配置Frp实现内网穿透
Frp的简介
Frp全名Fast Reverse Proxy,是一个可用于内网穿透的高性能的反向代理应用,主要用于解决一些内网服务没有公网IP但是却需要提供公网访问的问题,使用Frp可以将内网中的TCP、UDP、HTTP、HTTPS等协议类型的应用发布到公网,并且支持web服务根据域名进行路由转发
前期准备
- 有公网IP的云服务器一台(笔者所用服务器为centos7)
- 内网服务器一台(可以是家用电脑,我这里使用的是centos7)
- Frp服务端和客户端
- 域名一个(可选)
- 如果为云服务器,配置安全组,放行相应端口,并关闭服务器防火墙
下载客户端文件
GitHub下载地址 根据自己系统版本下载相应文件
解压后的文件目录结构如下
├── frpc Frp客户端
├── frpc_full.ini Frp客户端配置文件模板
├── frpc.ini Frp客户端配置文件
├── frps Frp服务端
├── frps_full.ini Frp服务端配置文件模板
├── frps.ini Frp服务端配置文件
├── LICENSE
└── systemd
├── frpc.service Frp客户端注册服务所需文件
├── frpc@.service
├── frps.service Frp服务端注册服务所需文件
└── frps@.service
服务端部署,留frps文件
客户端部署,留frpc文件
服务端部署
- 将frps、frps.ini 拷贝到有公网IP的服务器
[root@zstack root] mkdir /usr/local/frps
[root@zstack root] cp frps* /usr/local/frps
- 编辑frps.service,将其路径改为实际路径
[Unit]
Description=Frp Server Service
After=network.target
[Service]
Type=simple
User=nobody
Restart=on-failure
ExecStart=/usr/local/frps/frps -c /usr/local/frps/frps.ini
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
StandardOutput=syslog
StandardError=inherit
[Install]
WantedBy=multi-user.target
- 将frps.service移动到systemd目录下,将其注册成服务
[root@zstack root] mv frps.service /usr/lib/systemd/system/
- 配置frps.ini文件
[common]
#服务器端监听的端口,默认是7000,可自定义
bind_port = 7000
#该端口就是以后访问web服务需要用到的端口
vhost_http_port = 7002
#监控界面配置
#监控界面访问端口
dashboard_port = 7001
#监控界面账户配置,默认值admin
dashboard_user = admin
dashboard_pwd = admin
#日志配置
log_file = ./logs/frps.log
#身份验证token
token = 123456789
- 启动frps
systemctl start frps
systemctl restart frps
systemctl status frps
systemctl enable frps
客户端部署
- 将frpc、frpc.ini 拷贝到有内网服务器中
[root@zstack root] mkdir /usr/local/frpc
[root@zstack root] cp frpc* /usr/local/frpc
- 编辑frpc.service,将其路径改为实际路径
[Unit]
Description=Frp Client Service
After=network.target
[Service]
Type=simple
User=nobody
Restart=on-failure
ExecStart=/usr/local/frpc/frpc -c /usr/local/frpc/frpc.ini
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
StandardOutput=syslog
StandardError=inherit
[Install]
WantedBy=multi-user.target
- 将frpc.service移动到systemd目录下,将其注册成服务
[root@zstack root] mv frpc.service /usr/lib/systemd/system/
- 配置frpc.ini文件
[common]
#外网-服务器端ip
server_addr = xxx.xxx.xxx.xxx
#外网-服务器端监听的端口(必须与Frps.ini中的配置一致)
server_port = 7000
token = 123456789
#ssh 内网穿透配置
[ssh]
#协议类型为tcp
type = tcp
#映射内网机器IP
local_ip = 127.0.0.1
#内网服务监听的端口
local_port = 22
# 公网映射端口
remote_port = 7003
[rdp]
type = tcp
local_ip = 192.168.13.236
local_port = 3389
remote_port = 7005
[web01]
type = tcp
local_ip = 192.168.13.1
local_port = 80
remote_port = 7004
[web02]
type = http
local_ip = 192.168.13.123
local_port = 5000
custom_domains = 101.132.125.84
locations = /
- 启动frpc
systemctl start frpc
systemctl restart frpc
systemctl status frpc
systemctl enable frpc
附录
frps.ini配置文件详解
#[common]是不可或缺的
#IPv6的地址或主机名必须用方括号括起来,如“[::1]:80”、“[IPv6 -host]:http”或“[IPv6 -host%zone]:80”
[common]
#服务器端监听的端口,默认是7000,可自定义
bind_port = 7000
# UDP端口,以帮助UDP内网穿透NAT
#bind_udp_port = 7001
#用于kcp协议的udp端口,可以与'bind_port'相同
#如果未设置,frps中禁用kcp
#kcp_bind_port = 7000
#指定要侦听的地址代理,默认值与bind_addr相同
