``` ├── .circleci/ ├── config.yml ├── .github/ ├── FUNDING.yml ├── ISSUE_TEMPLATE/ ├── bug_report.yaml ├── config.yml ├── feature_request.yaml ├── pull_request_template.md ├── workflows/ ├── build-and-push-image.yml ├── golangci-lint.yml ├── goreleaser.yml ├── stale.yml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yml ├── LICENSE ├── Makefile ├── Makefile.cross-compiles ├── README.md ├── README_zh.md ├── Release.md ├── assets/ ├── assets.go ├── frpc/ ├── embed.go ├── static/ ├── favicon.ico ├── index-bLBhaJo8.js ``` ## /.circleci/config.yml ```yml path="/.circleci/config.yml" version: 2 jobs: go-version-latest: docker: - image: cimg/go:1.23-node resource_class: large steps: - checkout - run: make - run: make alltest workflows: version: 2 build_and_test: jobs: - go-version-latest ``` ## /.github/FUNDING.yml ```yml path="/.github/FUNDING.yml" # These are supported funding model platforms github: [fatedier] custom: ["https://afdian.com/a/fatedier"] ``` ## /.github/ISSUE_TEMPLATE/bug_report.yaml ```yaml path="/.github/ISSUE_TEMPLATE/bug_report.yaml" name: Bug report description: Report a bug to help us improve frp body: - type: markdown attributes: value: | Thanks for taking the time to fill out this bug report! - type: textarea id: bug-description attributes: label: Bug Description description: Tell us what issues you ran into placeholder: Include information about what you tried, what you expected to happen, and what actually happened. The more details, the better! validations: required: true - type: input id: frpc-version attributes: label: frpc Version description: Include the output of `frpc -v` validations: required: true - type: input id: frps-version attributes: label: frps Version description: Include the output of `frps -v` validations: required: true - type: input id: system-architecture attributes: label: System Architecture description: Include which architecture you used, such as `linux/amd64`, `windows/amd64` validations: required: true - type: textarea id: config attributes: label: Configurations description: Include what configurrations you used and ran into this problem placeholder: Pay attention to hiding the token and password in your output validations: required: true - type: textarea id: log attributes: label: Logs description: Prefer you providing releated error logs here placeholder: Pay attention to hiding your personal informations - type: textarea id: steps-to-reproduce attributes: label: Steps to reproduce description: How to reproduce it? It's important for us to find the bug value: | 1. 2. 3. ... - type: checkboxes id: area attributes: label: Affected area options: - label: "Docs" - label: "Installation" - label: "Performance and Scalability" - label: "Security" - label: "User Experience" - label: "Test and Release" - label: "Developer Infrastructure" - label: "Client Plugin" - label: "Server Plugin" - label: "Extensions" - label: "Others" ``` ## /.github/ISSUE_TEMPLATE/config.yml ```yml path="/.github/ISSUE_TEMPLATE/config.yml" blank_issues_enabled: false ``` ## /.github/ISSUE_TEMPLATE/feature_request.yaml ```yaml path="/.github/ISSUE_TEMPLATE/feature_request.yaml" name: Feature Request description: Suggest an idea to improve frp title: "[Feature Request] " body: - type: markdown attributes: value: | This is only used to request new product features. - type: textarea id: feature-request attributes: label: Describe the feature request description: Tell us what's you want and why it should be added in frp. validations: required: true - type: textarea id: alternatives attributes: label: Describe alternatives you've considered - type: checkboxes id: area attributes: label: Affected area options: - label: "Docs" - label: "Installation" - label: "Performance and Scalability" - label: "Security" - label: "User Experience" - label: "Test and Release" - label: "Developer Infrastructure" - label: "Client Plugin" - label: "Server Plugin" - label: "Extensions" - label: "Others" ``` ## /.github/pull_request_template.md ### WHY ## /.github/workflows/build-and-push-image.yml ```yml path="/.github/workflows/build-and-push-image.yml" name: Build Image and Publish to Dockerhub & GPR on: release: types: [ published ] workflow_dispatch: inputs: tag: description: 'Image tag' required: true default: 'test' permissions: contents: read jobs: image: name: Build Image from Dockerfile and binaries runs-on: ubuntu-latest steps: # environment - name: Checkout uses: actions/checkout@v4 with: fetch-depth: '0' - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 # get image tag name - name: Get Image Tag Name run: | if [ x${{ github.event.inputs.tag }} == x"" ]; then echo "TAG_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV else echo "TAG_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV fi - name: Login to DockerHub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Login to the GPR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GPR_TOKEN }} # prepare image tags - name: Prepare Image Tags run: | echo "DOCKERFILE_FRPC_PATH=dockerfiles/Dockerfile-for-frpc" >> $GITHUB_ENV echo "DOCKERFILE_FRPS_PATH=dockerfiles/Dockerfile-for-frps" >> $GITHUB_ENV echo "TAG_FRPC=fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV echo "TAG_FRPS=fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV echo "TAG_FRPC_GPR=ghcr.io/fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV echo "TAG_FRPS_GPR=ghcr.io/fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV - name: Build and push frpc uses: docker/build-push-action@v5 with: context: . file: ./dockerfiles/Dockerfile-for-frpc platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x push: true tags: | ${{ env.TAG_FRPC }} ${{ env.TAG_FRPC_GPR }} - name: Build and push frps uses: docker/build-push-action@v5 with: context: . file: ./dockerfiles/Dockerfile-for-frps platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x push: true tags: | ${{ env.TAG_FRPS }} ${{ env.TAG_FRPS_GPR }} ``` ## /.github/workflows/golangci-lint.yml ```yml path="/.github/workflows/golangci-lint.yml" name: golangci-lint on: push: branches: - master - dev pull_request: permissions: contents: read # Optional: allow read access to pull request. Use with `only-new-issues` option. pull-requests: read jobs: golangci: name: lint runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: '1.23' cache: false - name: golangci-lint uses: golangci/golangci-lint-action@v4 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version version: v1.61 # Optional: golangci-lint command line arguments. # args: --issues-exit-code=0 # Optional: show only new issues if it's a pull request. The default value is `false`. # only-new-issues: true # Optional: if set to true then the all caching functionality will be complete disabled, # takes precedence over all other caching options. # skip-cache: true # Optional: if set to true then the action don't cache or restore ~/go/pkg. # skip-pkg-cache: true # Optional: if set to true then the action don't cache or restore ~/.cache/go-build. # skip-build-cache: true ``` ## /.github/workflows/goreleaser.yml ```yml path="/.github/workflows/goreleaser.yml" name: goreleaser on: workflow_dispatch: jobs: goreleaser: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v5 with: go-version: '1.23' - name: Make All run: | ./package.sh - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 with: version: latest args: release --clean --release-notes=./Release.md env: GITHUB_TOKEN: ${{ secrets.GPR_TOKEN }} ``` ## /.github/workflows/stale.yml ```yml path="/.github/workflows/stale.yml" name: "Close stale issues" on: schedule: - cron: "20 0 * * *" workflow_dispatch: inputs: debug-only: description: 'In debug mod' required: false default: 'false' permissions: contents: read jobs: stale: permissions: issues: write # for actions/stale to close stale issues pull-requests: write # for actions/stale to close stale PRs actions: write runs-on: ubuntu-latest steps: - uses: actions/stale@v9 with: stale-issue-message: 'Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.' stale-pr-message: "PRs go stale after 14d of inactivity. Stale PRs rot after an additional 3d of inactivity and eventually close." stale-issue-label: 'lifecycle/stale' exempt-issue-labels: 'bug,doc,enhancement,future,proposal,question,testing,todo,easy,help wanted,assigned' stale-pr-label: 'lifecycle/stale' exempt-pr-labels: 'bug,doc,enhancement,future,proposal,question,testing,todo,easy,help wanted,assigned' days-before-stale: 14 days-before-close: 3 debug-only: ${{ github.event.inputs.debug-only }} exempt-all-pr-milestones: true exempt-all-pr-assignees: true operations-per-run: 200 ``` ## /.gitignore ```gitignore path="/.gitignore" # Compiled Object files, Static and Dynamic libs (Shared Objects) *.o *.a *.so # Folders _obj _test # Architecture specific extensions/prefixes *.