CN115842716A - Method, device, equipment and storage medium for determining fault server - Google Patents

Method, device, equipment and storage medium for determining fault server
Publication number: CN115842716A
Authority: CN (China)
Prior art keywords: server, detection, message, detection server, access
Legal status: Granted; Active
Application number: CN202111076425.7A
Other languages: Chinese (zh)
Other versions: CN115842716B (en)
Inventor: 邓书凡
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202111076425.7A
Publication of CN115842716A
Application granted
Publication of CN115842716B

Abstract

The embodiment of the application discloses a method, a device, equipment and a storage medium for determining a fault server, and is applicable to the fields of big data, computer technology and the like. The method comprises the following steps: sending each access message to a detection server cluster, wherein each access message is subjected to security detection by any detection server in the detection server cluster, and a server identifier of the detection server is added to the access message; when an error report message returned by the detection server cluster based on any access message is received, extracting a target server identifier in the error report; and positioning the fault server in the detection server cluster according to the target server identification. By adopting the embodiment of the application, the fault server for processing the error report message can be quickly positioned, and the applicability is high.

Description

Method, device, equipment and storage medium for determining fault server
Technical Field
The present application relates to computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for determining a failed server.
Background
With the continuous development of computer technology, network security is more and more emphasized by computer users. More and more users often guarantee network security through firewalls, network protection systems and the like. For example, in order to improve the efficiency of business processing, many enterprises often implement business processing and network security protection through a server cluster consisting of hundreds of servers.
However, in this case, when an individual server of the server cluster fails, the server with the failure is often determined by performing query analysis on a large number of working logs of the server cluster, which takes a long time and is poor in applicability.
Therefore, how to quickly determine the failed server becomes an urgent problem to be solved.
Disclosure of Invention
The embodiment of the application provides a method, a device, equipment and a storage medium for determining a fault server, which can quickly determine the fault server for processing an error report message and have high applicability.
In one aspect, an embodiment of the present application provides a method for determining a failed server, where the method includes:
sending each access message to a detection server cluster, wherein each access message is subjected to security detection by any detection server in the detection server cluster, and a server identifier of the detection server is added to the access message;
when an error report message returned by the detection server cluster based on any access message is received, extracting a target server identifier in the error report message;
and positioning the fault server in the detection server cluster according to the target server identification.
On the other hand, an embodiment of the present application provides an apparatus for determining a failed server, where the apparatus includes:
the message processing module is used for sending each access message to a detection server cluster, each access message is subjected to security detection by any detection server in the detection server cluster, and a server identifier of the detection server is added to the access message;
the information processing module is used for extracting a target server identifier in an error message when the error message returned by the detection server cluster based on any access message is received;
and the fault analysis module is used for positioning the fault server in the detection server cluster according to the target server identification.
In another aspect, an embodiment of the present application provides an electronic device, including a processor and a memory, where the processor and the memory are connected to each other;
the memory is used for storing computer programs;
the processor is configured to execute the method for determining a server failure provided by the embodiment of the present application when the computer program is called.
In another aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored, where the computer program is executed by a processor to implement the method for determining a server with a fault provided in the embodiment of the present application.
In another aspect, the present application provides a computer program product, which includes a computer program or computer instructions, and when the computer program or the computer instructions are executed by a processor, the method for determining a fault server provided in the present application is implemented.
In the embodiment of the application, the fault server can be directly determined from the detection server cluster through the target server identifier carried by the error report message, and compared with the method of manually inquiring the log in the prior art, the method and the device for determining the fault server can effectively improve the determination efficiency of the fault server. And, the failure server is determined based on the target server identification, so that higher accuracy and high applicability can be realized when the failure server is determined.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic network structure diagram of a method for determining a failed server according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a method for determining a failed server according to an embodiment of the present application;
Fig. 3a is a schematic view of a scenario of performing security detection on an access packet according to an embodiment of the present application;
Fig. 3b is a schematic view of another scenario for performing security detection on an access packet according to an embodiment of the present application;
Fig. 4a is a schematic view of a scenario of performing security detection on a response packet according to an embodiment of the present application;
Fig. 4b is a schematic view of another scenario for performing security detection on a response packet according to the embodiment of the present application;
Fig. 5 is a schematic structural diagram of server cluster-based packet security detection provided in the embodiment of the present application;
Fig. 6 is a schematic diagram of a scenario for storing log information according to an embodiment of the present application;
Fig. 7 is a flowchart of a method for determining a failed server according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a determination apparatus of a failed server according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Referring to Fig. 1, Fig. 1 is a schematic network structure diagram of a method for determining a failed server according to an embodiment of the present application. As shown in Fig. 1, the detection server cluster includes a plurality of detection servers, such as detection server 201, detection server 202, and detection server 203 in Fig. 1. Each detection server in the detection server cluster is used for processing access messages: each detection server processes one access message, and the detection servers can process different access messages at the same time. The access message may be sent by a user terminal, which includes but is not limited to a mobile phone, a computer, an intelligent voice interaction device, an intelligent household appliance, a vehicle-mounted terminal, and the like.
For example, the access packet 101 arrives at the detection server cluster through the network, and the detection server 203 in the detection server cluster can process the access packet 101. The access packet 102 arrives at the detection server cluster via the network, and the detection server 201 in the detection server cluster can process the access packet 102. The access packet 103 reaches the detection server cluster through the network, and the detection server 202 in the detection server cluster can process the access packet 103.
Any received access message can be sent to the detection server cluster. Any detection server in the detection server cluster performs security detection on the access message and, during processing, adds its own server identifier to the access message. Taking the access packet 102 as an example, security detection may be performed by the detection server 201 in the detection server cluster, and the detection server 201 may add the server identifier of the detection server 201 to the access packet 102.
Based on the network structure, when an error report message returned by the detection server cluster based on any access message is received, the target server identification carried by the error report message can be determined, and then a fault server for processing the error report message is determined from the detection server cluster based on the target server identification.
For example, if an error report message (based on access message 102) is detected, the target server identifier carried by the error report message may be determined, and then the fault server 201 that processed the error report message may be determined from the detection server cluster based on the target server identifier.
The detection server cluster in the embodiment of the present application may be a server set for performing centralized processing on various access packets, including but not limited to a data processing server cluster, a cloud computing server cluster, a server cluster corresponding to a world wide Web (Web) application firewall, and the like, and may be determined specifically based on requirements of an actual application scenario, which is not limited herein.
The Web Application Firewall (WAF), which may also be called a Web application-level intrusion prevention system, is a product that protects Web applications by executing a series of security policies for Hypertext Transfer Protocol (HTTP) and/or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) traffic, and maintains service processing speed by having a large number of detection servers work simultaneously.
Referring to fig. 2, fig. 2 is a schematic flowchart of a method for determining a failed server according to an embodiment of the present application. As shown in fig. 2, the method for determining a failed server according to the embodiment of the present application may include the following steps:
S21: sending each access message to the detection server cluster.
In some possible embodiments, for any access packet sent by any requester, after receiving the access packet, the access packet may be sent to the detection server cluster, so as to process the access packet through any server in the detection server cluster.
And each access message is subjected to security detection by any detection server in the detection server cluster, and the server identifier of the detection server is added in the access message.
Specifically, after receiving any access packet, the access packet may be sent to a detection server cluster, and a detection server for processing the access packet is determined from the detection server cluster. After receiving the access packet, any detection server in an idle state in the detection server cluster may be determined as a detection server for performing security detection on the access packet. If each detection server in the detection server cluster has the capability of performing security detection on a plurality of messages, the detection servers with message security detection capability remaining in the detection server cluster can be determined as the detection servers for performing security detection on the access message.
Optionally, the detection server cluster includes different types of detection servers, and each type of detection server is configured to perform security detection on different types of access packets. After a certain access message is sent to the detection server cluster, the type of the access message is determined, and then security detection is performed on the access message based on any detection server in the detection server cluster, which is used for performing security detection on the type of the message.
Wherein the type of access packet may be determined based on the type of requestor, different types of requestors corresponding to different types of access packets. For example, the type of the requester can be divided based on an individual user and an enterprise user, or divided based on an IP address of the requester, which can be determined based on the requirements of the actual application scenario, which is not limited herein.
For example, the detection server cluster includes a detection server for performing security detection on an access packet initiated by an individual user and a detection server for performing security detection on an access packet initiated by an enterprise user. After receiving any access message and sending the access message to the detection server cluster, the requesting party of the access message can be determined based on the message content of the access message, and if the requesting party of the access message is a personal user, a detection server for performing security detection on the access message initiated by the personal user can be determined from the detection servers in the detection server cluster.
If the request party of the access message is an enterprise user, a detection server for performing security detection on the access message can be determined from detection servers in the detection server cluster for performing security detection on the access message initiated by the enterprise user.
Optionally, in order to ensure that the workload of each detection server in the detection server cluster is the same, after receiving any access packet and sending the access packet to the detection server cluster, a detection server for performing security detection on the access packet may be determined from the detection server cluster based on a load balancing algorithm. For example, the access messages to be detected are distributed to the detection servers in the detection server cluster in turn, according to the detection sequence, so as to balance the workload of the detection servers.
In some possible embodiments, for each access packet, the corresponding detection server adds the server identifier of the detection server to the access packet when performing security detection on its access packet.
For any detection server, the server identifier of the detection server may be a Universally Unique Identifier (UUID). The UUID of each detection server uniquely identifies that detection server using 32 hexadecimal digits, so that different detection servers can be distinguished by their UUIDs.
Specifically, for each access packet, after security detection is performed on the access packet based on the corresponding detection server, if the access packet is detected abnormally, the access packet carrying the server identifier of the detection server is returned to the corresponding requester. And if the access message detection is normal, sending the access message carrying the server identifier of the detection server to the corresponding Web site.
The detection server corresponding to the access message can restore the access message into an HTTP message when performing security detection on the access message, and perform feature detection on the message content of the HTTP message.
If the message content of the HTTP message includes a sensitive payload, such as a sensitive field or a preset exception field, it may be determined that the access message is detected as abnormal. When the access message is detected as abnormal, the server identifier of the detection server can be added to the access message, and the access message carrying the server identifier of the detection server is returned to the requester corresponding to the access message.
For each access message, when the server identifier of the detection server is added to the access message based on the corresponding detection server, the server identifier of the detection server can be added to the HTTP message corresponding to the access message, and the HTTP message to which the server identifier is added is repackaged into an IP message, thereby achieving the purpose of adding the server identifier of the detection server to the access message.
As shown in fig. 3a, fig. 3a is a schematic view of a scenario of performing security detection on an access packet according to an embodiment of the present application. After the access message sent by the requester is sent to the corresponding detection server in the detection server cluster, the detection server performs security detection on the access message. And if the access message is detected abnormally, adding the UUID of the detection server in the access message, and returning the access message added with the UUID to the corresponding requesting party.
As shown in fig. 3b, fig. 3b is a schematic view of another scenario of performing security detection on an access packet according to the embodiment of the present application. After the access message sent by the requester is sent to the corresponding detection server in the detection server cluster, the detection server performs security detection on the access message. And if the access message is detected normally, adding the UUID of the detection server in the access message, and sending the access message added with the UUID to the Web site corresponding to the access message.
In some possible embodiments, for any Web site, after receiving an access packet sent by a detection server in a detection server cluster, the Web site sends a response packet for the received access packet. At this time, the response message may be sent to the detection server cluster, and a detection server for performing security detection on the response message is determined from the detection server cluster, so as to perform security detection on the response message and add a server identifier of the corresponding detection server in the response message.
Optionally, for any response packet, any detection server in the detection server cluster that is in an idle state, or any detection server that has remaining packet security detection capability, may also be determined as the detection server for performing security detection on the response packet.
Optionally, in a case that the detection server cluster includes detection servers of different types, for any response packet, the type of the response packet may be determined, and then security detection is performed on the response packet based on any detection server in the detection server cluster, which is used for performing security detection on the type of packet. The type of the access packet may be determined based on the type of the Web site, the IP address, the site function, the security level, and the like, and may specifically be determined based on the requirements of the actual application scenario, which is not limited herein.
For example, different Web sites differ in their site functionality, and the security level of the Web site also differs accordingly. For example, the security level of the Web site for performing data calculation is often higher than the security level of the Web site for performing data query, so that for an access packet requesting to access different Web sites, a corresponding detection server can be determined from a detection server cluster according to the security level of the corresponding Web site to perform security detection on the access packet.
That is, the detection server cluster includes detection servers with different message detection capabilities, and after receiving any access message, the detection server cluster can determine the Web site requested to be accessed by the access message and determine the security level of the Web site. And further determining a detection server with message detection capability matched with the security level from the detection server cluster, so as to perform security detection on the access message based on the determined detection server.
Optionally, any response packet may be sent to the detection server in the detection server cluster that processed the access packet corresponding to the response packet. That detection server performs security detection on the response packet and adds its server identifier to the response packet.
Further, for each response message, the response message is an IP message, and when the detection server corresponding to the response message performs security detection on the response message, the response message can be restored to an HTTP message, and feature detection is performed on the message content of the HTTP message.
For the response message of each access message, the response message is also an IP message, so that when any detection server detects the response message, the response message can be also restored to an HTTP message, and feature detection is performed on the message content of the HTTP message.
If the message content of the HTTP message includes a sensitive payload, such as a sensitive field or a preset exception field, it may be determined that the response message is detected as abnormal. Otherwise, the response message can be determined to be detected as normal.
Further, for the response message of each access message, if the response message is detected to be abnormal, the response message carrying the server identifier is returned to the corresponding Web site. And if the response message is detected normally, sending the response message carrying the server identifier to a corresponding request party.
For each response message, when the server identifier of the detection server is added to the response message based on the corresponding detection server, the server identifier of the detection server can be added to the HTTP message corresponding to the response message, and the HTTP message with the server identifier added thereto is repackaged into an IP message, thereby achieving the purpose of adding the server identifier of the detection server to the response message.
As shown in fig. 4a, fig. 4a is a schematic view of a scene of performing security detection on a response packet according to an embodiment of the present application. After the response message sent by the Web site is sent to the corresponding detection server, the detection server performs security detection on the response message. And if the response message is abnormal, adding the UUID of the detection server in the response message, and returning the response message added with the UUID to the corresponding Web site.
As shown in fig. 4b, fig. 4b is another schematic view of a scenario of performing security detection on a response packet according to the embodiment of the present application. After the response message sent by the Web site is sent to the corresponding detection server, the detection server performs security detection on the response message. If the response message is detected normally, the UUID of the detection server is added in the response message, and the response message with the UUID added is sent to the requester corresponding to the access message corresponding to the response message.
Based on the above implementation manner, the detection server cluster may add the server identifier of the corresponding detection server to all the messages in the communication links corresponding to the requestor and the Web site, thereby completing the marking of the messages in each communication link.
In some possible embodiments, before each detection server performs security detection on the corresponding access packet, the identity information reported by the detection server may be acquired. Similarly, before each detection server performs security detection on the corresponding response message, the identity information reported by the detection server can be acquired.
Any detection server can report the identity information to the identity server, and then the identity information reported by each detection server can be acquired from the identity server through a query interface of the identity server.
For any detection server, the identity information of the detection server includes the server identifier of the detection server; for example, the identity information of the detection server includes the UUID of the detection server.
The following describes a message security detection process in the method for determining a failed server according to the embodiment of the present application with reference to Fig. 5. Referring to Fig. 5, Fig. 5 is a schematic structural diagram of message security detection based on a server cluster according to an embodiment of the present application. As shown in Fig. 5, the client is the requester of the access message, and typically accesses the content of the Web site through a browser. The Web site provides a service to the outside through the HTTP protocol, receives an access request (access packet) from a client, and returns related data. Because the Web site itself is easily attacked by an attacker, a detection server cluster (such as a WAF) is needed to protect the security of the site.
The detection server cluster is a security detection device in the framework for the client to access the Web site, and takes the WAF as an example, the WAF receives an access message initiated by the client, and analyzes the content of the access message to determine whether the access message is abnormal. And if the access message detection is normal, sending the access message to the Web site, and if the access message detection is abnormal, returning the access message to the client to refuse access.
Meanwhile, in order to ensure the message analysis and forwarding rate, the WAF may receive an access message sent by the client through the proxy device, and use a load balancing algorithm to determine which detection server in the detection server cluster the access message is sent to for message detection. Likewise, a response message received from the Web site is forwarded to a detection server in the detection server cluster, determined through a load balancing algorithm, for message detection. In the process, the detection server adds its server identifier to the access message and/or the response message that it detects.
The identity server is used for uniformly storing the identity information of each detection server in the detection server cluster and provides two interfaces, namely a registration interface and a query interface. Each detection server in the detection server cluster reports its identity information through the registration interface, such as its IP address, the detection server host name, the detection point ID, the server identifier and the like.
Optionally, for any detection server in the detection server cluster, the identity information of the detection server may further include any one or more of information reporting time of the identity information, an IP address of the detection server, a host name of the detection server, and detection information of the detection server, which may be specifically determined based on requirements of an actual application scenario, and is not limited herein.
The server detection information includes, but is not limited to, detection content of the detection server, a monitoring point identifier, and the like, and may be determined based on actual application scene requirements, which is not limited herein.
For example, each detection server reports the identity information of the detection server by calling a registration interface opened to the outside by the identity server, where the identity information may specifically include information reporting time, server IP address, detection information (detection point ID), and server identifier. The specific data structure may be as follows:
{
    "Information reporting time": 1615647046,
    "Server IP address": "123.123.123.123",
    "Server identification": "9A09488E-7D1D-4995-9A7D-3AFB736CA3FE",
    "Server hostname": "host01",
    "Detection point ID": "ID-34dc45tr"
}
In some possible embodiments, the identity information of each detection server in the detection server cluster may also be stored in a Database (Database), a cloud storage (cloud storage) system, or a block chain (Blockchain), and may specifically be determined based on the actual application scenario requirements, which is not limited herein.
The cloud storage system refers to a storage system which integrates a large number of storage devices (storage devices are also called storage nodes) of different types in a network through application software or application interfaces to cooperatively work together through functions such as cluster application, a grid technology, a distributed storage file system and the like, and provides data storage for the outside.
A database may be regarded as an electronic file cabinet, that is, a place for storing electronic files, in which a user may add, query, update, and delete data. A "database" is a collection of data that is stored together in a manner that can be shared by multiple users, has as little redundancy as possible, and is independent of the application.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism and an encryption algorithm. The blockchain is essentially a decentralized database, which is a string of data blocks associated by using cryptography, and each data block can store the identity information of each detection server in the detection server cluster.
And S22, when an error report message returned by the detection server cluster based on any access message is received, extracting the target server identification in the error report.
In some possible embodiments, when a detection server in the detection server cluster fails to process an access packet or the response packet corresponding to the access packet, an error report packet may be returned based on the corresponding access packet or response packet. That is, the error report messages returned by the detection server cluster include an error report message returned based on the access message or an error report message returned based on the response message.
The error report message may be any access message sent by any requester, or a response message sent by any Web site for any access request, and may be specifically determined based on the requirements of the actual application scenario, which is not limited herein.
The error report message also carries the server identifier carried by the corresponding access message or the corresponding response message.
The working state of the detection server cluster can be detected in real time while the cluster is working. If an error report message is detected, it can be determined that a faulty detection server exists in the detection server cluster. When the error report message returned by the detection server is received, the target server identifier in the error report message can then be extracted, and the fault server in the detection server cluster is determined based on the target server identifier.
And S23, positioning the fault server in the detection server cluster according to the target server identifier.
In some possible embodiments, after determining the target server identifier carried in the error report packet, the identity information reported by each detection server may be obtained first, and the target identity information matched with the target server identifier is determined from each identity information.
Specifically, the identity information that includes the target server identifier may be determined from the identity information reported by the detection servers in the detection server cluster, and this identity information may be determined as the target identity information matched with the target server identifier.
Optionally, under the condition that each detection server in the detection server cluster reports the identity information to the identity server, the identity information of each detection server may be acquired through a query interface of the identity server, and then target identity information matched with the target server identifier is determined therefrom. Or, the identity information matched with the target server identifier may be directly queried through a query interface of the identity server, and may be specifically determined based on the actual application scenario requirements, which is not limited herein.
Further, the detection server in the detection server cluster that matches the target identity information may be determined as a faulty server that processes the error report message. Namely, the determined fault server is the detection server which has faults in the process of processing the error report message.
Various data related to the method for determining the fault server provided by the embodiment of the application, such as configuration information of each server, can be stored based on the database cluster. For example, the related data may be stored based on the primary database and the backup database, i.e., the related data is stored to the primary database, and the backup database synchronizes the data from the primary database. The main database bears data reading and writing work.
When the main database fails and cannot provide data read-write service, the standby server can bear the data read-write service. After the main database is repaired, the data can be synchronized from the standby database, the standby database is used as the main database, and the main database is used as the standby database.
In some possible embodiments, in the process of processing the access packet and the response packet of the access packet based on each detection server in the detection server cluster, log information of each detection server may also be obtained and stored, for example, the log information of each detection server is stored in a block chain, a database, a local storage, a cloud storage system, and the like.
Referring to fig. 6, fig. 6 is a schematic view of a scenario for storing log information according to an embodiment of the present application. After the log information of any detection server in the detection server cluster is acquired, the log information can be stored in a local storage and a log server, so that the log information is prevented from being lost due to the fact that the local storage or the log server breaks down.
When the log information of the detection server is stored, the corresponding log information can be stored based on the identity information of the detection server, so that when the log information of the detection server is retrieved and inquired, the log information of the detection server can be retrieved or inquired based on the identity information of the detection server. For example, the log information of the detection server can be marked based on the server identifier of the detection server, and the marked log information can be stored.
Based on the method, after the fault server is determined, the log information of the fault server can be obtained based on the target server identification of the fault server, and then fault analysis is carried out on the fault server and/or the corresponding error report message based on the log information of the fault server.
In particular, fault analysis may be performed on the fault server based on log information of different log levels of the fault server. The log levels include ERROR, WARN, INFO, DEBUG and the like, and all-round fault analysis can be performed on the fault server based on log information of different log levels.
The log information of the ERROR level is the highest-level error record, which indicates that a very serious fault has occurred in the detection server, directly resulting in abnormal operation. The log information of the WARN level is a low-level abnormality log, which indicates that the detection server triggered an abnormal process while running, but the normal work of the system is not affected and the service process of the next stage can be executed normally. The log information of the INFO level usually records key information in the operation process of the detection server, and retains key operation data during the normal operation of the detection server. The log information of the DEBUG level mainly records various detailed detection server operation information, including detailed parameter information, debugging details, operation return information and other information.
Alternatively, fault analysis may be performed on the fault server based on different types of log information of the fault server. The types of log information include, but are not limited to, configuration log information, monitoring log information, alarm log information, operation log information, and the like, and may be determined based on the requirements of the actual application scenario, which is not limited herein.
The configuration log information can record user actions such as adding, deleting and modifying the configuration information of the detection server; the monitoring log information can record the monitoring actions of the detection server; the alarm log information can record operation alarm information of the detection server; and the operation log information records related actions of the detection server in the operation process.
The following further describes the method for determining a failed server according to the embodiment of the present application with reference to fig. 7. Referring to fig. 7, fig. 7 is a flowchart of a method for determining a failed server according to an embodiment of the present application. Receiving an access message to a Web site sent by a client, and determining a target detection server in a detection server cluster through a load balancing algorithm, wherein the target detection server is used for carrying out security detection on the access message.
And further, carrying out security detection on the access message through the target detection server. The access message can be restored into an HTTP message, and the HTTP message is subjected to security detection. And if the access message is detected normally, inserting the server identifier of the target detection server into the access message, repackaging the HTTP message inserted with the server identifier into an IP message, and sending the IP message to the corresponding Web site.
If the access message is detected abnormally, the server identifier of the target detection server is inserted into the access message, and the HTTP message inserted with the server identifier can be returned to the client after being encapsulated into an IP message again.
Before the target detection server performs security detection on the access message, the target detection server may report identity information of the target detection server, where the identity information includes a server identifier of the target detection server, information reporting time, a server IP address, and other information.
Further, after the error report message is detected, the fault server can be determined from the detection server cluster based on the target server identifier carried in the error report message, and the log information of the fault server is obtained based on the target server identifier, so that the fault analysis is performed on the fault server based on the log information of the fault server.
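The flow described above, from identity registration through tagging, identifier extraction, fault-server lookup and log retrieval, is sketched here as an added example that is not code from the patent. The header name X-Detection-Server-Id, the Python field names, the second server's record and all log lines are assumptions constructed for illustration; the first server's values are the ones shown in the data structure above.

```python
import re
from dataclasses import dataclass, field

# Assumption: the patent does not name the HTTP field that carries the server
# identifier; this header name is hypothetical.
ID_HEADER = "X-Detection-Server-Id"
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
SERVER_A = "9A09488E-7D1D-4995-9A7D-3AFB736CA3FE"   # identifier shown on the page
SERVER_B = "11111111-2222-4333-8444-555555555555"   # constructed


@dataclass
class IdentityServer:
    """Stands in for the identity server's registration and query interfaces."""
    records: dict = field(default_factory=dict)

    def register(self, info: dict) -> None:
        self.records[info["server_id"].upper()] = info

    def query(self, server_id: str):
        return self.records.get(server_id.upper())


@dataclass
class LogStore:
    """Log lines are stored marked with the server identifier that wrote them."""
    entries: list = field(default_factory=list)

    def write(self, server_id: str, level: str, text: str) -> None:
        self.entries.append((server_id.upper(), level, text))

    def for_server(self, server_id: str, levels=("ERROR", "WARN")):
        sid = server_id.upper()
        return [(lv, tx) for s, lv, tx in self.entries if s == sid and lv in levels]


def tag_http_message(raw: bytes, server_id: str) -> bytes:
    """Insert the server identifier as a header, replacing any copy that the
    incoming message already carried so only the detection server's value remains."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    prefix = ID_HEADER.lower().encode() + b":"
    kept = [lines[0]] + [ln for ln in lines[1:] if not ln.lower().startswith(prefix)]
    kept.append(f"{ID_HEADER}: {server_id}".encode())
    return b"\r\n".join(kept) + b"\r\n\r\n" + body


def extract_server_id(raw: bytes):
    """Return the identifier carried by a message, or None if absent or malformed."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == ID_HEADER.lower():
            value = value.strip()
            return value.upper() if UUID_RE.fullmatch(value) else None
    return None


def locate_fault_server(error_report: bytes, identities: IdentityServer, logs: LogStore):
    """Steps S22 and S23: extract the target identifier, match it to registered
    identity information, then pull that server's ERROR/WARN log lines."""
    server_id = extract_server_id(error_report)
    if server_id is None:
        return None
    identity = identities.query(server_id)
    if identity is None:
        return None  # identifier was never registered: do not guess a server
    return {"identity": identity, "logs": logs.for_server(server_id)}


def build_demo():
    """Constructed cluster state: two registered servers and a few log lines."""
    ids, logs = IdentityServer(), LogStore()
    ids.register({"report_time": 1615647046, "ip": "123.123.123.123",
                  "server_id": SERVER_A, "hostname": "host01",
                  "detection_point_id": "ID-34dc45tr"})
    ids.register({"report_time": 1615647050, "ip": "192.0.2.20",
                  "server_id": SERVER_B, "hostname": "host02",
                  "detection_point_id": "ID-constructed"})
    logs.write(SERVER_A, "INFO", "rule set loaded")
    logs.write(SERVER_A, "ERROR", "failed to reassemble HTTP message")
    logs.write(SERVER_B, "WARN", "slow upstream")
    return ids, logs


# Constructed error report message carrying the identifier of the server that failed.
ERROR_REPORT = (b"HTTP/1.1 502 Bad Gateway\r\n" + ID_HEADER.encode() + b": "
                + SERVER_A.encode() + b"\r\n\r\nupstream error")

if __name__ == "__main__":
    identities, log_store = build_demo()
    print(locate_fault_server(ERROR_REPORT, identities, log_store))
```

Validating the extracted value as a UUID and returning None for an unregistered identifier keeps a malformed or unknown value from being matched to the wrong server.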
In the embodiment of the application, the fault server can be directly determined from the detection server cluster through the target server identifier carried by the error report message, and compared with the method of manually inquiring the log in the prior art, the method and the device for determining the fault server have the advantage that the positioning speed of the fault server is improved. The fault server is determined based on the target server identification, so that higher accuracy and high applicability can be realized when the fault server is determined. Moreover, log information of a fault server can be quickly acquired based on the target server identification, and the fault analysis efficiency is improved.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a determination apparatus of a failed server according to an embodiment of the present application. The device for determining the fault server provided by the embodiment of the application comprises:
a message processing module 81, configured to send each access message to a detection server cluster, where each access message is subjected to security detection by any detection server in the detection server cluster, and a server identifier of the detection server is added to the access message;
an information processing module 82, configured to, when an error report message returned by the detection server cluster based on any one of the access messages is received, extract a target server identifier in the error report message;
and the fault analysis module 83 is configured to locate a fault server in the detection server cluster according to the target server identifier.
In some possible embodiments, the information processing module 82 is further configured to:
before each detection server carries out security detection on the corresponding access message, acquiring identity information reported by the detection server, wherein the identity information reported by the detection server comprises a server identifier of the detection server;
the fault analysis module 83 is configured to:
acquiring identity information reported by each detection server, and determining target identity information matched with the target server identifier from each identity information;
and determining the detection server matched with the target identity information in the detection server cluster as a fault server.
In some possible embodiments, each of the detection servers returns the access packet carrying the server identifier of the detection server to the corresponding requester when the corresponding access packet is detected to be abnormal, and sends the access packet carrying the server identifier of the detection server to the corresponding Web site when the corresponding access packet is detected to be normal.
In some possible embodiments, the message processing module 81 is further configured to:
for the response message of each access message, sending the response message to the detection server corresponding to the access message, wherein the response message is subjected to security detection by the detection server, and the server identifier of the detection server is added in the response message;
the error report message includes an error report message returned based on the access message or the response message corresponding to the access message.
In some feasible embodiments, each of the detection servers returns a response packet carrying the server identifier of the detection server to the corresponding Web site when the corresponding response packet is detected to be abnormal, and sends the response packet carrying the server identifier of the detection server to the corresponding requester when the corresponding response packet is detected to be normal.
In some possible embodiments, each of the access messages is an internet protocol IP message; when the server identifier of the detection server is added to the corresponding access message by each detection server, the message processing module 81 is configured to:
and restoring the corresponding access message into a hypertext transfer protocol (HTTP) message, adding the server identifier of the detection server into the HTTP message, and packaging the HTTP message added with the server identifier into an IP message carrying the server identifier of the detection server.
In some possible embodiments, each of the detection servers reports corresponding identity information to the identity server through a registration interface of the identity server; the information processing module 82 is configured to:
acquiring identity information reported by each detection server from the identity server through a query interface of the identity server;
the identity information reported by each detection server further includes at least one of information reporting time, an IP address of the detection server, a host name of the detection server, or detection information of the detection server.
In a specific implementation, the determining apparatus of the fault server may execute the implementation manners provided in the above steps in fig. 2 through each built-in functional module thereof, which may specifically refer to the implementation manners provided in the above steps, and details are not described herein again.
Referring to fig. 9, fig. 9 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in fig. 9, the electronic device 1000 in the present embodiment may include: the processor 1001, the network interface 1004, and the memory 1005, and the electronic device 1000 may further include: a user interface 1003, and at least one communication bus 1002. The communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display) and a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a standard wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1004 may be a high-speed RAM memory or a non-volatile memory (e.g., at least one disk memory). The memory 1005 may alternatively be at least one memory device located remotely from the processor 1001. As shown in fig. 9, the memory 1005, which is a kind of computer-readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a device control application program.
In the electronic device 1000 shown in fig. 9, the network interface 1004 may provide a network communication function; the user interface 1003 is an interface for providing a user with input; and the processor 1001 may be used to invoke a device control application stored in the memory 1005 to implement:
sending each access message to a detection server cluster, wherein each access message is subjected to security detection by any detection server in the detection server cluster, and a server identifier of the detection server is added to the access message;
when an error report message returned by the detection server cluster based on any access message is received, extracting a target server identifier in the error report message;
and positioning the fault server in the detection server cluster according to the target server identification.
In some possible embodiments, the processor 1001 is further configured to:
before each detection server carries out security detection on the corresponding access message, acquiring identity information reported by the detection server, wherein the identity information reported by the detection server comprises a server identifier of the detection server;
acquiring identity information reported by each detection server, and determining target identity information matched with the target server identifier from each identity information;
and determining the detection server matched with the target identity information in the detection server cluster as a fault server.
In some possible embodiments, each of the detection servers returns an access packet carrying the server identifier of the detection server to the corresponding requester when the corresponding access packet is detected to be abnormal, and sends the access packet carrying the server identifier of the detection server to the corresponding Web site when the corresponding access packet is detected to be normal.
In some possible embodiments, the processor 1001 is further configured to:
for the response message of each access message, sending the response message to the detection server corresponding to the access message, wherein the response message is subjected to security detection by the detection server, and the server identifier of the detection server is added in the response message;
the error report message includes an error report message returned based on the access message or the response message corresponding to the access message.
In some feasible embodiments, each of the detection servers returns a response packet carrying the server identifier of the detection server to the corresponding Web site when the corresponding response packet is detected to be abnormal, and sends the response packet carrying the server identifier of the detection server to the corresponding requester when the corresponding response packet is detected to be normal.
In some possible embodiments, each of the access messages is an internet protocol IP message; when each of the detection servers adds the server identifier of the detection server to the corresponding access message, the processor 1001 is configured to:
and restoring the corresponding access message into a hypertext transfer protocol (HTTP) message, adding the server identifier of the detection server into the HTTP message, and packaging the HTTP message added with the server identifier into an IP message carrying the server identifier of the detection server.
In some possible embodiments, each of the detection servers reports corresponding identity information to the identity server through a registration interface of the identity server; the processor 1001 is configured to:
acquiring identity information reported by each detection server from the identity server through a query interface of the identity server;
the identity information reported by each detection server further includes at least one of information reporting time, an IP address of the detection server, a host name of the detection server, or detection information of the detection server.
It should be understood that in some possible embodiments, the processor 1001 may be a Central Processing Unit (CPU), and the processor may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The memory may include both read-only memory and random access memory, and provides instructions and data to the processor. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store device type information.
In a specific implementation, the electronic device 1000 may execute, through each built-in functional module thereof, the implementation manner provided in each step in fig. 2; reference may be made to the implementation manner provided in each step, and details are not described herein again.
In the embodiment of the application, the fault server can be directly determined from the detection server cluster through the target server identifier carried by the error report message, and compared with the prior art in which the fault server is determined by manually inquiring the log, the determination speed of the fault server is improved. The fault server is determined based on the target server identification, so that higher accuracy and high applicability can be realized when the fault server is determined. Moreover, log information of a fault server can be rapidly acquired based on the target server identification, and the fault analysis efficiency is improved.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and the computer program is executed by a processor to implement the method provided in each step in fig. 2, which may specifically refer to the implementation manner provided in each step, and is not described herein again.
The computer readable storage medium may be the determining device of the fault server and/or an internal storage unit of the electronic device, such as a hard disk or a memory of the electronic device. The computer readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Memory Card (SMC), a Secure Digital (SD) card, a flash card (flash card), and the like, which are provided on the electronic device. The computer readable storage medium may further include a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), and the like. Further, the computer readable storage medium may also include both an internal storage unit and an external storage device of the electronic device. The computer-readable storage medium is used for storing the computer program and other programs and data required by the electronic device. The computer readable storage medium may also be used to temporarily store data that has been output or is to be output.
Embodiments of the present application provide a computer program product, which includes a computer program or computer instructions, and the computer program or the computer instructions are stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided by the steps of fig. 2.
The terms "first", "second", and the like in the claims and in the description and drawings of the present application are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or electronic device that comprises a list of steps or elements is not limited to only those steps or elements recited, but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or electronic device. Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments. The term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and is not intended to limit the scope of the present application, which is defined by the appended claims.

Claims (11)

CN202111076425.7A | 2021-09-14 | 2021-09-14 | Method, device, equipment and storage medium for determining fault server | Active | CN115842716B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111076425.7A, CN115842716B (en) | 2021-09-14 | 2021-09-14 | Method, device, equipment and storage medium for determining fault server

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202111076425.7A, CN115842716B (en) | 2021-09-14 | 2021-09-14 | Method, device, equipment and storage medium for determining fault server

Publications (2)

Publication Number | Publication Date
CN115842716A (en) | 2023-03-24
CN115842716B (en) | 2024-08-06

Family

ID=85574164

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202111076425.7A, Active, CN115842716B (en) | Method, device, equipment and storage medium for determining fault server | 2021-09-14 | 2021-09-14

Country Status (1)

Country | Link
CN (1) | CN115842716B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
