github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #4558] [Feature Request] add support in frpc for demultiplexing (vhost) multiple HTTPS targets (based on SNI) #3604

New issue
Closed
opened 2026-05-05 14:18:53 -06:00 by gitea-mirror · 15 comments
gitea-mirror commented 2026-05-05 14:18:53 -06:00
Owner
Copy link

Originally created by @ofirc on GitHub (Nov 25, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4558

Describe the feature request

Is there a way to implement SNI-based routing, that is to demultiplex a single connection onto different targets?

This is how I currently implement it with Caddy and Caddy L4 plugin:

{
   admin :2019
   debug
    layer4 {
        :4000 {
            @secure tls sni backend-a
            route @secure {
                proxy backend-a:6000
            }
            @secured tls sni backend-b
            route @secured {
                proxy backend-b:8000
            }
        }
    }
}

I put this in front of the backend servers and it allows to listen on a single port, 4000, and route it to the right backend by peeking at the SNI value.

I was wondering if there is an option to eliminate the Caddy reverse proxy altogether and implement it via the frpc.ini or frps.ini.

Thanks!

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @ofirc on GitHub (Nov 25, 2024). Original GitHub issue: https://github.com/fatedier/frp/issues/4558 ### Describe the feature request Is there a way to implement SNI-based routing, that is to demultiplex a single connection onto different targets? This is how I currently implement it with [Caddy](https://caddyserver.com/) and [Caddy L4 plugin](github.com/mholt/caddy-l4): ``` { admin :2019 debug layer4 { :4000 { @secure tls sni backend-a route @secure { proxy backend-a:6000 } @secured tls sni backend-b route @secured { proxy backend-b:8000 } } } } ``` I put this in front of the backend servers and it allows to listen on a single port, 4000, and route it to the right backend by peeking at the SNI value. I was wondering if there is an option to eliminate the Caddy reverse proxy altogether and implement it via the frpc.ini or frps.ini. Thanks! ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [X] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [X] Client Plugin - [ ] Server Plugin - [X] Extensions - [ ] Others
gitea-mirror 2026-05-05 14:18:53 -06:00
gitea-mirror commented 2026-05-05 14:18:56 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Nov 26, 2024):

Currently, frp does not support SNI-based routing to demultiplex a single connection to different targets. However, this is a valuable suggestion, and we plan to consider it in future updates.

Thank you for sharing your use case!

<!-- gh-comment-id:2499582045 --> @fatedier commented on GitHub (Nov 26, 2024): Currently, frp does not support SNI-based routing to demultiplex a single connection to different targets. However, this is a valuable suggestion, and we plan to consider it in future updates. Thank you for sharing your use case!
gitea-mirror commented 2026-05-05 14:18:57 -06:00
Author
Owner
Copy link

@ofirc commented on GitHub (Dec 5, 2024):

Hi @fatedier thanks for the prompt response, appreciate that and will stay tuned!

<!-- gh-comment-id:2518801635 --> @ofirc commented on GitHub (Dec 5, 2024): Hi @fatedier thanks for the prompt response, appreciate that and will stay tuned!
gitea-mirror commented 2026-05-05 14:18:57 -06:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Dec 20, 2024):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

<!-- gh-comment-id:2556019794 --> @github-actions[bot] commented on GitHub (Dec 20, 2024): Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
gitea-mirror commented 2026-05-05 14:18:58 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 14, 2025):

+1. I'm also interested to get such SNI-based feature. I do it in haproxy:

use_backend bckd if { req_ssl_sni -i a.example.com }
backend bckd
mode tcp
server frps IP:PORT_a

I don't need to do it for https as there is the option "vhostHTTPSPort".

Such implementation would be extremely valuable because it would allow to get rid of Caddy and/or HaProxy.

<!-- gh-comment-id:3403708042 --> @gregoiregentil commented on GitHub (Oct 14, 2025): +1. I'm also interested to get such SNI-based feature. I do it in haproxy: use_backend bckd if { req_ssl_sni -i a.example.com } backend bckd mode tcp server frps IP:PORT_a I don't need to do it for https as there is the option "vhostHTTPSPort". Such implementation would be extremely valuable because it would allow to get rid of Caddy and/or HaProxy.
gitea-mirror commented 2026-05-05 14:18:58 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Oct 15, 2025):

frp already supports SNI-based routing through the vhostHTTPSPort feature. You can configure multiple proxies with different domains, and frps will route traffic based on the SNI field in the TLS Client Hello.

