github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #4530] 咨询一些安全实践的问题 #3578

New issue
Closed
opened 2026-05-05 14:17:56 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 14:17:56 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Nov 10, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4530

Describe the feature request

我是在公网服务器配置了nginx反向代理到frps的remote port端口,用户与公网服务器之间由nginx的https负责加密,后来我🙏公网服务器与我内网服务器之间通讯岂不是未加密的?于是我在frpc配置服务的时候开启了https类型的代理,并在frpc开了一个vhosthttpsport,然后将指定端口反代到vhosthttpsport上,查看链接已经建立,但是死活路由不到正确的地方,请问是什么原因呢?
如果我直接访问subdomain:remote port可以正确的访问,但是再经过一层nginx的反代就无法正确访问了。
后来看到frp自带frpc与frps的加密,想问这种是比较安全的吗,下面的这种架构:
image

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @ghost on GitHub (Nov 10, 2024). Original GitHub issue: https://github.com/fatedier/frp/issues/4530 ### Describe the feature request 我是在公网服务器配置了nginx反向代理到frps的remote port端口,用户与公网服务器之间由nginx的https负责加密,后来我🙏公网服务器与我内网服务器之间通讯岂不是未加密的?于是我在frpc配置服务的时候开启了https类型的代理,并在frpc开了一个vhosthttpsport,然后将指定端口反代到vhosthttpsport上,查看链接已经建立,但是死活路由不到正确的地方,请问是什么原因呢? 如果我直接访问subdomain:remote port可以正确的访问,但是再经过一层nginx的反代就无法正确访问了。 后来看到frp自带frpc与frps的加密,想问这种是比较安全的吗,下面的这种架构: ![image](https://github.com/user-attachments/assets/7cf45996-d81d-4c52-ac04-99887979a3d9) ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror commented 2026-05-05 14:17:59 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Nov 11, 2024):

frpc 和 frps 之间的通信默认是 TLS 加密的,你的场景中不需要使用 https,保持原来的配置即可。

<!-- gh-comment-id:2467155131 --> @fatedier commented on GitHub (Nov 11, 2024): frpc 和 frps 之间的通信默认是 TLS 加密的,你的场景中不需要使用 https,保持原来的配置即可。
gitea-mirror commented 2026-05-05 14:18:00 -06:00
Author
Owner
Copy link

@Matthew-Harris-36 commented on GitHub (Dec 16, 2024):

@fatedier 哪怕一点都没做安全相关的设置,frps 和 frpc 之间的数据传输也是加密的吗?很抱歉我需要多问一嘴,因为我在 snowdream 的群组里、另一个VPS群组询问,他们都讲不会加密。
image
image

<!-- gh-comment-id:2544731315 --> @Matthew-Harris-36 commented on GitHub (Dec 16, 2024): @fatedier 哪怕一点都没做安全相关的设置,frps 和 frpc 之间的数据传输也是加密的吗?很抱歉我需要多问一嘴,因为我在 snowdream 的群组里、另一个VPS群组询问,他们都讲不会加密。 ![image](https://github.com/user-attachments/assets/6e874ee1-df1e-4411-b6ec-b49b99b17a53) ![image](https://github.com/user-attachments/assets/57eb3c37-0661-4853-8e91-87ca85f895e6)
gitea-mirror commented 2026-05-05 14:18:01 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 16, 2024):

@fatedier 哪怕一点都没做安全相关的设置,frps 和 frpc 之间的数据传输也是加密的吗?很抱歉我需要多问一嘴,因为我在 snowdream 的群组里、另一个VPS群组询问,他们都讲不会加密。 image image

用户侧向公网服务器发起请求由nginx配置的tls负责加密,对外只暴露nginx监听443端口,由nginx路由到frps,frps根据host字段与frpc通讯,过程中使用frp的内置加密算法aes-128-cfb,需要在配置中打开transport.useEncryption = true,打开这个frps与frpc就是加密的了,详情可查看官网:通信安全及优化

