frp icon indicating copy to clipboard operation
frp copied to clipboard
verified publisher icon fatedier

0.61可以提供完整的http2https, https2https的例子么

Open shyandsy opened this issue 1 year ago • 3 comments

Bug Description

场景

  1. 内网服务器https://192.168.101.20:6443, 是k8s cluster api
  2. 公网阿里云服务器 47.xx.xx.xx 是我的公网ip
  3. 我希望通过公网https 50080 和 http 55000 端口,访问内网k8s cluster api

尝试http2https,tcp都无法访问内网https服务

frpc Version

0.61.0

frps Version

0.61.0

System Architecture

linux/amd64

Configurations

server配置

bindPort = 50000

vhostHTTPPort = 50080
vhostHTTPSPort = 55000

subdomainHost = "xxx.xxx.com"
log.level = "debug"

client配置

# 方式1 tcp
[[proxies]]
name = "kubectl"
type = "tcp"
localIP = "192.168.101.20"
localPort = 6443
remotePort = 52000

# 方式2 http2https
[[proxies]]
name = "k8s"
type = "http"
#customDomains = ["xxx.xxx.com"]
subDomain = "a"
[proxies.plugin]
type = "http2https"
localAddr = "192.168.101.20:6443"
hostHeaderRewrite = "192.168.101.20"
#requestHeaders.set.x-from-where = "a"

Logs

  1. 尝试tcp方式访问 server debug输出 image

client debug输出 image

  1. 尝试http方式访问 server debug输出 image

client debug输出 image

Steps to reproduce

...

Affected area

  • [ ] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [ ] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others

shyandsy avatar Dec 09 '24 13:12 shyandsy

配置基本没问题,考虑是运营商或vps服务商的问题。不信,你可以在本地不同的设备上搭建frps和frpc测试,没有公网ipv4就用ipv6测试,应该是可以通的。 现在可以尝试: 1、关闭tls看行不行:transport.tls.enable = false 2、在frps上配置 quicBindPort,采用udp传输,frpc使用 transport.protocol = "quic" 3、尝试换一个https服务试试,随便自己弄一个自签名的https。 注意所有用到的端口在vps上防火墙要打开。

superzjg avatar Dec 10 '24 11:12 superzjg

@superzjg

  1. 使用tcp模式时候,kubectl get ns --skip-tls-verify=true,是可以成功执行的。如果不加--skip-tls-verify=true,内网kube api server会报错,说目标地址应该是192.168.101.20,而不是47.xxxx (阿里云公网地址)。看起来请求里目标ip没有变
  2. 如果使用https模式转发,我最后抓包能看到https请求到达192.168.101.20:6443目标端口,但是kubectl的双向证书认证,似乎没认证通过

shyandsy avatar Dec 12 '24 03:12 shyandsy

@superzjg

  1. 使用tcp模式时候,kubectl get ns --skip-tls-verify=true,是可以成功执行的。如果不加--skip-tls-verify=true,内网kube api server会报错,说目标地址应该是192.168.101.20,而不是47.xxxx (阿里云公网地址)。看起来请求里目标ip没有变
  2. 如果使用https模式转发,我最后抓包能看到https请求到达192.168.101.20:6443目标端口,但是kubectl的双向证书认证,似乎没认证通过

我不太明白你的意思,我用一个简单的 https://192.168.3.6:53412 自签名网页,测试结果没有问题。 访问下面三个网址均可以打开: https://aaa.bbb.com:53430/ https://aaa.bbb.com:53413/ http://aaa.bbb.com:53413/

附带我的配置文件:

Frps v0.60.0:(注:因为我使用的端口一样,所以必须在frpc配置transport.tls.disableCustomTLSFirstByte,否则连不上,不一样的端口不需要)

bindPort = 53413
auth.token = "123456"
vhostHTTPPort = 53413
vhostHTTPSPort = 53413
log.to = "/var/log/frps.log"
log.maxDays = 6

Frpc v0.60.0:

serverAddr = "aaa.bbb.com"
serverPort = 53413
loginFailExit = false
auth.token = "123456"
log.to = "/var/log/frpc.log"
transport.tls.disableCustomTLSFirstByte = false

[[proxies]]
name = "tcp_web_test"
type = "tcp"
localIP = "192.168.3.6"
localPort = 53412
remotePort = 53430

[[proxies]]
name = "https_test"
type = "https"
localIP = "192.168.3.6"
localPort = 53412
customDomains = ["aaa.bbb.com"]

[[proxies]]
name = "http2https_test"
type = "http"
customDomains = ["aaa.bbb.com"]
[proxies.plugin]
type = "http2https"
localAddr = "192.168.3.6:53412"

superzjg avatar Dec 12 '24 06:12 superzjg

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

github-actions[bot] avatar Dec 27 '24 00:12 github-actions[bot]