FRP内网穿透详解

FRP内网穿透详解

我们家中用的宽带一般都是没有外网IP的，这就要访问家中的服务和设备（如NAS、摄像头、数据库）时很不方便；我们今天就来介绍内网穿透，让我们能轻松访问家中的服务和设备。

基础介绍

参考：

• 官方：https://github.com/fatedier/frp
• 官方：概览 | frp (gofrp.org)
• 老版本的中文版手册

是什么？

frp是一个快速反向代理，允许您将位于NAT或防火墙后面的本地服务器暴露给Internet。它目前支持TCP和UDP，以及HTTP和HTTPS协议，使请求能够通过域名转发到内部服务。

为什么使用 frp？

通过在具有公网 IP 的节点上部署 frp 服务端，可以轻松地将内网服务穿透到公网，同时提供诸多专业的功能特性，这包括：

• 客户端服务端通信支持 TCP、KCP 以及 Websocket 等多种协议。
• 采用 TCP 连接流式复用，在单个连接间承载更多请求，节省连接建立时间。
• 代理组间的负载均衡。
• 端口复用，多个服务通过同一个服务端端口暴露。
• 多个原生支持的客户端插件（静态文件查看，HTTP、SOCK5 代理等），便于独立使用 frp 客户端完成某些工作。
• 高度扩展性的服务端插件系统，方便结合自身需求进行功能扩展。
• 服务端和客户端 UI 页面。

原理

看下官方的架构：frp 主要由 客户端(frpc) 和 服务端(frps) 组成，服务端通常部署在具有公网 IP 的机器上，客户端通常部署在需要穿透的内网服务所在的机器上。

通俗理解：frps 服务端有点像接线员【具备公网IP】的角色，frpc客户端就好比家里的座机【只有局域网IP，但可以主动访问互联网】，当我们在外部使用公共电话拨打时，先到接线员这里，要求转接到某某座机【就是端口】，接线员就从座机列表中【管理的客户端连接池】，找到对应的座机，转接过去，这样就完成了从外部互联网访问内部服务器的过程。

补充一点自己的认识：

1. 客户端主动向服务端发起请求（服务端是公网ip，是暴露的，肯定能访问到）；
2. 两者建立起长连接（一般tcp）
3. 从外网访问服务端，服务端再将请求转发到客户端

对应到本项目的架构如下：

使用示例

• 通过 SSH 访问内网机器
• 通过自定义域名访问内网的 Web 服务
• 转发 DNS 查询请求
• 转发 Unix 域套接字
• 对外提供简单的文件访问服务
• 为本地 HTTP 服务启用 HTTPS
• 安全地暴露内网服务
• 点对点内网穿透

关于配置文件说明

推荐使用 TOML, YAML, JSON 这3种格式，目前还支持 INI 格式，但未来是会被删除的。

Since v0.52.0, we support TOML, YAML, and JSON for configuration. Please note that INI is deprecated and will be removed in future releases. New features will only be available in TOML, YAML, or JSON. Users wanting these new features should switch their configuration format accordingly.

Read the full example configuration files to find out even more features not described here.

Examples use TOML format, but you can still use YAML or JSON.

frps_full_example.toml

shell 复制代码

# This configuration file is for reference only. Please do not use this configuration directly to run the program as it may have various issues.

# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "bindAddr" field, no need square brackets, like `bindAddr = "::"`.
bindAddr = "0.0.0.0"
bindPort = 7000

# udp port used for kcp protocol, it can be same with 'bindPort'.
# if not set, kcp is disabled in frps.
kcpBindPort = 7000

# udp port used for quic protocol.
# if not set, quic is disabled in frps.
# quicBindPort = 7002

# Specify which address proxy will listen for, default value is same with bindAddr
# proxyBindAddr = "127.0.0.1"

# quic protocol options
# transport.quic.keepalivePeriod = 10
# transport.quic.maxIdleTimeout = 30
# transport.quic.maxIncomingStreams = 100000

# Heartbeat configure, it's not recommended to modify the default value
# The default value of heartbeatTimeout is 90. Set negative value to disable it.
# transport.heartbeatTimeout = 90

