FRP基本信息
frp全名Fast Reverse Proxy,是用于提供内网穿透服务的工具,主要用于解决一些内网服务没有公网ip但是却需要提供外网访问的问题。使用frp你可以将内网中的TCP、UDP、HTTP、HTTPS等协议类型的服务发布到公网,并且支持Web服务根据域名进行路由转发。
FRP使用要求
如上图的frp架构图所示:
1、(必须)想要使用frp服务,将内网中的服务发布到公网。你需要先拥有一台拥有公网ip的网络设置搭建frp服务端,再在内网需要穿透的设置中搭建frp客户端服务才能进行穿透;
2、(非必需)你需要拥有一个域名解析到公网的ip地址,才能够实现web服务的通过域名进行路由转发的功能。
FRP服务的搭建
搭建frp很简单,关键的步骤只有三步:
1、获取frp文件;
2、设置frp配置文件;
3、启动frp服务。
注意:frp搭建的的这三步是分为客户端和服务端的,但是操作基本是一致的。本教程frp服务的搭建主要介绍frp搭建的主要三步,以及frp服务端和客户端配置文件内容的解释说明,以及如何将frp在linux系统中创建systemd服务,进行服务管理。
1、获取frp文件
frp支持linux平台和windows平台。参照你的设置的运行平台下载linux版本的文件或者是windows的。
下载地址:https://github.com/fatedier/frp/releases
一般linux平台下载的版本为:frp_版本号_linux_amd64.tar.gz
windows平台下载的版本为:frp_版本号_windows_amd64.zip
linux版本文件的解压命令为tar zxvf 文件名,windows版本文件直接右键解压即可。
文件解压后,一般都含有frps(frp服务端运行文件)、frpc(frp客户端运行文件)、frps.ini(frp服务端配置文件)、frpc.ini(frp客户端配置文件),以及frp_full.ini(frp全部配置文件解释说明和参考。)
2、设置frp配置文件
frp配置文件分为服务端和客户端,想要正常只用frp工具,我们需要对服务端和客户端的配置文件分别进行设置。
官方中文文档:https://gofrp.org/docs/
- frps.ini(服务端)配置文件解释说明:
# [common] is integral section [common] # A literal address or host name for IPv6 must be enclosed # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80" bind_addr = 0.0.0.0 bind_port = 7000 # udp port to help make udp hole to penetrate nat bind_udp_port = 7001 # udp port used for kcp protocol, it can be same with 'bind_port' # if not set, kcp is disabled in frps kcp_bind_port = 7000 # specify which address proxy will listen for, default value is same with bind_addr # proxy_bind_addr = 127.0.0.1 # if you want to support virtual host, you must set the http port for listening (optional) # Note: http port and https port can be same with bind_port vhost_http_port = 80 vhost_https_port = 443 # response header timeout(seconds) for vhost http server, default is 60s # vhost_http_timeout = 60 # set dashboard_addr and dashboard_port to view dashboard of frps # dashboard_addr's default value is same with bind_addr # dashboard is available only if dashboard_port is set dashboard_addr = 0.0.0.0 dashboard_port = 7500 # dashboard user and passwd for basic auth protect, if not set, both default value is admin dashboard_user = admin dashboard_pwd = admin # dashboard assets directory(only for debug mode) # assets_dir = ./static # console or real logFile path like ./frps.log log_file = ./frps.log # trace, debug, info, warn, error log_level = info log_max_days = 3 # disable log colors when log_file is console, default is false disable_log_color = false # auth token token = 12345678 # heartbeat configure, it's not recommended to modify the default value # the default value of heartbeat_timeout is 90 # heartbeat_timeout = 90 # only allow frpc to bind ports you list, if you set nothing, there won't be any limit allow_ports = 2000-3000,3001,3003,4000-50000 # pool_count in each proxy will change to max_pool_count if they exceed the maximum value max_pool_count = 5 # max ports can be used for each client, default value is 0 means no limit max_ports_per_client = 0 # if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file # when subdomain is test, the host used by routing is test.frps.com subdomain_host = frps.com # if tcp stream multiplexing is used, default is true tcp_mux = true # custom 404 page for HTTP requests # custom_404_page = /path/to/404.html
- frpc.ini(客户端)配置文件解释说明:
# [common] is integral section [common] # A literal address or host name for IPv6 must be enclosed # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80" server_addr = 0.0.0.0 server_port = 7000 # if you want to connect frps by http proxy or socks5 proxy, you can set http_proxy here or in global environment variables # it only works when protocol is tcp # http_proxy = http://user:passwd@192.168.1.128:8080 # http_proxy = socks5://user:passwd@192.168.1.128:1080 # console or real logFile path like ./frpc.log log_file = ./frpc.log # trace, debug, info, warn, error log_level = info log_max_days = 3 # disable log colors when log_file is console, default is false disable_log_color = false # for authentication token = 12345678 # set admin address for control frpc's action by http api such as reload admin_addr = 127.0.0.1 admin_port = 7400 admin_user = admin admin_pwd = admin # Admin assets directory. By default, these assets are bundled with frpc. # assets_dir = ./static # connections will be established in advance, default value is zero pool_count = 5 # if tcp stream multiplexing is used, default is true, it must be same with frps tcp_mux = true # your proxy name will be changed to {user}.