This achieves the same SNI demultiplexing as your Caddy L4 setup.

Note: The proxy type name "https" is somewhat misleading - it performs SNI-based TLS passthrough rather than HTTPS termination. The actual TLS handshake happens at your backend servers. This naming may be refined in future versions to better reflect its behavior.

<!-- gh-comment-id:3404431124 --> @fatedier commented on GitHub (Oct 15, 2025): frp already supports SNI-based routing through the vhostHTTPSPort feature. You can configure multiple proxies with different domains, and frps will route traffic based on the SNI field in the TLS Client Hello. This achieves the same SNI demultiplexing as your Caddy L4 setup. Note: The proxy type name "https" is somewhat misleading - it performs SNI-based TLS passthrough rather than HTTPS termination. The actual TLS handshake happens at your backend servers. This naming may be refined in future versions to better reflect its behavior.
gitea-mirror commented 2026-05-05 14:18:59 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 15, 2025):

But this is only for port 443? I want to reroute pop3s (995), imap3s (993) and smtp (465) based on custom domain sent by frpc. Is there another way to do that right now? I have to use haproxy with some specific port for each domain and have frpc to use that specific port.

<!-- gh-comment-id:3404558317 --> @gregoiregentil commented on GitHub (Oct 15, 2025): But this is only for port 443? I want to reroute pop3s (995), imap3s (993) and smtp (465) based on custom domain sent by frpc. Is there another way to do that right now? I have to use haproxy with some specific port for each domain and have frpc to use that specific port.
gitea-mirror commented 2026-05-05 14:18:59 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Oct 15, 2025):

Multiple ports are not supported for now; vhostHTTPSPort can only be configured with a single port.

<!-- gh-comment-id:3404565414 --> @fatedier commented on GitHub (Oct 15, 2025): Multiple ports are not supported for now; vhostHTTPSPort can only be configured with a single port.
gitea-mirror commented 2026-05-05 14:19:00 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 15, 2025):

I have just tried vhostHTTPSPort on port 995 to transmit POP3s and it seems working with a custom domain setup from frpc! I'm positively surprised that it works because it's not a https transmission though a SSL one.

If it really works for any port on vhostHTTPSPort (which seems to be the case), is there a way to have/patch/get multiples vhostHTTPSPort independently? It would really be extremely beneficial to me because I could get rid of haproxy and to have to put certificates on the server side hosting frps (for haproxy).

As it seems to be working, it's more to tweak/patch the config backend, and have mutliple threads/whatever to handle multiple vhostHTTPSPort. What I'm trying to say is that there is no need to develop a complete new feature...

<!-- gh-comment-id:3405243699 --> @gregoiregentil commented on GitHub (Oct 15, 2025): I have just tried vhostHTTPSPort on port 995 to transmit POP3s and it seems working with a custom domain setup from frpc! I'm positively surprised that it works because it's not a https transmission though a SSL one. If it really works for any port on vhostHTTPSPort (which seems to be the case), is there a way to have/patch/get multiples vhostHTTPSPort independently? It would really be extremely beneficial to me because I could get rid of haproxy and to have to put certificates on the server side hosting frps (for haproxy). As it seems to be working, it's more to tweak/patch the config backend, and have mutliple threads/whatever to handle multiple vhostHTTPSPort. What I'm trying to say is that there is no need to develop a complete new feature...
gitea-mirror commented 2026-05-05 14:19:00 -06:00
Author
Owner
Copy link

@shellus commented on GitHub (Oct 15, 2025):

@gregoiregentil This is not possible at the current stage, but you can use docker to run multiple frps instances

<!-- gh-comment-id:3405256444 --> @shellus commented on GitHub (Oct 15, 2025): @gregoiregentil This is not possible at the current stage, but you can use docker to run multiple frps instances
gitea-mirror commented 2026-05-05 14:19:01 -06:00
Author
Owner
Copy link

@shellus commented on GitHub (Oct 15, 2025):

It's worth mentioning that I have also mapped my local https service in some public frps services, which allows me not to upload my https certificate. This is great.

