Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and system for remotely accessing a router administration page, so as to reduce hardware and software cost and improve operating efficiency.
The technical scheme of the present invention is achieved as follows:
A method for remotely accessing a router administration page, comprising:
establishing and maintaining a Transmission Control Protocol (TCP) long connection between the router and a cloud server;
the cloud server determining the listening port number corresponding to the router, and sending the address of the cloud server and the listening port number to the corresponding router over the TCP long connection;
the router opening its web port and establishing a Secure Shell (SSH) reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port;
a client browser accessing the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel.
In a preferred embodiment, there are two or more routers, each router sends authentication information to the cloud server in advance, and after the cloud server's authentication passes it generates a device ID for identifying the router;
the cloud server further displays the information of the authenticated routers in its web front-end administration page.
In a preferred embodiment, the timing and specific method by which the cloud server determines the listening port corresponding to the router and sends it to the router over the TCP long connection comprise:
the client browser accessing the web front-end of the cloud server and sending an instruction to open remote management for the router to be managed;
after receiving this open-remote-management instruction, the cloud server determining the listening port corresponding to this router and sending the address of the cloud server and this listening port number to this router over the TCP long connection.
In a preferred embodiment, after the client browser accesses the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel, the method further comprises:
the cloud server sending a close-remote-management instruction to the router over the TCP long connection; the router closing the SSH reverse tunnel after receiving the close-remote-management instruction and returning a close response to the cloud server; and the cloud server releasing the listening port after receiving the close response.
In a preferred embodiment, the client browser accessing the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel specifically comprises:
the client browser accessing the address of the cloud server plus the listening port number;
the web proxy server of the cloud server accessing, through the SSH port, the local loopback address plus the listening port number;
the local loopback address plus the listening port number being mapped to the local address plus web port of the router administration page corresponding to the listening port number.
In a preferred embodiment, the method further comprises: generating a public key and a corresponding private key, storing the public key in the authorized_key file of the cloud server, and storing the private key in the router;
and, when the router establishes the SSH reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port, automatically performing SSH key authentication using the private key corresponding to the public key.
In a preferred embodiment, there are two or more routers, and all routers use the same public key and private key.
In a preferred embodiment, the SSH port of the cloud server is delivered to the router in advance and stored in the router.
In a preferred embodiment, the web port opened by the router is port 80 of the router.
A system for remotely accessing a router administration page, comprising:
a TCP long connection module, arranged in the router and the cloud server, for establishing and maintaining a TCP long connection between the router and the cloud server;
an access opening module, arranged in the cloud server, for determining the listening port number corresponding to the router and sending the address of the cloud server and the listening port number to the corresponding router over the TCP long connection;
an SSH reverse tunnel module, arranged in the router, for opening the web port of the router and establishing an SSH reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port;
a web proxy server, arranged in the cloud server, for accepting access requests from the client browser and accessing the administration page of the router through this web proxy server and the SSH reverse tunnel.
Compared with the prior art, the present invention requires neither on-site configuration of the router nor a local computer with remote control software installed for each router; it also avoids the complex operation of remotely powering on a computer, and the remote computer need not install remote control software. Only a browser accessing the cloud server is needed to remotely access the web-based management page of any router connected to the cloud server and to configure that router. Software and hardware costs are therefore greatly reduced, on-site configuration and its labor cost are avoided, and, since no remote power-on of a computer is needed, operating efficiency is improved.
Embodiment
The present invention is described in more detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic flow chart of the method for remotely accessing a router administration page according to the present invention. Referring to Fig. 1, the method of the present invention comprises:
Step 101: establish and maintain a Transmission Control Protocol (TCP) long connection between the router and the cloud server.
The router in the present invention can be a wireless router or a wired router; the specific embodiments of the present invention are described for a wireless router. A concrete application scenario of the present invention is as follows: wireless routers are deployed in many places, for example a large number of wireless routers in public places such as shopping malls, restaurants, bus stations and office buildings in a city. Each wireless router forms a wireless local area network (WLAN), and a unified access authentication method can be used for access authentication on these wireless routers, so that users can conveniently access the WLAN and then the Internet through a wireless router at any time and place. These wireless routers are the management objects of the present invention. The cloud server is deployed in the cloud, and a device authentication client is installed in each wireless router for performing the steps of the method of the present invention that the router needs to perform.
Step 101 solves the problem of keeping instant communication between the server and the router in the remote local area network (LAN) and issuing control commands. The TCP long connection means that the client (here the router) first establishes a communication connection with the server (here the cloud server), the connection is not disconnected after establishment, and messages are then sent and received over it. Because the communication connection always exists in this mode, it is usually used for point-to-point communication. The specific process of establishing the TCP long connection can use the prior art and is not repeated here.
In the present invention, the TCP long connection established between the cloud server and the router in the remote LAN can be used to issue configuration information to the remote router, including the remote control service address information provided by the cloud server (such as an IP address or URL), instructions to open or close remote management, the determined listening port number, and other information.
In a preferred embodiment of the present invention, there are two or more routers, each router sends authentication information to the cloud server in advance, and after the cloud server's authentication passes it generates a device ID for identifying the router; while the router is online and connected to the cloud server, a TCP long connection can be maintained by heartbeat. The cloud server has a web front-end administration page; Fig. 2 is a schematic diagram of one such web front-end administration page of the cloud server. An administrator can use the browser of a remote client (a computer or even a mobile phone) to access this web front-end administration page of the cloud server. The cloud server further displays the information of the authenticated routers in its web front-end administration page, such as the router's name, device ID, Merchant ID, business type, whether it is online, and a button for opening or closing remote management, which makes it convenient for the administrator to manage and configure each authenticated router.
When the administrator wants to remotely manage one of these routers, for example the router whose device ID is 2001, the administrator can click the open-remote-management button corresponding to this router; this click is the instruction to open remote management for this router. After the cloud server receives this open-remote-management instruction through the web front-end, it performs the following step 102.
Step 102: the cloud server determines the listening port number corresponding to the router and sends the address of the cloud server and the listening port number over the TCP long connection to the corresponding router, namely the router corresponding to the button clicked by the administrator. The address of the cloud server is specifically the address of the server in the cloud that provides the remote management service; it can be an IP address or a uniform resource locator (URL).
In the present invention, the cloud server can reserve a number of listening port numbers for managing and controlling remote routers. This step specifically comprises: the cloud server scans the reserved listening ports, determines one that is not currently in use and assigns it to the router 2001 that currently needs to be controlled (for example, the listening port number here is 1000), and sends the instruction to open remote management, the address of the cloud server and the listening port number over the TCP long connection to the corresponding router 2001.
In the present invention, all the servers relevant to the cloud server can be provided by a server with the same IP address, or different services can be provided by servers with different IP addresses. The IP address or URL of the server providing the remote management and control of the present invention, namely the server providing the listening port number and the SSH port, can be stored in each router in advance; in that case, sending this IP address or URL to the corresponding router over the TCP long connection is optional. However, because the IP address or URL of the server providing remote management and control may change, in a preferred embodiment the IP address or URL of the server providing this listening port number and the SSH port is sent to the router together with the open-remote-management instruction and the listening port number over the TCP long connection. For example, here the IP address of the server providing the remote management service is 210.14.157.96.
Step 103: the router opens its web port and establishes a Secure Shell (SSH) reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port. The SSH port of the cloud server and the listening port are opened in advance.
The technical problem step 103 needs to solve is as follows. Behind the router's firewall the network is divided into an intranet and a demilitarized zone (DMZ); although both the intranet and the DMZ can access the external network, they cannot directly access each other. The difference between the intranet and the DMZ is that accesses from the external network are all mapped by firewall rules onto servers in the DMZ, whereas the intranet generally does not allow this. The DMZ can only be given port mappings at the firewall. When the internal and external networks cannot directly reach each other, if a machine on the intranet is to provide a service externally, for example through an SSH reverse tunnel, the tunnel it creates can act as a proxy, with the data flowing intranet machine -> tunnel -> external network. Applied in the technical scheme of the present invention, the tunnel is used the other way round: external network -> DMZ -> tunnel -> intranet. This requires the reverse tunnel of SSH: a listening port is opened on the cloud server (for example the port 10000 allocated above), and then, similarly to remote port mapping, the local web port (normally port 80) is mapped to port 10000 (http://127.0.0.1:10000) through the SSH port of the cloud server. The SSH port number usually adopts the default SSH port number, namely 27100, which can be preset in the router.
Step 103 specifically comprises: after the router receives the open-remote-management instruction sent by the cloud server over the TCP long connection (for example, a flag bit of 1 in the instruction indicates an open-remote-management instruction), it opens the local web port, namely port 80, and uses the autossh command to establish the SSH reverse tunnel connecting the web port (port 80), the SSH port of the cloud server (such as port 27100) and the listening port (such as 210.14.157.96:10000).
Step 104: the client browser accesses the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel.
Once the SSH reverse tunnel between the router and the cloud server has been established, a server on the external network can reach the management back end of the router, but it still cannot access the router's administration page. The administration page of the router refers to the web-based management page, namely the administration page that can be accessed and controlled directly with a browser. The object of the present invention is for a client connected to the cloud server to access, through a browser, the web-based management page of the remote LAN router connected to this cloud server. Therefore, opening a listening port for port 80 on the cloud server through the SSH reverse tunnel is not enough; a web proxy server also needs to be configured on the web server of the cloud server (normally an nginx server). After the configuration takes effect, a PC connected to the server can access the administration page of the remote LAN router through this web proxy server and the reverse tunnel.
In step 104, the client browser accessing the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel specifically comprises:
(1) The client browser accesses the address of the cloud server plus the listening port number.
As shown in Fig. 3, when the administrator clicks the open-remote-management button of a router in Fig. 2 in the client browser, say the router whose device ID is 2001, steps 102 and 103 described above are performed and router 2001 establishes an SSH reverse tunnel with the cloud server; the address of the cloud server plus the listening port number corresponding to router 2001, namely 210.14.157.96:10000, is then automatically entered into the address bar of the client browser and accessed.
(2) The web proxy server of the cloud server accesses, through the SSH port, the local loopback address plus the listening port number, namely 127.0.0.1:10000.
(3) The local loopback address plus the listening port number is mapped to the local address plus web port of the router administration page corresponding to the listening port number, namely http://192.168.1.1:80. Port 80 is usually the default port, so even a mapping to http://192.168.1.1 defaults to port 80.
Through the above one-to-one mapping of address plus port, the client browser finally accesses the router administration page corresponding to the listening port number; the administration page 301 in Fig. 3 is the web-based management page corresponding to router 2001 in Fig. 2.
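The address-plus-port mapping in (1) to (3) can be exercised offline with the following added example, which is not part of the patent and is not the nginx configuration the text refers to. It stands in for the cloud server's web proxy with Python's standard-library HTTP server: a loopback listener plays the tunnel endpoint (127.0.0.1 plus the listening port, which the SSH reverse tunnel would connect to the router's port 80), the proxy forwards the browser's request to it, and when nothing listens there, as after the listening port has been released, the proxy answers 502 instead of hanging. The port numbers are ephemeral rather than the 10000 and 80 of the text, and the router page content is constructed.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Constructed stand-in for the router's web-based management page (192.168.1.1:80 in the text).
ROUTER_PAGE = b"<html><body>router 2001 administration page</body></html>"


class TunnelEndpointHandler(BaseHTTPRequestHandler):
    """Stands in for 127.0.0.1:<listening port> on the cloud server: what the SSH reverse
    tunnel delivers there is the router's own web port, so this serves the admin page."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(ROUTER_PAGE)))
        self.end_headers()
        self.wfile.write(ROUTER_PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_proxy_handler(listen_port: int):
    """Build the web-proxy handler (stand-in for nginx) that forwards every request to the
    loopback tunnel endpoint of one listening port and relays the answer."""

    class WebProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            upstream = f"http://127.0.0.1:{listen_port}{self.path}"
            try:
                with urlopen(upstream, timeout=5) as r:
                    status, ctype, body = r.status, r.headers.get("Content-Type", "text/plain"), r.read()
            except HTTPError as e:  # the router answered with an error page: relay it as-is
                status, ctype, body = e.code, e.headers.get("Content-Type", "text/plain"), e.read()
            except URLError:  # nothing listens: the tunnel is closed and the port released
                status, ctype, body = 502, "text/plain", b"remote management tunnel is not open"
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return WebProxyHandler


def start_server(handler):
    """Serve on 127.0.0.1 with an ephemeral port (in place of 10000 and 80 from the text)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_server(srv):
    srv.shutdown()
    srv.server_close()


def browser_get(url: str):
    """The client browser's request; returns (status, body) even for error responses."""
    try:
        with urlopen(url, timeout=5) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, e.read()


def demo(remote_management_open: bool = True):
    """Run the hop browser -> web proxy -> loopback tunnel endpoint -> router page."""
    tunnel_end = start_server(TunnelEndpointHandler)
    listen_port = tunnel_end.server_address[1]
    if not remote_management_open:
        stop_server(tunnel_end)  # the router closed the tunnel and the port was released
    proxy = start_server(make_proxy_handler(listen_port))
    try:
        return browser_get(f"http://127.0.0.1:{proxy.server_address[1]}/")
    finally:
        stop_server(proxy)
        if remote_management_open:
            stop_server(tunnel_end)


if __name__ == "__main__":
    print(demo(True))   # (200, b'<html>...router 2001 administration page...')
    print(demo(False))  # (502, b'remote management tunnel is not open')
```

In an nginx deployment the same hop is a `proxy_pass http://127.0.0.1:<listening port>;` inside a server block that listens on the cloud server's public address. Because the tunnel's loopback endpoint and the proxy share the port number, the proxy has to listen on the public address specifically (a wildcard listener on the same port would collide with the tunnel's loopback bind), and the proxy, not the tunnel endpoint, is where administrator authentication and TLS for the management session belong, since the router's page itself is served over plain HTTP on port 80.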
In addition, in a specific embodiment, when the router establishes the SSH reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port, an SSH key authentication process is needed. To simplify this step, the method further comprises: generating a public key and a corresponding private key, storing the public key in the authorized_key file of the cloud server, and storing the private key in the router; and, when the router establishes the SSH reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port, automatically performing SSH key authentication using the private key corresponding to the public key.
Usually there are two or more routers. To avoid every router having to regenerate a public key for the server side, and for ease of management, in a further preferred embodiment the public key and private key used by all routers are identical, that is, all routers use the same public key and private key.
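The key handling above, as an added example that is not the patent's code: a small parser for OpenSSH authorized_keys lines (the file the text calls authorized_key; OpenSSH's default path is ~/.ssh/authorized_keys), a generator of a per-router entry that confines the key to opening exactly its own reverse tunnel, and a check for that confinement. It goes beyond the text's single shared key pair: the `restrict`, `port-forwarding` and `permitlisten` options (OpenSSH 7.8 or later for permitlisten) can pin a key to one listening port only when each router has its own key, so the generator assumes one key per device; the key material below is constructed and not a real key.

```python
# Constructed key for the demo: the base64 part is not real key material.
PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALNOTAREALKEY00000 router-fleet"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split_options(line: str):
    """Split the leading options field of an authorized_keys line into (dict, rest).
    Options are comma separated; values may be double-quoted and contain commas and
    backslash-escaped quotes, so a plain split(',') would misparse them."""
    options, buf, quoted, i = {}, [], False, 0

    def flush():
        item = "".join(buf)
        buf.clear()
        if item:
            name, sep, value = item.partition("=")
            options[name] = value if sep else True

    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(line):
            i += 1
            buf.append(line[i])
        elif c == "," and not quoted:
            flush()
        elif c == " " and not quoted:
            flush()
            return options, line[i + 1:].lstrip()
        else:
            buf.append(c)
        i += 1
    raise ValueError("options field is not followed by a key")


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line into options, key type, key and comment."""
    line = line.strip()
    options = {}
    if not line.startswith(KEY_TYPE_PREFIXES):
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("malformed authorized_keys line")
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def hardened_entry(device_id: str, listen_port: int, pubkey: str) -> str:
    """authorized_keys line that lets this router open only its own reverse tunnel:
    restrict disables pty, agent/X11 forwarding and rc files, port-forwarding re-enables
    forwarding, and permitlisten pins the -R bind to the allocated loopback port."""
    parsed = parse_authorized_key(pubkey)
    opts = f'restrict,port-forwarding,permitlisten="127.0.0.1:{listen_port}"'
    return f'{opts} {parsed["type"]} {parsed["key"]} router-{device_id}'


def is_confined(line: str, listen_port: int) -> bool:
    """Check that an entry cannot be used for anything beyond the one tunnel."""
    opts = parse_authorized_key(line)["options"]
    if "restrict" not in opts or "port-forwarding" not in opts:
        return False
    for loosened in ("pty", "agent-forwarding", "X11-forwarding", "user-rc"):
        if loosened in opts:
            return False
    return opts.get("permitlisten") == f"127.0.0.1:{listen_port}"


if __name__ == "__main__":
    entry = hardened_entry("2001", 10000, PUBKEY)
    print(entry)
    print(parse_authorized_key(entry))
    print(is_confined(entry, 10000), is_confined(PUBKEY, 10000))
```

With the text's shared key pair, a private key read out of any one router (the routers sit in public places) authenticates as every router, and a bare authorized_keys entry also grants a shell and arbitrary forwards on the cloud server; the confined entry limits what a recovered key is worth to the one loopback port the web proxy expects, and the check above is what a deployment script should run before installing an entry.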
After the client browser has accessed the administration page of the router through the web proxy server of the cloud server and the SSH reverse tunnel, when remote management of the router is no longer needed, the method may further comprise:
the administrator clicks the close-remote-management button of Fig. 2 through the client browser; the cloud server sends a close-remote-management instruction (for example, a flag bit of 0 in the instruction indicates a close-remote-management instruction) to the router over the TCP long connection; after receiving the close-remote-management instruction, the router closes the SSH reverse tunnel and returns a close response to the cloud server; and the cloud server releases the listening port after receiving the close response.
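The open and close exchange of steps 102 and 103 and of this closing step, as an added example that is not code from the patent: the cloud side allocates a listening port from a reserved pool and pushes the instruction (flag 1 to open, flag 0 to close, as the text describes) as a JSON message of the kind the TCP long connection would carry; the router side turns the open instruction into the autossh command line for the reverse tunnel and confirms the close, and the cloud side releases the port only on that confirmation. The message format, the pool range 10000-10009, the identity-file path, the `tunnel` account name and the JSON encoding are assumptions; the address 210.14.157.96, SSH port 27100 and web port 80 are the text's values; the autossh and ssh options used (`-M 0`, `-N`, `-R`, `-p`, `-i`, `ExitOnForwardFailure`, `ServerAliveInterval`, `ServerAliveCountMax`) are real options of those tools.

```python
import json
from dataclasses import dataclass, field

# Values taken from the embodiment: cloud server address, its SSH port and the router web port.
CLOUD_ADDRESS = "210.14.157.96"
CLOUD_SSH_PORT = 27100
ROUTER_WEB_PORT = 80
# Assumed reserved listening-port pool on the cloud server (the text names 10000 but no range).
RESERVED_PORTS = range(10000, 10010)


def decode(message: str) -> dict:
    """Messages on the TCP long connection are JSON objects in this example."""
    return json.loads(message)


@dataclass
class ListeningPortPool:
    """Cloud-server side: reserved listening ports, each held by at most one device ID."""
    reserved: range = RESERVED_PORTS
    in_use: dict = field(default_factory=dict)  # listening port -> device ID

    def allocate(self, device_id: str) -> int:
        # A router already under management keeps its port instead of taking a second one.
        for port, owner in self.in_use.items():
            if owner == device_id:
                return port
        for port in self.reserved:
            if port not in self.in_use:
                self.in_use[port] = device_id
                return port
        raise RuntimeError("no free listening port in the reserved pool")

    def release(self, device_id: str) -> None:
        for port, owner in list(self.in_use.items()):
            if owner == device_id:
                del self.in_use[port]


def open_instruction(pool: ListeningPortPool, device_id: str) -> str:
    """Instruction pushed over the TCP long connection; flag 1 means open remote management."""
    return json.dumps({"flag": 1, "device_id": device_id, "server": CLOUD_ADDRESS,
                       "ssh_port": CLOUD_SSH_PORT, "listen_port": pool.allocate(device_id)})


def close_instruction(device_id: str) -> str:
    """Flag 0 means close remote management."""
    return json.dumps({"flag": 0, "device_id": device_id})


def on_router_response(pool: ListeningPortPool, response: str) -> None:
    """Cloud side releases the listening port only after the router confirms the close."""
    msg = decode(response)
    if msg.get("flag") == 0 and msg.get("closed") is True:
        pool.release(msg["device_id"])


class RouterAgent:
    """Router side: turns instructions into the autossh reverse-tunnel command and answers."""

    def __init__(self, device_id: str, identity_file: str = "/etc/remote-mgmt/id_ed25519",
                 user: str = "tunnel"):
        self.device_id = device_id
        self.identity_file = identity_file  # assumed path of the stored private key
        self.user = user                    # assumed unprivileged account on the cloud server
        self.tunnel = None                  # argv of the running tunnel, None when closed

    def handle(self, instruction: str) -> str:
        msg = decode(instruction)
        if msg.get("device_id") != self.device_id:
            return json.dumps({"flag": msg.get("flag"), "device_id": self.device_id,
                               "error": "instruction addressed to another device"})
        if msg["flag"] == 1:
            # -R binds the listening port on the cloud server's loopback only, so the tunnel
            # endpoint is reachable solely through the web proxy, not from the Internet.
            forward = f"127.0.0.1:{msg['listen_port']}:127.0.0.1:{ROUTER_WEB_PORT}"
            self.tunnel = ["autossh", "-M", "0", "-N",
                           "-o", "ExitOnForwardFailure=yes",   # die instead of running without the forward
                           "-o", "ServerAliveInterval=30",     # let autossh notice a dead long connection
                           "-o", "ServerAliveCountMax=3",
                           "-i", self.identity_file,
                           "-p", str(msg["ssh_port"]),
                           "-R", forward,
                           f"{self.user}@{msg['server']}"]
            return json.dumps({"flag": 1, "device_id": self.device_id, "listen_port": msg["listen_port"]})
        if msg["flag"] == 0:
            self.tunnel = None  # a real agent terminates the autossh process here
            return json.dumps({"flag": 0, "device_id": self.device_id, "closed": True})
        return json.dumps({"flag": msg["flag"], "device_id": self.device_id, "error": "unknown flag"})


if __name__ == "__main__":
    pool, agent = ListeningPortPool(), RouterAgent("2001")
    print(agent.handle(open_instruction(pool, "2001")))
    print(" ".join(agent.tunnel))
    on_router_response(pool, agent.handle(close_instruction("2001")))
    print(pool.in_use)
```

Binding the -R endpoint to 127.0.0.1 on the cloud server (also the default when sshd's GatewayPorts is no) keeps the router's port 80 reachable only through the web proxy, and releasing the port only on the router's confirmation avoids handing a port to a second router while the first tunnel is still bound to it; the size of the reserved pool bounds how many routers can be under management at once, which is worth monitoring.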
Corresponding to the above method, the present invention also discloses a system for remotely accessing a router administration page. Fig. 4 is a schematic diagram of one composition of the system for remotely accessing a router administration page according to the present invention. Referring to Fig. 4, the system comprises:
a TCP long connection module 401, arranged in the router and the cloud server, for establishing and maintaining a TCP long connection between the router and the cloud server;
an access opening module 402, arranged in the cloud server, for determining the listening port number corresponding to the router and sending the address of the cloud server and the listening port number to the corresponding router over the TCP long connection;
an SSH reverse tunnel establishing module 403, arranged in the router, for opening the web port of the router and establishing an SSH reverse tunnel connecting the web port, the SSH port of the cloud server and the listening port;
a web proxy server 404, arranged in the cloud server, for accepting access requests from the client browser and accessing the administration page of the router through this web proxy server and the SSH reverse tunnel.
The system further comprises an access closing module 405, arranged in the cloud server, for sending a close-remote-management instruction to the router over the TCP long connection. The router closes the SSH reverse tunnel after receiving the close-remote-management instruction and returns a close response to the cloud server; the cloud server releases the listening port after receiving the close response.
In a more specific embodiment, the system further comprises a web front-end administration module for displaying the authenticated routers in the web front-end administration page and showing the administration interface of Fig. 2.
The technical scheme of the present invention is further described below for a concrete application scenario.
Fig. 5 is a diagram of an exemplary application scenario of remotely accessing a router based on an SSH reverse tunnel in an embodiment of the present invention. Referring to Fig. 5:
First, the environment needs to be built and configured as required. The wireless router of the local area network is first connected to the cloud server, after which the web back end of the server can see that this device is online, together with its other relevant information, as shown in the web-based management interface of the cloud server in Fig. 2.
Then, after the necessary tests, the administrator can click the "open" remote management button corresponding to a wireless router in the web-based management interface of the cloud server and control the corresponding remote wireless router.
The detailed process is as follows:
On the wireless router side:
a1. The wireless router uses the Atheros DB120 reference board chip, Atheros AR9344 rev 2 system type and MIPS 74Kc V4.12 CPU; the flashed kernel version is a 3.10.36 OpenWrt development system.
a2. The self-developed device authentication client of the wireless device connects to the device authentication server in the cloud server; after successful authentication the device is online, and a TCP long connection is established and maintained by heartbeat.
a3. Over the TCP long connection, the cloud server can issue configuration information, control commands and so on to the wireless router; the wireless router can also upload configuration information and user information to the cloud server for data synchronization with the cloud database.
a4. Over the TCP long connection with the cloud server, the wireless router receives the open-remote-management or close-remote-management control request sent by the cloud server and processes it accordingly.
a5. When the wireless router receives an open-remote-management control request from the cloud server, it opens an SSH reverse tunnel for port 80 with autossh so that the cloud server can access the web-based management page of the router, as shown in Fig. 3; when the wireless router receives a close-remote-management control request from the cloud server, it closes this SSH reverse tunnel.
On the cloud server side, mainly:
b1. The CPU of the cloud server is a 6-core Intel(R) Xeon(R) CPU E5-2620 0 2.00GHz with 16G of memory. The system version is a GNU/Linux system with a 2.6.32-279.el6.x86_64 kernel.
b2. The cloud server, through the device authentication server and client, maintains a TCP long connection by heartbeat and keeps in communication with the client over this TCP long connection.
b3. It accepts the "open remote management" control request for a certain wireless router (say wireless router 3) sent by the client PC browser, issues an "open remote management" remote control notification to wireless router 3 over the TCP long connection with it, and, after receiving the correct response from wireless router 3 that the SSH reverse tunnel has been established, can remotely control this remote wireless router 3; it also synchronizes in the database the flag indicating that wireless router 3 is in the controlled state, and the information of this flag can be displayed in the web-based management interface of the cloud server.
b4. It accepts the "close remote management" control request for wireless router 3 sent by the client PC browser, issues a "close remote management" remote control notification to wireless router 3 over the TCP long connection with it, and, after receiving the correct response from wireless router 3 that the SSH reverse tunnel has been closed, disconnects this remote wireless router 3; it also synchronizes in the database the flag indicating that wireless router 3 is in the non-controlled state, and the information of this flag can be displayed in the web-based management interface of the cloud server.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing unit, each module may exist physically on its own, or two or more modules may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. The functional modules of the embodiments may be located in one terminal or network node, or may be distributed over multiple terminals or network nodes.
In addition, each embodiment of the present invention may be implemented by a data processing program executed by a data processing device such as a computer. Obviously, the data processing program constitutes the present invention. Furthermore, a data processing program usually stored in a storage medium is executed by reading the program directly from the storage medium, or by installing or copying the program into a storage device or memory device of the data processing device (such as a hard disk and/or memory). Therefore, such a storage medium also constitutes the present invention. The storage medium may use any type of recording method, for example a paper storage medium (such as paper tape), a magnetic storage medium (such as a floppy disk, hard disk or flash memory), an optical storage medium (such as a CD-ROM) or a magneto-optical storage medium (such as MO).
Therefore, the present invention also discloses a storage medium storing a data processing program for executing any one of the embodiments of the above method of the present invention.
In addition, the method steps of the present invention may be implemented not only by a data processing program but also by hardware, for example by logic gates, switches, application-specific integrated circuits (ASIC), programmable logic controllers (PLC) and embedded microcontrollers. Therefore, such hardware that can implement the method of the present invention may also constitute the present invention.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.