中直接不启动代理协商流程，提高代理协商的效率。In summary, the method for information interaction provided in this embodiment updates the local policy of the proxy server by prohibiting the cause information of the proxy server proxy, so that the proxy association is not directly started in the subsequent process. Business process to improve the efficiency of agent negotiation.

另外，源服务器在判断是否允许代理服务器代理，可通过如图9C所示的几个步骤实现。In addition, the source server determines whether to allow the proxy server proxy, which can be implemented by several steps as shown in FIG. 9C.

步骤915，从会话密码获取请求中获取参考信息，该参考信息至少包括代理服务器的信息、会话密码获取请求中包含的客户端的信息以及源服务器的本地状态中的至少一种。Step 915: Obtain reference information from the session password acquisition request, where the reference information includes at least one of information of the proxy server, information of the client included in the session password acquisition request, and a local state of the source server.

这里所讲的代理服务器信息为唯一标识代理服务器的信息，比如，代理服务器的信息可以为代理服务器的标识；再比如，代理服务器的信息可以为代理服务器的互联网协议(英文：internet protocol，IP)地址。The proxy server information mentioned here is information that uniquely identifies the proxy server. For example, the information of the proxy server may be the identifier of the proxy server; for example, the information of the proxy server may be the internet protocol of the proxy server (English: internet protocol, IP) address.

这里所讲的客户端信息为唯一标识客户端的信息，比如，客户端的信息可以为客户端的标识；再比如，客户端的信息可以为客户端的IP地址。The client information mentioned here is information that uniquely identifies the client. For example, the information of the client may be the identifier of the client; for example, the information of the client may be the IP address of the client.

步骤916，根据参考信息以及源服务器的本地策略确定是否允许该代理服务器代理，得到第一判定结果。Step 916, determining whether to allow the proxy server proxy according to the reference information and the local policy of the source server, to obtain a first determination result.

本步骤可以通过以下几种可能的实施方式实现。This step can be implemented by the following possible implementations.

在第一种可能的实施方式中，获取源服务器所建立的HTTPS连接的数量，当该数量大于第一预定阈值时，将第一判定结果确定为允许代理服务器代理。In a first possible implementation manner, the number of HTTPS connections established by the source server is obtained, and when the number is greater than the first predetermined threshold, the first determination result is determined to be a proxy server proxy.

一般来讲，第一预定阈值由系统开发人员设定，且用于判定源服务器的本地状态。当源服务器所建立的HTTPS连接的数量大于第一预定阈值时，认为源服务器承载的HTTPS服务较多，可由代理服务器代替源服务器为客户端提供HTTPS服务以减轻源服务器的负荷，将第一判定结果确定为允许代理服务器代理。Generally, the first predetermined threshold is set by the system developer and is used to determine the local state of the source server. When the number of HTTPS connections established by the source server is greater than the first predetermined threshold, it is considered that the source server carries more HTTPS services, and the proxy server may provide the HTTPS service for the client instead of the source server to reduce the load of the source server, and the first determination is performed. The result is determined to allow the proxy server proxy.

在第二种可能的实施方式中，获取源服务器的负荷率，当该负荷率大于第二预定阈值时，将第一判定结果确定为允许代理服务器代理。In a second possible implementation manner, a load rate of the source server is obtained, and when the load rate is greater than a second predetermined threshold, the first determination result is determined to be a proxy server proxy.

一般来讲，第二预定阈值由系统开发人员设定，且用于判定源服务器的本地状态。当服务器的负荷率大于第二预定阈值时，认为源服务器负荷较大，可由代理服务器代替源服务器为客户端提供HTTPS服务以减轻源服务器的负荷，将第一判定结果确定为允许代理服务器代理。In general, the second predetermined threshold is set by the system developer and is used to determine the local state of the source server. When the load rate of the server is greater than the second predetermined threshold, the source server is considered to be heavily loaded, and the proxy server may provide the HTTPS service to the client instead of the source server to reduce the load of the source server, and determine the first determination result as the proxy server proxy.

