生命在于编程

生命不息,编程不止


frp配置多域名穿透内网

GIT服务器维护

网络架构

            graph TD
            %% Request path for git.xxx.cc, from the browser to the GitLab instance on the internal network.
            %% Trust boundary: TLS is terminated at nginx on the public server. Every later hop
            %% is labelled as HTTP forwarding or as the frp tunnel, so confidentiality on the
            %% tunnel hop depends on how frp itself is configured.
            %% NOTE(review): confirm the frp tunnel is encrypted.
            browser[浏览器] -->|域名git.xxx.cc| gateway(公网服务器-175.102.11.86)
gateway --> nginx{nginx}
nginx -->|解析https,加载证书,本地端口转发| frps{frps}
frps --> |frp隧道| inserver(内网服务器,192.168.X.X)
inserver --> frpc{frpc}
frpc --> |转发本地http请求| gitlab[GITLAB]
          

重点

  • TLS/SSL证书在nginx加载和验证(TLS在nginx终止,nginx之后转发的都是HTTP请求)
  • nginx转发到本地frps的vhost HTTP端口(vhost_http_port,本例为7080)
  • frps服务端穿透到frpc端
  • gitlab是以docker容器方式运行,所以frpc还要转发到本地的gitlab端口

配置文件示例

nginx

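# HTTPS entry point for git.xxx.cc. TLS is terminated here; requests are then
# proxied as plain HTTP to the frps vhost port on the same host.
server {
    # The "ssl" flag on listen enables TLS for this socket. The separate
    # "ssl on;" directive is deprecated (removed in nginx 1.25.1) and is dropped.
    listen 443 ssl http2;
    server_name git.xxx.cc;
    charset utf-8;
    access_log /var/log/nginx/git.access.log;
    error_log /var/log/nginx/git.error.log;

    ssl_certificate /etc/nginx/ssl/git.xxx.cc.pem;
    # Private key: keep it readable only by root / the nginx master process.
    ssl_certificate_key /etc/nginx/ssl/git.xxx.cc.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;

    # Allowed protocols. TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no
    # longer offered. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+;
    # remove it if this nginx build rejects the value.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 cipher suites: forward-secret (ECDHE) AEAD suites only. The former
    # list also matched the broad ECDH/AES/HIGH groups, which admit CBC-mode and
    # non-forward-secret suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Use the server's cipher order rather than the client's.
    ssl_prefer_server_ciphers on;

    # Maximum request body size; presumably sized for large Git pushes/uploads.
    client_max_body_size 1000m;

    # Forward to the frps vhost HTTP port (7080) on loopback. This hop is plain
    # HTTP, so port 7080 must not be reachable from outside this host; otherwise
    # clients could bypass TLS and send forged X-Real-IP / X-Forwarded-For values.
    location / {
        proxy_pass http://127.0.0.1:7080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend that the original request arrived over HTTPS.
        # NOTE(review): confirm GitLab is configured to trust this header.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}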

frps.ini

...
# Plain-HTTP vhost listener that nginx proxies to at 127.0.0.1:7080.
# It should not be reachable from the internet (for example, block 7080 at the
# firewall); otherwise requests can reach the proxied service without going
# through TLS termination at nginx.
vhost_http_port = 7080
...

frpc.ini

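# frpc proxy definition: exposes the local web service through frps under the
# custom domain below.
[Domain_Http]
# Compress traffic carried over the frp tunnel.
use_compression = true
# Encrypt this proxy's traffic between frpc and frps. TLS ends at nginx on the
# public server, so without this the HTTP requests (including Git credentials
# and repository data) may cross the tunnel unencrypted, depending on the frp
# version's transport defaults.
use_encryption = true
# The proxy type stays http: frps routes by Host header on its vhost HTTP port.
type = http
# Port of the local web service (per the article, the GitLab container's port).
local_port = 4000
# Domain to reverse-proxy: only requests that reach frps with this Host are
# forwarded to the local web service.
custom_domains = git.xxx.cc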