[GH-ISSUE #2009] TLS when TLS is terminated before reaching server #1596

Closed
opened 2026-05-05 13:01:02 -06:00 by gitea-mirror · 8 comments

Originally created by @levavakian on GitHub (Sep 24, 2020).
Original GitHub issue: https://github.com/fatedier/frp/issues/2009

I might be trying to do something not supported, so feel free to close issue. I am trying to run the frp server in an aws ec2 instance with a network balancer handling the TLS termination and then forward to the frp server. If I set `tls_enable` on the frp client I get `[W] [service.go:102] login to server failed hello: connection write timeout` and if I don't set it I get `[W] [service.go:102] login to server failed hello: i/o deadline reached`

What version of frp are you using (./frpc -v or ./frps -v)?
0.34.0

What operating system and processor architecture are you using (go env)?
linux/amd64

Configuration you used:

frpc.ini
```ini
[common]
server_addr = xxx
server_port = 443
tls_enable = {true|false}

[web]
type = http
local_port = 8443
custom_domains = xxx
```

```sh
./frps --bind_port 443 --vhost_http_port 443
```

Steps to reproduce the issue:

  1. Run frp server in ec2 with a network balancer handling tls termination
  2. Run frp client with settings to connect to that frp server

Describe the results you received:
Connections through the tls terminated url do not succeed, but if I remove the tls termination everything works fine.

Describe the results you expected:
TLS to be terminated at the network balancer and for the client and server to connect as if no tls was in place.


@limaofu commented on GitHub (Sep 25, 2020):

AWS Load Balancing → Load Balancers → choose target load balancer → Listeners → add listener and configure SSL cert


@levavakian commented on GitHub (Sep 25, 2020):

@limaofu the aws load balancer already has an ssl cert, and I can visit the frps web page fine on the ssl secured page, it is the frp client that fails, presumably because the ssl is terminated at the load balancer and continues on as a non-ssl connection to the server.


@limaofu commented on GitHub (Sep 25, 2020):

I see, because the requested data was not HTTP protocol, so AWS filtered it. frpc only uses TLS.


@limaofu commented on GitHub (Sep 25, 2020):

You may change the HTTPS:443 listener to the N/A security policy,
and just pass through port 443.


@levavakian commented on GitHub (Sep 25, 2020):

The network balancer is set to be a tcp port. Here is the configuration for it in Terraform:

```hcl
# Target group: plain TCP to the frps instance on the private network
resource "aws_lb_target_group" "target2" {
  name     = "httpstarget"
  port     = var.server_port_https
  protocol = "TCP"
  vpc_id   = aws_vpc.default.id
  target_type = "ip"
  stickiness {
    enabled = false
    type = "lb_cookie"
  }
}

resource "aws_lb_target_group_attachment" "attachment2" {
  target_group_arn = aws_lb_target_group.target2.arn
  target_id        = aws_instance.web.private_ip
  port             = var.server_port_https
}

# Public listener: TLS is terminated here with the ACM certificate,
# then forwarded as plain TCP to the target group above
resource "aws_lb_listener" "listener2" {
  load_balancer_arn = aws_lb.web.arn
  port           = var.public_port_https
  protocol       = "TLS"
  certificate_arn = aws_acm_certificate_validation.cert.certificate_arn

  default_action {
    target_group_arn = aws_lb_target_group.target2.id
    type = "forward"
  }
}
```

The TCP only (non-TLS) alternative to this works great, so it is just the TLS termination that is causing issues as far as I can tell.


@levavakian commented on GitHub (Sep 25, 2020):

It looked like it was getting hung up on the yamux session open, so I tried setting `tcp_mux = false` on both server and client and now I get this error: `login to server failed: EOF`

It looks like it might be related to this issue https://github.com/fatedier/frp/issues/810 but I can't read the comments unfortunately.


@fatedier commented on GitHub (Sep 26, 2020):

@levavakian You can't do that now since frp uses a wrapped TLS connection with a custom first byte. AWS won't detect it.

You can only use a layer 4 load balancer.

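As an added illustration of the point above (example code written for this thread, not code from frp or from the issue): a server-side first-byte dispatcher like the one frp's server does, fed three constructed client prefixes through an in-memory pipe. A TLS-terminating listener expects the very first byte to be a TLS handshake record, so a stream that leads with a custom marker byte is never recognized as TLS by it. The marker value 0x17 and the function names are assumptions made for this example; the issue only says frp uses a "custom first byte".

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
)

// Stream kinds a first-byte dispatcher can tell apart.
const (
	KindPlain  = "plain"
	KindFRPTLS = "frp-wrapped TLS"
	KindRawTLS = "raw TLS ClientHello"
)

// frpTLSHeadByte is the marker the frp client sends ahead of its TLS
// handshake. The value 0x17 is an assumption for this example.
const frpTLSHeadByte = 0x17

// tlsHandshakeRecord is the record type a standards-conforming TLS
// endpoint (such as an NLB TLS listener) expects as the first byte.
const tlsHandshakeRecord = 0x16

// Classify decides what a connection carries from its first byte,
// peeking without consuming so the real handler can still read it.
func Classify(r *bufio.Reader) (string, error) {
	b, err := r.Peek(1)
	if err != nil {
		return "", err
	}
	switch b[0] {
	case frpTLSHeadByte:
		return KindFRPTLS, nil
	case tlsHandshakeRecord:
		return KindRawTLS, nil
	default:
		return KindPlain, nil
	}
}

// Sniff writes a constructed client prefix into an in-memory connection
// and reports how the receiving side classifies it.
func Sniff(prefix []byte) (string, error) {
	client, server := net.Pipe()
	go func() { client.Write(prefix); client.Close() }()
	kind, err := Classify(bufio.NewReader(server))
	io.Copy(io.Discard, server) // drain so the pipe closes cleanly
	return kind, err
}

func main() {
	// Constructed prefixes: marker+handshake, bare handshake, plaintext.
	for _, p := range [][]byte{{0x17, 0x16, 0x03, 0x01}, {0x16, 0x03, 0x01}, []byte("frp login")} {
		kind, _ := Sniff(p)
		fmt.Printf("% x -> %s\n", p, kind)
	}
}
```

The second prefix is the only one a TLS-terminating listener accepts; the first is what a marker-wrapped client emits, which is why termination in front of frps cannot work and a pass-through TCP listener is needed.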

@levavakian commented on GitHub (Sep 26, 2020):

@fatedier thank you for letting me know. I will try letting frp handle the ssl termination instead.
