mirror of
https://github.com/fatedier/frp.git
synced 2024-12-15 19:21:01 +01:00
commit
b8082e6e08
21
.github/ISSUE_TEMPLATE
vendored
21
.github/ISSUE_TEMPLATE
vendored
@ -1,21 +1,26 @@
|
||||
Issue is only used for submiting bug report and documents typo. If there are same issues or answers can be found in documents, we will close it directly.
|
||||
|
||||
Please answer these questions before submitting your issue. Thanks!
|
||||
Use the commands below to provide key information from your environment:
|
||||
You do NOT have to include this information if this is a FEATURE REQUEST
|
||||
|
||||
1. What did you do?
|
||||
If possible, provide a recipe for reproducing the error.
|
||||
**What version of frp are you using (./frpc -v or ./frps -v)?**
|
||||
|
||||
|
||||
2. What did you expect to see?
|
||||
**What operating system and processor architecture are you using (`go env`)?**
|
||||
|
||||
|
||||
**Steps to reproduce the issue:**
|
||||
1.
|
||||
2.
|
||||
3.
|
||||
|
||||
3. What did you see instead?
|
||||
**Describe the results you received:**
|
||||
|
||||
|
||||
|
||||
4. What version of frp are you using (./frpc -v or ./frps -v)?
|
||||
**Describe the results you expected:**
|
||||
|
||||
|
||||
**Additional information you deem important (e.g. issue happens only occasionally):**
|
||||
|
||||
5. Can you point out what caused this issue (optional)?
|
||||
|
||||
**Can you point out what caused this issue (optional)**
|
||||
|
181
README.md
181
README.md
@ -15,7 +15,7 @@ frp is a fast reverse proxy to help you expose a local server behind a NAT or fi
|
||||
* [Status](#status)
|
||||
* [Architecture](#architecture)
|
||||
* [Example Usage](#example-usage)
|
||||
* [Communicate with your computer in LAN by SSH](#communicate-with-your-computer-in-lan-by-ssh)
|
||||
* [Access your computer in LAN by SSH](#access-your-computer-in-lan-by-ssh)
|
||||
* [Visit your web service in LAN by custom domains](#visit-your-web-service-in-lan-by-custom-domains)
|
||||
* [Forward DNS query request](#forward-dns-query-request)
|
||||
* [Features](#features)
|
||||
@ -25,6 +25,7 @@ frp is a fast reverse proxy to help you expose a local server behind a NAT or fi
|
||||
* [Reload configures without frps stopped](#reload-configures-without-frps-stopped)
|
||||
* [Privilege Mode](#privilege-mode)
|
||||
* [Port White List](#port-white-list)
|
||||
* [TCP Stream Multiplexing](#tcp-stream-multiplexing)
|
||||
* [Connection Pool](#connection-pool)
|
||||
* [Rewriting the Host Header](#rewriting-the-host-header)
|
||||
* [Password protecting your web service](#password-protecting-your-web-service)
|
||||
@ -36,15 +37,13 @@ frp is a fast reverse proxy to help you expose a local server behind a NAT or fi
|
||||
* [Donation](#donation)
|
||||
* [AliPay](#alipay)
|
||||
* [Paypal](#paypal)
|
||||
* [Contributors](#contributors)
|
||||
|
||||
<!-- vim-markdown-toc -->
|
||||
|
||||
## What can I do with frp?
|
||||
|
||||
* Expose any http and https service behind a NAT or firewall to the internet by a server with public IP address(Name-based Virtual Host Support).
|
||||
* Expose any tcp service behind a NAT or firewall to the internet by a server with public IP address.
|
||||
* Inspect all http requests/responses that are transmitted over the tunnel(future).
|
||||
* Expose any tcp or udp service behind a NAT or firewall to the internet by a server with public IP address.
|
||||
|
||||
## Status
|
||||
|
||||
@ -64,37 +63,33 @@ Put **frps** and **frps.ini** to your server with public IP.
|
||||
|
||||
Put **frpc** and **frpc.ini** to your server in LAN.
|
||||
|
||||
### Communicate with your computer in LAN by SSH
|
||||
### Access your computer in LAN by SSH
|
||||
|
||||
1. Modify frps.ini, configure a reverse proxy named [ssh]:
|
||||
1. Modify frps.ini:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
|
||||
[ssh]
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. Start frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. Modify frpc.ini, set remote frps's server IP as x.x.x.x:
|
||||
3. Modify frpc.ini, `server_addr` is your frps's server IP:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[ssh]
|
||||
type = tcp
|
||||
local_ip = 127.0.0.1
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
4. Start frpc:
|
||||
@ -111,18 +106,13 @@ Sometimes we want to expose a local web service behind a NAT network to others f
|
||||
|
||||
However, we can expose a http or https service using frp.
|
||||
|
||||
1. Modify frps.ini, configure a http reverse proxy named [web] and set http port as 8080, custom domain as `www.yourdomain.com`:
|
||||
1. Modify frps.ini, configure http port 8080:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
vhost_http_port = 8080
|
||||
|
||||
[web]
|
||||
type = http
|
||||
custom_domains = www.yourdomain.com
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. Start frps:
|
||||
@ -136,11 +126,11 @@ However, we can expose a http or https service using frp.
