[GH-ISSUE #3214] [Question] how to expose a local HTTP server with frp and nginx as HTTPS? #2579

Closed
opened 2026-05-05 13:39:34 -06:00 by gitea-mirror · 4 comments

Originally created by @shabakett on GitHub (Dec 17, 2022).
Original GitHub issue: https://github.com/fatedier/frp/issues/3214

how to expose a local HTTP server with frp and nginx as HTTPS?

frps.ini

```
[common]
bind_port = 7000
vhost_https_port = 7001
subdomain_host = example.com
```

frpc.ini

```
[common]
server_addr = example.com
server_port = 7000
user = client1

[https]
type = https
local_port = 8080
subdomain = client1
```

nginx

```
server {
	listen 443 ssl;
	server_name *.example.com;

	client_max_body_size 100M;

	proxy_max_temp_file_size 0;
	proxy_read_timeout 3600;
	proxy_send_timeout 3600;

	proxy_set_header HOST $host;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	location / {
		proxy_pass http://127.0.0.1:7001/;
	}
}
```

`https://client1.example.com/` returns `502 Bad Gateway`


@Becods commented on GitHub (Dec 18, 2022):

`local_port = 8080`
`listen 443 ssl;`

Check your configuration.


@shabakett commented on GitHub (Dec 18, 2022):

working options:

option1: [http service]----[frpc]----(vhost_http_port)----[frps]----(proxy_pass http://127.0.0.1:vhost_http_port/ )----[nginx https]---(https://host/ )----[remote client]

option2: [https service]---[frpc]----(vhost_https_port)---[frps]----(https://host:vhost_https_port/ )----------------------------------------------------[remote client]


@MelBourbon commented on GitHub (Feb 10, 2023):

Hi @shabakett, I am currently facing the same issue. I want to enable the server to serve http as well as https services via nginx.

For `[https service] <-> [frpc] <-> [frps] <-> [nginx:433] <-> https://my.domain.com` it is working with the configuration (`/etc/frp/https.ini`) below.

But I receive `502 Bad Gateway` if I want to serve `[http service] <-> [frpc] <-> [frps] <-> [nginx:433] <-> https://my.domain.com` with this configuration (`/etc/frp/http.ini`). Can you share your final configuration?

Option 1 will not work for me as then I'm only able to serve http services on my local client.

`/etc/frp/frps.ini`:

```
[common]
bind_addr = 0.0.0.0
bind_port = 7000
proxy_bind_addr = 0.0.0.0
vhost_http_port = 7080
vhost_https_port = 7443
token = <my-token>
```

`/etc/nginx/conf.d/tunnel.conf`:

```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain.com;

    ssl_certificate /etc/letsencrypt/my.domain.com/rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/my.domain.com/rsa/key.pem;
    ssl_certificate /etc/letsencrypt/my.domain.com/ecc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/my.domain.com/ecc/key.pem;

    ssl_trusted_certificate /etc/letsencrypt/my.domain.com/ecc/ca.pem;

    # Include SSL configuration
    include /etc/nginx/snippets/ssl.conf;

    # Include headers
    include /etc/nginx/snippets/headers.conf;

    # Important: Disable error and access log, so that no IPs get logged
    access_log  off;
    error_log off;

    location / {
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_ssl_verify off;
        proxy_pass https://127.0.0.1:7443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header cookie $http_cookie;
        proxy_set_header Proxy-Connection "";
        proxy_http_version 1.1;
        }
}
```

`/etc/nginx/conf.d/http.conf`:

```
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name my.domain.com;

    root /var/www;

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }

    location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:7080/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        }
}
```

`/etc/frp/https.ini`:

```
# frp client config frpc.ini
[common]
server_addr = my.domain.com
server_port = 7000
log_file = /var/log/frp/frpc.log
token = <my-token>

[https]
type = https
local_port = 8182
custom_domains = my.domain.com
```

`/etc/frp/http.ini`:

```
# frp client config frpc.ini
[common]
server_addr = my.domain.com
server_port = 7000
log_file = /var/log/frp/frpc.log
token = <my-token>
[http]
type = https
local_port = 80
custom_domains = my.domain.com
```

@wangwanjie commented on GitHub (May 22, 2023):

> Hi @shabakett, I am currently facing the same issue. I want to enable the server to serve http as well as https services via nginx.
>
> For `[https service] <-> [frpc] <-> [frps] <-> [nginx:433] <-> https://my.domain.com` it is working with the configuration (`/etc/frp/https.ini`) below.
>
> But I receive `502 Bad Gateway` if I want to serve `[http service] <-> [frpc] <-> [frps] <-> [nginx:433] <-> https://my.domain.com` with this configuration (`/etc/frp/http.ini`). Can you share your final configuration?
>
> Option 1 will not work for me as then I'm only able to serve http services on my local client.
>
> `/etc/frp/frps.ini`:
>
> ```
> [common]
> bind_addr = 0.0.0.0
> bind_port = 7000
> proxy_bind_addr = 0.0.0.0
> vhost_http_port = 7080
> vhost_https_port = 7443
> token = <my-token>
> ```
>
> `/etc/nginx/conf.d/tunnel.conf`:
>
> ```
> server {
>     listen 443 ssl http2;
>     listen [::]:443 ssl http2;
>     server_name my.domain.com;
>
>     ssl_certificate /etc/letsencrypt/my.domain.com/rsa/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/my.domain.com/rsa/key.pem;
>     ssl_certificate /etc/letsencrypt/my.domain.com/ecc/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/my.domain.com/ecc/key.pem;
>
>     ssl_trusted_certificate /etc/letsencrypt/my.domain.com/ecc/ca.pem;
>
>     # Include SSL configuration
>     include /etc/nginx/snippets/ssl.conf;
>
>     # Include headers
>     include /etc/nginx/snippets/headers.conf;
>
>     # Important: Disable error and access log, so that no IPs get logged
>     access_log  off;
>     error_log off;
>
>     location / {
>         proxy_ssl_server_name on;
>         proxy_ssl_name $host;
>         proxy_ssl_verify off;
>         proxy_pass https://127.0.0.1:7443;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Host $http_host;
>         proxy_set_header cookie $http_cookie;
>         proxy_set_header Proxy-Connection "";
>         proxy_http_version 1.1;
>         }
> }
> ```
>
> `/etc/nginx/conf.d/http.conf`:
>
> ```
> server {
>     listen 80 default_server;
>     listen [::]:80 default_server;
>     server_name my.domain.com;
>
>     root /var/www;
>
>     location ^~ /.well-known/acme-challenge {
>         default_type text/plain;
>         root /var/www/letsencrypt;
>     }
>
>     location / {
>         proxy_redirect off;
>         proxy_pass http://127.0.0.1:7080/;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_set_header Host $host;
>         }
> }
> ```
>
> `/etc/frp/https.ini`:
>
> ```
> # frp client config frpc.ini
> [common]
> server_addr = my.domain.com
> server_port = 7000
> log_file = /var/log/frp/frpc.log
> token = <my-token>
>
> [https]
> type = https
> local_port = 8182
> custom_domains = my.domain.com
> ```
>
> `/etc/frp/http.ini`:
>
> ```
> # frp client config frpc.ini
> [common]
> server_addr = my.domain.com
> server_port = 7000
> log_file = /var/log/frp/frpc.log
> token = <my-token>
> [http]
> type = https
> local_port = 80
> custom_domains = my.domain.com
> ```

thanks, you saved me
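
A consistency check for the two 502 cases in this thread, as an added example that is not part of the original issue or of the frp project: it compares the scheme spoken at each hop (nginx `proxy_pass`, the frps vhost port, the frpc proxy `type`, the local service) and reports where they disagree. The names `check_chain` and `local_scheme`, the `[web]` section name and the embedded sample configs (constructed from the snippets posted above) are assumptions, as is the premise that `type = https` hands the TLS stream to `local_port` unchanged.

```python
import configparser
import re

def _ini(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def check_chain(frps_ini, frpc_ini, nginx_conf, local_scheme):
    """List scheme mismatches on the path nginx -> frps -> frpc -> local service."""
    frps, frpc = _ini(frps_ini)["common"], _ini(frpc_ini)
    # frps vhost listener port -> protocol that listener expects from its peer
    listeners = {frps.getint(f"vhost_{s}_port"): s
                 for s in ("http", "https") if f"vhost_{s}_port" in frps}
    findings = []
    # Hop 1: the nginx proxy_pass scheme must match the frps listener it targets.
    for scheme, port in re.findall(r"proxy_pass\s+(https?)://127\.0\.0\.1:(\d+)", nginx_conf):
        expected = listeners.get(int(port))
        if expected is None:
            findings.append(f"nginx targets port {port}, which is not an frps vhost port")
        elif expected != scheme:
            findings.append(f"nginx sends {scheme} to port {port}, frps expects {expected}")
    # Hop 2: the frpc proxy type must match what the local service speaks
    # (assumption: type = https passes the TLS stream to local_port unchanged).
    for name in frpc.sections():
        ptype = frpc[name].get("type")
        if ptype in ("http", "https") and ptype != local_scheme:
            findings.append(f"[{name}] type = {ptype}, local service speaks {local_scheme}")
    return findings

# Constructed samples, reduced from the configs posted in the opening question.
FRPS_OP = "[common]\nbind_port = 7000\nvhost_https_port = 7001\n"
FRPC_OP = "[common]\nserver_port = 7000\n[https]\ntype = https\nlocal_port = 8080\n"
NGINX_OP = "location / { proxy_pass http://127.0.0.1:7001/; }"

# Option 1 from the thread: plain HTTP on every hop behind nginx's TLS listener.
# That hop is unencrypted, so the vhost port should only be reachable from nginx.
FRPS_FIXED = "[common]\nbind_port = 7000\nvhost_http_port = 7080\n"
FRPC_FIXED = "[common]\nserver_port = 7000\n[web]\ntype = http\nlocal_port = 8080\n"
NGINX_FIXED = "location / { proxy_pass http://127.0.0.1:7080/; }"

if __name__ == "__main__":
    for finding in check_chain(FRPS_OP, FRPC_OP, NGINX_OP, "http"):
        print("MISMATCH:", finding)
    print("fixed:", check_chain(FRPS_FIXED, FRPC_FIXED, NGINX_FIXED, "http"))
```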

Reference: github-starred/frp#2579