[568vq] [568vq].out *.cgo1.go *.cgo2.c _cgo_defun.c _cgo_gotypes.go _cgo_export.* _testmain.go *.exe *.test *.prof # Self bin/ packages/ release/ test/bin/ vendor/ lastversion/ dist/ .idea/ .vscode/ .autogen_ssh_key client.crt client.key # Cache *.swp ``` ## /.golangci.yml ```yml path="/.golangci.yml" service: golangci-lint-version: 1.61.x # use the fixed version to not introduce new linters unexpectedly run: concurrency: 4 # timeout for analysis, e.g. 30s, 5m, default is 1m timeout: 20m build-tags: - integ - integfuzz linters: disable-all: true enable: - unused - errcheck - copyloopvar - gocritic - gofumpt - goimports - revive - gosimple - govet - ineffassign - lll - misspell - staticcheck - stylecheck - typecheck - unconvert - unparam - gci - gosec - asciicheck - prealloc - predeclared - makezero fast: false linters-settings: errcheck: # report about not checking of errors in type assetions: `a := b.(MyStruct)`; # default is false: such cases aren't reported by default. check-type-assertions: false # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`; # default is false: such cases aren't reported by default. check-blank: false govet: # report about shadowed variables disable: - shadow maligned: # print struct with more effective memory layout or not, false by default suggest-new: true misspell: # Correct spellings using locale preferences for US or UK. # Default is to use a neutral variety of English. # Setting locale to US will correct the British spelling of 'colour' to 'color'. locale: US ignore-words: - cancelled - marshalled lll: # max line length, lines longer will be reported. Default is 120. # '\t' is counted as 1 character by default, and can be changed with the tab-width option line-length: 160 # tab width in spaces. Default to 1. tab-width: 1 gocritic: disabled-checks: - exitAfterDefer unused: check-exported: false unparam: # Inspect exported functions, default is false. Set to true if no external program/library imports your code. # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors: # if it's called for subdir of a project it can't find external interfaces. All text editor integrations # with golangci-lint call it on a directory with the changed file. check-exported: false gci: sections: - standard - default - prefix(github.com/fatedier/frp/) gosec: severity: "low" confidence: "low" excludes: - G401 - G402 - G404 - G501 - G115 # integer overflow conversion issues: # List of regexps of issue texts to exclude, empty list by default. # But independently from this option we use default exclude patterns, # it can be disabled by `exclude-use-default: false`. To list all # excluded by default patterns execute `golangci-lint run --help` # exclude: # - composite literal uses unkeyed fields exclude-rules: # Exclude some linters from running on test files. - path: _test\.go$|^tests/|^samples/ linters: - errcheck - maligned - linters: - revive - stylecheck text: "use underscores in Go names" - linters: - revive text: "unused-parameter" - linters: - unparam text: "is always false" exclude-dirs: - genfiles$ - vendor$ - bin$ exclude-files: - ".*\\.pb\\.go" - ".*\\.gen\\.go" # Independently from option `exclude` we use default exclude patterns, # it can be disabled by this option. To list all # excluded by default patterns execute `golangci-lint run --help`. # Default value for this option is true. exclude-use-default: true # Maximum issues count per one linter. Set to 0 to disable. Default is 50. max-per-linter: 0 # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. max-same-issues: 0 ``` ## /.goreleaser.yml ```yml path="/.goreleaser.yml" builds: - skip: true checksum: name_template: '{{ .ProjectName }}_sha256_checksums.txt' algorithm: sha256 extra_files: - glob: ./release/packages/* release: # Same as for github # Note: it can only be one: either github, gitlab or gitea github: owner: fatedier name: frp draft: false # You can add extra pre-existing files to the release. # The filename on the release will be the last part of the path (base). If # another file with the same name exists, the latest one found will be used. # Defaults to empty. extra_files: - glob: ./release/packages/* ``` ## /LICENSE ``` path="/LICENSE" Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ``` ## /Makefile ``` path="/Makefile" export PATH := $(PATH):`go env GOPATH`/bin export GO111MODULE=on LDFLAGS := -s -w all: env fmt build build: frps frpc env: @go version # compile assets into binary file file: rm -rf ./assets/frps/static/* rm -rf ./assets/frpc/static/* cp -rf ./web/frps/dist/* ./assets/frps/static cp -rf ./web/frpc/dist/* ./assets/frpc/static fmt: go fmt ./... fmt-more: gofumpt -l -w . gci: gci write -s standard -s default -s "prefix(github.com/fatedier/frp/)" ./ vet: go vet ./... frps: env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags frps -o bin/frps ./cmd/frps frpc: env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags frpc -o bin/frpc ./cmd/frpc test: gotest gotest: go test -v --cover ./assets/... go test -v --cover ./cmd/... go test -v --cover ./client/... go test -v --cover ./server/... go test -v --cover ./pkg/... e2e: ./hack/run-e2e.sh e2e-trace: DEBUG=true LOG_LEVEL=trace ./hack/run-e2e.sh e2e-compatibility-last-frpc: if [ ! -d "./lastversion" ]; then \ TARGET_DIRNAME=lastversion ./hack/download.sh; \ fi FRPC_PATH="`pwd`/lastversion/frpc" ./hack/run-e2e.sh rm -r ./lastversion e2e-compatibility-last-frps: if [ ! -d "./lastversion" ]; then \ TARGET_DIRNAME=lastversion ./hack/download.sh; \ fi FRPS_PATH="`pwd`/lastversion/frps" ./hack/run-e2e.sh rm -r ./lastversion alltest: vet gotest e2e clean: rm -f ./bin/frpc rm -f ./bin/frps rm -rf ./lastversion ``` ## /Makefile.cross-compiles ```cross-compiles path="/Makefile.cross-compiles" export PATH := $(PATH):`go env GOPATH`/bin export GO111MODULE=on LDFLAGS := -s -w os-archs=darwin:amd64 darwin:arm64 freebsd:amd64 linux:amd64 linux:arm:7 linux:arm:5 linux:arm64 windows:amd64 windows:arm64 linux:mips64 linux:mips64le linux:mips:softfloat linux:mipsle:softfloat linux:riscv64 linux:loong64 android:arm64 all: build build: app app: @$(foreach n, $(os-archs), \ os=$(shell echo "$(n)" | cut -d : -f 1); \ arch=$(shell echo "$(n)" | cut -d : -f 2); \ extra=$(shell echo "$(n)" | cut -d : -f 3); \ flags=''; \ target_suffix=$${os}_$${arch}; \ if [ "$${os}" = "linux" ] && [ "$${arch}" = "arm" ] && [ "$${extra}" != "" ] ; then \ if [ "$${extra}" = "7" ]; then \ flags=GOARM=7; \ target_suffix=$${os}_arm_hf; \ elif [ "$${extra}" = "5" ]; then \ flags=GOARM=5; \ target_suffix=$${os}_arm; \ fi; \ elif [ "$${os}" = "linux" ] && ([ "$${arch}" = "mips" ] || [ "$${arch}" = "mipsle" ]) && [ "$${extra}" != "" ] ; then \ flags=GOMIPS=$${extra}; \ fi; \ echo "Build $${os}-$${arch}$${extra:+ ($${extra})}..."; \ env CGO_ENABLED=0 GOOS=$${os} GOARCH=$${arch} $${flags} go build -trimpath -ldflags "$(LDFLAGS)" -tags frpc -o ./release/frpc_$${target_suffix} ./cmd/frpc; \ env CGO_ENABLED=0 GOOS=$${os} GOARCH=$${arch} $${flags} go build -trimpath -ldflags "$(LDFLAGS)" -tags frps -o ./release/frps_$${target_suffix} ./cmd/frps; \ echo "Build $${os}-$${arch}$${extra:+ ($${extra})} done"; \ ) @mv ./release/frpc_windows_amd64 ./release/frpc_windows_amd64.exe @mv ./release/frps_windows_amd64 ./release/frps_windows_amd64.exe @mv ./release/frpc_windows_arm64 ./release/frpc_windows_arm64.exe @mv ./release/frps_windows_arm64 ./release/frps_windows_arm64.exe ``` ## /README.md # frp [![Build Status](https://circleci.com/gh/fatedier/frp.svg?style=shield)](https://circleci.com/gh/fatedier/frp) [![GitHub release](https://img.shields.io/github/tag/fatedier/frp.svg?label=release)](https://github.com/fatedier/frp/releases) [![Go Report Card](https://goreportcard.com/badge/github.com/fatedier/frp)](https://goreportcard.com/report/github.com/fatedier/frp) [![GitHub Releases Stats](https://img.shields.io/github/downloads/fatedier/frp/total.svg?logo=github)](https://somsubhra.github.io/github-release-stats/?username=fatedier&repository=frp) [README](README.md) | [中文文档](README_zh.md) ## Sponsors frp is an open source project with its ongoing development made possible entirely by the support of our awesome sponsors. If you'd like to join them, please consider [sponsoring frp's development](https://github.com/sponsors/fatedier).

