Reverse proxy method, server and storage medium based on fast data path
By integrating the eBPF engine and XDP program into the reverse proxy server, data packets are intercepted in real time, bypassing the TCP/IP protocol stack and network card driver, and data is transmitted directly through the kernel socket. This solves the load problem of the reverse proxy server under concurrent connections, improves processing efficiency, and reduces latency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- JIANGSU SHENWANG TECH CO LTD
- Filing Date
- 2023-08-11
- Publication Date
- 2026-07-14
AI Technical Summary
Reverse proxy servers experience high loads when handling concurrent connection requests, becoming a service bottleneck. Existing technologies also suffer from high data transmission latency and system resource overhead.
A reverse proxy method based on fast data paths is adopted, which intercepts data packets through the eBPF engine and XDP program, bypasses the TCP/IP protocol stack and network card driver, and transmits data directly through the kernel socket.
It reduces system resource overhead, lowers network latency, and improves the processing efficiency of the reverse proxy server.
Smart Images

Figure CN117061610B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network data transmission, and in particular to a reverse proxy method, server, and storage medium based on a fast data path. Background Technology
[0002] A reverse proxy is a service that uses a proxy server to accept connection requests from the internet, forward them to servers on the internal network, and return the results from those servers to the client that made the connection request. In this case, the proxy server acts as a reverse proxy server to the outside world. Simply put, the real server cannot be directly accessed from the external network, so a proxy server is needed. This proxy server, however, can be accessed from the external network while remaining in the same network environment as the real server.
[0003] However, regardless of whether the reverse proxy server reference model adopts the OSI model or the TCP / IP model, its data needs to pass through the network card link in the kernel space, network driver, TCP / IP protocol stack, and socket processing before entering the user space program for processing. This layer-by-layer transmission method increases data transmission latency and system memory resource overhead, reducing proxy efficiency. Currently, it is generally used for load balancing of web servers. For each proxy, the proxy server must open two connections, one external and one internal. Therefore, when the number of concurrent connection requests is very large, the load on the proxy server becomes very heavy, and ultimately the proxy server itself becomes the bottleneck of the service. Summary of the Invention
[0004] This application provides a reverse proxy method, server, and storage medium based on a fast data path, which improves the network processing speed of the reverse proxy server when processing services in parallel.
[0005] On the one hand, this application provides a reverse proxy method based on a fast data path, the method comprising:
[0006] The proxy service listener is started and the extended Berkeley packet filter eBPF engine is loaded. The Fast Data Path (XDP) program is started to intercept data packets received from the network card but not yet entering the TCP / IP protocol stack. These data packets are sent by the client or network server via the Internet.
[0007] The intercepted data packets are subjected to a transmission protocol determination. When the data packet is determined to be a TCP protocol, the target network server, client, and proxy permissions of the reverse proxy are determined based on the application port connected to the data packet.
[0008] The HTTP protocol of the data packet is determined based on the address and / or port information of the client or network server, and the proxy status of the data packet is determined based on the established proxy service connection information table; the proxy service connection information table records the connection information of the end-to-end proxy connection established between the client and the server.
[0009] If the data packet has proxy permissions and an end-to-end proxy connection has been established, the data information is extracted from it, and the TCP / IP protocol stack, network card driver, and user space program are skipped. The data information is sent directly to the client or target network server by calling the kernel's socket buffer. If the data packet has proxy permissions but no end-to-end proxy connection has been established, the corresponding connection information is added to the proxy service connection information table, and the subsequent intercepted data packets are detected and detected in a loop.
[0010] Furthermore, before starting the proxy service listener and loading the eBPF engine, the method also includes:
[0011] Read the pre-configuration information and obtain the proxy permission table, which records the port number to be listened to and the network server address and / or port number;
[0012] Load the proxy service connection information table, determine the connection information of all established end-to-end connections in the table, the connection information records the connection information between the client and the network server, including the client address and / or port number, the network server address and / or port number, and the transmission identifier;
[0013] After the proxy service listener is started and the eBPF engine is loaded, the XDP program intercepts the data packets received by the network card in real time and performs data analysis.