# Pool count in each proxy will keep no more than maxPoolCount.
transport.maxPoolCount = 5

# If tcp stream multiplexing is used, default is true
# transport.tcpMux = true

# Specify keep alive interval for tcp mux.
# only valid if tcpMux is true.
# transport.tcpMuxKeepaliveInterval = 60

# tcpKeepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# transport.tcpKeepalive = 7200

# transport.tls.force specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls.force = false

# transport.tls.certFile = "server.crt"
# transport.tls.keyFile = "server.key"
# transport.tls.trustedCaFile = "ca.crt"

# If you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bindPort
vhostHTTPPort = 80
vhostHTTPSPort = 443

# Response header timeout(seconds) for vhost http server, default is 60s
# vhostHTTPTimeout = 60

# tcpmuxHTTPConnectPort specifies the port that the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmuxHTTPConnectPort = 1337

# If tcpmuxPassthrough is true, frps won't do any update on traffic.
# tcpmuxPassthrough = false

# Configure the web server to enable the dashboard for frps.
# dashboard is available only if webServer.port is set.
webServer.addr = "127.0.0.1"
webServer.port = 7500
webServer.user = "admin"
webServer.password = "admin"
# webServer.tls.certFile = "server.crt"
# webServer.tls.keyFile = "server.key"
# dashboard assets directory(only for debug mode)
# webServer.assetsDir = "./static"

# Enable golang pprof handlers in dashboard listener.
# Dashboard port must be set first
webServer.pprofEnable = false

# enablePrometheus will export prometheus metrics on webServer in /metrics api.
enablePrometheus = true

# console or real logFile path like ./frps.log
log.to = "./frps.log"
# trace, debug, info, warn, error
log.level = "info"
log.maxDays = 3
# disable log colors when log.to is console, default is false
log.disablePrintColor = false

# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailedErrorsToClient = true

# auth.method specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
auth.method = "token"

# auth.additionalScopes specifies additional scopes to include authentication information.
# Optional values are HeartBeats, NewWorkConns.
# auth.additionalScopes = ["HeartBeats", "NewWorkConns"]

# auth token
auth.token = "12345678"

# oidc issuer specifies the issuer to verify OIDC tokens with.
auth.oidc.issuer = ""
# oidc audience specifies the audience OIDC tokens should contain when validated.
auth.oidc.audience = ""
# oidc skipExpiryCheck specifies whether to skip checking if the OIDC token is expired.
auth.oidc.skipExpiryCheck = false
# oidc skipIssuerCheck specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
auth.oidc.skipIssuerCheck = false

# userConnTimeout specifies the maximum time to wait for a work connection.
# userConnTimeout = 10

# Only allow frpc to bind ports you list. By default, there won't be any limit.
allowPorts = [
  { start = 2000, end = 3000 },
  { single = 3001 },
  { single = 3003 },
  { start = 4000, end = 50000 }
]

# Max ports can be used for each client, default value is 0 means no limit
maxPortsPerClient = 0

# If subDomainHost is not empty, you can set subdomain when type is http or https in frpc's configure file
# When subdomain is est, the host used by routing is test.frps.com
subDomainHost = "frps.com"

# custom 404 page for HTTP requests
# custom404Page = "/path/to/404.html"

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udpPacketSize = 1500

# Retention time for NAT hole punching strategy data.
natholeAnalysisDataReserveHours = 168

# ssh tunnel gateway
# If you want to enable this feature, the bindPort parameter is required, while others are optional.
# By default, this feature is disabled. It will be enabled if bindPort is greater than 0.
# sshTunnelGateway.bindPort = 2200
# sshTunnelGateway.privateKeyFile = "/home/frp-user/.ssh/id_rsa"
# sshTunnelGateway.autoGenPrivateKeyPath = ""
# sshTunnelGateway.authorizedKeysFile = "/home/frp-user/.ssh/authorized_keys"

[[httpPlugins]]
name = "user-manager"
addr = "127.0.0.1:9000"
path = "/handler"
ops = ["Login"]

[[httpPlugins]]
name = "port-manager"
addr = "127.0.0.1:9001"
path = "/handler"
ops = ["NewProxy"]

frpc_full_example.toml

shell 复制代码

# This configuration file is for reference only. Please do not use this configuration directly to run the program as it may have various issues.

