FRP with mutually authenticated TLS connections

(1) First, the changes to the frps and frpc configuration files needed for a mutually authenticated TLS connection. On frpc, tls_enable = true turns on TLS for the connection to frps, and tls_trusted_ca_file makes frpc verify the server certificate against ca.crt, matching it against the name in server_addr (or in tls_server_name, if that is set), so the server certificate's subjectAltName must contain that hostname or IP. On frps, setting tls_trusted_ca_file makes it demand a client certificate issued by that CA and reject frpc instances that do not present one; without that line any frpc with TLS enabled would be let in. Note that frps still accepts plaintext connections unless tls_only = true is also set in its [common] section.

# frpc.ini
[common]
tls_enable = true
tls_cert_file = /to/cert/path/client.crt
tls_key_file = /to/key/path/client.key
tls_trusted_ca_file = /to/ca/path/ca.crt

# frps.ini
[common]
tls_cert_file = /to/cert/path/server.crt
tls_key_file = /to/key/path/server.key
tls_trusted_ca_file = /to/ca/path/ca.crt

(2) Create the OpenSSL configuration file

vim my-openssl.cnf

Put the following in it:

[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca
string_mask         = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true

(3) Generate the CA. The configuration file from step (2) is passed in so that its v3_ca extensions (basicConstraints CA:true in particular) are applied to the CA certificate. ca.key is used only to sign the two certificates below and should never be copied to the frps or frpc hosts.

openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -config my-openssl.cnf -subj "/CN=example.ca.com" -days 5000 -out ca.crt

(4) Generate the frps (server-side) certificate

openssl genrsa -out server.key 2048

Step 1: create the CSR. Replace <server-IP> with the address frpc puts in server_addr; if frpc connects by hostname instead, list that hostname as a DNS: entry. The <( ) process substitution is a bash feature, so run these commands in bash.

openssl req -new -sha256 -key server.key \
    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
    -reqexts SAN \
    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:<server-IP>")) \
    -out server.csr

Step 2: sign the CSR with the CA. openssl x509 -req does not copy the CSR's extensions into the certificate by default, so the subjectAltName is supplied again through -extfile; the two lists must match.

openssl x509 -req -days 365 -sha256 \
	-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
	-extfile <(printf "subjectAltName=DNS:localhost,IP:<server-IP>") \
	-out server.crt

(5) Generate the frpc (client-side) certificate. frps does not match the client certificate's name against anything; it only checks that the certificate chains to ca.crt, so the SAN here just needs to identify the client.

openssl genrsa -out client.key 2048

Step 1: create the CSR

openssl req -new -sha256 -key client.key \
    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
    -reqexts SAN \
    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com")) \
    -out client.csr

Step 2: sign the CSR with the CA

openssl x509 -req -days 365 -sha256 \
    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
	-extfile <(printf "subjectAltName=DNS:client.com") \
	-out client.crt

Finally, copy ca.crt together with server.crt and server.key to the frps host, copy ca.crt together with client.crt and client.key to the frpc host, enter the paths in the two configuration files from step (1), and restart both sides. Before deploying, check that both leaf certificates chain to the CA (openssl verify with -CAfile ca.crt) and that the Subject Alternative Name in server.crt really contains the address frpc uses in server_addr or tls_server_name; otherwise frpc will reject the server certificate. Restrict the .key files to the user frp runs as, and keep ca.key off both hosts.
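The openssl steps above only produce files; what they buy you shows up in the TLS handshake that frps and frpc then perform. The Go program below is an added example (not frp's own code and not taken from the referenced posts): it builds the same three-certificate PKI in memory, keeping the page's CA:true constraint and subjectAltName entries and its names example.ca.com, server.com, client.com, localhost and 127.0.0.1, then runs handshakes over loopback with the server configured the way frps is when tls_trusted_ca_file is set (client certificate required and verified against the CA) and the client configured the way frpc is with tls_trusted_ca_file set (server certificate verified against the CA and against tls_server_name/server_addr). It goes beyond the page by exercising the failure modes: a frpc without a client certificate, a client certificate from a different CA (the assumed name rogue.ca), and a server name that appears only in the CN. ECDSA P-256 replaces RSA 2048 purely to keep key generation fast, and the scenario labels are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pair is the in-memory counterpart of one .crt/.key pair from the openssl steps.
// ECDSA P-256 stands in for RSA 2048 only for speed; the checks are identical.
type pair struct {
	cert *x509.Certificate
	tc   tls.Certificate
}

var serial int64

// mint issues a certificate: with issuer == nil the self-signed CA of step (3)
// (basicConstraints CA:true, as in v3_ca), otherwise a CA-signed leaf as in steps
// (4)/(5) carrying the subjectAltName entries given to -extfile. Peers match
// names against the SANs only; the CN is never consulted.
func mint(issuer *pair, cn string, dns []string, ips []net.IP) *pair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, IPAddresses: ips, IsCA: issuer == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	var parent, signer = tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.tc.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &pair{cert: must(x509.ParseCertificate(der)),
		tc: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// handshake runs one TLS handshake over loopback TCP. The server side is set up as
// frps is with tls_trusted_ca_file (client certificate required and verified against
// ca.crt); the client side as frpc is with tls_trusted_ca_file (server certificate
// verified against ca.crt and against serverName, i.e. tls_server_name or, by
// default, server_addr). A nil result means both sides accepted the connection.
func handshake(server *pair, trust *x509.CertPool, client *pair, serverName string) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server.tc}, ClientCAs: trust,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: trust, ServerName: serverName}
	if client != nil { // frpc with tls_cert_file/tls_key_file configured
		cliCfg.Certificates = []tls.Certificate{client.tc}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c := must(ln.Accept())
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(c, srvCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(raw, cliCfg).Handshake()
	raw.Close()
	if cliErr != nil {
		return fmt.Errorf("client: %w", cliErr)
	}
	if err := <-srvErr; err != nil {
		return fmt.Errorf("server: %w", err)
	}
	return nil
}

// runScenarios builds the page's PKI and reports each handshake's outcome under a
// label of my own choosing. The two "ok-" cases must pass; the other three must fail.
func runScenarios() map[string]error {
	ca, rogueCA := mint(nil, "example.ca.com", nil, nil), mint(nil, "rogue.ca", nil, nil)
	server := mint(ca, "server.com", []string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	client := mint(ca, "client.com", []string{"client.com"}, nil)
	rogue := mint(rogueCA, "client.com", []string{"client.com"}, nil)
	trust := x509.NewCertPool() // ca.crt, installed on both frps and frpc
	trust.AddCert(ca.cert)
	return map[string]error{
		"ok-ip-san":       handshake(server, trust, client, "127.0.0.1"),  // server_addr is an IP SAN
		"ok-dns-san":      handshake(server, trust, client, "localhost"),  // tls_server_name is a DNS SAN
		"no-client-cert":  handshake(server, trust, nil, "127.0.0.1"),     // frpc without tls_cert_file
		"client-wrong-ca": handshake(server, trust, rogue, "127.0.0.1"),   // client.crt not issued by ca.crt
		"cn-not-in-san":   handshake(server, trust, client, "server.com"), // CN=server.com, but no such SAN
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-16s %v\n", name, err)
	}
}
```

Run it with go run: the two ok- lines print <nil>, the others print the error raised by whichever side refused the connection (frps's side for a missing or wrong-CA client certificate, frpc's side for the name mismatch). The cn-not-in-san case is the reason the page puts the server address into subjectAltName rather than relying on /CN=server.com: the Go x509 verifier that frpc uses ignores the CN entirely.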


References:

Herald Yu (鸿儒)'s blog: article link

FRP official documentation: link