<!-- gh-comment-id:2544739085 --> @ghost commented on GitHub (Dec 16, 2024): > @fatedier 哪怕一点都没做安全相关的设置,frps 和 frpc 之间的数据传输也是加密的吗?很抱歉我需要多问一嘴,因为我在 snowdream 的群组里、另一个VPS群组询问,他们都讲不会加密。 ![image](https://private-user-images.githubusercontent.com/62049321/395987278-6e874ee1-df1e-4411-b6ec-b49b99b17a53.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzMzE5MTEsIm5iZiI6MTczNDMzMTYxMSwicGF0aCI6Ii82MjA0OTMyMS8zOTU5ODcyNzgtNmU4NzRlZTEtZGYxZS00NDExLWI2ZWMtYjQ5Yjk5YjE3YTUzLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA2NDY1MVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWRkMjI4ODNlMDJjMTZlZjFiMDRkZWQyNWUwYjBiMjQzM2RkMzM4OTc4ODI5MjVlMTlkODRlZTA1Nzg5N2MzY2UmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.xOfceJ40KWQJVJFA9Zqa43E5_HHoeeDnBT_rY6UicUE) ![image](https://private-user-images.githubusercontent.com/62049321/395987334-57eb3c37-0661-4853-8e91-87ca85f895e6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzMzE5MTEsIm5iZiI6MTczNDMzMTYxMSwicGF0aCI6Ii82MjA0OTMyMS8zOTU5ODczMzQtNTdlYjNjMzctMDY2MS00ODUzLThlOTEtODdjYTg1Zjg5NWU2LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA2NDY1MVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTY4NDFlMmIxYmY2NmQxNzQ3ZTU1MzlhZDExNDdiNGRkODAxYTE5M2ZhY2IxZGRlNjAyZjQxOGIyYTRjZjNmNDImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.xjyP1bBU1gaIgAkt_Vow6kViIBLitZ8pikDIw-K5Khk) 用户侧向公网服务器发起请求由nginx配置的tls负责加密,对外只暴露nginx监听443端口,由nginx路由到frps,frps根据host字段与frpc通讯,过程中使用frp的内置加密算法aes-128-cfb,需要在配置中打开transport.useEncryption = true,打开这个frps与frpc就是加密的了,详情可查看官网:[通信安全及优化](https://gofrp.org/zh-cn/docs/features/common/network/network/)。
gitea-mirror commented 2026-05-05 14:18:02 -06:00
Author
Owner
Copy link

@Matthew-Harris-36 commented on GitHub (Dec 16, 2024):

@MasterKe2003 你好,我添加了这行配置,可是 frps 面板里显示的还是未加密、未压缩。

image
image

<!-- gh-comment-id:2544767374 --> @Matthew-Harris-36 commented on GitHub (Dec 16, 2024): @MasterKe2003 你好,我添加了这行配置,可是 frps 面板里显示的还是未加密、未压缩。 ![image](https://github.com/user-attachments/assets/dad70522-e76a-47fe-a6af-d1a174d977a7) ![image](https://github.com/user-attachments/assets/fa974bc4-d3a3-4243-a80d-26e8414b20b2)
gitea-mirror commented 2026-05-05 14:18:02 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 16, 2024):

@MasterKe2003 你好,我添加了这行配置,可是 frps 面板里显示的还是未加密、未压缩。

image image

模式改成http试试

<!-- gh-comment-id:2544783229 --> @ghost commented on GitHub (Dec 16, 2024): > @MasterKe2003 你好,我添加了这行配置,可是 frps 面板里显示的还是未加密、未压缩。 > > ![image](https://private-user-images.githubusercontent.com/62049321/395993678-dad70522-e76a-47fe-a6af-d1a174d977a7.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzMzM1NzUsIm5iZiI6MTczNDMzMzI3NSwicGF0aCI6Ii82MjA0OTMyMS8zOTU5OTM2NzgtZGFkNzA1MjItZTc2YS00N2ZlLWE2YWYtZDFhMTc0ZDk3N2E3LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA3MTQzNVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTYzOWFlOTJjODRlYWE2NDlkOGE5YWRhZTNiYjU1NWNmM2M2YTIwMzk4MjYyOTE1NzE5NWZkZjdhMzdiOTRkN2YmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.0_8D_8v1AgAuaKqcWQOm1cIA-tAasoXcCY2tVn0G_QM) ![image](https://private-user-images.githubusercontent.com/62049321/395993733-fa974bc4-d3a3-4243-a80d-26e8414b20b2.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzMzM1NzUsIm5iZiI6MTczNDMzMzI3NSwicGF0aCI6Ii82MjA0OTMyMS8zOTU5OTM3MzMtZmE5NzRiYzQtZDNhMy00MjQzLWE4MGQtMjZlODQxNGIyMGIyLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA3MTQzNVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTMyNzAzYTU1NmY0M2EyYmZhYjY1ZTJiZjMyOGE3YTM1MzdkNGMzNzZjM2IwYWJiZTQzMjFmNjlmM2I3ZDMwYmQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.92lo0-lYC0qTLw49qZKOzYh6UC_2lcAQg8ZwnBp008M) 模式改成http试试
gitea-mirror commented 2026-05-05 14:18:02 -06:00
Author
Owner
Copy link