# your proxy name will be changed to {user}.{proxy}
user = "your_name"

# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single serverAddr field, no need square brackets, like serverAddr = "::".
serverAddr = "0.0.0.0"
serverPort = 7000

# STUN server to help penetrate NAT hole.
# natHoleStunServer = "stun.easyvoip.com:3478"

# Decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
loginFailExit = true

# console or real logFile path like ./frpc.log
log.to = "./frpc.log"
# trace, debug, info, warn, error
log.level = "info"
log.maxDays = 3
# disable log colors when log.to is console, default is false
log.disablePrintColor = false

auth.method = "token"
# auth.additionalScopes specifies additional scopes to include authentication information.
# Optional values are HeartBeats, NewWorkConns.
# auth.additionalScopes = ["HeartBeats", "NewWorkConns"]

# auth token
auth.token = "12345678"

# oidc.clientID specifies the client ID to use to get a token in OIDC authentication.
# auth.oidc.clientID = ""
# oidc.clientSecret specifies the client secret to use to get a token in OIDC authentication.
# auth.oidc.clientSecret = ""
# oidc.audience specifies the audience of the token in OIDC authentication.
# auth.oidc.audience = ""
# oidc.scope specifies the permissions of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
# auth.oidc.scope = ""
# oidc.tokenEndpointURL specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token.
# auth.oidc.tokenEndpointURL = ""

# oidc.additionalEndpointParams specifies additional parameters to be sent to the OIDC Token Endpoint.
# For example, if you want to specify the "audience" parameter, you can set as follow.
# frp will add "audience=<value>" "var1=<value>" to the additional parameters.
# auth.oidc.additionalEndpointParams.audience = "https://dev.auth.com/api/v2/"
# auth.oidc.additionalEndpointParams.var1 = "foobar"

# Set admin address for control frpc's action by http api such as reload
webServer.addr = "127.0.0.1"
webServer.port = 7400
webServer.user = "admin"
webServer.password = "admin"
# Admin assets directory. By default, these assets are bundled with frpc.
# webServer.assetsDir = "./static"

# Enable golang pprof handlers in admin listener.
webServer.pprofEnable = false

# The maximum amount of time a dial to server will wait for a connect to complete. Default value is 10 seconds.
# transport.dialServerTimeout = 10

# dialServerKeepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# transport.dialServerKeepalive = 7200

# connections will be established in advance, default value is zero
transport.poolCount = 5

# If tcp stream multiplexing is used, default is true, it must be same with frps
# transport.tcpMux = true

# Specify keep alive interval for tcp mux.
# only valid if tcpMux is enabled.
# transport.tcpMuxKeepaliveInterval = 60

# Communication protocol used to connect to server
# supports tcp, kcp, quic, websocket and wss now, default is tcp
transport.protocol = "tcp"

# set client binding ip when connect server, default is empty.
# only when protocol = tcp or websocket, the value will be used.
transport.connectServerLocalIP = "0.0.0.0"

# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set proxyURL here or in global environment variables
# it only works when protocol is tcp
# transport.proxyURL = "http://user:passwd@192.168.1.128:8080"
# transport.proxyURL = "socks5://user:passwd@192.168.1.128:1080"
# transport.proxyURL = "ntlm://user:passwd@192.168.1.128:2080"

# quic protocol options
# transport.quic.keepalivePeriod = 10
# transport.quic.maxIdleTimeout = 30
# transport.quic.maxIncomingStreams = 100000

# If tls.enable is true, frpc will connect frps by tls.
# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
transport.tls.enable = true

# transport.tls.certFile = "client.crt"
# transport.tls.keyFile = "client.key"
# transport.tls.trustedCaFile = "ca.crt"
# transport.tls.serverName = "example.com"

# If the disableCustomTLSFirstByte is set to false, frpc will establish a connection with frps using the
# first custom byte when tls is enabled.
# Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
# transport.tls.disableCustomTLSFirstByte = true

# Heartbeat configure, it's not recommended to modify the default value.
# The default value of heartbeatInterval is 10 and heartbeatTimeout is 90. Set negative value
# to disable it.
# transport.heartbeatInterval = 30
# transport.heartbeatTimeout = 90

