示例文件:https://github.com/fatedier/frp/blob/v0.52.3/conf/frps_full_example.toml
# 服务端监听地址,用于接收 frpc 的连接,默认监听 0.0.0.0
bindAddr = "0.0.0.0"
# 服务端监听端口,默认值为 7000
bindPort = 7000
# 服务端监听 KCP 协议端口,用于接收配置了使用 KCP 协议的 frpc 连接。端口可和 bindPort 相同,未配置时默认禁用 KCP
kcpBindPort = 7000
# 服务端监听 QUIC 协议端口,用于接收配置了使用 QUIC 协议的 frpc 连接。未配置时默认禁用 QUIC
quicBindPort = 7002
# 代理监听地址,可以使代理监听在不同的网卡地址,默认情况下同 bindAddr。
proxyBindAddr = "127.0.0.1"
# HTTP 类型代理监听的端口,启用后才能支持 HTTP 类型的代理。端口可和 bindPort 相同。
vhostHTTPPort = 80
# HTTPS 类型代理监听的端口,启用后才能支持 HTTPS 类型的代理。端口可和 bindPort 相同。
vhostHTTPSPort = 443
# HTTP 类型代理在服务端的 ResponseHeader 超时时间,默认为 60s。
vhostHTTPTimeout = 60
# tcpmux 类型且复用器为 httpconnect 的代理监听的端口。
tcpmuxHTTPConnectPort = 1337
# 对于 tcpmux 类型的代理是否透传 CONNECT 请求。
tcpmuxPassthrough = false
# 鉴权配置
## 鉴权方式,可选值为 token 或 oidc,默认为 token。
auth.method = "token"
## 鉴权信息附加范围,可选值为 HeartBeats 和 NewWorkConns
auth.additionalScopes = ["HeartBeats", "NewWorkConns"]
## 在 method 为 token 时生效,客户端需要设置一样的值才能鉴权通过。
auth.token = "12345678"
## oidc 鉴权配置。
### oidc issuer specifies the issuer to verify OIDC tokens with.
auth.oidc.issuer = ""
### oidc audience specifies the audience OIDC tokens should contain when validated.
auth.oidc.audience = ""
### oidc skipExpiryCheck specifies whether to skip checking if the OIDC token is expired.
auth.oidc.skipExpiryCheck = false
### oidc skipIssuerCheck specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
auth.oidc.skipIssuerCheck = false
# 日志配置
## 日志输出文件路径,如果为 console,则会将日志打印在标准输出中。
log.to = "./frps.log"
## 日志级别,可选值为 trace, debug, info, warn, error,默认级别为 info。
log.level = "info"
## 日志文件最多保留天数,默认为 3 天。
log.maxDays = 3
## 禁用标准输出中的日志颜色。
log.disablePrintColor = false
# 服务端 Dashboard 配置。
## webServer 监听地址,默认为 127.0.0.1。
webServer.addr = "127.0.0.1"
## webServer 监听端口。
webServer.port = 7500
## HTTP BasicAuth 用户名。
webServer.user = "admin"
## HTTP BasicAuth 密码。
webServer.password = "admin"
## 静态资源目录,Dashboard 使用的资源默认打包在二进制文件中,通过指定此参数使用自定义的静态资源。
webServer.assetsDir = "./static"
## 启动 Go HTTP pprof,用于应用调试。
webServer.pprofEnable = false
## Dashboard 启用 HTTPS 的 TLS 相关配置。
### TLS 证书文件路径。
webServer.tls.certFile = "server.crt"
### TLS 密钥文件路径。
webServer.tls.keyFile = "server.key"
# 网络层配置。
## 允许客户端设置的最大连接池大小,如果客户端配置的值大于此值,会被强制修改为最大值,默认为 5。
transport.maxPoolCount = 5
## 服务端和客户端心跳连接的超时时间,单位秒,默认为 90 秒。
transport.heartbeatTimeout = 90
## 和客户端底层 TCP 连接的 keepalive 间隔时间,单位秒,配置为负数表示不启用。
transport.tcpKeepalive = 7200