[0014] Furthermore, when the data packet is determined not to be a TCP protocol, it is directly sent to the upper TCP / IP protocol stack for sequential execution;
[0015] When the data packet is parsed and determined to be a TCP protocol, the application port specified by the data packet is obtained and matched with the port number in the proxy permission table; different application port numbers are used to connect to and implement different application functions.
[0016] When no matching port number is found, the request to send or receive the data packet is not authorized to reverse proxy and is directly sent to the upper TCP / IP protocol stack for sequential execution; when a matching port number is found, the request to send or receive the data packet is authorized to reverse proxy and the HTTP protocol of the data packet is verified.
[0017] Furthermore, the HTTP protocol of the data packet is divided into HTTP request and HTTP response; the data packet initiated by the client contains an HTTP request and is sent to the target network server to request data, while the data packet initiated by the target network server contains an HTTP response and is used to respond to the data request initiated by the client.
[0018] Furthermore, when the data packet corresponds to an HTTP request initiated by the client, the proxy service connection information table is obtained, and the client address and / or port information recorded therein is read.
[0019] Match the target client address and / or port information in the data packet with the client address and / or port information recorded in the proxy service connection information table;
[0020] When the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and the drop command is returned to close the processing permission of the upper protocol.
[0021] When the data packet corresponds to an HTTP response initiated by a network server, the proxy service connection information table is obtained, and the network server address and / or port information recorded therein is read.
[0022] Match the target network server address and / or port information in the data packet with the network server address and / or port information recorded in the proxy service connection information table;
[0023] When the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and the drop command is returned to close the processing privileges of the upper protocol.
[0024] Furthermore, when the data packet corresponds to an HTTP request, after disabling the processing permissions of upper-layer protocols, the method further includes:
[0025] Extract the transmission identifier of the target network server from the end-to-end connection information and use it as the target transmission identifier for sending data;
[0026] The kernel's socket buffer is directly invoked to receive the data packet, and the starting position of the target data transmission is located based on the target transmission identifier; the target data is then directly sent to the target network server based on the kernel socket.
[0027] When the data packet corresponds to an HTTP response, after disabling the processing permissions of upper-layer protocols, the method further includes:
[0028] Extract the client's transmission identifier from the end-to-end connection information and use it as the target transmission identifier for sending data;
[0029] The kernel's socket buffer is directly invoked to receive the data packet, and the starting position of the target data transmission is located based on the target transmission identifier; the target data is then directly sent to the client based on the kernel socket.
[0030] Furthermore, the HTTP protocol process for determining the data packet is as follows: when the address and / or port information do not match, the client is instructed to connect to the network server for the first time and the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution.
[0031] The end-to-end connection information is constructed based on the client address and / or port information, the target network server address and / or port information, and the transport identifiers;
[0032] Add the constructed end-to-end connection information to the proxy service connection information table.
[0033] Furthermore, the XDP program has a built-in hook function. When it determines whether an end-to-end proxy connection is established between the client and the network server based on intercepted data packets, the hook function skips the TCP / IP protocol stack, network card driver, and user space program, and sends data to the other end via socket.
[0034] On the other hand, this application provides a reverse proxy server, which includes a processor and a memory. The memory stores at least one instruction, at least one program, code set, or instruction set. The at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the reverse proxy method based on fast data path described in any of the above aspects.
[0035] In another aspect, this application provides a computer-readable storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the reverse proxy method based on fast data path described in any of the above aspects.
[0036] The beneficial effects of the technical solution provided in this application include at least the following: by integrating an eBPF engine into the reverse proxy server, the XDP program intercepts data packets received by the network card link in real time, preventing them from directly entering the TCP / IP protocol stack. It then performs TCP and HTTP protocol checks on these packets to determine proxy permissions, connected devices, and end-to-end connection status, thereby taking over the data packets. This bypasses the TCP / IP protocol stack, network card driver, and user-space program, and calls the kernel's socket to send data directly to the peer, completing cross-platform data transmission, reducing traditional data transmission paths, reducing system resource overhead, further reducing network latency, and improving the efficiency of the reverse proxy server. Attached Figure Description
[0037] Figure 1 This is a schematic diagram illustrating a scenario where a reverse proxy server connects a client and a web server for data communication.
[0038] Figure 2 This is a flowchart of the XDP-based reverse proxy method provided in the embodiments of this application;
[0039] Figure 3 This is a network transmission protocol model path diagram of a traditional reverse proxy server;
[0040] Figure 4 This is a path diagram for data transmission based on the XDP reverse proxy method. Detailed Implementation
[0041] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.