在第三种可能的实施方式中，获取源服务器限定的黑名单和/或白名单，当参考信息包含的信息位于白名单时，则将第一判定结果确定为允许代理服务器代理。 In a third possible implementation manner, the blacklist and/or whitelist defined by the source server is obtained, and when the information included in the reference information is in the whitelist, the first determination result is determined to be the proxy server proxy.

其中，黑名单至少包括代理服务器黑名单和客户端黑名单中的任意一种，白名单至少包括代理服务器白名单和客户端白名单中的任意一种。The blacklist includes at least one of a proxy server blacklist and a client blacklist, and the whitelist includes at least one of a proxy server whitelist and a client whitelist.

在第四种可能的实施方式中，获取源服务器限定的黑名单和/或白名单，当参考信息包含位于黑名单的信息时，则将第一判定结果确定为禁止代理服务器代理。In a fourth possible implementation manner, the source server defines a blacklist and/or a whitelist. When the reference information includes the information in the blacklist, the first determination result is determined to be a proxy proxy proxy.

在第五种可能的实施方式中，当参考信息包含的信息未位于白名单且未位于黑名单时，则将第一判定结果确定为需要基于HTTPS报文内容判定是否允许代理服务器代理。In a fifth possible implementation manner, when the information included in the reference information is not in the white list and is not in the blacklist, the first determination result is determined to be determined whether the proxy server proxy is allowed to be based on the HTTPS message content.

可选的，将实施例三、四、五以及六中代理服务器所执行的步骤可利用编程语言实现，并将编程语言封装成软件开发工具包，则代理服务器直接调用该软件开发工具包即可实现上述信息交互方法。将实施例三、四、五以及六中源服务器所执行的步骤利用编程语言实现，并将编程语言封装成软件开发工具包，则源服务器直接调用该软件开发工具包即可实现上述信息交互方法。Optionally, the steps performed by the proxy server in the third, fourth, fifth, and sixth embodiments may be implemented in a programming language, and the programming language is packaged into a software development toolkit, and the proxy server directly invokes the software development toolkit. Implement the above information interaction method. The steps performed by the source servers in the third, fourth, fifth and sixth embodiments are implemented in a programming language, and the programming language is packaged into a software development toolkit, and the source server directly invokes the software development toolkit to implement the above information interaction method. .

请参考图10，其示出了本发明一个实施例提供的信息交互装置的框图。该信息交互装置可以通过软件、硬件或者两者的结合实现成为代理服务器的全部或者一部分。本实施例以该装置用于如图1所示的代理服务器120中来举例说明，该信息交互装置可以包括：发送单元1010和执行单元1020。Please refer to FIG. 10, which is a block diagram of an information interaction apparatus according to an embodiment of the present invention. The information interaction device can be implemented as all or part of the proxy server by software, hardware or a combination of both. This embodiment is exemplified by the apparatus used in the proxy server 120 shown in FIG. 1. The information interaction apparatus may include: a sending unit 1010 and an executing unit 1020.

发送单元1010，用于实现上述步骤401功能。The sending unit 1010 is configured to implement the foregoing step 401 function.

执行单元1020，用于实现上述步骤402功能。The executing unit 1020 is configured to implement the foregoing step 402 function.

可选地，该信息交互装置还包括：接收单元1030。Optionally, the information interaction device further includes: a receiving unit 1030.

在实施例三中，发送单元1010用于执行步骤602，执行单元1020用于执行步骤601，接收单元1030用于执行步骤604和605。In the third embodiment, the sending unit 1010 is configured to perform step 602, the executing unit 1020 is configured to perform step 601, and the receiving unit 1030 is configured to perform steps 604 and 605.

在实施例四中，发送单元1010用于执行步骤608，执行单元1020用于执行步骤607、步骤611和步骤614，接收单元1030用于执行步骤612和步骤614。In the fourth embodiment, the sending unit 1010 is configured to perform step 608, the executing unit 1020 is configured to perform step 607, step 611, and step 614, and the receiving unit 1030 is configured to perform step 612 and step 614.