# 是否启用 tcp mux
transport.tcpMux = true
## tcp mux 的心跳检查间隔时间,单位秒。
transport.tcpMuxKeepaliveInterval = 60
## QUIC 协议配置参数。
transport.quic.keepalivePeriod = 10
transport.quic.maxIdleTimeout = 30
transport.quic.maxIncomingStreams = 100000
## 服务端 TLS 协议配置。
### 是否只接受启用了 TLS 的客户端连接。
tls.force = false
### TLS 协议配置
#### TLS 证书文件路径。
transport.tls.certFile = "server.crt"
#### TLS 密钥文件路径。
transport.tls.keyFile = "server.key"
#### CA 证书文件路径。
transport.tls.trustedCaFile = "ca.crt"
# 是否提供 Prometheus 监控接口,需要同时启用了 webServer 后才会生效。
enablePrometheus = true
# 服务端返回详细错误信息给客户端,默认为 true。
detailedErrorsToClient = true
# 用户建立连接后等待客户端响应的超时时间,单位秒,默认为 10 秒。
# userConnTimeout = 10
# 允许代理绑定的服务端端口。
allowPorts = [
{ start = 2000, end = 3000 },
{ single = 3001 },
{ single = 3003 },
{ start = 4000, end = 50000 }
]
# 限制单个客户端最大同时存在的代理数,默认无限制。
maxPortsPerClient = 0
# 二级域名后缀。
subDomainHost = "frps.com"
# 自定义 404 错误页面地址。
custom404Page = "/path/to/404.html"
# 代理 UDP 服务时支持的最大包长度,默认为 1500,服务端和客户端的值需要一致。
udpPacketSize = 1500
# 打洞策略数据的保留时间,默认为 168 小时,即 7 天。
natholeAnalysisDataReserveHours = 168
# 服务端 HTTP 插件配置。
[[httpPlugins]]
## 插件名称。
name = "user-manager"
## 插件接口的地址。
addr = "127.0.0.1:9000"
## 插件接口的 Path。
path = "/handler"
## 插件需要生效的操作列表,具体可选值请参考服务端插件的说明文档。
ops = ["Login"]
[[httpPlugins]]
name = "port-manager"
addr = "127.0.0.1:9001"
path = "/handler"
ops = ["NewProxy"]
示例文件:https://github.com/fatedier/frp/blob/v0.52.3/conf/frpc_full_example.toml
# 用户名,设置此参数后,代理名称会被修改为 {user}.{proxyName},避免代理名称和其他用户冲突。
user = "your_name"
# 连接服务端的地址。
serverAddr = "0.0.0.0"
# 连接服务端的端口,默认为 7000。
serverPort = 7000
# 鉴权配置
## 鉴权方式,可选值为 token 或 oidc,默认为 token。
auth.method = "token"
## 鉴权信息附加范围,可选值为 HeartBeats 和 NewWorkConns
auth.additionalScopes = ["HeartBeats", "NewWorkConns"]
## 在 method 为 token 时生效,客户端需要设置一样的值才能鉴权通过。
auth.token = "12345678"
## oidc 鉴权配置。
### oidc.clientID specifies the client ID to use to get a token in OIDC authentication.
auth.oidc.clientID = ""
### oidc.clientSecret specifies the client secret to use to get a token in OIDC authentication.
auth.oidc.clientSecret = ""
### oidc.audience specifies the audience of the token in OIDC authentication.
auth.oidc.audience = ""
### oidc.scope specifies the permisssions of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
auth.oidc.scope = ""
### oidc.tokenEndpointURL specifies the URL which implements OIDC Token Endpoint.It will be used to get an OIDC token.
auth.oidc.tokenEndpointURL = ""