Gold Sponsors

## What is frp? frp is a fast reverse proxy that allows you to expose a local server located behind a NAT or firewall to the Internet. It currently supports **TCP** and **UDP**, as well as **HTTP** and **HTTPS** protocols, enabling requests to be forwarded to internal services via domain name. frp also offers a P2P connect mode. ## Table of Contents * [Development Status](#development-status) * [About V2](#about-v2) * [Architecture](#architecture) * [Example Usage](#example-usage) * [Access your computer in a LAN network via SSH](#access-your-computer-in-a-lan-network-via-ssh) * [Multiple SSH services sharing the same port](#multiple-ssh-services-sharing-the-same-port) * [Accessing Internal Web Services with Custom Domains in LAN](#accessing-internal-web-services-with-custom-domains-in-lan) * [Forward DNS query requests](#forward-dns-query-requests) * [Forward Unix Domain Socket](#forward-unix-domain-socket) * [Expose a simple HTTP file server](#expose-a-simple-http-file-server) * [Enable HTTPS for a local HTTP(S) service](#enable-https-for-a-local-https-service) * [Expose your service privately](#expose-your-service-privately) * [P2P Mode](#p2p-mode) * [Features](#features) * [Configuration Files](#configuration-files) * [Using Environment Variables](#using-environment-variables) * [Split Configures Into Different Files](#split-configures-into-different-files) * [Server Dashboard](#server-dashboard) * [Client Admin UI](#client-admin-ui) * [Monitor](#monitor) * [Prometheus](#prometheus) * [Authenticating the Client](#authenticating-the-client) * [Token Authentication](#token-authentication) * [OIDC Authentication](#oidc-authentication) * [Encryption and Compression](#encryption-and-compression) * [TLS](#tls) * [Hot-Reloading frpc configuration](#hot-reloading-frpc-configuration) * [Get proxy status from client](#get-proxy-status-from-client) * [Only allowing certain ports on the server](#only-allowing-certain-ports-on-the-server) * [Port Reuse](#port-reuse) * [Bandwidth Limit](#bandwidth-limit) * [For Each Proxy](#for-each-proxy) * [TCP Stream Multiplexing](#tcp-stream-multiplexing) * [Support KCP Protocol](#support-kcp-protocol) * [Support QUIC Protocol](#support-quic-protocol) * [Connection Pooling](#connection-pooling) * [Load balancing](#load-balancing) * [Service Health Check](#service-health-check) * [Rewriting the HTTP Host Header](#rewriting-the-http-host-header) * [Setting other HTTP Headers](#setting-other-http-headers) * [Get Real IP](#get-real-ip) * [HTTP X-Forwarded-For](#http-x-forwarded-for) * [Proxy Protocol](#proxy-protocol) * [Require HTTP Basic Auth (Password) for Web Services](#require-http-basic-auth-password-for-web-services) * [Custom Subdomain Names](#custom-subdomain-names) * [URL Routing](#url-routing) * [TCP Port Multiplexing](#tcp-port-multiplexing) * [Connecting to frps via PROXY](#connecting-to-frps-via-proxy) * [Port range mapping](#port-range-mapping) * [Client Plugins](#client-plugins) * [Server Manage Plugins](#server-manage-plugins) * [SSH Tunnel Gateway](#ssh-tunnel-gateway) * [Virtual Network (VirtualNet)](#virtual-network-virtualnet) * [Feature Gates](#feature-gates) * [Available Feature Gates](#available-feature-gates) * [Enabling Feature Gates](#enabling-feature-gates) * [Feature Lifecycle](#feature-lifecycle) * [Related Projects](#related-projects) * [Contributing](#contributing) * [Donation](#donation) * [GitHub Sponsors](#github-sponsors) * [PayPal](#paypal) ## Development Status frp is currently under development. You can try the latest release version in the `master` branch, or use the `dev` branch to access the version currently in development. We are currently working on version 2 and attempting to perform some code refactoring and improvements. However, please note that it will not be compatible with version 1. We will transition from version 0 to version 1 at the appropriate time and will only accept bug fixes and improvements, rather than big feature requests. ### About V2 The complexity and difficulty of the v2 version are much higher than anticipated. I can only work on its development during fragmented time periods, and the constant interruptions disrupt productivity significantly. Given this situation, we will continue to optimize and iterate on the current version until we have more free time to proceed with the major version overhaul. The concept behind v2 is based on my years of experience and reflection in the cloud-native domain, particularly in K8s and ServiceMesh. Its core is a modernized four-layer and seven-layer proxy, similar to envoy. This proxy itself is highly scalable, not only capable of implementing the functionality of intranet penetration but also applicable to various other domains. Building upon this highly scalable core, we aim to implement all the capabilities of frp v1 while also addressing the functionalities that were previously unachievable or difficult to implement in an elegant manner. Furthermore, we will maintain efficient development and iteration capabilities. In addition, I envision frp itself becoming a highly extensible system and platform, similar to how we can provide a range of extension capabilities based on K8s. In K8s, we can customize development according to enterprise needs, utilizing features such as CRD, controller mode, webhook, CSI, and CNI. In frp v1, we introduced the concept of server plugins, which implemented some basic extensibility. However, it relies on a simple HTTP protocol and requires users to start independent processes and manage them on their own. This approach is far from flexible and convenient, and real-world demands vary greatly. It is unrealistic to expect a non-profit open-source project maintained by a few individuals to meet everyone's needs. Finally, we acknowledge that the current design of modules such as configuration management, permission verification, certificate management, and API management is not modern enough. While we may carry out some optimizations in the v1 version, ensuring compatibility remains a challenging issue that requires a considerable amount of effort to address. We sincerely appreciate your support for frp. ## Architecture ![architecture](/doc/pic/architecture.png) ## Example Usage To begin, download the latest program for your operating system and architecture from the [Release](https://github.com/fatedier/frp/releases) page. Next, place the `frps` binary and server configuration file on Server A, which has a public IP address. Finally, place the `frpc` binary and client configuration file on Server B, which is located on a LAN that cannot be directly accessed from the public internet. Some antiviruses improperly mark frpc as malware and delete it. This is due to frp being a networking tool capable of creating reverse proxies. Antiviruses sometimes flag reverse proxies due to their ability to bypass firewall port restrictions. If you are using antivirus, then you may need to whitelist/exclude frpc in your antivirus settings to avoid accidental quarantine/deletion. See [issue 3637](https://github.com/fatedier/frp/issues/3637) for more details. ### Access your computer in a LAN network via SSH 1. Modify `frps.toml` on server A by setting the `bindPort` for frp clients to connect to: ```toml # frps.toml bindPort = 7000 ``` 2. Start `frps` on server A: `./frps -c ./frps.toml` 3. Modify `frpc.toml` on server B and set the `serverAddr` field to the public IP address of your frps server: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 22 remotePort = 6000 ``` Note that the `localPort` (listened on the client) and `remotePort` (exposed on the server) are used for traffic going in and out of the frp system, while the `serverPort` is used for communication between frps and frpc. 4. Start `frpc` on server B: `./frpc -c ./frpc.toml` 5. To access server B from another machine through server A via SSH (assuming the username is `test`), use the following command: `ssh -oPort=6000 test@x.x.x.x` ### Multiple SSH services sharing the same port This example implements multiple SSH services exposed through the same port using a proxy of type tcpmux. Similarly, as long as the client supports the HTTP Connect proxy connection method, port reuse can be achieved in this way. 1. Deploy frps on a machine with a public IP and modify the frps.toml file. Here is a simplified configuration: ```toml bindPort = 7000 tcpmuxHTTPConnectPort = 5002 ``` 2. Deploy frpc on the internal machine A with the following configuration: ```toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "ssh1" type = "tcpmux" multiplexer = "httpconnect" customDomains = ["machine-a.example.com"] localIP = "127.0.0.1" localPort = 22 ``` 3. Deploy another frpc on the internal machine B with the following configuration: ```toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "ssh2" type = "tcpmux" multiplexer = "httpconnect" customDomains = ["machine-b.example.com"] localIP = "127.0.0.1" localPort = 22 ``` 4. To access internal machine A using SSH ProxyCommand, assuming the username is "test": `ssh -o 'proxycommand socat - PROXY:x.x.x.x:%h:%p,proxyport=5002' test@machine-a.example.com` 5. To access internal machine B, the only difference is the domain name, assuming the username is "test": `ssh -o 'proxycommand socat - PROXY:x.x.x.x:%h:%p,proxyport=5002' test@machine-b.example.com` ### Accessing Internal Web Services with Custom Domains in LAN Sometimes we need to expose a local web service behind a NAT network to others for testing purposes with our own domain name. Unfortunately, we cannot resolve a domain name to a local IP. However, we can use frp to expose an HTTP(S) service. 1. Modify `frps.toml` and set the HTTP port for vhost to 8080: ```toml # frps.toml bindPort = 7000 vhostHTTPPort = 8080 ``` If you want to configure an https proxy, you need to set up the `vhostHTTPSPort`. 2. Start `frps`: `./frps -c ./frps.toml` 3. Modify `frpc.toml` and set `serverAddr` to the IP address of the remote frps server. Specify the `localPort` of your web service: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "web" type = "http" localPort = 80 customDomains = ["www.example.com"] ``` 4. Start `frpc`: `./frpc -c ./frpc.toml` 5. Map the A record of `www.example.com` to either the public IP of the remote frps server or a CNAME record pointing to your original domain. 6. Visit your local web service using url `http://www.example.com:8080`. ### Forward DNS query requests 1. Modify `frps.toml`: ```toml # frps.toml bindPort = 7000 ``` 2. Start `frps`: `./frps -c ./frps.toml` 3. Modify `frpc.toml` and set `serverAddr` to the IP address of the remote frps server. Forward DNS query requests to the Google Public DNS server `8.8.8.8:53`: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "dns" type = "udp" localIP = "8.8.8.8" localPort = 53 remotePort = 6000 ``` 4. Start frpc: `./frpc -c ./frpc.toml` 5. Test DNS resolution using the `dig` command: `dig @x.x.x.x -p 6000 www.google.com` ### Forward Unix Domain Socket Expose a Unix domain socket (e.g. the Docker daemon socket) as TCP. Configure `frps` as above. 1. Start `frpc` with the following configuration: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "unix_domain_socket" type = "tcp" remotePort = 6000 [proxies.plugin] type = "unix_domain_socket" unixPath = "/var/run/docker.sock" ``` 2. Test the configuration by getting the docker version using `curl`: `curl http://x.x.x.x:6000/version` ### Expose a simple HTTP file server Expose a simple HTTP file server to access files stored in the LAN from the public Internet. Configure `frps` as described above, then: 1. Start `frpc` with the following configuration: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "test_static_file" type = "tcp" remotePort = 6000 [proxies.plugin] type = "static_file" localPath = "/tmp/files" stripPrefix = "static" httpUser = "abc" httpPassword = "abc" ``` 2. Visit `http://x.x.x.x:6000/static/` from your browser and specify correct username and password to view files in `/tmp/files` on the `frpc` machine. ### Enable HTTPS for a local HTTP(S) service You may substitute `https2https` for the plugin, and point the `localAddr` to a HTTPS endpoint. 1. Start `frpc` with the following configuration: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "test_https2http" type = "https" customDomains = ["test.example.com"] [proxies.plugin] type = "https2http" localAddr = "127.0.0.1:80" crtPath = "./server.crt" keyPath = "./server.key" hostHeaderRewrite = "127.0.0.1" requestHeaders.set.x-from-where = "frp" ``` 2. Visit `https://test.example.com`. ### Expose your service privately To mitigate risks associated with exposing certain services directly to the public network, STCP (Secret TCP) mode requires a preshared key to be used for access to the service from other clients. Configure `frps` same as above. 1. Start `frpc` on machine B with the following config. This example is for exposing the SSH service (port 22), and note the `secretKey` field for the preshared key, and that the `remotePort` field is removed here: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "secret_ssh" type = "stcp" secretKey = "abcdefg" localIP = "127.0.0.1" localPort = 22 ``` 2. Start another `frpc` (typically on another machine C) with the following config to access the SSH service with a security key (`secretKey` field): ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[visitors]] name = "secret_ssh_visitor" type = "stcp" serverName = "secret_ssh" secretKey = "abcdefg" bindAddr = "127.0.0.1" bindPort = 6000 ``` 3. On machine C, connect to SSH on machine B, using this command: `ssh -oPort=6000 127.0.0.1` ### P2P Mode **xtcp** is designed to transmit large amounts of data directly between clients. A frps server is still needed, as P2P here only refers to the actual data transmission. Note that it may not work with all types of NAT devices. You might want to fallback to stcp if xtcp doesn't work. 1. Start `frpc` on machine B, and expose the SSH port. Note that the `remotePort` field is removed: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 # set up a new stun server if the default one is not available. # natHoleStunServer = "xxx" [[proxies]] name = "p2p_ssh" type = "xtcp" secretKey = "abcdefg" localIP = "127.0.0.1" localPort = 22 ``` 2. Start another `frpc` (typically on another machine C) with the configuration to connect to SSH using P2P mode: ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 # set up a new stun server if the default one is not available. # natHoleStunServer = "xxx" [[visitors]] name = "p2p_ssh_visitor" type = "xtcp" serverName = "p2p_ssh" secretKey = "abcdefg" bindAddr = "127.0.0.1" bindPort = 6000 # when automatic tunnel persistence is required, set it to true keepTunnelOpen = false ``` 3. On machine C, connect to SSH on machine B, using this command: `ssh -oPort=6000 127.0.0.1` ## Features ### Configuration Files Since v0.52.0, we support TOML, YAML, and JSON for configuration. Please note that INI is deprecated and will be removed in future releases. New features will only be available in TOML, YAML, or JSON. Users wanting these new features should switch their configuration format accordingly. Read the full example configuration files to find out even more features not described here. Examples use TOML format, but you can still use YAML or JSON. These configuration files is for reference only. Please do not use this configuration directly to run the program as it may have various issues. [Full configuration file for frps (Server)](./conf/frps_full_example.toml) [Full configuration file for frpc (Client)](./conf/frpc_full_example.toml) ### Using Environment Variables Environment variables can be referenced in the configuration file, using Go's standard format: ```toml # frpc.toml serverAddr = "{{ .Envs.FRP_SERVER_ADDR }}" serverPort = 7000 [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 22 remotePort = "{{ .Envs.FRP_SSH_REMOTE_PORT }}" ``` With the config above, variables can be passed into `frpc` program like this: ``` export FRP_SERVER_ADDR=x.x.x.x export FRP_SSH_REMOTE_PORT=6000 ./frpc -c ./frpc.toml ``` `frpc` will render configuration file template using OS environment variables. Remember to prefix your reference with `.Envs`. ### Split Configures Into Different Files You can split multiple proxy configs into different files and include them in the main file. ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 includes = ["./confd/*.toml"] ``` ```toml # ./confd/test.toml [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 22 remotePort = 6000 ``` ### Server Dashboard Check frp's status and proxies' statistics information by Dashboard. Configure a port for dashboard to enable this feature: ```toml # The default value is 127.0.0.1. Change it to 0.0.0.0 when you want to access it from a public network. webServer.addr = "0.0.0.0" webServer.port = 7500 # dashboard's username and password are both optional webServer.user = "admin" webServer.password = "admin" ``` Then visit `http://[serverAddr]:7500` to see the dashboard, with username and password both being `admin`. Additionally, you can use HTTPS port by using your domains wildcard or normal SSL certificate: ```toml webServer.port = 7500 # dashboard's username and password are both optional webServer.user = "admin" webServer.password = "admin" webServer.tls.certFile = "server.crt" webServer.tls.keyFile = "server.key" ``` Then visit `https://[serverAddr]:7500` to see the dashboard in secure HTTPS connection, with username and password both being `admin`. ![dashboard](/doc/pic/dashboard.png) ### Client Admin UI The Client Admin UI helps you check and manage frpc's configuration. Configure an address for admin UI to enable this feature: ```toml webServer.addr = "127.0.0.1" webServer.port = 7400 webServer.user = "admin" webServer.password = "admin" ``` Then visit `http://127.0.0.1:7400` to see admin UI, with username and password both being `admin`. ### Monitor When web server is enabled, frps will save monitor data in cache for 7 days. It will be cleared after process restart. Prometheus is also supported. #### Prometheus Enable dashboard first, then configure `enablePrometheus = true` in `frps.toml`. `http://{dashboard_addr}/metrics` will provide prometheus monitor data. ### Authenticating the Client There are 2 authentication methods to authenticate frpc with frps. You can decide which one to use by configuring `auth.method` in `frpc.toml` and `frps.toml`, the default one is token. Configuring `auth.additionalScopes = ["HeartBeats"]` will use the configured authentication method to add and validate authentication on every heartbeat between frpc and frps. Configuring `auth.additionalScopes = ["NewWorkConns"]` will do the same for every new work connection between frpc and frps. #### Token Authentication When specifying `auth.method = "token"` in `frpc.toml` and `frps.toml` - token based authentication will be used. Make sure to specify the same `auth.token` in `frps.toml` and `frpc.toml` for frpc to pass frps validation #### OIDC Authentication When specifying `auth.method = "oidc"` in `frpc.toml` and `frps.toml` - OIDC based authentication will be used. OIDC stands for OpenID Connect, and the flow used is called [Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4). To use this authentication type - configure `frpc.toml` and `frps.toml` as follows: ```toml # frps.toml auth.method = "oidc" auth.oidc.issuer = "https://example-oidc-issuer.com/" auth.oidc.audience = "https://oidc-audience.com/.default" ``` ```toml # frpc.toml auth.method = "oidc" auth.oidc.clientID = "98692467-37de-409a-9fac-bb2585826f18" # Replace with OIDC client ID auth.oidc.clientSecret = "oidc_secret" auth.oidc.audience = "https://oidc-audience.com/.default" auth.oidc.tokenEndpointURL = "https://example-oidc-endpoint.com/oauth2/v2.0/token" ``` ### Encryption and Compression The features are off by default. You can turn on encryption and/or compression: ```toml # frpc.toml [[proxies]] name = "ssh" type = "tcp" localPort = 22 remotePort = 6000 transport.useEncryption = true transport.useCompression = true ``` #### TLS Since v0.50.0, the default value of `transport.tls.enable` and `transport.tls.disableCustomTLSFirstByte` has been changed to true, and tls is enabled by default. For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `transport.tls.disableCustomTLSFirstByte` to false. To **enforce** `frps` to only accept TLS connections - configure `transport.tls.force = true` in `frps.toml`. **This is optional.** **`frpc` TLS settings:** ```toml transport.tls.enable = true transport.tls.certFile = "certificate.crt" transport.tls.keyFile = "certificate.key" transport.tls.trustedCaFile = "ca.crt" ``` **`frps` TLS settings:** ```toml transport.tls.force = true transport.tls.certFile = "certificate.crt" transport.tls.keyFile = "certificate.key" transport.tls.trustedCaFile = "ca.crt" ``` You will need **a root CA cert** and **at least one SSL/TLS certificate**. It **can** be self-signed or regular (such as Let's Encrypt or another SSL/TLS certificate provider). If you using `frp` via IP address and not hostname, make sure to set the appropriate IP address in the Subject Alternative Name (SAN) area when generating SSL/TLS Certificates. Given an example: * Prepare openssl config file. It exists at `/etc/pki/tls/openssl.cnf` in Linux System and `/System/Library/OpenSSL/openssl.cnf` in MacOS, and you can copy it to current path, like `cp /etc/pki/tls/openssl.cnf ./my-openssl.cnf`. If not, you can build it by yourself, like: ``` cat > my-openssl.cnf << EOF [ ca ] default_ca = CA_default [ CA_default ] x509_extensions = usr_cert [ req ] default_bits = 2048 default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca string_mask = utf8only [ req_distinguished_name ] [ req_attributes ] [ usr_cert ] basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = CA:true EOF ``` * build ca certificates: ``` openssl genrsa -out ca.key 2048 openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt ``` * build frps certificates: ``` openssl genrsa -out server.key 2048 openssl req -new -sha256 -key server.key \ -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \ -reqexts SAN \ -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com")) \ -out server.csr openssl x509 -req -days 365 -sha256 \ -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com") \ -out server.crt ``` * build frpc certificates: ``` openssl genrsa -out client.key 2048 openssl req -new -sha256 -key client.key \ -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \ -reqexts SAN \ -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com,DNS:example.client.com")) \ -out client.csr openssl x509 -req -days 365 -sha256 \ -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \ -out client.crt ``` ### Hot-Reloading frpc configuration The `webServer` fields are required for enabling HTTP API: ```toml # frpc.toml webServer.addr = "127.0.0.1" webServer.port = 7400 ``` Then run command `frpc reload -c ./frpc.toml` and wait for about 10 seconds to let `frpc` create or update or remove proxies. **Note that global client parameters won't be modified except 'start'.** You can run command `frpc verify -c ./frpc.toml` before reloading to check if there are config errors. ### Get proxy status from client Use `frpc status -c ./frpc.toml` to get status of all proxies. The `webServer` fields are required for enabling HTTP API. ### Only allowing certain ports on the server `allowPorts` in `frps.toml` is used to avoid abuse of ports: ```toml # frps.toml allowPorts = [ { start = 2000, end = 3000 }, { single = 3001 }, { single = 3003 }, { start = 4000, end = 50000 } ] ``` ### Port Reuse `vhostHTTPPort` and `vhostHTTPSPort` in frps can use same port with `bindPort`. frps will detect the connection's protocol and handle it correspondingly. What you need to pay attention to is that if you want to configure `vhostHTTPSPort` and `bindPort` to the same port, you need to first set `transport.tls.disableCustomTLSFirstByte` to false. We would like to try to allow multiple proxies bind a same remote port with different protocols in the future. ### Bandwidth Limit #### For Each Proxy ```toml # frpc.toml [[proxies]] name = "ssh" type = "tcp" localPort = 22 remotePort = 6000 transport.bandwidthLimit = "1MB" ``` Set `transport.bandwidthLimit` in each proxy's configure to enable this feature. Supported units are `MB` and `KB`. Set `transport.bandwidthLimitMode` to `client` or `server` to limit bandwidth on the client or server side. Default is `client`. ### TCP Stream Multiplexing frp supports tcp stream multiplexing since v0.10.0 like HTTP2 Multiplexing, in which case all logic connections to the same frpc are multiplexed into the same TCP connection. You can disable this feature by modify `frps.toml` and `frpc.toml`: ```toml # frps.toml and frpc.toml, must be same transport.tcpMux = false ``` ### Support KCP Protocol KCP is a fast and reliable protocol that can achieve the transmission effect of a reduction of the average latency by 30% to 40% and reduction of the maximum delay by a factor of three, at the cost of 10% to 20% more bandwidth wasted than TCP. KCP mode uses UDP as the underlying transport. Using KCP in frp: 1. Enable KCP in frps: ```toml # frps.toml bindPort = 7000 # Specify a UDP port for KCP. kcpBindPort = 7000 ``` The `kcpBindPort` number can be the same number as `bindPort`, since `bindPort` field specifies a TCP port. 2. Configure `frpc.toml` to use KCP to connect to frps: ```toml # frpc.toml serverAddr = "x.x.x.x" # Same as the 'kcpBindPort' in frps.toml serverPort = 7000 transport.protocol = "kcp" ``` ### Support QUIC Protocol QUIC is a new multiplexed transport built on top of UDP. Using QUIC in frp: 1. Enable QUIC in frps: ```toml # frps.toml bindPort = 7000 # Specify a UDP port for QUIC. quicBindPort = 7000 ``` The `quicBindPort` number can be the same number as `bindPort`, since `bindPort` field specifies a TCP port. 2. Configure `frpc.toml` to use QUIC to connect to frps: ```toml # frpc.toml serverAddr = "x.x.x.x" # Same as the 'quicBindPort' in frps.toml serverPort = 7000 transport.protocol = "quic" ``` ### Connection Pooling By default, frps creates a new frpc connection to the backend service upon a user request. With connection pooling, frps keeps a certain number of pre-established connections, reducing the time needed to establish a connection. This feature is suitable for a large number of short connections. 1. Configure the limit of pool count each proxy can use in `frps.toml`: ```toml # frps.toml transport.maxPoolCount = 5 ``` 2. Enable and specify the number of connection pool: ```toml # frpc.toml transport.poolCount = 1 ``` ### Load balancing Load balancing is supported by `group`. This feature is only available for types `tcp`, `http`, `tcpmux` now. ```toml # frpc.toml [[proxies]] name = "test1" type = "tcp" localPort = 8080 remotePort = 80 loadBalancer.group = "web" loadBalancer.groupKey = "123" [[proxies]] name = "test2" type = "tcp" localPort = 8081 remotePort = 80 loadBalancer.group = "web" loadBalancer.groupKey = "123" ``` `loadBalancer.groupKey` is used for authentication. Connections to port 80 will be dispatched to proxies in the same group randomly. For type `tcp`, `remotePort` in the same group should be the same. For type `http`, `customDomains`, `subdomain`, `locations` should be the same. ### Service Health Check Health check feature can help you achieve high availability with load balancing. Add `healthCheck.type = "tcp"` or `healthCheck.type = "http"` to enable health check. With health check type **tcp**, the service port will be pinged (TCPing): ```toml # frpc.toml [[proxies]] name = "test1" type = "tcp" localPort = 22 remotePort = 6000 # Enable TCP health check healthCheck.type = "tcp" # TCPing timeout seconds healthCheck.timeoutSeconds = 3 # If health check failed 3 times in a row, the proxy will be removed from frps healthCheck.maxFailed = 3 # A health check every 10 seconds healthCheck.intervalSeconds = 10 ``` With health check type **http**, an HTTP request will be sent to the service and an HTTP 2xx OK response is expected: ```toml # frpc.toml [[proxies]] name = "web" type = "http" localIP = "127.0.0.1" localPort = 80 customDomains = ["test.example.com"] # Enable HTTP health check healthCheck.type = "http" # frpc will send a GET request to '/status' # and expect an HTTP 2xx OK response healthCheck.path = "/status" healthCheck.timeoutSeconds = 3 healthCheck.maxFailed = 3 healthCheck.intervalSeconds = 10 ``` ### Rewriting the HTTP Host Header By default frp does not modify the tunneled HTTP requests at all as it's a byte-for-byte copy. However, speaking of web servers and HTTP requests, your web server might rely on the `Host` HTTP header to determine the website to be accessed. frp can rewrite the `Host` header when forwarding the HTTP requests, with the `hostHeaderRewrite` field: ```toml # frpc.toml [[proxies]] name = "web" type = "http" localPort = 80 customDomains = ["test.example.com"] hostHeaderRewrite = "dev.example.com" ``` The HTTP request will have the `Host` header rewritten to `Host: dev.example.com` when it reaches the actual web server, although