1. Deployment reasons
At home to build a set of servers do study and tests used, because home is no public IP unicom’s network (telecommunications bring public IP and mobile public IP, at least one point price one point goods ~ ~ ~), usually there is no way outside SSH access, so intend to use gai exposed version of tencent will cloud server port, convenient fishing at work in the company.
2. Introduction to FRP
FRP is a high-performance reverse proxy application focused on Intranet penetration. Intranet services can be exposed to the public network in a secure and convenient way through the transfer of nodes with public IP addresses. In C/S mode, the server is deployed on a machine with a public IP address, and the client is deployed on a machine on the Intranet or firewall. The client accesses the exposed port on the server and reverts to the service on the Intranet. On this basis, FRP supports TCP, UDP, HTTP, HTTPS and other protocols, and provides encryption, compression, identity authentication, proxy speed limiting, load balancing and many other capabilities.
Liverpoolfc.tv: gofrp.org/
GitHub:github.com/fatedier/fr…
3. Tencent cloud server related deployment
Tencent cloud server uses 1 core 2GB 1Mbps high performance cloud disk network: default-VPC hack version cloud host server (with public IP is ok).
Step 1: Install the package
Download and extract the installation package, and download the latest version from the Github Release page. (Choose your own version)
Wget tar ZXVF - https://github.com/fatedier/frp/releases/download/v0.37.0/frp_0.37.0_linux_amd64.tar.gz Frp_0. 37.0 _linux_amd64. Tar. GzCopy the codeThe cloud server serves as the server, so you can delete all frPC-related data packets and keep only FRPS related data packets.
Part two: Server configuration
Server configuration details
I directly modified the frps_full.ini reference file here, modified the listening address, log address, client authentication token, WEB_UI and other related configurations, and left the other configurations unchanged.
[root@host-cloud conf]# cat frps_full.ini [common] bind_addr = # Service listening address (internal IP address of Tencent cloud server) bind_port = 7000 bind_udp_port = 7001 kcp_bind_port = 7000 vhost_http_port = 80 vhost_https_port = 443 dashboard_addr = # Specifies the service listening address dashboard_port = 7500 Dashboard_user = #WEB_UI Username dashboard_pwd = #WEB_UI Password enable_prometheus = true log_file = /home/ FRP /logs/frps.log # Specifies the log address log_level = info log_max_days = 3 disable_log_color = false detailed_errors_to_client = true authentication_method = Token authenticate_heartbeats = false authenticate_new_work_conns = false token = # Client authentication Tocken oidC_SKip_EXPIRY_check = False oidC_SKip_ISSUer_Check = false ALLOW_ports = 2000-3000,3001,3003,4000-50000 max_POOL_count = 5 max_ports_per_client = 0 tls_only = false subdomain_host = frps.com tcp_mux = true udp_packet_size = 1500Copy the codeBasic configuration
| parameter | type | instructions | The default value | An optional value | note |
|---|---|---|---|---|---|
| bind_addr | string | The server listens for the address | 0.0.0.0 | ||
| bind_port | int | The server listens on the port | 7000 | Receives FRPC connections | |
| bind_udp_port | int | The server listens on UDP ports | 0 | Used to assist in creating P2P connections | |
| kcp_bind_port | int | The server listens on the KCP port | 0 | Used to receive FRPC with KCP connection | |
| proxy_bind_addr | string | Proxy listening address | With bind_addr | Agents can be made to listen at different network card addresses | |
| log_file | string | Log file address | ./frps.log | If set to Console, logs are printed to standard output | |
| log_level | string | The log level | info | trace, debug, info, warn, error | |
| log_max_days | int | Retention days of log files | 3 | ||
| disable_log_color | bool | Disable log colors in standard output | false | ||
| detailed_errors_to_client | bool | The server returns a detailed error message to the client | true | ||
| heart_beat_timeout | int | Timeout duration of the heartbeat connection between the server and client | 90 | Unit: second | |
| user_conn_timeout | int | Timeout duration of waiting for client response after a user establishes a connection | 10 | Unit: second | |
| udp_packet_size | int | Maximum packet length supported by the UDP proxy service | 1500 | The values on the server and client must be consistent | |