[0042] In this article, "multiple" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects have an "or" relationship.
[0043] A typical proxy server only proxies connection requests from an internal network to the Internet. Clients must specify the proxy server and forward HTTP requests that would otherwise be sent directly to the web server to the proxy server. Since hosts on the external network do not configure or use this proxy server, and ordinary proxy servers are designed to search multiple undefined servers on the Internet rather than responding to requests from multiple clients on the Internet to access a single, fixed server, ordinary web proxy servers do not support external access requests to the internal network. When a proxy server can proxy hosts on the external network to access the internal network, this type of proxy service is called a reverse proxy service. In this case, the proxy server appears to the outside world as a web server, and the external network can simply treat it as a standard web server without specific configuration. The difference is that this server does not store any actual web page data; all static web pages or CGI programs are stored on the internal web server. Therefore, attacks on reverse proxy servers will not damage web page information, thus enhancing the security of the web server.
[0044] eBPF (extended Berkeley Packet Filter) is a general-purpose execution engine that provides the ability to efficiently and safely execute specific code based on system or program events. Users of this general-purpose capability are no longer limited to kernel developers. eBPF consists of bytecode instructions, storage objects, and helper functions. Bytecode instructions must be verified by the BPF verifier before being executed by the kernel. Furthermore, in kernels with BPF JIT mode enabled, the bytecode instructions are directly translated into kernel-executable native instructions for execution.
[0045] XDP (eXpress Data Path) is a special eBPF program that offers very high performance in packet processing because it processes data before the protocol stack. The rise of XDP or Express Data Path stemmed from the Linux kernel's need for high-performance packet processing capabilities. Many kernel-bypassing techniques (DPDK being the most prominent) aim to accelerate network operations by moving packet processing to user space. This means eliminating the overhead of context switching, system call translation, or IRQ (Interrupt Request) requests between the kernel and user space boundaries. The operating system relinquishes control of the network stack to user-space processes, which interact directly with the NIC (Network Interface Card) through their own drivers.
[0046] Figure 1This is a schematic diagram of a scenario where a reverse proxy server connects a client and a web server for data communication. The reverse proxy server can establish network connections with both the web server and the client, acting as a relay station for network communication. It forwards requests initiated by the client to the web server and sends the web server's response back to the client. Specifically, it can be composed of a regular server or a server cluster, and internally integrates a proxy service listener, an eBPF engine, and an XDP program.
[0047] Clients can be terminal devices such as smartphones, tablets, desktop computers, and workstations. Web servers, on the other hand, are devices that provide specific services. They can be single or multiple servers, server clusters, cloud computing platforms, and virtualization centers—at least one of these. They are responsible for responding to client data requests, executing specific tasks based on those requests, and sending the results back to the client via a reverse proxy server.
[0048] Figure 2 This is a flowchart of the XDP-based reverse proxy method provided in the embodiments of this application, applied to... Figure 1 The reverse proxy server in the method includes the following steps:
[0049] Step 201: Start the proxy service listener and load the extended eBPF engine. Use the started XDP program to intercept data packets received from the network card but not yet entered the TCP / IP protocol stack.
[0050] When a reverse proxy server is required to perform reverse proxy services, it initializes or starts a proxy service listener, which listens for network packets received at the network interface card (NIC) link. Specifically, this is done by loading an extended eBPF engine, which integrates the XDP program. The XDP program intercepts all data packets passing through the NIC link. Note that at this point, the data packets have just been sent to the NIC via the internet and have not yet entered the upper-layer protocols of network transmission.
[0051] like Figure 3 As shown, in traditional reverse proxy technology, the data stream needs to go from bottom to top through the kernel space network interface card (NIC), network driver, TCP / IP protocol stack, and socket before entering the user space program for processing. After the user space creates a network connection, the data stream is first processed in the user space program, and then needs to enter the kernel space and go from top to bottom through the socket, TCP / IP protocol stack, network driver, and NIC before it can enter the network for transmission (sent to the receiving end). This process of data stream transmission and processing takes a long time.
[0052] In this solution, the XDP program intercepts data at the network card link location and then analyzes and processes the intercepted data packets.