the request from the browser probably has `Host: test.example.com`. ### Setting other HTTP Headers Similar to `Host`, You can override other HTTP request and response headers with proxy type `http`. ```toml # frpc.toml [[proxies]] name = "web" type = "http" localPort = 80 customDomains = ["test.example.com"] hostHeaderRewrite = "dev.example.com" requestHeaders.set.x-from-where = "frp" responseHeaders.set.foo = "bar" ``` In this example, it will set header `x-from-where: frp` in the HTTP request and `foo: bar` in the HTTP response. ### Get Real IP #### HTTP X-Forwarded-For This feature is for `http` proxies or proxies with the `https2http` and `https2https` plugins enabled. You can get user's real IP from HTTP request headers `X-Forwarded-For`. #### Proxy Protocol frp supports Proxy Protocol to send user's real IP to local services. It support all types except UDP. Here is an example for https service: ```toml # frpc.toml [[proxies]] name = "web" type = "https" localPort = 443 customDomains = ["test.example.com"] # now v1 and v2 are supported transport.proxyProtocolVersion = "v2" ``` You can enable Proxy Protocol support in nginx to expose user's real IP in HTTP header `X-Real-IP`, and then read `X-Real-IP` header in your web service for the real IP. ### Require HTTP Basic Auth (Password) for Web Services Anyone who can guess your tunnel URL can access your local web server unless you protect it with a password. This enforces HTTP Basic Auth on all requests with the username and password specified in frpc's configure file. It can only be enabled when proxy type is http. ```toml # frpc.toml [[proxies]] name = "web" type = "http" localPort = 80 customDomains = ["test.example.com"] httpUser = "abc" httpPassword = "abc" ``` Visit `http://test.example.com` in the browser and now you are prompted to enter the username and password. ### Custom Subdomain Names It is convenient to use `subdomain` configure for http and https types when many people share one frps server. ```toml # frps.toml subDomainHost = "frps.com" ``` Resolve `*.frps.com` to the frps server's IP. This is usually called a Wildcard DNS record. ```toml # frpc.toml [[proxies]] name = "web" type = "http" localPort = 80 subdomain = "test" ``` Now you can visit your web service on `test.frps.com`. Note that if `subdomainHost` is not empty, `customDomains` should not be the subdomain of `subdomainHost`. ### URL Routing frp supports forwarding HTTP requests to different backend web services by url routing. `locations` specifies the prefix of URL used for routing. frps first searches for the most specific prefix location given by literal strings regardless of the listed order. ```toml # frpc.toml [[proxies]] name = "web01" type = "http" localPort = 80 customDomains = ["web.example.com"] locations = ["/"] [[proxies]] name = "web02" type = "http" localPort = 81 customDomains = ["web.example.com"] locations = ["/news", "/about"] ``` HTTP requests with URL prefix `/news` or `/about` will be forwarded to **web02** and other requests to **web01**. ### TCP Port Multiplexing frp supports receiving TCP sockets directed to different proxies on a single port on frps, similar to `vhostHTTPPort` and `vhostHTTPSPort`. The only supported TCP port multiplexing method available at the moment is `httpconnect` - HTTP CONNECT tunnel. When setting `tcpmuxHTTPConnectPort` to anything other than 0 in frps, frps will listen on this port for HTTP CONNECT requests. The host of the HTTP CONNECT request will be used to match the proxy in frps. Proxy hosts can be configured in frpc by configuring `customDomains` and / or `subdomain` under `tcpmux` proxies, when `multiplexer = "httpconnect"`. For example: ```toml # frps.toml bindPort = 7000 tcpmuxHTTPConnectPort = 1337 ``` ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 [[proxies]] name = "proxy1" type = "tcpmux" multiplexer = "httpconnect" customDomains = ["test1"] localPort = 80 [[proxies]] name = "proxy2" type = "tcpmux" multiplexer = "httpconnect" customDomains = ["test2"] localPort = 8080 ``` In the above configuration - frps can be contacted on port 1337 with a HTTP CONNECT header such as: ``` CONNECT test1 HTTP/1.1\r\n\r\n ``` and the connection will be routed to `proxy1`. ### Connecting to frps via PROXY frpc can connect to frps through proxy if you set OS environment variable `HTTP_PROXY`, or if `transport.proxyURL` is set in frpc.toml file. It only works when protocol is tcp. ```toml # frpc.toml serverAddr = "x.x.x.x" serverPort = 7000 transport.proxyURL = "http://user:pwd@192.168.1.128:8080" ``` ### Port range mapping *Added in v0.56.0* We can use the range syntax of Go template combined with the built-in `parseNumberRangePair` function to achieve port range mapping. The following example, when run, will create 8 proxies named `test-6000, test-6001 ... test-6007`, each mapping the remote port to the local port. ``` {{- range $_, $v := parseNumberRangePair "6000-6006,6007" "6000-6006,6007" }} [[proxies]] name = "tcp-{{ $v.First }}" type = "tcp" localPort = {{ $v.First }} remotePort = {{ $v.Second }} {{- end }} ``` ### Client Plugins frpc only forwards requests to local TCP or UDP ports by default. Plugins are used for providing rich features. There are built-in plugins such as `unix_domain_socket`, `http_proxy`, `socks5`, `static_file`, `http2https`, `https2http`, `https2https` and you can see [example usage](#example-usage). Using plugin **http_proxy**: ```toml # frpc.toml [[proxies]] name = "http_proxy" type = "tcp" remotePort = 6000 [proxies.plugin] type = "http_proxy" httpUser = "abc" httpPassword = "abc" ``` `httpUser` and `httpPassword` are configuration parameters used in `http_proxy` plugin. ### Server Manage Plugins Read the [document](/doc/server_plugin.md). Find more plugins in [gofrp/plugin](https://github.com/gofrp/plugin). ### SSH Tunnel Gateway *added in v0.53.0* frp supports listening to an SSH port on the frps side and achieves TCP protocol proxying through the SSH -R protocol, without relying on frpc. ```toml # frps.toml sshTunnelGateway.bindPort = 2200 ``` When running `./frps -c frps.toml`, a private key file named `.autogen_ssh_key` will be automatically created in the current working directory. This generated private key file will be used by the SSH server in frps. Executing the command ```bash ssh -R :80:127.0.0.1:8080 v0@{frp address} -p 2200 tcp --proxy_name "test-tcp" --remote_port 9090 ``` sets up a proxy on frps that forwards the local 8080 service to the port 9090. ```bash frp (via SSH) (Ctrl+C to quit) User: ProxyName: test-tcp Type: tcp RemoteAddress: :9090 ``` This is equivalent to: ```bash frpc tcp --proxy_name "test-tcp" --local_ip 127.0.0.1 --local_port 8080 --remote_port 9090 ``` Please refer to this [document](/doc/ssh_tunnel_gateway.md) for more information. ### Virtual Network (VirtualNet) *Alpha feature added in v0.62.0* The VirtualNet feature enables frp to create and manage virtual network connections between clients and visitors through a TUN interface. This allows for IP-level routing between machines, extending frp beyond simple port forwarding to support full network connectivity. For detailed information about configuration and usage, please refer to the [VirtualNet documentation](/doc/virtual_net.md). ## Feature Gates frp supports feature