FRP使用TLS双向加密连接
(1)首先是使用双向加密连接时对frps和frpc配置文件的修改
# frpc.ini
# Client side of the mutual-TLS setup: frpc presents client.crt/client.key to frps
# and uses ca.crt (the CA that signed server.crt in step 3) to check frps's certificate.
[common]
# Must be true, otherwise the certificate settings below are not used.
tls_enable = true
# Client certificate and key generated in step (5); keep the .key readable only by the frpc user.
tls_cert_file = /to/cert/path/client.crt
tls_key_file = /to/key/path/client.key
# The address frpc dials must appear in server.crt's subjectAltName
# (the guide puts DNS:localhost and the frps IP there), or verification fails.
tls_trusted_ca_file = /to/ca/path/ca.crt
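# frps.ini
# Server side of the mutual-TLS setup: frps presents server.crt/server.key and
# checks the client certificate frpc presents against ca.crt.
[common]
# Server certificate and key generated in step (4). Its subjectAltName must include
# every address frpc connects to (the guide adds DNS:localhost and the frps IP).
tls_cert_file = /to/cert/path/server.crt
tls_key_file = /to/key/path/server.key
# CA that signed client.crt (step 5); keep the .key readable only by the frps user.
tls_trusted_ca_file = /to/ca/path/ca.crt
# Without this frps still accepts plaintext (non-TLS) frpc connections, so the
# client-certificate requirement could be bypassed by a client that does not enable TLS.
tls_only = true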
(2)创建openssl配置文件
vim my-openssl.cnf
在这个文件中写入以下内容
# my-openssl.cnf - minimal OpenSSL config for the `openssl req` commands in steps (4)/(5),
# which pass it via -config together with a generated [SAN] section.
[ ca ]
# Profile for `openssl ca`. This guide signs with `openssl x509 -req -extfile` instead,
# so [ca], [CA_default] and [usr_cert] are never consulted by the commands shown.
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
# Defaults for `openssl req`: 2048-bit RSA key, SHA-256 digest.
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
# The subject is supplied with -subj on the command line, so these two sections stay empty.
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions applied by `req -x509` (self-signed certificate). Note the CA command in
# step (3) does not pass -config, so it reads the system openssl.cnf rather than this file.
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
# End-entity profile (not a CA). Not applied by this guide: the leaf certificates are
# signed with an -extfile that contains only subjectAltName.
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Marks the certificate as a CA so it may sign server.crt and client.crt.
basicConstraints = CA:true
(3)生成默认ca
# CA private key: 2048-bit RSA, written unencrypted (-nodes below). It is the root of
# trust for both frps and frpc, so restrict it to the generating user (chmod 600).
openssl genrsa -out ca.key 2048
# Self-signed CA certificate, valid 5000 days. No -config is given, so the [v3_ca]
# section of my-openssl.cnf is not used here; the system default openssl.cnf applies.
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
(4)生成frps证书(服务器端证书)
# frps private key (2048-bit RSA, unencrypted); only frps needs to read it.
openssl genrsa -out server.key 2048
第一步:生成证书签名请求(CSR)
# CSR for frps. -reqexts SAN reads the [SAN] section appended to my-openssl.cnf via
# process substitution (<(...) is bash syntax, not POSIX sh). Replace 服务器IP地址 with
# the real frps IP: whatever address frpc dials must be listed in subjectAltName, since
# modern TLS verifiers (including Go's) match SAN, not the CN=server.com given in -subj.
openssl req -new -sha256 -key server.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:服务器IP地址")) \
-out server.csr
第二步:用CA签发证书
# Sign the CSR with the CA, valid 365 days (renewal before then needs ca.key again).
# `x509 -req` does not copy the CSR's extensions, so subjectAltName is repeated in
# -extfile; the SAN here must match the one above. Only SAN is set: the [usr_cert]
# profile of my-openssl.cnf is not applied by this command.
openssl x509 -req -days 365 -sha256 \
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:localhost,IP:服务器IP地址") \
-out server.crt
(5)生成frpc证书(客户端证书)
# frpc private key (2048-bit RSA, unencrypted); only frpc needs to read it.
openssl genrsa -out client.key 2048
第一步:生成证书签名请求(CSR)
# CSR for frpc, same pattern as the server CSR (bash process substitution appends a
# [SAN] section). The client name is not dialed by anyone, so DNS:client.com is only
# an identity label checked by nothing beyond the CA signature.
openssl req -new -sha256 -key client.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com")) \
-out client.csr
第二步:用CA签发证书
# Sign the client CSR with the same CA, valid 365 days. -CAcreateserial reuses the
# ca.srl created when server.crt was signed. As with the server certificate, only
# subjectAltName is added via -extfile.
openssl x509 -req -days 365 -sha256 \
-in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:client.com") \
-out client.crt
最后把ca.crt,客户端crt和key文件,服务器端crt和key文件上传到指定位置并修改配置文件就可以了
以上过程可以用下面的脚本一键生成
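#!/bin/bash
# One-shot generator for the frp mutual-TLS material described above. Outputs, in
# the current directory:
#   ca.crt                    CA certificate (goes to both frps and frpc)
#   server.crt / server.key   frps certificate and private key
#   client.crt / client.key   frpc certificate and private key
# Requires bash (uses <(...) process substitution) and openssl.
#
# Every openssl step has its output silenced; the original script therefore printed
# "所有证书生成完成" even when a step failed and left a broken chain behind. Any
# failing command now aborts the script and the ERR trap tells the user how to see
# the underlying error.
set -euo pipefail
trap 'echo "错误:证书生成失败(脚本第 $LINENO 行)。去掉命令后的 > /dev/null 2>&1 重新运行可查看详情" >&2' ERR

# Private keys must not be world-readable: create every file 0600 and relax the
# public certificates explicitly at the end.
umask 077

# Remove output of previous runs, including intermediates an aborted run may have left.
rm -f ca.crt ca.key ca.srl client.crt client.key client.csr server.crt server.key server.csr my-openssl.cnf

# The frps IP and hostname both go into the server certificate's subjectAltName;
# -r keeps backslashes in the input literal.
read -r -p "请输入服务器IP地址: " SERVER_IP
read -r -p "请输入服务器域名: " SERVER_DOMAIN

# Both are required: an empty SAN entry would yield an unusable certificate.
if [[ -z "$SERVER_IP" || -z "$SERVER_DOMAIN" ]]; then
    echo "错误:IP地址和域名不能为空!" >&2
    exit 1
fi

# Minimal OpenSSL config. [req] drives `openssl req`; [v3_ca] marks the CA certificate
# as a CA. The leaf certificates get their extensions from -extfile in issue_cert.
cat > my-openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF

# issue_cert NAME CN EKU SAN
#   Creates NAME.key (2048-bit RSA), a CSR, and NAME.crt signed by ca.key/ca.crt for
#   365 days. EKU is serverAuth or clientAuth; SAN is a subjectAltName value list.
issue_cert() {
    local name="$1" cn="$2" eku="$3" san="$4"
    # Extensions placed on the final certificate. `openssl x509 -req` does not copy
    # the CSR's extensions, so they are supplied again through -extfile. Beyond the
    # SAN the leaf is explicitly marked as not-a-CA and restricted to its TLS role.
    local ext="basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=$eku
subjectAltName=$san"
    openssl genrsa -out "$name.key" 2048 > /dev/null 2>&1
    # CSR with the SAN section appended to the config via process substitution.
    openssl req -new -sha256 -key "$name.key" \
        -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=$cn" \
        -reqexts SAN \
        -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=%s\n" "$san")) \
        -out "$name.csr" > /dev/null 2>&1
    # -CAcreateserial creates ca.srl on first use and reuses it afterwards.
    openssl x509 -req -days 365 -sha256 \
        -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile <(printf '%s\n' "$ext") \
        -out "$name.crt" > /dev/null 2>&1
}

# CA key and self-signed CA certificate. -config makes the [v3_ca] section above
# apply (basicConstraints CA:true) instead of whatever the system openssl.cnf provides.
openssl genrsa -out ca.key 2048 > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca.key -config my-openssl.cnf \
    -subj "/CN=auto.ca.com" -days 5000 -out ca.crt > /dev/null 2>&1

# frps certificate: the SAN must cover every address frpc dials (TLS verifiers match
# SAN, not CN), so localhost, the IP and the hostname are all listed.
issue_cert server "$SERVER_DOMAIN" serverAuth "DNS:localhost,IP:$SERVER_IP,DNS:$SERVER_DOMAIN"

# frpc certificate, presented to frps for client authentication.
issue_cert client client.com clientAuth "DNS:client.com"

# Remove intermediates. ca.key is deleted as in the original workflow, which means this
# CA can never sign again: renewing the 365-day leaf certificates requires re-running
# the script and redistributing ca.crt to every frps and frpc. Keep ca.key offline
# (0600) instead if renewals without touching every client are wanted.
rm -f server.csr client.csr ca.srl ca.key my-openssl.cnf

# Certificates are public; the .key files keep the 0600 mode from umask.
chmod 644 ca.crt server.crt client.crt
echo "所有证书生成完成"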
本文参考:
鸿儒(Herald Yu)大佬的博客:文章链接
FRP官方文档:链接