change default value of tls_enable and disable_custom_tls_first_byte (#3494)

This commit is contained in:
fatedier 2023-06-26 00:10:27 +08:00 committed by GitHub
parent 15a245766e
commit 685d7618f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 95 additions and 87 deletions

View File

@ -562,11 +562,9 @@ use_compression = true
#### TLS #### TLS
frp supports the TLS protocol between `frpc` and `frps` since v0.25.0. Since v0.50.0, the default value of `tls_enable` and `disable_custom_tls_first_byte` has been changed to true, and tls is enabled by default.
For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `disable_custom_tls_first_byte` to false.
Configure `tls_enable = true` in the `[common]` section to `frpc.ini` to enable this feature.
To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.** To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**
@ -581,7 +579,6 @@ tls_trusted_ca_file = ca.crt
**`frps` TLS settings (under the `[common]` section):** **`frps` TLS settings (under the `[common]` section):**
```ini ```ini
tls_only = true tls_only = true
tls_enable = true
tls_cert_file = certificate.crt tls_cert_file = certificate.crt
tls_key_file = certificate.key tls_key_file = certificate.key
tls_trusted_ca_file = ca.crt tls_trusted_ca_file = ca.crt

View File

@ -61,6 +61,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
return return
} }
xl.Trace("nathole prepare start")
prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer}) prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
if err != nil { if err != nil {
xl.Warn("nathole prepare error: %v", err) xl.Warn("nathole prepare error: %v", err)
@ -80,6 +81,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
AssistedAddrs: prepareResult.AssistedAddrs, AssistedAddrs: prepareResult.AssistedAddrs,
} }
xl.Trace("nathole exchange info start")
natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second) natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
if err != nil { if err != nil {
xl.Warn("nathole exchange info error: %v", err) xl.Warn("nathole exchange info error: %v", err)

View File

@ -266,11 +266,13 @@ func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
// 4. Create a tunnel session using an underlying UDP connection. // 4. Create a tunnel session using an underlying UDP connection.
func (sv *XTCPVisitor) makeNatHole() { func (sv *XTCPVisitor) makeNatHole() {
xl := xlog.FromContextSafe(sv.ctx) xl := xlog.FromContextSafe(sv.ctx)
xl.Trace("makeNatHole start")
if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil { if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
xl.Warn("nathole precheck error: %v", err) xl.Warn("nathole precheck error: %v", err)
return return
} }
xl.Trace("nathole prepare start")
prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer}) prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
if err != nil { if err != nil {
xl.Warn("nathole prepare error: %v", err) xl.Warn("nathole prepare error: %v", err)
@ -294,6 +296,7 @@ func (sv *XTCPVisitor) makeNatHole() {
AssistedAddrs: prepareResult.AssistedAddrs, AssistedAddrs: prepareResult.AssistedAddrs,
} }
xl.Trace("nathole exchange info start")
natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second) natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
if err != nil { if err != nil {
listenConn.Close() listenConn.Close()

View File

@ -94,7 +94,7 @@ func RegisterCommonFlags(cmd *cobra.Command) {
cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path") cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days") cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console") cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", false, "enable frpc tls") cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")
cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one") cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
} }

View File

@ -107,7 +107,8 @@ connect_server_local_ip = 0.0.0.0
# quic_max_idle_timeout = 30 # quic_max_idle_timeout = 30
# quic_max_incoming_streams = 100000 # quic_max_incoming_streams = 100000
# if tls_enable is true, frpc will connect frps by tls # If tls_enable is true, frpc will connect frps by tls.
# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
tls_enable = true tls_enable = true
# tls_cert_file = client.crt # tls_cert_file = client.crt
@ -140,9 +141,10 @@ udp_packet_size = 1500
# include other config files for proxies. # include other config files for proxies.
# includes = ./confd/*.ini # includes = ./confd/*.ini
# By default, frpc will connect frps with first custom byte if tls is enabled. # If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte. # first custom byte when tls is enabled.
disable_custom_tls_first_byte = false # Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
disable_custom_tls_first_byte = true
# Enable golang pprof handlers in admin listener. # Enable golang pprof handlers in admin listener.
# Admin port must be set first. # Admin port must be set first.

View File

@ -127,6 +127,7 @@ type ClientCommonConf struct {
// TLSEnable specifies whether or not TLS should be used when communicating // TLSEnable specifies whether or not TLS should be used when communicating
// with the server. If "tls_cert_file" and "tls_key_file" are valid, // with the server. If "tls_cert_file" and "tls_key_file" are valid,
// client will load the supplied tls configuration. // client will load the supplied tls configuration.
// Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
TLSEnable bool `ini:"tls_enable" json:"tls_enable"` TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
// TLSCertPath specifies the path of the cert file that client will // TLSCertPath specifies the path of the cert file that client will
// load. It only works when "tls_enable" is true and "tls_key_file" is valid. // load. It only works when "tls_enable" is true and "tls_key_file" is valid.
@ -142,8 +143,9 @@ type ClientCommonConf struct {
// TLSServerName specifies the custom server name of tls certificate. By // TLSServerName specifies the custom server name of tls certificate. By
// default, server name if same to ServerAddr. // default, server name if same to ServerAddr.
TLSServerName string `ini:"tls_server_name" json:"tls_server_name"` TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