### oidc.additionalEndpointParams specifies additional parameters to be sent to the OIDC Token Endpoint.
### For example, if you want to specify the "audience" parameter, you can set as follow.
### frp will add "audience=<value>" "var1=<value>" to the additional parameters.
auth.oidc.additionalEndpointParams.audience = "https://dev.auth.com/api/v2/"
auth.oidc.additionalEndpointParams.var1 = "foobar"
# xtcp 打洞所需的 stun 服务器地址,默认为 stun.easyvoip.com:3478。
natHoleStunServer = "stun.easyvoip.com:3478"
# 使用 DNS 服务器地址,默认使用系统配置的 DNS 服务器,指定此参数可以强制替换为自定义的 DNS 服务器地址。
dnsServer = "8.8.8.8"
# 第一次登陆失败后是否退出,默认为 true。
loginFailExit = true
# 日志配置
## 日志输出文件路径,如果为 console,则会将日志打印在标准输出中。
log.to = "./frpc.log"
## 日志级别,可选值为 trace, debug, info, warn, error,默认级别为 info。
log.level = "info"
## 日志文件最多保留天数,默认为 3 天。
log.maxDays = 3
## 禁用标准输出中的日志颜色。
log.disablePrintColor = false
# 客户端 AdminServer 配置。
## webServer 监听地址,默认为 127.0.0.1。
webServer.addr = "127.0.0.1"
## webServer 监听端口。
webServer.port = 7400
## HTTP BasicAuth 用户名。
webServer.user = "admin"
## HTTP BasicAuth 密码。
webServer.password = "admin"
## 静态资源目录,Dashboard 使用的资源默认打包在二进制文件中,通过指定此参数使用自定义的静态资源。
webServer.assetsDir = "./static"
## 启动 Go HTTP pprof,用于应用调试。
webServer.pprofEnable = false
# 客户端网络层配置。
## 连接服务端时所绑定的本地 IP。
transport.connectServerLocalIP = "0.0.0.0"
## 和 frps 之间的通信协议,可选值为 tcp, kcp, quic, websocket, wss。默认为 tcp。
transport.protocol = "tcp"
## 连接服务端的超时时间,默认为 10s。
transport.dialServerTimeout = 10
## 和服务端底层 TCP 连接的 keepalive 间隔时间,单位秒。
transport.dialServerKeepalive = 7200
## 连接池大小。
transport.poolCount = 5
## 向服务端发送心跳包的间隔时间,默认为 30s。建议启用 tcp_mux_keepalive_interval,将此值设置为 -1。
transport.heartbeatInterval = 30
## 和服务端心跳的超时时间,默认为 90s。
transport.heartbeatTimeout = 90
## TCP 多路复用,默认启用。
transport.tcpMux = true
## tcp_mux 的心跳检查间隔时间。
transport.tcpMuxKeepaliveInterval = 60
## 连接服务端使用的代理地址,格式为 {protocol}://user:passwd@192.168.1.128:8080 protocol 目前支持 http、socks5、ntlm。
transport.proxyURL = "http://user:passwd@192.168.1.128:8080"
transport.proxyURL = "socks5://user:passwd@192.168.1.128:1080"
transport.proxyURL = "ntlm://user:passwd@192.168.1.128:2080"
## QUIC 协议配置参数。
transport.quic.keepalivePeriod = 10
transport.quic.maxIdleTimeout = 30
transport.quic.maxIncomingStreams = 100000
## 客户端 TLS 协议配置。
### 是否和服务端之间启用 TLS 连接,默认启用。
transport.tls.enable = true
### 启用 TLS 连接时,不发送 0x17 特殊字节。默认为 true。当配置为 true 时,无法和 vhostHTTPSPort 端口复用。
transport.tls.disableCustomTLSFirstByte = true
### TLS 证书文件路径。
transport.tls.certFile = "client.crt"
### TLS 密钥文件路径。
transport.tls.keyFile = "client.key"
### CA 证书文件路径。
transport.tls.trustedCaFile = "ca.crt"
### TLS Server 名称。
transport.tls.serverName = "example.com"
# 指定启用部分代理,当配置了较多代理,但是只希望启用其中部分时可以通过此参数指定,默认为全部启用。
start = ["ssh", "dns"]
