[GH-ISSUE #4697] Cannot pass through Http SSL, any issue for this configuration? #3710

Closed
opened 2026-05-05 14:22:47 -06:00 by gitea-mirror · 2 comments
Owner

Originally created by @sj7112 on GitHub (Mar 7, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4697

Bug Description

External Nginx(EN) => FRP => Internal Nginx(IN)

At the beginning, I used the architecture below; everything works fine, except for the real IP address.

EN: http > server > 443 ssl proxy_pass to https://127.0.0.1:6949
FRP: direct pass (type=TCP; External 6949 - Internal 443)
IN: http > server > 443 ssl proxy_pass to http://internalServer:80


In order to reuse the domain across multiple ports, get the real IP address and simplify the SSL pass-through, I changed to the new architecture below.
EN (stream) => FRP (Transparent pass) => IN (SSL termination)


External nginx [ stream ]

map $ssl_preread_server_name $backend {
    pass.mydomain.com 127.0.0.1:6949;
}

server {
    listen 6886; # pass1
    listen 6887; # pass2
    ssl_preread on;
    proxy_protocol on;
    proxy_pass $backend;  # terminating semicolon was missing; nginx rejects the config without it
}

frps / frpc: 0.61.1

[[proxies]]
name = "pass-md-ssl-110"
type = "tcp"
localIP = "127.0.0.1"
localPort = 443
remotePort = 6949
transport.proxyProtocolVersion = "v2"

Internal nginx [ http ]

server {
    listen 443 ssl proxy_protocol;
    http2 on;
    server_name  pass.mydomain.com;

    ssl_certificate /etc/letsencrypt/live/pass.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pass.mydomain.com/privkey.pem;

    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    access_log  /var/log/nginx/pass.access.log  main;

    location / {
        proxy_pass http://vw:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Major differences between method 1 and method 2:

  1. External Nginx changes to stream; change the ports from 443 to 68xx
  2. Install a new version of frps and frpc (0.61.1) and add the statement:
     transport.proxyProtocolVersion = "v2"
  3. External Nginx changes:
     listen 443 ssl; => listen 443 ssl proxy_protocol;
     change the Real IP parameter to $proxy_protocol_addr;
     other minor changes

Issue: only the proxy part is sent; no real contents show up!
Is anything wrong with my configuration?

frpc Version

0.61.1

frps Version

0.61.1

System Architecture

debian12/ubuntu24

Configurations

See above

Logs

172.18.0.1 - - [06/Mar/2025:17:07:42 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9067 6888" 400 157 "-" "-" "-"
172.18.0.1 - - [06/Mar/2025:17:08:22 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9132 6888" 400 157 "-" "-" "-"
172.18.0.1 - - [06/Mar/2025:17:08:22 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9131 6888" 400 157 "-" "-" "-"

Steps to reproduce

...

Affected area

  • [x] Docs
  • [x] Installation
  • [ ] Performance and Scalability
  • [x] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others

@fatedier commented on GitHub (Mar 7, 2025):

From gpt-4.5-preview

Your issue is caused by the Proxy Protocol header being added twice, causing the internal Nginx to misinterpret the incoming request and resulting in the 400 errors you've observed.

Root Cause:

  • External Nginx (stream mode) is already adding the Proxy Protocol header.
  • FRP with transport.proxyProtocolVersion = "v2" is adding another Proxy Protocol header layer, causing duplication.

Remove the Proxy Protocol configuration from FRP to avoid double headers.
Update your FRP configuration as follows:

[[proxies]]
name = "pass-md-ssl-110"
type = "tcp"
localIP = "127.0.0.1"
localPort = 443
remotePort = 6949
# Remove or comment out this line:
# transport.proxyProtocolVersion = "v2"

This ensures only External Nginx handles the Proxy Protocol header, and internal Nginx receives exactly one header, resolving your problem.

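To make the double-header diagnosis concrete, here is an added Python simulation (not part of the issue, nor frp's or nginx's code) that builds the two stacked PROXY headers, has a receiver consume exactly one of them the way `listen ... proxy_protocol` does, and shows why the leftover bytes begin with `PROXY TCP4 ...` and end up logged as a 400. The client address, the frps-side port and the TLS bytes are constructed stand-ins.

```python
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
# Constructed stand-ins: a public client, the external nginx host, and the start of a TLS ClientHello.
CLIENT_IP, EN_IP, FRP_IP = "198.51.100.7", "172.17.16.5", "127.0.0.1"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

def v1_header(src, dst, sport, dport):
    # Text header, as emitted by nginx stream with 'proxy_protocol on'.
    return f"PROXY TCP4 {src} {dst} {sport} {dport}\r\n".encode()

def v2_header(src, dst, sport, dport):
    # Binary header: signature, 0x21 = version 2 / PROXY, 0x11 = AF_INET / STREAM, length, addresses.
    addr = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addr)) + addr

def consume_one_proxy_header(data):
    """Parse exactly one PROXY header (v1 or v2), like a 'listen ... proxy_protocol' socket does.
    Returns (source_ip_or_None, remaining_bytes)."""
    if data.startswith(V2_SIG):
        ver_cmd, fam_proto, alen = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2 or fam_proto != 0x11:
            raise ValueError("unsupported PROXY v2 header")
        addr = data[16:16 + alen]
        return socket.inet_ntoa(addr[:4]), data[16 + alen:]
    if data.startswith(b"PROXY "):
        line, _, rest = data.partition(b"\r\n")
        return line.decode().split()[2], rest
    return None, data

def internal_nginx_view(frp_adds_header):
    """Simulate the bytes that reach the internal nginx and what it makes of them."""
    # External nginx (stream) prepends a v1 header carrying the real client address.
    wire = v1_header(CLIENT_IP, EN_IP, 9067, 6888) + TLS_CLIENT_HELLO
    if frp_adds_header:
        # frp with transport.proxyProtocolVersion = "v2" wraps that in a second header whose
        # source is the external nginx connecting to frps on 127.0.0.1, not the real client.
        wire = v2_header(FRP_IP, FRP_IP, 40000, 6949) + wire
    src, rest = consume_one_proxy_header(wire)
    # nginx expects a TLS record (type 0x16) next; anything else is "plain HTTP on HTTPS port" -> 400.
    state = "tls-handshake" if rest[:1] == b"\x16" else "400-bad-request"
    return {"proxy_protocol_addr": src, "next_bytes": rest[:11], "result": state}

if __name__ == "__main__":
    print(internal_nginx_view(True))   # header added by both: leftover is 'PROXY TCP4 ...', 400
    print(internal_nginx_view(False))  # header added once: client IP recovered, TLS proceeds
```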

@github-actions[bot] commented on GitHub (Mar 22, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