# Specify a dns server, so frpc will use this instead of default one
# dnsServer = "8.8.8.8"

# Proxy names you want to start.
# Default is empty, means all proxies.
# start = ["ssh", "dns"]

# Specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udpPacketSize = 1500

# Additional metadatas for client.
metadatas.var1 = "abc"
metadatas.var2 = "123"

# Include other config files for proxies.
# includes = ["./confd/*.ini"]

[[proxies]]
# 'ssh' is the unique proxy name
# If global user is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
# Limit bandwidth for this proxy, unit is KB and MB
transport.bandwidthLimit = "1MB"
# Where to limit bandwidth, can be 'client' or 'server', default is 'client'
transport.bandwidthLimitMode = "client"
# If true, traffic of this proxy will be encrypted, default is false
transport.useEncryption = false
# If true, traffic will be compressed
transport.useCompression = false
# Remote port listen by frps
remotePort = 6001
# frps will load balancing connections for proxies in same group
loadBalancer.group = "test_group"
# group should have same group key
loadBalancer.groupKey = "123456"
# Enable health check for the backend service, it supports 'tcp' and 'http' now.
# frpc will connect local service's port to detect it's healthy status
healthCheck.type = "tcp"
# Health check connection timeout
healthCheck.timeoutSeconds = 3
# If continuous failed in 3 times, the proxy will be removed from frps
healthCheck.maxFailed = 3
# every 10 seconds will do a health check
healthCheck.intervalSeconds = 10
# additional meta info for each proxy
metadatas.var1 = "abc"
metadatas.var2 = "123"

[[proxies]]
name = "ssh_random"
type = "tcp"
localIP = "192.168.31.100"
localPort = 22
# If remotePort is 0, frps will assign a random port for you
remotePort = 0

[[proxies]]
name = "dns"
type = "udp"
localIP = "114.114.114.114"
localPort = 53
remotePort = 6002

# Resolve your domain names to [serverAddr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[[proxies]]
name = "web01"
type = "http"
localIP = "127.0.0.1"
localPort = 80
# http username and password are safety certification for http protocol
# if not set, you can access this customDomains without certification
httpUser = "admin"
httpPassword = "admin"
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://web01.frps.com
subdomain = "web01"
customDomains = ["web01.yourdomain.com"]
# locations is only available for http type
locations = ["/", "/pic"]
# route requests to this service if http basic auto user is abc
# routeByHTTPUser = abc
hostHeaderRewrite = "example.com"
requestHeaders.set.x-from-where = "frp"
healthCheck.type = "http"
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
healthCheck.path = "/status"
healthCheck.intervalSeconds = 10
healthCheck.maxFailed = 3
healthCheck.timeoutSeconds = 3

[[proxies]]
name = "web02"
type = "https"
localIP = "127.0.0.1"
localPort = 8000
subdomain = "web02"
customDomains = ["web02.yourdomain.com"]
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
transport.proxyProtocolVersion = "v2"

[[proxies]]
name = "tcpmuxhttpconnect"
type = "tcpmux"
multiplexer = "httpconnect"
localIP = "127.0.0.1"
localPort = 10701
customDomains = ["tunnel1"]
# routeByHTTPUser = "user1"

[[proxies]]
name = "plugin_unix_domain_socket"
type = "tcp"
remotePort = 6003
# if plugin is defined, localIP and localPort is useless
# plugin will handle connections got from frps
[proxies.plugin]
type = "unix_domain_socket"
unixPath = "/var/run/docker.sock"

[[proxies]]
name = "plugin_http_proxy"
type = "tcp"
remotePort = 6004
[proxies.plugin]
type = "http_proxy"
httpUser = "abc"
httpPassword = "abc"

[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 6005
[proxies.plugin]
type = "socks5"
username = "abc"
password = "abc"

[[proxies]]
name = "plugin_static_file"
type = "tcp"
remotePort = 6006
[proxies.plugin]
type = "static_file"
localPath = "/var/www/blog"
stripPrefix = "static"
httpUser = "abc"
httpPassword = "abc"

[[proxies]]
name = "plugin_https2http"
type = "https"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"

[[proxies]]
name = "plugin_https2https"
type = "https"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "https2https"
localAddr = "127.0.0.1:443"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"

[[proxies]]
name = "plugin_http2https"
type = "http"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "http2https"
localAddr = "127.0.0.1:443"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"

[[proxies]]
name = "secret_tcp"
# If the type is secret tcp, remotePort is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = "stcp"
# secretKey is used for authentication for visitors
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allowUsers = ["*"]

[[proxies]]
name = "p2p_tcp"
type = "xtcp"
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allowUsers = ["user1", "user2"]

