frp内网穿透http演示,以及TLS加密安全传输的示例~
aria2-client
auth: {
// either add the token field or the user and pass field, not both.
token: 'wanghaoxuan'
/*-----------------------------*/
// user: '*YOUR_USERNAME*',
// pass: '*YOUR_SECRET_PASS*'
}
aria2-server
aria2c --enable-rpc --rpc-listen-all --rpc-listen-port=<PORT> --rpc-secret=<TOKEN> --dir=<DIR>
frps
[common]
bind_port = 1***0
vhost_http_port = 1***0
frpc
[common]
server_addr = www.hyiki.website
server_port = 1***0
; [ssh]
; type = tcp
; local_ip = 127.0.0.1
; local_port = 22
; remote_port = 6000
[web]
type = http
local_port = 1***0
custom_domains = www.hyiki.website
Encryption and Compression
The features are off by default. You can turn on encryption and/or compression:
# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true
TLS
frp supports the TLS protocol between frpc and frps since v0.25.0.
For port multiplexing, frp sends a first byte 0x17 to dial a TLS connection.
Configure tls_enable = true in the [common] section to frpc.ini to enable this feature.
To enforce frps to only accept TLS connections - configure tls_only = true in the [common] section in frps.ini. This is optional.
frpc TLS settings (under the [common] section):
tls_enable = true
tls_cert_file = certificate.crt
tls_key_file = certificate.key
tls_trusted_ca_file = ca.crt
frps TLS settings (under the [common] section):
tls_only = true
tls_enable = true
tls_cert_file = certificate.crt
tls_key_file = certificate.key
tls_trusted_ca_file = ca.crt
You will need a root CA cert and at least one SSL/TLS certificate. It can be self-signed or regular (such as Let’s Encrypt or another SSL/TLS certificate provider).
If you using frp via IP address and not hostname, make sure to set the appropriate IP address in the Subject Alternative Name (SAN) area when generating SSL/TLS Certificates.
Given an example:
- Prepare openssl config file. It exists at
/etc/pki/tls/openssl.cnfin Linux System and/System/Library/OpenSSL/openssl.cnfin MacOS, and you can copy it to current path, likecp /etc/pki/tls/openssl.cnf ./my-openssl.cnf. If not, you can build it by yourself, like:
cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF
- build ca certificates:
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
- build frps certificates:
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com")) \
-out server.csr
openssl x509 -req -days 365 -sha256 \
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com") \
-out server.crt
- build frpc certificates:
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com,DNS:example.client.com")) \
-out client.csr
openssl x509 -req -days 365 -sha256 \
-in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \
-out client.crt