[GH-ISSUE #4717] 转发 HTTPS 连接时出现握手中断（RST），导致 curl 获取失败 #3725

New issue

Closed

opened 2026-05-05 14:23:17 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented 2026-05-05 14:23:17 -06:00

Owner

Copy link

Originally created by @Fadouse on GitHub (Mar 16, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4717

Bug Description

描述

在使用 FRP 将内网 Caddy 服务器的 TLS 服务（监听端口 443）映射到阿里云服务器公网 (监听端口 4433) 后，通过 curl 进行连接时，发现握手过程中连接被对端复位（RST），提示“Recv failure: Connection was reset”。但在浏览器中访问时，握手和连接均能正常完成。

环境信息

• Caddy 版本：例如 v2.6.x（已启用 TLS 1.3，证书正常）

预期行为

curl 客户端使用 TLS 1.3 进行连接时，应与浏览器一样，成功完成 TLS 握手并建立加密连接，而不应被中途复位。

实际行为

使用 curl，在发送 Client Hello 后连接被中断，导致握手失败，出现“Connection reset by peer”错误；而浏览器使用相同协议时连接正常。

附加信息

• 我已经尝试升级 curl，并在命令中加入了浏览器常用的请求头，但问题仍然存在。
• 使用浏览器直接访问时（同一网络环境下），TLS 握手和连接均正常。

frpc Version

0.61.1

frps Version

0.61.2

System Architecture

frpc: windows/amd64 frps: linux/amd64

Configurations

 ```ini
 [caddy]
 type = tcp
 local_ip = 192.168.195.135
 local_port = 443
 remote_port = 4433
 ```

Logs

• curl 命令返回错误：(35) Recv failure: Connection was reset
• Caddy 日志中显示 TLS 握手过程中成功匹配了证书，但随即收到 EOF（连接中断），如以下日志摘录：

  2025/03/16 14:13:04.826 DEBUG   http.stdlib     http: TLS handshake error from [客户端IP]:57271: EOF
  2025/03/16 14:13:06.846 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.195.1", "remote_port": "57274", ...}
  2025/03/16 14:13:06.847 DEBUG   http.stdlib     http: TLS handshake error from [客户端IP]:57274: EOF
  

Steps to reproduce

1. 服务器端配置
   • Caddy 部署在内网：

     {
              auto_https off
              debug
          }
     
     
          # ==============================
          # fleet.example.com
          # ==============================
           fleet.example.com:443 {
              tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem
     
              reverse_proxy https://localhost:8220 {
                  transport http {
                      tls_insecure_skip_verify
                  }
              }
          }
     
          # ==============================
          # es.example.com
          # ==============================
          es.example.com:443 {
              tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem
     
              reverse_proxy https://localhost:9200 {
                  transport http {
                      tls_insecure_skip_verify
                  }
              }
          }
     
          # ==============================
          # kibana.example.com
          # ==============================
          kibana.example.com:443 {
              tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem
              reverse_proxy 192.168.195.135:5601
          }
     

2. FRP 配置
   • FRP 配置：

     [caddy]
     type = tcp
     local_ip = 192.168.195.135
     local_port = 443
     remote_port = 4433
     

3. 测试请求
   • 使用 curl 添加常用浏览器的请求头：

     curl -v --tlsv1.3 \
       -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" \
       -H "Accept-Language: en-US,en;q=0.9" \
       "https://fleet.example.com:4433/"
     

Affected area

• Docs
• Installation
• Performance and Scalability
• Security
• User Experience
• Test and Release
• Developer Infrastructure
• Client Plugin
• Server Plugin
• Extensions
• Others