# frpc role visitor -> frps -> frpc role server
[[visitors]]
name = "secret_tcp_visitor"
type = "stcp"
# the server name you want to visitor
serverName = "secret_tcp"
secretKey = "abcdefg"
# connect this address to visitor stcp server
bindAddr = "127.0.0.1"
# bindPort can be less than 0, it means don't bind to the port and only receive connections redirected from
# other visitors. (This is not supported for SUDP now)
bindPort = 9000

[[visitors]]
name = "p2p_tcp_visitor"
type = "xtcp"
# if the server user is not set, it defaults to the current user
serverUser = "user1"
serverName = "p2p_tcp"
secretKey = "abcdefg"
bindAddr = "127.0.0.1"
# bindPort can be less than 0, it means don't bind to the port and only receive connections redirected from
# other visitors. (This is not supported for SUDP now)
bindPort = 9001
# when automatic tunnel persistence is required, set it to true
keepTunnelOpen = false
# effective when keepTunnelOpen is set to true, the number of attempts to punch through per hour
maxRetriesAnHour = 8
minRetryInterval = 90
# fallbackTo = "stcp_visitor"
# fallbackTimeoutMs = 500

内网穿透实施

远程运维本地虚拟机

服务端配置

1. 从官网下载对应版本和操作系统的安装包（frp_0.52.3_linux_amd64.tar.gz）

2. 通过rz上传到云服务器中，使用tar命令解压即可

   # 转义控制符，从宿主机读取文件到服务中
   rz -e
   # 解压软件
   tar -xvf frp_0.52.3_linux_amd64.tar.gz

3. 使用vi frps.toml编辑frps的配置文件 frps.toml，进行配置：

   # frps的通信端口，提供给客户端找到并发起请求，建立长连接
   bindPort = 7070
   # 与frpc通信的认证方式和token值
   auth.method = "token"
   auth.token = "SQl_7233261"
   
   # 面板的端口、账号和密码
   webServer.addr = "0.0.0.0" #注意该参数，可以接受任意地址
   webServer.port = 7500
   webServer.user = "admin"
   webServer.password = "gogNmGxwEWOEJlOv"

   • 特别说明下 0.0.0.0和127.0.0.1的区别：

   0.0.0.0：
   在网络通信中，0.0.0.0是一个特殊的IP地址，被称为"通配符地址"或"任意地址"。
   当一个网络接口绑定到0.0.0.0时，它表示该网络接口将接受来自任何IP地址的所有数据包。
   在服务器配置中，将服务绑定到0.0.0.0意味着该服务将监听其所在计算机上的所有可用网络接口，以接受来自任何源IP地址的连接请求。
   
   127.0.0.1：
   127.0.0.1是一个保留的IPv4回环地址，通常称为"本地主机"或"回环地址"。
   当你的计算机尝试通过网络协议访问127.0.0.1时，数据包不会通过物理网络接口发送，而是在计算机本地内部传输。
   127.0.0.1通常用于本地主机上部署的服务之间进行通信，例如本地开发环境中的Web服务器与数据库之间的通信。
   
   总结：
   0.0.0.0表示接受来自任何源IP地址的数据包，适用于网络通信和服务器配置。
   127.0.0.1是本地主机地址，用于本地主机上的本地通信，适用于回环测试和本地开发环境。

4. 运行frp的服务端 :

   # 直接运行
   ./frps -c frps.toml 
   # 一般会使用 nohup命令，后台运行
   nohup ./frps -c frps.toml &

   

5. 验证下frps启动情况：

   netstat -nlp | grep frps

   

服务器的防火墙配置

见文章：虚拟机的初始准备及一般操作

服务端配置（docker-compose方式）

1. 安装docker、docker-compose（略）

2. 在适当文件夹建立 ‘./docker-compose/frps’ 文件夹

3. 准备frps.toml文件(根据版本，该文件格式可能不同)

   # frps的通信端口，提供给客户端找到并发起请求，建立长连接
   bindPort = 7070
   # 与frpc通信的认证方式和token值
   auth.method = "token"
   auth.token = "SQl_7233261"
   
   # 面板的端口、账号和密码
   webServer.addr = "0.0.0.0" #注意该参数，可以接受任意地址
   webServer.port = 7500
   webServer.user = "admin"
   webServer.password = "gogNmGxwEWOEJlOv"

