(Excerpt) frp intranet penetration

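Notice: this content comes from the internet and the copyright belongs to the original author. In case of infringement, please contact me through the web chat.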

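frp is an open-source intranet penetration tool whose main job is to expose an internal network service (a port) to the public internet. It needs a host with a public address to act as the server.

It is also written in Go, so it is cross-platform and "green" (portable). Let's learn it from examples.

SSH access to the internal network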

  1. Server
    The configuration file frps.toml below means that the server opens port 7000 to communicate with clients
bindPort = 7000

Run with frps -c ./frps.toml, which specifies the configuration file

  2. Client
    The configuration file is as follows:
serverAddr = "x.x.x.x"  
serverPort = 7000

[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000

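Run with frpc -c ./frpc.toml, which specifies the configuration file

  3. Access

ssh -o Port=6000 test@x.x.x.x

The example above talks to the server on port 7000 and uses port 6000 on the server to forward traffic to port 22 on the client machine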

Accessing different internal web services by domain name

  1. Server
bindPort = 7000
vhostHTTPPort = 8080

If you need an HTTPS proxy, set vhostHTTPSPort

  2. Client
serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "web"
type = "http"
localPort = 80
customDomains = ["www.a.com"]

[[proxies]]
name = "web2"
type = "http"
localPort = 8080
customDomains = ["www.b.com"]
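
  3. DNS resolution
    Point the A records of www.a.com and www.b.com to the server x.x.x.x.

  4. Access: http://www.a.com:8080 reaches port 80 on the client machine; http://www.b.com:8080 reaches port 8080 on the client machine.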

A simple file access service

  1. Server
bindPort = 7000
  2. Client
serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "test_static_file"
type = "tcp"
remotePort = 6000
[proxies.plugin]
# The key is to use this plugin
type = "static_file"
localPath = "/tmp/file"
# The prefix is stripped from the URL; what remains is the path of the file to access
stripPrefix = "static"
httpUser = "abc"
httpPassword = "abc"
  3. Access http://x.x.x.x:6000/static/ to browse the files under /tmp/file

Enabling HTTPS for a local HTTP service

  1. Server
bindPort = 7000
vhostHTTPSPort = 443
  2. Client
serverAddr = "x.x.x.x"
serverPort = 7000

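[[proxies]]
name = "test_http2https"
type = "https"
customDomains = ["test.a.com"]

[proxies.plugin]
type = "https2http"
# Address of the local HTTP service (port 80 is assumed here)
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
  3. Access https://test.a.com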

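Peer-to-peer intranet penetration

xtcp provides intranet penetration for cases where a large amount of data is transferred and the traffic should not pass through the server.
xtcp does not always succeed; if it fails, try an stcp proxy instead.

  1. A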
serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "p2p_ssh"
type = "xtcp"
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
  2. B
serverAddr = "x.x.x.x"
serverPort = 7000

[[visitors]]
name = "p2p_ssh_visitor"
type = "xtcp"
serverName = "p2p_ssh"
secretKey = "abcdefg"
bindAddr = "127.0.0.1"
bindPort = 6000
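# Set to true to keep the tunnel open automatically
#keepTunnelOpen = false
  3. Access from B: ssh -oPort=6000 test@127.0.0.1

Exposing an internal service securely

  1. Server: no special settings
bindPort = 7000
  2. Client A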
serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "secret_ssh"
type = "stcp"
# Only users whose secretKey matches the one set here can access this service
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
  3. Visitor B
serverAddr = "x.x.x.x"
serverPort = 7000

[[visitors]]
name = "secret_ssh_visitor"
type = "stcp"
# Name of the stcp proxy to access
serverName = "secret_ssh"
secretKey = "abcdefg"
# Bind a local port to access the SSH service
bindAddr = "127.0.0.1"
bindPort = 6000
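  4. Access: ssh -o Port=6000 test@127.0.0.1

Other

Authentication

Add auth.token = "abc" to both the client and the server configuration files

QUIC support

On the server add quicBindPort = 7000, which binds QUIC to a UDP port (bindPort uses the TCP port)
On the client add transport.protocol = "quic"

Dynamic client configuration updates

# Enable a web server in the client configuration to act as the API that serves the update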
webServer.addr = "127.0.0.1"
webServer.port = 7400

frpc reload -c ./frpc.toml

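Client-side rate limiting

# frpc.toml
[[proxies]]
name = "ssh"
type = "tcp"
localPort = 22
remotePort = 6000
transport.bandwidthLimit = "1MB"

To enable rate limiting on the server side, additionally set transport.bandwidthLimitMode = "server" (it really should be the server that implements rate limiting)

Setting up BasicAuth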

# frpc.toml
[[proxies]]
name = "web"
type = "http"
localPort = 80
customDomains = ["test.yourdomain.com"]
httpUser = "abc"
httpPassword = "abc"

My server

bindPort = 7000
auth.token = "121212"

My client

serverAddr = "171.12.176.159"
serverPort = 7000
auth.token = "121212"

[[proxies]]
name = "test-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 80
remotePort = 7001

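With this, http://171.12.176.159:7001 reaches the service on port 80 of the local machine.


In "Accessing internal services through custom domains", if the server is set to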

bindPort = 7000
vhostHTTPPort = 80

Client A

serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "web"
type = "http"
localPort = 80
customDomains = ["www.yourdomain.com"]

[[proxies]]
name = "web2"
type = "http"
localPort = 8080
customDomains = ["www.yourdomain2.com"]

Client B

serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "web2"
type = "http"
localPort = 8080
customDomains = ["www.yourdomain2.com"]

then can different domain names reach different hosts? (untested)