一种高速安全反向代理服务器的设计与实现

安全反向代理服务器架设在真实网页服务器与用户浏览器之间靠近真实服务器的一侧,通过传输层安全协议保障用户与真实服务器之间的通信.作为基于传输层安全协议的虚拟专用网服务器的一个最重要的组成部分,安全反向代理有着极大的商业价值和技术含量.在FreeBSD-6.3的基础上设计并实现了一个与传统TCP/IP并行的TCP/IP跳转表.基于TCP/IP跳转表设计并实现了一种多加速卡调度算法.设计并实现了直接从加速卡队列获取数据包的代理转发协议栈.设计并实现了基于后台真实服务器反馈的负载均衡算法.测试表明,由这些算法和协议栈组成的高速安全反向代理服务器新进连接数达到了国内领先水平.     

基于SSL的嵌入式Web服务器安全设计与实现

嵌入式Web服务器与传统Web服务器一样,面临网络安全问题。介绍嵌入式Web技术的体系结构和特点,给出一种基于SSL协议的嵌入式Web服务器安全增强方案设计。分析并选择适合的SSL协议和Web服务器软件包,构建一个安全的嵌入式Web服务器系统,测试并分析该系统的安全性。实验表明,该安全方案可以保障嵌入式Web服务器信息服务的机密性、完整性和不可否认性,达到了安全增强的效果。     

Coscheduled distributed-Web servers on system area network

As cluster-based Web servers are increasingly adopted to host a variety of network-based services, improving the performance of such servers has become critical to satisfy the customers’ demands. Especially, the user response time is an important factor so that clients feel satisfied with the Web services. In this paper, we investigate the feasibility of minimizing the response time of a server by exploiting the advantages of both user-level communication and coscheduling. We, thus, propose a coscheduled server model based on the recently proposed distributed PRESS Web server, where the remote cache accesses can be coscheduled on different nodes to reduce the response time. We experiment this concept using two known coscheduling techniques, called dynamic coscheduling (DCS) and DCS with immediate blocking. We have developed a comprehensive simulation testbed that captures the underlying communication layer in a cluster, the characteristics of various coscheduling algorithms, and the characteristics of the distributed server model to estimate the average delay and throughput with different system configurations. The accuracy of the VIA communication layer and the DCS mechanism is verified using measurements on a 16-node Linux cluster. Extensive simulation of four server models (PRESS over VIA, coscheduled PRESS model with DCS, with DCS and blocking, and Adaptive) using 32-node cluster configurations indicates that the average response time of a distributed server can be minimized significantly by coscheduling the communicating processes. The use of the DCS scheme reduced the average latency up to four times to the PRESS over VIA model that uses only user-level communication.     

A Tiered System for Serving Differentiated Content

Contemporary Web sites typically consist of front–end Web servers, application servers, and back-end information systems such as database servers. There has been limited research on how to provide overload control and service differentiation for the back-end systems. In this paper we propose an architecture called tiered service (TS) for these purposes. In TS, there are several heterogeneous back-end systems to serve the Web applications. The Web applications communicate with a routing intermediary to intelligently route the queries to the appropriate back-end servers based on various policies such as client profiles and server load. In our system the back ends may store different qualities of data; lower quality data typically requires less overhead to serve. The main contributions of this paper include (i) a tiered content replication scheme that replicates tiered qualities of data on heterogeneous back ends with different capacity to satisfy clients with diverse requirements for latency and quality of data, and (ii) an application-transparent query routing architecture that automatically routes the queries to the appropriate back ends. The architecture was implemented in our test bed, and its performance was benchmarked. The experimental results demonstrate that TS offers significant performance improvement.     

Inside SSL: accelerating secure transactions

By defining a protocol that supplies Web clients and servers with cryptographic parameters, the Secure Sockets Layer protocol enables the safe exchange of sensitive data, a crucial aspect of any e-business. The protocol's sticking point is that encrypting and decrypting data requires a tremendous amount of CPU processing power. The burden is especially apparent on the server side, because multiple Web clients often connect to a single Web server. For e-commerce transactions, it's important to implement SSL in a way that doesn't overburden your Web server's CPU and slow down the entire operation. Although the original Web servers that supported SSL did so exclusively in software, SSL adapter cards soon became available to help off-load the server's CPU load and increase performance. Today, content switches with SSL accelerators can encrypt and decrypt data at the network edge, eliminating the need for a Web server's CPU to perform any SSL-related calculations. The article focuses on the relative merits of these newer implementations. A look at the original software-only approach and its drawbacks clarify the reasons that hardware acceleration for SSL became necessary.     

