1. Foreword

FRP (fast reverse proxy) is a high-performance reverse proxy for NAT traversal ("intranet penetration"), written in Go. It supports TCP, UDP, HTTP and HTTPS, and can map a web service running on your local machine to the public Internet.

This article describes how to set up an HTTP NAT-traversal service based on FRP + Nginx that can serve many developers at the same time, so that WeChat Official Account and WeChat Mini Program projects can be developed and debugged locally.

Resources required:

  • A public server or VPS (the author uses a Tencent Cloud host)
  • A domain name pointing to that server (msh.com is used as the example)

Environment used in this article

  • CentOS 7.2
  • Nginx 1.10.1
  • FRP 0.22.0
  • Go 1.11.4
  • Windows 10

2. How FRP works

(Read this section carefully. If you do not understand how the pieces fit together, the configuration that follows is error-prone and failures are hard to diagnose. I learned this the hard way.)

Take the FRP NAT-traversal service I built as an example:

Step 1: With a correct configuration, the FRP server (frps) and the FRP client (frpc) are started in turn and establish a communication tunnel.

  • The FRP server runs on the public server and listens on HTTP port 7071 (the port is configurable); it receives every request that Internet users send to that port
  • The FRP client runs on your local machine and proxies the local web service ports you want to expose; this article uses ports 8585 and 8686 as examples

Step 2: Configure an Nginx reverse proxy on the public server so that the subdomains under dev.msh.com are mapped to port 7071, the port frps listens on. Internet users access subdomains under dev.msh.com, for example:

  • a.dev.msh.com
  • b.dev.msh.com

This is the same as sending the request, with that Host header, straight to port 7071 of the public server. It triggers the exchange between the FRP server and the FRP client, and the HTTP request is passed from the server to the client.

Step 3: The FRP server matches the Host header of the request against the subdomains registered by the client and hands the request to the FRP client, which forwards it according to its own configuration:

  • if the Host in the HTTP request is a.dev.msh.com, the request goes to my local web service on port 8585
  • if the Host in the HTTP request is b.dev.msh.com, the request goes to my local web service on port 8686

Step 4: The local web service receives the HTTP request, processes it and produces the response

Step 5: The FRP client sends the response back to the FRP server, which finally returns it to the Internet user

Step 6: The observed result:

  • accessing a.dev.msh.com is equivalent to accessing localhost:8585 on my machine
  • accessing b.dev.msh.com is equivalent to accessing localhost:8686 on my machine

3. Preparation

3.1 Configuring subdomains in the DNS control panel

This article uses msh.com as the example:

Log in to the DNS control panel of the domain and add two A records under msh.com, dev and *.dev, both pointing to the IP address of the public server where the FRP server is deployed.

All subdomains under dev.msh.com then resolve to the public server.

3.2 About the Go environment

Because this article uses the prebuilt release binaries (a "green" installation with no installer and no build step), there is no need to set up a Go environment. Thanks to Tyler RKD for pointing this out.

4. Server configuration

4.1 Installing and configuring the FRP server

Download and extract

# download
wget https://github.com/fatedier/frp/releases/download/v0.22.0/frp_0.22.0_linux_amd64.tar.gz
# extract
tar -zxvf frp_0.22.0_linux_amd64.tar.gz

Modify the configuration file

Go to the extracted directory, open frps.ini and edit it as follows (see the comments for the meaning of each setting):

[common]
# port frps listens on for the control connection from frpc
bind_port = 7000

# port on which frps listens for HTTP requests from public users (the virtual host port)
vhost_http_port = 7071

# frps provides a dashboard on this port, showing the currently connected
# proxies and their status
dashboard_port = 7500

# subdomain_host: when a client proxy sets subdomain = xxx, the local service is
# reached as {subdomain}.{subdomain_host}. With subdomain_host = dev.msh.com, a
# client proxy with subdomain = a and local_port = 8585 means that a.dev.msh.com
# maps to localhost:8585 on the client machine.
subdomain_host = dev.msh.com
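The frps.ini above has two gaps that matter as soon as port 7000 is reachable from the Internet: there is no token, so any frpc anywhere can connect to your server and register its own proxies and subdomains under dev.msh.com; and the dashboard on port 7500 has no credentials set, so if it is ever reachable (firewalld disabled, a permissive cloud security group) it is protected only by frp's default login. The following hardened version is an added example and not part of the original article; the token value, dashboard password and log path are placeholders to replace, and all keys used are ones documented in frp's frps_full.ini (dashboard_addr, dashboard_user, dashboard_pwd, token, log_file, log_level, log_max_days).

```ini
[common]
bind_port = 7000
vhost_http_port = 7071

# Shared secret; frpc must set the identical value in its [common] section.
# Without it, anyone who can reach bind_port can register proxies on this server.
token = change-me-to-a-long-random-string

# Keep the dashboard on the loopback interface and give it a password.
# Reach it from your workstation through an SSH tunnel,
# e.g. ssh -L 7500:127.0.0.1:7500 user@server, then open http://127.0.0.1:7500
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = change-me-too

# Write logs to a file instead of relying on nohup.out
log_file = ./frps.log
log_level = info
log_max_days = 3

subdomain_host = dev.msh.com
```

With dashboard_addr bound to 127.0.0.1 the firewall rule for 7500 is no longer the only thing standing between the Internet and the proxy list, and the token makes the frpc login in section 5 fail for anyone who does not hold the secret.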

Start the FRP server in the background

nohup ./frps -c frps.ini &
# follow the output log
tail -f nohup.out

Changing the configuration file and reloading it

frps has no command to reload its configuration, so the crude method is to kill and restart the process:

# find the frps process id
ps -ef | grep 'frp'
root     19061 13224  0 03:06 pts/2    00:00:00 ./frps -c frps.ini
root     23064 13224  0 03:34 pts/2    00:00:00 grep --color=auto frp
# kill the process
kill -9 19061
# start frps again
nohup ./frps -c frps.ini &

4.2 Nginx Reverse Proxy Configuration

(For how to install nginx, see the nginx Linux installation and deployment tutorial.)

Edit nginx.conf and add the following server block:

	# reverse proxy in front of FRP, receiving HTTP requests
	server {
		listen 80;
		server_name *.dev.msh.com dev.msh.com;

		location / {
			# 7071 is the HTTP port that FRP listens on
			proxy_pass http://127.0.0.1:7071;
			proxy_set_header Host $host:80;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

			# WebSocket support: nginx only passes the Upgrade header over HTTP/1.1
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";

			proxy_connect_timeout 7d;
			proxy_send_timeout 7d;
			proxy_read_timeout 7d;
		}

		# block crawlers
		if ($http_user_agent ~* "360Spider|JikeSpider|Spider|spider|bot|Bot|2345Explorer|curl|wget|webZIP|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|NSPlayer|bingbot") {
			return 403;
		}
	}

Note that the crawler rule also matches curl and wget, so command-line tests against the server must send a different User-Agent or they will get a 403.

Make nginx reload the configuration file

/usr/local/nginx/sbin/nginx -s reload
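Two refinements to the server block above, added here as an example rather than taken from the article. First, the block sends Connection: upgrade upstream on every request, although that header is only meant for WebSocket upgrades; nginx's documented pattern is a map that emits it only when the client actually sent Upgrade. Second, once this is live every a.dev.msh.com service is reachable by anyone on the Internet, so an allow/deny list in front of the proxy keeps the exposed development servers to your own team. The map must sit in the http context, outside the server block; the 203.0.113.0/24 range is a placeholder for your office or VPN egress addresses.

```nginx
# Emit "Connection: upgrade" upstream only when the client asked for an upgrade
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name *.dev.msh.com dev.msh.com;

    # Restrict the exposed dev services to the team: office/VPN egress range
    # (placeholder) is allowed, everyone else is denied before proxying.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:7071;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 7d;
        proxy_send_timeout 7d;
    }
}
```

The allow/deny pair is inherited by the location, so it applies before the request reaches frps; if the team works from changing addresses, auth_basic with an htpasswd file is the usual substitute.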

4.3 Opening firewall ports

Ports 7000 and 7071 are the bind_port and vhost_http_port configured above:

firewall-cmd --zone=public --add-port=7000/tcp --permanent
firewall-cmd --zone=public --add-port=7071/tcp --permanent

# reload the firewall so the changes take effect
firewall-cmd --reload

Port 7000 is the one that must be open, because frpc connects to it from outside. Since nginx forwards to 127.0.0.1:7071 on the same host, 7071 does not actually need to be reachable from the Internet; opening it lets anyone send requests with a matching Host header straight to frps and bypass nginx, including the crawler rule above. The dashboard port 7500 is deliberately not opened here; keep it that way, as the dashboard is protected only by HTTP basic auth.

5. Client installation and configuration

Downloading the client

Go to GitHub and download the latest Windows client from github.com/fatedier/fr… : find frp_0.23.1_windows_amd64.zip and download it.

(Mac users should download the macOS build instead.)

After extracting, edit the frpc.ini file:

[common]
# IP address of the public server where the FRP server is deployed
server_addr = 132.232.64.79
# must match bind_port on the server
server_port = 7000

# The proxy name in [] must be globally unique across all clients connected to
# this server; two proxies with the same name will conflict and break normal use.
[http-a]
type = http
# local_port is the local web service port you want to expose to the Internet
local_port = 8585
# subdomain must also be globally unique; it is combined with the server's
# subdomain_host, so subdomain = a becomes a.dev.msh.com
subdomain = a

# proxy 2 follows the same pattern as proxy 1
[http-b]
type = http
local_port = 8686
subdomain = b
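The client-side counterpart, added here as an example and not part of the original article: the same token as on the server (a placeholder here), plus two per-proxy options that frp documents for type = http. use_encryption encrypts the frpc-to-frps leg (the leg between the Internet user and nginx is still plain HTTP), and http_user / http_pwd make frps demand HTTP basic auth before it forwards a request to that proxy, which is a simple way to give each developer's tunnel its own login. Credentials shown are placeholders.

```ini
[common]
server_addr = 132.232.64.79
server_port = 7000
# must be byte-for-byte identical to token in frps.ini
token = change-me-to-a-long-random-string

[http-a]
type = http
local_ip = 127.0.0.1
local_port = 8585
subdomain = a
# encrypt and compress traffic between frpc and frps
use_encryption = true
use_compression = true
# frps asks Internet users for these before forwarding to this proxy
http_user = dev-a
http_pwd = change-me-per-developer

[http-b]
type = http
local_ip = 127.0.0.1
local_port = 8686
subdomain = b
use_encryption = true
use_compression = true
http_user = dev-b
http_pwd = another-placeholder
```

If the token differs from the server's, frpc logs a login failure instead of "start proxy success" and no subdomain is registered.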

Start the client

Open PowerShell or CMD in the extracted frp directory and run:

 .\frpc.exe -c .\frpc.ini

If "start proxy success" appears in the output, the tunnel between the FRP server and the FRP client has been established.

Test access

Visit http://a.dev.msh.com in a browser to check that your local web service is now reachable from the Internet.

6. Questions and answers

Q: Why build your own NAT-traversal service instead of buying a commercial one such as Peanut Shell (Oray)?

A: Peanut Shell is expensive: the flagship edition costs 868 yuan a year and includes only four port mappings, which may not even cover four developers. A medium-sized Internet company has 40, 50 or hundreds of employees; with Peanut Shell that comes to 30,000 or 40,000 yuan a year, which is not a small amount. A company like that already has its own servers and domain names, so why not build the service itself?

Q: WeChat Mini Programs only allow HTTPS, but this setup is HTTP only. How can it be used?

A: In WeChat DevTools, open Project Settings and tick "Do not verify valid domain names, web-view (business) domain names, TLS versions and HTTPS certificates". Production then uses HTTPS while local development uses HTTP.

For how to deploy HTTPS in production, see my article on Juejin.

As for HTTPS in the local development environment, I have tried mkcert and the JDK keystore but have not found a workable solution.

Q: I have set up the service; how do I restrict it to internal members and stop outsiders from "hitchhiking" on it?

A: Authentication is done with the token parameter: set the same token value in the [common] section of both frps.ini and frpc.ini. A client whose token matches the server's is accepted; one whose token differs is refused when it connects.
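What "the same token" buys you, shown as an added example that is my own re-implementation for illustration and not frp's code: as far as I read frp 0.22.0's source (util.GetAuthKey), frpc does not send the token itself; its Login message carries a timestamp and md5(token + timestamp), and frps recomputes the digest with its own token and also rejects logins whose timestamp is more than authentication_timeout seconds (900 by default) away from its clock. The script models both sides of that check with constructed values (the token strings and timestamps are made up; the window comparison is simplified to an absolute difference). It also shows the two limits of the scheme: a server with an empty token accepts everyone, since md5("" + timestamp) is computable by anyone, and a captured Login is replayable within the window, which is a reason to filter bind_port to known client addresses where you can.

```python
"""Model of frp 0.22.0's token login check (re-implementation for illustration)."""
import hashlib
import time
from typing import Dict, Tuple

AUTH_TIMEOUT = 900  # frps default authentication_timeout, in seconds


def auth_key(token: str, timestamp: int) -> str:
    """What frpc puts in its Login message: hex(md5(token + str(timestamp)))."""
    return hashlib.md5((token + str(timestamp)).encode()).hexdigest()


def verify_login(server_token: str, key: str, timestamp: int, now: int,
                 timeout: int = AUTH_TIMEOUT) -> Tuple[bool, str]:
    """Server-side check: reject stale timestamps first, then compare digests.

    timeout <= 0 disables the window check (as authentication_timeout = 0 does).
    """
    if timeout > 0 and abs(now - timestamp) > timeout:
        return False, "timestamp outside authentication_timeout window"
    if auth_key(server_token, timestamp) != key:
        return False, "token mismatch"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the scenarios from the lead-in with constructed values."""
    now = int(time.time())
    shared = "s3cret-shared-token"  # constructed placeholder, not a real secret
    ts = now
    results = {}
    # 1. matching tokens on both sides: accepted
    results["match"] = verify_login(shared, auth_key(shared, ts), ts, now)[0]
    # 2. a client guessing a different token: rejected
    results["mismatch"] = verify_login(shared, auth_key("guess", ts), ts, now)[0]
    # 3. server configured without a token: any client computing md5("" + ts) gets in
    results["no_token"] = verify_login("", auth_key("", ts), ts, now)[0]
    # 4. captured Login replayed 10 minutes later: still inside the window, accepted
    results["replay_in_window"] = verify_login(shared, auth_key(shared, ts), ts, now + 600)[0]
    # 5. same capture replayed 20 minutes later: rejected by the window
    results["replay_late"] = verify_login(shared, auth_key(shared, ts), ts, now + 1200)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} {'accepted' if ok else 'rejected'}")
```

The practical reading: set a long random token on both sides, and treat bind_port like any other credential-protected admin port rather than a public service.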