文章目录
- 项目概述
- 核心特性
- 系统架构
- 快速开始
- 1. 下载安装
- 2. 服务端快速配置
- 3. 客户端快速配置
- 4. 验证连接
- 配置文件说明
- 代理类型
- TCP/UDP 代理
- HTTP/HTTPS 代理
- 安全代理 (STCP/SUDP)
- P2P 代理 (XTCP)
- 插件系统
- 静态文件服务
- HTTP/SOCKS5 代理
- 协议转换
- 使用场景
- 远程办公
- Web 服务发布
- 游戏服务器
- 开发环境共享
- 监控运维
- Prometheus 监控
- Grafana 仪表板
- 日志管理
- Web 管理界面
- 安全配置
- 认证加强
- 防火墙配置
- 访问控制
- fail2ban 防护
- 项目地址
项目概述
frp(Fast Reverse Proxy)是一个高性能的反向代理服务,专注于内网穿透解决方案。它允许您将位于 NAT 或防火墙后的本地服务器暴露到互联网,支持多种协议和高级功能。
核心特性
- 多协议支持:TCP、UDP、HTTP、HTTPS、KCP、QUIC、WebSocket
- 安全认证:Token、OIDC、TLS 加密传输
- 高性能:TCP 流复用、连接池、压缩传输
- 易于配置:TOML/YAML/JSON 配置格式
- 监控支持:Prometheus 指标、Web 管理界面
- 插件扩展:静态文件、HTTP 代理、SOCKS5 等
系统架构
快速开始
1. 下载安装
# 下载最新版本
wget https://github.com/fatedier/frp/releases/download/v0.53.2/frp_0.53.2_linux_amd64.tar.gz
tar -xzf frp_0.53.2_linux_amd64.tar.gz
cd frp_0.53.2_linux_amd64
2. 服务端快速配置
# 使用简化配置启动服务端
cat > frps.toml << EOF
bindPort = 7000
vhostHTTPPort = 80[auth]
token = "your_token_here"[webServer]
addr = "0.0.0.0"
port = 7500
user = "admin"
password = "admin"
EOF# 启动服务端
./frps -c frps.toml
3. 客户端快速配置
# 配置客户端
cat > frpc.toml << EOF
serverAddr = "your.server.com"
serverPort = 7000[auth]
token = "your_token_here"[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000
EOF# 启动客户端
./frpc -c frpc.toml
4. 验证连接
# 通过代理连接 SSH
ssh -p 6000 username@your.server.com# 访问管理界面
curl http://your.server.com:7500
配置文件说明
# 基础连接配置
serverAddr = "your.server.com"
serverPort = 7000# 认证配置
[auth]
method = "token"
token = "your_secure_token"# 传输层配置
[transport]
protocol = "tcp"
tls.enable = true
tcpMux = true
poolCount = 5# 代理配置示例
[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["www.example.com"]
代理类型
TCP/UDP 代理
适用于任何基于 TCP/UDP 的服务:
# SSH 代理
[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000# DNS 代理
[[proxies]]
name = "dns"
type = "udp"
localIP = "127.0.0.1"
localPort = 53
remotePort = 6053
HTTP/HTTPS 代理
支持域名绑定和路径路由:
# Web 应用代理
[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 8080
customDomains = ["www.example.com"]
locations = ["/api", "/admin"]# HTTPS 代理
[[proxies]]
name = "secure_web"
type = "https"
localIP = "127.0.0.1"
localPort = 443
customDomains = ["secure.example.com"]
安全代理 (STCP/SUDP)
需要密钥认证的安全代理:
# 服务端配置
[[proxies]]
name = "secret_ssh"
type = "stcp"
secretKey = "abcdefg123456"
localIP = "127.0.0.1"
localPort = 22# 访问端配置
[[visitors]]
name = "secret_ssh_visitor"
type = "stcp"
serverName = "secret_ssh"
secretKey = "abcdefg123456"
bindIP = "127.0.0.1"
bindPort = 9000
P2P 代理 (XTCP)
客户端间直连,减少服务器带宽:
# P2P 文件传输
[[proxies]]
name = "p2p_transfer"
type = "xtcp"
secretKey = "p2p_secret"
localIP = "127.0.0.1"
localPort = 8080[[visitors]]
name = "p2p_transfer_visitor"
type = "xtcp"
serverName = "p2p_transfer"
secretKey = "p2p_secret"
bindIP = "127.0.0.1"