This indicates that the https in frp configuration is actually sni, which indeed misleads the vast majority of people.

<!-- gh-comment-id:3405263200 --> @shellus commented on GitHub (Oct 15, 2025): It's worth mentioning that I have also mapped my local https service in some public frps services, which allows me not to upload my https certificate. This is great. This indicates that the https in frp configuration is actually sni, which indeed misleads the vast majority of people.
gitea-mirror commented 2026-05-05 14:19:01 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Oct 15, 2025):

As it seems to be working, it's more to tweak/patch the config backend, and have mutliple threads/whatever to handle multiple vhostHTTPSPort. What I'm trying to say is that there is no need to develop a complete new feature...

Functionally speaking, yes. However, from the perspective of the current overall architecture design, it is not a feature that can be added easily.
I can only say that it will be supported in the future, but not in the short term.

<!-- gh-comment-id:3405272478 --> @fatedier commented on GitHub (Oct 15, 2025): > As it seems to be working, it's more to tweak/patch the config backend, and have mutliple threads/whatever to handle multiple vhostHTTPSPort. What I'm trying to say is that there is no need to develop a complete new feature... Functionally speaking, yes. However, from the perspective of the current overall architecture design, it is not a feature that can be added easily. I can only say that it will be supported in the future, but not in the short term.
gitea-mirror commented 2026-05-05 14:19:02 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 15, 2025):

@shellus I'm not using docker and my experience is that frpc can connect only to one instance of frps at the same time.

<!-- gh-comment-id:3405318323 --> @gregoiregentil commented on GitHub (Oct 15, 2025): @shellus I'm not using docker and my experience is that frpc can connect only to one instance of frps at the same time.
gitea-mirror commented 2026-05-05 14:19:02 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 15, 2025):

I completely understand the whole story "not simple, not enough time in the short term". I'm almost willing to patch. Would you share some guidance what would be the very strict minimum (even hard-coding some port numbers) to modify? Or is that too complicated? I'm controlling both ends frps and frpc on my systems.

<!-- gh-comment-id:3405340375 --> @gregoiregentil commented on GitHub (Oct 15, 2025): I completely understand the whole story "not simple, not enough time in the short term". I'm almost willing to patch. Would you share some guidance what would be the very strict minimum (even hard-coding some port numbers) to modify? Or is that too complicated? I'm controlling both ends frps and frpc on my systems.
gitea-mirror commented 2026-05-05 14:19:02 -06:00
Author
Owner
Copy link

@shellus commented on GitHub (Oct 15, 2025):

@shellus I'm not using docker and my experience is that frpc can connect only to one instance of frps at the same time.

I think you've already touched it. Yes, many parts of the system are designed to be unique. As you said, your single frpc can only connect to a single frps, and the same goes for the https port.

So I suggest you, like me, use docker compose to use multiple FRPCS and multiple frps

Trust me, it is very difficult to modify frp itself, but the way to switch and use it is very simple

<!-- gh-comment-id:3405357523 --> @shellus commented on GitHub (Oct 15, 2025): > [@shellus](https://github.com/shellus) I'm not using docker and my experience is that frpc can connect only to one instance of frps at the same time. I think you've already touched it. Yes, many parts of the system are designed to be unique. As you said, your single frpc can only connect to a single frps, and the same goes for the https port. So I suggest you, like me, use docker compose to use multiple FRPCS and multiple frps Trust me, it is very difficult to modify frp itself, but the way to switch and use it is very simple
gitea-mirror commented 2026-05-05 14:19:03 -06:00
Author
Owner
Copy link

@gregoiregentil commented on GitHub (Oct 15, 2025):

Unfortunately, docker is not an option at all (too long to explain why...) If patching isn't possible, I would stay with haproxy. At least, it's on server side only.

<!-- gh-comment-id:3405372721 --> @gregoiregentil commented on GitHub (Oct 15, 2025): Unfortunately, docker is not an option at all (too long to explain why...) If patching isn't possible, I would stay with haproxy. At least, it's on server side only.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3604
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?