1 - intranet penetration
Intranet penetration, also called intranet mapping, exposes services on a LAN behind NAT to the public network so that external clients can reach them. There are several principles and technologies behind it:
1. Relay through a public server. This is the mode used by most third-party intranet penetration services on the market.
2. P2P penetration with an end-to-end connection, commonly known as UDP hole punching. It has a low success rate because of the complex domestic network environment.
3. A hybrid of the two: the public server brokers the handshake between the two ends, and once penetration succeeds the two ends connect P2P directly.
There are many intranet penetration tools, such as Ngrok, Peanut Shell and frp; the principle is basically the same.
Here we mainly look at frp. frp is split into a client and a server: frps is the server and frpc is the client.
GitHub
https://github.com/fatedier/frp
Complete documentation
https://gofrp.org/docs/
Examples
https://gofrp.org/docs/examples/
When configuring, the ports used must be opened in the server firewall and in the corresponding cloud security group.
2 - premise of use
You need an Alibaba Cloud (or similar) server with a public IP.
3 - access intranet machines through TCP
3.1 - server configuration and use
```bash
# Download the corresponding files; each release contains a server and a client binary.
# Different architectures correspond to different systems:
#   https://github.com/fatedier/frp/releases
# View the system architecture
uname -a
# This is CentOS 7, so download the Linux amd64 release for the frp server
wget https://github.com/fatedier/frp/releases/download/v0.38.0/frp_0.38.0_linux_amd64.tar.gz
# Decompress
tar -zxvf frp_0.38.0_linux_amd64.tar.gz
# Configure frps.ini
vim frps.ini
```

The configuration is as follows:

```ini
[common]
# The port must be the same as server_port on the client
bind_port = 9000
# frp dashboard (web UI)
dashboard_port = 9500
# User name to access the dashboard
dashboard_user = admin11
# Password to access the dashboard
dashboard_pwd = admin11
log_file = ./frps.log
log_level = info
log_max_days = 3
privilege_mode = true
# Used to authenticate the client to the server (must match the client)
# Note: recent frp versions use the key "token" instead of privilege_token;
# check the frps log to confirm your version honours the key you set
privilege_token = 12345678
max_pool_count = 50
```

```bash
# Run the server
./frps -c ./frps.ini
# Run in the background
nohup ./frps -c ./frps.ini &
```
3.2 - client configuration and use
```bash
# The client here is a Mac, so download the darwin amd64 release
wget https://github.com/fatedier/frp/releases/download/v0.38.0/frp_0.38.0_darwin_amd64.tar.gz
# Decompress
tar -zxvf frp_0.38.0_darwin_amd64.tar.gz
# Configure frpc.ini
vim frpc.ini
```

Configuration content:

```ini
[common]
# Alibaba Cloud server IP
server_addr = 43.255.1.136
# The port agreed between the frp server (bind_port) and the client
server_port = 9000
# Token agreed between the frp server and the client
# Note: recent frp versions use the key "token" instead of privilege_token
privilege_token = 12345678

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 18221

[nginx]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 10080

[web]
type = http
local_port = 80
custom_domains = rick.aismartlink.com

[mysql]
type = tcp
local_ip = 127.0.0.1
local_port = 3306
remote_port = 18336

[nacos]
type = tcp
local_ip = 127.0.0.1
local_port = 8848
remote_port = 18848

[rabbitmq5672]
type = tcp
local_ip = 127.0.0.1
local_port = 5672
remote_port = 5672

[rabbitmq15672]
type = tcp
local_ip = 127.0.0.1
local_port = 15672
remote_port = 15672

[rabbitmq25672]
type = tcp
local_ip = 127.0.0.1
local_port = 25672
remote_port = 25672
```

```bash
# Run the client
./frpc -c ./frpc.ini
# Run in the background
nohup ./frpc -c ./frpc.ini &
```

Every remote_port listed here becomes reachable from the Internet on the server's public IP, so publish only the services that actually need to be.
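Given frps.ini and frpc.ini files like the ones above, a defender's first question is what the tunnel actually publishes and whether the server authenticates clients at all. The following Python audit script is an added example (not part of frp or of this post): it parses both files with configparser and flags a missing `token`, identical dashboard credentials, and TCP proxies that publish database or management ports. The embedded sample configs and the 203.0.113.10 address are constructed, and the sensitive-port list is an assumption.

```python
import configparser
# Constructed sample configs modelled on the frps.ini / frpc.ini in this post (not a live host).
FRPS_INI = """
[common]
bind_port = 9000
dashboard_port = 9500
dashboard_user = admin11
dashboard_pwd = admin11
privilege_token = 12345678
"""
FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 9000
privilege_token = 12345678
[ssh]
type = tcp
local_port = 22
remote_port = 18221
[mysql]
type = tcp
local_port = 3306
remote_port = 18336
"""
# Local services that should not be published to the Internet without extra controls (assumed list).
SENSITIVE_PORTS = {3306: "MySQL", 5672: "RabbitMQ AMQP", 15672: "RabbitMQ management", 8848: "Nacos"}

def load(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp
def audit_frps(text):
    """Findings for a frps.ini: missing auth token and weak dashboard credentials."""
    common = load(text)["common"]
    findings = []
    if not common.get("token"):  # current frp reads 'token'; an old privilege_token key is ignored
        findings.append("no 'token' in [common]: any frpc can register proxies on this server")
    if "dashboard_port" in common and common.get("dashboard_user") == common.get("dashboard_pwd"):
        findings.append("dashboard user and password are identical")
    return findings
def audit_frpc(text):
    """Findings for a frpc.ini: TCP proxies that publish sensitive local ports."""
    findings = []
    for name, sec in load(text).items():
        if name in ("DEFAULT", "common") or sec.get("type") != "tcp":
            continue
        lp = sec.getint("local_port")
        if lp in SENSITIVE_PORTS:
            findings.append(f"[{name}] publishes {SENSITIVE_PORTS[lp]} (local {lp}) on public port {sec.get('remote_port')}")
    return findings
```

Run `audit_frps(open("frps.ini").read())` and `audit_frpc(open("frpc.ini").read())` against real files; the ssh proxy in the sample is deliberately not flagged, only the MySQL one is.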
3.3 - Connecting
```bash
# If the connection fails, check:
#   1 - the local (native) firewall
#   2 - the security group of the Internet-facing server
# xx1: user name used to log in to the intranet machine
# xx2: Alibaba Cloud server IP
# The port must be the remote_port configured in the [ssh] section of frpc.ini
ssh -oPort=8900 xx1@xx2
# or
ssh -p 8900 xx1@xx2
```

FileZilla can connect the same way (SFTP over the forwarded SSH port) to transfer files.
4 - access Web services deployed in Intranet through custom domain name
This can be done easily with frp. Taking an HTTP service as an example: first modify the frp server configuration and set the HTTP access port with the vhost_http_port parameter. Here the HTTP access port is set to 8080.

```ini
[common]
# The port must be the same as server_port on the client
bind_port = 9000
# frp dashboard (web UI)
dashboard_port = 9500
# User name to access the dashboard
dashboard_user = admin11
# Password to access the dashboard
dashboard_pwd = admin11
# Set the HTTP access port
vhost_http_port = 8080
log_file = ./frps.log
log_level = info
log_max_days = 3
privilege_mode = true
# Used to authenticate the client to the server (must match the client)
privilege_token = 12345678
max_pool_count = 50
```
Then modify the client file. The local_port and custom_domains parameters set the port of the web service on the local machine and the custom domain name it is served under. Here we set the port to 80 and the domain name to mm.like.com.

```ini
[common]
# Alibaba Cloud server IP
server_addr = 43.255.1.136
# The port agreed between the frp server and the client
server_port = 9000
# Token agreed between the frp server and the client
privilege_token = 12345678

[ssh]
type = tcp
# There can be multiple services locally; the local machine is reached through this one
local_ip = 127.0.0.1
local_port = 22
# Port to use when connecting with ssh remotely
remote_port = 8900

[web]
type = http
local_port = 80
custom_domains = mm.like.com
```

Finally, add a DNS A record for mm.like.com that resolves to the public IP of the frp server. The web service on the intranet machine can then be reached at http://mm.like.com:8080
The HTTPS configuration is similar: replace vhost_http_port with vhost_https_port on the server, and set type = https on the client.
5 - linked database
Add a new [mysql] section to the frp client configuration:
```ini
[mysql]
type = tcp
# IP of the database on the intranet machine
local_ip = 127.0.0.1
# MySQL port on the intranet machine
local_port = 3306
# Port through which MySQL is accessed from the public network
remote_port = 1006
```

Access:

```bash
mysql -uxx1 -hxx2 -P1006 -pxx3
```

xx1: user name
xx2: server IP
xx3: database password

Passing the password inline with -p leaves it in the shell history and the process list; omit the value (just -p) to be prompted for it instead.
Two common methods of configuring automatic startup
1 - use systemctl to control startup, taking the server as an example

```bash
sudo vim /lib/systemd/system/frps.service
```

Write the following in frps.service:

```ini
[Unit]
Description=frps service
After=network.target network-online.target syslog.target
Wants=network.target network-online.target

[Service]
Type=simple
# Command to start the service (write the actual installation directory of your frps here).
# systemd runs this directly without a shell, so do not wrap it in nohup or append &
ExecStart=/your/path/frps -c /your/path/frps.ini

[Install]
WantedBy=multi-user.target
```
On CentOS 7 the systemd unit files live under the /usr/lib/systemd/ directory, which is divided into system and user. Programs that should run after boot without a login are generally placed in /usr/lib/systemd/system/.
So we put the unit file in /usr/lib/systemd/system/ and then run the following commands to reload the systemd configuration and enable the service:

```bash
# Reload the systemd configuration
systemctl daemon-reload
# Enable start on boot (the unit name matches the file created above)
systemctl enable frps.service
# Start it now, or restart the machine to check that it comes up on boot
systemctl start frps.service
reboot
```
2 - modify the /etc/rc.d/rc.local file

```bash
# /etc/rc.d/rc.local is run after all services of the Linux system have started,
# so a script whose path is added to this file runs after boot.
# First make sure the file is executable
ls -lart /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
# To demonstrate, create a script that writes some information to a file in the home directory
vim auto_run_script.sh
```

```bash
#!/bin/bash
date >> /home/alvin/output.txt
hostname >> /home/alvin/output.txt
```

```bash
# Save and exit, then grant execute permission
chmod +x auto_run_script.sh
# Add the script as the last line of /etc/rc.d/rc.local
vim /etc/rc.d/rc.local
/home/alvin/auto_run_script.sh
# Try it out: simply restart the system
sudo reboot
```