[GH-ISSUE #671] nginx HTTPS forwarding to frps #528

Closed
opened 2026-05-05 12:20:39 -06:00 by gitea-mirror · 6 comments

Originally created by @wxlg1117 on GitHub (Mar 21, 2018).
Original GitHub issue: https://github.com/fatedier/frp/issues/671

**What version of frp are you using (./frpc -v or ./frps -v)?**
0.16

**What operating system and processor architecture are you using (`go env`)?**
centos 7.4

**Configuration you used:**

**Steps to reproduce the issue:**

1. Start frps;

frps.ini

```
bind_port = 7000
vhost_http_port = 7080
vhost_https_port = 7443
subdomain_host = testtest.com
```

2. nginx configuration, nginx.ini;

```
server {
    server_name *.testtest.com;
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/testtest.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/testtest.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://127.0.0.1:7443;
        #proxy_ssl_server_name on;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

3. Start frpc, and start a local HTTPS service on port 8009;

```
[test1]
type = https
local_ip = 127.0.0.1
local_port = 8009
subdomain = test1
```

**Describe the results you received:**
Accessing `https://test1.testtest.com:7443` works.
Accessing `https://test1.testtest.com` fails, and the log prints

> get hostname from http/https request error: Unknow error

**Additional information you deem important (e.g. issue happens only occasionally):**
Although, following (https://github.com/fatedier/frp/issues/610), nginx.ini can be hard-coded as:

```
server_name test1.testtest.com;
proxy_pass https://test1.testtest.com:7443;
```

so that both `https://test1.testtest.com:7443` and `https://test1.testtest.com` work, this is very inconvenient once frps is configured with subdomain_host and frpc uses subdomain.

Has anyone already solved this?
@fatedier @312102021

Update 2018-03-22: solved, thanks to a pointer from a kind expert.
@rockts commented on GitHub (May 14, 2018):

You are using a free SSL certificate, and a free certificate presumably cannot be bound to a wildcard domain such as *.baidu.com. One free certificate can only cover a single first-level or second-level domain; if you have a.baidu.com and b.baidu.com, you should need to apply for two certificates.

@levenkk commented on GitHub (Jul 3, 2018):

@wxlg1117 May I ask how you solved it?

@xiasf commented on GitHub (Aug 8, 2018):

Same question: how did you solve it?

@levenkk commented on GitHub (Aug 9, 2018):

After some fiddling, HTTPS forwarding now works for me. The certificate is a free Let's Encrypt one, which supports wildcard domains.
Domains of the form https://xxxxx.frp.yourdomain.com can be accessed.

nginx.conf

```
server {
    listen 443 ssl http2;
    server_name *.frp.yourdomain.com;
    ssl_certificate ../ssl/cert.pem;
    ssl_certificate_key ../ssl/privkey.pem;
    location / {
        resolver 127.0.0.1; # resolve the domain locally via /etc/dnsmasq.conf
        proxy_ssl_server_name on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass https://$host:7443; # reach the frp service by domain name
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}
```

Map the domain to the local host for name resolution
/etc/dnsmasq.conf

```
address=/.yourdomain.com/127.0.0.1
address=/.frp.yourdomain.com/127.0.0.1
```

frps.ini

```
[common]
bind_port = 7000
subdomain_host = frp.yourdomain.com
vhost_http_port = 7080
vhost_https_port = 7443
dashboard_port = 7500
token = yourtoken
```
@whdlut commented on GitHub (Oct 14, 2018):

@wxlg1117, hello, I would like to ask you something: for this to work properly, must the cloud server (with a public IP, running frps and nginx) and the intranet server (running frpc) have the same Let's Encrypt certificate (fullchain.pem and privkey.pem)? I personally think so; in that case, does the certificate have to be copied directly from the cloud server to the intranet server? Strictly speaking, wouldn't that be a potential network security risk? Thank you!

@rockts commented on GitHub (Oct 15, 2018):

1. The server does not need to run frpc; frpc runs on the client.
2. SSL only needs to be installed on the server side; the client does not need it.

> On Oct 14, 2018, at 11:44, whdlut notifications@github.com wrote:
>
> @wxlg1117 https://github.com/wxlg1117, hello, I would like to ask you something: for this to work properly, must the cloud server (with a public IP, running frps and nginx) and the intranet server (running frpc) have the same Let's Encrypt certificate (fullchain.pem and privkey.pem)? I personally think so; in that case, does the certificate have to be copied directly from the cloud server to the intranet server? Strictly speaking, wouldn't that be a potential network security risk? Thank you!
Reference: github-starred/frp#528