4. 准备docker-compose.yml文件

   version: '3'
   
   services:
     frps:
       image: snowdreamtech/frps:0.60
       container_name: frps
       restart: always
       network_mode: host
       volumes:
       # 注意这里将刚才创建的frps.toml文件映射作为该应用的配置文件使用，要注意文件路径
         - ./frps.toml:/etc/frp/frps.toml  

   5. 输入命令安装并启动程序

      docker-compose up -d

   6. 查看程序是否启动成功，端口号是否正确使用

      docker ps -a
      #
      netstat -nlp | grep frps

   7. 配置防火墙

​ 见文章：虚拟机准备及一般操作

客户端配置

1. 和服务端类似，上传并解压软件

   # 转义控制符，从宿主机读取文件到服务中
   rz -e
   # 解压软件
   tar -xvf frp_0.52.3_linux_amd64.tar.gz

2. 编辑客户端frpc的配置文件 frpc.toml：

   user = "fc"
   # frps的地址和通信端口
   serverAddr = "139.155.229.99"
   serverPort = 7070
   # 与frps通信的认证方式和token值
   auth.method = "token"
   auth.token = "SQl_7233261"
   
   [[proxies]]
   name = "ssh_local"
   type = "tcp"
   # 服务的实际ip（比如我们在虚拟机配置了某个服务，就可以将ip和端口修改）
   localIP = "127.0.0.1"
   # 服务的实际端口
   localPort = 80
   # If remotePort is 0, frps will assign a random port for you
   # 这个接口的意思是 我们希望外部可以通过这个接口访问这个服务（即访问 “http://服务端ip:6060”）
   remotePort = 6060

3. 启动客户端配置：

   # 直接运行
   ./frpc -c frpc.toml
   # 一般会使用 nohup命令，后台运行：
   nohup ./frpc -c frpc.toml &

客户端配置（Windows系统Frpc-Desktop方式）

1. 下载并安装Frpc-Desktop

2. 进入’系统配置‘界面，选择frp版本（没有就下载，要下载与服务端frps一致的版本），服务器地址、服务器端口（bindPort）、验证方式按照frps.toml中的对应项配置

   

3. 进入’穿透列表‘界面，点击’新增代理‘，’代理类型‘选择开放防火墙时开放的接口类型（一般是tcp），代理名称自己配置，内网地址和接口即服务实际运行的ip和接口（例如’127.0.0.1‘，’80‘），外网接口是从公网通过该接口访问服务（http://服务端ip:remotePort）

   

4. 进入’连接‘页面，点击’启动‘即可，点击’查看日志‘，可以查看是否代理成功

• 注意：需要去服务端所在的服务器开放配置的外网端口（操作命令见虚拟机的初始准备及一般操作），云服务器还需要去控制台开放端口

systemd 管理 frp 实践

1. 如Linux服务端上没有安装 systemd，可以使用 yum 或 apt 等命令安装 systemd

   # yum
   yum install systemd
   # apt
   apt install systemd

2. 使用文本编辑器，如 vim 创建并编辑 frps.service 文件

   vi /etc/systemd/system/frps.service

3. 写入内容：

   [Unit]
   # 服务名称，可自定义
   Description = frp server
   After = network.target syslog.target
   Wants = network.target
   [Service]
   Type = simple
   # 启动frps的命令，需修改为您的frps的安装路径
   ExecStart = /opt/software/frp/frps -c /opt/software/frp/frps.toml
   [Install]
   WantedBy = multi-user.target

4. 使用 systemd 命令，管理 frps。

   # 启动frp
   systemctl start frps
   # 停止frp
   systemctl stop frps
   # 重启frp
   systemctl restart frps
   # 查看frp状态
   systemctl status frps
   # 配置 frps 开机自启
   systemctl enable frps
   # 禁止开机启动
   systemctl disable frps

5. 配置 frpc的开启启动也类似，服务名改为/etc/systemd/system/frpc.service，启动命令修改为 frpc的即可

   [Unit]
   # 服务名称，可自定义
   Description = frp client
   After = network.target syslog.target
   Wants = network.target
   [Service]
   Type = simple
   # 启动frpc的命令，需修改为您的frpc的安装路径
   ExecStart = /opt/software/frp/frpc -c /opt/software/frp/frpc.toml
   [Install]
   WantedBy = multi-user.target