内网穿透工具—FRP

本文涉及的产品
云解析 DNS,旗舰版 1个月
全局流量管理 GTM,标准版 1个月
公共DNS(含HTTPDNS解析),每月1000万次HTTP解析
简介: 内网穿透工具—FRP

FRP基本信息


frp全名Fast Reverse Proxy,是用于提供内网穿透服务的工具,主要用于解决一些内网服务没有公网ip但是却需要提供外网访问的问题。使用frp你可以将内网中的TCP、UDP、HTTP、HTTPS等协议类型的服务发布到公网,并且支持Web服务根据域名进行路由转发。

FRP使用要求

640.png

如上图的frp架构图所示:

1、(必须)想要使用frp服务,将内网中的服务发布到公网。你需要先拥有一台拥有公网ip的网络设置搭建frp服务端,再在内网需要穿透的设置中搭建frp客户端服务才能进行穿透;

2、(非必需)你需要拥有一个域名解析到公网的ip地址,才能够实现web服务的通过域名进行路由转发的功能。

FRP服务的搭建

搭建frp很简单,关键的步骤只有三步:

1、获取frp文件;

2、设置frp配置文件;

3、启动frp服务。

注意:frp搭建的的这三步是分为客户端和服务端的,但是操作基本是一致的。本教程frp服务的搭建主要介绍frp搭建的主要三步,以及frp服务端和客户端配置文件内容的解释说明,以及如何将frp在linux系统中创建systemd服务,进行服务管理。

1、获取frp文件

frp支持linux平台和windows平台。参照你的设置的运行平台下载linux版本的文件或者是windows的。

下载地址:https://github.com/fatedier/frp/releases

一般linux平台下载的版本为:frp_版本号_linux_amd64.tar.gz

windows平台下载的版本为:frp_版本号_windows_amd64.zip

linux版本文件的解压命令为tar zxvf 文件名,windows版本文件直接右键解压即可。

文件解压后,一般都含有frps(frp服务端运行文件)、frpc(frp客户端运行文件)、frps.ini(frp服务端配置文件)、frpc.ini(frp客户端配置文件),以及frp_full.ini(frp全部配置文件解释说明和参考。)

2、设置frp配置文件

frp配置文件分为服务端和客户端,想要正常只用frp工具,我们需要对服务端和客户端的配置文件分别进行设置。

官方中文文档:https://gofrp.org/docs/

  • frps.ini(服务端)配置文件解释说明:
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
bind_addr = 0.0.0.0
bind_port = 7000
# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001
# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
kcp_bind_port = 7000
# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1
# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443
# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60
# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500
# dashboard user and passwd for basic auth protect, if not set, both default value is admin
dashboard_user = admin
dashboard_pwd = admin
# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# auth token
token = 12345678
# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90
# heartbeat_timeout = 90
# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 2000-3000,3001,3003,4000-50000
# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5
# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0
# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = frps.com
# if tcp stream multiplexing is used, default is true
tcp_mux = true
# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html


  • frpc.ini(客户端)配置文件解释说明:
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
server_addr = 0.0.0.0
server_port = 7000
# if you want to connect frps by http proxy or socks5 proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# console or real logFile path like ./frpc.log
log_file = ./frpc.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# for authentication
token = 12345678
# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static
# connections will be established in advance, default value is zero
pool_count = 5
# if tcp stream multiplexing is used, default is true, it must be same with frps
tcp_mux = true
# your proxy name will be changed to {user}.{proxy}
user = your_name
# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true
# communication protocol used to connect to server
# now it supports tcp and kcp and websocket, default is tcp
protocol = tcp
# if tls_enable is true, frpc will connect frps by tls
tls_enable = true
# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8
# proxy names you want to start seperated by ','
# default is empty, means all proxies
# start = ssh,dns
# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
# heartbeat_interval = 30
# heartbeat_timeout = 90
# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# limit bandwith for this proxy, unit is KB and MB
bandwith_limit = 1MB
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0
# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false
[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false
[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false
# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
subdomain = web01
custom_domains = web02.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3
[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2
[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock
[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc
[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false
[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false

3、启动frp服务

linux环境下启动服务

需要先把运行文件添加可执行权限。

例如我的文件实在root文件夹中,我需要搭建frp服务端,那么待设置好服务端配置文件(frps.ini)后执行以下命令即可:

    cd /root
    chmod +x frps
    nohup ./frps -c ./frps.ini &

    执行成功后,会显示frp的进程号码。你也可以通过命令来查看frps运行的进程编号:

    ps -e | grep frps

    windows环境

    以管理员身份运行cmd命令提示符。进入相应的目录后,运行命令即可:

    frps -c frps.ini &

    关于frp管理的优化设置

    注:现官方已提供systemd服务配置文件,可直接使用。

    debian8.0,或者是centos7.0以上的版本,服务都是基于systemd的方式进行管理的。frp通过设置后也可以实现systemd的方式进行管理,这样我们就可以通过systemctl命令来进行服务的统一管理,同时通过这样的设置也可以将frp服务加入开机自启动。