Analytical and experimental evaluation of cluster-based network servers

In this paper we use analytic modeling and simulation to evaluate network servers implemented on clusters of workstations. More specifically, we model the potential benefits of locality-conscious request distribution within the cluster and evaluate the performance of a cluster-based server (called L2S) we designed in light of our experience with the model. Our most important modeling results show that locality-conscious distribution on a 16-node cluster can increase server throughput with respect to a locality-oblivious server by up to 5-fold, depending on the average size of the files requested and on the size of the server's working set. Our simulation results demonstrate that L2S achieves throughput that is within 28% of the full potential of locality-conscious distribution on 16 nodes, outperforming and significantly outscaling the best-known locality-conscious server. Based on our results and on the fact that the files serviced by network servers are becoming larger and more numerous, we conclude that our locality-conscious network server should prove very useful for its performance, scalability, and availability properties.     

SSL VPN中Web转发功能模块的设计与实现

SSLVPN需要能代理远程客户端访问内部网络上的服务器.在内部网络中最常见的服务器是Web Server.SSL VPN代理外部网络上的主机访问内部网络上Web Server称为Web转发,介绍Web转发功能模块的设计与实现.     

Web集群服务器可用性的提高

以Web集群服务器的后端节点作为研究对象,通过减少后端节点的MTTR（Mean Timeto Repair）,来提高它们的可用性,从而提高整个集群服务器的可用性。首先,通过分析现有的故障恢复方案的不足,提出了新的改进方案,在新的方案中,采用了动态地检测和发送状态信息的策略。并引入了故障猜测状态,弥补了现有方案的不足。最后设计了一个试验环境,与现有的方案测试相比,使用改进的方案,MTTR（平均敞障修复时间）减少了63％,很好地提高了后端节点的可用性。     

The implementation of a secure and pervasive multimodal Web system architecture

While most users currently access Web applications from Web browser interfaces, pervasive computing is emerging and offering new ways of accessing Internet applications from any device at any location, by utilizing various modes of interfaces to interact with their end users. The PC and its back-end servers remain important in a pervasive system, and the technology could involve new ways of interfacing with a PC and/or various types of gateways to back-end servers. In this research, cellular phone was used as the pervasive device for accessing an Internet application prototype, a multimodal Web system (MWS), through voice user interface technology.This paper describes how MWS was developed to provide a secure interactive voice channel using an Apache Web server, a voice server, and Java technology. Securing multimodal applications proves more challenging than securing traditional Internet applications. Various standards have been developed within a context of Java 2 Micro Edition (J2ME) platform to secure multimodal and wireless applications. In addition to covering these standards and their applicability to the MWS system implementation, this paper also shows that multimodal user-interface page can be generated by using XSLT stylesheet which transforms XML documents into various formats including XHTML, WML, and VoiceXML.     

使用LDAP在Web中实现基于角色的访问控制

当前多数Web服务器采用的基于用户身份的访问控制方法不能适应大型企业的安全需求。而另一方面,RBAC已成为一种公认的方便而有效的访问控制策略。为将它应用到Web当中,可以利用LDAP面向目录的特性,将LDAP目录服务器当作角色服务器使用。用户或Web服务器在一种安全模式下(在SSL上)得到角色服务器中用户的角色信息,从而实施相关的RBAC策略以达到访问控制的目的。文中给出这两种运行方式的框架并分析其利弊。     

一种Web集群系统下的QoS控制策略

本文提出了一种在Web集群环境下的QoS控制策略。集群前端分配器以会话单位来分配访问请求,保证后端服务器间负载的合理均衡分配,同时后端服务器采用基于会话的QoS控制策略,实现对集群系统的服务质量控制。     

Dynamic CPU provisioning for self-managed secure web applications in SMP hosting platforms

Overload control mechanisms such as admission control and connection differentiation have proven effective for preventing overload of application servers running secure web applications. However, achieving optimal results in overload prevention is only possible when some kind of resource management is considered in addition to these mechanisms.In this paper we propose an overload control strategy for secure web applications that brings together dynamic provisioning of platform resources and admission control based on secure socket layer (SSL) connection differentiation. Dynamic provisioning enables additional resources to be allocated to an application on demand to handle workload increases, while the admission control mechanism avoids the server’s performance degradation by dynamically limiting the number of new SSL connections accepted and preferentially serving resumed SSL connections (to maximize performance on session-based environments) while additional resources are being provisioned.Our evaluation demonstrates the benefit of our proposal for efficiently managing the resources and preventing server overload on a 4-way multiprocessor Linux hosting platform, especially when the hosting platform is fully overloaded.     