Originally created by @Fadouse on GitHub (Mar 16, 2025). Original GitHub issue: https://github.com/fatedier/frp/issues/4717 ### Bug Description ### 描述 在使用 FRP 将内网 Caddy 服务器的 TLS 服务（监听端口 443）映射到阿里云服务器公网 (监听端口 4433) 后，通过 curl 进行连接时，发现握手过程中连接被对端复位（RST），提示“Recv failure: Connection was reset”。但在浏览器中访问时，握手和连接均能正常完成。 ### 环境信息 - **Caddy 版本**：例如 v2.6.x（已启用 TLS 1.3，证书正常） ### 预期行为 curl 客户端使用 TLS 1.3 进行连接时，应与浏览器一样，成功完成 TLS 握手并建立加密连接，而不应被中途复位。 ### 实际行为 使用 curl，在发送 Client Hello 后连接被中断，导致握手失败，出现“Connection reset by peer”错误；而浏览器使用相同协议时连接正常。 ### 附加信息 - 我已经尝试升级 curl，并在命令中加入了浏览器常用的请求头，但问题仍然存在。 - 使用浏览器直接访问时（同一网络环境下），TLS 握手和连接均正常。 ### frpc Version 0.61.1 ### frps Version 0.61.2 ### System Architecture frpc: windows/amd64 frps: linux/amd64 ### Configurations ```ini [caddy] type = tcp local_ip = 192.168.195.135 local_port = 443 remote_port = 4433 ``` ### Logs - curl 命令返回错误：`(35) Recv failure: Connection was reset` - Caddy 日志中显示 TLS 握手过程中成功匹配了证书，但随即收到 EOF（连接中断），如以下日志摘录： ``` 2025/03/16 14:13:04.826 DEBUG http.stdlib http: TLS handshake error from [客户端IP]:57271: EOF 2025/03/16 14:13:06.846 DEBUG tls.handshake matched certificate in cache {"remote_ip": "192.168.195.1", "remote_port": "57274", ...} 2025/03/16 14:13:06.847 DEBUG http.stdlib http: TLS handshake error from [客户端IP]:57274: EOF ``` ### Steps to reproduce 1. **服务器端配置** - Caddy 部署在内网： ```caddyfile { auto_https off debug } # ============================== # fleet.example.com # ============================== fleet.example.com:443 { tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem reverse_proxy https://localhost:8220 { transport http { tls_insecure_skip_verify } } } # ============================== # es.example.com # ============================== es.example.com:443 { tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem reverse_proxy https://localhost:9200 { transport http { tls_insecure_skip_verify } } } # ============================== # kibana.example.com # ============================== kibana.example.com:443 { tls /home/elastic/cert/example.com/fullchain.pem /home/elastic/cert/example.com/privkey.pem reverse_proxy 192.168.195.135:5601 } ``` 2. **FRP 配置** - FRP 配置： ```ini [caddy] type = tcp local_ip = 192.168.195.135 local_port = 443 remote_port = 4433 ``` 3. **测试请求** - 使用 curl 添加常用浏览器的请求头： ```bash curl -v --tlsv1.3 \ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" \ -H "Accept-Language: en-US,en;q=0.9" \ "https://fleet.example.com:4433/" ``` ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [x] User Experience - [x] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others

gitea-mirror closed this issue 2026-05-05 14:23:18 -06:00

gitea-mirror commented 2026-05-05 14:23:20 -06:00

Author

Owner

Copy link

@xqzr commented on GitHub (Mar 17, 2025):

域名未备案。
浏览器使用了 X25519MLKEM768 未被阻断

<!-- gh-comment-id:2730611145 --> @xqzr commented on GitHub (Mar 17, 2025): 域名未备案。 浏览器使用了 `X25519MLKEM768` 未被阻断

gitea-mirror commented 2026-05-05 14:23:21 -06:00

Author

Owner

Copy link

@Fadouse commented on GitHub (Mar 18, 2025):

感谢！

<!-- gh-comment-id:2731305502 --> @Fadouse commented on GitHub (Mar 18, 2025): 感谢！

gitea-mirror commented 2026-05-05 14:23:21 -06:00

Author

Owner

Copy link

@hbliu1985 commented on GitHub (Jun 3, 2025):

