Why not an SSH tunnel?
That works too, but frp's advantage is that the user does not need to run ssh.exe at all; the intranet port can be accessed directly.
OpenSSL certificate generation series
- For the -subj format, refer to https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
- Prepare a configuration file for signing the leaf (end-entity) certificate, then create the CA first, and then issue the leaf certificate with it
https://superuser.com/questions/738612/openssl-ca-keyusage-extension
# final_cert.txt
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
# CA private key
# Warning: as of 2023, the minimum RSA key length should be 3072 bits.
openssl genrsa -out ca.key 4096
# CA public cert
# -x509: Output an X.509 certificate structure instead of a cert request
openssl req -x509 -new -key ca.key -subj "/CN=your.domain.com/C=CN/ST=Shanghai/L=Shanghai" -days 3650 -out ca.crt
# Generate the leaf certificate and sign it with the CA
openssl genrsa -out frp_n1.key 2048
openssl req -new -key frp_n1.key -out frp_n1.csr
openssl x509 -req -in frp_n1.csr -out frp_n1.crt -days 365 \
-CAcreateserial -CA ./ca.crt -CAkey ./ca.key \
-CAserial serial -extfile final_cert.txt
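The CA and leaf procedure above as one non-interactive script, added here as an example (it is not code from the original note). It goes beyond the note in three ways: final_cert.txt is written by the script, the leaf CSR uses -subj so nothing is prompted, and a subjectAltName entry plus an openssl verify check are added. The $WORK directory, file names and example host names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original note. Assumed: file names, the
# $WORK directory and the example host names; extensions match final_cert.txt.
set -eu
WORK="${WORK:-./frp-pki}"

write_ext_file() {
    # Same extensions as final_cert.txt, plus subjectAltName: modern TLS clients
    # match the host name against SAN, not CN (host name is an assumption).
    cat > "$WORK/final_cert.txt" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
subjectAltName = DNS:frp-n1.example.internal
EOF
}

make_ca() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
    # -x509: emit a self-signed certificate instead of a CSR
    openssl req -x509 -new -key "$WORK/ca.key" \
        -subj "/CN=frp-ca.example.internal/C=CN/ST=Shanghai/L=Shanghai" \
        -days 3650 -out "$WORK/ca.crt"
}

make_leaf() {
    write_ext_file
    openssl genrsa -out "$WORK/frp_n1.key" 2048 2>/dev/null
    # -subj replaces the interactive prompts of a bare "openssl req -new"
    openssl req -new -key "$WORK/frp_n1.key" \
        -subj "/CN=frp-n1.example.internal/C=CN/ST=Shanghai/L=Shanghai" \
        -out "$WORK/frp_n1.csr"
    openssl x509 -req -in "$WORK/frp_n1.csr" -out "$WORK/frp_n1.crt" -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -CAserial "$WORK/serial" -extfile "$WORK/final_cert.txt"
}

# Prints "ok" when the leaf chains to the CA and carries the expected extensions;
# otherwise prints which check failed. Run this before copying files to frpc/frps.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/frp_n1.crt" >/dev/null 2>&1 \
        || { echo "chain-fail"; return 0; }
    text=$(openssl x509 -in "$WORK/frp_n1.crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || { echo "ext-fail"; return 0; }
    echo "$text" | grep -q 'DNS:frp-n1.example.internal' || { echo "san-fail"; return 0; }
    echo "ok"
}
```

Call make_ca, make_leaf and then verify_leaf; anything other than "ok" means the chain or the extension file is wrong and the files should not be deployed yet.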
frp parameters
- If TLS is configured, it only secures the connection between frpc and frps
- If you proxy protocols that are already encrypted, such as SSH or Remote Desktop, TLS is redundant; simply expose the port
- If the frp server is on the public internet and the proxied content is meant to be public (for example a public website), TLS is also unnecessary
- If the frp server is on a trusted LAN and the proxied content is internal only, then TLS is needed
- For example, the company gateway runs frps and a remote host runs frpc; the network the remote host sits in can then be exposed to the company, similar to a VPN dialing in from the remote host to the company gateway
- For other usages, see the official documentation