ReDAL: An Efficient and Practical Request Distribution Technique for Application Server Clusters

Modern Web-based application infrastructures are based on clustered multitiered architectures, where request distribution occurs in two sequential stages: over a cluster of Web servers and over a cluster of application servers. Much work has focused on strategies for distributing requests across a Web server cluster in order to improve the overall throughput across the cluster. The strategies applied at the application layer are the same as those at the Web server layer because it is assumed that they transfer directly. In this paper, we argue that the problem of distributing requests across an application server cluster is fundamentally different from the Web server request distribution problem due to core differences in request processing in Web and application servers. We devise an approach for distributing requests across a cluster of application servers such that the overall system throughput is enhanced, and load across the application servers is balanced.     

Java安全体系在Web程序中的研究和应用

提出了一种基于Java的Web程序安全解决方案。该方案采用JAAS（Java Authentication Authorization Service）实现可插入式登录模块,采用X509数字证书作为用户身份认证,通过配置Web服务器,并利用服务器证书和客户端证书实现服务器与客户端之间的SSL双向认证;待认证成功后,再利用服务器和客户端协商好的对称密钥来建立HTTPS连接,以实现数据的安全传送。该方案为基于Java的Web程序提供了一个安全接口,可以方便地移植。     

基于Nginx负载均衡的动态改进算法

随着过去几十年互联网服务的指数增长,各大网站的访问量急剧上升。海量的用户请求使得热门网站的网络请求率可能在几秒钟内大规模增加。一旦服务器承受不住这样的高并发请求,由此带来的网络拥塞和延迟会极大地影响用户体验。负载均衡是高可用网络基础架构的关键组件,通过在后端引入一个负载均衡器,将工作负载分布到多个服务器来缓解海量并发请求对服务器造成的巨大压力,提高后端服务器和数据库的性能以及可靠性。而Nginx作为一款高性能的HTTP和反向代理服务器,正越来越多地应用到实践中。文中将分析Nginx服务器负载均衡的体系架构,研究默认的加权轮询算法,并提出一种改进后的动态负载均衡算法,实时收集负载信息,重新计算并分配权值。通过实验测试,对比不同算法下的负载均衡性能,改进后的算法能有效提高服务器集群的性能。     

基于内容识别的Web集群负载均衡算法的研究

可扩展Web服务器集群是目前高性能网络服务器的主要架构方法,负载均衡技术是集群系统中任务分配的核心环节.提出了一种基于内容识别的负载均衡算法,引入了访问量阈值的概念,并通过动态的修正访问量阈值以适应网络负载的变化;利用动态反馈机制来获取服务器的负载状态,同时通过保证负载的局部性,减少相同内容在多个服务器中的重复缓存,提高服务器Cache的命中率.     

集群系统中自适应负载反馈平衡策略的研究

当前在集群系统中，负载平衡策略虽然很多，但是为了减少反馈开销，一般策略为采用在前端估计后端负载，所以不能很好地完成负载平衡的任务。针对这一问题，提出了一种自适应负载反馈平衡策略，各个服务器根据自身负载的变化来决定负载反馈的时机，前端根据负载信息和请求率计算出各个服务器的负载权值，最后根据负载权值来调度服务器处理请求，以实现负载平衡。由于采用了自适应的反馈策略，在获得各个服务器负载信息的同时减少了负载反馈的开销，实现了系统的负载均衡。测试结果表明该策略表现出了一定的优势。     

网络负载均衡在Web服务器中的应用

网络负载均衡是一种动态均衡技术,也是提高网络可靠性、进行高性能计算以及实现网络负载合理均衡分配的关键技术,它能将工作负载在多个配置和性能相近的服务器间进行均衡分配,保证网络高效运行。服务器群集使得网络负载均衡能力得到极大改善,在Windows Server 2003中网络负载均衡功能易于操作实现。本文介绍了Windows Server 2003网络负载均衡技术在Web网站的应用案例。     

PRESS: a clustered server based on user-level communication

In this paper, we propose and evaluate a cluster-based network server called PRESS. The server relies on locality-conscious request distribution and a standard for user-level communication to achieve high performance and portability. We evaluate PRESS by first isolating the performance benefits of three key features of user-level communication: low processor overhead, remote memory accesses, and zero-copy transfers. Next, we compare PRESS to servers that involve less intercluster communication, but are not as easily portable. Our results for an 8-node server cluster and five WWW traces demonstrate that user-level communication can improve performance by as much as 52 percent compared to a kernel-level protocol. Low processor overhead, remote memory writes, and zero-copy all make nontrivial contributions toward this overall gain. Our results also show that portability in PRESS causes no throughput degradation when we exploit user-level communication extensively.     

SSL VPN的负载转移技术

针对SSL VPN通讯性能较低的问题，在分析其性能瓶颈之后，提出了一种将部分SSL传输负载转移到内部服务器的解决方案．根据此时VPN服务器的工作特点，还设计了IP报文嫁接算法来进一步优化其传输性能．试验证明，采用上述技术之后SSL VPN的整体吞吐率得到了极大的提高．