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[web]
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = www.yourdomain.com
|
||||
```
|
||||
|
||||
4. Start frpc:
|
||||
@ -159,11 +149,6 @@ However, we can expose a http or https service using frp.
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
|
||||
[dns]
|
||||
type = udp
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. Start frps:
|
||||
@ -177,12 +162,12 @@ However, we can expose a http or https service using frp.
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[dns]
|
||||
type = udp
|
||||
local_ip = 8.8.8.8
|
||||
local_port = 53
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
4. Start frpc:
|
||||
@ -215,121 +200,58 @@ Then visit `http://[server_addr]:7500` to see dashboard, default username and pa
|
||||
|
||||
### Authentication
|
||||
|
||||
`auth_token` in frps.ini is configured for each proxy and check for authentication when frpc login in.
|
||||
Since v0.10.0, you only need to set `privilege_token` in frps.ini and frpc.ini.
|
||||
|
||||
Client that want's to register must set a global `auth_token` equals to frps.ini.
|
||||
|
||||
Note that time duration between frpc and frps mustn't exceed 15 minutes because timestamp is used for authentication.
|
||||
Note that time duration between server of frpc and frps mustn't exceed 15 minutes because timestamp is used for authentication.
|
||||
|
||||
Howerver, this timeout duration can be modified by setting `authentication_timeout` in frps's configure file. It's defalut value is 900, means 15 minutes. If it is equals 0, then frps will not check authentication timeout.
|
||||
|
||||
### Encryption and Compression
|
||||
|
||||
Defalut value is false, you could decide if the proxy will use encryption or compression whether the type is:
|
||||
Defalut value is false, you could decide if the proxy will use encryption or compression:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[ssh]
|
||||
type = tcp
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
use_encryption = true
|
||||
use_gzip = true
|
||||
use_compression = true
|
||||
```
|
||||
|
||||
### Reload configures without frps stopped
|
||||
|
||||
If you want to add a new reverse proxy and avoid restarting frps, you can use this function:
|
||||
|
||||
1. `dashboard_port` should be set in frps.ini:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
dashboard_port = 7500
|
||||
```
|
||||
|
||||
2. Start frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. Modify frps.ini to add a new proxy [new_ssh]:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
dashboard_port = 7500
|
||||
|
||||
[new_ssh]
|
||||
listen_port = 6001
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
4. Execute `reload` command:
|
||||
|
||||
`./frps -c ./frps.ini --reload`
|
||||
|
||||
5. Start frpc and [new_ssh] is available now.
|
||||
This feature is removed since v0.10.0.
|
||||
|
||||
### Privilege Mode
|
||||
|
||||
Privilege mode is used for who don't want to do operations in frps everytime adding a new proxy.
|
||||
|
||||
All proxies's configurations are set in frpc.ini when privilege mode is enabled.
|
||||
|
||||
1. Enable privilege mode and set `privilege_token`.Client with the same `privilege_token` can create proxy automaticly:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
privilege_mode = true
|
||||
privilege_token = 1234
|
||||
```
|
||||
|
||||
2. Start frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. Enable privilege mode for proxy [ssh]:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
privilege_token = 1234
|
||||
|
||||
[ssh]
|
||||
privilege_mode = true
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
4. Start frpc:
|
||||
|
||||
`./frpc -c ./frpc.ini`
|
||||
|
||||
5. Connect to server in LAN by ssh assuming username is test:
|
||||
|
||||
`ssh -oPort=6000 test@x.x.x.x`
|
||||
Privilege mode is the default and only mode support in frp since v0.10.0. All proxy configurations are set in client.
|
||||
|
||||
#### Port White List
|
||||
|
||||
`privilege_allow_ports` in frps.ini is used for preventing abuse of ports in privilege mode:
|
||||
`privilege_allow_ports` in frps.ini is used for preventing abuse of ports:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
privilege_mode = true
|
||||
privilege_token = 1234
|
||||
privilege_allow_ports = 2000-3000,3001,3003,4000-50000
|
||||
```
|
||||
|
||||
`privilege_allow_ports` consists of a specific port or a range of ports divided by `,`.
|
||||
|
||||
### TCP Stream Multiplexing
|
||||
|
||||
frp support tcp stream multiplexing since v0.10.0 like HTTP2 Multiplexing. All user requests to same frpc can use only one tcp connection.
|
||||
|
||||
You can disable this feature by modify frps.ini and frpc.ini:
|
||||
|
||||
```ini
|
||||
# frps.ini and frpc.ini, must be same
|
||||
[common]
|
||||
tcp_mux = false
|
||||
```
|
||||
|
||||
### Connection Pool
|
||||
|
||||
By default, frps send message to frpc for create a new connection to backward service when getting an user request.If a proxy's connection pool is enabled, there will be a specified number of connections pre-established.