[0053] Reverse proxy servers typically establish communication connections with several web servers. For web servers that need to perform reverse proxying, the following settings need to be configured before starting the proxy service listener and loading the eBPF engine:
[0054] a. Read the pre-configuration information and obtain the proxy permission table. The proxy permission table records the port number to be listened to and the network server address and / or port number.
[0055] Pre-configured information can be set and stored in the reverse proxy server by engineers in advance. This includes at least a proxy permission table, which records the port numbers (of the reverse proxy server) and network server addresses and / or port numbers that need to be monitored. In other words, there are no reverse proxy permissions for ports or network servers not recorded in the proxy permission table. This allows for execution on specific servers or special services, making reasonable use of resources.
[0056] b. Load the proxy service connection information table, determine the connection information of all established end-to-end connections in the table. The connection information records the connection information between the client and the network server, including the client address and / or port number, the network server address and / or port number, and the transmission identifier.
[0057] The proxy service connection information table contains device and connection information about the reverse proxy server establishing communication connections. For example, it records the network data currently being established between client A and network server B. The purpose of recording this information is to analyze all intercepted data packets to check whether a connection has been established or remained open within a certain timeframe. For instance, if client C and network server D establish a connection and then continue data transmission shortly afterward, the proxy service connection information table records this for a certain delay. If the connection is lost for more than a beneficial practice threshold, the connection entry is deleted, and a new connection must be established based on subsequent data packets.
[0058] c. After starting the proxy service listener and loading the eBPF engine, the XDP program intercepts the data packets received by the network card in real time and performs data analysis.
[0059] Step 202: Determine the transmission protocol of the intercepted data packets. If the data packets are determined to be TCP, determine the target network server, client, and proxy permissions of the reverse proxy based on the application port connected to the data packets.
[0060] The purpose of transport protocol determination is to identify the data packet type. Since network communication between the client and server is based on the TCP protocol, this step is a preliminary determination, as the intercepted data has not yet reached the TCP / IP protocol stack. Next, the proxy permission table loaded in the previous steps is used to determine the target network server, client, and proxy permissions of the reverse proxy based on the request / receive port number, sender address, and / or port number in the data packet.
[0061] For example, if the data packet is sent by a network server, the network server's address and / or port number are checked to determine whether a reverse proxy is needed. The data packet will necessarily contain the peer (client) address and / or port number. Conversely, if the packet is sent by a client, the peer (target server) address and / or port number will be recorded, and then it will be determined whether the client has proxy privileges.
[0062] Specifically, this step may also include the following steps:
[0063] d. When the packet parsing determines that it is not a TCP protocol, it is directly sent to the upper TCP / IP protocol stack for sequential execution;
[0064] For packets or data requests that are not part of the TCP protocol, indicating that there is no need to execute the reverse proxy task, the intercepted packets are "allowed" and handed over to the upper-layer protocols, namely the NIC driver, TCP / IP protocol stack, socket, buffer, and finally to the application.
[0065] e. When the data packet is parsed and determined to be a TCP protocol, the application port specified by the data packet is obtained and matched with the port number in the proxy permission table; different application port numbers are used to connect to and implement different application functions;
[0066] The application port is contained in the data packet and can be obtained through parsing. This step corresponds to step b, which involves extracting the verification from the proxy service connection information table.
[0067] f. When no matching port number is found, the request to send or receive data packets does not have reverse proxy privileges and is directly sent to the upper TCP / IP protocol stack for sequential execution; when a matching port number is found, the request to send or receive data packets has reverse proxy privileges and the HTTP protocol of the data packets is verified.
[0068] Step 203: Determine the HTTP protocol of the data packet based on the address and / or port information of the client or network server, and determine the proxy status of the data packet based on the established proxy service connection information table.
[0069] This step further assesses the HTTP protocol after confirming proxy permissions, as the proxy service connection information table records connection information for end-to-end proxy connections established between the client and server. This step determines the proxy status between the client and target server currently (or within a preset time period). If a connection has been established, step 204 is executed directly for fast reverse proxying. If no match is found in the record table, it indicates that the client and target server have not established a connection, and step 205 is required to establish the connection.