# proxy_bind_addr = 127.0.0.1
#如果要支持虚拟主机,则必须设置用于侦听的http端口(可选)
#注意:http端口和https端口可以与bind_port相同
#vhost_http_port = 80
#vhost_https_port = 443
#为虚拟主机http服务器响应头超时(秒),默认是60秒
# vhost_http_timeout = 60
#设置dashboard_addr和dashboard_port以查看frps的仪表板
# dashboard_addr的默认值与bind_addr相同
#只有设置了dashboard_port,仪表板才可用
#dashboard_addr = 0.0.0.0
#dashboard_port = 7500
#仪表板用户和passwd用于基本身份验证保护,如果未设置,则两个默认值均为admin
#dashboard_user =admin
#dashboard_pwd =admin
#仪表板资产目录(仅适用于调试模式)
# assets_dir = ./static
#控制台或真实的logFile路径,例如./frps.log
#log_file = ./frps.log
#日志级别 trace, debug, info, warn, error
# 跟踪, 调试,信息,警告,错误
#log_level =info
#日志最大保存天数
#log_max_days = 3
#在log_file为控制台时禁用日志颜色,默认为false
#disable_log_color = false
#身份验证token
#token = 12345678
#心跳配置,但不建议修改默认值
#heartbeat_timeout的默认值为90
#heartbeat_timeout = 90
#仅允许frpc绑定您列出的端口,如果不进行任何设置,将没有任何限制
#allow_ports = 2000-3000,3001,3003,4000-50000
#如果每个代理中的pool_count超过最大值,它将更改为max_pool_count
#max_pool_count = 5
#最大端口可用于每个客户端,默认值为0表示无限制
#max_ports_per_client = 0
#如果subdomain_host不为空,则可以在frpc的配置文件中将类型设置为http或https时设置子域
#当subdomain是test时,路由使用的主机是test.frps.com
#subdomain_host = frps.com
#如果使用tcp流多路复用,则默认为true
#tcp_mux = true
#自定义404页的HTTP请求
# custom_404_page = /path/to/404.html
frpc.ini配置文件详解
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
server_addr = 0.0.0.0
server_port = 7000
# if you want to connect frps by http proxy or socks5 proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# console or real logFile path like ./frpc.log
log_file = ./frpc.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# for authentication
token = 12345678
# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static
# connections will be established in advance, default value is zero
pool_count = 5
# if tcp stream multiplexing is used, default is true, it must be same with frps
tcp_mux = true
# your proxy name will be changed to {user}.{proxy}
user = your_name
# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true
# communication protocol used to connect to server
# now it supports tcp and kcp and websocket, default is tcp
protocol = tcp
# if tls_enable is true, frpc will connect frps by tls
tls_enable = true
# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8
# proxy names you want to start seperated by ','
# default is empty, means all proxies
# start = ssh,dns
# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
# heartbeat_interval = 30
# heartbeat_timeout = 90
# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0
# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false
[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false
[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false
# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
subdomain = web01
custom_domains = web02.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3
[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2
[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock
[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc
[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false
[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false