You can follow the steps outlined below to set up and install FRP (Fast Reverse Proxy) as a reverse proxy on Ubuntu. Also, you’ll be able to secure it with Let’s Encrypt SSL. Let’s start.
Part 1: Install FRP
Download the latest version of FRP from its Github releases page here. You will need to download the version appropriate for your server’s architecture. For example:
wget https://github.com/fatedier/frp/releases/download/v0.49.0/frp_0.49.0_linux_amd64.tar.gz Replace 0.49.0 with the latest version number.
Extract the downloaded file with the following command:
tar -xvzf frp_0.49.0_linux_amd64.tar.gz
Change into the newly created directory:
Inside, you will find two binary files,
frpc, for the server and client, respectively. Move these files to your path so you can run them from anywhere:
sudo mv frps /usr/local/bin sudo mv frpc /usr/local/bin
Part 2: Configure FRP
FRP requires two sides to work:
the client and
2.1 Server Configuration
On the server side:
Create a new configuration file for the FRP server:
sudo nano /etc/frp/frps.ini
Paste the following into the file:
[common] bind_port = 7000
Save and close the file.
Start the FRP server with the following command:
frps -c /etc/frp/frps.ini
2.2 Client Configuration
On the client side:
Create a new configuration file for the FRP client:
sudo nano /etc/frp/frpc.ini
Paste the following into the file:
[common] server_addr = YOUR_SERVER_IP server_port = 7000 [ssh] type = tcp local_ip = 127.0.0.1 local_port = 22 remote_port = 6000
YOUR_SERVER_IP with the actual IP address of your server. Save and close the file.
Start the FRP client with the following command:
frpc -c /etc/frp/frpc.ini
You should now be able to access your local SSH server via the FRP server’s IP and the remote port you specified (
6000 in this case).
Part 3: Secure FRP with Let’s Encrypt To secure your FRP server with Let’s Encrypt, you will need a domain name pointing to your server. Then you can use Certbot to obtain a free SSL certificate.
sudo apt-get update sudo apt-get install software-properties-common sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot python3-certbot-nginx
Obtain a new SSL certificate:
sudo certbot --nginx
Follow the prompts to install your certificate. Certbot will automatically modify your Nginx configuration to use SSL.
In the FRP server configuration (
frps.ini) you will need to specify the location of the certificate and private key:
[common] bind_port = 7000 tls_cert_file = /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem tls_key_file = /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
YOUR_DOMAIN with your actual domain name. This will secure the connection between the FRP server and the client.
Part 4: Configure for Various Scenarios
The example above shows how to configure FRP for SSH access. You can modify the client configuration (
frpc.ini) for different use cases:
Accessing Internal Web Services with Custom Domains in LAN To access internal web services, use an HTTP/HTTPS type:
[web] type = http local_ip = 127.0.0.1 local_port = 8080 custom_domains = web.yourdomain.com
Forward DNS Query Requests To forward DNS query requests, use a TCP type:
[dns] type = tcp local_ip = 127.0.0.1 local_port = 53 remote_port = 6053
Forward Unix Domain Socket
To forward a Unix domain socket, specify the
local_port as the path to the socket:
[socket] type = tcp local_ip = /var/run/docker.sock remote_port = 6001
Expose a Simple HTTP File Server
To expose a simple HTTP file server, use an HTTP type:
[files] type = http local_ip = 127.0.0.1 local_port = 8080
Enable HTTPS for a Local HTTP(S) Service
To enable HTTPS, use an HTTPS type and specify the certificate and key:
[https] type = https local_ip = 127.0.0.1 local_port = 8080 custom_domains = yourdomain.com tls_cert_file = /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem tls_key_file = /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
Expose Your Service Privately
To expose your service privately, add
privilege_mode = true to your FRP client configuration, and
privilege_allow_ports = 6000-7000 to your FRP server configuration. This will expose your service only to clients connected to the FRP server.
For P2P connections, you can use the
[p2p_ssh] type = xtcp local_ip = 127.0.0.1 local_port = 22
This type of connection requires the
stcp feature to be enabled on the FRP server.
Remember to replace
web.yourdomain.com with your actual domain name, and
127.0.0.1:8080 with the real IP and port of your local service.
Configuration files (
frps.ini for the server,
frpc.ini for the client) are used to set up and customize the behavior of FRP. They use the INI file format, consisting of sections containing key-value pairs.
Using Environment Variables
You can use environment variables in the configuration file by referencing them with
$(ENV_VAR_NAME). They will be replaced by the actual value of the environment variable at runtime.
Split Configures Into Different Files
FRP supports splitting the configuration into different files. This can be done using the include directive in the configuration file, which allows the content of other configuration files to be included.
