Preface
I previously used ngrok for intranet penetration. The latest 1.x release of ngrok, 1.7.1, has a serious memory leak, the 1.x line is no longer maintained, and ngrok 2.x is no longer open source, so I considered switching to another intranet penetration tool.
1、 Business scenarios
- One Alibaba Cloud server (Windows Server 2012) with a public IP.
- Three intranet servers: two Windows servers and one CentOS server.
- One first-level domain name, already resolving to the public IP.
Requirement: the HTTP services deployed on the three intranet servers must be reachable through the domain name or IP, and the three intranet servers must be reachable over remote desktop and other network services through the domain name or IP.
- Open source and actively maintained.
- Supports TCP, UDP, HTTP, HTTPS, STCP and other protocols.
- Written in Go, with a small memory footprint and stable proxying.
- Simple configuration; custom plugin configuration and plugin development for your own business needs.
- Provides many features: secure exposure of intranet services, encryption and compression, an optional KCP protocol for the underlying transport, port reuse, load balancing, health checks, URL routing, port range mapping, request header processing and so on.
- The server side has a dashboard: on the proxy server you can view the status of frp and the statistics of each proxy in a browser.
- The client side has an admin UI for viewing proxy status, editing the configuration online and hot-reloading it.
3、 Server configuration
1. Open ports on the cloud server
Log in to the Alibaba Cloud console, go to the instance's security group and open the ports the penetration proxies need. To begin with, open the following:
- TCP ports 7000 to 7010. Port 7000 is the default port on which frps communicates with its clients; ports 7001 to 7010 serve as the remote ports of the TCP proxies for the intranet servers. If they are not enough, the range can be extended later.
- TCP ports 7080 and 7443, for the HTTP and HTTPS proxies. Ports 80 and 443 on the cloud server are already occupied by other applications; the suffixes 80 and 443 just make the mapping easy to remember.
- UDP port 7001, so that point-to-point intranet penetration can be enabled if needed.
None of these port numbers is mandatory; configure them as you see fit.
2. Download frp
Go to the frp GitHub releases page and check the latest version. Precompiled packages are provided for the common operating systems and architectures; download the one matching the cloud server's system. You can also download the source code and compile it yourself in a Go environment.
3. Configure frps
After downloading, extract the archive, open the folder and find the frps.ini file, which holds the server-side proxy rules. The files beginning with frpc are not used on the proxy server; they are used on the intranet servers.
The basic content of frps.ini is as follows:
```ini
[common]
# listen address and communication port
bind_addr = 0.0.0.0
bind_port = 7000
# default UDP port
bind_udp_port = 7001
# ports 7080 and 7443 listen for the HTTP and HTTPS proxies;
# the HTTP and HTTPS ports may be set to the same port as bind_port
vhost_http_port = 7080
vhost_https_port = 7443
# dashboard address and port. If dashboard_addr is not set it defaults to bind_addr;
# if dashboard_port is not set the dashboard is not started at all
dashboard_addr = 0.0.0.0
dashboard_port = 7500
# dashboard login account and password; both default to admin if not set
dashboard_user = admin
dashboard_pwd = admin
# domain of the cloud server; proxies can then be reached through subdomains of it
subdomain_host = example.com
# authentication token; choose a complex value, frpc must use the same one
token = 123456789
# log file path
log_file = ./logs/frps.log
# log level: trace, debug, info, warn or error
log_level = info
# maximum number of days to keep logs
log_max_days = 1
```
4. Start frps
Starting the frps service is very simple; enter the following command to start the proxy server:
```
./frps -c ./frps.ini
```
5. Configure frps as a system service
If the server runs Windows, it is recommended to use the WinSW tool to register frps as a system service:
- Download WinSW.exe or WinSW.zip and rename winsw.exe to frps-service.exe.
- Write the frps-service.xml configuration file:
```xml
<service>
  <id>frps</id>
  <name>frps</name>
  <description>frps</description>
  <logmode>roll</logmode>
  <depend></depend>
  <executable>path/frps.exe</executable>
  <arguments>-c frps.ini</arguments>
  <delayedAutoStart/>
  <onfailure action="restart" delay="20 sec"/>
</service>
```
- Install frps as a system service.
- Start the service.
If the server runs Linux, the extracted frp archive already provides the files for configuring frps as a system service under its systemd directory.
4、 Client configuration
1. Download frp
Go to the frp GitHub releases page, check the latest compiled version and download the one matching the intranet server's system.
2. Configure frpc
After downloading, extract the archive, open the folder and find the frpc.ini file, which holds the client-side proxy rules. Likewise, the files beginning with frps are not used on the intranet servers.
The basic content of frpc.ini is as follows:
```ini
[common]
# IP address of the cloud server and the communication port set in frps
server_addr = x.x.x.x
server_port = 7000
# authentication token, the same as in the frps configuration
token = 123456789
# log file path
log_file = ./logs/frps.log
# log level: trace, debug, info, warn or error
log_level = info
# maximum number of days to keep logs
log_max_days = 1
# admin UI that allows hot-reloading the configuration from a browser
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin

# TCP remote port range: 7001-7010

# RDP: Windows Remote Desktop, default port 3389, protocol TCP
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 7001
subdomain = rdp

# SMB: the protocol used by Windows file sharing, default port 445, protocol TCP.
# This rule enables remote file access.
#[smb]
#type = tcp
#local_ip = 127.0.0.1
#local_port = 445
#remote_port = 7002

# proxy the local SSH service
#[ssh]
#type = tcp
#local_ip = 127.0.0.1
#local_port = 22
#remote_port = 7003

# proxy the local HTTP service on port 80
# the subdomain is appended to the subdomain_host configured in frps;
# visit test.example.com on the HTTP proxy port, i.e. http://test.example.com:7080
[web_test]
type = http
local_port = 80
subdomain = test
```
3. Start frpc
Start the frpc service with:
```
./frpc -c ./frpc.ini
```
You can then test remote desktop, SSH, the web services and so on through the cloud server.
4. Configure frpc as a system service
This is not repeated here; the configuration is the same as for frps above, with the file names changed.
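Both sample configurations above ship with values a defender would not leave in place (a short all-digit token, admin/admin on the dashboard and admin UI, RDP published on a public TCP port). The following audit script is an added example, not code from the post or from the frp project; it reads an frps.ini/frpc.ini pair with Python's configparser and reports those weak settings, using constructed samples that mirror the tutorial's values.

```python
import configparser

# Constructed sample configs (not the post's files) reproducing its weak values.
FRPS_INI = """[common]
dashboard_port = 7500
dashboard_pwd = admin
token = 123456789
"""
FRPC_INI = """[common]
token = 123456789
admin_port = 7400
admin_pwd = admin
[rdp]
type = tcp
local_port = 3389
remote_port = 7001
[web_test]
type = http
local_port = 80
"""
# local services that should not be published on a public TCP port
SENSITIVE = {"3389": "RDP", "445": "SMB", "22": "SSH"}

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # frp values may contain '%'
    cp.read_string(text)
    return cp

def audit(frps_text, frpc_text):
    """Return (severity, message) findings for an frps.ini / frpc.ini pair."""
    s, frpc = _load(frps_text)["common"], _load(frpc_text)
    c, out = frpc["common"], []
    tok = s.get("token", "")
    if not tok:
        out.append(("high", "frps: no token, any client can register proxies"))
    elif len(tok) < 16 or tok.isdigit():
        out.append(("medium", "frps: token is short or all digits, use a long random value"))
    if tok != c.get("token", ""):
        out.append(("high", "token differs between frps and frpc, clients will fail auth"))
    if "dashboard_port" in s:  # the dashboard only starts when a port is set
        if s.get("dashboard_pwd", "admin") == "admin":
            out.append(("high", "frps: dashboard keeps the default admin password"))
        if s.get("dashboard_addr", s.get("bind_addr", "0.0.0.0")) == "0.0.0.0":
            out.append(("medium", "frps: dashboard binds all interfaces, exposed once its port is opened"))
    if "admin_port" in c and c.get("admin_pwd", "admin") == "admin":
        out.append(("medium", "frpc: admin UI keeps the default password"))
    for name in frpc.sections():  # every section other than [common] is a proxy
        p, svc = frpc[name], SENSITIVE.get(frpc[name].get("local_port", ""))
        if name != "common" and p.get("type") == "tcp" and svc:
            out.append(("medium", f"frpc [{name}]: {svc} published on public port {p.get('remote_port')}, prefer stcp or restrict the security group"))
    return out
```

Run it against the real files with `audit(open("frps.ini").read(), open("frpc.ini").read())`; an empty list means none of these checks fired.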
5、 HTTPS configuration
There are two main ways to expose a penetrated intranet HTTP service over HTTPS:
- The https2http plugin, which puts HTTPS in front of a local HTTP service. This is convenient and simple when only selected services need HTTPS. However, if many services across the internal and external servers need to be penetrated over HTTPS, a certificate must be generated and configured for every penetrated service, which becomes cumbersome.
- Generating a wildcard certificate for the domain and configuring nginx on the external server to forward requests to the web services penetrated from the intranet.
This article mainly describes the second approach:
- Generate a wildcard certificate
- Configure nginx
- Certificate renewal
Originally published at https://github.com/liuvigongzuoshi/blog