A high-performance SSL proxy device and method therefor
Technical field
The present invention relates to the field of network security, and in particular to a high-performance SSL proxy device and method therefor.
Background art
With the development of network technology, people's lives are ever more closely bound to the network: entertainment, looking up information, shopping and online payment, booking medical appointments, and so on. With the explosive growth of network users, a huge volume of personal information is held on the network. Everyone is sensitive about personal information, and last year several large domestic websites suffered leaks of user data one after another, which touched a nerve with users. To improve security, more and more websites are adopting Hypertext Transfer Protocol Secure (HTTPS). The HTTPS protocol has been used in network communication for a long time, but because establishing an HTTPS secure tunnel consumes a great deal of CPU resources, it has so far been widely used only for security-sensitive communication on the network, such as payments. As network security problems are exposed again and again, users are increasingly concerned, and more and more websites use the HTTPS protocol during the user registration and login flow. However, out of consideration for server performance and user experience, few network companies support HTTPS for all accesses. The performance bottleneck lies in the interaction between user and server: when establishing an SSL tunnel, the web service software heavily consumes the server's CPU resources, and with the enormous user volume of present-day websites the server must handle huge numbers of user accesses and its processing capacity struggles to keep up. For this reason, the use of SSL encryption cards is beginning to be in demand.
Because an SSL encryption card has an independent SSL processing chip, it can free the server's CPU resources for other tasks and significantly improve HTTPS processing performance. An SSL encryption card is generally installed in a PCI slot on the mainboard, like a graphics card. However, to bring out the full performance of an SSL encryption card, one must fully understand the characteristics of its processing chip and driver, and design and optimize the processing structure of the application-layer software around those characteristics.
The currently available technology uses web service software in cooperation with an SSL encryption card to perform SSL encryption and decryption and to read and write data. Referring to Fig. 1, existing web service software uses a multi-process mode combined with the epoll non-blocking I/O network model; such web service software plays the role of an SSL proxy between the user side and the resource server, and the main steps of its processing flow are as follows:
Step 1: initialize the SSL environment configuration and the socket, set their attributes, and open listening;
Step 2: create child processes, initialize the epoll structure, add the events to be waited for, and wait for an event to trigger;
Step 3: when a user accesses, an epoll event is triggered and the user's socket is returned; the process performs SSL negotiation with the user and with the back-end resource server, establishing an SSL connection with the user and an SSL connection with the back-end resource server respectively, then adds the user's socket to the epoll listening queue and processes the user's subsequent requests;
Step 4: receive the user's resource operation request and perform the data read and write operations between the user side and the back-end resource server;
Step 5: the user completes the access, and the SSL proxy terminates the connection and recovers the resources.
The detailed process of step 3 is as follows:
Step 3.1: the SSL proxy process receives the user's request;
Step 3.2: obtain the user's socket;
Step 3.3: establish an SSL connection with the user side, then establish another SSL connection with the back-end resource server (in this application scenario the connection with the back-end resource server also needs SSL protection); at this point the SSL proxy process has established a two-way SSL tunnel between the user and the back-end resource.
The detailed process of step 4 is as follows:
Wait for the user's resource request, then read and write data on the user side and the back-end server side via SSL_read() and SSL_write().
The prior-art SSL service software uses a non-blocking epoll model combined with a multi-process mode. However, because each process establishes the SSL connections with both the user side and the back-end server, and the data reading and writing between user and back-end server takes place in the same epoll loop, these activities interfere with one another, the program does not execute efficiently, and there is considerable room for optimization.
Under high load, each process must handle the negotiation of the two-way SSL connection as well as the reading and writing of bidirectional data. SSL negotiation is a very time-consuming process and slows down data reading and writing; conversely, when the volume of data read and written is very large, the speed of establishing new connections is affected. This is inefficient.
In addition, referring to Fig. 2, the processing chip of currently available SSL encryption cards has the following characteristics: the SSL encryption card has N encryption/decryption processing cores, N generally being 64. The SSL encryption card is provided with a data processing queue whose buffer holds 2048 entries, and the processing flow of the SSL encryption card is as follows:
Step 1: obtain the data awaiting encryption or decryption that the user side has sent to the kernel;
Step 2: fill the processing queue buffer with the start and end addresses of the pending data, the processing command, the address for the processed data, and the state flag bit;
Step 3: execute the data processing function in the driver, passing the buffer as the function's parameter;
Step 4: the function completes processing and returns, and the user side reads the processed data according to the system state.
According to our actual measurements, when there is 1 item of pending data in the queue the processing time is 20us; when there are 2000 items of pending data in the queue, after the data processing function is executed the function divides the buffer evenly among the 64 processing cores, which process it simultaneously, and the processing time is approximately 625us. In other words, processing 2000 items one at a time takes 20*2000us, whereas placing the 2000 items in the buffer and processing them simultaneously takes only 625us.
It can thus be seen that when the existing SSL encryption card executes the data processing function, having 2000 items of data in the queue and processing them at once gives a very large efficiency gain over processing one item at a time.
Therefore, the prior-art SSL service software has the problems that establishing the two-way SSL connection consumes a great deal of time and affects the speed of reading and writing data, and that a large volume of data reading and writing in turn affects the establishment of new SSL connections. Moreover, the prior-art SSL service software does not take the characteristics of the SSL encryption card's processing chip into account, so there remains very large room for improvement.
Summary of the invention
In view of this, the object of the present invention is to provide a high-performance SSL proxy device and method therefor which make full use of the characteristics of the SSL encryption card's processing chip to improve data processing performance and to operate more stably under high load.
To achieve the above object, the invention provides the following technical scheme: a high-performance SSL proxy device, applied in a server as web service software, comprising:
a user-side connection module, for receiving user accesses and negotiating with the user side to establish a user-side SSL connection;
a background processing module, for receiving the user's resource operation request and negotiating with the back-end resource server to establish a connection with the back-end resource server, and for performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request.
The user-side connection module and the background processing module are located in two separate threads of the same process.
The connection that the background processing module establishes with the back-end resource server is an SSL connection with the back-end resource server.
The user-side connection module and the background processing module each use their own epoll model.
The epoll model may be a blocking epoll structure or a non-blocking epoll structure.
The user-side connection module comprises: an initialization unit, for performing epoll initialization; a socket return unit, for returning the user's socket when a user access triggers an epoll event; an SSL negotiation unit, for performing SSL negotiation with the user side and establishing the SSL connection; a first thread processing unit, for adding the user's socket and SSL structure to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a first listening queue adding unit, for adding the user's socket to the epoll listening queue of the thread.
The background processing module comprises: an epoll waiting unit, for having the thread wait for an event to trigger after the user's resource operation request is received; an SSL connection unit, for negotiating with the back-end resource server according to the state value of the connection with the back-end resource server and establishing the SSL connection; a second thread processing unit, for adding the socket and SSL structure of the connection with the back-end resource server to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a second listening queue adding unit, for adding the back-end resource server's socket to the epoll listening queue of the thread.
The background processing module further comprises: an operation processing unit, for performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request after the thread's epoll event triggers.
After the operation processing unit completes the data read and write operations between the user side and the back-end resource server, control returns to the epoll waiting unit.
A high-performance SSL proxy method, applied in a server as web service software, comprises the following steps:
a user-side connection step: receiving a user access and negotiating with the user side to establish a user-side SSL connection;
a background processing step: receiving the user's resource operation request and negotiating with the back-end resource server to establish a connection with the back-end resource server, and performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request.
The user-side connection step and the background processing step are executed in two separate threads of the same process.
The connection established with the back-end resource server in the background processing step is an SSL connection with the back-end resource server.
The user-side connection step and the background processing step each use their own epoll model.
The epoll model may be a blocking epoll structure or a non-blocking epoll structure.
The user-side connection step comprises: an initialization step, performing epoll initialization; a socket return step, returning the user's socket when a user access triggers an epoll event; an SSL negotiation step, performing SSL negotiation with the user side and establishing the SSL connection; a first thread processing step, adding the user's socket and SSL structure to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a first listening queue adding step, adding the user's socket to the epoll listening queue of the thread.
The background processing step comprises: an epoll waiting step, having the thread wait for an event to trigger after the user's resource operation request is received; an SSL connection step, negotiating with the back-end resource server according to the state value of the connection with the back-end resource server and establishing the SSL connection; a second thread processing step, adding the socket and SSL structure of the connection with the back-end resource server to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a second listening queue adding step, adding the back-end resource server's socket to the epoll listening queue of the thread.
The background processing step further comprises: an operation processing step, performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request after the thread's epoll event triggers.
After the operation processing step completes the data read and write operations between the user side and the back-end resource server, the method returns to the epoll waiting step.
The present invention makes full use of the fact that the SSL encryption card has multiple encryption/decryption processing cores by placing the establishment of the SSL connection with the user side, on the one hand, and the establishment of the SSL connection with the back-end resource server together with the data read and write operations between the user side and the back-end resource server, on the other, into two processes or into two threads of the same process. This greatly improves data processing performance and allows more stable operation under high load.
Description of the drawings
Fig. 1 is a functional structure diagram of existing web service software;
Fig. 2 is a schematic structural diagram of an SSL encryption card;
Fig. 3 is a functional structure diagram of the web service software of the present invention;
Fig. 4 is a structural diagram of the high-performance SSL proxy device of the present invention;
Fig. 5 is a flow chart of the high-performance SSL proxy method of the present invention.
Detailed description of the embodiments
The present invention is described below with reference to the accompanying drawings.
The present invention makes full use of the characteristics of the SSL encryption card. On the basis of the existing technology, by adding thread processing it decouples the establishment of a new user-side SSL connection from the establishment of a new back-end resource server SSL connection, making them asynchronous, and uses a dual epoll model to process the two SSL connections separately, which greatly improves processing performance.
Referring to Fig. 3 and Fig. 4, a high-performance SSL proxy device is applied in a server as web service software. The basic hardware architecture of the server comprises a CPU, memory, input/output devices, non-volatile storage (such as a hard disk) and other hardware. Logically, the high-performance SSL proxy device comprises:
a user-side connection module, for receiving user accesses and negotiating with the user side to establish a user-side SSL connection;
a background processing module, for receiving the user's resource operation request and negotiating with the back-end resource server to establish a connection with the back-end resource server, and for performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request.
The user-side connection module and the background processing module are located in two separate threads of the same process.
In the present embodiment, since the connection with the back-end resource server also needs SSL protection, the connection that the background processing module establishes with the back-end resource server is an SSL connection with the back-end resource server.
In the present embodiment, the SSL proxy device may further comprise an initialization means, for initializing the SSL environment and the socket.
In the present embodiment, the SSL proxy device may further comprise an epoll model establishing means, which creates at least one process with the fork() function and adds the listening socket to the epoll listening queue of that process.
In the present embodiment, the user-side connection module and the background processing module each use their own epoll model.
The epoll model may be a blocking epoll structure or a non-blocking epoll structure.
The user-side connection module comprises: an initialization unit, for performing epoll initialization; a socket return unit, for returning the user's socket when a user access triggers an epoll event; an SSL negotiation unit, for performing SSL negotiation with the user side and establishing the SSL connection; a first thread processing unit, for adding the user's socket and SSL structure to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a first listening queue adding unit, for adding the user's socket to the epoll listening queue of the thread.
The background processing module comprises: an epoll waiting unit, for having the thread wait for an event to trigger after the user's resource operation request is received; an SSL connection unit, for negotiating with the back-end resource server according to the state value of the connection with the back-end resource server and establishing the SSL connection; a second thread processing unit, for adding the socket and SSL structure of the connection with the back-end resource server to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a second listening queue adding unit, for adding the back-end resource server's socket to the epoll listening queue of the thread.
The background processing module may further comprise: an operation processing unit, for performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request after the thread's epoll event triggers.
After the operation processing unit completes the data read and write operations between the user side and the back-end resource server, control returns to the epoll waiting unit.
The present invention further provides a high-performance SSL proxy method, applied in a server as web service software, comprising the following steps:
a user-side connection step: receiving a user access and negotiating with the user side to establish a user-side SSL connection;
a background processing step: receiving the user's resource operation request and negotiating with the back-end resource server to establish a connection with the back-end resource server, and performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request.
The user-side connection step and the background processing step are executed in two separate threads of the same process.
The connection established with the back-end resource server in the background processing step is an SSL connection with the back-end resource server.
The user-side connection step and the background processing step each use their own epoll model.
The epoll model may be a blocking epoll structure or a non-blocking epoll structure.
The user-side connection step comprises: an initialization step, performing epoll initialization; a socket return step, returning the user's socket when a user access triggers an epoll event; an SSL negotiation step, performing SSL negotiation with the user side and establishing the SSL connection; a first thread processing step, adding the user's socket and SSL structure to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a first listening queue adding step, adding the user's socket to the epoll listening queue of the thread.
The background processing step comprises: an epoll waiting step, having the thread wait for an event to trigger after the user's resource operation request is received; an SSL connection step, negotiating with the back-end resource server according to the state value of the connection with the back-end resource server and establishing the SSL connection; a second thread processing step, adding the socket and SSL structure of the connection with the back-end resource server to the thread processing block structure array and initializing the related items in the thread processing block structure array; and a second listening queue adding step, adding the back-end resource server's socket to the epoll listening queue of the thread.
The background processing step further comprises: an operation processing step, performing the data read and write operations between the user side and the back-end resource server according to the user's resource operation request after the thread's epoll event triggers.
After the operation processing step completes the data read and write operations between the user side and the back-end resource server, the method returns to the epoll waiting step.
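The device of Fig. 3 and Fig. 4 and the method steps above, as an added illustration in C that is not the patent's own code: the thread processing block structure array, the two epoll instances (one per thread) and the connection state value consulted by the background thread are modelled with plain sockets, and SSL_read()/SSL_write() are replaced by read()/write() so that it runs without an SSL encryption card or SSL library. Thread creation is left out; in the design the front-end epoll is serviced by the user-side thread and the background epoll by the background thread.

```c
#include <stdint.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>
enum conn_state { ST_FREE, ST_USER_READY, ST_BACKEND_PENDING, ST_ESTABLISHED };
struct conn_block {          /* one entry of the "thread processing block structure array" */
    int user_fd, backend_fd; /* sockets of the user-side and back-end SSL connections */
    enum conn_state state;   /* state value consulted by the background thread */
};
#define MAX_CONN 64
#define FROM_BACKEND 0x80000000u  /* epoll data tag: event is on the backend socket */
static struct conn_block blocks[MAX_CONN];
static int front_epoll = -1;      /* epoll of the user-side connection thread */
static int back_epoll = -1;       /* epoll of the background processing thread */

int proxy_init(void) {            /* one epoll instance per thread */
    front_epoll = epoll_create1(0);
    back_epoll = epoll_create1(0);
    return (front_epoll >= 0 && back_epoll >= 0) ? 0 : -1;
}

/* User-side thread: after the user-side SSL handshake, record the connection in
 * the block array and watch its socket on the front-end epoll. */
int user_connected(int user_fd) {
    for (int i = 0; i < MAX_CONN; i++) {
        if (blocks[i].state != ST_FREE) continue;
        blocks[i] = (struct conn_block){ user_fd, -1, ST_USER_READY };
        struct epoll_event ev = { .events = EPOLLIN, .data.u32 = (uint32_t)i };
        return epoll_ctl(front_epoll, EPOLL_CTL_ADD, user_fd, &ev) == 0 ? i : -1;
    }
    return -1;  /* block array full */
}

/* Hand the user socket over to the background epoll; the user-side thread is
 * then free for the next handshake while the back-end negotiation is pending. */
int handoff_to_backend(int idx) {
    struct epoll_event ev = { .events = EPOLLIN, .data.u32 = (uint32_t)idx };
    if (epoll_ctl(front_epoll, EPOLL_CTL_DEL, blocks[idx].user_fd, NULL)) return -1;
    if (epoll_ctl(back_epoll, EPOLL_CTL_ADD, blocks[idx].user_fd, &ev)) return -1;
    blocks[idx].state = ST_BACKEND_PENDING;
    return 0;
}

/* Background thread: when the back-end SSL negotiation completes (an already
 * connected backend_fd stands in for it here), watch it on the same epoll. */
int backend_connected(int idx, int backend_fd) {
    struct epoll_event ev = { .events = EPOLLIN, .data.u32 = (uint32_t)idx | FROM_BACKEND };
    if (epoll_ctl(back_epoll, EPOLL_CTL_ADD, backend_fd, &ev)) return -1;
    blocks[idx].backend_fd = backend_fd;
    blocks[idx].state = ST_ESTABLISHED;
    return 0;
}

/* One pass of the background thread's epoll loop: relay readable data in either
 * direction for established connections. Returns bytes relayed, or -1 on error. */
int backend_loop_once(int timeout_ms) {
    struct epoll_event evs[16]; char buf[4096];
    int n = epoll_wait(back_epoll, evs, 16, timeout_ms), relayed = 0;
    for (int k = 0; k < n; k++) {
        struct conn_block *c = &blocks[evs[k].data.u32 & ~FROM_BACKEND];
        int from_backend = (evs[k].data.u32 & FROM_BACKEND) != 0;
        if (c->state != ST_ESTABLISHED) continue;  /* back-end handshake still pending */
        int src = from_backend ? c->backend_fd : c->user_fd;
        int dst = from_backend ? c->user_fd : c->backend_fd;
        ssize_t r = read(src, buf, sizeof buf);    /* SSL_read() in the real proxy */
        if (r <= 0 || write(dst, buf, (size_t)r) != r) return -1;  /* SSL_write() */
        relayed += (int)r;
    }
    return relayed;
}
```

Data that arrives on the user socket while the back-end handshake is still pending stays queued (level-triggered epoll) and is relayed on the first pass after backend_connected() sets the state to ST_ESTABLISHED.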
In summary, by creating additional threads in each process so that the two-way SSL negotiation with the user side and with the back-end resource server is split between them, each with the event handling of its own epoll model, the mutual interference between SSL negotiation and user data read/write processing is reduced. Given the multi-core nature of the encryption card, opening more processes or adding threads achieves the same effect. In actual testing, with 24 processes opened (the server having 8 CPU cores): throughput 860Mbps; concurrency 10000, which is a very large improvement over the original scheme. Under the same CPU resource consumption, the present invention makes full use of the processing characteristics of the multiple encryption/decryption cores of the SSL encryption card and improves processing performance. The program structure of the present invention is more rational, making the SSL proxy program stable under high-pressure testing.
In addition, the preferred embodiment uses a non-blocking epoll structure and in turn supports the non-blocking encryption/decryption function of the SSL encryption card, on which basis performance can be raised considerably further. The main difference between the non-blocking epoll structure and the present embodiment is that, after an epoll event triggers, the socket read/write buffer is processed in a non-blocking manner rather than in a blocking manner; since this is an inherent difference between the non-blocking and blocking epoll structures, it is not repeated here. Whether a non-blocking or a blocking epoll structure is used, the object is achieved as long as thread processing is added so that the establishment of a new user-side SSL connection and the establishment of a new back-end resource server SSL connection are made asynchronous, and a dual epoll model is used to process the two SSL connections separately.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.