change default value of tls_enable and disable_custom_tls_first_byte (#3494)
This commit is contained in:
parent
15a245766e
commit
685d7618f3
@ -562,11 +562,9 @@ use_compression = true
|
|||||||
|
|
||||||
#### TLS
|
#### TLS
|
||||||
|
|
||||||
frp supports the TLS protocol between `frpc` and `frps` since v0.25.0.
|
Since v0.50.0, the default value of `tls_enable` and `disable_custom_tls_first_byte` has been changed to true, and tls is enabled by default.
|
||||||
|
|
||||||
For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection.
|
For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `disable_custom_tls_first_byte` to false.
|
||||||
|
|
||||||
Configure `tls_enable = true` in the `[common]` section to `frpc.ini` to enable this feature.
|
|
||||||
|
|
||||||
To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**
|
To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**
|
||||||
|
|
||||||
@ -581,7 +579,6 @@ tls_trusted_ca_file = ca.crt
|
|||||||
**`frps` TLS settings (under the `[common]` section):**
|
**`frps` TLS settings (under the `[common]` section):**
|
||||||
```ini
|
```ini
|
||||||
tls_only = true
|
tls_only = true
|
||||||
tls_enable = true
|
|
||||||
tls_cert_file = certificate.crt
|
tls_cert_file = certificate.crt
|
||||||
tls_key_file = certificate.key
|
tls_key_file = certificate.key
|
||||||
tls_trusted_ca_file = ca.crt
|
tls_trusted_ca_file = ca.crt
|
||||||
|
@ -61,6 +61,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xl.Trace("nathole prepare start")
|
||||||
prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
|
prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
xl.Warn("nathole prepare error: %v", err)
|
xl.Warn("nathole prepare error: %v", err)
|
||||||
@ -80,6 +81,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
|
|||||||
AssistedAddrs: prepareResult.AssistedAddrs,
|
AssistedAddrs: prepareResult.AssistedAddrs,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xl.Trace("nathole exchange info start")
|
||||||
natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
|
natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
xl.Warn("nathole exchange info error: %v", err)
|
xl.Warn("nathole exchange info error: %v", err)
|
||||||
|
@ -266,11 +266,13 @@ func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
|
|||||||
// 4. Create a tunnel session using an underlying UDP connection.
|
// 4. Create a tunnel session using an underlying UDP connection.
|
||||||
func (sv *XTCPVisitor) makeNatHole() {
|
func (sv *XTCPVisitor) makeNatHole() {
|
||||||
xl := xlog.FromContextSafe(sv.ctx)
|
xl := xlog.FromContextSafe(sv.ctx)
|
||||||
|
xl.Trace("makeNatHole start")
|
||||||
if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
|
if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
|
||||||
xl.Warn("nathole precheck error: %v", err)
|
xl.Warn("nathole precheck error: %v", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xl.Trace("nathole prepare start")
|
||||||
prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
|
prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
xl.Warn("nathole prepare error: %v", err)
|
xl.Warn("nathole prepare error: %v", err)
|
||||||
@ -294,6 +296,7 @@ func (sv *XTCPVisitor) makeNatHole() {
|
|||||||
AssistedAddrs: prepareResult.AssistedAddrs,
|
AssistedAddrs: prepareResult.AssistedAddrs,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xl.Trace("nathole exchange info start")
|
||||||
natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
|
natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
listenConn.Close()
|
listenConn.Close()
|
||||||
|
@ -94,7 +94,7 @@ func RegisterCommonFlags(cmd *cobra.Command) {
|
|||||||
cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
|
cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
|
||||||
cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
|
cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
|
||||||
cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
|
cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
|
||||||
cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", false, "enable frpc tls")
|
cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")
|
||||||
cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
|
cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
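Review bot: The help text on the changed line `cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")` does not tell users how to opt out now that the default is true; cobra prints `(default true)`, but a bare `--tls_enable` no longer changes anything and the working spelling is `--tls_enable=false`. Consider `"enable frpc tls (default true since v0.50.0; use --tls_enable=false to disable)"`. If, as the rest of frp appears to do, enabling TLS without `tls_trusted_ca_file` leaves the server certificate unverified (not visible in this hunk), the new default buys transport encryption but not server authentication, and the README wording should not imply more than that. RegisterCommonFlags starts and ends outside the hunk.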
@ -107,7 +107,8 @@ connect_server_local_ip = 0.0.0.0
|
|||||||
# quic_max_idle_timeout = 30
|
# quic_max_idle_timeout = 30
|
||||||
# quic_max_incoming_streams = 100000
|
# quic_max_incoming_streams = 100000
|
||||||
|
|
||||||
# if tls_enable is true, frpc will connect frps by tls
|
# If tls_enable is true, frpc will connect frps by tls.
|
||||||
|
# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
|
||||||
tls_enable = true
|
tls_enable = true
|
||||||
|
|
||||||
# tls_cert_file = client.crt
|
# tls_cert_file = client.crt
|
||||||
@ -140,9 +141,10 @@ udp_packet_size = 1500
|
|||||||
# include other config files for proxies.
|
# include other config files for proxies.
|
||||||
# includes = ./confd/*.ini
|
# includes = ./confd/*.ini
|
||||||
|
|
||||||
# By default, frpc will connect frps with first custom byte if tls is enabled.
|
# If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
|
||||||
# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
|
# first custom byte when tls is enabled.
|
||||||
disable_custom_tls_first_byte = false
|
# Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
|
||||||
|
disable_custom_tls_first_byte = true
|
||||||
|
|
||||||
# Enable golang pprof handlers in admin listener.
|
# Enable golang pprof handlers in admin listener.
|
||||||
# Admin port must be set first.
|
# Admin port must be set first.
|
||||||
|
@ -127,6 +127,7 @@ type ClientCommonConf struct {
|
|||||||
// TLSEnable specifies whether or not TLS should be used when communicating
|
// TLSEnable specifies whether or not TLS should be used when communicating
|
||||||
// with the server. If "tls_cert_file" and "tls_key_file" are valid,
|
// with the server. If "tls_cert_file" and "tls_key_file" are valid,
|
||||||
// client will load the supplied tls configuration.
|
// client will load the supplied tls configuration.
|
||||||
|
// Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
|
||||||
TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
|
TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
|
||||||
// TLSCertPath specifies the path of the cert file that client will
|
// TLSCertPath specifies the path of the cert file that client will
|
||||||
// load. It only works when "tls_enable" is true and "tls_key_file" is valid.
|
// load. It only works when "tls_enable" is true and "tls_key_file" is valid.
|
||||||
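Review bot: The added comment `// Since v0.50.0, the default value has been changed to true, and tls is enabled by default.` sits on a `bool` field whose Go zero value is still false, so the statement only holds for configs built through GetDefaultClientConf, not for a zero-valued ClientCommonConf; the comment should name the source of the default, e.g. `// Since v0.50.0 GetDefaultClientConf sets this to true; a zero-valued ClientCommonConf still has TLS disabled.` The same applies to the matching comment on `DisableCustomTLSFirstByte` in the next hunk. The struct definition starts and ends outside these hunks.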
@ -142,8 +143,9 @@ type ClientCommonConf struct {
|
|||||||
// TLSServerName specifies the custom server name of tls certificate. By
|
// TLSServerName specifies the custom server name of tls certificate. By
|
||||||
// default, server name if same to ServerAddr.
|
// default, server name if same to ServerAddr.
|
||||||
TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
|
TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
|
||||||
// By default, frpc will connect frps with first custom byte if tls is enabled.
|
// If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
|
||||||
// If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
|
// first custom byte when tls is enabled.
|
||||||
|
// Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
|
||||||
DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"`
|
DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"`
|
||||||
// HeartBeatInterval specifies at what interval heartbeats are sent to the
|
// HeartBeatInterval specifies at what interval heartbeats are sent to the
|
||||||
// server, in seconds. It is not recommended to change this value. By
|
// server, in seconds. It is not recommended to change this value. By
|
||||||
@ -189,6 +191,8 @@ func GetDefaultClientConf() ClientCommonConf {
|
|||||||
QUICKeepalivePeriod: 10,
|
QUICKeepalivePeriod: 10,
|
||||||
QUICMaxIdleTimeout: 30,
|
QUICMaxIdleTimeout: 30,
|
||||||
QUICMaxIncomingStreams: 100000,
|
QUICMaxIncomingStreams: 100000,
|
||||||
|
TLSEnable: true,
|
||||||
|
DisableCustomTLSFirstByte: true,
|
||||||
HeartbeatInterval: 30,
|
HeartbeatInterval: 30,
|
||||||
HeartbeatTimeout: 90,
|
HeartbeatTimeout: 90,
|
||||||
Metas: make(map[string]string),
|
Metas: make(map[string]string),
|
||||||
|
@ -288,6 +288,7 @@ func Test_LoadClientCommonConf(t *testing.T) {
|
|||||||
TLSKeyFile: "client.key",
|
TLSKeyFile: "client.key",
|
||||||
TLSTrustedCaFile: "ca.crt",
|
TLSTrustedCaFile: "ca.crt",
|
||||||
TLSServerName: "example.com",
|
TLSServerName: "example.com",
|
||||||
|
DisableCustomTLSFirstByte: true,
|
||||||
DNSServer: "8.8.8.9",
|
DNSServer: "8.8.8.9",
|
||||||
Start: []string{"ssh", "dns"},
|
Start: []string{"ssh", "dns"},
|
||||||
HeartbeatInterval: 39,
|
HeartbeatInterval: 39,
|
||||||
|
@ -194,7 +194,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
|
|||||||
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
|
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
log.Trace("handle visitor message, sid [%s]", sid)
|
log.Trace("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)
|
||||||
|
|
||||||
defer func() {
|
defer func() {
|
||||||
c.mu.Lock()
|
c.mu.Lock()
|
||||||
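Review bot: `m.ProxyName` on the new line `log.Trace("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)` appears to come from the peer's NatHoleVisitor message, so a client-controlled string is written verbatim into the server log; formatting it with `%q` instead of `%s` keeps embedded newlines or control characters from forging extra log lines and makes an empty name visible. The same applies to the `m.ProxyName` trace added in HandleClient in the next hunk. HandleVisitor's body continues outside the hunk.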
@ -256,7 +256,7 @@ func (c *Controller) HandleClient(m *msg.NatHoleClient, transporter transport.Me
|
|||||||
if !ok {
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
log.Trace("handle client message, sid [%s]", session.sid)
|
log.Trace("handle client message, sid [%s], server name: %s", session.sid, m.ProxyName)
|
||||||
session.clientMsg = m
|
session.clientMsg = m
|
||||||
session.clientTransporter = transporter
|
session.clientTransporter = transporter
|
||||||
select {
|
select {
|
||||||
|
@ -409,9 +409,13 @@ var _ = ginkgo.Describe("[Feature: Basic]", func() {
|
|||||||
f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf})
|
f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf})
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
|
timeout := time.Second
|
||||||
|
if t == "xtcp" {
|
||||||
|
timeout = 4 * time.Second
|
||||||
|
}
|
||||||
framework.NewRequestExpect(f).
|
framework.NewRequestExpect(f).
|
||||||
RequestModify(func(r *request.Request) {
|
RequestModify(func(r *request.Request) {
|
||||||
r.Timeout(3 * time.Second)
|
r.Timeout(timeout)
|
||||||
}).
|
}).
|
||||||
Protocol(protocol).
|
Protocol(protocol).
|
||||||
PortName(test.bindPortName).
|
PortName(test.bindPortName).
|
||||||
|
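Review bot: The added `timeout := time.Second` / `if t == "xtcp" { timeout = 4 * time.Second }` block depends on `t`, not on the loop variable `test`, so it is recomputed on every iteration of `for _, test := range tests`; moving those four lines above the loop says what they depend on and avoids the per-iteration work. The non-xtcp request timeout also drops from the previous `r.Timeout(3 * time.Second)` to one second, which may make these e2e cases flakier on slow CI; a short comment on why one second is enough would help the next person who sees a timeout failure. `t` is not declared in the hunk and is presumably an outer loop variable; the enclosing Describe starts and ends outside the hunk.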
@ -101,11 +101,13 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
|
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
|
||||||
for _, protocol := range supportProtocols {
|
for _, protocol := range supportProtocols {
|
||||||
tmp := protocol
|
tmp := protocol
|
||||||
defineClientServerTest("TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
|
// Since v0.50.0, the default value of tls_enable has been changed to true.
|
||||||
|
// Therefore, here it needs to be set as false to test the scenario of turning it off.
|
||||||
|
defineClientServerTest("Disable TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
|
||||||
server: fmt.Sprintf(`
|
server: fmt.Sprintf(`
|
||||||
%s
|
%s
|
||||||
`, renderBindPortConfig(protocol)),
|
`, renderBindPortConfig(protocol)),
|
||||||
client: fmt.Sprintf(`tls_enable = true
|
client: fmt.Sprintf(`tls_enable = false
|
||||||
protocol = %s
|
protocol = %s
|
||||||
`, protocol),
|
`, protocol),
|
||||||
})
|
})
|
||||||
@ -113,10 +115,10 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
|
|
||||||
defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{
|
defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{
|
||||||
server: "tls_only = true",
|
server: "tls_only = true",
|
||||||
client: "tls_enable = true",
|
|
||||||
})
|
})
|
||||||
defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{
|
defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{
|
||||||
server: "tls_only = true",
|
server: "tls_only = true",
|
||||||
|
client: "tls_enable = false",
|
||||||
expectError: true,
|
expectError: true,
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
@ -155,7 +157,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
`, renderBindPortConfig(tmp), caCrtPath),
|
`, renderBindPortConfig(tmp), caCrtPath),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
protocol = %s
|
protocol = %s
|
||||||
tls_enable = true
|
|
||||||
tls_cert_file = %s
|
tls_cert_file = %s
|
||||||
tls_key_file = %s
|
tls_key_file = %s
|
||||||
`, tmp, clientCrtPath, clientKeyPath),
|
`, tmp, clientCrtPath, clientKeyPath),
|
||||||
@ -172,7 +173,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
`, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath),
|
`, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
protocol = %s
|
protocol = %s
|
||||||
tls_enable = true
|
|
||||||
tls_cert_file = %s
|
tls_cert_file = %s
|
||||||
tls_key_file = %s
|
tls_key_file = %s
|
||||||
tls_trusted_ca_file = %s
|
tls_trusted_ca_file = %s
|
||||||
@ -211,7 +211,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
tls_trusted_ca_file = %s
|
tls_trusted_ca_file = %s
|
||||||
`, serverCrtPath, serverKeyPath, caCrtPath),
|
`, serverCrtPath, serverKeyPath, caCrtPath),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
tls_enable = true
|
|
||||||
tls_server_name = example.com
|
tls_server_name = example.com
|
||||||
tls_cert_file = %s
|
tls_cert_file = %s
|
||||||
tls_key_file = %s
|
tls_key_file = %s
|
||||||
@ -228,7 +227,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
tls_trusted_ca_file = %s
|
tls_trusted_ca_file = %s
|
||||||
`, serverCrtPath, serverKeyPath, caCrtPath),
|
`, serverCrtPath, serverKeyPath, caCrtPath),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
tls_enable = true
|
|
||||||
tls_server_name = invalid.com
|
tls_server_name = invalid.com
|
||||||
tls_cert_file = %s
|
tls_cert_file = %s
|
||||||
tls_key_file = %s
|
tls_key_file = %s
|
||||||
@ -239,7 +237,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.Describe("TLS with disable_custom_tls_first_byte", func() {
|
ginkgo.Describe("TLS with disable_custom_tls_first_byte set to false", func() {
|
||||||
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
|
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
|
||||||
for _, protocol := range supportProtocols {
|
for _, protocol := range supportProtocols {
|
||||||
tmp := protocol
|
tmp := protocol
|
||||||
@ -248,9 +246,8 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
%s
|
%s
|
||||||
`, renderBindPortConfig(protocol)),
|
`, renderBindPortConfig(protocol)),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
tls_enable = true
|
|
||||||
protocol = %s
|
protocol = %s
|
||||||
disable_custom_tls_first_byte = true
|
disable_custom_tls_first_byte = false
|
||||||
`, protocol),
|
`, protocol),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
@ -266,9 +263,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
|
|||||||
%s
|
%s
|
||||||
`, renderBindPortConfig(protocol)),
|
`, renderBindPortConfig(protocol)),
|
||||||
client: fmt.Sprintf(`
|
client: fmt.Sprintf(`
|
||||||
tls_enable = true
|
|
||||||
protocol = %s
|
protocol = %s
|
||||||
disable_custom_tls_first_byte = true
|
|
||||||
`, protocol),
|
`, protocol),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|