在实施例五中，发送单元1010用于执行步骤702和步骤705，执行单元1020用于执行步骤701和步骤708，接收单元1030用于执行步骤705。In the fifth embodiment, the sending unit 1010 is configured to perform step 702 and step 705, the executing unit 1020 is configured to perform step 701 and step 708, and the receiving unit 1030 is configured to perform step 705.

在实施例六中，发送单元1010用于执行步骤711和步骤715，执行单元1020用于执行步骤710、步骤714和步骤718，接收单元1030用于执行步骤714。 In the sixth embodiment, the sending unit 1010 is configured to perform step 711 and step 715, the executing unit 1020 is configured to perform step 710, step 714 and step 718, and the receiving unit 1030 is configured to perform step 714.

在实施例七中，发送单元1010用于执行步骤802和步骤805，执行单元1020用于执行步骤801和步骤808，接收单元1030用于执行步骤808。In the seventh embodiment, the sending unit 1010 is configured to perform step 802 and step 805, the executing unit 1020 is configured to perform step 801 and step 808, and the receiving unit 1030 is configured to perform step 808.

在实施例八中，发送单元1010用于执行步骤811和步骤815，执行单元1020用于执行步骤810和步骤814，接收单元1030用于执行步骤814。In the eighth embodiment, the sending unit 1010 is configured to perform step 811 and step 815, the executing unit 1020 is configured to perform step 810 and step 814, and the receiving unit 1030 is configured to perform step 814.

在实施例九中，发送单元1010用于执行步骤902，执行单元1020用于执行步骤901和步骤904，接收单元1030用于执行步骤904。In the ninth embodiment, the sending unit 1010 is configured to perform step 902, the executing unit 1020 is configured to perform step 901 and step 904, and the receiving unit 1030 is configured to perform step 904.

在实施例十中，发送单元1010用于执行步骤910，执行单元1020用于执行步骤911，接收单元1030用于执行步骤914。In the tenth embodiment, the sending unit 1010 is configured to perform step 910, the executing unit 1020 is configured to perform step 911, and the receiving unit 1030 is configured to perform step 914.

发送单元1010由图2所示代理服务器120的发送模块执行，执行单元1020由图2所示代理服务器120的执行模块执行，接收单元1030由图2所示代理服务器120的接收模块执行。The transmitting unit 1010 is executed by the transmitting module of the proxy server 120 shown in FIG. 2, the executing unit 1020 is executed by the executing module of the proxy server 120 shown in FIG. 2, and the receiving unit 1030 is executed by the receiving module of the proxy server 120 shown in FIG. 2.

相关细节可结合参考上述方法实施例。Related details can be combined with reference to the above method embodiments.

请参考图11，其示出了本发明一个实施例提供的信息交互装置的框图。该信息交互装置可以通过软件、硬件或者两者的结合实现成为用户设备的全部或者一部分。本实施例以该装置用于如图1所示的源服务器140中来举例说明，该信息交互装置可以包括：接收单元1110、执行单元1120和发送单元1130。Please refer to FIG. 11, which is a block diagram of an information interaction apparatus according to an embodiment of the present invention. The information interaction device can be implemented as all or part of the user equipment by software, hardware or a combination of both. This embodiment is illustrated by using the apparatus in the source server 140 shown in FIG. 1. The information interaction apparatus may include: a receiving unit 1110, an executing unit 1120, and a sending unit 1130.

接收单元1110，用于实现上述步骤501功能。The receiving unit 1110 is configured to implement the foregoing step 501 function.

执行单元1120，用于实现上述步骤502功能。The executing unit 1120 is configured to implement the foregoing step 502 function.

发送单元1130，用于实现上述步骤503功能。The sending unit 1130 is configured to implement the foregoing step 503 function.

可选地，在实施例三中，接收单元1110用于执行步骤603，执行单元1120用于执行步骤603，发送单元1130用于执行步骤604。Optionally, in the third embodiment, the receiving unit 1110 is configured to perform step 603, the executing unit 1120 is configured to perform step 603, and the sending unit 1130 is configured to perform step 604.

在实施例四中，接收单元1110用于执行步骤609，执行单元1120用于执行步骤609，发送单元1130用于执行步骤613和步骤610。In the fourth embodiment, the receiving unit 1110 is configured to perform step 609, the executing unit 1120 is configured to perform step 609, and the sending unit 1130 is configured to perform step 613 and step 610.