@Matthew-Harris-36 commented on GitHub (Dec 16, 2024):

@MasterKe2003 连接不上服务器了,提示这个。
image

<!-- gh-comment-id:2544811486 --> @Matthew-Harris-36 commented on GitHub (Dec 16, 2024): @MasterKe2003 连接不上服务器了,提示这个。 ![image](https://github.com/user-attachments/assets/c726f95a-6f82-42ba-a38d-42e851335725)
gitea-mirror commented 2026-05-05 14:18:03 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 16, 2024):

没有域名么

<!-- gh-comment-id:2544814527 --> @ghost commented on GitHub (Dec 16, 2024): 没有域名么
gitea-mirror commented 2026-05-05 14:18:03 -06:00
Author
Owner
Copy link

@Matthew-Harris-36 commented on GitHub (Dec 16, 2024):

@MasterKe2003 有啊,这域名我已经解析到服务器上了,而且7000和http的8080端口都开放了,但日志里就提示没配。
image
image

<!-- gh-comment-id:2544843484 --> @Matthew-Harris-36 commented on GitHub (Dec 16, 2024): @MasterKe2003 有啊,这域名我已经解析到服务器上了,而且7000和http的8080端口都开放了,但日志里就提示没配。 ![image](https://github.com/user-attachments/assets/463a92a6-4722-4f06-bda5-eae87f79d40f) ![image](https://github.com/user-attachments/assets/79f6609a-c65b-4501-8129-a7a32d82dfaa)
gitea-mirror commented 2026-05-05 14:18:04 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 16, 2024):

@MasterKe2003 有啊,这域名我已经解析到服务器上了,而且7000和http的8080端口都开放了,但日志里就提示没配。 image image

QQ_1734340828842
frps配置如下字段

<!-- gh-comment-id:2545032507 --> @ghost commented on GitHub (Dec 16, 2024): > @MasterKe2003 有啊,这域名我已经解析到服务器上了,而且7000和http的8080端口都开放了,但日志里就提示没配。 ![image](https://private-user-images.githubusercontent.com/62049321/396006377-463a92a6-4722-4f06-bda5-eae87f79d40f.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzNDExMzIsIm5iZiI6MTczNDM0MDgzMiwicGF0aCI6Ii82MjA0OTMyMS8zOTYwMDYzNzctNDYzYTkyYTYtNDcyMi00ZjA2LWJkYTUtZWFlODdmNzlkNDBmLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA5MjAzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTljNzA4NmZlNzIwOTc4Y2MwNjlkZmEwNDk1MmE3ZjU0M2ExZTllZmI2OTU3MDhhNzk4NTc0ZGJjYzY3MjI2NGEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.nooeFaUu3lG_eGdpdwW156UJDtvNHrRNaKO6I9kFmcM) ![image](https://private-user-images.githubusercontent.com/62049321/396006623-79f6609a-c65b-4501-8129-a7a32d82dfaa.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzQzNDExMzIsIm5iZiI6MTczNDM0MDgzMiwicGF0aCI6Ii82MjA0OTMyMS8zOTYwMDY2MjMtNzlmNjYwOWEtYzY1Yi00NTAxLTgxMjktYTdhMzJkODJkZmFhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjE2VDA5MjAzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTUwY2Y4ZTBlMmU4ZmVlYTMzMGIxMjQ1MzhlMWZiYTMxZDlmOWE3NjM4MTgyYjJlYWNiNWFlNWZmZDQ0YWZkMTImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.wmaRO8szBvqX-etll168iMHq6NmFu4ZVi3ZNPMCG-vw) ![QQ_1734340828842](https://github.com/user-attachments/assets/6a68e5bd-59a1-4544-b650-fdaf46904a65) frps配置如下字段
gitea-mirror commented 2026-05-05 14:18:04 -06:00
Author
Owner
Copy link

@Matthew-Harris-36 commented on GitHub (Dec 17, 2024):

暂时不清楚什么原因, frps 不用 Docker 按官方的部署,现在没问题了。

<!-- gh-comment-id:2547956973 --> @Matthew-Harris-36 commented on GitHub (Dec 17, 2024): 暂时不清楚什么原因, frps 不用 Docker 按官方的部署,现在没问题了。
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3578
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?