|
||||
@ -338,30 +260,27 @@ This feature is fit for a large number of short connections.
|
||||
|
||||
1. Configure the limit of pool count each proxy can use in frps.ini:
|
||||
|
||||
```ini
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
max_pool_count = 50
|
||||
max_pool_count = 5
|
||||
```
|
||||
|
||||
2. Enable and specify the number of connection pool:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[ssh]
|
||||
type = tcp
|
||||
local_port = 22
|
||||
pool_count = 10
|
||||
[common]
|
||||
pool_count = 1
|
||||
```
|
||||
|
||||
### Rewriting the Host Header
|
||||
|
||||
When forwarding to a local port, frp does not modify the tunneled HTTP requests at all, they are copied to your server byte-for-byte as they are received. Some application servers use the Host header for determining which development site to display. For this reason, frp can rewrite your requests with a modified Host header. Use the `host_header_rewrite` switch to rewrite incoming HTTP requests.
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = test.yourdomain.com
|
||||
@ -376,12 +295,11 @@ Anyone who can guess your tunnel URL can access your local web server unless you
|
||||
|
||||
This enforces HTTP Basic Auth on all requests with the username and password you specify in frpc's configure file.
|
||||
|
||||
It can be only enabled when proxy type is http.
|
||||
It can only be enabled when proxy type is http.
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = test.yourdomain.com
|
||||
@ -389,7 +307,7 @@ http_user = abc
|
||||
http_pwd = abc
|
||||
```
|
||||
|
||||
Visit `test.yourdomain.com` and now you need to input username and password.
|
||||
Visit `http://test.yourdomain.com` and now you need to input username and password.
|
||||
|
||||
### Custom subdomain names
|
||||
|
||||
@ -405,7 +323,6 @@ Resolve `*.frps.com` to the frps server's IP.
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
subdomain = test
|
||||
@ -424,14 +341,12 @@ frp support forward http requests to different backward web services by url rout
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web01]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = web.yourdomain.com
|
||||
locations = /
|
||||
|
||||
[web02]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 81
|
||||
custom_domains = web.yourdomain.com
|
||||
@ -455,11 +370,12 @@ http_proxy = http://user:pwd@192.168.1.128:8080
|
||||
* Log http request information in frps.
|
||||
* Direct reverse proxy, like haproxy.
|
||||
* Load balance to different service in frpc.
|
||||
* Debug mode for frpc, prestent proxy status in terminal.
|
||||
* Inspect all http requests/responses that are transmitted over the tunnel.
|
||||
* Frpc can directly be a webserver for static files.
|
||||
* Full control mode, dynamically modify frpc's configure with dashboard in frps.
|
||||
* P2p communicate by make udp hole to penetrate NAT.
|
||||
* Client Plugin (http proxy).
|
||||
* kubernetes ingress support.
|
||||
|
||||
|
||||
## Contributing
|
||||
|
||||
@ -485,16 +401,3 @@ frp QQ group: 606194980
|
||||
### Paypal
|
||||
|
||||
Donate money by [paypal](https://www.paypal.me/fatedier) to my account **fatedier@gmail.com**.
|
||||
|
||||
## Contributors
|
||||
|
||||
* [fatedier](https://github.com/fatedier)
|
||||