在实施例五中，接收单元1110用于执行步骤706，执行单元1120用于执行步骤706，发送单元1130用于执行步骤704和步骤707。In the fifth embodiment, the receiving unit 1110 is configured to perform step 706, the executing unit 1120 is configured to perform step 706, and the sending unit 1130 is configured to perform step 704 and step 707.

在实施例六中，接收单元1110用于执行步骤712，执行单元1120用于执行步骤712和步骤716，发送单元1130用于执行步骤713和步骤717。In the sixth embodiment, the receiving unit 1110 is configured to perform step 712, the executing unit 1120 is configured to perform step 712 and step 716, and the sending unit 1130 is configured to perform step 713 and step 717.

在实施例七中，接收单元1110用于执行步骤806，执行单元1120用于执行步骤806，发送单元1130用于执行步骤804和步骤807。 In the seventh embodiment, the receiving unit 1110 is configured to perform step 806, the executing unit 1120 is configured to perform step 806, and the sending unit 1130 is configured to perform step 804 and step 807.

在实施例八中，接收单元1110用于执行步骤815和步骤817，执行单元1120用于执行步骤812、步骤816和步骤818，发送单元1130用于执行步骤813。In the eighth embodiment, the receiving unit 1110 is configured to perform step 815 and step 817, the executing unit 1120 is configured to perform step 812, step 816, and step 818, and the sending unit 1130 is configured to perform step 813.

在实施例九中，接收单元1110用于执行步骤903，执行单元1120用于执行步骤903，发送单元1130用于执行步骤904。In the ninth embodiment, the receiving unit 1110 is configured to perform step 903, the executing unit 1120 is configured to perform step 903, and the sending unit 1130 is configured to perform step 904.

在实施例十中，接收单元1110用于执行步骤912，执行单元1120用于执行步骤912，发送单元1130用于执行步骤913。In the tenth embodiment, the receiving unit 1110 is configured to perform step 912, the executing unit 1120 is configured to perform step 912, and the sending unit 1130 is configured to perform step 913.

接收单元1110由图3所示源服务器140的接收模块执行，执行单元1120由图3所示源服务器140的执行模块执行，发送单元1130由图3所示源服务器140的发送模块执行。The receiving unit 1110 is executed by the receiving module of the source server 140 shown in FIG. 3, the executing unit 1120 is executed by the executing module of the source server 140 shown in FIG. 3, and the transmitting unit 1130 is executed by the transmitting module of the source server 140 shown in FIG.

本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成，也可以通过程序来指令相关的硬件完成，所述的程序可以存储于一种计算机可读存储介质中，上述提到的存储介质可以是只读存储器，磁盘或光盘等。A person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium. The storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

以上所述仅为本发明的较佳实施例，并不用以限制本发明，凡在本发明的精神和原则之内，所作的任何修改、等同替换、改进等，均应包含在本发明的保护范围之内。 The above are only the preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalents, improvements, etc., which are within the spirit and scope of the present invention, should be included in the protection of the present invention. Within the scope.

Claims

An information interaction method is characterized in that it is applied to a source server, and the method includes:

Receiving a session password acquisition request sent by the proxy server;

Determining whether the proxy server agent is allowed;

When determining that the proxy server agent is allowed, sending a session password to the proxy server, the session password being a session password agreed by the source server and the client in establishing a secure hypertext transfer protocol HTTPS connection, The session password is used to trigger the proxy server to provide an HTTPS service for the client.

The method according to claim 1, wherein said determining whether to permit said proxy server proxy comprises:

Obtaining reference information from the session password acquisition request, where the reference information includes at least one of information of a proxy server, information of a client included in the session password acquisition request, and a local state of the source server;

Determining whether to allow the proxy server proxy according to the reference information and the local policy of the source server, to obtain a first determination result,

The first determination result is that the proxy server agent is allowed, or it is required to determine whether to allow the proxy server proxy based on the HTTPS message content, or to prohibit the proxy server proxy.

