Frp内网穿透


frp

参考链接:https://www.iplaysoft.com/frp.html

github项目地址:https://github.com/chiugui/frp

官网:https://gofrp.org

frp简介

概览

frp 是一个专注于内网穿透的高性能的反向代理应用,支持 TCP、UDP、HTTP、HTTPS 等多种协议。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网。

通过在具有公网 IP 的节点上部署 frp 服务端,可以轻松地将内网服务穿透到公网,同时提供诸多专业的功能特性,这包括:

  • 客户端服务端通信支持 TCP、KCP 以及 Websocket 等多种协议。
  • 采用 TCP 连接流式复用,在单个连接间承载更多请求,节省连接建立时间。
  • 代理组间的负载均衡。
  • 端口复用,多个服务通过同一个服务端端口暴露。
  • 多个原生支持的客户端插件(静态文件查看,HTTP、SOCK5 代理等),便于独立使用 frp 客户端完成某些工作。
  • 高度扩展性的服务端插件系统,方便结合自身需求进行功能扩展。
  • 服务端和客户端 UI 页面。

原理

frp 主要由 客户端(frpc)服务端(frps) 组成,服务端通常部署在具有公网 IP 的机器上,客户端通常部署在需要穿透的内网服务所在的机器上。

内网服务由于没有公网 IP,不能被非局域网内的其他用户访问。

用户通过访问服务端的 frps,由 frp 负责根据请求的端口或其他信息将请求路由到对应的内网机器,从而实现通信。

frp安装

安装环境

frp服务端

[root@frps frps]# hostnamectl
   Static hostname: frps
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 87926494fa2449c8b7adce9a64c5c70e
           Boot ID: 10391e2c5494451abddbc6329685c4d7
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1062.18.1.el7.x86_64
      Architecture: x86-64

frp客户端

[root@frps /opt/frpc]# hostnamectl
   Static hostname: frpc
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 7d3920cb5d75497a8862dd8e8e5e1c85
           Boot ID: 05e71273fdbb45a5af1bb9ea46297e59
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.el7.x86_64
      Architecture: x86-64

frp软件下载

找到github项目中的releases :https://github.com/fatedier/frp/releases ,下载对应主机的架构版本,此处我是x86_64位的系统,所以下载 [frp_0.34.1_linux_amd64.tar.gz]

解压缩下载的压缩包,将其中的 frpc 拷贝到内网服务所在的机器上,将 frps 拷贝到具有公网 IP 的机器上,放置在任意目录。

#服务端示例,客户端同理
[root@frps ~]# cd /opt/
[root@frps /opt]# wget https://github.com/fatedier/frp/releases/download/v0.34.1/frp_0.34.1_linux_amd64.tar.gz
[root@frps /opt]# tar xf frp_0.34.1_linux_amd64.tar.gz
[root@frps /opt]# ll
total 8376
drwxrwxr-x 3 mysql mysql     134 Sep 30 15:44 frp_0.34.1_linux_amd64
-rw-r--r-- 1 root  root  8576578 Oct 24 16:27 frp_0.34.1_linux_amd64.tar.gz
[root@frps /opt]# ln -s frp_0.34.1_linux_amd64 frps
[root@frps /opt]# cd frps
[root@frps /opt/frps]# ll
total 22608
-rwxrwxr-x 1 mysql mysql  9908224 Sep 30 15:38 frpc
-rw-rw-r-- 1 mysql mysql     7928 Sep 30 15:44 frpc_full.ini
-rw-rw-r-- 1 mysql mysql      126 Sep 30 15:44 frpc.ini
-rwxrwxr-x 1 mysql mysql 13205504 Sep 30 15:38 frps
-rw-rw-r-- 1 mysql mysql     4928 Sep 30 15:44 frps_full.ini
-rw-rw-r-- 1 mysql mysql       26 Sep 30 15:44 frps.ini
-rw-rw-r-- 1 mysql mysql    11358 Sep 30 15:44 LICENSE
drwxrwxr-x 2 mysql mysql       88 Sep 30 15:44 systemd

frp配置

FRP 默认提供了 2 个服务端配置文件,一个是简化版的 frps.ini,另一个是完整版的 frps_full.ini。初学者只需用简版配置即可,在简版 frps.ini 配置文件里,默认设置了监听端口为 7000,你可以按需修改它。

