frp 要转发Web服务有二种方式。
- 第一种就是直接用TCP类型直接转发,即将内网的80或443直接用TCP模式转发,访问外网服务器相当于访问了内网对应端口。优点是如果https,外网服务器也不需要配置任何ssl证书;缺点是一个外网端口只能转发一个内网端口。这种模式配置类似于转发远程桌面的配置,只是端口换成Web服务端口。
- 第二种就是用http/https类型转发,这个可以实现端口复用,同一个端口根据不同的域名转发到不同的内网Web服务上。这种类用的类型有三种:
- 外网http -> 内网http
- 外网https -> 内网http
- 外网https -> 内网https
一、http/https类型转发配置
直接将frp服务器的http/https的80/445端口直接暴露在外面做转发。
1、服务端配置
# 服务器端口
bindPort = 7000
# http(s)端口
vhostHTTPPort = 80
vhostHTTPSPort = 445
# 权限认证
auth.method = "token"
auth.token = "123456"
# 其他配置
2. 客户端配置
# frps服务器 ip、端口
server_addr = "xxx.xxx.xxx.xxx"
server_port = 7000
# 权限认证
auth.method = "token"
auth.token = "Zw123455.."
# http->http 模式, 直接转发80端口
[[proxies]]
name = "http2http"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["http2http.yourdomain.com"]
# https->http 模式,使用 https2http 插件
[[proxies]]
name = "https2http"
type = "https"
customDomains = ["https2http.yourdomain.com"]
[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "https2http.yourdomain.com"
requestHeaders.set.x-from-where = "frp"
# https->https 模式, 直接转发,可以不加载ssl证书
[[proxies]]
name = "https2https"
type = "https"
localIP = "127.0.0.1"
localPort = 443
customDomains = ["https2https.yourdomain.com"]
二、frp服务端使用Nginx转发
为了更好的转发http/https协议,可以先用通过Nginx监听对应的80/443端口,然后再需要转发到内网的域名转到frp服务端的端口上。
1. 服务端配置
# 服务器端口
bindPort = 7000
# http(s)端口,80、443端口留给Nginx
vhostHTTPPort = 8080
vhostHTTPSPort = 8081
# 权限认证
auth.method = "token"
auth.token = "123456"
# 其他配置
2. Nginx 配置
# http2http 域名监听
server {
listen 80;
listen [::]:80;
server_name http2http.yourdomain.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:8080; // 转发到frp监听的http端口上
}
}
# https2http 域名监听
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name https2http.yourdomain.com;
ssl_certificate ./server.crt;
ssl_certificate_key ./server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #指定SSL服务器端支持的协议版本
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:8080; // 转发到frp监听的http端口上
}
}
# https2https 域名监听
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name https2https.yourdomain.com;
ssl_certificate ./server.crt;
ssl_certificate_key ./server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #指定SSL服务器端支持的协议版本
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_ssl_server_name on; # 关键:启用 SNI 传递,否则后端ssl验证域名会失败
proxy_ssl_name $host; # 指定 SNI 字段为请求的域名
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:8081; // 转发到frp监听的https端口上
}
}
3. 客户端配置
# frps服务器 ip、端口
server_addr = "xxx.xxx.xxx.xxx"
server_port = 7000
# 权限认证
auth.method = "token"
auth.token = "Zw123455.."
# http->http 模式, 直接转发80端口
[[proxies]]
name = "http2http"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["http2http.yourdomain.com"]
# https->http 模式,服务站的https收Nginx完成了,这里只要做http转发
[[proxies]]
name = "http2http"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["https2http.yourdomain.com"]
# https->https 模式, 直接转发,可以不加载ssl证书
[[proxies]]
name = "https2https"
type = "https"
localIP = "127.0.0.1"
localPort = 443
customDomains = ["https2https.yourdomain.com"]
评论区