WO2018059578A1 - Https acceleration method and system based on content distribution network - Google Patents
- Publication number: WO2018059578A1 (PCT application PCT/CN2017/104806)
- Authority: WO (WIPO, PCT)
- Prior art keywords: server, session, https, unified, client
Classifications
All but the last are in H04L (transmission of digital information); the last is in Y02D (reduction of the energy use of ICT).
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00, network arrangements or protocols for supporting network services or applications, and H04L67/01, protocols)
- H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up (under H04L63/04 and H04L63/0428, confidential data exchange among entities communicating through packet networks, with the payload protected by encryption or encapsulation)
- H04L63/12: Applying verification of the received information (under H04L63/00, network architectures or protocols for network security)
- H04L67/10: Protocols in which an application is distributed across nodes in the network
- H04L9/3263: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user or for message authentication (authorization, entity authentication, data integrity or verification, non-repudiation, key authentication, verification of credentials), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC], or public key infrastructure [PKI] arrangements (under H04L9/00 and H04L9/32)
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00, reducing energy consumption in communication networks)
Definitions
- the embodiment of the invention relates to a website optimization method, and in particular to a content distribution network (CDN)-based HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) acceleration method and system.
- CDN content distribution network
- HTTPS Hyper Text Transfer Protocol over Secure Socket Layer
- HTTPS is HTTP carried over a channel built for security: an SSL layer inserted beneath HTTP encrypts the transport so that user data, transaction data and other important data cannot be stolen in transit.
- HTTPS plays a key role in protecting user privacy and preventing traffic hijacking, but it also slows user access and raises the computing resources the web server consumes.
- SSL Secure Sockets Layer
- In an SSL session the most computationally expensive part is the handshake. SSL has two main handshake types, one based on RSA key transport and one based on Diffie-Hellman (DH) key agreement.
- The RSA and DH public-key operations consume most of the CPU time and are the slowest part of the handshake. As an order of magnitude, a laptop performs hundreds of RSA private-key operations per second, against roughly ten million symmetric AES operations per second.
- The main job of this phase is to negotiate the session key, normally a symmetric key that is then used throughout the session. The encryption and signing of the SSL handshake itself use the asymmetric key pair bound to the certificate, and those asymmetric operations cost far more computing resources than the symmetric operations that follow.
- In a software-only SSL implementation the server's processor carries the initial key exchange of every session and all subsequent encryption and decryption. This intensive computation puts the server under great pressure and sharply reduces its capacity for other transactions, so software SSL suits only deployments with a small amount of SSL traffic.
- A CDN has the opposite profile: each node is small, with few servers, but there are many nodes spread geographically. Software-based SSL therefore cannot meet the acceleration needs of HTTPS in a CDN.
- An SSL acceleration board offloads SSL transactions from the server CPU. One or more coprocessors perform the SSL computation; they may be general-purpose CPUs, custom ASICs or RISC-instruction-set chips.
- With a board per server, every client access is assigned a whole server carrying an SSL acceleration board to complete the handshake and the encryption and decryption, which wastes resources and makes per-machine management expensive.
- Each such server must also hold its own copy of the digital certificate and private key; with that many copies spread across that many machines, leakage is a real risk.
- An SSL acceleration appliance is a standalone device with an embedded SSL acceleration board. It decrypts incoming encrypted traffic and passes the plaintext to the back-end server, and in the other direction encrypts the plaintext the back-end server sends and forwards it to the client. The appliance terminates the SSL session, so the back-end server is freed entirely for data services or applications, but its overall cost is high, so it is not an ideal alternative.
- The embodiment provides a CDN-based HTTPS acceleration method and system that adopts the SSL acceleration board approach, solving the performance pressure and poor transaction throughput of software-based SSL. The boards are deployed on servers at the CDN edge nodes so that certificates are managed centrally, and one SSL acceleration board can serve the encryption and decryption of many clients, removing the wasted resources and high management cost of binding each board to a specific client's requests.
- In the CDN-based HTTPS acceleration method, the content distribution network comprises a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes at the edge, and a source (origin) server at the back end. Each CDN edge node deploys session & cache servers at its front end and unified authentication servers at its back end.
- The HTTPS acceleration method includes:
- Step 1: The client initiates an HTTPS access request to the CDN edge node; the edge node's front-end load balancer assigns a session & cache server, which performs the SSL handshake with the client (the patent calls this the three-way handshake; the costly part is the TLS key exchange, not the TCP handshake).
- Step 2: During the handshake the assigned session & cache server manages the HTTPS session and, for the encryption and decryption work that needs the private key and user certificate, interacts with the unified authentication server and returns the result to the client.
- Step 3: After the handshake the session & cache server runs a cache service that provides the CDN service to the client. Data the client requests is served directly from the session & cache server if it is cacheable and fetched from the source server if it is not.
- Optionally, the unified authentication server holds the user certificate and private key and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate, and the unified authentication server is configured to perform the encryption and decryption.
- Optionally, when there are multiple clients, the session & cache server maps each client to a unified authentication server.
- Optionally, the number of unified authentication servers is scaled linearly with traffic, with at least one SSL acceleration board plugged into each.
- Optionally, several SSL acceleration boards are plugged into each unified authentication server and arranged as active/standby pairs.
- The embodiment further provides a CDN-based HTTPS acceleration system. The content distribution network comprises a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes at the edge, and a source server at the back end.
- The HTTPS acceleration system includes the following units:
- An HTTPS access request initiating unit, configured so that the client initiates an HTTPS access request to the CDN edge node;
- A handshake initiating unit, configured so that the CDN edge node assigns a session & cache server through its front-end load balancing and that server performs the SSL handshake (the patent's three-way handshake) with the client;
- A handshake processing unit, configured so that during the handshake the assigned session & cache server manages the HTTPS session, interacts with the unified authentication server for the encryption and decryption work that needs the private key and user certificate, and returns the result to the client;
- An HTTPS access response unit, configured so that after the handshake the session & cache server runs the cache service that provides the CDN service: data requested by the client is served directly from the session & cache server if it is cacheable and fetched from the source server if it is not.
- Optionally, the unified authentication server holds the user certificate and private key and integrates at least one SSL acceleration board; one or more unified authentication servers correspond to one user certificate, and the unified authentication server performs the encryption and decryption.
- Optionally, the handshake processing unit also maps each of multiple clients to a unified authentication server through the session & cache server.
- Optionally, the number of unified authentication servers scales linearly with traffic, with at least one SSL acceleration board plugged into each.
- Optionally, several SSL acceleration boards are plugged into each unified authentication server and arranged as active/standby pairs.
- The embodiments combine the technical advantages of the SSL acceleration board with those of the CDN edge node:
- The unified authentication server performs encryption and decryption through its plugged-in SSL acceleration boards, and can additionally run software schemes chosen to suit the customer, such as a CDN-held certificate scheme or Cloudflare's keyless-SSL scheme; the embodiments support these effectively. Because the unified authentication server talks to the front-end servers inside the same edge node, the server-to-server round-trip time (RTT) is small and efficiency improves.
- SSL acceleration boards scale linearly within the edge node's unified authentication server cluster, raising transaction capacity without disturbing centralized management and at low expansion cost.
- FIG. 1 is a schematic diagram of client access according to an embodiment of the present invention.
- An embodiment provides a CDN-based HTTPS acceleration method in which the content distribution network comprises a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes at the edge, and a source server at the back end.
- The CDN network management center and the DNS redirection resolution center in the central part are responsible for global load balancing; their equipment is installed in the management center's equipment room.
- The CDN edge node is the carrier for CDN distribution and is built mainly from caches and load balancers. Each edge node deploys session & cache servers at the front end and unified authentication servers (UAS) at the back end. There are several session & cache servers; each manages HTTPS sessions and interacts with the back-end unified authentication server, and once that interaction is complete it acts as a cache server providing the CDN service to the client. In an optional example the session & cache server implements these functions with suitably configured OpenSSL and Nginx.
- The unified authentication server holds the user certificates and private keys and integrates several SSL acceleration boards (for example Intel or NAVIMN cards); it is the main processing server for customer encryption and decryption.
- A single SSL acceleration board typically reaches about 20 Gbps of throughput, with RSA private-key operation rates of roughly 35K-200K per second for 1024-bit RSA and 6K-35K per second for 2048-bit RSA. The 1024-bit figure is only a throughput data point: 1024-bit RSA has been deprecated for years and publicly trusted certificates must use at least 2048-bit keys, so a deployment should be sized on the 2048-bit numbers.
- the unified authentication server can be run on Linux (RedHat/CentOS, Debian and Ubuntu, and others), other Unix operating systems (including FreeBSD) and Microsoft Windows servers.
- Unified authentication servers can be shared: several of them can use the same certificate, or one server can be dedicated to one user certificate.
- The unified authentication server is stateless, so customers can use off-the-shelf hardware and scale the number of servers with traffic; running several unified authentication servers behind DNS load balancing keeps the customer's site highly available.
- The source server holds both cacheable and non-cacheable data. Cacheable data is pulled from it to populate the cache of the session & cache server; non-cacheable data is fetched from it for the client on demand once the session with the edge node is established.
- the HTTPS acceleration method of the embodiment of the present invention includes the following steps:
- Step 1: The client initiates HTTPS access; the front-end load balancer assigns a session & cache server, and the SSL handshake (RSA or DH key exchange) begins.
- The client is an end user's network terminal, typically running a current browser (Chrome, Firefox, IE and so on). Client 1, client 2 and client 3 in the figure stand for users of different websites that are acceleration customers, for example Sina, Tencent and Netease.
- Step 2: During the handshake the session & cache server interacts with the unified authentication server for the encryption and decryption work that needs the private key and user certificate (the details depend on the implementation) and returns the result to the client. With multiple clients, the session & cache server maps each client to a unified authentication server, so all clients share the hardware acceleration of that server.
- Step 3: After the handshake the session & cache server runs the cache service that provides the CDN service, and the client uses the CDN normally; cacheable data is served at the edge node and non-cacheable data is fetched from the source server.
- Step 4: The number of unified authentication servers is deployed in proportion to traffic. They scale linearly, with at least one SSL acceleration board in each server to handle larger-scale SSL transaction loads; boards can also be paired active/standby for fault handling.
- The embodiment further provides a CDN-based HTTPS acceleration system in which the content distribution network comprises a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes at the edge, and a source server at the back end.
- The HTTPS acceleration system includes the following units:
- An HTTPS access request initiating unit, configured so that the client initiates an HTTPS access request to the CDN edge node;
- A handshake initiating unit, configured so that the CDN edge node assigns a session & cache server through its front-end load balancing and that server performs the SSL handshake with the client;
- A handshake processing unit, configured so that during the handshake the assigned session & cache server manages the HTTPS session, interacts with the unified authentication server for the encryption and decryption work that needs the private key and user certificate, and returns the result to the client; with multiple clients, each client is mapped to a unified authentication server through the session & cache server, so all clients share that server's hardware acceleration.
- An HTTPS access response unit, configured so that after the handshake the session & cache server runs the cache service that provides the CDN service: cacheable data is served directly from the session & cache server and non-cacheable data is fetched from the source server.
- The unified authentication server holds the user certificate and private key and integrates several SSL acceleration boards; one or more unified authentication servers correspond to one user certificate, and the unified authentication server handles the encryption and decryption.
- The number of unified authentication servers scales linearly with traffic. Several SSL acceleration boards are plugged into each server to handle larger-scale SSL transaction loads, or paired active/standby for fault handling.
- The embodiments combine the technical advantages of the SSL acceleration board with those of the CDN edge node:
- Besides the plugged-in boards, the unified authentication server can run software schemes chosen to suit the customer, such as a CDN-held certificate scheme or Cloudflare's keyless-SSL scheme, and the embodiments support these effectively. The interaction with the front-end servers happens inside the edge node, which reduces the server-to-server round-trip time (RTT) and improves efficiency.
- SSL acceleration boards scale linearly within the edge node's unified authentication server cluster, raising transaction capacity without disturbing centralized management and at low expansion cost.
- Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data.
- Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassette, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can store the desired information and be accessed by a computer.
- Communication media typically carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media.
- The embodiments move the encryption and decryption work off the ordinary edge servers onto SSL acceleration boards housed in the unified authentication servers, which greatly reduces the CPU consumption of the ordinary edge servers and improves efficiency.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Embodiments of the present invention disclose an HTTPS acceleration method and system based on a content distribution network. The method comprises: step 1), a client initiating an HTTPS access request to a CDN network edge node, and the CDN network edge node allocating, through front-end load balancing, a session and cache server to perform the three-way handshake with the client; step 2), during the handshake, the allocated session and cache server performing HTTPS session management and, for the encryption and decryption work that needs the private key and user certificate, interacting with a unified authentication server and returning the result of the interaction to the client; and step 3), after the handshake, the session and cache server starting a cache service to provide the client with a CDN service, wherein data requested by the client is served directly from the session and cache server if it is cacheable and fetched from a source server if it is not.
Description
This application claims priority to Chinese Patent Application No. 201610873442.6, entitled "A HTTPS Acceleration Method and System Based on Content Distribution Network", filed with the Chinese Patent Office on September 30, 2016, the entire contents of which are incorporated herein by reference.
The embodiments of the invention relate to a website optimization method, and in particular to a content delivery network (Content Delivery Network, CDN)-based HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) acceleration method and system.
HTTPS is HTTP carried over a channel built for security: by inserting an SSL layer beneath HTTP, the transport is encrypted so that user data, transaction data and other important data cannot be stolen in transit. HTTPS plays a key role in protecting user privacy and preventing traffic hijacking. At the same time, HTTPS slows user access and increases the computing resources the web server consumes.
In an SSL session the most computationally expensive part is the Secure Sockets Layer (SSL) handshake. SSL has two main handshake types, one based on RSA and one based on Diffie-Hellman (DH). The RSA and DH public-key operations consume much of the CPU and are the slowest part of the handshake: as an order of magnitude, a laptop performs hundreds of RSA private-key operations per second, against roughly ten million symmetric AES operations per second. The main job of this phase is to negotiate the session key, normally a symmetric key that is then used throughout the session; the encryption and signing of the SSL handshake itself use the asymmetric key pair bound to the certificate, and those asymmetric operations consume far more computing resources than the symmetric ones.
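The cost comparison in the paragraph above is the whole reason for the architecture this patent proposes, so it is worth measuring rather than quoting. The following Go program is an added example, not part of the patent: it times the server-side private-key operation of an RSA-2048 handshake, the server signature of a modern ECDHE/ECDSA (P-256) handshake, and the sealing of one full-size 16 KiB TLS record with AES-128-GCM, all in software on one core of whatever machine runs it. Keys are generated on the spot, the digest is a constructed stand-in for the handshake transcript hash, and the AES key and nonce are all zeros for timing only. The numbers it prints are local measurements, not the patent's figures.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Rates is operations per second measured on this machine, one core, software
// only. These are local measurements, not figures from the patent.
type Rates struct {
	RSA2048Sign float64 // the server's private-key operation in an RSA handshake
	P256Sign    float64 // the server's signature in an ECDHE/ECDSA handshake
	AESGCM16K   float64 // 16 KiB TLS records sealed with AES-128-GCM
}

// opsPerSec times n calls of f and reports the rate.
func opsPerSec(n int, f func()) float64 {
	start := time.Now()
	for i := 0; i < n; i++ {
		f()
	}
	return float64(n) / time.Since(start).Seconds()
}

// Measure generates throwaway keys and times the three operations. The digest
// is a constructed stand-in for the transcript hash a TLS server signs.
func Measure() (Rates, error) {
	var r Rates
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	digest := sha256.Sum256([]byte("constructed transcript hash input"))

	r.RSA2048Sign = opsPerSec(40, func() {
		if _, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:]); err != nil {
			panic(err)
		}
	})
	r.P256Sign = opsPerSec(400, func() {
		if _, err := ecdsa.SignASN1(rand.Reader, ecKey, digest[:]); err != nil {
			panic(err)
		}
	})

	// Symmetric side. An all-zero key and a reused nonce are acceptable only
	// because nothing here is transmitted; never do this with real traffic.
	block, err := aes.NewCipher(make([]byte, 16))
	if err != nil {
		return r, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return r, err
	}
	nonce := make([]byte, gcm.NonceSize())
	record := make([]byte, 16*1024)
	out := make([]byte, 0, len(record)+gcm.Overhead())
	r.AESGCM16K = opsPerSec(2000, func() {
		gcm.Seal(out[:0], nonce, record, nil)
	})
	return r, nil
}

func main() {
	r, err := Measure()
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA-2048 sign: %.0f/s  P-256 sign: %.0f/s  AES-GCM 16 KiB: %.0f/s\n",
		r.RSA2048Sign, r.P256Sign, r.AESGCM16K)
	fmt.Printf("one RSA-2048 handshake costs as much CPU as %.0f P-256 handshakes or %.0f full-size records\n",
		r.P256Sign/r.RSA2048Sign, r.AESGCM16K/r.RSA2048Sign)
}
```

Two things to take from the output. The gap between the RSA-2048 rate and the AES rate reproduces the argument of the paragraph: the handshake, not bulk encryption, is what needs offloading. The P-256 column shows that the argument is much weaker for ECDHE/ECDSA certificates, which sign an order of magnitude or more faster than RSA-2048 in software. Whether an acceleration board (the page quotes 6K-35K RSA-2048 operations per second per card) pays off therefore depends on the certificate type and the per-node handshake rate, which this program lets you measure on your own hardware.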
In a software-based SSL implementation the server's processor carries the initial key exchange of every session and all subsequent encryption and decryption. This intensive computation puts the server under great pressure and sharply reduces its capacity for other transactions, so software-based SSL suits only deployments that handle a small amount of SSL traffic. A CDN has the opposite profile: each node is small, with few servers, but there are many nodes spread geographically. For HTTPS acceleration in a CDN, software-based SSL clearly cannot meet the need.
Given this situation, CDN vendors have proposed hardware-based SSL acceleration solutions, such as SSL acceleration boards or SSL acceleration appliances.
An SSL acceleration board effectively offloads SSL transactions from the server CPU. One or more coprocessors perform the SSL computation; they may be general-purpose CPUs, custom ASICs or RISC-instruction-set chips. However, every client access must be assigned a whole server carrying an SSL acceleration board to complete the handshake and the encryption and decryption, which wastes resources and makes per-machine management expensive. In addition, each such server must hold its own copy of the digital certificate and private key; with that many copies spread across that many machines, leakage is a real security risk.
Secondly, an SSL acceleration appliance is a standalone device with an embedded SSL acceleration board. It decrypts incoming encrypted traffic and passes the plaintext to the back-end server, and in the other direction encrypts the plaintext the back-end server sends and forwards it to the client. The appliance terminates the SSL session, so the back-end server is freed entirely for data services or applications, but the overall cost of such appliances is high, so they are not an ideal alternative.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This summary is not intended to limit the scope of the claims.
The embodiments of the invention propose a CDN-based HTTPS acceleration method and system that adopt the SSL acceleration board approach, solving the performance pressure and poor transaction throughput of software-based SSL. The boards are deployed on servers at the CDN edge nodes so that certificates are managed centrally, and one SSL acceleration board can serve the encryption and decryption of many clients, removing the wasted resources and high management cost of binding each board to a specific client's requests.
本发明实施例提供的基于内容分发网络的HTTPS加速方法,包括:该内容分发网络包括位于中心部分的内容分发网络CDN网管中心和域名系统DNS重定向解析中心、位于边缘部分的多个CDN网络边缘节点以及位于后端的源服务器;各CDN网络边缘节点分别部署了位于前端的会话&缓存服务器和位于后端的统一验证服务器;The content distribution network-based HTTPS acceleration method provided by the embodiment of the present invention includes: the content distribution network includes a content distribution network CDN network management center located in a central part, and a domain name system DNS redirection analysis center, and multiple CDN network edges located at an edge portion a node and a source server located at the back end; each CDN network edge node respectively deploys a session & cache server at the front end and a unified authentication server at the back end;
该HTTPS加速方法包括:The HTTPS acceleration method includes:
Step 1: the client initiates an HTTPS access request to a CDN edge node; the CDN edge node, through its front-end load balancing, assigns a session & cache server to carry out the three-way handshake with the client;
Step 2: during the handshake, the assigned session & cache server is responsible for HTTPS session management; at the same time it interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate, and returns the result of that interaction to the client;
Step 3: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service to the client; of the data requested by the client, cacheable data is fetched directly from the session & cache server, and non-cacheable data is fetched from the origin server.
The method may further include: the unified authentication server holds the customer certificate and private key and integrates at least one SSL acceleration card; one or more unified authentication servers correspond to one customer certificate; and the unified authentication server is configured to handle encryption and decryption.
The method may further include: if there are multiple clients, the session & cache server maps each client onto one unified authentication server.
The method may further include: deploying the number of unified authentication servers in proportion to traffic and scaling the unified authentication servers linearly, with at least one SSL acceleration card plugged into each unified authentication server.
The method may further include: plugging multiple SSL acceleration cards into each unified authentication server, with the different SSL acceleration cards forming an active/standby relationship.
The embodiments of the invention also provide an HTTPS acceleration system based on a content distribution network. The content distribution network includes a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes in the edge part, and an origin server at the back end; each CDN edge node deploys a session & cache server at the front end and a unified authentication server at the back end.
The HTTPS acceleration system includes the following units:
an HTTPS access request initiating unit, configured to perform: the client initiates an HTTPS access request to the CDN edge node;
a three-way handshake initiating unit, configured to perform: the CDN edge node, through its front-end load balancing, assigns a corresponding session & cache server to carry out the three-way handshake with the client; a three-way handshake processing unit, configured to perform: during the handshake, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate, returning the result of that interaction to the client;
an HTTPS access response unit, configured to perform: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service to the client; of the data requested by the client, cacheable data is fetched directly from the session & cache server, and non-cacheable data is fetched from the origin server.
The system may further include: the unified authentication server holds the customer certificate and private key and integrates at least one SSL acceleration card; one or more unified authentication servers correspond to one customer certificate; and the unified authentication server is configured to handle encryption and decryption.
The system may further include: the three-way handshake processing unit is further configured to perform: if there are multiple clients, map each client onto one unified authentication server through the session & cache server.
The system may further include: the number of unified authentication servers is deployed in proportion to traffic and the unified authentication servers are scaled linearly, with at least one SSL acceleration card plugged into each unified authentication server.
The system may further include: multiple SSL acceleration cards are plugged into each unified authentication server, and the different SSL acceleration cards form an active/standby relationship.
The embodiments of the invention effectively combine the respective technical advantages of SSL acceleration cards and CDN edge nodes, and have the following advantages:
(1) Using SSL acceleration cards instead of ordinary edge servers for the encryption and decryption work relieves the load on the edge servers; deploying the SSL acceleration cards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and improves efficiency.
(2) One SSL acceleration card serves the encryption and decryption work of several customers, going from the original one-to-one service to one-to-N, which greatly saves costs for the CDN vendor.
(3) Where originally one SSL acceleration card managed one certificate, now N customers use one SSL acceleration card and certificates are managed centrally, so the number of certificates to manage is greatly reduced and the per-machine management cost is greatly lowered.
(4) Besides doing encryption and decryption work through the plugged-in SSL acceleration cards, the unified authentication server can also run software deployed according to customers' differing needs, such as a scheme in which the CDN server applies for the certificate, or Cloudflare's Keyless SSL scheme; the embodiments of the invention can support all of these effectively. Because the interaction with the front-end server takes place within the same edge node, the inter-server round-trip time (RTT) is reduced and efficiency improves.
(5) SSL acceleration cards can be scaled linearly within the edge unified authentication server cluster to increase transaction processing capacity, without affecting centralized management and while saving expansion costs.
The accompanying drawings are intended to provide a further understanding of the embodiments of the invention and form part of this application; the illustrative embodiments of the invention and their descriptions serve to explain the embodiments of the invention and do not improperly limit them. In the drawings:
FIG. 1 is a schematic diagram of client access according to an embodiment of the invention.
The embodiments of the invention are further described below with reference to the drawings and specific implementations.
An embodiment of the invention provides an HTTPS acceleration method based on a content distribution network. The content distribution network includes a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes in the edge part, and an origin server at the back end.
The CDN network management center and the DNS redirection resolution center in the central part are responsible for global load balancing; this equipment is installed in the management center machine room.
A CDN edge node is the carrier of CDN distribution and consists mainly of caches and load balancers. Each CDN edge node deploys session & cache servers at the front end and unified authentication servers (UAS) at the back end. There are several session & cache servers; they are responsible for HTTPS session management and interact with the back-end unified authentication server, and once that interaction is complete they switch to the role of cache server and provide the CDN service to the customer's clients. In an optional example, the session & cache server performs these functions using suitably configured OpenSSL and Nginx software. There are several unified authentication servers; they hold the customer certificates and private keys, integrate a number of SSL acceleration cards (for example Intel or NAVIMN cards), and are the main processing servers for customer encryption and decryption. A single SSL acceleration card can usually reach a throughput of 20 Gbps, with processing rates of 35K-200K qps for 1024-bit RSA and 6K-35K qps for 2048-bit RSA. The unified authentication server can run on Linux (RedHat/CentOS, Debian, Ubuntu and others), on other Unix operating systems (including FreeBSD), and on Microsoft Windows Server. The customer certificates on the unified authentication servers can be shared, that is, multiple unified authentication servers can use the same certificate, or each unified authentication server can correspond to one customer certificate. The unified authentication server is stateless, allows the customer to use off-the-shelf hardware, and is deployed in proportion to traffic; by running multiple unified authentication servers and load balancing through DNS, the customer's site can be kept highly available.
The origin server holds cacheable and non-cacheable data; cacheable data is used to update the cache on the session & cache server, while non-cacheable data is fetched from the origin after the client has established a session with the edge node.
Based on the content distribution network and with reference to the schematic diagram of FIG. 1, the HTTPS acceleration method of the embodiment of the invention includes the following steps:
Step 1: the client initiates HTTPS access; through the front-end load balancing a corresponding session & cache server is assigned and the three-way handshake (RSA/DH) process is initiated. The client is a network end user, who may be browsing web pages with a currently popular browser (Chrome, Firefox, IE, etc.); client 1, client 2 and client 3 in the figure represent client accesses for different website customers of the acceleration service, for example Sina, Tencent and NetEase;
Step 2: during the handshake, the session & cache server interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate (the details depend on how the scheme is implemented) and returns the result of that interaction to the client; for multiple clients, the session & cache server maps each client onto one unified authentication server, so that every client shares the hardware acceleration capacity of the unified authentication server;
Step 3: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service, which the client uses as normal; of the data requested by the client, cacheable data is fetched directly from the edge node's server, and non-cacheable data is fetched from the origin server.
Step 4: the number of unified authentication servers can be deployed in proportion to traffic; when expansion is needed, the unified authentication servers are scaled linearly, with at least one SSL acceleration card plugged into each server to meet larger-scale SSL transaction processing demand, or the cards are arranged as active/standby pairs to handle failures.
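As an added example (not part of the patent or of any product it describes), the following Go model shows step 2 with steps 1 and 4 around it: the session & cache server keeps the client connection and session state, hashes each client onto one unified authentication server (UAS) in a linearly scaled pool, delegates the private-key signature of a DHE-style ServerKeyExchange to it, falls over to the standby UAS when the chosen one is down, and the client verifies the result against the customer's public key. Hostnames, server names and the handshake randoms are constructed sample values; plain RSA in software stands in for the SSL acceleration card, and the edge-to-UAS transport is a direct call.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash/fnv"
)

// UAS models a unified authentication server: it holds the customers' private
// keys (the SSL acceleration card would do the RSA arithmetic in production)
// and exposes a single operation, signing, so a private key never leaves it.
type UAS struct {
	Name    string
	Healthy bool
	Keys    map[string]*rsa.PrivateKey // customer hostname (SNI) -> private key
}

// Sign signs a handshake transcript with the named customer's key.
func (u *UAS) Sign(host string, transcript []byte) ([]byte, error) {
	if !u.Healthy {
		return nil, errors.New("uas " + u.Name + " unavailable")
	}
	k, ok := u.Keys[host]
	if !ok {
		return nil, fmt.Errorf("no key for %q on %s", host, u.Name)
	}
	d := sha256.Sum256(transcript)
	return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, d[:])
}

// Edge models the session & cache server: it owns the client connection and
// the session state and delegates all private-key work to the UAS pool.
type Edge struct {
	Pool []*UAS // linearly scaled pool of unified authentication servers
}

// pickUAS maps a client onto one UAS by hashing its identifier and walks to
// the next healthy server when that one is down (the active/standby case).
func (e *Edge) pickUAS(clientID string) (*UAS, error) {
	h := fnv.New32a()
	h.Write([]byte(clientID))
	n := len(e.Pool)
	start := int(h.Sum32() % uint32(n))
	for i := 0; i < n; i++ {
		if u := e.Pool[(start+i)%n]; u.Healthy {
			return u, nil
		}
	}
	return nil, errors.New("no healthy unified authentication server")
}

// ServerKeyExchange is what the edge returns to the client: the ephemeral DH
// parameters and the signature over clientRandom||serverRandom||params.
type ServerKeyExchange struct {
	Params   []byte
	Sig      []byte
	SignedBy string // name of the UAS that signed; for the edge's own logs
}

func transcript(clientRandom, serverRandom, params []byte) []byte {
	t := append([]byte{}, clientRandom...)
	t = append(t, serverRandom...)
	return append(t, params...)
}

// Handshake runs the delegated part of the handshake for one client connection.
func (e *Edge) Handshake(clientID, host string, clientRandom, serverRandom, params []byte) (*ServerKeyExchange, error) {
	u, err := e.pickUAS(clientID)
	if err != nil {
		return nil, err
	}
	sig, err := u.Sign(host, transcript(clientRandom, serverRandom, params))
	if err != nil {
		return nil, err
	}
	return &ServerKeyExchange{Params: params, Sig: sig, SignedBy: u.Name}, nil
}

// ClientVerify is the browser side: it checks the signature against the public
// key from the customer's certificate, so a wrong key or altered random fails.
func ClientVerify(pub *rsa.PublicKey, clientRandom, serverRandom []byte, ske *ServerKeyExchange) bool {
	d := sha256.Sum256(transcript(clientRandom, serverRandom, ske.Params))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], ske.Sig) == nil
}

// NewDemo builds the shared-certificate deployment: two UAS holding the same
// constructed customer keys behind one edge session server.
func NewDemo() (*Edge, map[string]*rsa.PrivateKey) {
	keys := map[string]*rsa.PrivateKey{}
	for _, h := range []string{"www.customer-a.test", "www.customer-b.test"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		keys[h] = k
	}
	pool := []*UAS{{Name: "uas-1", Healthy: true, Keys: keys}, {Name: "uas-2", Healthy: true, Keys: keys}}
	return &Edge{Pool: pool}, keys
}
```

Marking the UAS that signed as unhealthy and repeating the handshake shows the standby taking over with a signature that still verifies; with no healthy UAS the edge reports an error instead of completing the handshake.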
The embodiments of the invention also provide an HTTPS acceleration system based on a content distribution network. The content distribution network includes a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes in the edge part, and an origin server at the back end; each CDN edge node deploys a session & cache server at the front end and a unified authentication server at the back end. The HTTPS acceleration system includes the following units:
an HTTPS access request initiating unit, configured to perform: the client initiates an HTTPS access request to the CDN edge node;
a three-way handshake initiating unit, configured to perform: the CDN edge node, through its front-end load balancing, assigns a corresponding session & cache server to carry out the three-way handshake with the client;
a three-way handshake processing unit, configured to perform: during the handshake, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate, returning the result of that interaction to the client; if there are multiple clients, the session & cache server maps each client onto one unified authentication server, so that every client shares the hardware acceleration capacity of the unified authentication server;
an HTTPS access response unit, configured to perform: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service to the client; of the data requested by the client, cacheable data is fetched directly from the session & cache server, and non-cacheable data is fetched from the origin server.
The unified authentication server holds the customer certificate and private key and integrates a number of SSL acceleration cards; one or more unified authentication servers correspond to one customer certificate, and the unified authentication server is configured to handle encryption and decryption. The number of unified authentication servers can be deployed in proportion to traffic; when expansion is needed, the unified authentication servers are scaled linearly, with several SSL acceleration cards plugged into each server to meet larger-scale SSL transaction processing demand, or the cards are arranged as active/standby pairs to handle failures.
The embodiments of the invention effectively combine the respective technical advantages of SSL acceleration cards and CDN edge nodes, and have the following advantages:
(1) Using SSL acceleration cards instead of ordinary edge servers for the encryption and decryption work relieves the load on the edge servers; deploying the SSL acceleration cards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and improves efficiency.
(2) One SSL acceleration card serves the encryption and decryption work of several customers, going from the original one-to-one service to one-to-N, which greatly saves costs for the CDN vendor.
(3) Where originally one SSL acceleration card managed one certificate, now N customers use one SSL acceleration card and certificates are managed centrally, so the number of certificates to manage is greatly reduced and the per-machine management cost is greatly lowered.
(4) Besides doing encryption and decryption work through the plugged-in SSL acceleration cards, the unified authentication server can also run software deployed according to customers' differing needs, such as a scheme in which the CDN server applies for the certificate, or Cloudflare's Keyless SSL scheme; the embodiments of the invention can support all of these effectively. Because the interaction with the front-end server takes place within the same edge node, the inter-server round-trip time (RTT) is reduced and efficiency improves.
(5) SSL acceleration cards can be scaled linearly within the edge unified authentication server cluster to increase transaction processing capacity, without affecting centralized management and while saving expansion costs.
A person of ordinary skill in the art should understand that the technical solutions of the invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solutions of the invention, and that all such modifications fall within the scope of the claims.
A person of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatus, may be implemented as software, firmware, hardware, or a suitable combination of these. In a hardware implementation, the division between the functional modules/units mentioned in the description above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be carried out by several physical components working together. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to a person of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to a person of ordinary skill in the art, communication media typically carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The embodiments of the invention use SSL acceleration cards instead of ordinary edge servers for the encryption and decryption work, which relieves the load on the edge servers; deploying the SSL acceleration cards on the unified authentication servers greatly reduces the CPU consumption of ordinary edge servers and improves efficiency. One SSL acceleration card serves the encryption and decryption work of several customers, going from the original one-to-one service to one-to-N, which greatly saves costs for the CDN vendor. Where originally one SSL acceleration card managed one certificate, now N customers use one SSL acceleration card and certificates are managed centrally, so the number of certificates to manage is greatly reduced and the per-machine management cost is greatly lowered.
Claims (10)
- An HTTPS acceleration method based on a content distribution network, comprising: the content distribution network comprises a content distribution network (CDN) network management center and a domain name system (DNS) redirection resolution center in the central part, multiple CDN edge nodes in the edge part, and an origin server at the back end; each CDN edge node deploys a session & cache server at the front end and a unified authentication server at the back end; the HTTPS acceleration method comprises: Step 1: the client initiates an HTTPS access request to a CDN edge node; the CDN edge node, through its front-end load balancing, assigns a session & cache server to carry out the three-way handshake with the client; Step 2: during the handshake, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate, returning the result of that interaction to the client; Step 3: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service to the client; of the data requested by the client, cacheable data is fetched directly from the session & cache server, and non-cacheable data is fetched from the origin server.
- The HTTPS acceleration method according to claim 1, wherein: the unified authentication server holds the customer certificate and private key and integrates at least one SSL acceleration card; one or more unified authentication servers correspond to one customer certificate; and the unified authentication server is configured to handle encryption and decryption.
- The HTTPS acceleration method according to claim 2, wherein step 2 further comprises the following process: if there are multiple clients, the session & cache server maps each client onto one unified authentication server.
- The HTTPS acceleration method according to claim 1, 2 or 3, wherein the HTTPS acceleration method further comprises the following step: deploying the number of unified authentication servers in proportion to traffic and scaling the unified authentication servers linearly, with at least one SSL acceleration card plugged into each unified authentication server.
- The HTTPS acceleration method according to claim 1, 2 or 3, wherein the HTTPS acceleration method further comprises the following step: plugging multiple SSL acceleration cards into each unified authentication server, with the different SSL acceleration cards forming an active/standby relationship.
- An HTTPS acceleration system based on a content distribution network, the content distribution network comprising a CDN network management center and a DNS redirection resolution center in the central part, multiple CDN edge nodes in the edge part, and an origin server at the back end; each CDN edge node deploys a session & cache server at the front end and a unified authentication server at the back end; the HTTPS acceleration system comprises the following units: an HTTPS access request initiating unit, configured to perform: the client initiates an HTTPS access request to the CDN edge node; a three-way handshake initiating unit, configured to perform: the CDN edge node, through its front-end load balancing, assigns a corresponding session & cache server to carry out the three-way handshake with the client; a three-way handshake processing unit, configured to perform: during the handshake, the assigned session & cache server is responsible for HTTPS session management, and at the same time interacts with the unified authentication server for the encryption and decryption work involving the private key and the customer certificate, returning the result of that interaction to the client; an HTTPS access response unit, configured to perform: after the handshake is complete, the session & cache server runs the cache service and provides the CDN service to the client; of the data requested by the client, cacheable data is fetched directly from the session & cache server, and non-cacheable data is fetched from the origin server.
- The HTTPS acceleration system according to claim 6, wherein: the unified authentication server holds the customer certificate and private key and integrates at least one SSL acceleration card; one or more unified authentication servers correspond to one customer certificate; and the unified authentication server is configured to handle encryption and decryption.
- The HTTPS acceleration system according to claim 6, wherein the three-way handshake processing unit is further configured to perform: if there are multiple clients, map each client onto one unified authentication server through the session & cache server.
- The HTTPS acceleration system according to claim 6, 7 or 8, wherein: the number of unified authentication servers is deployed in proportion to traffic and the unified authentication servers are scaled linearly, with at least one SSL acceleration card plugged into each unified authentication server.
- The HTTPS acceleration system according to claim 6, 7 or 8, wherein: multiple SSL acceleration cards are plugged into each unified authentication server, and the different SSL acceleration cards form an active/standby relationship.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610873442.6 | 2016-09-30 | ||
CN201610873442.6A CN106341417B (en) | 2016-09-30 | 2016-09-30 | A kind of HTTPS acceleration method and system based on content distributing network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018059578A1 true WO2018059578A1 (en) | 2018-04-05 |
Family
ID=57839835
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/104806 WO2018059578A1 (en) | 2016-09-30 | 2017-09-30 | Https acceleration method and system based on content distribution network |
Country Status (2)
Country | Link |
---|---|
CN (2) | CN110808989B (en) |
WO (1) | WO2018059578A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115460083A (en) * | 2021-06-09 | 2022-12-09 | 贵州白山云科技股份有限公司 | Security acceleration service deployment method, device, medium and equipment |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110808989B (en) * | 2016-09-30 | 2022-01-21 | 贵州白山云科技股份有限公司 | HTTPS acceleration method and system based on content distribution network |
CN106789344B (en) * | 2017-01-19 | 2019-11-12 | 上海帝联信息科技股份有限公司 | Data transmission method, system, CDN network and client |
CN107707514B (en) * | 2017-02-08 | 2018-08-21 | 贵州白山云科技有限公司 | One kind is for encrypted method and system and device between CDN node |
CN107707517B (en) * | 2017-05-09 | 2018-11-13 | 贵州白山云科技有限公司 | A kind of HTTPs handshake methods, device and system |
CN107257327B (en) * | 2017-05-25 | 2020-12-29 | 中央民族大学 | High-concurrency SSL session management method |
CN108574687B (en) * | 2017-07-03 | 2020-11-27 | 北京金山云网络技术有限公司 | Communication connection establishment method and device, electronic equipment and computer readable medium |
US11153289B2 (en) * | 2017-07-28 | 2021-10-19 | Alibaba Group Holding Limited | Secure communication acceleration using a System-on-Chip (SoC) architecture |
CN109428876B (en) * | 2017-09-01 | 2021-10-08 | 腾讯科技(深圳)有限公司 | Handshake connection method and device |
CN109561027A (en) * | 2017-09-26 | 2019-04-02 | 中兴通讯股份有限公司 | Flow optimization method, load balancer and the storage medium of transparent caching |
CN109842664A (en) * | 2017-11-29 | 2019-06-04 | 苏宁云商集团股份有限公司 | A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS |
CN108401011B (en) * | 2018-01-30 | 2021-09-24 | 网宿科技股份有限公司 | Acceleration method and device for handshake request in content distribution network and edge node |
CN108429682A (en) * | 2018-02-26 | 2018-08-21 | 湖南科技学院 | A kind of optimization method and system of network transmission link |
CN110324365B (en) * | 2018-03-28 | 2023-01-24 | 网易(杭州)网络有限公司 | Keyless front-end cluster system, application method, storage medium and electronic device |
CN111010404B (en) * | 2018-03-30 | 2022-07-29 | 贵州白山云科技股份有限公司 | Data transmission method, data transmission equipment and computer readable storage medium |
CN108804515B (en) * | 2018-04-25 | 2021-05-28 | 网宿科技股份有限公司 | Webpage loading method, webpage loading system and server |
CN114338629A (en) * | 2020-09-25 | 2022-04-12 | 北京金山云网络技术有限公司 | Data processing method, device, equipment and medium |
CN112187804B (en) * | 2020-09-29 | 2023-01-20 | 北京金山云网络技术有限公司 | Communication method and device of server, computer equipment and storage medium |
US11579781B2 (en) | 2020-10-23 | 2023-02-14 | Red Hat, Inc. | Pooling distributed storage nodes that have specialized hardware |
CN113301159B (en) * | 2021-05-26 | 2022-12-09 | 中国电子科技集团公司第五十四研究所 | Service position obtaining method and device in edge computing system |
CN117857095A (en) * | 2023-12-05 | 2024-04-09 | 天翼云科技有限公司 | Non-private key TLS handshake solving method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7634650B1 (en) * | 2004-07-22 | 2009-12-15 | Xsigo Systems | Virtualized shared security engine and creation of a protected zone |
CN104732164A (en) * | 2013-12-18 | 2015-06-24 | 国家计算机网络与信息安全管理中心 | Device and method both for accelerating SSL (Security Socket Layer) data processing speed |
CN106027646A (en) * | 2016-05-19 | 2016-10-12 | 杜在东 | HTTPS acceleration method and device |
CN106230782A (en) * | 2016-07-20 | 2016-12-14 | 腾讯科技(深圳)有限公司 | A kind of information processing method based on content distributing network and device |
CN106341417A (en) * | 2016-09-30 | 2017-01-18 | 贵州白山云科技有限公司 | Content delivery network-based HTTPS acceleration method and system |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9647835B2 (en) * | 2011-12-16 | 2017-05-09 | Akamai Technologies, Inc. | Terminating SSL connections without locally-accessible private keys |
US9531691B2 (en) * | 2011-12-16 | 2016-12-27 | Akamai Technologies, Inc. | Providing forward secrecy in a terminating TLS connection proxy |
KR101491697B1 (en) * | 2013-12-10 | 2015-02-11 | 주식회사 시큐아이 | Security device including ssl acceleration card and operating method thereof |
CN104702611B (en) * | 2015-03-15 | 2018-05-25 | 西安电子科技大学 | A kind of device and method for protecting Secure Socket Layer session key |
CN105871797A (en) * | 2015-11-19 | 2016-08-17 | 乐视云计算有限公司 | Handshake method, device and system of client and server |
CN106101007B (en) * | 2016-05-24 | 2019-05-07 | 杭州迪普科技股份有限公司 | Handle the method and device of message |
- 2016
  - 2016-09-30 CN CN201911090331.8A patent/CN110808989B/en active Active
  - 2016-09-30 CN CN201610873442.6A patent/CN106341417B/en active Active
- 2017
  - 2017-09-30 WO PCT/CN2017/104806 patent/WO2018059578A1/en active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115460083A (en) * | 2021-06-09 | 2022-12-09 | 贵州白山云科技股份有限公司 | Security acceleration service deployment method, device, medium and equipment |
CN115460083B (en) * | 2021-06-09 | 2024-04-19 | 贵州白山云科技股份有限公司 | Security acceleration service deployment method, device, medium and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106341417A (en) | 2017-01-18 |
CN110808989B (en) | 2022-01-21 |
CN106341417B (en) | 2019-11-05 |
CN110808989A (en) | 2020-02-18 |
Similar Documents
Publication | Title |
---|---|
WO2018059578A1 (en) | Https acceleration method and system based on content distribution network |
US9571279B2 (en) | Systems and methods for secured backup of hardware security modules for cloud-based web services |
US9712503B1 (en) | Computing instance migration |
US20150358312A1 (en) | Systems and methods for high availability of hardware security modules for cloud-based web services |
CN106341375B (en) | Method and system for realizing encrypted access of resources |
US11303431B2 (en) | Method and system for performing SSL handshake |
US10318747B1 (en) | Block chain based authentication |
US10341118B2 (en) | SSL gateway with integrated hardware security module |
US10623186B1 (en) | Authenticated encryption with multiple contexts |
US10257171B2 (en) | Server public key pinning by URL |
US9749354B1 (en) | Establishing and transferring connections |
US20220166605A1 (en) | Cryptographic Key Storage System and Method |
JP2020522164A (en) | Method, device and program for TLS inspection |
US8132246B2 (en) | Kerberos ticket virtualization for network load balancers |
US9191201B1 (en) | Optimizing secure communications |
JP7530146B2 (en) | Secure private key distribution among endpoint instances |
US11621856B2 (en) | Generating a domain name system container image to create an instance of a domain name system container |
US9800568B1 (en) | Methods for client certificate delegation and devices thereof |
CN112235274B (en) | Bank-enterprise direct connection system and method supporting multiple encryption algorithms to carry out secure communication |
WO2020093609A1 (en) | Block generation method, apparatus and device for blockchain, and non-volatile readable storage medium |
US11271968B2 (en) | Zero round trip time transmission for anticipatory request messages |
WO2022063213A1 (en) | Network access method and system based on cloud delivery, and medium and device |
US10819515B1 (en) | Derived unique recovery keys per session |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17855028; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 17855028; Country of ref document: EP; Kind code of ref document: A1 |