Detailed Explanation of the frp NAT Traversal Tool Configuration Files

Contents

    • Introduction to frp
    • Configuration overview
    • Server-side configuration: frps
    • Intranet-machine configuration: frpc

Introduction to frp

First, the source of this information: the frp NAT traversal tool's GitHub link.
What is frp?
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. As of now, it supports TCP and UDP, as well as HTTP and HTTPS protocols, where requests can be forwarded to internal services by domain name.
frp also has a P2P connect mode.

Note: as of this article's publication, frp has already been updated to v0.37.0. The new version adds some new features and fixes some bugs found in earlier versions. Of course, if the original version meets your needs, you can keep using the old one. I am attaching the complete set of v0.33.0 files here, and I hope you will support original content!

Configuration overview

The following content is taken from the frp_0.33.0_linux_amd64.tar.gz archive. In a real business environment relatively few of these settings are actually needed, and frp is not the only tool used for forwarding: because the real environment is complicated and messy, frp was combined with nginx and other tools and techniques to reach the goal by a roundabout route.
The main configuration items used are summarised as follows:

  • frps.ini configuration file:
    • [common]
      • bind_port =
      • authentication_method = token
      • token =
      • vhost_http_port =
      • subdomain_host =
  • frpc.ini configuration file:
    • [common]
      • server_addr =
      • server_port =
      • token =
    • [yourssh]
      • type = tcp
      • local_ip =
      • local_port = 22
      • remote_port =
    • [yourweb01]
      • type = http
      • local_ip =
      • local_port =
      • subdomain =

The above are the configuration items I currently use; the specific values depend on your actual environment.
Later I will add configuration steps for real-world scenarios.
Business requirement configuration reference 01
I will also continue to learn and try out the other configuration parameters.

Below is the detailed explanation of the configuration files.

Server-side configuration: frps

Configuration file name: frps_full.ini

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed in square brackets,
# as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "bind_addr" field, no need square brackets, like "bind_addr = ::".
bind_addr = 0.0.0.0

# service port the server binds to
bind_port = 7000

# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001

# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
# Note: KCP is a fast, reliable protocol; at the cost of using 10%-20% more bandwidth than TCP, it lowers average latency by 30%-40% and maximum latency by a factor of three.
kcp_bind_port = 7000

# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1

# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443

# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60

# tcpmux_httpconnect_port specifies the port that the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmux_httpconnect_port = 1337

# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500

# dashboard user and passwd for basic auth protect, if not set, both default value is admin
dashboard_user = admin
dashboard_pwd = admin

# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
# Note: Prometheus is an open-source system monitoring and alerting system; it can also be thought of as a technology.
enable_prometheus = true

# dashboard assets directory(only for debug mode)
# assets_dir = ./static

# console or real logFile path like ./frps.log
log_file = ./frps.log

# trace, debug, info, warn, error
# Note: this sets the logging level; the English words above are the allowed values
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
# Note: when logging to the console, this disables colour markers in the log; not disabled by default (to be verified)
disable_log_color = false

# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailed_errors_to_client = true

# authentication_method specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
authentication_method = token

# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false

# AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false

# auth token
token = 12345678

# oidc_issuer specifies the issuer to verify OIDC tokens with.
# By default, this value is "".
oidc_issuer =

# oidc_audience specifies the audience OIDC tokens should contain when validated.
# By default, this value is "".
oidc_audience =

# oidc_skip_expiry_check specifies whether to skip checking if the OIDC token is expired.
# By default, this value is false.
oidc_skip_expiry_check = false


# oidc_skip_issuer_check specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
# By default, this value is false.
oidc_skip_issuer_check = false

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90
# heartbeat_timeout = 90

# user_conn_timeout configure, it's not recommended to modify the default value
# the default value of user_conn_timeout is 10
# user_conn_timeout = 10

# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 2000-3000,3001,3003,4000-50000

# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5

# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0

# tls_only specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls_only = false

# tls_cert_file = server.crt
# tls_key_file = server.key
# tls_trusted_ca_file = ca.crt

# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
# Note: 'test' here is the subdomain value set in the frpc (client) configuration file, and frps.com is the subdomain_host value below.
subdomain_host = frps.com

# if tcp stream multiplexing is used, default is true
tcp_mux = true

# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

[plugin.user-manager]
addr = 127.0.0.1:9000
path = /handler
ops = Login

[plugin.port-manager]
addr = 127.0.0.1:9001
path = /handler
ops = NewProxy
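The [common] settings above decide who can register proxies on this server and who can see the dashboard. As an added example (not code from the post or from the frp project), the following Python script parses an frps.ini with the standard configparser module and flags the values a reviewer would change before exposing frps to the Internet: the sample token 12345678, the default admin/admin dashboard credentials, a dashboard bound to 0.0.0.0 (which also exposes /metrics when enable_prometheus is on), tls_only = false, an empty or very wide allow_ports, and an unlimited max_ports_per_client. The two INI texts inside the script are constructed for the example, and the severity labels and thresholds (16-character token, 10000 allowed ports) are this example's own assumptions, not anything frp defines.

```python
"""Audit the [common] section of an frps.ini for settings a reviewer would change.

Added example: not code from the post or from the frp project. The two INI texts
below are constructed; the severity labels and thresholds are this example's own
assumptions, not something frp defines.
"""
import configparser

# Constructed sample with the values shown in the post's frps_full.ini.
WEAK_FRPS_INI = """
[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_addr = 0.0.0.0
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
enable_prometheus = true
authentication_method = token
token = 12345678
tls_only = false
allow_ports = 2000-3000,3001,3003,4000-50000
max_ports_per_client = 0
subdomain_host = frps.com
"""

# Constructed hardened counterpart: random token, dashboard on loopback,
# TLS required, a narrow port allow-list and a per-client limit.
HARDENED_FRPS_INI = """
[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = ops
dashboard_pwd = correct-horse-battery-staple
authentication_method = token
token = 0f4c1c2d8e7a4b3f9d1e6a5c7b8f9e0d
tls_only = true
allow_ports = 6000-6010
max_ports_per_client = 5
"""


def load_ini(text):
    """Parse frp's INI dialect; keys keep their case (frp keys such as
    header_X-From-Where are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_allow_ports(spec):
    """Expand frp's allow_ports syntax ('2000-3000,3001') into a set of ports."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def audit_frps(text):
    """Return a list of (severity, finding) tuples; an empty list means no issue."""
    c = load_ini(text)["common"]
    findings = []
    if c.get("authentication_method", "token") == "token":
        token = c.get("token", "")
        if len(token) < 16 or token.isdigit():
            findings.append(("high", "token is short or all digits; use a long random secret"))
    if c.get("dashboard_port", "0") != "0":
        if c.get("dashboard_user", "admin") == "admin" and c.get("dashboard_pwd", "admin") == "admin":
            findings.append(("high", "dashboard uses the default admin/admin credentials"))
        # dashboard_addr defaults to bind_addr, as the frps comments state
        if c.get("dashboard_addr", c.get("bind_addr", "0.0.0.0")) in ("0.0.0.0", "::"):
            findings.append(("medium", "dashboard (and /metrics when enable_prometheus is on) listens on all interfaces"))
    if c.get("tls_only", "false").lower() != "true":
        findings.append(("medium", "tls_only is false; plaintext frpc connections are accepted"))
    allow = c.get("allow_ports", "")
    if not allow:
        findings.append(("medium", "allow_ports is empty; frpc may bind any port on the server"))
    elif len(parse_allow_ports(allow)) > 10000:
        findings.append(("low", "allow_ports covers more than 10000 ports; narrow it to what is needed"))
    if c.get("max_ports_per_client", "0") == "0":
        findings.append(("low", "max_ports_per_client is 0 (no limit per client)"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_FRPS_INI), ("hardened", HARDENED_FRPS_INI)):
        print(f"{label}: {len(audit_frps(ini))} finding(s)")
        for severity, msg in audit_frps(ini):
            print(f"  [{severity}] {msg}")
```

To audit a real file, replace the constructed string with the contents of your frps.ini. Setting optionxform to str keeps key case intact, which matters for frp keys such as header_X-From-Where; interpolation is disabled so a % in a password does not trip configparser.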

Intranet-machine configuration: frpc

Configuration file name: frpc_full.ini

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed in square brackets,
# as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "server_addr" field, no need square brackets, like "server_addr = ::".

# Note: address of the frps server to connect to
server_addr = 0.0.0.0
# Note: port of the frps server to connect to
server_port = 7000

# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:[email protected]:8080
# http_proxy = socks5://user:[email protected]:1080
# http_proxy = ntlm://user:[email protected]:2080

# console or real logFile path like ./frpc.log
log_file = ./frpc.log

# trace, debug, info, warn, error
# Note: this sets the logging level; the English words above are the allowed values
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# for authentication, should be same as your frps.ini
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false

# authenticate_new_work_conns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false

# auth token
token = 12345678

# oidc_client_id specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_id =

# oidc_client_secret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_secret =

# oidc_audience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_audience =

# oidc_token_endpoint_url specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
oidc_token_endpoint_url =

# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static

# connections will be established in advance, default value is zero
pool_count = 5

# if tcp stream multiplexing is used, default is true, it must be same with frps
tcp_mux = true

# your proxy name will be changed to {user}.{proxy}
user = your_name

# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true

# communication protocol used to connect to server
# now it supports tcp, kcp and websocket, default is tcp
protocol = tcp

# if tls_enable is true, frpc will connect frps by tls
tls_enable = true

# tls_cert_file = client.crt
# tls_key_file = client.key
# tls_trusted_ca_file = ca.crt
# tls_server_name = example.com

# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8

# proxy names you want to start separated by ','
# default is empty, means all proxies
# start = ssh,dns

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
# heartbeat_interval = 30
# heartbeat_timeout = 90

# additional meta info for client
meta_var1 = 123
meta_var2 = 234

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

# 'ssh' is the unique proxy name
# Note: the 'ssh' in [ssh] can be customised, but it must be unique.
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp

# Note: relative to the machine running frpc, this is the IP of the machine whose service you want to expose; the frpc host must be able to reach it
# Note: to expose another machine that the frpc host can connect to, put that machine's IP address here
local_ip = 127.0.0.1
# Note: the port of the SSH service
local_port = 22
# limit bandwidth for this proxy, unit is KB and MB
bandwidth_limit = 1MB
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
# additional meta info for each proxy
meta_var1 = 123
meta_var2 = 234

[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0

# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false

[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false

[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false

# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
# Note: the 'web01' in 'http://web01.yourdomain.com' corresponds to the subdomain value below, and the 'web01' in 'browse web01' refers to the [web01] proxy name.
[web01]
# Note: type is the proxy type; see the description of type under [ssh]
type = http
# Note: the IP address of the server to be exposed; it can be on the LAN of the frpc host or on the Internet, as long as the frpc host can reach it.
local_ip = 127.0.0.1
# the application port corresponding to type
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
# Note: this is a little hard to understand. I tested it: http://test.frps.com is a real, directly reachable domain, presumably used for testing.
# Note: the translation of this comment in the frps.ini file above is not very accurate, but it cannot be called wrong either.
subdomain = web01
custom_domains = web02.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3

[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2

[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock

[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc

[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[plugin_https2https]
type = https
custom_domains = test.yourdomain.com
plugin = https2https
plugin_local_addr = 127.0.0.1:443
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false

[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false

[tcpmuxhttpconnect]
type = tcpmux
multiplexer = httpconnect
local_ip = 127.0.0.1
local_port = 10701
custom_domains = tunnel1
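The comments on [web01] describe how frps routes HTTP requests by domain name and location, how http_user/http_pwd put basic auth in front of a proxy, and how host_header_rewrite and the header_ keys change what reaches the local service. The following Python script is an added example, not code from the post or from the frp project: it reads the type = http sections of a constructed frpc.ini, derives each proxy's routable domains from subdomain_host plus subdomain and from custom_domains, resolves a Host header and path to a proxy with longest-matching-location-wins, and reports whether that proxy requires basic auth and which headers it rewrites. The matching rules are a simplified model of frps's vhost router (domain match, then longest location prefix), not its actual code; the subdomain_host value and the frpc.ini text are constructed, and the [api] section is invented to show two proxies sharing one domain.

```python
"""Model frp's HTTP virtual-host routing for the proxies in an frpc.ini.

Added example, not code from the post or from the frp project. The matching
rules are a simplified model of frps's vhost router; the frpc.ini text, the
subdomain_host value and the [api] section are constructed for this example.
"""
import configparser
from dataclasses import dataclass, field

SUBDOMAIN_HOST = "frps.com"  # assumed frps.ini subdomain_host (constructed)

# Constructed frpc.ini: [web01] mirrors the post, [api] is invented so that two
# proxies share the domain web02.yourdomain.com and differ only by location.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = 12345678
user = your_name

[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
http_user = admin
http_pwd = admin
subdomain = web01
custom_domains = web02.yourdomain.com
locations = /,/pic
host_header_rewrite = example.com
header_X-From-Where = frp

[api]
type = http
local_ip = 127.0.0.1
local_port = 8080
custom_domains = web02.yourdomain.com
locations = /api

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6001
"""


@dataclass
class HttpProxy:
    name: str            # {user}.{section} when [common] user is set
    domains: list        # host names frps will route to this proxy
    locations: list      # path prefixes, '/' when locations is unset
    requires_auth: bool  # True when http_user is set
    headers: dict = field(default_factory=dict)  # headers rewritten for the local service


def load_http_proxies(text, subdomain_host):
    """Collect the type = http sections as HttpProxy records."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case: header_X-From-Where
    cp.read_string(text)
    user = cp["common"].get("user", "")
    proxies = []
    for section in cp.sections():
        s = cp[section]
        if section == "common" or s.get("type", "tcp") != "http":
            continue
        domains = []
        if s.get("subdomain") and subdomain_host:
            domains.append(f"{s['subdomain']}.{subdomain_host}".lower())
        domains += [d.strip().lower() for d in s.get("custom_domains", "").split(",") if d.strip()]
        locations = [loc.strip() for loc in s.get("locations", "/").split(",") if loc.strip()]
        headers = {k[len("header_"):]: v for k, v in s.items() if k.startswith("header_")}
        if s.get("host_header_rewrite"):
            headers["Host"] = s["host_header_rewrite"]
        name = f"{user}.{section}" if user else section
        proxies.append(HttpProxy(name, domains, locations, bool(s.get("http_user")), headers))
    return proxies


def route(proxies, host, path):
    """Return (proxy, matched_location) for a request, or None if no proxy matches.

    The Host header is compared without its port; among proxies that own the
    domain, the longest location prefix that matches the path wins."""
    host = host.split(":", 1)[0].lower()
    best = None
    for p in proxies:
        if host not in p.domains:
            continue
        for loc in p.locations:
            if path.startswith(loc) and (best is None or len(loc) > len(best[1])):
                best = (p, loc)
    return best


if __name__ == "__main__":
    proxies = load_http_proxies(SAMPLE_FRPC_INI, SUBDOMAIN_HOST)
    for host, path in (("web01.frps.com:80", "/pic/a.png"), ("web02.yourdomain.com", "/api/v1"),
                       ("web02.yourdomain.com", "/index.html"), ("other.frps.com", "/")):
        hit = route(proxies, host, path)
        if hit is None:
            print(f"{host}{path} -> no proxy (frps returns 404)")
        else:
            p, loc = hit
            print(f"{host}{path} -> {p.name} via {loc}; basic auth: {p.requires_auth}; headers: {p.headers}")
```

Two points the run makes visible: a proxy reached through custom_domains without http_user is open to anyone who can resolve the name to server_addr, and the longest-location rule means an unauthenticated proxy on a more specific location (here /api) is chosen over an authenticated one on / for the same domain, so the basic-auth setting of one section does not protect paths another section claims.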