[0070] Step 204: In response to the data packet having proxy permissions and an end-to-end proxy connection being established, extract the data information from it, skip the TCP / IP protocol stack, network card driver and user space program, and directly send the data information to the client or target network server by calling the kernel's socket buffer.
[0071] The purpose of the XDP protocol is to, after establishing an end-to-end connection, perform simple data processing and then directly send data to the client or target network server on the other end by calling the kernel's socket. This is in comparison to... Figure 3 The data transmission method, which proceeds from the bottom up through the network card link to the application layer data proxy, and then from the top down through multiple layers of protocols before entering the network transmission, bypasses the TCP / IP protocol stack, network card driver, and user space program, thus shortening the data transmission path.
[0072] Step 205: In response to the data packet having proxy permissions but not establishing an end-to-end proxy connection, add the corresponding connection information to the proxy service connection information table, and continue to detect and cyclically detect subsequent intercepted data packets.
[0073] If no end-to-end connection is established, it indicates that this is the first time data transmission communication has been performed. In this case, the corresponding connection information needs to be added to the proxy service connection information table so that the efficient transmission scheme in step 204 can be executed during subsequent monitoring.
[0074] In summary, this solution integrates an eBPF engine into the reverse proxy server. The XDP program intercepts data packets received via the network interface card (NIC) link in real time, preventing them from directly entering the TCP / IP protocol stack. It then performs TCP and HTTP protocol checks to determine proxy permissions, connected devices, and end-to-end connection status. This allows the solution to take over data packets, bypassing the TCP / IP protocol stack, NIC driver, and user-space programs. By calling kernel sockets, data is sent directly to the peer, completing cross-platform data transmission, reducing traditional data transmission paths, minimizing system resource overhead, further reducing network latency, and improving the efficiency of the reverse proxy server.
[0075] The TCP protocol check in step 203 and the HTTP protocol check in step 204 are both to determine whether the fast reverse proxy requirement is met. And for those that are not met, the process is completely... Figure 3 The data is transmitted from bottom to top and from top to bottom. For cases that meet the HTTP protocol criteria, further data processing is required. Specifically, step 204 includes the following steps:
[0076] First, data packets are categorized by the sending end, dividing the HTTP protocol of the data packets into HTTP requests and HTTP responses. The data packets initiated by the client contain HTTP requests and are sent to the target web server to request data. The data packets initiated by the target web server contain HTTP responses and are used to respond to the data requests initiated by the client.
[0077] S11, When the data packet corresponds to an HTTP request initiated by the client, the reverse proxy server will obtain the proxy service connection information table and read the client address and / or port information recorded therein;
[0078] S12, Match the target client address and / or port information in the data packet with the client address and / or port information recorded in the proxy service connection information table;
[0079] S13: When the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and returns a drop command to close the processing privileges of the upper protocol.
[0080] If there is no match, data will be transmitted in a bottom-up order. If there is a match, it means that the connection has been established. This data packet follows the fast reverse proxy scheme and returns a drop command to close the processing permissions of the upper layer protocols (network card driver, TCP / IP protocol stack and application layer, etc.).
[0081] S21, when the data packet corresponds to an HTTP response initiated by the network server, obtain the proxy service connection information table and read the network server address and / or port information recorded therein;
[0082] S22, Match the target network server address and / or port information in the data packet with the network server address and / or port information recorded in the proxy service connection information table;
[0083] S23, when the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and the drop command is returned to close the processing authority of the upper protocol.
[0084] The above steps determine the HTTP protocol of the data packets and the proxy status. For requests in the proxy state, processing permissions for higher-layer protocols are disabled, thus enabling cross-protocol data transmission. (Refer to...) Figure 4 As shown, it specifically includes the following:
[0085] S31, when the data packet corresponds to an HTTP request, after closing the processing permission of the upper layer protocol, extract the transmission identifier of the target network server in the end-to-end connection information and use it as the target transmission identifier for sending data.
[0086] S32 directly calls the kernel's socket buffer to receive data packets and locates the starting position of the target data transmission based on the target transmission identifier; it then sends the target data directly to the target network server based on the kernel socket.