* [Hurricanezwf](https://github.com/Hurricanezwf)
|
||||
* [Pan Hao](https://github.com/vashstorm)
|
||||
* [Danping Mao](https://github.com/maodanp)
|
||||
* [Eric Larssen](https://github.com/ericlarssen)
|
||||
* [Damon Zhao](https://github.com/se77en)
|
||||
* [Manfred Touron](https://github.com/moul)
|
||||
* [xuebing1110](https://github.com/xuebing1110)
|
||||
* [Anbitioner](https://github.com/bingtianbaihua)
|
||||
* [LitleCarl](https://github.com/LitleCarl)
|
||||
|
202
README_zh.md
202
README_zh.md
@ -4,7 +4,7 @@
|
||||
|
||||
[README](README.md) | [中文文档](README_zh.md)
|
||||
|
||||
frp 是一个高性能的反向代理应用,可以帮助您轻松地进行内网穿透,对外网提供服务,支持 tcp, udp, http, https 等协议类型,并且 web 服务支持根据域名进行路由转发。
|
||||
frp 是一个可用于内网穿透的高性能的反向代理应用,支持 tcp, udp, http, https 协议。
|
||||
|
||||
## 目录
|
||||
|
||||
@ -23,33 +23,34 @@ frp 是一个高性能的反向代理应用,可以帮助您轻松地进行内
|
||||
* [服务器端热加载配置文件](#服务器端热加载配置文件)
|
||||
* [特权模式](#特权模式)
|
||||
* [端口白名单](#端口白名单)
|
||||
* [TCP 多路复用](#tcp-多路复用)
|
||||
* [连接池](#连接池)
|
||||
* [修改 Host Header](#修改-host-header)
|
||||
* [通过密码保护你的 web 服务](#通过密码保护你的-web-服务)
|
||||
* [自定义二级域名](#自定义二级域名)
|
||||
* [URL 路由](#url-路由)
|
||||
* [通过 HTTP PROXY 连接 frps](#通过-http-proxy-连接-frps)
|
||||
* [通过代理连接 frps](#通过代理连接-frps)
|
||||
* [开发计划](#开发计划)
|
||||
* [为 frp 做贡献](#为-frp-做贡献)
|
||||
* [捐助](#捐助)
|
||||
* [支付宝扫码捐赠](#支付宝扫码捐赠)
|
||||
* [Paypal 捐赠](#paypal-捐赠)
|
||||
* [贡献者](#贡献者)
|
||||
|
||||
<!-- vim-markdown-toc -->
|
||||
|
||||
## frp 的作用
|
||||
|
||||
* 利用处于内网或防火墙后的机器,对外网环境提供 http 或 https 服务。
|
||||
* 对于 http 服务支持基于域名的虚拟主机,支持自定义域名绑定,使多个域名可以共用一个80端口。
|
||||
* 利用处于内网或防火墙后的机器,对外网环境提供 tcp 服务,例如在家里通过 ssh 访问处于公司内网环境内的主机。
|
||||
* 可查看通过代理的所有 http 请求和响应的详细信息。(待开发)
|
||||
* 对于 http, https 服务支持基于域名的虚拟主机,支持自定义域名绑定,使多个域名可以共用一个80端口。
|
||||
* 利用处于内网或防火墙后的机器,对外网环境提供 tcp 和 udp 服务,例如在家里通过 ssh 访问处于公司内网环境内的主机。
|
||||
|
||||
## 开发状态
|
||||
|
||||
frp 目前正在前期开发阶段,master 分支用于发布稳定版本,dev 分支用于开发,您可以尝试下载最新的 release 版本进行测试。
|
||||
frp 仍然处于前期开发阶段,未经充分测试与验证,不推荐用于生产环境。
|
||||
|
||||
**目前的交互协议可能随时改变,不能保证向后兼容,升级新版本时需要注意公告说明。**
|
||||
master 分支用于发布稳定版本,dev 分支用于开发,您可以尝试下载最新的 release 版本进行测试。
|
||||
|
||||
**目前的交互协议可能随时改变,不保证向后兼容,升级新版本时需要注意公告说明同时升级服务端和客户端。**
|
||||
|
||||
## 架构
|
||||
|
||||
@ -59,40 +60,37 @@ frp 目前正在前期开发阶段,master 分支用于发布稳定版本,dev
|
||||
|
||||
根据对应的操作系统及架构,从 [Release](https://github.com/fatedier/frp/releases) 页面下载最新版本的程序。
|
||||
|
||||
将 **frps** 及 **frps.ini** 放到有公网 IP 的机器上。
|
||||
将 **frps** 及 **frps.ini** 放到具有公网 IP 的机器上。
|
||||
|
||||
将 **frpc** 及 **frpc.ini** 放到处于内网环境的机器上。
|
||||
|
||||
### 通过 ssh 访问公司内网机器
|
||||
|
||||
1. 修改 frps.ini 文件,配置一个名为 ssh 的反向代理:
|
||||
1. 修改 frps.ini 文件,这里使用了最简化的配置:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
|
||||
[ssh]
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. 启动 frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. 修改 frpc.ini 文件,设置 frps 所在服务器的 IP 为 x.x.x.x;
|
||||
3. 修改 frpc.ini 文件,假设 frps 所在服务器的公网 IP 为 x.x.x.x;
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[ssh]
|
||||
type = tcp
|
||||
local_ip = 127.0.0.1
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
4. 启动 frpc:
|
||||
@ -107,36 +105,31 @@ frp 目前正在前期开发阶段,master 分支用于发布稳定版本,dev
|
||||
|
||||
有时想要让其他人通过域名访问或者测试我们在本地搭建的 web 服务,但是由于本地机器没有公网 IP,无法将域名解析到本地的机器,通过 frp 就可以实现这一功能,以下示例为 http 服务,https 服务配置方法相同, vhost_http_port 替换为 vhost_https_port, type 设置为 https 即可。
|
||||
|
||||