gates to enable or disable experimental features. This allows users to try out new features before they're considered stable. ### Available Feature Gates | Name | Stage | Default | Description | |------|-------|---------|-------------| | VirtualNet | ALPHA | false | Virtual network capabilities for frp | ### Enabling Feature Gates To enable an experimental feature, add the feature gate to your configuration: ```toml featureGates = { VirtualNet = true } ``` ### Feature Lifecycle Features typically go through three stages: 1. **ALPHA**: Disabled by default, may be unstable 2. **BETA**: May be enabled by default, more stable but still evolving 3. **GA (Generally Available)**: Enabled by default, ready for production use ## Related Projects * [gofrp/plugin](https://github.com/gofrp/plugin) - A repository for frp plugins that contains a variety of plugins implemented based on the frp extension mechanism, meeting the customization needs of different scenarios. * [gofrp/tiny-frpc](https://github.com/gofrp/tiny-frpc) - A lightweight version of the frp client (around 3.5MB at minimum) implemented using the ssh protocol, supporting some of the most commonly used features, suitable for devices with limited resources. ## Contributing Interested in getting involved? We would like to help you! * Take a look at our [issues list](https://github.com/fatedier/frp/issues) and consider sending a Pull Request to **dev branch**. * If you want to add a new feature, please create an issue first to describe the new feature, as well as the implementation approach. Once a proposal is accepted, create an implementation of the new features and submit it as a pull request. * Sorry for my poor English. Improvements for this document are welcome, even some typo fixes. * If you have great ideas, send an email to fatedier@gmail.com. **Note: We prefer you to give your advise in [issues](https://github.com/fatedier/frp/issues), so others with a same question can search it quickly and we don't need to answer them repeatedly.** ## Donation If frp helps you a lot, you can support us by: ### GitHub Sponsors Support us by [Github Sponsors](https://github.com/sponsors/fatedier). You can have your company's logo placed on README file of this project. ### PayPal Donate money by [PayPal](https://www.paypal.me/fatedier) to my account **fatedier@gmail.com**. ## /README_zh.md # frp [![Build Status](https://circleci.com/gh/fatedier/frp.svg?style=shield)](https://circleci.com/gh/fatedier/frp) [![GitHub release](https://img.shields.io/github/tag/fatedier/frp.svg?label=release)](https://github.com/fatedier/frp/releases) [![Go Report Card](https://goreportcard.com/badge/github.com/fatedier/frp)](https://goreportcard.com/report/github.com/fatedier/frp) [![GitHub Releases Stats](https://img.shields.io/github/downloads/fatedier/frp/total.svg?logo=github)](https://somsubhra.github.io/github-release-stats/?username=fatedier&repository=frp) [README](README.md) | [中文文档](README_zh.md) frp 是一个专注于内网穿透的高性能的反向代理应用,支持 TCP、UDP、HTTP、HTTPS 等多种协议,且支持 P2P 通信。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网。 ## Sponsors frp 是一个完全开源的项目,我们的开发工作完全依靠赞助者们的支持。如果你愿意加入他们的行列,请考虑 [赞助 frp 的开发](https://github.com/sponsors/fatedier)。

Gold Sponsors

## 为什么使用 frp ? 通过在具有公网 IP 的节点上部署 frp 服务端,可以轻松地将内网服务穿透到公网,同时提供诸多专业的功能特性,这包括: * 客户端服务端通信支持 TCP、QUIC、KCP 以及 Websocket 等多种协议。 * 采用 TCP 连接流式复用,在单个连接间承载更多请求,节省连接建立时间,降低请求延迟。 * 代理组间的负载均衡。 * 端口复用,多个服务通过同一个服务端端口暴露。 * 支持 P2P 通信,流量不经过服务器中转,充分利用带宽资源。 * 多个原生支持的客户端插件(静态文件查看,HTTPS/HTTP 协议转换,HTTP、SOCK5 代理等),便于独立使用 frp 客户端完成某些工作。 * 高度扩展性的服务端插件系统,易于结合自身需求进行功能扩展。 * 服务端和客户端 UI 页面。 ## 开发状态 frp 目前已被很多公司广泛用于测试、生产环境。 master 分支用于发布稳定版本,dev 分支用于开发,您可以尝试下载最新的 release 版本进行测试。 我们正在进行 v2 大版本的开发,将会尝试在各个方面进行重构和升级,且不会与 v1 版本进行兼容,预计会持续较长的一段时间。 现在的 v0 版本将会在合适的时间切换为 v1 版本并且保证兼容性,后续只做 bug 修复和优化,不再进行大的功能性更新。 ### 关于 v2 的一些说明 v2 版本的复杂度和难度比我们预期的要高得多。我只能利用零散的时间进行开发,而且由于上下文经常被打断,效率极低。由于这种情况可能会持续一段时间,我们仍然会在当前版本上进行一些优化和迭代,直到我们有更多空闲时间来推进大版本的重构,或者也有可能放弃一次性的重构,而是采用渐进的方式在当前版本上逐步做一些可能会导致不兼容的修改。 v2 的构想是基于我多年在云原生领域,特别是在 K8s 和 ServiceMesh 方面的工作经验和思考。它的核心是一个现代化的四层和七层代理,类似于 envoy。这个代理本身高度可扩展,不仅可以用于实现内网穿透的功能,还可以应用于更多领域。在这个高度可扩展的内核基础上,我们将实现 frp v1 中的所有功能,并且能够以一种更加优雅的方式实现原先架构中无法实现或不易实现的功能。同时,我们将保持高效的开发和迭代能力。 除此之外,我希望 frp 本身也成为一个高度可扩展的系统和平台,就像我们可以基于 K8s 提供一系列扩展能力一样。在 K8s 上,我们可以根据企业需求进行定制化开发,例如使用 CRD、controller 模式、webhook、CSI 和 CNI 等。在 frp v1 中,我们引入了服务端插件的概念,实现了一些简单的扩展性。但是,它实际上依赖于简单的 HTTP 协议,并且需要用户自己启动独立的进程和管理。这种方式远远不够灵活和方便,而且现实世界的需求千差万别,我们不能期望一个由少数人维护的非营利性开源项目能够满足所有人的需求。 最后,我们意识到像配置管理、权限验证、证书管理和管理 API 等模块的当前设计并不够现代化。尽管我们可能在 v1 版本中进行一些优化,但确保兼容性是一个令人头疼的问题,需要投入大量精力来解决。 非常感谢您对 frp 的支持。 ## 文档 完整文档已经迁移至 [https://gofrp.org](https://gofrp.org)。 ## 为 frp 做贡献 frp 是一个免费且开源的项目,我们欢迎任何人为其开发和进步贡献力量。 * 在使用过程中出现任何问题,可以通过 [issues](https://github.com/fatedier/frp/issues) 来反馈。 * Bug 的修复可以直接提交 Pull Request 到 dev 分支。 * 如果是增加新的功能特性,请先创建一个 issue 并做简单描述以及大致的实现方法,提议被采纳后,就可以创建一个实现新特性的 Pull Request。 * 欢迎对说明文档做出改善,帮助更多的人使用 frp,特别是英文文档。 * 贡献代码请提交 PR 至 dev 分支,master 分支仅用于发布稳定可用版本。 * 如果你有任何其他方面的问题或合作,欢迎发送邮件至 fatedier@gmail.com 。 **提醒:和项目相关的问题请在 [issues](https://github.com/fatedier/frp/issues) 中反馈,这样方便其他有类似问题的人可以快速查找解决方法,并且也避免了我们重复回答一些问题。** ## 关联项目 * [gofrp/plugin](https://github.com/gofrp/plugin) - frp 插件仓库,收录了基于 frp 扩展机制实现的各种插件,满足各种场景下的定制化需求。 * [gofrp/tiny-frpc](https://github.com/gofrp/tiny-frpc) - 基于 ssh 协议实现的 frp 客户端的精简版本(最低约 3.5MB 左右),支持常用的部分功能,适用于资源有限的设备。 ## 赞助 如果您觉得 frp 对你有帮助,欢迎给予我们一定的捐助来维持项目的长期发展。 ### Sponsors 长期赞助可以帮助我们保持项目的持续发展。 您可以通过 [GitHub Sponsors](https://github.com/sponsors/fatedier) 赞助我们。 国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。 ### 知识星球 如果您想了解更多 frp 相关技术以及更新详解,或者寻求任何 frp 使用方面的帮助,都可以通过微信扫描下方的二维码付费加入知识星球的官方社群: ![zsxq](/doc/pic/zsxq.jpg) ## /Release.md ### Bug Fixes * **VirtualNet:** Resolved various issues related to connection handling, TUN device management, and stability in the virtual network feature. ## /assets/assets.go ```go path="/assets/assets.go" // Copyright 2016 fatedier, fatedier@gmail.com // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package assets import ( "io/fs" "net/http" ) var ( // read-only filesystem created by "embed" for embedded files content fs.FS FileSystem http.FileSystem // if prefix is not empty, we get file content from disk prefixPath string ) // if path is empty, load assets in memory // or set FileSystem using disk files func Load(path string) { prefixPath = path if prefixPath != "" { FileSystem = http.Dir(prefixPath) } else { FileSystem = http.FS(content) } } func Register(fileSystem fs.FS) { subFs, err := fs.Sub(fileSystem, "static") if err == nil { content = subFs } } ``` ## /assets/frpc/embed.go ```go path="/assets/frpc/embed.go" package frpc import ( "embed" "github.com/fatedier/frp/assets" ) //go:embed static/* var content embed.FS func init() { assets.Register(content) } ``` ## /assets/frpc/static/favicon.ico Binary file available at https://raw.githubusercontent.com/fatedier/frp/refs/heads/main/assets/frpc/static/favicon.ico The content has been capped at 50000 tokens, and files over NaN bytes have been omitted. The user could consider applying other filters to refine the result. The better and more specific the context, the better the LLM can follow instructions. If the context seems verbose, the user can refine the filter using uithub. Thank you for using https://uithub.com - Perfect LLM context for any GitHub repo.