Using frp, the go-to tool for exposing intranet services

This article describes how to use frp, a NAT traversal (intranet penetration) tool. Use it strictly in accordance with company policy.

About frp

frp is a high-performance reverse proxy application for NAT traversal. It supports the TCP and UDP protocols, adds extra capabilities for the HTTP and HTTPS application protocols, and has experimental support for peer-to-peer (P2P) traversal.

More details:
https://github.com/fatedier/frp/blob/master/README_zh.md

Architecture

An frp setup needs one CVM (cloud VM) with a public IP and one server on the internal network. The internal service connects through the frp client (frpc) to the frp server (frps) running on the public CVM; to reach the internal service, you simply connect to the corresponding port on the public host.

Download

https://github.com/fatedier/frp/releases
Download the build for your platform, e.g. frp_0.31.1_linux_amd64.tar.gz. No installation is needed; the archive contains both the server and the client.

frp server configuration

This is done on the CVM with the public IP.

Download and extract

# tar zxf frp_0.31.1_linux_amd64.tar.gz
# cd frp_0.31.1_linux_amd64
# ls
frpc frpc_full.ini frpc.ini frps frps_full.ini frps.ini LICENSE systemd

The server needs only two files: the executable frps and the server configuration file, either frps.ini or frps_full.ini (frps_full.ini is the more complete of the two).

Edit the configuration file

Below is my configuration file, for reference only:

# cat /etc/frp/frps_full.ini
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
bind_addr = 0.0.0.0
bind_port = 9000

# udp port to help make udp hole to penetrate nat
#bind_udp_port = 9001

# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
#kcp_bind_port = 9000

# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1

# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 8080
vhost_https_port = 4433

# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60

# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 9500

# dashboard user and passwd for basic auth protect, if not set, both default value is admin
dashboard_user = admin
dashboard_pwd = Pass@w0rd

# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# auth token
token = Pass@w0rd

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90
# heartbeat_timeout = 90

# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 5000-5010,8080

# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5

# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0

# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = liangfu.wang

# if tcp stream multiplexing is used, default is true
tcp_mux = true

# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html

[plugin.user-manager]
#addr = 127.0.0.1:9000
#path = /handler
#ops = Login

[plugin.port-manager]
#addr = 127.0.0.1:9001
#path = /handler
#ops = NewProxy

This is the default configuration; features you do not need can be commented out. Adjust the server listening port bind_port, the session token, and the ports frp clients are allowed to bind (allow_ports) to your needs.
Note: if you need to expose web access, change vhost_http_port = 80 to a different port, e.g. 8080.

Set up as a service

# Copy the files
cp frps /usr/local/bin/frps
mkdir /etc/frp
cp frps_full.ini /etc/frp/frps_full.ini

# Write the frp service unit file
/etc/systemd/system/frps.service

# with the following content
[Unit]
Description=Frp Server Service
After=network.target

[Service]
Type=simple
User=nobody
Restart=on-failure
RestartSec=5s
ExecStart=/usr/local/bin/frps -c /etc/frp/frps_full.ini

[Install]
WantedBy=multi-user.target

# Start frp and enable it at boot
systemctl enable frps
systemctl start frps
systemctl status frps

After starting, check that the frp process is running:

# ps -ef | grep frp
nobody 975 1 0 01:49 ? 00:00:06 /usr/bin/frps -c /etc/frp/frps_full.ini
root 8204 4014 0 18:31 pts/0 00:00:00 grep --color=auto frp

Enter the server address plus the dashboard port in a browser to open the frp dashboard.
[Image: frp.png, the frps dashboard]

frp client configuration

This is done on the internal server or virtual machine.

Download and extract

# tar zxf frp_0.31.1_linux_amd64.tar.gz
# cd frp_0.31.1_linux_amd64
# ls
frpc frpc_full.ini frpc.ini frps frps_full.ini frps.ini LICENSE systemd

The client is set up the same way as the server: you need the executable frpc and the client configuration file, either frpc.ini or frpc_full.ini (frpc_full.ini is the more complete of the two).

Edit the configuration file

# cat frpc.ini
[common]
server_addr = x.x.x.x
server_port = 9000
log_file = ./frpc.log
log_level = info
log_max_days = 3
token = Pass@w0rd
pool_count = 5
tcp_mux = true
user = hexo
login_fail_exit = true
protocol = tcp
tls_enable = true

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = true
remote_port = 5002

Adjust frpc.ini to match your frps, e.g. the server address, token, user and the [ssh] section. With this I can SSH to port 5002 on the public host and land on the internal server.
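As an added example (not from the original post or the frp project), the following Python script cross-checks an frps_full.ini against an frpc.ini the way the server and client sections above pair them: it verifies that token and port agree, expands allow_ports to confirm every proxy's remote_port is permitted, and flags a dashboard bound to 0.0.0.0 and a dashboard password that reuses the token. The INI text is constructed from the values shown in this post; the check names and messages are mine.

```python
import configparser
# Constructed sample pair, built from the values shown in this post.
FRPS_INI = """[common]
bind_addr = 0.0.0.0
bind_port = 9000
dashboard_addr = 0.0.0.0
dashboard_port = 9500
dashboard_pwd = Pass@w0rd
token = Pass@w0rd
allow_ports = 5000-5010,8080
"""
FRPC_INI = """[common]
server_addr = x.x.x.x
server_port = 9000
token = Pass@w0rd
[ssh]
local_port = 22
remote_port = 5002
"""

def parse_allow_ports(spec):
    """Expand frps's allow_ports syntax ('5000-5010,8080') into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_pair(frps_text, frpc_text):
    """Findings for an frps/frpc pair: agreement errors, then hardening warnings; [] means it passed."""
    s = configparser.ConfigParser(interpolation=None); s.read_string(frps_text)
    c = configparser.ConfigParser(interpolation=None); c.read_string(frpc_text)
    sc, cc, findings = s["common"], c["common"], []
    if sc.get("token", "") != cc.get("token", ""):
        findings.append("token differs between frps and frpc")
    if sc.get("bind_port") != cc.get("server_port"):
        findings.append("frpc server_port does not match frps bind_port")
    allowed = parse_allow_ports(sc["allow_ports"]) if "allow_ports" in sc else None
    for name in c.sections():  # [common] has no remote_port, so it is skipped
        port = c[name].get("remote_port")
        if port and allowed is not None and int(port) not in allowed:
            findings.append(f"[{name}] remote_port {port} is outside allow_ports")
    if allowed is None:
        findings.append("allow_ports unset: a client may bind any port on the public host")
    if "dashboard_port" in sc and sc.get("dashboard_addr", sc.get("bind_addr")) == "0.0.0.0":
        findings.append("dashboard listens on all interfaces; bind to 127.0.0.1 or firewall it")
    if sc.get("dashboard_pwd") == sc.get("token"):
        findings.append("dashboard_pwd reuses the auth token; use two distinct secrets")
    return findings
```

Run against the post's own values it reports two hardening findings and no agreement errors; point it at your real /etc/frp files before deploying a change.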

Set up as a service

# Copy the files
cp frpc /usr/local/bin/frpc
mkdir /etc/frp
cp frpc.ini /etc/frp/frpc.ini

# Write the frp service unit file
/etc/systemd/system/frpc.service

# with the following content
[Unit]
Description=Frp Client Service
After=network.target

[Service]
Type=simple
User=nobody
Restart=on-failure
RestartSec=5s
ExecStart=/usr/local/bin/frpc -c /etc/frp/frpc.ini
ExecReload=/usr/local/bin/frpc reload -c /etc/frp/frpc.ini

[Install]
WantedBy=multi-user.target

# Start frp and enable it at boot
systemctl enable frpc
systemctl start frpc
systemctl status frpc

After starting, check that the frp process is running:

# ps -ef | grep frp
nobody 965 1 0 10:29 ? 00:00:23 /usr/bin/frpc -c /etc/frp/frpc.ini
root 3105 2046 0 19:18 pts/0 00:00:00 grep --color=auto frp

The frp dashboard now shows the device as online.
[Image: frp-tcp.png, the frps dashboard with the TCP proxy online]

Common proxy configurations

The common cases are SSH for remote server management and access to an internal web service.

SSH proxy

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 5001

HTTP proxy

[web]
type = http
local_port = 80
use_encryption = false
use_compression = true
custom_domains = liangfu.wang

If you want to access the service by domain name, you need a CNAME record pointing at the server; the simplest way is actually to access it by IP, since custom_domains can be set to an IP address.

References

https://meta.appinn.net/t/frp/11319/14
https://mritd.me/2017/01/21/use-frp-for-internal-network-wear/