    1. 将frp设置成linux系统的服务,基于systemd方式管理 编写frps.service文件,以centos7为例:vi /usr/lib/systemd/system/frps.service 内容如下:
      [Unit]
      Description=Frp Server Service
      After=network.target
      [Service]
      Type=simple
      User=nobody
      Restart=on-failure
      RestartSec=5s
      ExecStart=/usr/bin/frps -c /etc/frp/frps.ini
      [Install]
      WantedBy=multi-user.target

      编写frpc.service文件,以centos7为例

      vi /usr/lib/systemd/system/frps.service 内容如下:

        [Unit]
        Description=Frp Client Service
        After=network.target
        [Service]
        Type=simple
        User=nobody
        Restart=on-failure
        RestartSec=5s
        ExecStart=/usr/bin/frpc -c /etc/frp/frpc.ini
        ExecReload=/usr/bin/frpc reload -c /etc/frp/frpc.ini
        [Install]
        WantedBy=multi-user.target


        1. 将frp设置成开机自启动
          #frps
          systemctl enable frps
          systemctl start frps
          #frpc
          systemctl enable frpc
          systemctl start frpc


          参考配置

          服务器端

          [common]
          bind_addr = 0.0.0.0             //绑定地址
          bind_port = 8888                //TCP绑定端口
          bind_udp_port = 8888            //UDP绑定端口
          kcp_bind_port = 8888            //KCP绑定端口
          vhost_http_port = 80            //HTTP代理端口
          vhost_https_port = 443          //HTTPS代理端口
          dashboard_addr = 0.0.0.0        //仪表盘地址
          dashboard_port = 10000          //仪表盘端口
          dashboard_user = admin          //仪表盘用户名
          dashboard_pwd = admin           //仪表盘密码
          token = 123456                  //连接密码
          subdomain_host = test.com       //子域名使用的主机名

          客户端

          [common]
          server_addr = 10.10.10.10    //服务器地址
          server_port = 8888              //服务器绑定端口
          token = 123456                  //特权模式密码
          tls_enable = true               //加密传输
          admin_addr = 127.0.0.1          //客户端Web地址
          admin_port = 7400               //Web访问端口
          admin_user = admin              //Web访问账户
          admin_pwd = admin               //Web访问密码
          user = your_name                //用户名,设置后代理将显示为 <用户名.代理名>
          [web]                           //服务名称(自定义)
          local_ip = 127.0.0.1            //本机ip
          type = http                     //链路类型
          local_port = 80                 //本机端口
          subdomain = web                 //服务端为test.com,故此处子域名为web.test.com
          custom_domains = demo.com       //自定义访问域名,多个使用,分割
          use_compression = true          //使用压缩
          use_encryption = true           //使用加密
          [ssh]
          local_ip = 127.0.0.1
          type = tcp
          local_port = 22
          remote_port = 9000
          use_compression = true
          use_encryption = true


          相关文章
          |
          开发工具
          frp-免费内网穿透
          frp-免费内网穿透
          673 0
          |
          运维 安全 网络协议
          使用Frp的stcp实现安全内网穿透访问
          使用Frp的stcp实现安全内网穿透访问
          882 1
          使用Frp的stcp实现安全内网穿透访问
          |
          2月前
          |
          安全 网络协议 Linux
          内网穿透工具Frp
          【10月更文挑战第6天】内网穿透工具Frp
          286 66
          |
          2月前
          |
          数据建模 Docker Windows
          内网穿透frp配置
          内网穿透frp配置
          88 0
          |
          7月前
          |
          应用服务中间件 nginx
          内网穿透ngrok
          ngrok实现内网穿透操作流程
          |
          网络协议 Ubuntu Linux
          frp内网穿透
          frp内网穿透
          2943 0
          |
          网络协议 应用服务中间件 Linux
          搭建frp实现内网穿透
          前言: 为什么需要内网穿透功能? 从公网中访问自己的私有设备向来是一件难事儿。 自己的主力台式机、NAS等等设备,它们可能处于路由器后,或者运营商因为IP地址短缺不给你分配公网IP地址。如果我们想直接访问到这些设备(远程桌面,远程文件,SSH等等),一般来说要通过一些转发或者P2P组网软件的帮助。 搭建frp服务器进行内网穿透,可用且推荐,可以达到不错的速度,且理论上可以开放任何想要的端口,可以实现的功能远不止远程桌面或者文件共享
          |
          Windows
          神奇的工具:ngrok的使用
          神奇的工具:ngrok的使用
          163 0
          |
          小程序 API
          ngrok内网穿透
          ngrok内网穿透
          ngrok内网穿透
          frp内网穿透配置
          frp内网穿透配置
          145 0