{proxy} user = your_name # decide if exit program when first login failed, otherwise continuous relogin to frps # default is true login_fail_exit = true # communication protocol used to connect to server # now it supports tcp and kcp and websocket, default is tcp protocol = tcp # if tls_enable is true, frpc will connect frps by tls tls_enable = true # specify a dns server, so frpc will use this instead of default one # dns_server = 8.8.8.8 # proxy names you want to start seperated by ',' # default is empty, means all proxies # start = ssh,dns # heartbeat configure, it's not recommended to modify the default value # the default value of heartbeat_interval is 10 and heartbeat_timeout is 90 # heartbeat_interval = 30 # heartbeat_timeout = 90 # 'ssh' is the unique proxy name # if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh' [ssh] # tcp | udp | http | https | stcp | xtcp, default is tcp type = tcp local_ip = 127.0.0.1 local_port = 22 # limit bandwith for this proxy, unit is KB and MB bandwith_limit = 1MB # true or false, if true, messages between frps and frpc will be encrypted, default is false use_encryption = false # if true, message will be compressed use_compression = false # remote port listen by frps remote_port = 6001 # frps will load balancing connections for proxies in same group group = test_group # group should have same group key group_key = 123456 # enable health check for the backend service, it support 'tcp' and 'http' now # frpc will connect local service's port to detect it's healthy status health_check_type = tcp # health check connection timeout health_check_timeout_s = 3 # if continuous failed in 3 times, the proxy will be removed from frps health_check_max_failed = 3 # every 10 seconds will do a health check health_check_interval_s = 10 [ssh_random] type = tcp local_ip = 127.0.0.1 local_port = 22 # if remote_port is 0, frps will assign a random port for you remote_port = 0 # if you want to expose multiple ports, add 'range:' prefix to the section name # frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on. [range:tcp_port] type = tcp local_ip = 127.0.0.1 local_port = 6010-6020,6022,6024-6028 remote_port = 6010-6020,6022,6024-6028 use_encryption = false use_compression = false [dns] type = udp local_ip = 114.114.114.114 local_port = 53 remote_port = 6002 use_encryption = false use_compression = false [range:udp_port] type = udp local_ip = 127.0.0.1 local_port = 6010-6020 remote_port = 6010-6020 use_encryption = false use_compression = false # Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02 [web01] type = http local_ip = 127.0.0.1 local_port = 80 use_encryption = false use_compression = true # http username and password are safety certification for http protocol # if not set, you can access this custom_domains without certification http_user = admin http_pwd = admin # if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com subdomain = web01 custom_domains = web02.yourdomain.com # locations is only available for http type locations = /,/pic host_header_rewrite = example.com # params with prefix "header_" will be used to update http request headers header_X-From-Where = frp health_check_type = http # frpc will send a GET http request '/status' to local http service # http service is alive when it return 2xx http response code health_check_url = /status health_check_interval_s = 10 health_check_max_failed = 3 health_check_timeout_s = 3 [web02] type = https local_ip = 127.0.0.1 local_port = 8000 use_encryption = false use_compression = false subdomain = web01 custom_domains = web02.yourdomain.com # if not empty, frpc will use proxy protocol to transfer connection info to your local service # v1 or v2 or empty proxy_protocol_version = v2 [plugin_unix_domain_socket] type = tcp remote_port = 6003 # if plugin is defined, local_ip and local_port is useless # plugin will handle connections got from frps