bindPort = 8081
插件系统
frp 支持多种客户端插件,扩展功能:
静态文件服务
[[proxies]]
name = "static_files"
type = "http"
customDomains = ["files.example.com"][proxies.plugin]
type = "static_file"
localPath = "/var/www/html"
stripPrefix = "files"
httpUser = "admin"
httpPassword = "password"
HTTP/SOCKS5 代理
# HTTP 代理
[[proxies]]
name = "http_proxy"
type = "tcp"
remotePort = 8080[proxies.plugin]
type = "http_proxy"
httpUser = "proxy_user"
httpPassword = "proxy_pass"# SOCKS5 代理
[[proxies]]
name = "socks5_proxy"
type = "tcp"
remotePort = 1080[proxies.plugin]
type = "socks5"
username = "socks_user"
password = "socks_pass"
协议转换
# HTTP 转 HTTPS
[[proxies]]
name = "http_to_https"
type = "http"
customDomains = ["convert.example.com"][proxies.plugin]
type = "http2https"
localAddr = "127.0.0.1:443"
hostHeaderRewrite = "internal.example.com"
使用场景
远程办公
# 企业内网访问
[[proxies]]
name = "office_rdp"
type = "tcp"
localIP = "192.168.1.100"
localPort = 3389
remotePort = 3389[[proxies]]
name = "office_ssh"
type = "tcp"
localIP = "192.168.1.101"
localPort = 22
remotePort = 2222
Web 服务发布
# 个人博客
[[proxies]]
name = "blog"
type = "http"
localIP = "127.0.0.1"
localPort = 4000
customDomains = ["myblog.com"]# API 服务
[[proxies]]
name = "api"
type = "http"
localIP = "127.0.0.1"
localPort = 8080
subDomain = "api"
游戏服务器
# Minecraft 服务器
[[proxies]]
name = "minecraft"
type = "tcp"
localIP = "127.0.0.1"
localPort = 25565
remotePort = 25565[proxies.transport]
bandwidthLimit = "1GB"
useCompression = false
开发环境共享
# 前端开发服务器
[[proxies]]
name = "frontend"
type = "http"
localIP = "127.0.0.1"
localPort = 3000
subDomain = "dev"# 数据库访问
[[proxies]]
name = "database"
type = "tcp"
localIP = "127.0.0.1"
localPort = 5432
remotePort = 5432
监控运维
Prometheus 监控
# prometheus.yml
scrape_configs:- job_name: 'frps'static_configs:- targets: ['localhost:7500']metrics_path: '/metrics'- job_name: 'frpc'static_configs:- targets: ['localhost:7400']
Grafana 仪表板
- 连接数监控
- 流量统计
- 代理状态
- 性能指标
日志管理
# 日志轮转配置
/var/log/frp/*.log {dailyrotate 30compresscopytruncate
}
Web 管理界面
- 服务端:
http://your.server.com:7500 - 客户端:
http://127.0.0.1:7400
安全配置
认证加强
[auth]
method = "token"
token = "$(openssl rand -base64 32)"
additionalScopes = ["HeartBeats", "NewWorkConns"]# TLS 强制加密
[transport.tls]
force = true
certFile = "/etc/frp/ssl/server.crt"
keyFile = "/etc/frp/ssl/server.key"
防火墙配置
# 基础防火墙规则
ufw allow 7000/tcp # frp 服务端口
ufw allow 7500/tcp # 管理界面
ufw allow 80/tcp # HTTP 代理
ufw allow 443/tcp # HTTPS 代理
访问控制
# 端口限制
allowPorts = [{ start = 2000, end = 3000 },{ single = 3389 }
]# 客户端限制
maxPortsPerClient = 5
userConnTimeout = 10
fail2ban 防护
[frp-auth]
enabled = true
filter = frp-auth
logpath = /var/log/frp/frps.log
maxretry = 3
bantime = 3600
项目地址
- GitHub 仓库
- 官方文档
- Release 页面
深入解析)
-转载官方翻译(有修正))
)