服务端

[root@frps frps]# cat frps.ini
[common]              #一些常用配置
bind_port = 7000     #frps监听的端口
vhost_https_port = 443  #支持虚拟主机的方式,此处为https,监听443端口
#vhost_http_port = 8080 #支持虚拟主机的方式,此处为http,监听8080端口

authentication_method = token    #客户端与服务端的认证方式为token
token = xxx                #token为xxx

#dashboard相关配置
dashboard_addr = 0.0.0.0        #监听的地址
dashboard_port = 7500            #监听端口
dashboard_user = admin            #dashboard的认证账号
dashboard_pwd = admin            #dashboard的认证密码
#以上各个端口不能冲突

客户端

[root@frpc /opt/frpc]# cat frpc.ini
[common]        #连接服务端的配置
server_addr = frp.chongking.com    #此处为服务端ip或解析到服务端的域名
server_port = 7000                #服务端监听的端口
token = xxx                #认证token,同服务端token

#以下为需要代理的服务
[ssh]                #名称自定义
type = tcp            #代理的类型 tcp | udp | http | https | stcp | xtcp, default is tcp
local_ip = 127.0.0.1 #需要代理的主机
local_port = 22         #需要代理的端口
remote_port = 6000     #此服务在服务端的端口,此端口将会在服务端监听.

[mysql]
type = tcp
local_ip = 127.0.0.1
local_port = 3306
remote_port = 3306

[web01]
type = https                #代理的协议为https
local_ip = 192.168.199.153    #需要代理的主机为其它主机
local_port = 5001
custom_domains = frp.chongking.com #访问此域名的https服务将会被代理到此服务上

启动frp服务

编写好配置文件后,先通过 ./frps -c ./frps.ini 启动服务端,再通过 ./frpc -c ./frpc.ini 启动客户端。如果需要在后台长期运行,建议结合其他工具使用,例如 systemdsupervisior

#退出终端,并且放后台运行

#服务端
nohup ./frps -c ./frps.ini &

#客户端
nohup ./frpc -c ./frpc.ini &

如果是 Windows 用户,需要在 cmd 终端中执行命令。

查看服务

服务端

监听的端口

[root@frps frps]# netstat -lntup |grep frps
tcp6       0      0 :::7000                 :::*                    LISTEN      19339/./frps
tcp6       0      0 :::443                  :::*                    LISTEN      19339/./frps
tcp6       0      0 :::3306                 :::*                    LISTEN      19339/./frps
tcp6       0      0 :::7500                 :::*                    LISTEN      19339/./frps
tcp6       0      0 :::6000                 :::*                    LISTEN      19339/./frps

可以发现客户端配置ssh中的remote_port=6000端口,在服务端监听了

[root@frps frps]# ps -ef|grep frps
root     19339  1110  0 19:59 pts/0    00:00:00 ./frps -c ./frps.ini
root     32473  1110  0 20:40 pts/0    00:00:00 grep --color=auto frps

客户端

[root@frpc /opt/frpc]# ps -ef|grep frpc
root      29125   7503  0 20:00 pts/0    00:00:00 ./frpc -c ./frpc.ini
root      35987   7503  0 20:40 pts/0    00:00:00 grep --color=auto frpc

查询监听端口的另一种方式

[root@frps frps]# lsof -i:5022
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    1106 root    3u  IPv4 4902607      0t0  TCP frps:mice->27.10.193.68:61246 (ESTABLISHED)
sshd    1108 root    3u  IPv4 4902692      0t0  TCP frps:mice->27.10.193.68:61247 (ESTABLISHED)
sshd    4803 root    3u  IPv4  600770      0t0  TCP *:mice (LISTEN)
[root@frps frps]# lsof -i:80
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    6027  root    6u  IPv4 277946      0t0  TCP *:http (LISTEN)
nginx   18250 nginx    6u  IPv4 277946      0t0  TCP *:http (LISTEN)