# 代理 UDP 服务时支持的最大包长度,默认为 1500,服务端和客户端需要保持配置一致。
udpPacketSize = 1500
# 附加元数据,会传递给服务端插件,提供附加能力。
metadatas.var1 = "abc"
metadatas.var2 = "123"
# 指定额外的配置文件目录,其中的 proxy 和 visitor 配置会被读取加载。
includes = ["./confd/*.ini"]
# 代理配置,不同的代理类型对应不同的配置
## TCP代理配置
[[proxies]]
### 代理名称。
name = "ssh"
### 代理类型,可选值为 tcp, udp, http, https, tcpmux, stcp, sudp, xtcp。
type = "tcp"
### 被代理的本地服务 IP,默认为 127.0.0.1。
localIP = "127.0.0.1"
### 被代理的本地服务端口。
localPort = 22
### 服务端绑定的端口,用户访问服务端此端口的流量会被转发到对应的本地服务。若配置为0则或随机分配端口
remotePort = 6001
### 代理网络层配置。
#### 设置单个 proxy 的带宽限流,单位为 MB 或 KB,0 表示不限制,如果启用,默认会作用于对应的 frpc。
transport.bandwidthLimit = "1MB"
#### 限流类型,客户端限流或服务端限流,可选值为 client 和 server,默认为客户端限流。
transport.bandwidthLimitMode = "client"
#### 是否启用加密功能,启用后该代理和服务端之间的通信内容都会被加密传输,如果 frpc 启用了全局 TLS,则不需要再启用此参数。
transport.useEncryption = false
#### 是否启用压缩功能,启用后该代理和服务端之间的通信内容都会被压缩传输。
transport.useCompression = false
### 负载均衡配置。
#### 负载均衡分组名称,用户请求会以轮询的方式发送给同一个 group 中的代理。
loadBalancer.group = "test_group"
#### 负载均衡分组密钥,用于对负载均衡分组进行鉴权,groupKey 相同的代理才会被加入到同一个分组中。
loadBalancer.groupKey = "123456"
### 健康检查配置。
#### 健康检查类型,可选值为 tcp 和 http,配置后启用健康检查功能,tcp 是连接成功则认为服务健康,http 要求接口返回 2xx 的状态码则认为服务健康。
healthCheck.type = "tcp"
#### 健康检查超时时间(秒),默认为 3s。
healthCheck.timeoutSeconds = 3
#### 健康检查连续错误次数,连续检查错误多少次认为服务不健康,默认为 1。
healthCheck.maxFailed = 3
#### 健康检查周期(秒),每隔多长时间进行一次健康检查,默认为 10s。
healthCheck.intervalSeconds = 10
### 附加元数据,会传递给服务端插件,提供附加能力。
metadatas.var1 = "abc"
metadatas.var2 = "123"
## UDP代理配置
[[proxies]]
name = "dns"
type = "udp"
localIP = "114.114.114.114"
localPort = 53
remotePort = 6002
## HTTP 配置
[[proxies]]
name = "web01"
type = "http"
localIP = "127.0.0.1"
localPort = 80
### HTTP Basic Auth 用户名。
httpUser = "admin"
### HTTP Basic Auth 密码。
httpPassword = "admin"
### 子域名。
subdomain = "web01"
### 自定义域名列表。
customDomains = ["web01.yourdomain.com"]
### URL 路由配置。
locations = ["/", "/pic"]
### 根据 HTTP Basic Auth user 路由。
routeByHTTPUser = abc
### 替换 Host Header。
hostHeaderRewrite = "example.com"
### 对请求 Header 的操作配置。
#### 在 Header 中设置指定的 KV 值。
requestHeaders.set.x-from-where = "frp"
### 健康检查配置。
healthCheck.type = "http"
#### 健康检查的 HTTP 接口,如果健康检查类型是 http,则需要配置此参数,指定发送 http 请求的 path,例如 /health。
healthCheck.path = "/status"
healthCheck.intervalSeconds = 10
healthCheck.maxFailed = 3
healthCheck.timeoutSeconds = 3
## HTTPS 配置
[[proxies]]
name = "web02"
type = "https"
localIP = "127.0.0.1"
localPort = 8000
subdomain = "web02"
customDomains = ["web02.yourdomain.com"]
# 启用 proxy protocol 协议的版本,可选值为 v1 和 v2。如果启用,则 frpc 和本地服务建立连接后会发送 proxy protocol 的协议,包含了原请求的 IP 地址和端口等内容。
transport.proxyProtocolVersion = "v2"
## TCPMux 配置
[[proxies]]
name = "tcpmuxhttpconnect"
type = "tcpmux"
multiplexer = "httpconnect"
localIP = "127.0.0.1"
localPort = 10701
customDomains = ["tunnel1"]