The method according to claim 2, wherein the determining, according to the reference information and the local policy of the source server, whether to allow the proxy server proxy to obtain the first determination result comprises:

Acquiring the number of HTTPS connections established by the source server, and determining, when the quantity is greater than a first predetermined threshold, the first determination result to allow the proxy server proxy;

or,

Obtaining a load rate of the source server, and determining, when the load rate is greater than a second predetermined threshold, the first determination result to allow the proxy server proxy.

The method according to claim 2, wherein the determining, based on the reference information and the local policy of the source server, whether to allow the proxy server proxy to obtain a first determination result, include:

Obtaining a blacklist and/or a whitelist defined by the source server;

When the information included in the reference information is located in the white list, determining the first determination result to allow the proxy server agent; or

When the reference information includes information located in the blacklist, determining the first determination result as disabling the proxy server proxy; or

When the information included in the reference information is not located in the white list and is not located in the blacklist, determining the first determination result as determining whether to allow the proxy server proxy based on the HTTPS message content,

The information included in the reference information includes at least one of information of the proxy server and information of the client.

The method according to claim 2, wherein the sending the session password to the proxy server comprises:

Sending, to the proxy server, a session password agreed with the client when the first determination result is that the proxy server agent is allowed; or

When the first determination result is that it is required to determine whether to allow the proxy server proxy based on the HTTPS message content, waiting to receive the HTTPS packet sent by the client transparently transmitted by the proxy server, and receiving the proxy server After the HTTPS message sent by the client is transparently transmitted, determining whether to allow the proxy server according to the received HTTPS message, and sending the proxy server to the proxy server when determining that the proxy server proxy is allowed The session password agreed by the client.

The method according to claim 5, wherein after the determining, according to the received HTTPS message, whether the proxy server is allowed, the method further comprises:

And sending, to the proxy server, a second determination result indicating that the proxy server is prohibited from being activated, and the second determination result is used to trigger the proxy server to delete the cached HTTPS packet of the client.

An information interaction method is characterized in that it is applied to a proxy server, and the method includes:

Receiving an establishment request sent by the client for requesting establishment of a secure hypertext transfer protocol HTTPS connection;

Sending a session password acquisition request to the source server, where the session password acquisition request is used to trigger the source server to determine whether to permit the proxy server proxy;

Obtaining, from the source server, a session password agreed by the source server and the client in establishing the HTTPS connection process when the source server allows the proxy server proxy;

The client is provided with an HTTPS service using the session password.

The method according to claim 7, wherein the obtaining, by the source server, the session password agreed by the source server and the client during the establishment of the HTTPS connection comprises:

Receiving the session password sent by the source server, where the session password is sent after the source server determines that the proxy server proxy is allowed and the session password is agreed with the client;

or,

Transmitting the received HTTPS packet sent by the client to the source server, and receiving the session password sent by the source server, where the session password is after the source server receives the HTTPS packet. And determining, according to the content of the HTTPS message, that the proxy server is allowed to be sent.

The method according to claim 7, wherein after the sending a session password acquisition request to the source server, the method further comprises:

Receiving a first determination result sent by the source server, where the first determination result is a first determination result obtained by the source server after determining whether to allow the proxy server proxy after receiving the session password acquisition request;

When the first determination result is that the proxy server agent is allowed to determine whether to allow the proxy server proxy based on the HTTPS message content, the received HTTPS packet sent by the client is cached.

The method according to claim 8 or 9, wherein after the transparently transmitting the received HTTPS message sent by the client to the source server, the method further comprises:

Receiving a second determination result sent by the source server, where the second determination result is obtained after the source server receives the HTTPS message, and determines whether to allow the proxy server proxy according to the content of the HTTPS message. ;

Deleting the cached guest when the second determination result is that the proxy server agent is disabled HTTPS packet sent by the client.

The method according to claim 8, wherein the obtaining, by the source server, the session password agreed by the source server and the client during the establishment of the HTTPS connection comprises:

Determining, according to the local policy, whether the proxy negotiation process needs to be started, and when the proxy negotiation process needs to be started, obtaining, by the source server, the session password agreed by the source server and the client in establishing the HTTPS connection process;

The method further includes:

And when the first determination result is that the proxy server proxy is prohibited and the reason information of the proxy proxy is prohibited, the local policy is updated by using the cause information.

