frp + nginx deploy http intranet penetration service

Keywords: Nginx network firewall Windows

frp + nginx deploy http intranet penetration service

1, Foreword

frp is a high-performance reverse proxy application developed in Go language, which can be used for intranet penetration. It supports tcp, udp, http and
https. A web service deployed on the local machine can be mapped to an external network. This article mainly talks about how to configure http based on frp + nginx
The intranet penetration service, which hosts multiple users simultaneously, supports the local development and debugging of WeChat public number and WeChat applet.

Resource requirements:
A public network server or VPS (the host of Tencent cloud I use)
A domain name pointing to this public network server (this article takes as an example)
The environment involved in this paper
nginx 1.10.1
frp 0.22.0
Windows 10

2, frp principle

Frp request process

First, after the frpc starts, connect to the frps, and send a request login(), and then keep the long connection. If it is disconnected, try again
After receiving the request, frps will establish a listener to listen to the request from the public network
When frp receives the request, it will check whether there is a connection available locally (frp can set the connection pool). If not, it will issue an msg.StartWorkConn and wait for the request from frp
After the frpc receives the request, it sends a request to the frps. The request will initially name which proxy the connection is going to
After frps receives the connection from frpc, it transfers the newly established connection and the connection from the public network to each other
If the request is disconnected, disconnect the request at the other end

Take my frp intranet penetration service as an example:
Step 1: when the configuration is correct, the frp server and the frp client are started successively to establish a communication tunnel, among which:
The frp server listens to the http 7071 port (this port can be customized), and receives all requests from users on the Internet under this port
In this paper, port 8585 and port 8686 are taken as examples
Step 2: by configuring nginx reverse proxy, map the subdomain name under of the public server to port 7071 of the server, which is the port that frp listens to. Internet users access the subdomain name under, for example:
It is the same as accessing 7071, which will trigger the interaction between the frp server and the client, so that the http request is passed from the frp server to the frp client
Step 3: after receiving the http request, the frp client will do the following processing based on the custom configuration:
If the domain name in the http request is, the request will be forwarded to my local 8585 web service port
If the domain name in the http request is, the request will be forwarded to my local 8686 web service port
Step 4: after the local web service receives the http request, it processes the request and completes the response
Step 5: the frp client will return the response result to the frp server. The server finally sends the response back to the Internet users
Step 6: the final measured results are:
Visiting is the same as visiting my local localhost:8585
Visiting is the same as visiting my local localhost:8686

3, Preparations

3.1 configure subdomain name in domain name resolution background
This paper takes as an example:
Log in the domain name resolution background, and add two A records under dev, *. Dev. the record value is the ip of the public network server where the frp server is deployed.
Represents all subdomains under, which will all point to this public network server.
3.2 about go language environment
Because this article uses a green installation, there is no need to configure the go language environment. Thank you, Tylerrrkd

4, Server configuration

4.1 installation and configuration of FRP server
Download decompression

# download

# decompression
 tar -zxvf frp_0.32.1_linux_amd64.tar.gz 

Modify profile
After decompression, enter the decompression directory, find the frps.ini file, and make the following configuration. Please refer to corresponding notes for configuration description

# The port on which frp listens. It is used for communication between server and client
bind_port = 7000

# Through this port, the server listens and receives http requests from public network users
vhost_http_port = 7071

# frp provides a console that can be accessed through this port. You can view how many proxy connections frp currently has and the corresponding status
dashboard_port = 7500

# The subdomain host of the server needs to be used with the subdomain and local port in the client configuration file,
# May pass{subdomain}.{subdomain_host} Domain name format to access their own local web Service.
# If the subdomain_host of the server is,In a configuration group of the client
# subdomain is a,local_port by8585,
# Then:
# Visit ,Equivalent to accessing local localhost:8585

subdomain_host =

Start the frp server

nohup ./frps -c ./frpc.ini &

4.2 nginx reverse proxy configuration
(for more details on how to install nginx, please refer to Nginx Linux detailed installation and deployment tutorial)
Modify nginx.conf file

   # The reverse proxy of frp to receive http requests
    server {
        listen 80;
        server_name *;

        location / {
            # 7071Port is frp Monitoring http port
            proxy_set_header Host $host:80;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_connect_timeout 7d;
            proxy_send_timeout 7d;
            proxy_read_timeout 7d;

        # Prevent crawling
        if ($http_user_agent ~* "360Spider|JikeSpider|Spider|spider|bot|Bot|2345Explorer|curl|wget|webZIP|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|NSPlayer|bingbot")
                return 403;

Let nginx reload the configuration file

/usr/local/nginx/sbin/nginx   -s reload

4.3 open the firewall port

# Open firewall port   7000Port and7071The port is the one configured above bind_port and vhost_http_port port
firewall-cmd --zone=public --add-port=7000/tcp --permanent
firewall-cmd --zone=public --add-port=7071/tcp --permanent

# Restart the firewall after opening, so that the modification just took effect
firewall-cmd --reload

5, Client installation configuration

Download client
Go to GitHub to download the latest version of the Windows client , find FRP 0.23.1 windows, and click download
(for Mac users, please download the Mac version of the client)
After unzipping, edit the frpc.ini file

# Deploy the ip of the public network server of the frp server
server_addr = ****
# Consistent with the bind port of the server
server_port = 7000

# Agent service I,[]The proxy service name in is globally unique. Each proxy service of each person cannot have the same name,
# Otherwise, normal use will be affected.
type = http
# Local port represents the local web service port you want to expose to the Internet
local_port = 8585
# To ensure that subdomain is unique in the global scope, the subdomain of each agent service cannot have the same name, otherwise normal use will be affected.
# The subdomain of the client needs to be used with the subdomain of the server
subdomain = www

# Agent service II. Please refer to configuration group I for configuration instructions
type = http
local_port = 8686
subdomain = b

Start client
Right click in the frp decompression directory to open powershell or cmd, and execute the following command

 ./frpc.exe -c .\frpc.ini

If the window prompts "start proxy success", the communication tunnel between the frp server and the frp client is successfully established

Test access

Visit in the browser to test whether the local HTTP service has been exposed to the Internet

Open self starting

Add ` 'in / etc/rc.local (the specific path of the file is filled in according to the actual situation),

/root/frp_0.32.1_linux_amd64/frpc -c /root/frp_0.32.1_linux_amd64/frpc.ini > /root/frp_0.32.1_linux_amd64/log.log 2>&1

Enter the following command in the terminal, or download the file back to local modification and upload the overwriting source file again. Then execute

chmod +x /etc/rc.d/rc.local, restart to verify whether the machine starts automatically

Test address

You can view request response data and monitor services.
Published 5 original articles, won praise 0, visited 1413
Private letter follow

Posted by djlfreak on Fri, 07 Feb 2020 02:40:24 -0800