# routeByHTTPUser = "user1"
[[proxies]]
name = "plugin_unix_domain_socket"
type = "tcp"
remotePort = 6003
# if plugin is defined, localIP and localPort is useless
# plugin will handle connections got from frps
[proxies.plugin]
type = "unix_domain_socket"
unixPath = "/var/run/docker.sock"
[[proxies]]
name = "plugin_http_proxy"
type = "tcp"
remotePort = 6004
[proxies.plugin]
type = "http_proxy"
httpUser = "abc"
httpPassword = "abc"
[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 6005
[proxies.plugin]
type = "socks5"
username = "abc"
password = "abc"
[[proxies]]
name = "plugin_static_file"
type = "tcp"
remotePort = 6006
[proxies.plugin]
type = "static_file"
localPath = "/var/www/blog"
stripPrefix = "static"
httpUser = "abc"
httpPassword = "abc"
[[proxies]]
name = "plugin_https2http"
type = "https"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
[[proxies]]
name = "plugin_https2https"
type = "https"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "https2https"
localAddr = "127.0.0.1:443"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
[[proxies]]
name = "plugin_http2https"
type = "http"
customDomains = ["test.yourdomain.com"]
[proxies.plugin]
type = "http2https"
localAddr = "127.0.0.1:443"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
[[proxies]]
name = "secret_tcp"
# If the type is secret tcp, remotePort is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = "stcp"
# secretKey is used for authentication for visitors
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allowUsers = ["*"]
[[proxies]]
name = "p2p_tcp"
type = "xtcp"
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allowUsers = ["user1", "user2"]
# 访问者配置,不同的访问者类型对应不同的配置
## STCP 配置
[[visitors]]
### 访问者名称。
name = "secret_tcp_visitor"
### 访问者类型,可选值为 stcp, sudp, xtcp。
type = "stcp"
### 要访问的 proxy 名称。
serverName = "secret_tcp"
### 密钥,服务端和访问端的密钥需要一致,访问端才能访问到服务端。
secretKey = "abcdefg"
### visitor 监听的本地地址,通过访问监听的地址和端口,连接到远端代理的服务。
bindAddr = "127.0.0.1"
### visitor 监听的本地端口,如果为 -1,表示不需要监听物理端口,通常可以用于作为其他 visitor 的 fallback。
bindPort = 9000
## XTCP 配置
[[visitors]]
name = "p2p_tcp_visitor"
type = "xtcp"
### 要访问的 proxy 所属的用户名,如果为空,则默认为当前用户。
serverUser = "user1"
serverName = "p2p_tcp"
secretKey = "abcdefg"
bindAddr = "127.0.0.1"
bindPort = 9001
### 是否保持隧道打开,如果开启,会定期检查隧道状态并尝试保持打开。
keepTunnelOpen = false
### 每小时尝试打开隧道的次数,默认值为 8。
maxRetriesAnHour = 8
### 重试打开隧道的最小间隔时间,单位: 秒,默认为 90s。
minRetryInterval = 90
### 回退到的其他 visitor 名称。
fallbackTo = "stcp_visitor"
### 连接建立超过多长时间(ms) 后回退到其他 visitor。
fallbackTimeoutMs = 500
示例文件:https://github.com/fatedier/frp/blob/v0.51.3/conf/frps_full.ini
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "bind_addr" field, no need square brackets, like "bind_addr = ::".
