frp ssl 宝塔

局域网Web服务配置frp穿透与SSL证书

Posted by chunpat on February 11, 2020

搭建frp穿透结构图与ssl思路

结构图

Fu0ZUUtbHNQ0b4nh7d2QN4_LJvtB

SSL思路

Frp(https://github.com/fatedier/frp)有提供ssl设置。但是为了方便管理,把证书设置都放在nginx中。然后外网frp server到局域网都是用的是http type服务而不是https type,然后我们只需要在外网的nginx配置就可以了。

配置

1、局域网服务器frpc.ini

frps.ini 设置:
[common]
bind_port = 7000
token = jq666
vhost_http_port = 8000

2、外网服务器frps.ini设置

[common]
server_addr = xxx.xx.188.48//外网ip
server_port = 7000
token = jq666

[web1]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = gitlab.xxx.com

[web2]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = packagist.xxx.com

3、公网服务器nginx配置

server {
    listen 80;
	listen 443 ssl http2;
    server_name gitlab.xxx.com;
    
    #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
    #error_page 404/404.html;
    ssl_certificate    /etc/letsencrypt/live/gitlab.xxx.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/gitlab.xxx.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497  https://$host$request_uri;
    #SSL-END
    
    #ERROR-PAGE-START  错误页配置,可以注释、删除或修改
    error_page 404 /404.html;
    error_page 502 /502.html;
    #ERROR-PAGE-END
    
    #PHP-INFO-START  PHP引用配置,可以注释或修改
    include enable-php-00.conf;
    #PHP-INFO-END
    
    #REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效
    include /www/server/panel/vhost/rewrite/gitlab.xxx.com.conf;
    #REWRITE-END
    
    location / {
      client_max_body_size 0;
      gzip off;

      proxy_read_timeout      300;
      proxy_connect_timeout   300;
      proxy_redirect          off;

      proxy_http_version 1.1;

      proxy_set_header    Host                $http_host;
      #proxy_set_header	Host 				$host:$server_port;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-Ssl     on;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto   $scheme;
      proxy_pass http://127.0.0.1:8000;
 	}
    
    access_log  /www/wwwlogs/gitlab.xxx.com.log;
    error_log  /www/wwwlogs/gitlab.xxx.com.error.log;
 }

4、内网服务器nginx配置

上面的举例,去掉ssl设置即是

宝塔证书申请

1、到宝塔管理后台,申请ssl证书

1.1、申请域名,dns验证

1.2、如下图,点击详情可以看到要在域名解析里加多条TXT解析,添加后点击验证域名

1.3、阿里云域名解析

迭代

  • 2020年02月11日 21:54:00 初稿
Creative Commons License
本作品采用CC BY-NC-ND 4.0进行许可。转载,请注明原作者 chunpat 及本文源链接。