Frp内网穿透配置

Frp基本信息

frp全名Fast Reverse Proxy,是用于提供内网穿透服务的工具,主要用于解决一些内网服务没有公网ip但是却需要提供外网访问的问题。使用frp你可以将内网中的TCP、UDP、HTTP、HTTPS等协议类型的服务发布到公网,并且支持Web服务根据域名进行路由转发。

Frp使用要求

Frp使用要求

如上图的frp架构图所示:
1、(必须)想要使用frp服务,将内网中的服务发布到公网。你需要先拥有一台拥有公网ip的网络设置搭建frp服务端,再在内网需要穿透的设置中搭建frp客户端服务才能进行穿透;
2、(非必需)你需要拥有一个域名解析到公网的ip地址,才能够实现web服务的通过域名进行路由转发的功能。

Frp服务的搭建

搭建frp很简单,关键的步骤只有三步:
1、获取frp文件;
2、设置frp配置文件;
3、启动frp服务。
注意:frp搭建的的这三步是分为客户端和服务端的,但是操作基本是一致的。本教程frp服务的搭建主要介绍frp搭建的主要三步,以及frp服务端和客户端配置文件内容的解释说明,以及如何将frp在linux系统中创建systemd服务,进行服务管理。

第一步:获取frp文件

frp支持linux平台和windows平台。参照你的设置的运行平台下载linux版本的文件或者是windows的。
下载地址:https://github.com/fatedier/frp/releases
一般linux平台下载的版本为:frp_版本号_linux_amd64.tar.gz
windows平台下载的版本为:frp_版本号_windows_amd64.zip
linux版本文件的解压命令为tar zxvf 文件名,windows版本文件直接右键解压即可。
文件解压后,一般都含有frps(frp服务端运行文件)、frpc(frp客户端运行文件)、frps.ini(frp服务端配置文件)、frpc.ini(frp客户端配置文件),以及frp_full.ini(frp全部配置文件解释说明和参考。)

第二步:frp配置文件设置

frp配置文件分为服务端和客户端,想要正常只用frp工具,我们需要对服务端和客户端的配置文件分别进行设置。
官方中文文档:https://github.com/fatedier/frp/blob/master/README_zh.md

  • frps.ini(服务端)配置文件解释说明:

    # [common] is integral section
    [common]
    # A literal address or host name for IPv6 must be enclosed
    # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
    bind_addr = 0.0.0.0
    bind_port = 7000
    
    # udp port to help make udp hole to penetrate nat
    bind_udp_port = 7001
    
    # udp port used for kcp protocol, it can be same with 'bind_port'
    # if not set, kcp is disabled in frps
    kcp_bind_port = 7000
    
    # specify which address proxy will listen for, default value is same with bind_addr
    # proxy_bind_addr = 127.0.0.1
    
    # if you want to support virtual host, you must set the http port for listening (optional)
    # Note: http port and https port can be same with bind_port
    vhost_http_port = 80
    vhost_https_port = 443
    
    # response header timeout(seconds) for vhost http server, default is 60s
    # vhost_http_timeout = 60
    
    # set dashboard_addr and dashboard_port to view dashboard of frps
    # dashboard_addr's default value is same with bind_addr
    # dashboard is available only if dashboard_port is set
    dashboard_addr = 0.0.0.0
    dashboard_port = 7500
    
    # dashboard user and passwd for basic auth protect, if not set, both default value is admin
    dashboard_user = admin
    dashboard_pwd = admin
    
    # dashboard assets directory(only for debug mode)
    # assets_dir = ./static
    # console or real logFile path like ./frps.log
    log_file = ./frps.log
    
    # trace, debug, info, warn, error
    log_level = info
    
    log_max_days = 3
    
    # auth token
    token = 12345678
    
    # heartbeat configure, it's not recommended to modify the default value
    # the default value of heartbeat_timeout is 90
    # heartbeat_timeout = 90
    
    # only allow frpc to bind ports you list, if you set nothing, there won't be any limit
    allow_ports = 2000-3000,3001,3003,4000-50000
    
    # pool_count in each proxy will change to max_pool_count if they exceed the maximum value
    max_pool_count = 5
    
    # max ports can be used for each client, default value is 0 means no limit
    max_ports_per_client = 0
    
    # if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
    # when subdomain is test, the host used by routing is test.frps.com
    subdomain_host = frps.com
    
    # if tcp stream multiplexing is used, default is true
    tcp_mux = true
  • frpc.ini(客户端)配置文件解释说明:

    # [common] is integral section
    [common]
    # A literal address or host name for IPv6 must be enclosed
    # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
    server_addr = 0.0.0.0
    server_port = 7000
    