我遇到同样的问题，只发生在某些网络环境中，请问怎么解决的？

2025-06-03 16:23:39.372 [D] [proxy/proxy_wrapper.go:265] [ddbf631394bc0c83] [liudoc.https-doc] start a new work connection, localAddr: 192.168.111.36:45965 remoteAddr: 14.103.140.101:7000
2025-06-03 16:23:39.373 [T] [proxy/proxy.go:151] [ddbf631394bc0c83] [liudoc.https-doc] handle tcp work connection, useEncryption: true, useCompression: true
2025-06-03 16:23:39.373 [D] [proxy/proxy.go:219] [ddbf631394bc0c83] [liudoc.https-doc] join connections, localConn(l[192.168.111.182:49412] r[192.168.111.182:443]) workConn(l[192.168.111.36:45965] r[14.103.140.101:7000])
2025-06-03 16:23:39.378 [D] [proxy/proxy.go:231] [ddbf631394bc0c83] [liudoc.https-doc] join connections closed
2025-06-03 16:23:39.379 [T] [proxy/proxy.go:233] [ddbf631394bc0c83] [liudoc.https-doc] join connections errors: [writeto tcp 192.168.111.182:49412->192.168.111.182:443: read tcp 192.168.111.182:49412->192.168.111.182:443: use of closed network connection]

<!-- gh-comment-id:2934107787 --> @hbliu1985 commented on GitHub (Jun 3, 2025): 我遇到同样的问题，只发生在某些网络环境中，请问怎么解决的？   2025-06-03 16:23:39.372 [D] [proxy/proxy_wrapper.go:265] [ddbf631394bc0c83] [liudoc.https-doc] start a new work connection, localAddr: 192.168.111.36:45965 remoteAddr: 14.103.140.101:7000 2025-06-03 16:23:39.373 [T] [proxy/proxy.go:151] [ddbf631394bc0c83] [liudoc.https-doc] handle tcp work connection, useEncryption: true, useCompression: true 2025-06-03 16:23:39.373 [D] [proxy/proxy.go:219] [ddbf631394bc0c83] [liudoc.https-doc] join connections, localConn(l[192.168.111.182:49412] r[192.168.111.182:443]) workConn(l[192.168.111.36:45965] r[14.103.140.101:7000]) 2025-06-03 16:23:39.378 [D] [proxy/proxy.go:231] [ddbf631394bc0c83] [liudoc.https-doc] join connections closed 2025-06-03 16:23:39.379 [T] [proxy/proxy.go:233] [ddbf631394bc0c83] [liudoc.https-doc] join connections errors: [writeto tcp 192.168.111.182:49412->192.168.111.182:443: read tcp 192.168.111.182:49412->192.168.111.182:443: use of closed network connection]

gitea-mirror commented 2026-05-05 14:23:23 -06:00

Author

Owner

Copy link

@xqzr commented on GitHub (Jun 3, 2025):

发生在某些网络环境中，请问怎么解决的？

https://github.com/fatedier/frp/issues/3778#issuecomment-2933491110

<!-- gh-comment-id:2936165452 --> @xqzr commented on GitHub (Jun 3, 2025): > 发生在某些网络环境中，请问怎么解决的？ https://github.com/fatedier/frp/issues/3778#issuecomment-2933491110

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

new

master

copilot/review-pull-request-5198

v0.68.1

v0.68.0

v0.67.0

v0.66.0

v0.65.0

v0.64.0

v0.63.0

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.0

v0.59.0

v0.58.1

v0.58.0

v0.57.0

v0.56.0

v0.55.1

v0.55.0

v0.54.0

v0.53.2

v0.53.1

v0.53.0

v0.52.3

v0.52.2

v0.52.1

v0.52.0

v0.51.3

v0.51.2

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.1

v0.46.0

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.1

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.3

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.1

v0.32.0

v0.31.2

v0.31.1

v0.31.0

v0.30.0

v0.29.1

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.0

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.1

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

In Progress

  

WIP

  

WaitingForInfo

  

bug

  

doc

  

duplicate

  

easy

  

enhancement

  

future

  

help wanted

  

invalid

  

lifecycle/stale

  

need-issue-template

  

need-usage-help

  

no plan

  

proposal

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

todo

No labels

In Progress

WIP

WaitingForInfo

bug

doc

duplicate

easy

enhancement

future

help wanted

invalid

lifecycle/stale

need-issue-template

need-usage-help

no plan

proposal

pull-request

question

todo

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3725

No description provided.