plugin = unix_domain_socket # params with prefix "plugin_" that plugin needed plugin_unix_path = /var/run/docker.sock [plugin_http_proxy] type = tcp remote_port = 6004 plugin = http_proxy plugin_http_user = abc plugin_http_passwd = abc [plugin_socks5] type = tcp remote_port = 6005 plugin = socks5 plugin_user = abc plugin_passwd = abc [plugin_static_file] type = tcp remote_port = 6006 plugin = static_file plugin_local_path = /var/www/blog plugin_strip_prefix = static plugin_http_user = abc plugin_http_passwd = abc [plugin_https2http] type = https custom_domains = test.yourdomain.com plugin = https2http plugin_local_addr = 127.0.0.1:80 plugin_crt_path = ./server.crt plugin_key_path = ./server.key plugin_host_header_rewrite = 127.0.0.1 plugin_header_X-From-Where = frp [plugin_http2https] type = http custom_domains = test.yourdomain.com plugin = http2https plugin_local_addr = 127.0.0.1:443 plugin_host_header_rewrite = 127.0.0.1 plugin_header_X-From-Where = frp [secret_tcp] # If the type is secret tcp, remote_port is useless # Who want to connect local port should deploy another frpc with stcp proxy and role is visitor type = stcp # sk used for authentication for visitors sk = abcdefg local_ip = 127.0.0.1 local_port = 22 use_encryption = false use_compression = false # user of frpc should be same in both stcp server and stcp visitor [secret_tcp_visitor] # frpc role visitor -> frps -> frpc role server role = visitor type = stcp # the server name you want to visitor server_name = secret_tcp sk = abcdefg # connect this address to visitor stcp server bind_addr = 127.0.0.1 bind_port = 9000 use_encryption = false use_compression = false [p2p_tcp] type = xtcp sk = abcdefg local_ip = 127.0.0.1 local_port = 22 use_encryption = false use_compression = false [p2p_tcp_visitor] role = visitor type = xtcp server_name = p2p_tcp sk = abcdefg bind_addr = 127.0.0.1 bind_port = 9001 use_encryption = false use_compression = false
3、启动frp服务
linux环境下启动服务
需要先把运行文件添加可执行权限。
例如我的文件实在root文件夹中,我需要搭建frp服务端,那么待设置好服务端配置文件(frps.ini)后执行以下命令即可:
cd /root chmod +x frps nohup ./frps -c ./frps.ini &
执行成功后,会显示frp的进程号码。你也可以通过命令来查看frps运行的进程编号:
ps -e | grep frps
windows环境
以管理员身份运行cmd命令提示符。进入相应的目录后,运行命令即可:
frps -c frps.ini &
关于frp管理的优化设置
注:现官方已提供systemd服务配置文件,可直接使用。
debian8.0,或者是centos7.0以上的版本,服务都是基于systemd的方式进行管理的。frp通过设置后也可以实现systemd的方式进行管理,这样我们就可以通过systemctl命令来进行服务的统一管理,同时通过这样的设置也可以将frp服务加入开机自启动。
- 将frp设置成linux系统的服务,基于systemd方式管理 编写frps.service文件,以centos7为例:vi /usr/lib/systemd/system/frps.service 内容如下:
[Unit] Description=Frp Server Service After=network.target [Service] Type=simple User=nobody Restart=on-failure RestartSec=5s ExecStart=/usr/bin/frps -c /etc/frp/frps.ini [Install] WantedBy=multi-user.target
编写frpc.service文件,以centos7为例
vi /usr/lib/systemd/system/frps.service 内容如下:
[Unit] Description=Frp Client Service After=network.target [Service] Type=simple User=nobody Restart=on-failure RestartSec=5s ExecStart=/usr/bin/frpc -c /etc/frp/frpc.ini ExecReload=/usr/bin/frpc reload -c /etc/frp/frpc.ini [Install] WantedBy=multi-user.target
- 将frp设置成开机自启动
#frps systemctl enable frps systemctl start frps #frpc systemctl enable frpc systemctl start frpc
参考配置
服务器端
[common] bind_addr = 0.0.0.0 //绑定地址 bind_port = 8888 //TCP绑定端口 bind_udp_port = 8888 //UDP绑定端口 kcp_bind_port = 8888 //KCP绑定端口 vhost_http_port = 80 //HTTP代理端口 vhost_https_port = 443 //HTTPS代理端口 dashboard_addr = 0.0.0.0 //仪表盘地址 dashboard_port = 10000 //仪表盘端口 dashboard_user = admin //仪表盘用户名 dashboard_pwd = admin //仪表盘密码 token = 123456 //连接密码 subdomain_host = test.com //子域名使用的主机名
客户端
[common] server_addr = 10.10.10.10 //服务器地址 server_port = 8888 //服务器绑定端口 token = 123456 //特权模式密码 tls_enable = true //加密传输 admin_addr = 127.0.0.1 //客户端Web地址 admin_port = 7400 //Web访问端口 admin_user = admin //Web访问账户 admin_pwd = admin //Web访问密码 user = your_name //用户名,设置后代理将显示为 <用户名.代理名> [web] //服务名称(自定义) local_ip = 127.0.0.1 //本机ip type = http //链路类型 local_port = 80 //本机端口 subdomain = web //服务端为test.com,故此处子域名为web.test.com custom_domains = demo.com //自定义访问域名,多个使用,分割 use_compression = true //使用压缩 use_encryption = true //使用加密 [ssh] local_ip = 127.0.0.1 type = tcp local_port = 22 remote_port = 9000 use_compression = true use_encryption = true