    # if you want to connect frps by http proxy or socks5 proxy, you can set http_proxy here or in global environment variables
    # it only works when protocol is tcp
    # http_proxy = http://user:passwd@192.168.1.128:8080
    # http_proxy = socks5://user:passwd@192.168.1.128:1080
    
    # console or real logFile path like ./frpc.log
    log_file = ./frpc.log
    
    # trace, debug, info, warn, error
    log_level = info
    
    log_max_days = 3
    
    # for authentication
    token = 12345678
    
    # set admin address for control frpc's action by http api such as reload
    admin_addr = 127.0.0.1
    admin_port = 7400
    admin_user = admin
    admin_pwd = admin
    
    # connections will be established in advance, default value is zero
    pool_count = 5
    
    # if tcp stream multiplexing is used, default is true, it must be same with frps
    tcp_mux = true
    
    # your proxy name will be changed to {user}.{proxy}
    user = your_name
    
    # decide if exit program when first login failed, otherwise continuous relogin to frps
    # default is true
    login_fail_exit = true
    
    # communication protocol used to connect to server
    # now it supports tcp and kcp and websocket, default is tcp
    protocol = tcp
    
    # if tls_enable is true, frpc will connect frps by tls
    tls_enable = true
    
    # specify a dns server, so frpc will use this instead of default one
    # dns_server = 8.8.8.8
    
    # proxy names you want to start divided by ','
    # default is empty, means all proxies
    # start = ssh,dns
    
    # heartbeat configure, it's not recommended to modify the default value
    # the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
    # heartbeat_interval = 30
    # heartbeat_timeout = 90
    
    # 'ssh' is the unique proxy name
    # if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
    [ssh]
    # tcp | udp | http | https | stcp | xtcp, default is tcp
    type = tcp
    local_ip = 127.0.0.1
    local_port = 22
    # true or false, if true, messages between frps and frpc will be encrypted, default is false
    use_encryption = false
    # if true, message will be compressed
    use_compression = false
    # remote port listen by frps
    remote_port = 6001
    # frps will load balancing connections for proxies in same group
    group = test_group
    # group should have same group key
    group_key = 123456
    # enable health check for the backend service, it support 'tcp' and 'http' now
    # frpc will connect local service's port to detect it's healthy status
    health_check_type = tcp
    # health check connection timeout
    health_check_timeout_s = 3
    # if continuous failed in 3 times, the proxy will be removed from frps
    health_check_max_failed = 3
    # every 10 seconds will do a health check
    health_check_interval_s = 10
    
    [ssh_random]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 22
    # if remote_port is 0, frps will assign a random port for you
    remote_port = 0
    
    # if you want to expose multiple ports, add 'range:' prefix to the section name
    # frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
    [range:tcp_port]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 6010-6020,6022,6024-6028
    remote_port = 6010-6020,6022,6024-6028
    use_encryption = false
    use_compression = false
    
    [dns]
    type = udp
    local_ip = 114.114.114.114
    local_port = 53
    remote_port = 6002
    use_encryption = false
    use_compression = false
    
    [range:udp_port]
    type = udp
    local_ip = 127.0.0.1
    local_port = 6010-6020
    remote_port = 6010-6020
    use_encryption = false
    use_compression = false
    
    # Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
    [web01]
    type = http
    local_ip = 127.0.0.1
    local_port = 80
    use_encryption = false
    use_compression = true
    # http username and password are safety certification for http protocol
    # if not set, you can access this custom_domains without certification
    http_user = admin
    http_pwd = admin
    # if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
    subdomain = web01
    custom_domains = web02.yourdomain.com
    # locations is only available for http type
    locations = /,/pic
    host_header_rewrite = example.com
    # params with prefix "header_" will be used to update http request headers
    header_X-From-Where = frp
    health_check_type = http
    # frpc will send a GET http request '/status' to local http service
    # http service is alive when it return 2xx http response code
    health_check_url = /status
    health_check_interval_s = 10
    health_check_max_failed = 3
    health_check_timeout_s = 3
    
    [web02]
    type = https
    local_ip = 127.0.0.1
    local_port = 8000
    use_encryption = false
    use_compression = false
    subdomain = web01
    custom_domains = web02.yourdomain.com
    
    [plugin_unix_domain_socket]
    type = tcp
    remote_port = 6003
    # if plugin is defined, local_ip and local_port is useless
    # plugin will handle connections got from frps
    plugin = unix_domain_socket
    # params with prefix "plugin_" that plugin needed
    plugin_unix_path = /var/run/docker.sock
    
    [plugin_http_proxy]
    type = tcp
    remote_port = 6004
    plugin = http_proxy
    plugin_http_user = abc
    plugin_http_passwd = abc
    
    [plugin_socks5]
    type = tcp
    remote_port = 6005
    plugin = socks5
    plugin_user = abc
    plugin_passwd = abc
    