1. 修改 frps.ini 文件,配置一个名为 web 的 http 反向代理,设置 http 访问端口为 8080,绑定自定义域名 `www.yourdomain.com`:
|
||||
1. 修改 frps.ini 文件,设置 http 访问端口为 8080:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
vhost_http_port = 8080
|
||||
|
||||
[web]
|
||||
type = http
|
||||
custom_domains = www.yourdomain.com
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. 启动 frps;
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. 修改 frpc.ini 文件,设置 frps 所在的服务器的 IP 为 x.x.x.x,local_port 为本地机器上 web 服务对应的端口:
|
||||
3. 修改 frpc.ini 文件,假设 frps 所在的服务器的 IP 为 x.x.x.x,local_port 为本地机器上 web 服务对应的端口, 绑定自定义域名 `www.yourdomain.com`:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[web]
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = www.yourdomain.com
|
||||
```
|
||||
|
||||
4. 启动 frpc:
|
||||
@ -151,17 +144,12 @@ frp 目前正在前期开发阶段,master 分支用于发布稳定版本,dev
|
||||
|
||||
DNS 查询请求通常使用 UDP 协议,frp 支持对内网 UDP 服务的穿透,配置方式和 TCP 基本一致。
|
||||
|
||||
1. 修改 frps.ini 文件,配置一个名为 dns 的反向代理:
|
||||
1. 修改 frps.ini 文件:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
|
||||
[dns]
|
||||
type = udp
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
2. 启动 frps:
|
||||
@ -175,12 +163,12 @@ DNS 查询请求通常使用 UDP 协议,frp 支持对内网 UDP 服务的穿
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
|
||||
[dns]
|
||||
type = udp
|
||||
local_ip = 8.8.8.8
|
||||
local_port = 53
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
4. 启动 frpc:
|
||||
@ -202,7 +190,7 @@ DNS 查询请求通常使用 UDP 协议,frp 支持对内网 UDP 服务的穿
|
||||
```ini
|
||||
[common]
|
||||
dashboard_port = 7500
|
||||
# dashboard 用户名密码可选,默认都为 admin
|
||||
# dashboard 用户名密码,默认都为 admin
|
||||
dashboard_user = admin
|
||||
dashboard_pwd = admin
|
||||
```
|
||||
@ -213,9 +201,7 @@ dashboard_pwd = admin
|
||||
|
||||
### 身份验证
|
||||
|
||||
出于安全性的考虑,服务器端可以在 frps.ini 中为每一个代理设置一个 auth_token 用于对客户端连接进行身份验证,例如上文中的 [ssh] 和 [web] 两个代理的 auth_token 都为 123。
|
||||
|
||||
客户端需要在 frpc.ini 中配置自己的 auth_token,与服务器中的配置一致才能正常运行。
|
||||
从 v0.10.0 版本开始,所有 proxy 配置全部放在客户端(也就是之前版本的特权模式),服务端和客户端的 common 配置中的 `privilege_token` 参数一致则身份验证通过。
|
||||
|
||||
需要注意的是 frpc 所在机器和 frps 所在机器的时间相差不能超过 15 分钟,因为时间戳会被用于加密验证中,防止报文被劫持后被其他人利用。
|
||||
|
||||
@ -223,141 +209,74 @@ dashboard_pwd = admin
|
||||
|
||||
### 加密与压缩
|
||||
|
||||
这两个功能默认是不开启的,需要在 frpc.ini 中通过配置来为指定的代理启用加密与压缩的功能,无论类型是 tcp, http 还是 https:
|
||||
这两个功能默认是不开启的,需要在 frpc.ini 中通过配置来为指定的代理启用加密与压缩的功能,压缩算法使用 snappy:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[ssh]
|
||||
type = tcp
|
||||
listen_port = 6000
|
||||
auth_token = 123
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
use_encryption = true
|
||||
use_gzip = true
|
||||
use_compression = true
|
||||
```
|
||||
|
||||
如果公司内网防火墙对外网访问进行了流量识别与屏蔽,例如禁止了 ssh 协议等,通过设置 `use_encryption = true`,将 frpc 与 frps 之间的通信内容加密传输,将会有效防止流量被拦截。
|
||||
|
||||
如果传输的报文长度较长,通过设置 `use_gzip = true` 对传输内容进行压缩,可以有效减小 frpc 与 frps 之间的网络流量,加快流量转发速度,但是会额外消耗一些 cpu 资源。
|
||||
如果传输的报文长度较长,通过设置 `use_compression = true` 对传输内容进行压缩,可以有效减小 frpc 与 frps 之间的网络流量,加快流量转发速度,但是会额外消耗一些 cpu 资源。
|
||||
|
||||
### 服务器端热加载配置文件
|
||||
|
||||
当需要新增一个 frpc 客户端时,为了避免将 frps 重启,可以使用 reload 命令重新加载配置文件。
|
||||
|
||||
reload 命令仅能用于修改代理的配置内容,[common] 内的公共配置信息无法修改。
|
||||
|
||||
1. 首先需要在 frps.ini 中指定 dashboard_port:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
dashboard_port = 7500
|
||||
```
|
||||
|
||||