bind_addr = 0.0.0.0
bind_port = 7000
# udp port used for kcp protocol, it can be same with 'bind_port'.
# if not set, kcp is disabled in frps.
kcp_bind_port = 7000
# udp port used for quic protocol.
# if not set, quic is disabled in frps.
# quic_bind_port = 7002
# quic protocol options
# quic_keepalive_period = 10
# quic_max_idle_timeout = 30
# quic_max_incoming_streams = 100000
# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1
# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443
# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60
# tcpmux_httpconnect_port specifies the port that the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmux_httpconnect_port = 1337
# If tcpmux_passthrough is true, frps won't do any update on traffic.
# tcpmux_passthrough = false
# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500
# dashboard user and passwd for basic auth protect
dashboard_user = admin
dashboard_pwd = admin
# dashboard TLS mode
dashboard_tls_mode = false
# dashboard_tls_cert_file = server.crt
# dashboard_tls_key_file = server.key
# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
enable_prometheus = true
# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailed_errors_to_client = true
# authentication_method specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
authentication_method = token
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false
# AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false
# auth token
token = 12345678
# oidc_issuer specifies the issuer to verify OIDC tokens with.
# By default, this value is "".
oidc_issuer =
# oidc_audience specifies the audience OIDC tokens should contain when validated.
# By default, this value is "".
oidc_audience =
# oidc_skip_expiry_check specifies whether to skip checking if the OIDC token is expired.
# By default, this value is false.
oidc_skip_expiry_check = false
# oidc_skip_issuer_check specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
# By default, this value is false.
oidc_skip_issuer_check = false
# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90. Set negative value to disable it.
# heartbeat_timeout = 90
# user_conn_timeout configure, it's not recommended to modify the default value
# the default value of user_conn_timeout is 10
# user_conn_timeout = 10
# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
allow_ports = 2000-3000,3001,3003,4000-50000
# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5
# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0
# tls_only specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls_only = false
# tls_cert_file = server.crt
# tls_key_file = server.key
# tls_trusted_ca_file = ca.crt
# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = frps.com
# if tcp stream multiplexing is used, default is true
# tcp_mux = true
# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60
# tcp_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# tcp_keepalive = 7200
# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html
# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500
# Enable golang pprof handlers in dashboard listener.
# Dashboard port must be set first
pprof_enable = false
# Retention time for NAT hole punching strategy data.
nat_hole_analysis_data_reserve_hours = 168
[plugin.user-manager]
addr = 127.0.0.1:9000
path = /handler
ops = Login
[plugin.port-manager]
addr = 127.0.0.1:9001
path = /handler
ops = NewProxy
示例文件:https://github.com/fatedier/frp/blob/v0.51.3/conf/frpc_full.ini
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "server_addr" field, no need square brackets, like "server_addr = ::".
server_addr = 0.0.0.0
server_port = 7000
# STUN server to help penetrate NAT hole.
# nat_hole_stun_server = stun.easyvoip.com:3478
# The maximum amount of time a dial to server will wait for a connect to complete. Default value is 10 seconds.
# dial_server_timeout = 10
# dial_server_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# dial_server_keepalive = 7200
# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# http_proxy = ntlm://user:passwd@192.168.1.128:2080