| tls_cert_file | string | TLS Server certificate file path | |||
| tls_key_file | string | TLS Server key file path | |||
| tls_trusted_ca_file | string | TLS CA certificate path |
Permission to verify
| parameter | type | instructions | The default value | An optional value | note |
|---|---|---|---|---|---|
| authentication_method | string | Authentication way | token | token, oidc | |
| authenticate_heartbeats | bool | Example Enable heartbeat message authentication | false | ||
| authenticate_new_work_conns | bool | Enable the authentication function for establishing a working connection | false | ||
| token | string | Token value for authentication | The client must set the same value to pass authentication | ||
| oidc_issuer | string | oidc_issuer | |||
| oidc_audience | string | oidc_audience | |||
| oidc_skip_expiry_check | bool | oidc_skip_expiry_check | |||
| oidc_skip_issuer_check | bool | oidc_skip_issuer_check |
Configuration management
| parameter | type | instructions | The default value | An optional value | note |
|---|---|---|---|---|---|
| allow_ports | string | Server port that allows proxy binding | The format is 1000-2000200, 1300-4000 | ||
| max_pool_count | int | Maximum connection pool size | 5 | ||
| max_ports_per_client | int | Limits the maximum number of concurrent agents on a single client | 0 | 0 means there is no limit | |
| tls_only | bool | Only tlS-enabled client connections are accepted | false |
Step 3: Set the boot automatically
Save frps.service and [email protected] in system to the /usr/lib/systemd/system directory
[root@host-cloud system]# cat frps.service [Unit] Description=Frp Server Service After=network.target [Service] Type=simple User=root # Restart=on-failure RestartSec=5s ExecStart=/home/frp/bin/frps -c Ini # Run the command + configuration file [Install] WantedBy=multi-user.target ============================================= [root@host-cloud system]# cat [email protected] [Unit] Description=Frp Server Target [Service] Type=simple User=root # Restart=on-failure RestartSec=5s ExecStart=/home/frp/bin/frps -c /home/frp/conf/frps_full.ini # Run the command + configuration file [Install] WantedBy=multi-userCopy the codeSetting boot
[root@host-cloud system]# systemctl daemon-reload [root@host-cloud ~]# systemctl start frps.service [root@host-cloud ~]# systemctl enable frps.serviceCopy the codeConfigure security groups for Tencent cloud, and enable ports INPUT 7000, 7500, and OutPUS 6000.
Access http://public IP address :7500
4. Client service deployment
Step 1: Install the package
Download and extract the installation package, and download the latest version from the Github Release page. (Choose your own version)
Wget tar ZXVF - https://github.com/fatedier/frp/releases/download/v0.37.0/frp_0.37.0_linux_amd64.tar.gz Frp_0. 37.0 _linux_amd64. Tar. GzCopy the codeThe cloud server serves as a client, so you can delete all FRPs-related data packets and retain only FRPC-related data packets.
Part two: Configuration files
Client configuration details
FRPC configuration file
[root@host-machine FRP]# cat conf/frpc.ini [common] server_addr = X.X.X.X # cloud server IP address public IP server_port = 7000 log_file = Log # Log address log_level = INFO log_max_days = 3 token = XXXXXXX # Server authentication token admin_ADDR = 192.168.31.200 Admin_port = 7400 admin_user = fong admin_pwd = qwer1234 pool_count = 5 tcp_mux = true user = fong Login_fail_exit = true protocol = TCP TLs_enable = true [SSH] type = TCP local_IP = 192.168.31.200 local_port = 22 remote_port = 6000Copy the codeBasic configuration
| parameter | type | instructions | The default value | An optional value | note |
|---|---|---|---|---|---|
| server_addr | string | Address of the connection server | 0.0.0.0 | ||
| server_port | int | Port connecting to the server | 7000 | ||
| http_proxy | string | Proxy address used to connect to the server | Format for {protocol} : / / user:[email protected]:8080 protocol Currently supports HTTP, SOCKs5, and NTLM | ||
| log_file | string | Log file address | ./frpc.log | If set to Console, logs are printed to standard output | |
| log_level | string | The log level | info | trace, debug, info, warn, error | |
| log_max_days | int | Retention days of log files | 3 | ||
| disable_log_color | bool | Disable log colors in standard output | false | ||
| pool_count | int | Connection pool size | 0 | ||