2. 启动 frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. 修改 frps.ini 增加一个新的代理 [new_ssh]:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
dashboard_port = 7500
|
||||
|
||||
[new_ssh]
|
||||
listen_port = 6001
|
||||
auth_token = 123
|
||||
```
|
||||
|
||||
4. 执行 reload 命令,使 frps 重新加载配置文件,实际上是通过 7500 端口发送了一个 http 请求
|
||||
|
||||
`./frps -c ./frps.ini --reload`
|
||||
|
||||
5. 之后启动 frpc,[new_ssh] 代理已经可以使用。
|
||||
由于从 v0.10.0 版本开始,所有 proxy 都在客户端配置,这个功能暂时移除。
|
||||
|
||||
### 特权模式
|
||||
|
||||
如果想要避免每次增加代理都需要操作服务器端,可以启用特权模式。
|
||||
|
||||
特权模式被启用后,代理的所有配置信息都可以在 frpc.ini 中配置,无需在服务器端做任何操作。
|
||||
|
||||
1. 在 frps.ini 中设置启用特权模式并设置 privilege_token,客户端需要配置同样的 privilege_token 才能使用特权模式创建代理:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
bind_port = 7000
|
||||
privilege_mode = true
|
||||
privilege_token = 1234
|
||||
```
|
||||
|
||||
2. 启动 frps:
|
||||
|
||||
`./frps -c ./frps.ini`
|
||||
|
||||
3. 在 frpc.ini 配置代理 [ssh],使用特权模式创建,无需事先在服务器端配置:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[common]
|
||||
server_addr = x.x.x.x
|
||||
server_port = 7000
|
||||
privilege_token = 1234
|
||||
|
||||
[ssh]
|
||||
privilege_mode = true
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
```
|
||||
|
||||
remote_port 即为原先在 frps.ini 的代理中配置的 listen_port 参数,使用特权模式后需要在 frpc 的配置文件中指定。
|
||||
|
||||
4. 启动 frpc:
|
||||
|
||||
`./frpc -c ./frpc.ini`
|
||||
|
||||
5. 通过 ssh 访问内网机器,假设用户名为 test:
|
||||
|
||||
`ssh -oPort=6000 test@x.x.x.x`
|
||||
由于从 v0.10.0 版本开始,所有 proxy 都在客户端配置,原先的特权模式是目前唯一支持的模式。
|
||||
|
||||
#### 端口白名单
|
||||
|
||||
启用特权模式后为了防止端口被滥用,可以手动指定允许哪些端口被使用,在 frps.ini 中通过 privilege_allow_ports 来指定:
|
||||
为了防止端口被滥用,可以手动指定允许哪些端口被使用,在 frps.ini 中通过 privilege_allow_ports 来指定:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
privilege_mode = true
|
||||
privilege_token = 1234
|
||||
privilege_allow_ports = 2000-3000,3001,3003,4000-50000
|
||||
```
|
||||
|
||||
privilege_allow_ports 可以配置允许使用的某个指定端口或者是一个范围内的所有端口,以 `,` 分隔,指定的范围以 `-` 分隔。
|
||||
|
||||
### TCP 多路复用
|
||||
|
||||
从 v0.10.0 版本开始,客户端和服务器端之间的连接支持多路复用,不再需要为每一个用户请求创建一个连接,使连接建立的延迟降低,并且避免了大量文件描述符的占用,使 frp 可以承载更高的并发数。
|
||||
|
||||
该功能默认启用,如需关闭,可以在 frps.ini 和 frpc.ini 中配置,该配置项在服务端和客户端必须一致:
|
||||
|
||||
```ini
|
||||
# frps.ini 和 frpc.ini 中
|
||||
[common]
|
||||
tcp_mux = false
|
||||
```
|
||||
|
||||
### 连接池
|
||||
|
||||
默认情况下,当用户请求建立连接后,frps 才会请求 frpc 主动与后端服务建立一个连接。当为指定的代理启用连接池后,frp 会预先和后端服务建立起指定数量的连接,每次接收到用户请求后,会从连接池中取出一个连接和用户连接关联起来,避免了等待与后端服务建立连接以及 frpc 和 frps 之间传递控制信息的时间。
|
||||
|
||||
这一功能比较适合有大量短连接请求时开启。
|
||||
|
||||
1. 首先可以在 frps.ini 中设置每个代理可以创建的连接池上限,避免大量资源占用,默认为 100,客户端设置超过此配置后会被调整到当前值:
|
||||
1. 首先可以在 frps.ini 中设置每个代理可以创建的连接池上限,避免大量资源占用,客户端设置超过此配置后会被调整到当前值:
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
max_pool_count = 50
|
||||
max_pool_count = 5
|
||||
```
|
||||
|
||||
2. 在 frpc.ini 中为指定代理启用连接池,指定预创建连接的数量:
|
||||
2. 在 frpc.ini 中为客户端启用连接池,指定预创建连接的数量:
|
||||
|
||||
```ini
|
||||
# frpc.ini
|
||||
[ssh]
|
||||
type = tcp
|
||||
local_port = 22
|
||||
pool_count = 10
|
||||
[common]
|
||||
pool_count = 1
|
||||
```
|
||||
|
||||
### 修改 Host Header
|
||||
@ -367,7 +286,6 @@ privilege_allow_ports 可以配置允许使用的某个指定端口或者是一
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = test.yourdomain.com
|
||||
@ -387,7 +305,6 @@ frp 支持通过 HTTP Basic Auth 来保护你的 web 服务,使用户需要通
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = test.yourdomain.com
|
||||
