“Cloud computing” refers to the on-demand availability of computer system resources (e.g., applications, services, processors, storage devices, file systems, and databases) over the Internet and data stored in cloud storage. Servers hosting cloud-based resources may be referred to as “cloud-based servers” (or “cloud servers”). A “cloud computing service” refers to an administrative service (implemented in hardware that executes software and/or firmware) that manages a set of cloud computing computer system resources.
Cloud computing platforms include quantities of cloud servers, cloud storage, and further cloud computing resources that are managed by a cloud computing service. Cloud computing platforms offer higher efficiency, greater flexibility, lower costs, and better performance for applications and services relative to “on-premises” servers and storage, which are physically hosted locally, such as in a facility of an organization. Accordingly, users are shifting away from locally maintaining applications, services, and data and migrating to cloud computing platforms.
Cloud relay services enable organizations to extend the reach of their on-premises services by allowing authorized users or applications to access on-premises resources securely through the cloud. The cloud relay services can manage incoming traffic, apply security measures such as firewalls or authentication mechanisms, and/or direct requests to the respective on-premises services, ensuring seamless and protected access while maintaining the integrity and security of the on-premises resources from the public Internet. Additionally, cloud relay services may enable end-to-end encryption of communications between clients and the on-premises resources, thereby mitigating risks associated with transmitting sensitive information across public networks.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Systems, methods, apparatuses, and computer program products are disclosed for injecting custom information for a server while establishing end-to-end secure communications with a client via a tunneling service. A reverse proxy (of a tunneling service) receives, from a client over a first transport-layer connection, a request that includes a resource identifier associated with an on-premises resource. The reverse proxy determines, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource. In response, the reverse proxy transmits, to an error handling service (EHS) over a new second transport-layer connection, a new application-layer request comprising error handling information. The error handling information enables the EHS to establish, via the reverse proxy, a secure communications channel with the client using the existing first transport-layer connection between the client and the reverse proxy and the existing second transport-layer connection between the reverse proxy and the EHS. The reverse proxy receives, from the EHS, an encrypted response comprising an error message generated based at least on the error handling information, and forwards the encrypted response to the client.
Further features and advantages of the embodiments, as well as the structure and operation of various embodiments, are described in detail below with reference to the accompanying drawings. It is noted that the claimed subject matter is not limited to the specific embodiments described herein. Such embodiments are presented herein for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate embodiments of the present application and, together with the description, further serve to explain the principles of the embodiments and to enable a person skilled in the pertinent art to make and use the embodiments.
The subject matter of the present application will now be described with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Additionally, the left-most digit(s) of a reference number identifies the drawing in which the reference number first appears.
The following detailed description discloses numerous example embodiments. The scope of the present patent application is not limited to the disclosed embodiments, but also encompasses combinations of the disclosed embodiments, as well as modifications to the disclosed embodiments. It is noted that any section/subsection headings provided herein are not intended to be limiting. Embodiments are described throughout this document, and any type of embodiment may be included under any section/subsection. Furthermore, embodiments disclosed in any section/subsection may be combined with any other embodiments described in the same section/subsection and/or a different section/subsection in any manner.
As used herein, the term “on-premises resource” refers to hardware and/or software resources (such as, but not limited to, physical computing infrastructure, servers, networking equipment, databases, applications, services, and/or storage devices) that an organization owns, operates, and/or maintains within facilities and/or dedicated data centers that are directly controlled and/or managed by the organization.
Extending on-premises services to the cloud enables organizations to leverage the benefits of cloud computing while still maintaining a portion of the resources of the organization on-premises. This hybrid approach allows organizations to enjoy the scalability, flexibility, and cost-efficiency of cloud services while retaining control over sensitive or critical data housed within their physical premises. By integrating on-premises resources with cloud relay solutions, organizations can achieve a seamless and agile infrastructure, optimizing resources and/or workloads based on fluctuating demands. Cloud relay services allow organizations to leverage cloud-based tools to manage incoming traffic, apply security measures such as firewalls or authentication mechanisms, and/or direct requests to on-premises services, ensuring seamless and protected access while maintaining the integrity and security of the on-premises resources from the public Internet. Additionally, cloud relay services may enable end-to-end encryption of communications between clients and the on-premises resources, thereby mitigating risks associated with transmitting sensitive information across public networks.
Cloud relay services extend cloud management capabilities to on-premises infrastructure and/or multi-cloud environments, enabling organizations to centrally manage their resources across different environments. In embodiments, cloud relay services enable organizations to deploy cloud services, such as, but not limited to, cluster computing services, application services, and/or data services, to on-premises servers. This unified management approach allows organizations to leverage advanced capabilities of a cloud service provider for monitoring, security, and/or compliance across a different computing environment, enabling more efficient hybrid and/or multi-cloud operations.
Organizations are enabled to, in embodiments, extend on-premises services to the cloud through an onboarding process that connects and/or registers on-premises resources, such as, but not limited to, servers, computing clusters, applications, database servers, databases, and/or the like, with a cloud relay service of a cloud service provider. Onboarding enables these on-premises resources to be managed through a centralized interface of the cloud service provider, providing a unified view and consistent management experience across hybrid and/or multi-cloud environments. In embodiments, the onboarding process may include installing a cloud relay service agent on the target on-premises resources, enabling them to communicate securely with the cloud relay service, and then registering the target on-premises resources with the cloud relay service. Once onboarded, the target on-premises resources become cloud relay-enabled, enabling organizations to apply cloud management capabilities, policies, and/or services to the target on-premises resources, regardless of their location, thus facilitating centralized control, compliance, and efficient management across diverse environments.
In embodiments, the cloud relay service agent installed on the target on-premises resources includes a listening agent that establishes a secure connection between the on-premises resources and the cloud relay service, and continually communicates with the cloud relay service. For example, the listening agent may provide information such as, but not limited to, telemetry data, configurations, metadata, and/or the like to the cloud relay service, enabling the target on-premises resources to be centrally monitored, controlled, and/or managed within the cloud environment, thereby extending cloud management capabilities to the target on-premises resources. In embodiments, the information provided by the listening agent may enable the cloud relay service to determine the availability of the on-premises resources. For instance, the cloud relay service may determine whether an on-premises resource is available (i.e., online and reachable), and/or how many instances of the on-premises resource are available.
During the onboarding process, the cloud relay service, in embodiments, establishes a hybrid connection with the on-premises resource that acts as a conduit for communication between the cloud relay service and the on-premises resource. In embodiments, the hybrid connection may include properties associated with the on-premises resource, such as, but not limited to, a hostname, an Internet Protocol (IP) address, a port number, security information, and/or the like. The cloud relay service may, in embodiments, create, store, and/or maintain a mapping between a hostname and a corresponding on-premises resource to enable forwarding of incoming client requests to the on-premises resource. In embodiments, security information associated with the on-premises resource may include, but is not limited to, encryption protocols, encryption keys, security certificates, and/or the like to enable end-to-end secure communications between clients and on-premises resources.
The cloud relay service, in embodiments, provides the security information to the cloud relay service agent installed on the on-premises resource to enable the on-premises resource to decrypt communications from clients and/or to encrypt communications sent to clients. In embodiments, the cloud relay service agent may store the security information in a secure location associated with the on-premises resource, including, but not limited to, as a Kubernetes secret. The cloud relay service may, in embodiments, also store the security information in a secure location associated with the cloud service provider to enable management of the on-premises resources by the cloud service provider. For instance, in embodiments, the cloud service provider may store the security information in a key vault associated with the on-premises resource.
When a reverse proxy of the cloud relay service receives a client request destined for an on-premises resource, the reverse proxy performs a lookup to map the client request to the on-premises resource. For instance, the reverse proxy may parse the client request to determine a resource identifier associated with the request and attempt to map the resource identifier to an on-premises resource. In embodiments, the resource identifier may include a static identifier, a temporary identifier, and/or a combination thereof. Upon successfully mapping the resource identifier to an on-premises resource, the reverse proxy determines the availability of the on-premises resource. For instance, based on management information maintained by the cloud service provider, the reverse proxy may determine whether an on-premises resource is available (i.e., online and reachable), and/or how many instances of the on-premises resource are available.
When the on-premises resource is available, the reverse proxy establishes a tunnel and forwards the client request to the cloud relay service agent running on the on-premises resource. In embodiments, the client request may be encrypted based on the security information generated during the onboarding process, and is decryptable by the cloud relay service agent using the security information generated during the onboarding process. The cloud relay service agent may, in embodiments, decrypt the client request and provide the cleartext request to the on-premises resource for processing. In embodiments, the on-premises resource may generate a response to the client request and provide the response to the cloud relay service agent for relaying to the client. For instance, the cloud relay service agent may receive the response from the on-premises resource, encrypt the response based on the security information generated during the onboarding process, and forward the encrypted response to the cloud relay service. Upon receiving the encrypted response, the reverse proxy may, in embodiments, forward the encrypted response to the client. In embodiments, communications between the client and the on-premises resource are encrypted end-to-end based on one or more security protocols, such as, but not limited to, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and/or the like.
In embodiments, the reverse proxy of the cloud relay service may encounter, during handling of an incoming client request, an error, such as, but not limited to, the client request including an invalid resource identifier, the client request including an expired resource identifier, and/or the resource identifier in the client request mapping to an on-premises resource that is unavailable (e.g., offline and/or unreachable). Due to the design of the reverse proxy as a transport-layer device without access to required security certificates, the reverse proxy is unable to send a secure response over an application-layer protocol to the client. As such, when the reverse proxy encounters an error while handling a client request, the client typically receives a generic error message indicating that the connection has been terminated.
Embodiments disclosed herein are directed to graceful error handling by a reverse proxy of a cloud relay service by injecting custom information while establishing a secure communications channel with the client. In embodiments, the cloud relay service may include a high-privilege error handling service (EHS) in the cloud service provider environment that is capable of establishing a secure communications channel with the client, and responding with an encrypted response that includes a detailed error message. When the reverse proxy encounters an error while handling a client request that is received over a first transport-layer connection, the reverse proxy may, in embodiments, provide error information to the EHS by injecting custom information into a new application-layer request, and providing the application-layer request to the EHS over a new second transport-layer connection. Upon receiving the application-layer request, the EHS may, in embodiments, determine an on-premises resource associated with the client request, and generate a response containing an error message generated based on the error information in the application-layer request. In embodiments, the EHS may retrieve security information associated with the determined on-premises resource from a secure location in the cloud service provider environment, and establish, via the reverse proxy, a secure communications channel with the client using the existing first transport-layer connection between the client and the reverse proxy and the existing second transport-layer connection between the reverse proxy and the EHS. The EHS may then provide, to the reverse proxy, the response as an encrypted message over the secure communications channel that was established over the existing second transport-layer connection. The reverse proxy may then forward, to the client, the encrypted message over the secure communications channel that was established over the existing first transport-layer connection.
The client device may, in embodiments, decrypt the encrypted message to obtain the error message in cleartext.
These and further embodiments are disclosed herein that enable the functionality described above and additional functionality. Such embodiments are described in further detail as follows.
For instance,
Client(s) 102 may comprise any type of stationary or mobile processing device, including, but not limited to, a desktop computer, a server, a mobile or handheld device (e.g., a tablet, a personal data assistant (PDA), a smart phone, a laptop, etc.), an Internet-of-Things (IoT) device, etc. As shown in
In embodiments, application 110 may comprise various applications, such as, but not limited to, mobile applications, desktop applications, a web browser, and/or the like, configured to transmit client request(s) 120 to reverse proxy 112 via optional client portal 118. Various example implementations of application 110 are described below in reference to
Server infrastructure 104 may be a network-accessible server set (e.g., a cloud-based environment or platform). In an embodiment, the underlying resources of server infrastructure 104 may be co-located (e.g., housed in one or more nearby buildings with associated components such as backup power supplies, redundant data communications, environmental controls, etc.) to form a datacenter, may be distributed across different regions, and/or may be arranged in other manners. In accordance with an embodiment, server infrastructure 104 comprises part of the Microsoft® Azure® cloud computing platform, owned by Microsoft Corporation of Redmond, Washington, although this is only an example and not intended to be limiting. Server(s) 108 may, in embodiments, be implemented, at least partially, on mobile device 102. Various example implementations of server infrastructure 104 are described below in reference to
On-premises resource(s) 106 may comprise a wide array of hardware and software that an organization owns, operates, and/or maintains within facilities and/or dedicated data centers it directly controls and/or manages, including, but not limited to, physical computing infrastructure, servers, computing clusters, applications, services, database servers, and/or data storage systems that an organization owns, operates, and maintains within its own facilities or dedicated data centers. Various example implementations of on-premises resource(s) 106 are described below in reference to
Network(s) 108 may comprise one or more networks such as local area networks (LANs), wide area networks (WANs), enterprise networks, the Internet, etc., and may include one or more wired and/or wireless portions. In embodiments, network(s) 108 that connect client(s) 102 to server infrastructure 104 may be different from, the same as, or overlapping with network(s) 108 that connect server infrastructure 104 with on-premises resource(s) 106. Various example implementations of server infrastructure 104 are described below in reference to
Reverse proxy 112 is configured to extend on-premises resource(s) 106 to the cloud by forwarding client request(s) 120 received from client(s) 102 over first transport-layer connections of network(s) 108 to on-premises resource(s) 106. In embodiments, reverse proxy 112 may receive client request(s) 120 from client(s) 102 via optional client portal 118. In embodiments, reverse proxy 112 is configured to gracefully handle errors encountered with client request(s) 120 by providing error information in a new application-layer request 122 to EHS 114, and to forward encrypted responses 126 received from EHS 114 over network(s) 108 to client(s) 102. In embodiments, reverse proxy 112 is configured to forward responses, if any, received from on-premises resource(s) 106 over network(s) 108 to client(s) 102.
In embodiments, reverse proxy 112 may include, but is not limited to, an application-layer Server Name Indication (SNI) proxy that facilitates the handling of multiple secure connections (e.g., Hypertext Transfer Protocol Secure (HTTPS), etc.) to different destinations using a single IP address. SNI is an extension of the TLS protocol that enables client(s) 102 to indicate the hostname of the desired destination server during the TLS handshake process. Reverse proxy 112 may, in embodiments, intercept incoming TLS connection requests (e.g., client request(s) 120), inspect the SNI field to determine the intended destination hostname (e.g., hostname associated with on-premises resource(s) 106, cloud resource (not depicted), etc.), and forward the connection request to the appropriate backend resource (e.g., on-premises resource(s) 106, cloud resource, etc.) based on the information in the SNI field. SNI enables hosting multiple websites, resources, and/or services with distinct SSL certificates on the same IP address, thereby optimizing resource utilization and enabling more efficient use of IP addresses in scenarios where traditional proxying methods might not allow for such differentiation based on hostnames within encrypted connections.
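The SNI lookup described above is the only routing input the reverse proxy has before any decryption takes place, so it is worth seeing exactly what the proxy reads. The following is an added example, not code from the application or from any product it describes: a minimal parser that walks a TLS ClientHello record down to the server_name extension and returns the hostname, together with a constructed ClientHello builder used purely as test input (the cipher suite, zeroed random and hostname are constructed values). Anything that is not a well-formed ClientHello with a host_name entry yields None, which is the "invalid resource identifier" path that the proxy would hand to the error handling service rather than terminate silently.

```python
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input built here, not captured traffic)."""
    body = b"\x03\x03" + bytes(32)                  # client_version 0x0303 + 32-byte random (zeros for the test)
    body += b"\x00"                                 # session_id: empty
    body += b"\x00\x02\x13\x01"                     # cipher_suites: one suite (0x1301)
    body += b"\x01\x00"                             # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0, len(sni_data)) + sni_data  # extension type 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake (22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent or malformed.

    Every length field is bounds-checked; a truncated or non-TLS record never raises, it just
    yields None so the caller can treat it as a request with no usable resource identifier.
    """
    try:
        if record[0] != 0x16:                       # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                      # truncated handshake
            return None
        pos = 2 + 32                                # skip client_version and random
        pos += 1 + body[pos]                        # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                        # skip compression_methods
        if pos + 2 > len(body):                     # no extensions block at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0:                       # not server_name
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = ext_data[q]
                name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
                q += 3
                name = ext_data[q:q + name_len]
                q += name_len
                if name_type == 0:                  # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("app1.example.test")))   # constructed hostname
    print(extract_sni(build_client_hello(None)))
```

The hostname recovered this way is a routing hint supplied by the client, not an authenticated value: it selects which backend (or which certificate, in the error path) is used, so it must be validated against the proxy's mappings before any other use, and the certificate eventually presented to the client must be the one issued for that name.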
When reverse proxy 112 encounters an error while processing client request(s) 120, reverse proxy 112 is configured to inject custom error handling information into a new application-layer (e.g., HTTPS, Hypertext Transfer Protocol (HTTP), etc.) request 122, and transmit application-layer request 122 to EHS 114 over a new second transport-layer connection. In embodiments, reverse proxy 112 is configured to receive an encrypted response 126 containing an error message from EHS 114, and to forward the encrypted response 126 over network(s) 108 to client(s) 102. Reverse proxy 112, and components thereof, will be discussed in greater detail in conjunction with
EHS 114 is configured to receive, from reverse proxy 112 over the second transport-layer connection, application-layer request 122 containing custom error handling information, and to provide, to reverse proxy 112, an encrypted response 126 containing an error message for forwarding to client(s) 102. In embodiments, the custom error handling information may include, but is not limited to, a resource identifier (e.g., hostname, etc.) associated with on-premises resource(s) 106, a correlation identifier, a status code (e.g., HTTP/HTTPS status code, etc.), and/or an error message. EHS 114 is configured to retrieve, from security certificate(s) 116, security information 124 associated with the resource identifier, and establish, via reverse proxy 112, a secure communications channel with client(s) 102 using existing first transport-layer connections between client(s) 102 and reverse proxy 112 and existing second transport-layer connections between reverse proxy 112 and EHS 114. EHS 114 may then generate a response containing the error message, encrypt the response based on the retrieved security information, and transmit, to client(s) 102 via reverse proxy 112, the encrypted response over the secure communications channel as encrypted response 126. EHS 114, and components thereof, are discussed in greater detail in conjunction with
Security certificate(s) 116 is a service configured to store security information 124 associated with on-premises resource(s) 106 that enables cloud services of server infrastructure 104 to securely communicate with client(s) 102 on behalf of organization(s) associated with on-premises resource(s) 106. In embodiments, security certificate(s) 116 may include, but is/are not limited to, a secure and centralized cloud service (e.g., cloud key vault) designed for storing and/or managing sensitive information like keys, secrets, certificates, and/or encryption keys. In embodiments, security certificate(s) 116 is configured to provide security information 124 to EHS 114 based on a resource identifier received from EHS 114. In embodiments, access to security certificate(s) 116 may be limited to high-privileged services, such as, but not limited to, EHS 114.
Client portal 118 is a cloud interface configured to provide client(s) 102 access to cloud services and/or on-premises resource(s) 106. For instance, client portal 118 may, in embodiments, comprise a web portal that provides a webpage to enable application 110 running on client(s) 102 to display a user interface to a user of client(s) 102. In embodiments, user interactions with the user interface may cause client portal 118 to generate and/or provide client request(s) 120 to reverse proxy 112. Similarly, client portal 118 may receive encrypted response 126 from reverse proxy 112, and provide encrypted response 126 as a webpage to application 110 running on client(s) 102. As used herein, the terms “client,” “client(s),” “client 102,” and/or “client(s) 102” may refer to client computing devices connected to server infrastructure 104 via network(s) 108, and/or client portal 118.
Embodiments described herein may operate in various ways to gracefully handle errors while establishing secure communications with a client via a tunneling service. For instance,
Request handler 202 is configured to receive client request(s) 120 from client(s) 102 and/or client portal 118, and process client request(s) 120. For instance, request handler 202 may determine an intended destination of client request(s) 120 based on a resource identifier (e.g., SNI field, hostname, etc.) in client request(s) 120, and forward client request(s) 120 to the appropriate backend resource (e.g., on-premises resource(s) 106, cloud resource, etc.). In embodiments, request handler 202 may validate the resource identifier in client request(s) 120 based on on-premises resource mapping(s) 212, including, but not limited to, determining whether the resource identifier is in a correct format, determining whether the resource identifier is expired, determining whether the resource identifier is spoofed, and/or the like. Furthermore, request handler 202 may, in embodiments, determine whether on-premises resource(s) 106 associated with the resource identifier are available (e.g., online and reachable).
When request handler 202 encounters an error while handling client request(s) 120, request handler 202 is configured to provide custom error handling information 214 to information injector 204 to enable information injector 204 to inject the custom error handling information into application-layer request 122. In embodiments, errors encountered by request handler 202 may include, but are not limited to, an invalid resource identifier, an expired resource identifier, a resource identifier in an incorrect resource identifier format, an intended on-premises resource associated with a valid and non-expired resource identifier being unavailable (e.g., offline and/or unreachable), and/or the like.
In embodiments, request handler 202 is further configured to proxy communications between EHS 114 and client(s) 102, and/or vice versa. For instance, request handler 202 may facilitate establishment of a secure communications channel between EHS 114 and client(s) 102 by receiving and forwarding handshake (e.g., TLS handshake, etc.) messages between EHS 114 and client(s) 102. Furthermore, request handler 202 may, in embodiments, proxy communications between EHS 114 and client(s) 102, and/or vice versa, after the establishment of a secure communications channel. For instance, request handler 202 may receive, from EHS 114, encrypted response 126, and forward encrypted response 126 over network(s) 108 to client(s) 102.
Information injector 204 is configured to receive custom error handling information 214 from request handler 202, inject custom error handling information 214 into application-layer request 122, and provide application-layer request 122 to EHS 114 over a new second transport-layer connection. In embodiments, custom error handling information 214 may include, but is not limited to, a resource identifier (e.g., hostname, etc.) associated with on-premises resource(s) 106, a correlation identifier, a status code (e.g., HTTP/HTTPS status code, etc.), and/or an error message. Information injector 204 may inject custom error handling information 214 into one or more elements of application-layer request 122, such as, but not limited to, a header of application-layer request 122 and/or components thereof, a body of application-layer request 122 and/or components thereof, and/or any combination thereof. In embodiments, application-layer request 122 may include, but is not limited to, an HTTP/HTTPS POST request, an HTTP/HTTPS GET request, an HTTP/HTTPS version 1.1 request, and/or any combination thereof.
Information extractor 206 is configured to receive application-layer request 122 from reverse proxy 112 over the second transport-layer connection, and extract custom error handling information 214 therefrom. In embodiments, information extractor 206 may provide portions of the extracted custom error handling information 214 to temporary dynamic HTTPS server 208 and/or response generator 210. For instance, information extractor 206 may extract response information 216, such as, but not limited to, a correlation identifier, a status code, and/or an error message from the extracted custom error handling information 214 and provide response information 216 to response generator 210. In embodiments, information extractor 206 may extract a resource identifier from custom error handling information 214 and fetch, from security certificate(s) 116, security information 124 corresponding to the extracted resource identifier. Information extractor 206 may then provide, as connection information 220, portions of the extracted custom error handling information 214 and/or security information 124 to temporary dynamic HTTPS server 208.
Temporary dynamic HTTPS server 208 is configured to receive connection information 220 from information extractor 206, and establish, via reverse proxy 112, a secure communications channel with client(s) 102 using the existing second transport-layer connection and the existing first transport-layer connection. In embodiments, temporary dynamic HTTPS server 208 exchanges one or more handshake messages with client(s) 102 to establish the secure communications channel. Temporary dynamic HTTPS server 208 is configured to receive response 218 from response generator 210 and transmit response 218 over the established secure communications channel to client(s) 102 as encrypted response 126. In embodiments, the established secure communications channel may include, but is not limited to, an HTTPS connection.
Response generator 210 is configured to receive response information 216 from information extractor 206 and generate a response 218 based on response information 216. For instance, response generator 210 may generate a response 218 by including a status code and/or correlation identifier from response information 216 in one or more header fields of response 218, and/or by including an error message from response information 216 in a body of response 218. In embodiments, response generator 210 provides response 218 to temporary dynamic HTTPS server 208 for transmission, over the secure communications channel established using the existing second transport-layer connection, to client(s) 102 via reverse proxy 112.
On-premises mapping(s) 212 may include a service configured to maintain information that maps resource identifiers to on-premises resource(s) 106. In embodiments, on-premises mapping(s) 212 may include active mappings that map valid and non-expired resource identifiers to on-premises resource(s) 106, and/or expired mappings that map expired resource identifiers to on-premises resource(s) 106. Maintaining expired mappings may, in embodiments, enable request handler 202 to detect incoming requests with spoofed resource identifiers. For instance, a resource identifier for an on-premises resource may be deemed to be spoofed if it does not appear in on-premises mapping(s) 212 as either an active mapping or an expired mapping. In embodiments, on-premises mapping(s) 212 may be updated as existing resource identifiers expire, and/or new identifiers are generated.
Embodiments described herein may operate in various ways to facilitate communications between a client, reverse proxy, and an error handling service for graceful error handling while establishing secure communications with a client via a tunneling service. For instance,
In
In
In
In
Embodiments described herein may operate in various ways to inject custom information for a server while establishing secure communications with a client via a tunneling service. For instance,
Flowchart 400 starts at step 402. In step 402, a client request is received over a first transport-layer connection at a reverse proxy of a cloud service, the client request including a resource identifier associated with an on-premises resource. For instance, request handler 202 of reverse proxy 112 may receive client request(s) 120 from client(s) 102 over first TCP connection 302. In embodiments, client request(s) 120 includes a resource identifier associated with on-premises resource(s) 106.
In step 404, an error that prevents forwarding of the client request to the on-premises resource is determined to have occurred based at least on the resource identifier. For instance, request handler 202 of reverse proxy 112 may determine, based on a resource identifier in client request(s) 120, that an error prevents forwarding of client request(s) 120. In embodiments, errors encountered by request handler 202 may include, but are not limited to, an invalid resource identifier, an expired resource identifier, a resource identifier in an incorrect resource identifier format, an intended on-premises resource associated with a valid and non-expired resource identifier is unavailable (e.g., offline and/or unreachable), and/or the like. In embodiments, request handler 202 may determine that a resource identifier is invalid and/or expired by performing a lookup of the resource identifier in on-premises mapping(s) 212. For instance, a resource identifier for an on-premises resource may be deemed to be expired if it appears in on-premises mapping(s) 212 as an expired mapping, and spoofed if it does not appear in on-premises mapping(s) 212 as either an active mapping or an expired mapping.
In step 406, an application-layer request comprising error handling information is transmitted to an error handling service over a second transport-layer connection, the error handling information enabling the error handling service to establish a secure communications channel with the client over the second transport-layer connection and the first transport-layer connection. For instance, information injector 204 may inject custom error handling information 214 into application-layer request 122, and transmit application-layer request 122 to EHS 114 over HTTP/HTTPS connection 304 that is established over second TCP connection 306. In embodiments, information injector 204 may inject custom error handling information 214 into one or more elements of application-layer request 122, such as, but not limited to, a header of application-layer request 122 and/or components thereof, a body of application-layer request 122 and/or components thereof, and/or any combination thereof. In embodiments, custom error handling information 214 may include, but is not limited to, a resource identifier (e.g., hostname, etc.) associated with on-premises resource(s) 106, a correlation identifier, a status code (e.g., HTTP/HTTPS status code, etc.), and/or an error message. In embodiments, error handling information 214 enables EHS 114 to establish, via reverse proxy 112, HTTPS connection 332 with client(s) 102 using second TCP connection 306 and first TCP connection 302.
In step 408, an encrypted response comprising an error message generated based at least on the error handling information is received from the error handling service. For instance, request handler 202 of reverse proxy 112 may receive, from EHS 114, encrypted response 126 over HTTPS connection 332 that is established over second TCP connection 306.
In step 410, the encrypted response is forwarded to the client. For instance, request handler 202 may forward encrypted response 126 to client(s) 102 over HTTPS connection 332 that is established over first TCP connection 302.
Embodiments described herein may operate in various ways to gracefully handle errors while establishing secure communications with a client via a tunneling service. For instance,
Flowchart 500 starts at step 502. In step 502, an application-layer request comprising error handling information is received at an error handling service over a transport-layer connection. For instance, EHS 114 may receive, over TCP connection 306, application-layer request 122. In embodiments, application-layer request 122 includes custom error handling information 214, such as, but not limited to, a resource identifier (e.g., hostname, etc.) associated with on-premises resource(s) 106, a correlation identifier, a status code (e.g., HTTP/HTTPS status code, etc.), and/or an error message.
In step 504, an on-premises resource associated with the application-layer request is determined based on the error handling information. For instance, information extractor 206 may extract a resource identifier from custom error handling information 214 received as part of application-layer request 122.
In step 506, security information associated with the on-premises resource is retrieved. For instance, information extractor 206 may retrieve, from security certificate(s) 116, security information 124 based on the resource identifier extracted from error handling information 214, and provide security information 124 to temporary dynamic HTTPS server 208 as part of connection information 220. Based on security information 124, temporary dynamic HTTPS server 208 may, in embodiments, establish HTTPS connection 332 with client(s) 102 over second TCP connection 306 and first TCP connection 302.
In step 508, an error message is generated based on the error handling information. For instance, response generator 210 may generate a response 218 based on response information 216. For instance, response generator 210 may generate response 218 by including a status code and/or correlation identifier from response information 216 in one or more header fields of response 218, and/or by including an error message from response information 216 in a body of response 218. In embodiments, response generator 210 provides response 218 to temporary dynamic HTTPS server 208 for transmission to client(s) 102 via reverse proxy 112.
In step 510, the error message is encrypted based on the security information. For instance, temporary dynamic HTTPS server 208 may receive response 218 from response generator 210, and encrypt response 218 using security information 124 to produce encrypted response 126.
In step 512, the encrypted error message is provided to a reverse proxy over a secure communications channel established using at least the second transport-layer connection. For instance, temporary dynamic HTTPS server 208 may provide encrypted response 126 to reverse proxy 112 over HTTPS connection 332 that is established over second TCP connection 306. In embodiments, reverse proxy 112 may forward encrypted response 126 to client(s) 102 over HTTPS connection 332 that is established over first TCP connection 302.
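The reverse proxy side of flowchart 400 (steps 402-406) and the error handling service side of flowchart 500 (steps 502-510), together with the active/expired/spoofed lookup against on-premises mapping(s) 212 described above, as an added Python example that is not the patent's code. The header names, the resource identifier format, the status codes per error class and the sample mappings and certificates are constructed assumptions; the TLS handshake the temporary HTTPS server performs with the selected certificate is not reproduced.

```python
"""Added example (not the patent's code): reverse proxy / error handling
service (EHS) exchange for a request that cannot be relayed.  Header names,
identifier format, status codes and all sample data are constructed."""
import re
import uuid
from dataclasses import dataclass
from enum import Enum

# Assumed resource-identifier format: one DNS label plus a fixed relay suffix,
# e.g. "sales-app.relay.example".  A constructed convention, not the page's.
RELAY_SUFFIX = ".relay.example"
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed header names under which the proxy injects custom error
# handling information 214 into the application-layer request.
H_RESOURCE = "X-Relay-Resource-Id"
H_CORR = "X-Relay-Correlation-Id"
H_STATUS = "X-Relay-Status"
H_ERROR = "X-Relay-Error"


class IdState(Enum):
    ACTIVE = "active"        # valid, non-expired mapping
    EXPIRED = "expired"      # present only among the expired mappings
    SPOOFED = "spoofed"      # absent from both active and expired mappings
    MALFORMED = "malformed"  # does not match the expected identifier format


@dataclass
class OnPremMappings:
    """On-premises mapping(s) 212: resource identifier -> on-premises resource."""
    active: dict
    expired: dict

    def classify(self, resource_id: str) -> IdState:
        if not resource_id.endswith(RELAY_SUFFIX) or not LABEL_RE.match(
                resource_id[:-len(RELAY_SUFFIX)]):
            return IdState.MALFORMED
        if resource_id in self.active:
            return IdState.ACTIVE
        if resource_id in self.expired:
            return IdState.EXPIRED
        return IdState.SPOOFED

    def retire(self, resource_id: str) -> None:
        """Move an identifier from active to expired, so later lookups can
        still tell an expired identifier from a spoofed one."""
        self.expired[resource_id] = self.active.pop(resource_id)


# Constructed status code and message per error class (the page only says
# "a status code" and "an error message").
ERROR_STATUS = {
    IdState.MALFORMED: (400, "resource identifier has an invalid format"),
    IdState.SPOOFED: (404, "unknown resource identifier"),
    IdState.EXPIRED: (410, "resource identifier has expired"),
}


def handle_client_request(client_headers: dict, mappings: OnPremMappings,
                          reachable) -> tuple:
    """Reverse proxy, steps 402-406.  Returns ("forward", target) when the
    request can be relayed, otherwise ("ehs", app_request) where app_request
    is the application-layer request with error handling information injected.
    `reachable(target)` stands in for the proxy's availability check."""
    resource_id = client_headers.get("Host", "")
    state = mappings.classify(resource_id)
    if state is IdState.ACTIVE:
        target = mappings.active[resource_id]
        if reachable(target):
            return ("forward", target)
        status, message = 503, "on-premises resource is unavailable"
    else:
        status, message = ERROR_STATUS[state]
    # Drop client-supplied headers in the injected namespace first, so a client
    # cannot pre-fill the error handling information the EHS will act on.
    app_request = {k: v for k, v in client_headers.items()
                   if not k.lower().startswith("x-relay-")}
    app_request.update({H_RESOURCE: resource_id, H_CORR: str(uuid.uuid4()),
                        H_STATUS: str(status), H_ERROR: message})
    return ("ehs", app_request)


def ehs_handle(app_request: dict, certificates: dict) -> tuple:
    """EHS, steps 502-510: extract error handling information 214, retrieve
    the security information for the named resource, and generate response
    218 (status code and correlation id in headers, error message in body).
    Returns (security_info, response); security_info is None when nothing was
    onboarded for that name, in which case (an assumption here) the temporary
    HTTPS server has no certificate to present and the channel cannot be built."""
    info = {h: app_request[h] for h in (H_RESOURCE, H_CORR, H_STATUS, H_ERROR)}
    security_info = certificates.get(info[H_RESOURCE])
    status = int(info[H_STATUS])
    if not 400 <= status <= 599:   # defensive assumption: never emit a success
        status = 502
    response = {"status": status,
                "headers": {"Content-Type": "text/plain", H_CORR: info[H_CORR]},
                "body": info[H_ERROR]}
    return security_info, response
```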
The systems and methods described above in reference to
Embodiments disclosed herein may be implemented in one or more computing devices that may be mobile (a mobile device) and/or stationary (a stationary device) and may include any combination of the features of such mobile and stationary computing devices. Examples of computing devices, such as system 100 of
Computing device 602 can be any of a variety of types of computing devices. For example, computing device 602 may be a mobile computing device such as a handheld computer (e.g., a personal digital assistant (PDA)), a laptop computer, a tablet computer (such as an Apple iPad™), a hybrid device, a notebook computer (e.g., a Google Chromebook™ by Google LLC), a netbook, a mobile phone (e.g., a cell phone, a smart phone such as an Apple® iPhone® by Apple Inc., a phone implementing the Google® Android™ operating system, etc.), a wearable computing device (e.g., a head-mounted augmented reality and/or virtual reality device including smart glasses such as Google® Glass™, Oculus Rift® of Facebook Technologies, LLC, etc.), or other type of mobile computing device. Computing device 602 may alternatively be a stationary computing device such as a desktop computer, a personal computer (PC), a stationary server device, a minicomputer, a mainframe, a supercomputer, etc.
As shown in
A single processor 610 (e.g., central processing unit (CPU), microcontroller, a microprocessor, signal processor, ASIC (application specific integrated circuit), and/or other physical hardware processor circuit) or multiple processors 610 may be present in computing device 602 for performing such tasks as program execution, signal coding, data processing, input/output processing, power control, and/or other functions. Processor 610 may be a single-core or multi-core processor, and each processor core may be single-threaded or multithreaded (to provide multiple threads of execution concurrently). Processor 610 is configured to execute program code stored in a computer readable medium, such as program code of operating system 612 and application programs 614 stored in storage 620. Operating system 612 controls the allocation and usage of the components of computing device 602 and provides support for one or more application programs 614 (also referred to as “applications” or “apps”). Application programs 614 may include common computing applications (e.g., e-mail applications, calendars, contact managers, web browsers, messaging applications), further computing applications (e.g., word processing applications, mapping applications, media player applications, productivity suite applications), one or more machine learning (ML) models, as well as applications related to the embodiments disclosed elsewhere herein.
Any component in computing device 602 can communicate with any other component according to function, although not all connections are shown for ease of illustration. For instance, as shown in
Storage 620 is physical storage that includes one or both of memory 656 and storage device 690, which store operating system 612, application programs 614, and application data 616 according to any distribution. Non-removable memory 622 includes one or more of RAM (random access memory), ROM (read only memory), flash memory, a solid-state drive (SSD), a hard disk drive (e.g., a disk drive for reading from and writing to a hard disk), and/or other physical memory device type. Non-removable memory 622 may include main memory and may be separate from or fabricated in a same integrated circuit as processor 610. As shown in
One or more programs may be stored in storage 620. Such programs include operating system 612, one or more application programs 614, and other program modules and program data. Examples of such application programs may include, for example, computer program logic (e.g., computer program code/instructions) for implementing one or more of client(s) 102, server infrastructure 104, on-premises resource(s) 106, network(s) 108, application 110, reverse proxy 112, EHS 114, security certificate(s) 116, client portal 118, request handler 202, information injector 204, information extractor 206, temporary dynamic HTTPS server 208, response generator 210, on-premises mapping(s) 212, and/or each of the components described therein, and/or communications flow diagrams 300, 310, 320, and/or 330, and/or the steps of flowcharts 400 and/or 500, described herein, including portions thereof, and/or further examples described herein.
Storage 620 also stores data used and/or generated by operating system 612 and application programs 614 as application data 616. Examples of application data 616 include web pages, text, images, tables, sound files, video data, and other data, which may also be sent to and/or received from one or more network servers or other devices via one or more wired or wireless networks. Storage 620 can be used to store further data including a subscriber identifier, such as an International Mobile Subscriber Identity (IMSI), and an equipment identifier, such as an International Mobile Equipment Identifier (IMEI). Such identifiers can be transmitted to a network server to identify users and equipment.
A user may enter commands and information into computing device 602 through one or more input devices 630 and may receive information from computing device 602 through one or more output devices 650. Input device(s) 630 may include one or more of touch screen 632, microphone 634, camera 636, physical keyboard 638 and/or trackball 640 and output device(s) 650 may include one or more of speaker 652 and display 654. Each of input device(s) 630 and output device(s) 650 may be integral to computing device 602 (e.g., built into a housing of computing device 602) or external to computing device 602 (e.g., communicatively coupled wired or wirelessly to computing device 602 via wired interface(s) 680 and/or wireless modem(s) 660). Further input devices 630 (not shown) can include a Natural User Interface (NUI), a pointing device (computer mouse), a joystick, a video game controller, a scanner, a touch pad, a stylus pen, a voice recognition system to receive voice input, a gesture recognition system to receive gesture input, or the like. Other possible output devices (not shown) can include piezoelectric or other haptic output devices. Some devices can serve more than one input/output function. For instance, display 654 may display information, as well as operating as touch screen 632 by receiving user commands and/or other information (e.g., by touch, finger gestures, virtual keyboard, etc.) as a user interface. Any number of each type of input device(s) 630 and output device(s) 650 may be present, including multiple microphones 634, multiple cameras 636, multiple speakers 652, and/or multiple displays 654.
One or more wireless modems 660 can be coupled to antenna(s) (not shown) of computing device 602 and can support two-way communications between processor 610 and devices external to computing device 602 through network 604, as would be understood to persons skilled in the relevant art(s). Wireless modem 660 is shown generically and can include a cellular modem 666 for communicating with one or more cellular networks, such as a GSM network for data and voice communications within a single cellular network, between cellular networks, or between the mobile device and a public switched telephone network (PSTN). Wireless modem 660 may also or alternatively include other radio-based modem types, such as a Bluetooth modem 664 (also referred to as a “Bluetooth device”) and/or Wi-Fi modem 662 (also referred to as a “wireless adaptor”). Wi-Fi modem 662 is configured to communicate with an access point or other remote Wi-Fi-capable device according to one or more of the wireless network protocols based on the IEEE (Institute of Electrical and Electronics Engineers) 802.11 family of standards, commonly used for local area networking of devices and Internet access. Bluetooth modem 664 is configured to communicate with another Bluetooth-capable device according to the Bluetooth short-range wireless technology standard(s) such as IEEE 802.15.1 and/or managed by the Bluetooth Special Interest Group (SIG).
Computing device 602 can further include power supply 682, LI receiver 684, accelerometer 686, and/or one or more wired interfaces 680. Example wired interfaces 680 include a USB port, an IEEE 1394 (FireWire) port, an RS-232 port, an HDMI (High-Definition Multimedia Interface) port (e.g., for connection to an external display), a DisplayPort port (e.g., for connection to an external display), an audio port, an Ethernet port, and/or an Apple® Lightning® port, the purposes and functions of each of which are well known to persons skilled in the relevant art(s). Wired interface(s) 680 of computing device 602 provide for wired connections between computing device 602 and network 604, or between computing device 602 and one or more devices/peripherals when such devices/peripherals are external to computing device 602 (e.g., a pointing device, display 654, speaker 652, camera 636, physical keyboard 638, etc.). Power supply 682 is configured to supply power to each of the components of computing device 602 and may receive power from a battery internal to computing device 602, and/or from a power cord plugged into a power port of computing device 602 (e.g., a USB port, an A/C power port). LI receiver 684 may be used for location determination of computing device 602 and may include a satellite navigation receiver such as a Global Positioning System (GPS) receiver or may include another type of location determiner configured to determine the location of computing device 602 based on received information (e.g., using cell tower triangulation, etc.). Accelerometer 686 may be present to determine an orientation of computing device 602.
Note that the illustrated components of computing device 602 are not required or all-inclusive, and fewer or greater numbers of components may be present as would be recognized by one skilled in the art. For example, computing device 602 may also include one or more of a gyroscope, barometer, proximity sensor, ambient light sensor, digital compass, etc. Processor 610 and memory 656 may be co-located in a same semiconductor device package, such as being included together in an integrated circuit chip, FPGA, or system-on-chip (SOC), optionally along with further components of computing device 602.
In embodiments, computing device 602 is configured to implement any of the above-described features of flowcharts herein. Computer program logic for performing any of the operations, steps, and/or functions described herein may be stored in storage 620 and executed by processor 610.
In some embodiments, server infrastructure 670 may be present in computing environment 600 and may be communicatively coupled with computing device 602 via network 604. Server infrastructure 670, when present, may be a network-accessible server set (e.g., a cloud-based environment or platform). As shown in
Each of nodes 674 may, as a compute node, comprise one or more server computers, server systems, and/or computing devices. For instance, a node 674 may include one or more of the components of computing device 602 disclosed herein. Each of nodes 674 may be configured to execute one or more software applications (or “applications”) and/or services and/or manage hardware resources (e.g., processors, memory, etc.), which may be utilized by users (e.g., customers) of the network-accessible server set. For example, as shown in
In an embodiment, one or more of clusters 672 may be co-located (e.g., housed in one or more nearby buildings with associated components such as backup power supplies, redundant data communications, environmental controls, etc.) to form a datacenter, or may be arranged in other manners. Accordingly, in an embodiment, one or more of clusters 672 may be a datacenter in a distributed collection of datacenters. In embodiments, exemplary computing environment 600 comprises part of a cloud-based platform such as Amazon Web Services® of Amazon Web Services, Inc. or Google Cloud Platform™ of Google LLC, although these are only examples and are not intended to be limiting.
In an embodiment, computing device 602 may access application programs 676 for execution in any manner, such as by a client application and/or a browser at computing device 602. Example browsers include Microsoft Edge® by Microsoft Corp. of Redmond, Washington, Mozilla Firefox®, by Mozilla Corp. of Mountain View, California, Safari®, by Apple Inc. of Cupertino, California, and Google® Chrome by Google LLC of Mountain View, California.
For purposes of network (e.g., cloud) backup and data security, computing device 602 may additionally and/or alternatively synchronize copies of application programs 614 and/or application data 616 to be stored at network-based server infrastructure 670 as application programs 676 and/or application data 678. For instance, operating system 612 and/or application programs 614 may include a file hosting service client, such as Microsoft® OneDrive® by Microsoft Corporation, Amazon Simple Storage Service (Amazon S3)® by Amazon Web Services, Inc., Dropbox® by Dropbox, Inc., Google Drive™ by Google LLC, etc., configured to synchronize applications and/or data stored in storage 620 at network-based server infrastructure 670.
In some embodiments, on-premises servers 692 may be present in computing environment 600 and may be communicatively coupled with computing device 602 via network 604. On-premises servers 692, when present, are hosted within an organization's infrastructure and, in many cases, physically onsite of a facility of that organization. On-premises servers 692 are controlled, administered, and maintained by IT (Information Technology) personnel of the organization or an IT partner to the organization. Application data 698 may be shared by on-premises servers 692 between computing devices of the organization, including computing device 602 (when part of an organization) through a local network of the organization, and/or through further networks accessible to the organization (including the Internet). Furthermore, on-premises servers 692 may serve applications such as application programs 696 to the computing devices of the organization, including computing device 602. Accordingly, on-premises servers 692 may include storage 694 (which includes one or more physical storage devices such as storage disks and/or SSDs) for storage of application programs 696 and application data 698 and may include one or more processors for execution of application programs 696. Still further, computing device 602 may be configured to synchronize copies of application programs 614 and/or application data 616 for backup storage at on-premises servers 692 as application programs 696 and/or application data 698.
Embodiments described herein may be implemented in one or more of computing device 602, network-based server infrastructure 670, and on-premises servers 692. For example, in some embodiments, computing device 602 may be used to implement systems, clients, or devices, or components/subcomponents thereof, disclosed elsewhere herein. In other embodiments, a combination of computing device 602, network-based server infrastructure 670, and/or on-premises servers 692 may be used to implement the systems, clients, or devices, or components/subcomponents thereof, disclosed elsewhere herein.
As used herein, the terms “computer program medium,” “computer-readable medium,” and “computer-readable storage medium,” etc., are used to refer to physical hardware media. Examples of such physical hardware media include any hard disk, optical disk, SSD, other physical hardware media such as RAMs, ROMs, flash memory, digital video disks, zip disks, MEMs (microelectronic machine) memory, nanotechnology-based storage devices, and further types of physical/tangible hardware storage media of storage 620. Such computer-readable media and/or storage media are distinguished from and non-overlapping with communication media and propagating signals (do not include communication media and propagating signals). Communication media embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wireless media such as acoustic, RF, infrared and other wireless media, as well as wired media. Embodiments are also directed to such communication media that are separate and non-overlapping with embodiments directed to computer-readable storage media.
As noted above, computer programs and modules (including application programs 614) may be stored in storage 620. Such computer programs may also be received via wired interface(s) 680 and/or wireless modem(s) 660 over network 604. Such computer programs, when executed or loaded by an application, enable computing device 602 to implement features of embodiments discussed herein. Accordingly, such computer programs represent controllers of the computing device 602.
Embodiments are also directed to computer program products comprising computer code or instructions stored on any computer-readable medium or computer-readable storage medium. Such computer program products include the physical storage of storage 620 as well as further physical storage types.
In an embodiment, a method for error handling while establishing end-to-end encrypted communications with a client, the method comprises: receiving, at a reverse proxy of a cloud service, a client request that includes a resource identifier associated with an on-premises resource; determining, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource; transmitting, to an error handling service over a second transport-layer connection, an application layer request comprising error handling information, the error handling information enabling the error handling service to establish a secure communications channel with the client over the second transport layer connection and the first transport layer connection; receiving, from the error handling service, an encrypted response comprising an error message generated based at least on the error handling information; and forwarding, to the client, the encrypted response.
In an embodiment, the encrypted response is encrypted with security information associated with the on-premises resource.
In an embodiment, the security information comprises: a security certificate generated during onboarding of the on-premises resource, and stored at both a location accessible to the error handling service and at the on-premises resource.
In an embodiment, determining, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource comprises at least one of: determining that the on-premises resource is unreachable; determining that the resource identifier has expired; or determining that the resource identifier is invalid.
In an embodiment, the application layer request comprising error handling information comprises: a Hypertext Transfer Protocol Secure (HTTPS) or a Hypertext Transfer Protocol (HTTP) message containing at least one of: a hostname of the on-premises resource, the error message, or a correlation identifier.
In an embodiment, the on-premises resource comprises: a computing cluster associated with a customer of the cloud service and connected to the cloud service via a hybrid connection.
In an embodiment, the method further comprises: retrieving, by the error handling service, security information associated with the on-premises resource; generating, by the error handling service, the error message based on the error handling information; and encrypting, by the error handling service, the error message using the security information associated with the on-premises resource.
In an embodiment, a system for error handling while establishing end-to-end encrypted communications with a client comprises: a processor; a memory device comprising program code structured to cause the processor to: receive, at a reverse proxy of a cloud service, a client request that includes a resource identifier associated with an on-premises resource; determine, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource; transmit, to an error handling service over a second transport-layer connection, an application layer request comprising error handling information, the error handling information enabling the error handling service to establish a secure communications channel with the client over the second transport layer connection and the first transport layer connection; receive, from the error handling service, an encrypted response comprising an error message generated based at least on the error handling information; and forward, to the client, the encrypted response.
In an embodiment, the encrypted response is encrypted using security information associated with the on-premises resource.
In an embodiment, the security information comprises: a security certificate generated during onboarding of the on-premises resource, and stored at both a location accessible to the error handling service and at the on-premises resource.
In an embodiment, to determine, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource, the program code is structured to cause the processor to perform at least one of: determine that the on-premises resource is unreachable; determine that the resource identifier has expired; or determine that the resource identifier is invalid.
In an embodiment, the application layer request comprising error handling information comprises: a Hypertext Transfer Protocol Secure (HTTPS) or a Hypertext Transfer Protocol (HTTP) message containing at least one of: a hostname of the on-premises resource, the error message, or a correlation identifier.
In an embodiment, the on-premises resource comprises: a computing cluster associated with a customer of the cloud service and connected to the cloud service via a hybrid connection.
In an embodiment, the program code is further structured to cause the processor to: retrieve security information associated with the on-premises resource; generate the error message based on the error handling information; and encrypt the error message using the security information associated with the on-premises resource.
In an embodiment, a computer-readable storage medium comprises computer-executable instructions for error handling while establishing end-to-end encrypted communications with a client, the computer-executable instructions, when executed by a processor, cause the processor to: receive, at a reverse proxy of a cloud service, a client request that includes a resource identifier associated with an on-premises resource; determine, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource; transmit, to an error handling service over a second transport-layer connection, an application layer request comprising error handling information, the error handling information enabling the error handling service to establish a secure communications channel with the client over the second transport layer connection and the first transport layer connection; receive, from the error handling service, an encrypted response comprising an error message generated based at least on the error handling information; and forward, to the client, the encrypted response.
In an embodiment, the encrypted response is encrypted using security information associated with the on-premises resource.
In an embodiment, the security information comprises: a security certificate generated during onboarding of the on-premises resource, and stored at both a location accessible to the error handling service and at the on-premises resource.
In an embodiment, to determine, based at least on the resource identifier, that an error prevents forwarding of the client request to the on-premises resource, the instructions, when executed by the processor, cause the processor to perform at least one of: determine that the on-premises resource is unreachable; determine that the resource identifier has expired; or determine that the resource identifier is invalid.
In an embodiment, the application layer request comprising error handling information comprises: a Hypertext Transfer Protocol Secure (HTTPS) or a Hypertext Transfer Protocol (HTTP) message containing at least one of: a hostname of the on-premises resource, the error message, or a correlation identifier.
In an embodiment, the on-premises resource comprises: a computing cluster associated with a customer of the cloud service and connected to the cloud service via a hybrid connection.
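The following is an added example, written for this page and not code from the patent or from any cloud relay product, that models the error-handling flow described in the embodiments above: a reverse proxy receives a client request carrying a resource identifier, classifies why the request cannot be forwarded (unreachable, expired, or invalid), sends an application-layer request containing the hostname, an error message and a correlation identifier to an error handling service, and forwards the encrypted error response to the client. Everything here is an assumption for illustration: the resource registry and its identifiers are constructed; the per-resource channel key stands in for the security certificate generated at onboarding; and the HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the TLS-protected channel the error handling service would establish with the client. The function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Fixed "now" so the example is deterministic (constructed value).
NOW = 1_700_000_000


@dataclass
class OnboardedResource:
    """Record the cloud service keeps per on-premises resource after onboarding (hypothetical)."""
    hostname: str
    channel_key: bytes   # stands in for the onboarding certificate's key material (assumption)
    id_expires_at: int   # expiry of the resource identifier, Unix seconds
    reachable: bool      # result of the last hybrid-connection health check


# Constructed registry: one healthy resource, one with an expired identifier, one unreachable.
REGISTRY = {
    "res-0001": OnboardedResource("cluster-a.example.internal", secrets.token_bytes(32), NOW + 3600, True),
    "res-0002": OnboardedResource("cluster-b.example.internal", secrets.token_bytes(32), NOW - 60, True),
    "res-0003": OnboardedResource("cluster-c.example.internal", secrets.token_bytes(32), NOW + 3600, False),
}

ERROR_TEXT = {
    "unreachable": "The on-premises resource is currently unreachable.",
    "expired": "The resource identifier has expired.",
    "invalid": "The resource identifier is not valid.",
}


def classify_error(resource_id: str, registry=REGISTRY, now: int = NOW) -> Optional[str]:
    """Return why the request cannot be forwarded, or None when forwarding is possible."""
    resource = registry.get(resource_id)
    if resource is None:
        return "invalid"
    if now >= resource.id_expires_at:
        return "expired"
    if not resource.reachable:
        return "unreachable"
    return None


def build_error_handling_request(hostname: Optional[str], error_kind: str, correlation_id: str) -> dict:
    """Application-layer (HTTP) request the reverse proxy sends to the error handling service."""
    body = {"hostname": hostname, "error": ERROR_TEXT[error_kind], "correlationId": correlation_id}
    return {
        "method": "POST",
        "path": "/error",
        "headers": {"Content-Type": "application/json", "X-Correlation-Id": correlation_id},
        "body": json.dumps(body),
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for the channel cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with the correlation id bound as AAD."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext + aad, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered or mis-keyed blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def error_handling_service(request: dict, registry=REGISTRY) -> Optional[bytes]:
    """Generate the error message and encrypt it with the resource's security information."""
    body = json.loads(request["body"])
    correlation_id = request["headers"]["X-Correlation-Id"]
    resource = next((r for r in registry.values() if r.hostname == body["hostname"]), None)
    if resource is None:
        return None  # no onboarding security information exists for an unknown hostname
    message = json.dumps({"error": body["error"], "correlationId": correlation_id}).encode()
    return seal(resource.channel_key, message, correlation_id.encode())


def reverse_proxy(resource_id: str, registry=REGISTRY, now: int = NOW) -> tuple:
    """Return ("forward", hostname) or ("error", correlation_id, encrypted_response_or_None)."""
    error_kind = classify_error(resource_id, registry, now)
    if error_kind is None:
        return ("forward", registry[resource_id].hostname)
    correlation_id = secrets.token_hex(8)
    hostname = registry[resource_id].hostname if resource_id in registry else None
    request = build_error_handling_request(hostname, error_kind, correlation_id)
    return ("error", correlation_id, error_handling_service(request, registry))


def client_reads_error(resource_id: str, encrypted: bytes, correlation_id: str, registry=REGISTRY) -> dict:
    """Client side; holding the channel key models having completed the secure channel (assumption)."""
    return json.loads(open_sealed(registry[resource_id].channel_key, encrypted, correlation_id.encode()))


def response_is_authentic(resource_id: str, encrypted: bytes, correlation_id: str, registry=REGISTRY) -> bool:
    """True only when the tag verifies under the resource's key and this correlation id."""
    try:
        open_sealed(registry[resource_id].channel_key, encrypted, correlation_id.encode())
        return True
    except ValueError:
        return False
```

Two points the example makes explicit that the prose leaves implicit: an invalid identifier maps to no onboarded resource, so there is no security information with which to encrypt a response, and the correlation identifier is bound into the authenticated data, so a response cannot be replayed against a different client request without failing verification.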
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
In the discussion, unless otherwise stated, adjectives such as “substantially” and “about” modifying a condition or relationship characteristic of a feature or features of an embodiment of the disclosure, are understood to mean that the condition or characteristic is defined to within tolerances that are acceptable for operation of the embodiment for an application for which it is intended. Furthermore, where “based on” is used to indicate an effect being a result of an indicated cause, it is to be understood that the effect is not required to only result from the indicated cause, but that any number of possible additional causes may also contribute to the effect. Thus, as used herein, the term “based on” should be understood to be equivalent to the term “based at least on.”
While various embodiments of the present disclosure have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be understood by those skilled in the relevant art(s) that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. Accordingly, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.