1. Field of the Invention
The present invention relates to an address translating program, an address translating method, and an address translating apparatus which are applied to client-server communications, and more particularly to an address translating program, an address translating method, and an address translating apparatus for translating the addresses of packets transmitted and received via a proxy server.
2. Description of the Related Art
Generally, a proxy server is placed between an in-office network and the Internet outside the office. The proxy server relays packets that are transmitted and received between a client on the in-office network and a server on the Internet. A packet that is sent to the Internet is given the IP (Internet Protocol) address of the proxy server as its source address.
When the client gains access through the proxy server, it is possible to conceal the IP address of the client machine from the server. Therefore, the proxy server is installed to ensure security at the time the client is connected to the Internet.
FIG. 27 of the accompanying drawings is a block diagram showing a first example of a communication session via a conventional proxy server. As shown in FIG. 27, when an attempt is made by a client 911 to access a server 913 via a proxy server 912, the IP address of the client 911 is set as a source address in a first zone between the client 911 and the proxy server 912. The IP address of the proxy server 912 is set as a destination address in the first zone. In a second zone between the proxy server 912 and the server 913, the IP address of the proxy server 912 is set as a source address. The IP address of the server 913 is set as a destination address in the second zone. In this manner, the IP address of the client 911 is concealed from the server 913.
The proxy server 912 is also used for caching application data and centralizing authentication, in addition to ensuring security for Internet connections. The proxy server 912 is also used for those purposes when access is made to a server on an intranet. When a server on an intranet is accessed, the server 913 uses the IP address of the client 911 for access control, contents control, and session management, and also records the IP address in its log to keep track of access activity. For accessing a server on an intranet, therefore, it is desirable to inform the server 913 of the IP address of the client 911, rather than concealing the IP address of the client 911 as when accessing the Internet.
However, when the server 913 is accessed via the proxy server 912, the source address that is sent to the server 913 is the IP address of the proxy server 912, not the IP address of the client 911. Therefore, the server 913 is unable to recognize the IP address of the client 911.
For this reason, some proxy servers have a function to store the IP address of the client 911 in application data and send the application data to the server 913. The server 913 analyzes the IP address of the client 911 in the application data, and uses it for access control, etc. According to the HTTP (HyperText Transfer Protocol), the IP address of the client 911 is stored in the application data, using an HTTP header (e.g., the X-Client-IP header or the X-Forwarded-For header).
FIG. 28 of the accompanying drawings is a block diagram showing a second example of a communication session via a conventional proxy server. As shown in FIG. 28, when an attempt is made by a client 911 to access a server 913 via a proxy server 912, the IP address of the client 911 is set as a source address in a first zone between the client 911 and the proxy server 912. The IP address of the proxy server 912 is set as a destination address in the first zone. In a second zone between the proxy server 912 and the server 913, the IP address of the proxy server 912 is set as a source address. The IP address of the server 913 is set as a destination address in the second zone.
When a packet is transmitted in the second zone, the proxy server 912 stores the IP address of the client 911 in the X-Client-IP header and sends it to the server 913. The server 913 can recognize the IP address of the client 911 by analyzing the X-Client-IP header in the HTTP header.
If packet filtering is performed by the proxy server 912, then it is possible for the proxy server 912 to guard against an attack that is made from the outside (the second zone in FIGS. 27 and 28) on the inside (the first zone in FIGS. 27 and 28) (see “Building Internet Firewalls 2nd Edition <VOLUME1>—Theory and Practice” written by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, published by O'Reilly Japan, Dec. 25, 2002, p. 122-127, p. 179-183).
In order for the server 913 to recognize the IP address of the client 911 when an access is made via the proxy server 912, the server 913 needs to analyze the application data and read the IP address of the client 911 that is stored in the application data. Since the server 913 also receives packets that do not pass through the proxy server 912, it is necessary for the server 913 to distinguish an access that is made via the proxy server 912 from an access that is not, and to process the two separately.
However, because the many servers that exist on the Internet are run by different administrators, it is difficult to install the above identifying and processing capability in all the servers on the Internet.
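The identifying and processing step that the server 913 would need is sketched below as an added example; it is not part of the original document. The function names, the trusted-proxy list, and the sample requests are constructed for illustration, and the proxy is assumed to append or overwrite the client-IP header.

```python
import ipaddress

# Assumptions (constructed): one trusted proxy that appends or overwrites
# the client-IP header; the address is from the RFC 5737 documentation range.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}
CLIENT_IP_HEADERS = ("x-client-ip", "x-forwarded-for")


def parse_headers(raw_request: bytes) -> dict:
    """Parse an HTTP/1.x header block; repeated headers are comma-joined."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            value = value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def resolve_client_ip(peer_ip: str, raw_request: bytes) -> tuple:
    """Return (client_ip, via_proxy); peer_ip is the packet source address."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Access not via the proxy: the source address is the client, and any
        # client-IP header is sender-controlled, so it is ignored.
        return str(peer), False
    headers = parse_headers(raw_request)
    for name in CLIENT_IP_HEADERS:
        # The rightmost entry is the one written by the trusted proxy.
        candidate = headers.get(name, "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate)), True
        except ValueError:
            continue  # header absent or malformed: try the next one
    return str(peer), True  # via proxy, but no usable client address


# Constructed sample requests.
VIA_PROXY = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Client-IP: 10.0.0.5\r\n\r\n"
SPOOFED = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n"

if __name__ == "__main__":
    print(resolve_client_ip("192.0.2.10", VIA_PROXY))   # relayed by the proxy
    print(resolve_client_ip("198.51.100.7", SPOOFED))   # direct, header ignored
```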