@ -395,7 +312,7 @@ http_user = abc
|
||||
http_pwd = abc
|
||||
```
|
||||
|
||||
通过浏览器访问 `test.yourdomain.com`,需要输入配置的用户名和密码才能访问。
|
||||
通过浏览器访问 `http://test.yourdomain.com`,需要输入配置的用户名和密码才能访问。
|
||||
|
||||
### 自定义二级域名
|
||||
|
||||
@ -403,10 +320,11 @@ http_pwd = abc
|
||||
|
||||
通过在 frps 的配置文件中配置 `subdomain_host`,就可以启用该特性。之后在 frpc 的 http、https 类型的代理中可以不配置 `custom_domains`,而是配置一个 `subdomain` 参数。
|
||||
|
||||
只需要将 `*.subdomain_host` 解析到 frps 所在服务器。之后用户可以通过 `subdomain` 自行指定自己的 web 服务所需要使用的二级域名,通过 `{subdomain}.{subdomain_host}` 来访问自己的 web 服务。
|
||||
只需要将 `*.{subdomain_host}` 解析到 frps 所在服务器。之后用户可以通过 `subdomain` 自行指定自己的 web 服务所需要使用的二级域名,通过 `{subdomain}.{subdomain_host}` 来访问自己的 web 服务。
|
||||
|
||||
```ini
|
||||
# frps.ini
|
||||
[common]
|
||||
subdomain_host = frps.com
|
||||
```
|
||||
|
||||
@ -415,7 +333,6 @@ subdomain_host = frps.com
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
subdomain = test
|
||||
@ -436,14 +353,12 @@ frp 支持根据请求的 URL 路径路由转发到不同的后端服务。
|
||||
```ini
|
||||
# frpc.ini
|
||||
[web01]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 80
|
||||
custom_domains = web.yourdomain.com
|
||||
locations = /
|
||||
|
||||
[web02]
|
||||
privilege_mode = true
|
||||
type = http
|
||||
local_port = 81
|
||||
custom_domains = web.yourdomain.com
|
||||
@ -452,7 +367,7 @@ locations = /news,/about
|
||||
|
||||
按照上述的示例配置后,`web.yourdomain.com` 这个域名下所有以 `/news` 以及 `/about` 作为前缀的 URL 请求都会被转发到 web02,其余的请求会被转发到 web01。
|
||||
|
||||
### 通过 HTTP PROXY 连接 frps
|
||||
### 通过代理连接 frps
|
||||
|
||||
在只能通过代理访问外网的环境内,frpc 支持通过 HTTP PROXY 和 frps 进行通信。
|
||||
|
||||
@ -472,11 +387,11 @@ http_proxy = http://user:pwd@192.168.1.128:8080
|
||||
* frps 记录 http 请求日志。
|
||||
* frps 支持直接反向代理,类似 haproxy。
|
||||
* frpc 支持负载均衡到后端不同服务。
|
||||
* frpc debug 模式,控制台显示代理状态,类似 ngrok 启动后的界面。
|
||||
* frpc http 请求及响应信息展示。
|
||||
* frpc 支持直接作为 webserver 访问指定静态页面。
|
||||
* frpc 完全控制模式,通过 dashboard 对 frpc 进行在线操作。
|
||||
* 支持 udp 打洞的方式,提供两边内网机器直接通信,流量不经过服务器转发。
|
||||
* 支持 plugin,frpc 获取到的连接可以交给指定 plugin 处理,例如 http 代理,简单的 web server。
|
||||
* 集成对 k8s 等平台的支持。
|
||||
|
||||
## 为 frp 做贡献
|
||||
|
||||
@ -504,16 +419,3 @@ frp 交流群:606194980 (QQ 群号)
|
||||
### Paypal 捐赠
|
||||
|
||||
海外用户推荐通过 [Paypal](https://www.paypal.me/fatedier) 向我的账户 **fatedier@gmail.com** 进行捐赠。
|
||||
|
||||
## 贡献者
|
||||
|
||||
* [fatedier](https://github.com/fatedier)
|
||||
* [Hurricanezwf](https://github.com/Hurricanezwf)
|
||||
* [Pan Hao](https://github.com/vashstorm)
|
||||
* [Danping Mao](https://github.com/maodanp)
|
||||
* [Eric Larssen](https://github.com/ericlarssen)
|
||||
* [Damon Zhao](https://github.com/se77en)
|
||||
* [Manfred Touron](https://github.com/moul)
|
||||
* [xuebing1110](https://github.com/xuebing1110)
|
||||
* [Anbitioner](https://github.com/bingtianbaihua)
|
||||
* [LitleCarl](https://github.com/LitleCarl)
|
||||
|
@ -1,10 +1,10 @@
|
||||
[common]
|
||||
server_addr = 0.0.0.0
|
||||
server_port = 7000
|
||||
auth_token = 123
|
||||
privilege_token = 12345678
|
||||
#privilege_token = 12345678
|
||||
|
||||
[ssh]
|
||||
type = tcp
|
||||
local_ip = 127.0.0.1
|
||||
local_port = 22
|
||||
remote_port = 6000
|
||||
|
@ -4,11 +4,4 @@ bind_port = 7000
|
||||
vhost_http_port = 80
|
||||
vhost_https_port = 443
|
||||
dashboard_port = 7500
|
||||
privilege_mode = true
|
||||
privilege_token = 12345678
