frp 一个高性能的反向代理服务

项目概述

frp（Fast Reverse Proxy）是一个高性能的反向代理服务，专注于内网穿透解决方案。它允许您将位于 NAT 或防火墙后的本地服务器暴露到互联网，支持多种协议和高级功能。

核心特性

• 多协议支持：TCP、UDP、HTTP、HTTPS、KCP、QUIC、WebSocket
• 安全认证：Token、OIDC、TLS 加密传输
• 高性能：TCP 流复用、连接池、压缩传输
• 易于配置：TOML/YAML/JSON 配置格式
• 监控支持：Prometheus 指标、Web 管理界面
• 插件扩展：静态文件、HTTP 代理、SOCKS5 等

系统架构

快速开始

1. 下载安装

# 下载最新版本
wget https://github.com/fatedier/frp/releases/download/v0.53.2/frp_0.53.2_linux_amd64.tar.gz
tar -xzf frp_0.53.2_linux_amd64.tar.gz
cd frp_0.53.2_linux_amd64

2. 服务端快速配置

# 使用简化配置启动服务端
cat > frps.toml << EOF
bindPort = 7000
vhostHTTPPort = 80[auth]
token = "your_token_here"[webServer]
addr = "0.0.0.0"
port = 7500
user = "admin"
password = "admin"
EOF# 启动服务端
./frps -c frps.toml

3. 客户端快速配置

# 配置客户端
cat > frpc.toml << EOF
serverAddr = "your.server.com"
serverPort = 7000[auth]
token = "your_token_here"[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000
EOF# 启动客户端
./frpc -c frpc.toml

4. 验证连接

# 通过代理连接 SSH
ssh -p 6000 username@your.server.com# 访问管理界面
curl http://your.server.com:7500

配置文件说明

# 基础连接配置
serverAddr = "your.server.com"
serverPort = 7000# 认证配置
[auth]
method = "token"
token = "your_secure_token"# 传输层配置
[transport]
protocol = "tcp"
tls.enable = true
tcpMux = true
poolCount = 5# 代理配置示例
[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["www.example.com"]

代理类型

TCP/UDP 代理

适用于任何基于 TCP/UDP 的服务：

# SSH 代理
[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 6000# DNS 代理
[[proxies]]
name = "dns"
type = "udp"
localIP = "127.0.0.1"
localPort = 53
remotePort = 6053

HTTP/HTTPS 代理

支持域名绑定和路径路由：

# Web 应用代理
[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 8080
customDomains = ["www.example.com"]
locations = ["/api", "/admin"]# HTTPS 代理
[[proxies]]
name = "secure_web"
type = "https"
localIP = "127.0.0.1"
localPort = 443
customDomains = ["secure.example.com"]

安全代理 (STCP/SUDP)

需要密钥认证的安全代理：

# 服务端配置
[[proxies]]
name = "secret_ssh"
type = "stcp"
secretKey = "abcdefg123456"
localIP = "127.0.0.1"
localPort = 22# 访问端配置
[[visitors]]
name = "secret_ssh_visitor"
type = "stcp"
serverName = "secret_ssh"
secretKey = "abcdefg123456"
bindIP = "127.0.0.1"
bindPort = 9000

P2P 代理 (XTCP)

客户端间直连，减少服务器带宽：

# P2P 文件传输
[[proxies]]
name = "p2p_transfer"
type = "xtcp"
secretKey = "p2p_secret"
localIP = "127.0.0.1"
localPort = 8080[[visitors]]
name = "p2p_transfer_visitor"
type = "xtcp"
serverName = "p2p_transfer"
secretKey = "p2p_secret"
bindIP = "127.0.0.1"
bindPort = 8081

插件系统

frp 支持多种客户端插件，扩展功能：

静态文件服务

[[proxies]]
name = "static_files"
type = "http"
customDomains = ["files.example.com"][proxies.plugin]
type = "static_file"
localPath = "/var/www/html"
stripPrefix = "files"
httpUser = "admin"
httpPassword = "password"

HTTP/SOCKS5 代理

# HTTP 代理
[[proxies]]
name = "http_proxy"
type = "tcp"
remotePort = 8080[proxies.plugin]
type = "http_proxy"
httpUser = "proxy_user"
httpPassword = "proxy_pass"# SOCKS5 代理
[[proxies]]
name = "socks5_proxy"
type = "tcp"
remotePort = 1080[proxies.plugin]
type = "socks5"
username = "socks_user"
password = "socks_pass"

协议转换

# HTTP 转 HTTPS
[[proxies]]
name = "http_to_https"
type = "http"
customDomains = ["convert.example.com"][proxies.plugin]
type = "http2https"
localAddr = "127.0.0.1:443"
hostHeaderRewrite = "internal.example.com"

使用场景

远程办公

# 企业内网访问
[[proxies]]
name = "office_rdp"
type = "tcp"
localIP = "192.168.1.100"
localPort = 3389
remotePort = 3389[[proxies]]
name = "office_ssh"
type = "tcp"
localIP = "192.168.1.101"
localPort = 22
remotePort = 2222

Web 服务发布

# 个人博客
[[proxies]]
name = "blog"
type = "http"
localIP = "127.0.0.1"
localPort = 4000
customDomains = ["myblog.com"]# API 服务
[[proxies]]
name = "api"
type = "http"
localIP = "127.0.0.1"
localPort = 8080
subDomain = "api"

游戏服务器

# Minecraft 服务器
[[proxies]]
name = "minecraft"
type = "tcp"
localIP = "127.0.0.1"
localPort = 25565
remotePort = 25565[proxies.transport]
bandwidthLimit = "1GB"
useCompression = false

开发环境共享

# 前端开发服务器
[[proxies]]
name = "frontend"
type = "http"
localIP = "127.0.0.1"
localPort = 3000
subDomain = "dev"# 数据库访问
[[proxies]]
name = "database"
type = "tcp"
localIP = "127.0.0.1"
localPort = 5432
remotePort = 5432

监控运维

Prometheus 监控

# prometheus.yml
scrape_configs:- job_name: 'frps'static_configs:- targets: ['localhost:7500']metrics_path: '/metrics'- job_name: 'frpc'static_configs:- targets: ['localhost:7400']

Grafana 仪表板

• 连接数监控
• 流量统计
• 代理状态
• 性能指标

日志管理

# 日志轮转配置
/var/log/frp/*.log {dailyrotate 30compresscopytruncate
}

Web 管理界面

• 服务端：http://your.server.com:7500
• 客户端：http://127.0.0.1:7400

安全配置

认证加强

[auth]
method = "token"
token = "$(openssl rand -base64 32)"
additionalScopes = ["HeartBeats", "NewWorkConns"]# TLS 强制加密
[transport.tls]
force = true
certFile = "/etc/frp/ssl/server.crt"
keyFile = "/etc/frp/ssl/server.key"

防火墙配置

# 基础防火墙规则
ufw allow 7000/tcp  # frp 服务端口
ufw allow 7500/tcp  # 管理界面
ufw allow 80/tcp    # HTTP 代理
ufw allow 443/tcp   # HTTPS 代理

访问控制

# 端口限制
allowPorts = [{ start = 2000, end = 3000 },{ single = 3389 }
]# 客户端限制
maxPortsPerClient = 5
userConnTimeout = 10

fail2ban 防护

[frp-auth]
enabled = true
filter = frp-auth
logpath = /var/log/frp/frps.log
maxretry = 3
bantime = 3600

项目地址

• GitHub 仓库
• 官方文档
• Release 页面