// By default, frpc will connect frps with first custom byte if tls is enabled. // If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
// If DisableCustomTLSFirstByte is true, frpc will not send that custom byte. // first custom byte when tls is enabled.
// Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"` DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"`
// HeartBeatInterval specifies at what interval heartbeats are sent to the // HeartBeatInterval specifies at what interval heartbeats are sent to the
// server, in seconds. It is not recommended to change this value. By // server, in seconds. It is not recommended to change this value. By
@ -189,6 +191,8 @@ func GetDefaultClientConf() ClientCommonConf {
QUICKeepalivePeriod: 10, QUICKeepalivePeriod: 10,
QUICMaxIdleTimeout: 30, QUICMaxIdleTimeout: 30,
QUICMaxIncomingStreams: 100000, QUICMaxIncomingStreams: 100000,
TLSEnable: true,
DisableCustomTLSFirstByte: true,
HeartbeatInterval: 30, HeartbeatInterval: 30,
HeartbeatTimeout: 90, HeartbeatTimeout: 90,
Metas: make(map[string]string), Metas: make(map[string]string),

View File

@ -288,6 +288,7 @@ func Test_LoadClientCommonConf(t *testing.T) {
TLSKeyFile: "client.key", TLSKeyFile: "client.key",
TLSTrustedCaFile: "ca.crt", TLSTrustedCaFile: "ca.crt",
TLSServerName: "example.com", TLSServerName: "example.com",
DisableCustomTLSFirstByte: true,
DNSServer: "8.8.8.9", DNSServer: "8.8.8.9",
Start: []string{"ssh", "dns"}, Start: []string{"ssh", "dns"},
HeartbeatInterval: 39, HeartbeatInterval: 39,

View File

@ -194,7 +194,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error())) _ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
return return
} }
log.Trace("handle visitor message, sid [%s]", sid) log.Trace("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)
defer func() { defer func() {
c.mu.Lock() c.mu.Lock()
@ -256,7 +256,7 @@ func (c *Controller) HandleClient(m *msg.NatHoleClient, transporter transport.Me
if !ok { if !ok {
return return
} }
log.Trace("handle client message, sid [%s]", session.sid) log.Trace("handle client message, sid [%s], server name: %s", session.sid, m.ProxyName)
session.clientMsg = m session.clientMsg = m
session.clientTransporter = transporter session.clientTransporter = transporter
select { select {

View File

@ -409,9 +409,13 @@ var _ = ginkgo.Describe("[Feature: Basic]", func() {
f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf}) f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf})
for _, test := range tests { for _, test := range tests {
timeout := time.Second
if t == "xtcp" {
timeout = 4 * time.Second
}
framework.NewRequestExpect(f). framework.NewRequestExpect(f).
RequestModify(func(r *request.Request) { RequestModify(func(r *request.Request) {
r.Timeout(3 * time.Second) r.Timeout(timeout)
}). }).
Protocol(protocol). Protocol(protocol).
PortName(test.bindPortName). PortName(test.bindPortName).

View File

@ -101,11 +101,13 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"} supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
for _, protocol := range supportProtocols { for _, protocol := range supportProtocols {
tmp := protocol tmp := protocol
defineClientServerTest("TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{ // Since v0.50.0, the default value of tls_enable has been changed to true.
// Therefore, here it needs to be set as false to test the scenario of turning it off.
defineClientServerTest("Disable TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
server: fmt.Sprintf(` server: fmt.Sprintf(`
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(`tls_enable = true client: fmt.Sprintf(`tls_enable = false
protocol = %s protocol = %s
`, protocol), `, protocol),
}) })
@ -113,10 +115,10 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{ defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{
server: "tls_only = true", server: "tls_only = true",
client: "tls_enable = true",
}) })
defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{ defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{
server: "tls_only = true", server: "tls_only = true",
client: "tls_enable = false",
expectError: true, expectError: true,
}) })
}) })
@ -155,7 +157,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
`, renderBindPortConfig(tmp), caCrtPath), `, renderBindPortConfig(tmp), caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
protocol = %s protocol = %s
tls_enable = true
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
`, tmp, clientCrtPath, clientKeyPath), `, tmp, clientCrtPath, clientKeyPath),
@ -172,7 +173,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
`, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath), `, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
protocol = %s protocol = %s
tls_enable = true
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
@ -211,7 +211,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
`, serverCrtPath, serverKeyPath, caCrtPath), `, serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
tls_server_name = example.com tls_server_name = example.com
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
@ -228,7 +227,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
`, serverCrtPath, serverKeyPath, caCrtPath), `, serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
tls_server_name = invalid.com tls_server_name = invalid.com
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
@ -239,7 +237,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
}) })
}) })
ginkgo.Describe("TLS with disable_custom_tls_first_byte", func() { ginkgo.Describe("TLS with disable_custom_tls_first_byte set to false", func() {
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"} supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
for _, protocol := range supportProtocols { for _, protocol := range supportProtocols {
tmp := protocol tmp := protocol
@ -248,9 +246,8 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
protocol = %s protocol = %s
disable_custom_tls_first_byte = true disable_custom_tls_first_byte = false
`, protocol), `, protocol),
}) })
} }
@ -266,9 +263,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
protocol = %s protocol = %s
disable_custom_tls_first_byte = true
`, protocol), `, protocol),
}) })
} }