The FRP dashboard is a web-based user interface that provides real-time status monitoring and management of the FRP server. You can enable the dashboard by setting
dashboard_user / dashboard_pwd in the server configuration.
The Admin UI is part of the dashboard. It provides an interface for managing the server, including viewing current connections, proxies, and traffic statistics and manually controlling the status of proxies.
FRP supports monitoring through a web interface and also provides support for Prometheus, a powerful open-source monitoring solution.
You can enable Prometheus metrics by setting
enable_prometheus = true them in the server configuration. The metrics will be available at /metrics on the admin server.
Authenticating the Client
FRP supports various methods of client authentication.
This method involves setting a token in client and server configuration files. The client must provide the token to the server when establishing a connection.
OpenID Connect (OIDC) is a protocol that allows clients to verify the user’s identity based on the authentication performed by an authorization server. FRP supports OIDC, which can be set up by specifying
oidc_audience, and other related configuration options in the server configuration.
Encryption and Compression
FRP supports data encryption and compression to improve the security and efficiency of data transmission.
FRP supports Transport Layer Security (TLS) to secure the client and server connection. This can be enabled by setting
tls_enable = true and specifying the certificate and private key files in the server configuration.
Hot-Reloading frpc configuration
Hot-reloading allows you to modify and reload the client configuration without restarting it. This can be done using the
frpc reload -c /path/to/frpc.ini command.
Get proxy status from the client
You can get the status of a proxy from the client by using the
frpc status -n [proxy_name] command.
Only allowing specific ports on the server
You can restrict the ports that the client can use by specifying
privilege_allow_ports in the server configuration.
FRP supports port reuse, which allows multiple proxies to share the same port on the server. This can be enabled by setting
use_compression = true in the client configuration.
FRP supports limiting the bandwidth used by a proxy.
For Each Proxy
You can set a bandwidth limit for each proxy by specifying
bandwidth_limit in the proxy configuration in the client configuration.
TCP Stream Multiplexing
TCP stream multiplexing is a feature that allows multiple TCP connections to be multiplexed over a single TCP connection. This can be enabled by setting
mux = true in the client configuration.
Support KCP Protocol
FRP supports the KCP protocol, a reliable UDP-based transport protocol that can achieve faster transmission speeds than TCP under conditions of packet loss. This can be enabled by setting
protocol = kcp in the client configuration.
Support QUIC Protocol
FRP supports the QUIC protocol, a UDP-based transport protocol that provides security equivalent to TLS and reduces latency compared to TCP. This can be enabled by setting
protocol = quic in the client configuration.
Connection pooling is a feature that maintains a pool of connections that can be reused, reducing the overhead of establishing a new connection for each request. This can be enabled by setting
pool_count in the client configuration.
FRP supports load balancing among multiple proxies with the same name. This can be enabled by setting
load_balance_method and group in the client configuration.
Service Health Check
FRP supports health checks to monitor the status of a service. This can be configured by setting
health_check_max_failed in the client configuration.
Rewriting the HTTP Host Header
FRP supports rewriting the HTTP Host header. This can be configured by setting
host_header_rewrite in the client configuration.
Setting other HTTP Headers
FRP supports setting other HTTP headers. This can be configured by setting
http_headers in the client configuration.
Get Real IP
FRP supports obtaining the actual IP address of the client. This can be done using the following methods:
This method involves adding the X-Forwarded-For HTTP header to the request containing the client’s IP address.
The Proxy Protocol is a network protocol for transmitting the client’s address information across multiple layers of proxies. FRP supports Proxy Protocol V2.
Require HTTP Basic Auth (Password) for Web Services
FRP supports HTTP Basic Authentication for web services. This can be configured by setting
http_user and http_pwd in the client configuration.
Custom Subdomain Names
FRP supports custom subdomain names. This can be configured by setting a subdomain in the client configuration.
FRP supports URL routing, which allows different URLs to be routed to various local services. This can be configured by defining multiple HTTP/HTTPS type proxies with different custom domains, subdomains, and locations.
TCP Port Multiplexing
FRP supports TCP port multiplexing, which allows multiple services to share the same port. This can be enabled by setting
use_mux = true in the client configuration.
Connecting to frps via HTTP PROXY
FRP supports connecting to the FRP server via an HTTP proxy. This can be configured by setting
http_proxy in the client configuration.
Range ports mapping
FRP supports range port mapping, which allows a range of ports to be mapped to a range of local ports. This can be configured by setting
local_port to a range in the client configuration.
FRP supports client plugins, which can extend the functionality of the FRP client. The plugin configuration can be added under a separate section in the client configuration.
Server Manage Plugins
FRP supports server management plugins, which can extend the functionality of the FRP server. The plugin configuration can be added under a separate section in the server configuration.