|
||||
|
||||
[ssh]
|
||||
type = tcp
|
||||
auth_token = 123
|
||||
bind_addr = 0.0.0.0
|
||||
listen_port = 6000
|
||||
#privilege_token = 12345678
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 31 KiB |
@ -174,7 +174,6 @@ func (cfg *BindInfoConf) UnMarshalToMsg(pMsg *msg.NewProxy) {
|
||||
|
||||
func (cfg *BindInfoConf) check() (err error) {
|
||||
if len(ServerCommonCfg.PrivilegeAllowPorts) != 0 {
|
||||
// TODO: once linstenPort used, should remove the port from privilege ports
|
||||
if ok := util.ContainsPort(ServerCommonCfg.PrivilegeAllowPorts, cfg.RemotePort); !ok {
|
||||
return fmt.Errorf("remote port [%d] isn't allowed", cfg.RemotePort)
|
||||
}
|
||||
|
@ -187,23 +187,14 @@ func LoadServerCommonConf(conf ini.File) (cfg *ServerCommonConf, err error) {
|
||||
|
||||
// PrivilegeMode configure
|
||||
if cfg.PrivilegeMode == true {
|
||||
tmpStr, ok = conf.Get("common", "privilege_token")
|
||||
if ok {
|
||||
if tmpStr == "" {
|
||||
err = fmt.Errorf("Parse conf error: privilege_token can not be empty")
|
||||
return
|
||||
}
|
||||
cfg.PrivilegeToken = tmpStr
|
||||
} else {
|
||||
err = fmt.Errorf("Parse conf error: privilege_token must be set if privilege_mode is enabled")
|
||||
return
|
||||
}
|
||||
cfg.PrivilegeToken, _ = conf.Get("common", "privilege_token")
|
||||
|
||||
allowPortsStr, ok := conf.Get("common", "privilege_allow_ports")
|
||||
// TODO: check if conflicts exist in port ranges
|
||||
if ok {
|
||||
cfg.PrivilegeAllowPorts, err = util.GetPortRanges(allowPortsStr)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect, %v", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
@ -169,6 +169,7 @@ func (svr *Service) Run() {
|
||||
stream, err := session.AcceptStream()
|
||||
if err != nil {
|
||||
log.Warn("Accept new mux stream error: %v", err)
|
||||
session.Close()
|
||||
return
|
||||
}
|
||||
wrapConn := frpNet.WrapConn(stream)
|
||||
|
@ -60,24 +60,24 @@ func GetPortRanges(rangeStr string) (portRanges [][2]int64, err error) {
|
||||
if rangeType == 1 {
|
||||
singlePort, err := strconv.ParseInt(portArray[0], 10, 64)
|
||||
if err != nil {
|
||||
return [][2]int64{}, fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect, %v", err)
|
||||
return [][2]int64{}, err
|
||||
}
|
||||
portRanges = append(portRanges, [2]int64{singlePort, singlePort})
|
||||
} else if rangeType == 2 {
|
||||
min, err := strconv.ParseInt(portArray[0], 10, 64)
|
||||
if err != nil {
|
||||
return [][2]int64{}, fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect, %v", err)
|
||||
return [][2]int64{}, err
|
||||
}
|
||||
max, err := strconv.ParseInt(portArray[1], 10, 64)
|
||||
if err != nil {
|
||||
return [][2]int64{}, fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect, %v", err)
|
||||
return [][2]int64{}, err
|
||||
}
|
||||
if max < min {
|
||||
return [][2]int64{}, fmt.Errorf("Parse conf error: privilege_allow_ports range incorrect")
|
||||
return [][2]int64{}, fmt.Errorf("range incorrect")
|
||||
}
|
||||
portRanges = append(portRanges, [2]int64{min, max})
|
||||
} else {
|
||||
return [][2]int64{}, fmt.Errorf("Parse conf error: privilege_allow_ports is incorrect")
|
||||
return [][2]int64{}, fmt.Errorf("format error")
|
||||
}
|
||||
}
|
||||
return portRanges, nil
|
||||
|
Loading…
Reference in New Issue
Block a user