1. Deployment reasons

I built a set of servers at home for study and testing. My home connection is China Unicom, which gives no public IP (China Telecom and China Mobile will provide one, but you get what you pay for), so normally there is no way to SSH in from outside. I therefore decided to use FRP with a Tencent Cloud server to expose the port, which makes it convenient to reach the home machines while at work.

2. Introduction to FRP

FRP is a high-performance reverse proxy application focused on intranet penetration (NAT traversal). Intranet services can be exposed to the public network securely and conveniently by relaying through a node that has a public IP address. It works in a client/server model: the server is deployed on a machine with a public IP, and the client on a machine behind NAT or a firewall. Users connect to the exposed port on the server, and the traffic is forwarded back to the service on the intranet. On top of that, FRP supports TCP, UDP, HTTP, HTTPS and other protocols, and provides encryption, compression, authentication, proxy rate limiting, load balancing and many other capabilities.

Official website: gofrp.org/

GitHub: github.com/fatedier/fr…

3. Tencent cloud server related deployment

The Tencent Cloud server is a 1-core, 2 GB, 1 Mbps cloud host with a high-performance cloud disk on the default VPC network (any cloud host with a public IP will do).

Step 1: Install the package

Download the installation package (pick the latest version from the GitHub Releases page, or whichever version you prefer) and extract it.

 wget https://github.com/fatedier/frp/releases/download/v0.37.0/frp_0.37.0_linux_amd64.tar.gz
 tar zxvf frp_0.37.0_linux_amd64.tar.gz

The cloud server is the server side, so you can delete the frpc-related files and keep only the frps-related ones.

Step 2: Server configuration

Server configuration details

I directly modified the frps_full.ini reference file here: I changed the listening address, log path, client authentication token, web UI settings and related configuration, and left everything else unchanged.

 [root@host-cloud conf]# cat frps_full.ini
 [common]
 # service listening address (internal IP of the Tencent Cloud server)
 bind_addr =
 bind_port = 7000
 bind_udp_port = 7001
 kcp_bind_port = 7000
 vhost_http_port = 80
 vhost_https_port = 443
 # dashboard listening address
 dashboard_addr =
 dashboard_port = 7500
 # web UI username
 dashboard_user =
 # web UI password
 dashboard_pwd =
 enable_prometheus = true
 # log file path
 log_file = /home/frp/logs/frps.log
 log_level = info
 log_max_days = 3
 disable_log_color = false
 detailed_errors_to_client = true
 authentication_method = token
 authenticate_heartbeats = false
 authenticate_new_work_conns = false
 # client authentication token
 token =
 oidc_skip_expiry_check = false
 oidc_skip_issuer_check = false
 allow_ports = 2000-3000,3001,3003,4000-50000
 max_pool_count = 5
 max_ports_per_client = 0
 tls_only = false
 subdomain_host = frps.com
 tcp_mux = true
 udp_packet_size = 1500

Basic configuration

parameter | type | description | default | optional values | note
bind_addr | string | address the server listens on | 0.0.0.0 | |
bind_port | int | port the server listens on | 7000 | | receives frpc connections
bind_udp_port | int | UDP port the server listens on | 0 | | used to help establish P2P connections
kcp_bind_port | int | KCP port the server listens on | 0 | | receives frpc connections made over KCP
proxy_bind_addr | string | address proxies listen on | same as bind_addr | | lets proxies listen on a different interface address
log_file | string | log file path | ./frps.log | | if set to console, logs go to standard output
log_level | string | log level | info | trace, debug, info, warn, error |
log_max_days | int | days to keep log files | 3 | |
disable_log_color | bool | disable log colors on standard output | false | |
detailed_errors_to_client | bool | return detailed error messages to the client | true | |
heart_beat_timeout | int | timeout of the heartbeat connection between server and client | 90 | | unit: seconds
user_conn_timeout | int | how long to wait for the client's response after a user connection is established | 10 | | unit: seconds
udp_packet_size | int | maximum packet length supported by the UDP proxy | 1500 | | must be the same on server and client
tls_cert_file | string | path to the TLS server certificate | | |
tls_key_file | string | path to the TLS server key | | |
tls_trusted_ca_file | string | path to the TLS CA certificate | | |

Authentication

parameter | type | description | default | optional values | note
authentication_method | string | authentication method | token | token, oidc |
authenticate_heartbeats | bool | enable authentication of heartbeat messages | false | |
authenticate_new_work_conns | bool | enable authentication when establishing work connections | false | |
token | string | token value for authentication | | | the client must set the same value to pass authentication
oidc_issuer | string | oidc_issuer | | |
oidc_audience | string | oidc_audience | | |
oidc_skip_expiry_check | bool | oidc_skip_expiry_check | | |
oidc_skip_issuer_check | bool | oidc_skip_issuer_check | | |

Configuration management

parameter | type | description | default | optional values | note
allow_ports | string | server ports that proxies are allowed to bind | | | comma-separated single ports and ranges, e.g. 2000-3000,3001,3003,4000-50000 as in the config above
max_pool_count | int | maximum connection pool size | 5 | |
max_ports_per_client | int | maximum number of proxies a single client may run at once | 0 | | 0 means no limit
tls_only | bool | accept only TLS-enabled client connections | false | |
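As an added check (my own script, not part of this post or of the frp project), the shell functions below lint the [common] section of an frps ini file for the settings listed in the three tables above: an empty token, a dashboard that is enabled without credentials or bound to every interface, tls_only left off, and an empty allow_ports. It assumes comments sit on their own lines, which is the safe layout for frp's ini parser. The two sample configs are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: lint the [common] section of an frps ini file for the
# weak settings a reviewer would look for before exposing the server.

# Print one finding per line, prefixed FAIL or WARN.
frps_conf_findings() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == "common" && /=/ {                      # key = value
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = val
        }
        END {
            if (cfg["token"] == "")
                print "FAIL token is empty: any frpc that can reach bind_port may register proxies"
            if (cfg["dashboard_port"] != "" && cfg["dashboard_port"] != "0") {
                if (cfg["dashboard_user"] == "" || cfg["dashboard_pwd"] == "")
                    print "FAIL dashboard is enabled without dashboard_user and dashboard_pwd"
                if (cfg["dashboard_addr"] == "" || cfg["dashboard_addr"] == "0.0.0.0")
                    print "WARN dashboard listens on all interfaces; bind it to 127.0.0.1 or firewall port " cfg["dashboard_port"]
            }
            if (cfg["tls_only"] != "true")
                print "WARN tls_only is not true: plaintext frpc connections are accepted"
            if (cfg["allow_ports"] == "")
                print "WARN allow_ports is empty: a client may bind any remote_port"
        }
    ' "$1"
}

# Exit 0 when there is no FAIL finding; WARN lines are informational.
frps_conf_ok() {
    ! frps_conf_findings "$1" | grep -q '^FAIL'
}

# Constructed sample configs for the demonstration (not the post's files):
# the first has a blank token and dashboard password, the second is hardened.
WEAK_INI=$(mktemp)
HARD_INI=$(mktemp)
cat >"$WEAK_INI" <<'EOF'
[common]
bind_port = 7000
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd =
token =
tls_only = false
allow_ports = 2000-3000,3001,3003,4000-50000
EOF
cat >"$HARD_INI" <<'EOF'
[common]
bind_port = 7000
# dashboard reachable only from the server itself, e.g. over an SSH tunnel
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = CHANGE_ME_long_random_password
token = CHANGE_ME_32_random_bytes
tls_only = true
# only the one remote_port the ssh proxy actually needs
allow_ports = 6000
EOF

frps_conf_findings "$WEAK_INI"    # prints 2 FAIL and 2 WARN lines
frps_conf_findings "$HARD_INI"    # prints nothing
```

Run it as `sh lint.sh` after editing frps_full.ini, or call `frps_conf_ok /home/frp/conf/frps_full.ini` from a deployment script. Note that tls_only = true on the server only works with clients that set tls_enable = true, which the frpc.ini later in this post already does.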

Step 3: Start on boot

Copy frps.service and frps@.service from the package's systemd directory to /usr/lib/systemd/system.

 [root@host-cloud system]# cat frps.service
 [Unit]
 Description=Frp Server Service
 After=network.target

 [Service]
 Type=simple
 User=root
 Restart=on-failure
 RestartSec=5s
 # start command + configuration file
 ExecStart=/home/frp/bin/frps -c /home/frp/conf/frps_full.ini

 [Install]
 WantedBy=multi-user.target
 =============================================
 [root@host-cloud system]# cat frps@.service
 [Unit]
 Description=Frp Server Target

 [Service]
 Type=simple
 User=root
 Restart=on-failure
 RestartSec=5s
 # start command + configuration file
 ExecStart=/home/frp/bin/frps -c /home/frp/conf/frps_full.ini

 [Install]
 WantedBy=multi-user.target

Enable at boot

 [root@host-cloud system]# systemctl daemon-reload
 [root@host-cloud ~]# systemctl start frps.service
 [root@host-cloud ~]# systemctl enable frps.service

Configure the Tencent Cloud security group to open ports 7000 and 7500 (INPUT) and port 6000 (OUTPUT).

Open http://<public IP address>:7500 in a browser.

4. Client service deployment

Step 1: Install the package

Download the installation package (pick the latest version from the GitHub Releases page, or whichever version you prefer) and extract it.

 wget https://github.com/fatedier/frp/releases/download/v0.37.0/frp_0.37.0_linux_amd64.tar.gz
 tar zxvf frp_0.37.0_linux_amd64.tar.gz

This machine is the client side, so you can delete the frps-related files and keep only the frpc-related ones.

Step 2: Configuration files

Client configuration details

FRPC configuration file

 [root@host-machine frp]# cat conf/frpc.ini
 [common]
 # public IP address of the cloud server
 server_addr = x.x.x.x
 server_port = 7000
 # log file path
 log_file = /home/frp/logs/frpc.log
 log_level = info
 log_max_days = 3
 # server authentication token
 token = xxxxxxx
 admin_addr = 192.168.31.200
 admin_port = 7400
 admin_user = fong
 admin_pwd = qwer1234
 pool_count = 5
 tcp_mux = true
 user = fong
 login_fail_exit = true
 protocol = tcp
 tls_enable = true

 [ssh]
 type = tcp
 local_ip = 192.168.31.200
 local_port = 22
 remote_port = 6000

Basic configuration

parameter | type | description | default | optional values | note
server_addr | string | address of the server to connect to | 0.0.0.0 | |
server_port | int | port of the server to connect to | 7000 | |
http_proxy | string | proxy used to reach the server | | | format {protocol}://user:pwd@192.168.1.128:8080; protocol currently supports http, socks5 and ntlm
log_file | string | log file path | ./frpc.log | | if set to console, logs go to standard output
log_level | string | log level | info | trace, debug, info, warn, error |
log_max_days | int | days to keep log files | 3 | |
disable_log_color | bool | disable log colors on standard output | false | |
pool_count | int | connection pool size | 0 | |
user | string | user name | | | when set, each proxy name becomes {user}.{proxyName} to avoid conflicts with other users' proxies
dns_server | string | DNS server address to use | | | the system DNS server is used by default; set this to force a custom one
login_fail_exit | bool | exit if the first login fails | true | |
protocol | string | protocol used to connect to the server | tcp | tcp, kcp, websocket |
tls_enable | bool | enable TLS to encrypt the connection | false | |
tls_cert_file | string | path to the TLS client certificate | | |
tls_key_file | string | path to the TLS client key | | |
tls_trusted_ca_file | string | path to the TLS CA certificate | | |
tls_server_name | string | TLS server name | | | server_addr is used if empty
heartbeat_interval | int | interval between heartbeat packets sent to the server | 30 | |
heartbeat_timeout | int | heartbeat timeout with the server | 90 | |
udp_packet_size | int | maximum packet length supported by the UDP proxy | 1500 | | must be the same on server and client
start | string | enable only some of the proxies | | | for when several proxies are configured and only some should run; all are enabled by default

Authentication

parameter | type | description | default | optional values | note
authentication_method | string | authentication method | token | token, oidc | must match the server
authenticate_heartbeats | bool | enable authentication of heartbeat messages | false | | must match the server
authenticate_new_work_conns | bool | enable authentication when establishing work connections | false | | must match the server
token | string | token value for authentication | | | authentication succeeds only if it equals the server's token
oidc_client_id | string | oidc_client_id | | |
oidc_client_secret | string | oidc_client_secret | | |
oidc_audience | string | oidc_audience | | |
oidc_token_endpoint_url | string | oidc_token_endpoint_url | | |

Step 3: Start on boot

 [root@host-machine systemd]# cat /usr/lib/systemd/system/frpc.service
 [Unit]
 Description=Frp Client Service
 After=network.target

 [Service]
 Type=simple
 User=root
 Restart=on-failure
 RestartSec=5s
 ExecStart=/home/frp/bin/frpc -c /home/frp/conf/frpc.ini
 ExecReload=/home/frp/bin/frpc reload -c /home/frp/conf/frpc.ini

 [Install]
 WantedBy=multi-user.target
 =======================================================================
 [root@host-machine systemd]# cat /usr/lib/systemd/system/frpc@.service
 [Unit]
 Description=Frp Client Service
 After=network.target

 [Service]
 Type=idle
 User=root
 Restart=on-failure
 RestartSec=5s
 ExecStart=/home/frp/bin/frpc -c /home/frp/conf/%i.ini
 ExecReload=/home/frp/bin/frpc reload -c /home/frp/conf/%i.ini

 [Install]
 WantedBy=multi-user.target
 [root@host-machine ~]# systemctl daemon-reload
 [root@host-machine ~]# systemctl start frpc.service
 [root@host-machine ~]# systemctl enable frpc.service

Modify the local SSH service to disable root login and use key-based login.

 # default port
 Port 22
 # listen on IPv4 and IPv6
 #AddressFamily any
 # IPv4 address to listen on
 ListenAddress 192.168.31.200
 # IPv6 address to listen on
 #ListenAddress ::

 # path to the RSA host key
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 # path to the ECDSA host key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 # path to the ED25519 host key
 HostKey /etc/ssh/ssh_host_ed25519_key

 # Ciphers and keying
 #RekeyLimit default none

 # Logging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
 # log level
 LogLevel INFO

 # Authentication:

 # user has at most 2 minutes to authenticate
 LoginGraceTime 2m
 # allow the root account to log in over SSH (test: yes, production: no)
 PermitRootLogin no
 StrictModes yes
 # maximum number of authentication attempts per connection
 MaxAuthTries 4
 # maximum number of sessions
 MaxSessions 20

 # public key authentication
 PubkeyAuthentication yes
 # location of the authorized public keys
 AuthorizedKeysFile  .ssh/authorized_keys
 # whether password authentication is allowed
 PasswordAuthentication no
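Before exposing this sshd through FRP it is worth reading back the values sshd will actually use, because sshd keeps the first value it sees for each keyword and anything after a Match block is conditional, so a plain grep for "PasswordAuthentication no" can pass on a config that still allows passwords. The functions below are an added example of mine, not part of this post or of OpenSSH; they assume the whitespace-separated "Keyword value" form, and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report the effective sshd_config values for the three
# settings changed above, honouring sshd's first-match rule.

# Print the effective (lower-cased) value of KEYWORD in FILE, or nothing.
sshd_effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        tolower($1) == "match"   { exit }            # later lines are conditional
        tolower($1) == want      { print tolower($2); exit }
    ' "$2"
}

# Return 0 only when the three hardening settings are in effect.
sshd_hardened() {
    root=$(sshd_effective PermitRootLogin "$1")
    pass=$(sshd_effective PasswordAuthentication "$1")
    pub=$(sshd_effective PubkeyAuthentication "$1")
    # PubkeyAuthentication defaults to yes when absent; PermitRootLogin and
    # PasswordAuthentication default to permissive values, so they must be
    # set explicitly.
    [ "$root" = "no" ] && [ "$pass" = "no" ] && [ "${pub:-yes}" = "yes" ]
}

# Constructed sample files for the demonstration (not the post's sshd_config).
GOOD_CFG=$(mktemp)
TRAP_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
Port 22
ListenAddress 192.168.31.200
# comments on their own lines, as sshd requires
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
# Looks hardened at a glance, but the first PasswordAuthentication wins.
cat >"$TRAP_CFG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF

sshd_hardened "$GOOD_CFG" && echo "good: hardened"
sshd_hardened "$TRAP_CFG" || echo "trap: password login still enabled"
```

Run `sshd_hardened /etc/ssh/sshd_config` after editing; `sshd -t -f /etc/ssh/sshd_config` remains the authoritative syntax check, and a second SSH session should stay open until the new configuration is confirmed to work.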

After the client connects successfully, open http://<public IP address>:7500 again to check it.

5. How to log in

 ssh -oPort=6000 root@x.x.x.x    # x.x.x.x is the public IP address

FRP forwards traffic arriving at x.x.x.x:6000 to port 22 on the intranet machine.
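The remote_port in each frpc proxy section only works if the server's allow_ports covers it, otherwise frps rejects the proxy at registration. The script below is an added example of mine (not part of this post or of frp) that parses the allow_ports format from the server table and cross-checks every proxy in an frpc.ini against it; the sample configs are constructed, and the allow_ports value is the one from this post.

```shell
#!/bin/sh
# Added example: verify that each proxy's remote_port in an frpc.ini falls
# inside the frps allow_ports list.

# Return 0 if PORT is covered by an allow_ports spec such as
# "2000-3000,3001,3003,4000-50000" (single ports and ranges, comma separated).
port_allowed() {
    port=$1
    spec=$(printf '%s' "$2" | tr -d ' \t')
    case $port in ''|*[!0-9]*) return 2 ;; esac      # not a port number
    old_ifs=$IFS
    IFS=','
    for item in $spec; do
        [ -n "$item" ] || continue
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print "section:remote_port" for every proxy in FRPC_INI that the spec
# rejects; return 0 only when all proxies are accepted.
check_remote_ports() {
    spec=$1
    rejected=$(awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec != "" && sec != "common" && $1 == "remote_port" { print sec, $NF }
    ' "$2" | while read -r name rp; do
        port_allowed "$rp" "$spec" || printf '%s:%s\n' "$name" "$rp"
    done)
    [ -z "$rejected" ] && return 0
    printf '%s\n' "$rejected"
    return 1
}

# Constructed samples for the demonstration (not the post's files).
ALLOW='2000-3000,3001,3003,4000-50000'          # the post's allow_ports
OK_INI=$(mktemp)
BAD_INI=$(mktemp)
cat >"$OK_INI" <<'EOF'
[common]
server_addr = 192.0.2.10
server_port = 7000

[ssh]
type = tcp
local_ip = 192.168.31.200
local_port = 22
remote_port = 6000
EOF
cat >"$BAD_INI" <<'EOF'
[common]
server_port = 7000

[ssh]
type = tcp
local_port = 22
remote_port = 6000

[web]
type = tcp
local_port = 8080
remote_port = 3002
EOF

check_remote_ports "$ALLOW" "$OK_INI" && echo "ok: all proxies accepted"
check_remote_ports "$ALLOW" "$BAD_INI" || echo "rejected proxies listed above"
```

Keeping allow_ports to exactly the remote ports in use (6000 here) is the simplest way to stop a client that has obtained the token from opening arbitrary ports on the cloud server; the check above then doubles as a test that the two config files agree.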