-
-
Notifications
You must be signed in to change notification settings - Fork 13.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need to make it clear: do I need to copy Let's Encrypt certificates every 3 months to get TLS to work for BOTH the server and the client? #4621
Comments
By default, traffic between frpc and frps is encrypted using randomly generated certificates. You only need to provide your own certificates if you require additional authentication. Whether you need to update certificates on frpc depends on whether you require mutual TLS (mTLS) for bidirectional authentication. Without mTLS, it’s sufficient to configure certificates only on frps. This simplifies the setup, as you don't need to distribute certificates to all clients unless mutual authentication is a strict requirement in your environment. |
Thanks for trying to help. But maybe I simplified the problem too much. I try to explain again (sorry for possible misunderstanding before):I setup a web service on my laptop, that serves only by HTTP. It is I need FRP to reverse proxy to this HTTP service only by HTTPS. Can FRP do this? Currently, I have such configs (more detailed):
Details
webServer.addr = "0.0.0.0"
webServer.port = 7400
webServer.user = "user"
webServer.password = "password"
serverAddr = "subdomain.example.tld"
serverPort = 7000
auth.method = "token"
auth.token = "sometoken"
transport.tls.enable = true
transport.tls.certFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.crt"
transport.tls.keyFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.key"
transport.tls.serverName = "subdomain.example.tld"
[[proxies]]
name = "mylaptop"
type = "tcp"
localIP = "127.0.0.1"
localPort = 23001
remotePort = 22001
[[proxies]]
name = "mylaptop_restic_server"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8010
remotePort = 22002
Details
bindPort = 7000
vhostHTTPPort = 8080
vhostHTTPSPort = 8443
allowPorts = [
{ start = 22001, end = 22089 }
]
webServer.addr = "0.0.0.0"
webServer.port = 7500
webServer.user = "user"
webServer.password = "password"
auth.method = "token"
auth.token = "sometoken"
transport.tls.force = true
transport.tls.certFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.crt"
transport.tls.keyFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.key" Right now, it gets error from Details
$kenyawest: ~/backup-restic-node/autorestic ❯ sudo scripts/update.sh
Using config: /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.yaml
Using env: /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.env
Using lock: /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.lock.yml
Backing up location "home_user"
Backend: server
> Executing: /usr/local/bin/restic backup --tag ar:location:home_user /home/kenyawest
Fatal: unable to open config file: Head "https://user:***@subdomain.example.tld:22002/config": http: server gave HTTP response to HTTPS client
Is there a repository at the following location?
rest:https://user:***@subdomain.example.tld:22002/
home_user@server:
Fatal: unable to open config file: Head "https://user:***@subdomain.example.tld:22002/config": http: server gave HTTP response to HTTPS client
Is there a repository at the following location?
rest:https://user:***@subdomain.example.tld:22002/
exit status 1
Error: 1 errors were found The documentation has a paragraphs about my exact specific use case: Details
Enable HTTPS for a local HTTP(S) serviceYou may substitute
# frpc.toml
serverAddr = "x.x.x.x"
serverPort = 7000
[[proxies]]
name = "test_https2http"
type = "https"
customDomains = ["test.example.com"]
[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
But even with the same certificates both on client and server, FRP cannot wrap/transform/remap HTTP traffic to HTTPS one. Does that mean it is not FRP's job? |
Thanks. Sorry for asking you like it is tech support. But you have more experience in this. I will be glad if you look at this. I think I setup it correctly but the service still not available: frpc.toml
webServer.addr = "0.0.0.0"
webServer.port = 7400
webServer.user = "user"
webServer.password = "password"
serverAddr = "sub.example.tld"
serverPort = 7000
auth.method = "token"
auth.token = "sometoken"
[[proxies]]
name = "kw-ubuntu"
type = "tcp"
localPort = 23001
remotePort = 22001
[[proxies]]
name = "kw-ubuntu_restic_server"
type = "https"
customDomains = ["sub.example.tld"]
[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:8010" # web service listening on this port (restic, to be precise)
crtPath = "/etc/frp/certs/sub.example.tld/sub.example.tld.crt"
keyPath = "/etc/frp/certs/sub.example.tld/sub.example.tld.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp" frps.toml
bindPort = 7000
vhostHTTPPort = 8080
vhostHTTPSPort = 8443
allowPorts = [
{ start = 22001, end = 22089 }
]
webServer.addr = "0.0.0.0"
webServer.port = 7500
webServer.user = "user"
webServer.password = "password"
auth.method = "token"
auth.token = "sometoken" And looks like it is setup correctly according to logs and FRPS dashboard: But the connection is still not happening: $kenyawest: ~ ❯ curl https://sub.example.tld:8443 -v
* Trying 91.108.243.8:8443...
* connect to 91.108.243.8 port 8443 failed: Connection refused
* Failed to connect to sub.example.tld port 8443 after 130 ms: Connection refused
* Closing connection 0 Locally, it works, web service replies correctly. UFW is disabled or properly setup on both client and server. How do I debug this? |
You should check whether the server-side port is properly open, provide necessary logs, and perform preliminary troubleshooting to save time. |
You were right, I forgot to double-check But I still have some architectural questions regarding this setup:
|
|
Looks like I am starting to understand this wonderful world of proxying. Thanks for rapid responses, and thanks for developing FRP project! I will continue to discover things there. Since this issue is resolved, I close it because there nothing to discuss regarding this topic. |
Describe the feature request
I have a setup like this:
Configs are (templated by Jinja2):
Details
frps.toml:
frpc.toml:
So far so good without TLS. But I want to switch to TLS-only connections.
Caddy updates certificates on time and (as for now) just proxies for FRPS dashboard with SSL.
The actual
frps<---[tcp]--->frpc
connections FRPS does by itself without any TLS.If I switch to SSL/TLS only, I need to copy Let's Encrypt certs from Caddy to both FRPS and FRPC, right? Or do I need to set certificates only in
frps.toml
, and the client will automatically switch to TLS?Making certificates accessible for one server is OK. But to distribute certs for all the clients on regular basis adds unnecessary complexity to an already complicated infrastructure.
Describe alternatives you've considered
Alternative is to sit still and being happy without TLS
Affected area
The text was updated successfully, but these errors were encountered: