You can follow the steps outlined below to set up and install FRP (Fast Reverse Proxy) as a reverse proxy on Ubuntu. Also, you’ll be able to secure it with Let’s Encrypt SSL. Let’s start.

Part 1: Install FRP

Download the latest version of FRP from its Github releases page here. You will need to download the version appropriate for your server’s architecture. For example:

wget https://github.com/fatedier/frp/releases/download/v0.49.0/frp_0.49.0_linux_amd64.tar.gz
Replace 0.49.0 with the latest version number.

Extract the downloaded file with the following command:

tar -xvzf frp_0.49.0_linux_amd64.tar.gz

Change into the newly created directory:

cd frp_0.49.0_linux_amd64

Inside, you will find two binary files, frps and frpc, for the server and client, respectively. Move these files to your path so you can run them from anywhere:

sudo mv frps /usr/local/bin
sudo mv frpc /usr/local/bin

Part 2: Configure FRP

FRP requires two sides to work: the client and the server.

2.1 Server Configuration

On the server side:

Create a new configuration file for the FRP server:

sudo nano /etc/frp/frps.ini

Paste the following into the file:

[common]
bind_port = 7000

Save and close the file.

Start the FRP server with the following command:

frps -c /etc/frp/frps.ini

2.2 Client Configuration

On the client side:

Create a new configuration file for the FRP client:

sudo nano /etc/frp/frpc.ini

Paste the following into the file:

[common]
server_addr = YOUR_SERVER_IP
server_port = 7000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

Replace YOUR_SERVER_IP with the actual IP address of your server. Save and close the file.

Start the FRP client with the following command:

frpc -c /etc/frp/frpc.ini

You should now be able to access your local SSH server via the FRP server’s IP and the remote port you specified (6000 in this case).

Part 3: Secure FRP with Let’s Encrypt To secure your FRP server with Let’s Encrypt, you will need a domain name pointing to your server. Then you can use Certbot to obtain a free SSL certificate.

Install Certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

Obtain a new SSL certificate:

sudo certbot --nginx

Follow the prompts to install your certificate. Certbot will automatically modify your Nginx configuration to use SSL.

In the FRP server configuration (frps.ini) you will need to specify the location of the certificate and private key:

[common]
bind_port = 7000
tls_cert_file = /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
tls_key_file = /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem

Replace YOUR_DOMAIN with your actual domain name. This will secure the connection between the FRP server and the client.

Part 4: Configure for Various Scenarios

The example above shows how to configure FRP for SSH access. You can modify the client configuration (frpc.ini) for different use cases:

Accessing Internal Web Services with Custom Domains in LAN To access internal web services, use an HTTP/HTTPS type:

[web]
type = http
local_ip = 127.0.0.1
local_port = 8080
custom_domains = web.yourdomain.com

Forward DNS Query Requests To forward DNS query requests, use a TCP type:

[dns]
type = tcp
local_ip = 127.0.0.1
local_port = 53
remote_port = 6053

Forward Unix Domain Socket

To forward a Unix domain socket, specify the local_port as the path to the socket:

[socket]
type = tcp
local_ip = /var/run/docker.sock
remote_port = 6001

Expose a Simple HTTP File Server

To expose a simple HTTP file server, use an HTTP type:

[files]
type = http
local_ip = 127.0.0.1
local_port = 8080

Enable HTTPS for a Local HTTP(S) Service

To enable HTTPS, use an HTTPS type and specify the certificate and key:

[https]
type = https
local_ip = 127.0.0.1
local_port = 8080
custom_domains = yourdomain.com
tls_cert_file = /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
tls_key_file = /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem

Expose Your Service Privately

To expose your service privately, add privilege_mode = true to your FRP client configuration, and privilege_allow_ports = 6000-7000 to your FRP server configuration. This will expose your service only to clients connected to the FRP server.

P2P Mode

For P2P connections, you can use the xtcp or stcp type:

[p2p_ssh]
type = xtcp
local_ip = 127.0.0.1
local_port = 22

This type of connection requires the xtcp or stcp feature to be enabled on the FRP server.

Remember to replace yourdomain.com and web.yourdomain.com with your actual domain name, and 127.0.0.1:8080 with the real IP and port of your local service.

Main features

Configuration Files

Configuration files (frps.ini for the server, frpc.ini for the client) are used to set up and customize the behavior of FRP. They use the INI file format, consisting of sections containing key-value pairs.

Using Environment Variables

You can use environment variables in the configuration file by referencing them with $(ENV_VAR_NAME). They will be replaced by the actual value of the environment variable at runtime.

Split Configures Into Different Files

FRP supports splitting the configuration into different files. This can be done using the include directive in the configuration file, which allows the content of other configuration files to be included.

Dashboard

The FRP dashboard is a web-based user interface that provides real-time status monitoring and management of the FRP server. You can enable the dashboard by setting dashboard_port and dashboard_user / dashboard_pwd in the server configuration.

Admin UI

The Admin UI is part of the dashboard. It provides an interface for managing the server, including viewing current connections, proxies, and traffic statistics and manually controlling the status of proxies.

Monitor

FRP supports monitoring through a web interface and also provides support for Prometheus, a powerful open-source monitoring solution.

Prometheus

You can enable Prometheus metrics by setting enable_prometheus = true them in the server configuration. The metrics will be available at /metrics on the admin server.

Authenticating the Client

FRP supports various methods of client authentication.

Token Authentication

This method involves setting a token in client and server configuration files. The client must provide the token to the server when establishing a connection.

OIDC Authentication

OpenID Connect (OIDC) is a protocol that allows clients to verify the user’s identity based on the authentication performed by an authorization server. FRP supports OIDC, which can be set up by specifying oidc_issuer, oidc_audience, and other related configuration options in the server configuration.

Encryption and Compression

FRP supports data encryption and compression to improve the security and efficiency of data transmission.

TLS

FRP supports Transport Layer Security (TLS) to secure the client and server connection. This can be enabled by setting tls_enable = true and specifying the certificate and private key files in the server configuration.

Hot-Reloading frpc configuration

Hot-reloading allows you to modify and reload the client configuration without restarting it. This can be done using the frpc reload -c /path/to/frpc.ini command.

Get proxy status from the client

You can get the status of a proxy from the client by using the frpc status -n [proxy_name] command.

Only allowing specific ports on the server

You can restrict the ports that the client can use by specifying privilege_allow_ports in the server configuration.

Port Reuse

FRP supports port reuse, which allows multiple proxies to share the same port on the server. This can be enabled by setting use_compression = true in the client configuration.

Bandwidth Limit

FRP supports limiting the bandwidth used by a proxy.

For Each Proxy

You can set a bandwidth limit for each proxy by specifying bandwidth_limit in the proxy configuration in the client configuration.

TCP Stream Multiplexing

TCP stream multiplexing is a feature that allows multiple TCP connections to be multiplexed over a single TCP connection. This can be enabled by setting mux = true in the client configuration.

Support KCP Protocol

FRP supports the KCP protocol, a reliable UDP-based transport protocol that can achieve faster transmission speeds than TCP under conditions of packet loss. This can be enabled by setting protocol = kcp in the client configuration.

Support QUIC Protocol

FRP supports the QUIC protocol, a UDP-based transport protocol that provides security equivalent to TLS and reduces latency compared to TCP. This can be enabled by setting protocol = quic in the client configuration.

Connection Pooling

Connection pooling is a feature that maintains a pool of connections that can be reused, reducing the overhead of establishing a new connection for each request. This can be enabled by setting pool_count in the client configuration.

Load balancing

FRP supports load balancing among multiple proxies with the same name. This can be enabled by setting load_balance_method and group in the client configuration.

Service Health Check

FRP supports health checks to monitor the status of a service. This can be configured by setting health_check_type, health_check_interval, health_check_timeout, and health_check_max_failed in the client configuration.

Rewriting the HTTP Host Header

FRP supports rewriting the HTTP Host header. This can be configured by setting host_header_rewrite in the client configuration.

Setting other HTTP Headers

FRP supports setting other HTTP headers. This can be configured by setting http_headers in the client configuration.

Get Real IP

FRP supports obtaining the actual IP address of the client. This can be done using the following methods:

HTTP X-Forwarded-For

This method involves adding the X-Forwarded-For HTTP header to the request containing the client’s IP address.

Proxy Protocol

The Proxy Protocol is a network protocol for transmitting the client’s address information across multiple layers of proxies. FRP supports Proxy Protocol V2.

Require HTTP Basic Auth (Password) for Web Services

FRP supports HTTP Basic Authentication for web services. This can be configured by setting http_user and http_pwd in the client configuration.

Custom Subdomain Names

FRP supports custom subdomain names. This can be configured by setting a subdomain in the client configuration.

URL Routing

FRP supports URL routing, which allows different URLs to be routed to various local services. This can be configured by defining multiple HTTP/HTTPS type proxies with different custom domains, subdomains, and locations.

TCP Port Multiplexing

FRP supports TCP port multiplexing, which allows multiple services to share the same port. This can be enabled by setting use_mux = true in the client configuration.

Connecting to frps via HTTP PROXY

FRP supports connecting to the FRP server via an HTTP proxy. This can be configured by setting http_proxy in the client configuration.

Range ports mapping

FRP supports range port mapping, which allows a range of ports to be mapped to a range of local ports. This can be configured by setting remote_port and local_port to a range in the client configuration.

Client Plugins

FRP supports client plugins, which can extend the functionality of the FRP client. The plugin configuration can be added under a separate section in the client configuration.

Server Manage Plugins

FRP supports server management plugins, which can extend the functionality of the FRP server. The plugin configuration can be added under a separate section in the server configuration.