An information interaction device is characterized in that it is applied to a source server, and the device includes:

a receiving unit, configured to receive a session password acquisition request sent by the proxy server;

An execution unit, configured to determine whether the proxy server agent is allowed;

a sending unit, configured to send a session password to the proxy server when determining that the proxy server agent is allowed, the session password being agreed by the source server and the client in establishing a secure hypertext transfer protocol HTTPS connection a session password, the session password being used to trigger the proxy server to provide an HTTPS service for the client.

The device according to claim 12, characterized in that

The execution unit is further configured to obtain reference information from the session password acquisition request, where the reference information includes at least information of a proxy server, information of a client included in the session password acquisition request, and locality of the source server. At least one of the states;

The executing unit determines whether to allow the proxy server proxy according to the reference information and the local policy of the source server, to obtain a first determination result,

The apparatus according to claim 13, wherein the execution unit is further configured to:

Obtaining the number of HTTPS connections established by the source server, when the quantity is greater than the first predetermined At the threshold, determining the first determination result to allow the proxy server proxy;

or,

Obtaining a blacklist and/or a whitelist defined by the source server;

The device according to claim 13, wherein the sending unit is further configured to:

The device of claim 16 wherein:

The sending unit is further configured to: when determining that the proxy server agent is prohibited, send a second determination result indicating that the proxy server proxy is prohibited, and the second determination result is used to trigger the The proxy server deletes the cached HTTPS message of the client.

An information interaction device is characterized in that it is applied to a proxy server, and the device includes:

a receiving unit, configured to receive a setup request sent by the client for requesting establishment of a secure hypertext transfer protocol HTTPS connection;

a sending unit, configured to send a session password obtaining request to the source server, where the session password obtaining request is used to trigger the source server to determine whether to permit the proxy server proxy;

An execution unit, configured to acquire, from the source server, a session password agreed by the source server and the client in establishing the HTTPS connection process when the source server allows the proxy server proxy;

The execution unit is further configured to provide the client with an HTTPS service by using the session password.

The device of claim 18, wherein

The receiving unit is further configured to receive the session password sent by the source server, where the session password is sent after the source server determines that the proxy server is allowed to be authorized and the session password is agreed with the client. ;

or,

The receiving unit is further configured to transparently transmit the received HTTPS packet sent by the client to the source server, and receive the session password sent by the source server, where the session password is the source server. After receiving the HTTPS message, it is determined according to the content of the HTTPS message that the proxy server is allowed to send.

The device of claim 18, wherein

The receiving unit is further configured to receive a first determination result sent by the source server, where the first determination result is that the source server determines whether to allow the proxy server proxy after receiving the session password acquisition request. The first judgment result obtained at the time;

The execution unit is further configured to: when the first determination result is that the proxy server agent is allowed to be used, or if it is determined whether the proxy server proxy is allowed to be based on the content of the HTTPS packet, the cache is sent by the client. HTTPS message.

Device according to claim 18 or 19, characterized in that

The receiving unit is further configured to receive a second determination result sent by the source server, where the second The determination result is obtained when the source server receives the HTTPS message, and determines whether to allow the proxy server proxy according to the content of the HTTPS message;

The execution unit is further configured to: when the second determination result is that the proxy server proxy is disabled, delete the cached HTTPS packet sent by the client.

The device of claim 18, wherein

The execution unit is further configured to determine, according to the local policy, whether to start the proxy negotiation process, and when the proxy negotiation process needs to be started, obtain, by the source server, the source server and the client in the process of establishing the HTTPS connection The agreed session password;

The execution unit is further configured to update the local policy by using the reason information when the first determination result is that the proxy server proxy is prohibited and the cause information of the proxy proxy is prohibited.

An information interaction system, characterized in that the information interaction system comprises: a proxy server and a source server,

The source server includes the information interaction device according to any one of claims 12 to 17;

The proxy server includes the information interaction device according to any one of claims 18 to 22.