    [plugin_static_file]
    type = tcp
    remote_port = 6006
    plugin = static_file
    plugin_local_path = /var/www/blog
    plugin_strip_prefix = static
    plugin_http_user = abc
    plugin_http_passwd = abc
    
    [secret_tcp]
    # If the type is secret tcp, remote_port is useless
    # Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
    type = stcp
    # sk used for authentication for visitors
    sk = abcdefg
    local_ip = 127.0.0.1
    local_port = 22
    use_encryption = false
    use_compression = false
    
    # user of frpc should be same in both stcp server and stcp visitor
    [secret_tcp_visitor]
    # frpc role visitor -> frps -> frpc role server
    role = visitor
    type = stcp
    # the server name you want to visitor
    server_name = secret_tcp
    sk = abcdefg
    # connect this address to visitor stcp server
    bind_addr = 127.0.0.1
    bind_port = 9000
    use_encryption = false
    use_compression = false
    
    [p2p_tcp]
    type = xtcp
    sk = abcdefg
    local_ip = 127.0.0.1
    local_port = 22
    use_encryption = false
    use_compression = false
    
    [p2p_tcp_visitor]
    role = visitor
    type = xtcp
    server_name = p2p_tcp
    sk = abcdefg
    bind_addr = 127.0.0.1
    bind_port = 9001
    use_encryption = false
    use_compression = false

第三步:启动服务

linux环境下启动服务,需要先把运行文件添加可执行权限。
例如我的文件实在root文件夹中,我需要搭建frp服务端,那么待设置好服务端配置文件(frps.ini)后执行以下命令即可:

cd /root
chmod +x frps
nohup ./frps -c ./frps.ini &

执行成功后,会显示frp的进程号码。你也可以通过命令来查看frps运行的进程编号:ps -e | grep frps

在windows环境下则是以管理员身份运行cmd命令提示符。进入相应的目录后,运行命令即可: frps -c frps.ini &

关于frp管理的优化设置

debian8.0,或者是centos7.0以上的版本,服务都是基于systemd的方式进行管理的。frp通过设置后也可以实现systemd的方式进行管理,这样我们就可以通过systemctl命令来进行服务的统一管理,同时通过这样的设置也可以将frp服务加入开机自启动。

  1. 将frp设置成linux系统的服务,基于systemd方式管理 编写frp.service文件,以centos7为例:
    vim /usr/lib/systemd/system/frps.service
    内容如下:

    [Unit]
    Description=frps daemon
    After=syslog.target network.target
    Wants=network.target
    
    [Service]
    Type=simple
    ExecStart=/root/frp/frps -c /root/frp/frps.ini
    Restart=always
    RestartSec=1min
    
    [Install]
    WantedBy=multi-user.target
  2. 将frp设置成开机自启动
    systemctl enable frps
    systemctl start frps

    Frp到此就配置完了。

附:个人参考配置

  • 服务器端:
    [common]
    bind_addr = 0.0.0.0             //绑定地址
    bind_port = 8888                //TCP绑定端口
    bind_udp_port = 8888            //UDP绑定端口
    kcp_bind_port = 8888            //KCP绑定端口
    vhost_http_port = 80            //HTTP代理端口
    vhost_https_port = 443          //HTTPS代理端口
    dashboard_addr = 0.0.0.0        //仪表盘地址
    dashboard_port = 10000          //仪表盘端口
    dashboard_user = admin          //仪表盘用户名
    dashboard_pwd = admin           //仪表盘密码
    token = 123456                  //连接密码
    subdomain_host = test.com       //子域名使用的主机名
  • 客户端:

    [common]
    server_addr = 172.16.100.100    //服务器地址
    server_port = 8888              //服务器绑定端口
    token = 123456                  //特权模式密码
    admin_addr = 127.0.0.1          //客户端Web地址
    admin_port = 7400               //Web访问端口
    admin_user = admin              //Web访问账户
    admin_pwd = admin               //Web访问密码
    
    [web]                           //服务名称(自定义)
    local_ip = 127.0.0.1            //本机ip
    type = http                     //链路类型
    local_port = 80                 //本机端口
    subdomain = web                 //服务端为test.com,故此处子域名为web.test.com
    custom_domains = demo.com       //自定义访问域名,多个使用,分割
    use_compression = true          //使用压缩
    use_encryption = true           //使用加密
    
    [ssh]
    local_ip = 127.0.0.1
    type = tcp
    local_port = 22
    remote_port = 9000
    use_compression = true
    use_encryption = true

    注:具体参数请根据需要配置。

最后修改:2019 年 04 月 19 日 11 : 52 PM
如果觉得我的文章对你有用,请随意赞赏

发表评论