| user | string | The user name | After this parameter is set, the proxyName is changed to {user}.{proxyName} to avoid conflicts between the proxyName and other users | ||
| dns_server | string | Use the DNS server address | By default, the system-configured DNS server is used. You can forcibly replace this parameter with a user-defined DNS server address | ||
| login_fail_exit | bool | Whether to log out after the first login failure | true | ||
| protocol | string | Communication protocol connecting to the server | tcp | tcp, kcp, websocket | |
| tls_enable | bool | Enable the TLS protocol to encrypt connections | false | ||
| tls_cert_file | string | TLS client certificate file path | |||
| tls_key_file | string | TLS Client key file path | |||
| tls_trusted_ca_file | string | TLS CA certificate path | |||
| tls_server_name | string | The TLS Server name | If it is empty, server_addr is used | ||
| heartbeat_interval | int | Interval for sending heartbeat packets to the server | 30 | ||
| heartbeat_timeout | int | And server heartbeat timeout | 90 | ||
| udp_packet_size | int | Maximum packet length supported by the UDP proxy service | 1500 | The values on the server and client must be consistent | |
| start | string | Specifies enabling partial agents | This parameter is used when multiple agents are configured and you want to enable only part of them. By default, all agents are enabled |
Permission to verify
| parameter | type | instructions | The default value | An optional value | note |
|---|---|---|---|---|---|
| authentication_method | string | Authentication way | token | token, oidc | The value must be consistent with that on the server |
| authenticate_heartbeats | bool | Example Enable heartbeat message authentication | false | The value must be consistent with that on the server | |
| authenticate_new_work_conns | bool | Enable the authentication function for establishing a working connection | false | The value must be consistent with that on the server | |
| token | string | Token value for authentication | The authentication can pass only when the value is the same as that on the server | ||
| oidc_client_id | string | oidc_client_id | |||
| oidc_client_secret | string | oidc_client_secret | |||
| oidc_audience | string | oidc_audience | |||
| oidc_token_endpoint_url | string | oidc_token_endpoint_url |
Step 3: Start the machine
[root@host-machine systemd]# cat /usr/lib/systemd/system/frpc.service [Unit] Description=Frp Client Service After=network.target [Service] Type=simple User=root Restart=on-failure RestartSec=5s ExecStart=/home/frp/bin/frpc -c /home/frp/conf/frpc.ini ExecReload=/home/frp/bin/frpc reload -c /home/frp/conf/frpc.ini [Install] WantedBy=multi-user.target ======================================================================= [root@host-machine systemd]# cat /usr/lib/systemd/system/[email protected] [Unit] Description=Frp Client Service After=network.target [Service] Type=idle User=root Restart=on-failure RestartSec=5s ExecStart=/home/frp/bin/frpc -c /home/frp/conf/%i.ini ExecReload=/home/frp/bin/frpc reload -c /home/frp/conf/%i.ini [Install] WantedBy=multi-user.targetCopy the code [root@host-machine ~]# systemctl daemon-reload
[root@host-machine ~]# systemctl start frpc.service
[root@host-machine ~]# systemctl enable frpc.service
Copy the codeModify the local SSH service to disable root login and use the key to log in.
Port 22 # default port
#AddressFamily any # listen ipv4 and ipv6
ListenAddress 192.168.31.200 # listen ipv4 ipaddress
#ListenAddress :: # listen ipv6 ipaddress
HostKey /etc/ssh/ssh_host_rsa_key # ssh rsa private key dir
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key # ssh ecdsa private key dir
HostKey /etc/ssh/ssh_host_ed25519_key # ssh ED25519 private key dir
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO # log level
# Authentication:
LoginGraceTime 2m # user auth max 2min
PermitRootLogin no # allow root account SSH login,(test yes,product no)
StrictModes yes #
MaxAuthTries 4 # maximum number of authentications allowed per connection
MaxSessions 20 # max connection
PubkeyAuthentication yes # public key to verify
AuthorizedKeysFile .ssh/authorized_keys # public key to verify dir
PasswordAuthentication no # Whether password authentication is allowed
Copy the codeAfter the client is successfully connected, access http://public IP address :7500
5. How to log in
Ssh-oport =6000 [email protected]. x(public IP address)Copy the codeThe FRP forwards the traffic requesting X.X.X.X :6000 to port 22 on the Intranet machine.