验证

浏览器访问 https://frp.chongking.com 最终放到的是我局域网中的https://192.168.199.153:5001 的nas web

ssh -p 6000 frp.chongking.com 最终访问到的是我局域网中安装了frpc服务器的ssh 22 服务

mysql -uroot -hfrp.chongking.com -p123456 -P 3306 最终访问到的是我局域网中安装了frpc服务器的数据库3306端口

登录dashboard

http://frp.chongking.com:7500 账号:admin 密码:admin


官方配置文件解释

服务端

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
bind_addr = 0.0.0.0
bind_port = 7000

# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001

# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
kcp_bind_port = 7000

# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1

# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443

# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60

# TcpMuxHttpConnectPort specifies the port that the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmux_httpconnect_port = 1337

# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500

# dashboard user and passwd for basic auth protect, if not set, both default value is admin
dashboard_user = admin
dashboard_pwd = admin

# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
enable_prometheus = true

# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailed_errors_to_client = true

# AuthenticationMethod specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
authentication_method = token

# AuthenticateHeartBeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false

# AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false

# auth token
token = 12345678

# OidcClientId specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_id =

# OidcClientSecret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_secret = 

# OidcAudience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_audience = 

# OidcTokenEndpointUrl specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
oidc_token_endpoint_url = 

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90
# heartbeat_timeout = 90

# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 2000-3000,3001,3003,4000-50000

# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5

# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0

# TlsOnly specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls_only = false

# tls_cert_file = server.crt
# tls_key_file = server.key
# tls_trusted_ca_file = ca.crt

# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = frps.com

# if tcp stream multiplexing is used, default is true
tcp_mux = true

# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

[plugin.user-manager]
addr = 127.0.0.1:9000
path = /handler
ops = Login

[plugin.port-manager]
addr = 127.0.0.1:9001
path = /handler
ops = NewProxy

客户端

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
server_addr = 0.0.0.0
server_port = 7000

# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# http_proxy = ntlm://user:passwd@192.168.1.128:2080

# console or real logFile path like ./frpc.log
log_file = ./frpc.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# for authentication
token = 12345678

# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static

# connections will be established in advance, default value is zero
pool_count = 5

# if tcp stream multiplexing is used, default is true, it must be same with frps
tcp_mux = true

# your proxy name will be changed to {user}.{proxy}
user = your_name

# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true

# communication protocol used to connect to server
# now it supports tcp, kcp and websocket, default is tcp
protocol = tcp

# if tls_enable is true, frpc will connect frps by tls
tls_enable = true

# tls_cert_file = client.crt
# tls_key_file = client.key
# tls_trusted_ca_file = ca.crt

# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8

# proxy names you want to start seperated by ','
# default is empty, means all proxies
# start = ssh,dns

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
# heartbeat_interval = 30
# heartbeat_timeout = 90

# additional meta info for client
meta_var1 = 123
meta_var2 = 234

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# limit bandwidth for this proxy, unit is KB and MB
bandwidth_limit = 1MB
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
# additional meta info for each proxy
meta_var1 = 123
meta_var2 = 234

[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0

# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false

[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false

[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false

# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
subdomain = web01
custom_domains = web02.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3

[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2

[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock

[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc

[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false

[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false

[tcpmuxhttpconnect]
type = tcpmux
multiplexer = httpconnect
local_ip = 127.0.0.1
local_port = 10701
custom_domains = tunnel1

声明:鹅石壳儿|版权所有,违者必究|如未注明,均为原创|本网站采用BY-NC-SA协议进行授权

转载:转载请注明原文链接 - Frp内网穿透


Just Do IT !