[0087] Because the relationship between servers and clients is one-to-many, meaning multiple clients access the target network server, a single network server typically establishes multiple connection records. The transport identifier is used to ensure the uniqueness of these connections. In other words, each connection record in the proxy service's connection information table stores the sender and receiver identifiers, and the reverse proxy server, acting as an intermediary, is responsible for verifying and matching these transport identifiers. For example, if a data packet sent by a client contains the client's transport identifier, the reverse proxy server will intercept it, extract the transport identifier, query the proxy service's connection information table for a matching connection, and then select the corresponding transport identifier of the target network server. This identifier is used as the connection identifier to connect to the target network server and establish data communication transmission—the target transport identifier.
[0088] Similarly, when the target server is the sender, the client's transmission identifier is extracted from the end-to-end connection information and used as the target transmission identifier for sending data.
[0089] S33 directly calls the kernel's socket to receive data packets and locates the starting position of the target data transmission based on the target transmission identifier; it then sends the target data directly to the client based on the kernel socket.
[0090] like Figure 4 As shown, the XDP program has a built-in hook function. When the network card link of the reverse proxy server receives data, it intercepts the data packet and determines that an end-to-end proxy connection has been established between the client and the network server. Then, it skips the TCP / IP protocol stack, network card driver and user space program through the hook function and sends the data to the other end through the socket. This process no longer goes through the application layer.
[0091] For system security reasons, data must be copied between kernel space and user space before it can be transmitted over the network. This increases system overhead and transmission latency. In contrast, this solution performs simple processing on the network card when it receives an HTTP request / response and then directly uses the kernel's socket technology to send the data to the server / client's socket without having to go through two data copies. This greatly reduces system processing time and network latency.
[0092] When a client sends its first request to the target web server, the reverse proxy server does not record the connection information between the two, so the initial data packet can only pass through... Figure 3 The complete data transmission model is executed sequentially, and connection information is established based on the sender and receiver addresses, port numbers, transmission identifiers, etc. In this way, when a second data packet is sent later, data can be transmitted across the upper layer protocol through the hook function.
[0093] Furthermore, when the application proxy detects a client connection, it accepts the connection and creates a network connection to the backend server. When it detects that the client is closing the connection, it closes the previously created network connection to the backend server and deletes the proxy's service connection information.
[0094] This application also provides a reverse proxy server, which includes a processor and a memory. The memory stores at least one instruction, at least one program, code set, or instruction set. The at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the reverse proxy method based on fast data path described in any of the above aspects.
[0095] This application also provides a computer-readable storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the reverse proxy method based on fast data path described in any of the above aspects.
[0096] The preferred embodiments of the present invention have been described above. It should be understood that the present invention is not limited to the specific embodiments described above. The devices and structures not described in detail should be understood as being implemented in a conventional manner in the art. Any person skilled in the art can make many possible changes and modifications, or equivalent changes to equivalent embodiments without departing from the technical solution of the present invention. This does not affect the substantive content of the present invention. Therefore, any simple modifications, equivalent changes and modifications made to the above embodiments based on the technical essence of the present invention without departing from the content of the technical solution of the present invention shall still fall within the protection scope of the technical solution of the present invention.
Claims
1. A reverse proxy method based on fast data paths, characterized in that, The method includes: The proxy service listener is started and the extended Berkeley packet filter eBPF engine is loaded. The Fast Data Path (XDP) program is started to intercept data packets received from the network card but not yet entering the TCP / IP protocol stack. These data packets are sent by the client or network server via the Internet. The intercepted data packets are subjected to a transmission protocol determination. When the data packet is determined to be a TCP protocol, the target network server, client, and proxy permissions of the reverse proxy are determined based on the application port connected to the data packet. The HTTP protocol of the data packet is determined based on the address and / or port information of the client or network server, and the proxy status of the data packet is determined based on the established proxy service connection information table; the proxy service connection information table records the connection information of the end-to-end proxy connection established between the client and the server. If the data packet has proxy permissions and an end-to-end proxy connection has been established, the data information is extracted from it, and the TCP / IP protocol stack, network card driver, and user space program are skipped. The data information is sent directly to the client or target network server by calling the kernel's socket buffer. If the data packet has proxy permissions but no end-to-end proxy connection has been established, the corresponding connection information is added to the proxy service connection information table, and the subsequent intercepted data packets are detected and detected in a loop.