# console or real logFile path like ./frpc.log
log_file = ./frpc.log
# trace, debug, info, warn, error
log_level = info
log_max_days = 3
# disable log colors when log_file is console, default is false
disable_log_color = false
# for authentication, should be same as your frps.ini
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false
# authenticate_new_work_conns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false
# auth token
token = 12345678
authentication_method =
# oidc_client_id specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_id =
# oidc_client_secret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_secret =
# oidc_audience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_audience =
# oidc_scope specifies the permisssions of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_scope =
# oidc_token_endpoint_url specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
oidc_token_endpoint_url =
# oidc_additional_xxx specifies additional parameters to be sent to the OIDC Token Endpoint.
# For example, if you want to specify the "audience" parameter, you can set as follow.
# frp will add "audience=<value>" "var1=<value>" to the additional parameters.
# oidc_additional_audience = https://dev.auth.com/api/v2/
# oidc_additional_var1 = foobar
# set admin address for control frpc's action by http api such as reload
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static
# connections will be established in advance, default value is zero
pool_count = 5
# if tcp stream multiplexing is used, default is true, it must be same with frps
# tcp_mux = true
# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60
# your proxy name will be changed to {user}.{proxy}
user = your_name
# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true
# communication protocol used to connect to server
# supports tcp, kcp, quic, websocket and wss now, default is tcp
protocol = tcp
# set client binding ip when connect server, default is empty.
# only when protocol = tcp or websocket, the value will be used.
connect_server_local_ip = 0.0.0.0
# quic protocol options
# quic_keepalive_period = 10
# quic_max_idle_timeout = 30
# quic_max_incoming_streams = 100000
# If tls_enable is true, frpc will connect frps by tls.
# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
tls_enable = true
# tls_cert_file = client.crt
# tls_key_file = client.key
# tls_trusted_ca_file = ca.crt
# tls_server_name = example.com
# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8
# proxy names you want to start separated by ','
# default is empty, means all proxies
# start = ssh,dns
# heartbeat configure, it's not recommended to modify the default value
# The default value of heartbeat_interval is 10 and heartbeat_timeout is 90. Set negative value
# to disable it.
# heartbeat_interval = 30
# heartbeat_timeout = 90
# additional meta info for client
meta_var1 = 123
meta_var2 = 234
# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500
# include other config files for proxies.
# includes = ./confd/*.ini
# If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
# first custom byte when tls is enabled.
# Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
disable_custom_tls_first_byte = true
# Enable golang pprof handlers in admin listener.
# Admin port must be set first.
pprof_enable = false
# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# limit bandwidth for this proxy, unit is KB and MB
bandwidth_limit = 1MB
# where to limit bandwidth, can be 'client' or 'server', default is 'client'
bandwidth_limit_mode = client
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
# additional meta info for each proxy
meta_var1 = 123
meta_var2 = 234
[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0
# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false
[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false
[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false
# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://web01.frps.com
subdomain = web01
custom_domains = web01.yourdomain.com
# locations is only available for http type
locations = /,/pic
# route requests to this service if http basic auto user is abc
# route_by_http_user = abc
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3
[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
subdomain = web02
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2
[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
plugin_unix_path = /var/run/docker.sock
[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
plugin_user = abc
plugin_passwd = abc
[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[plugin_https2https]
type = https
custom_domains = test.yourdomain.com
plugin = https2https
plugin_local_addr = 127.0.0.1:443
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp
[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allow_users = *
# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
# bind_port can be less than 0, it means don't bind to the port and only receive connections redirected from
# other visitors. (This is not supported for SUDP now)
bind_port = 9000
use_encryption = false
use_compression = false
[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false
# If not empty, only visitors from specified users can connect.
# Otherwise, visitors from same user can connect. '*' means allow all users.
allow_users = user1, user2
[p2p_tcp_visitor]
role = visitor
type = xtcp
# if the server user is not set, it defaults to the current user
server_user = user1
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
# bind_port can be less than 0, it means don't bind to the port and only receive connections redirected from
# other visitors. (This is not supported for SUDP now)
bind_port = 9001
use_encryption = false
use_compression = false
# when automatic tunnel persistence is required, set it to true
keep_tunnel_open = false
# effective when keep_tunnel_open is set to true, the number of attempts to punch through per hour
max_retries_an_hour = 8
min_retry_interval = 90
# fallback_to = stcp_visitor
# fallback_timeout_ms = 500
[tcpmuxhttpconnect]
type = tcpmux
multiplexer = httpconnect
local_ip = 127.0.0.1
local_port = 10701
custom_domains = tunnel1
# route_by_http_user = user1