frp: forwarding HTTPS from nginx to frps

Created on 21 Mar 2018  ·  6 Comments  ·  Source: fatedier/frp

What version of frp are you using (./frpc -v or ./frps -v)?
0.16

What operating system and processor architecture are you using (go env)?
centos 7.4

Configuration you used:

Steps to reproduce the issue:
1. Start frps;
frps.ini
bind_port = 7000
vhost_http_port = 7080
vhost_https_port = 7443
subdomain_host = testtest.com

2. The nginx configuration (nginx.ini);

server {
    server_name *.testtest.com;
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/testtest.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/testtest.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://127.0.0.1:7443;
        #proxy_ssl_server_name on;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

3. Start frpc and start the local HTTPS service on port 8009;
[test1]
type = https
local_ip = 127.0.0.1
local_port = 8009
subdomain = test1

Describe the results you received:
Visiting https://test1.testtest.com:7443 works normally.
Visiting https://test1.testtest.com fails; the log outputs:

get hostname from http/https request error: Unknow error

Additional information you deem important (e.g. issue happens only occasionally):
Although, following (https://github.com/fatedier/frp/issues/610),
I can hardcode nginx.ini as:

server_name test1.testtest.com;
proxy_pass https://test1.testtest.com:7443;

With that, both https://test1.testtest.com:7443 and https://test1.testtest.com work normally, but it is very inconvenient once frps is configured with subdomain_host and frpc uses subdomain.

Has anyone already solved this?
@fatedier @312102021

Update 2018-03-22: solved, with a pointer from an expert.

All 6 comments

You are using a free SSL certificate, and a free certificate should not be able to bind a wildcard domain like *.baidu.com. A free certificate can only bind one top-level domain or one second-level domain; if you have a.baidu.com and b.baidu.com, you should need to apply for two certificates.

@wxlg1117 How did you solve it?

Same question: how did you solve it?

After some tinkering, HTTPS forwarding is now working properly. The certificate is a free Let's Encrypt one, which supports wildcard domains.
Domains of the form https://xxxxx.frp.yourdomain.com can be accessed.

nginx.conf

server {
    listen 443 ssl http2;
    server_name *.frp.yourdomain.com;
    ssl_certificate ../ssl/cert.pem;
    ssl_certificate_key ../ssl/privkey.pem;
    location / {
        resolver 127.0.0.1; # resolve the domain locally via /etc/dnsmasq.conf
        proxy_ssl_server_name on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass https://$host:7443; # reach the frp service by domain name
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}

Map the domain resolution locally
/etc/dnsmasq.conf

address=/.yourdomain.com/127.0.0.1
address=/.frp.yourdomain.com/127.0.0.1

frps.ini

[common]
bind_port = 7000
subdomain_host = frp.yourdomain.com
vhost_http_port = 7080
vhost_https_port = 7443
dashboard_port = 7500
token=yourtoken
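Why the original configuration failed and the one above works, shown with an added example (not code from frp or from anyone in this thread): frps picks the backend for an HTTPS vhost from the SNI server_name in the TLS ClientHello, so a proxy_pass to 127.0.0.1:7443 with proxy_ssl_server_name left off sends no SNI and frps has no hostname to route on. The script below constructs minimal ClientHello records with and without SNI and extracts the hostname the way a vhost router must; the hostnames and bytes are constructed for illustration.

```python
from __future__ import annotations
import struct


def build_client_hello(sni: str | None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, optionally carrying SNI."""
    extensions = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = SNI
    body = (
        b"\x03\x03" + bytes(32)                       # client_version + 32-byte random (zeros here)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the SNI host_name a vhost router would key on, or None when absent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a TLS handshake record / not a ClientHello
    pos = 43  # record hdr(5) + handshake hdr(4) + version(2) + random(32)
    pos += 1 + record[pos]  # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]  # compression_methods
    if pos + 2 > len(record):
        return None  # no extensions block at all (e.g. a bare TLS 1.0 client)
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:  # server_name: list_len(2), then name_type(1)+name_len(2)+name
            name_type = record[pos + 2]
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            if name_type == 0:
                return record[pos + 5:pos + 5 + name_len].decode("idna")
        pos += ext_len
    return None
```

A ClientHello that arrives at frps without SNI is the situation behind "get hostname from http/https request error": nothing in the record names a vhost, so no proxy can be matched.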

@wxlg1117, hello, I would like to ask: for this to work, must the cloud server (with a public IP, running frps and nginx) and the intranet server (running frpc) have the same Let's Encrypt certificate (fullchain.pem and privkey.pem)? I personally think so; in that case, does the certificate have to be copied directly from the cloud server to the intranet server, and strictly speaking, would that pose a potential network security risk? Thanks!

1. The server does not need to run frpc; frpc runs on the client side.
2. SSL only needs to be installed on the server side; the client does not need to install it.