2. The reverse proxy method based on fast data path according to claim 1, characterized in that, Before starting the proxy service listener and loading the eBPF engine, the method further includes: Read the pre-configuration information and obtain the proxy permission table, which records the port number to be listened to and the network server address and / or port number; Load the proxy service connection information table, determine the connection information of all established end-to-end connections in the table, the connection information records the connection information between the client and the network server, including the client address and / or port number, the network server address and / or port number, and the transmission identifier; After the proxy service listener is started and the eBPF engine is loaded, the XDP program intercepts the data packets received by the network card in real time and performs data analysis.
3. The reverse proxy method based on fast data paths according to claim 2, characterized in that, When the data packet is determined not to be a TCP protocol, it is directly sent to the upper TCP / IP protocol stack for sequential execution. When the data packet is parsed and determined to be a TCP protocol, the application port specified by the data packet is obtained and matched with the port number in the proxy permission table; different application port numbers are used to connect to and implement different application functions. When no matching port number is found, the request to send or receive the data packet is not authorized to reverse proxy and is directly sent to the upper TCP / IP protocol stack for sequential execution; when a matching port number is found, the request to send or receive the data packet is authorized to reverse proxy and the HTTP protocol of the data packet is verified.
4. The reverse proxy method based on fast data path according to claim 1, characterized in that, The HTTP protocol of the data packets is divided into HTTP requests and HTTP responses; the data packets initiated by the client contain HTTP requests and are sent to the target network server to request data, while the data packets initiated by the target network server contain HTTP responses and are used to respond to the data requests initiated by the client.
5. The reverse proxy method based on fast data paths according to claim 4, characterized in that, When the data packet corresponds to an HTTP request initiated by the client, the proxy service connection information table is obtained, and the client address and / or port information recorded therein is read. Match the target client address and / or port information in the data packet with the client address and / or port information recorded in the proxy service connection information table; When the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and the drop command is returned to close the processing permission of the upper protocol. When the data packet corresponds to an HTTP response initiated by a network server, the proxy service connection information table is obtained, and the network server address and / or port information recorded therein is read. Match the target network server address and / or port information in the data packet with the network server address and / or port information recorded in the proxy service connection information table; When the address and / or port information do not match, the data packet is directly sent to the upper TCP / IP protocol stack for sequential execution; when the address and / or port information match, it indicates that an end-to-end proxy connection has been established, and the drop command is returned to close the processing privileges of the upper protocol.
6. The reverse proxy method based on fast data paths according to claim 5, characterized in that, When the data packet corresponds to an HTTP request, after disabling the processing permissions of upper-layer protocols, the method further includes: Extract the transmission identifier of the target network server from the end-to-end connection information and use it as the target transmission identifier for sending data; The kernel's socket buffer is directly invoked to receive the data packet, and the starting position of the target data transmission is located based on the target transmission flag; the target data is then directly sent to the target network server based on the kernel socket. When the data packet corresponds to an HTTP response, after disabling the processing permissions of upper-layer protocols, the method further includes: Extract the client's transmission identifier from the end-to-end connection information and use it as the target transmission identifier for sending data; The kernel's socket buffer is directly invoked to receive the data packet, and the starting position of the target data transmission is located based on the target transmission flag; the target data is then directly sent to the client based on the kernel socket.
7. The reverse proxy method based on fast data paths according to claim 5, characterized in that, The process of determining the HTTP protocol of the data packet, when the address and / or port information do not match, instructs the client to connect to the network server for the first time and sends the data packet directly to the upper TCP / IP protocol stack for sequential execution; The end-to-end connection information is constructed based on the client address and / or port information, the target network server address and / or port information, and the transport identifiers; Add the constructed end-to-end connection information to the proxy service connection information table.
8. The reverse proxy method based on fast data paths according to any one of claims 1-7, characterized in that, The XDP program has a built-in hook function. Based on intercepted data packets, when it determines whether an end-to-end proxy connection is established between the client and the network server, the hook function skips the TCP / IP protocol stack, network card driver, and user space program, and sends data to the other end via socket.
9. A reverse proxy server, characterized in that, The reverse proxy server includes a processor and a memory, wherein the memory stores at least one instruction, at least one program, code set, or instruction set, and the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the reverse proxy method based on fast data path as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The readable storage medium stores at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the reverse proxy method based on a fast data path as described in any one of claims 1 to 7.