This is the 8th day of my participation in Gwen Challenge.

This article introduces FRP, a useful intranet penetration tool, and some specific usage scenarios.

What is FRP

FRP is a high-performance reverse proxy application that focuses on intranet penetration and supports various protocols such as TCP, UDP, HTTP, and HTTPS. It exposes intranet services to the public network in a secure and convenient way by relaying traffic through a node that has a public IP address.

Why use FRP

Deploying the FRP server on a node with a public IP address makes it easy to connect intranet services to the public network. FRP also provides many professional functions and features, including:

  • Client-server communication supports TCP, KCP, WebSocket and other protocols.
  • TCP connection multiplexing carries multiple requests over a single connection, saving connection establishment time.
  • Load balancing between proxy groups.
  • Port reuse: multiple services are exposed through the same server port.
  • Multiple natively supported client plug-ins (static file viewing, HTTP, SOCKS5 proxy, etc.) let the FRP client handle some tasks on its own.
  • A highly extensible server-side plug-in system that is easy to adapt to your own needs.
  • Server and client UI pages.

Installation

It can be downloaded from the GitHub Releases page:

curl -LO https://github.com/fatedier/frp/releases/download/v0.37.0/frp_0.37.0_linux_amd64.tar.gz
tar zxf frp_0.37.0_linux_amd64.tar.gz

The archive contains the client and server executables and their corresponding configuration files:

> tree -L 1 frp_0.37.0_linux_amd64
frp_0.37.0_linux_amd64
├── frpc              # Client application
├── frpc_full.ini     # Detailed configuration file for the client program
├── frpc.ini          # Simple configuration file for the client program
├── frps              # Server application
├── frps_full.ini     # Detailed configuration file for the server program
├── frps.ini          # Simple configuration file for the server program
├── LICENSE
└── systemd
    ├── frpc.service   # Client systemd service configuration file
    ├── frpc@.service  # Client systemd template file
    ├── frps.service   # Server systemd service configuration file
    └── frps@.service  # Server systemd template file

Usage

First of all, this tool requires a server on the public network. Write the configuration file by referring to the detailed configuration file shipped in the archive; the configurations for several common scenarios are described later.

Start the server first:

./frps -c ./frps.ini

Then start the client:

./frpc -c ./frpc.ini

Tip: If you need to run it in the background for a long time, you can run it under systemd or Supervisor.

Usage scenarios

Unified server configuration

[common]
bind_port = 9999

authentication_method = token
token = yourtokenhere

vhost_http_port = 10001
vhost_https_port = 10002

Configuration description:

  • bind_port is the port number that clients connect to.
  • For security, token authentication is added to the server, and the client is required to use the token configured on the server to connect.
  • vhost_http_port and vhost_https_port are required for custom domain name access.

The following are client configurations in some scenarios based on this server configuration.

SSH to an intranet server

[common]
server_addr = x.x.x.x
server_port = 9999

token = yourtokenhere

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6666

Configuration description:

  • server_addr is the public IP address of the machine where the FRP server runs.
  • remote_port sets the port number to be bound on the public network server.

Now we can SSH to the intranet server:

ssh -p 6666 <user>@x.x.x.x

Expose an intranet HTTP service

TCP type

vhost_http_port and vhost_https_port do not need to be set on the server:

[common]
server_addr = x.x.x.x
server_port = 9999

token = yourtokenhere

[web]
type = tcp
local_ip = 127.0.0.1
local_port = 3333
remote_port = 6666

Visit: http://x.x.x.x:6666

HTTP type

This requires setting vhost_http_port = 6666 on the server, which is the same as remote_port configured on the client.

[common]
server_addr = x.x.x.x
server_port = 9999

token = yourtokenhere

[web]
type = http
local_ip = 127.0.0.1
local_port = 3333
remote_port = 6666
custom_domains = x.x.x.x

Also visit: http://x.x.x.x:6666

Static file download service

Before using FRP, a static file server built with Nginx was only suitable for a server on the public network; for a machine on an internal network, use FRP instead. Here is the client configuration for setting up a static file download service with FRP:

[common]
server_addr = x.x.x.x
server_port = 9999

token = yourtokenhere

[file-server]
type = tcp
remote_port = 6666
plugin = static_file
plugin_local_path = /home/k8scat/files
plugin_strip_prefix = download
plugin_http_user = k8scat
plugin_http_passwd = yourpasswd

Configuration description:

  • plugin_local_path specifies the path where the local files are stored.
  • plugin_strip_prefix specifies the URL prefix for downloads. For example, to download the file /home/k8scat/files/a.tgz, the URL would be http://x.x.x.x:6666/download/a.tgz.
  • plugin_http_user and plugin_http_passwd: for security, you can set up HTTP authentication for downloads.
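
The token and HTTP authentication settings above only help if the sample values are replaced before deployment. The following is an added example, not part of the original article or the FRP project: a small pre-deployment check for an frps.ini or frpc.ini that uses only the keys shown in this article. The function name audit_frp, the finding texts and the sample config are assumptions made for illustration.

```python
import configparser

# Sample secrets printed in this article; a live config must not keep them.
PLACEHOLDERS = {"", "yourtokenhere", "yourpasswd"}

def audit_frp(ini_text):
    """Return (section, finding) pairs for an frps.ini or frpc.ini body."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings, ports = [], {}
    if cfg.get("common", "token", fallback="") in PLACEHOLDERS:
        findings.append(("common", "token missing or left at sample value"))
    for name in cfg.sections():
        sec = cfg[name]
        if name == "common" or sec.get("type") != "tcp":
            continue
        port = sec.get("remote_port")
        if port and port in ports:  # one listener per public port on the server
            findings.append((name, f"remote_port {port} already used by [{ports[port]}]"))
        ports.setdefault(port, name)
        if sec.get("local_port") == "22":
            findings.append((name, "SSH exposed publicly: require key-only login"))
        if sec.get("plugin") == "static_file" and (
                not sec.get("plugin_http_user")
                or sec.get("plugin_http_passwd", "") in PLACEHOLDERS):
            findings.append((name, "static_file lacks real HTTP credentials"))
    return findings

# Constructed frpc.ini that merges two scenarios from this article unchanged.
SAMPLE = """
[common]
token = yourtokenhere
[ssh]
type = tcp
local_port = 22
remote_port = 6666
[file-server]
type = tcp
remote_port = 6666
plugin = static_file
plugin_local_path = /home/k8scat/files
plugin_http_user = k8scat
plugin_http_passwd = yourpasswd
"""

if __name__ == "__main__":
    print(*audit_frp(SAMPLE), sep="\n")
```

Every scenario in this article reuses remote_port 6666, so the duplicate-port finding appears as soon as two of them are placed in the same frpc.ini.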