guoswork/frp
1
0
Fork 0
mirror of https://gitee.com/IrisVega/frp.git synced 2024-11-01 22:31:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

change default value of tls_enable and disable_custom_tls_first_byte (#3494)

Browse Source
This commit is contained in:
fatedier 2023-06-26 00:10:27 +08:00 committed by GitHub
parent 15a245766e
commit 685d7618f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 95 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -562,11 +562,9 @@ use_compression = true
#### TLS #### TLS
frp supports the TLS protocol between `frpc` and `frps` since v0.25.0. Since v0.50.0, the default value of `tls_enable` and `disable_custom_tls_first_byte` has been changed to true, and tls is enabled by default.
For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `disable_custom_tls_first_byte` to false.
Configure `tls_enable = true` in the `[common]` section to `frpc.ini` to enable this feature.
To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.** To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**
@ -581,7 +579,6 @@ tls_trusted_ca_file = ca.crt
**`frps` TLS settings (under the `[common]` section):** **`frps` TLS settings (under the `[common]` section):**
```ini ```ini
tls_only = true tls_only = true
tls_enable = true
tls_cert_file = certificate.crt tls_cert_file = certificate.crt
tls_key_file = certificate.key tls_key_file = certificate.key
tls_trusted_ca_file = ca.crt tls_trusted_ca_file = ca.crt

2
client/proxy/xtcp.go
View File

@ -61,6 +61,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
return return
} }
xl.Trace("nathole prepare start")
prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer}) prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
if err != nil { if err != nil {
xl.Warn("nathole prepare error: %v", err) xl.Warn("nathole prepare error: %v", err)
@ -80,6 +81,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
AssistedAddrs: prepareResult.AssistedAddrs, AssistedAddrs: prepareResult.AssistedAddrs,
} }
xl.Trace("nathole exchange info start")
natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second) natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
if err != nil { if err != nil {
xl.Warn("nathole exchange info error: %v", err) xl.Warn("nathole exchange info error: %v", err)

3
client/visitor/xtcp.go
View File

@ -266,11 +266,13 @@ func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
// 4. Create a tunnel session using an underlying UDP connection. // 4. Create a tunnel session using an underlying UDP connection.
func (sv *XTCPVisitor) makeNatHole() { func (sv *XTCPVisitor) makeNatHole() {
xl := xlog.FromContextSafe(sv.ctx) xl := xlog.FromContextSafe(sv.ctx)
xl.Trace("makeNatHole start")
if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil { if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
xl.Warn("nathole precheck error: %v", err) xl.Warn("nathole precheck error: %v", err)
return return
} }
xl.Trace("nathole prepare start")
prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer}) prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
if err != nil { if err != nil {
xl.Warn("nathole prepare error: %v", err) xl.Warn("nathole prepare error: %v", err)
@ -294,6 +296,7 @@ func (sv *XTCPVisitor) makeNatHole() {
AssistedAddrs: prepareResult.AssistedAddrs, AssistedAddrs: prepareResult.AssistedAddrs,
} }
xl.Trace("nathole exchange info start")
natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second) natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
if err != nil { if err != nil {
listenConn.Close() listenConn.Close()

2
cmd/frpc/sub/root.go
View File

@ -94,7 +94,7 @@ func RegisterCommonFlags(cmd *cobra.Command) {
cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path") cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days") cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console") cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", false, "enable frpc tls") cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")
cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one") cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
} }

10
conf/frpc_full.ini
View File

@ -107,7 +107,8 @@ connect_server_local_ip = 0.0.0.0
# quic_max_idle_timeout = 30 # quic_max_idle_timeout = 30
# quic_max_incoming_streams = 100000 # quic_max_incoming_streams = 100000
# if tls_enable is true, frpc will connect frps by tls # If tls_enable is true, frpc will connect frps by tls.
# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
tls_enable = true tls_enable = true
# tls_cert_file = client.crt # tls_cert_file = client.crt
@ -140,9 +141,10 @@ udp_packet_size = 1500
# include other config files for proxies. # include other config files for proxies.
# includes = ./confd/*.ini # includes = ./confd/*.ini
# By default, frpc will connect frps with first custom byte if tls is enabled. # If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte. # first custom byte when tls is enabled.
disable_custom_tls_first_byte = false # Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
disable_custom_tls_first_byte = true
# Enable golang pprof handlers in admin listener. # Enable golang pprof handlers in admin listener.
# Admin port must be set first. # Admin port must be set first.

60
pkg/config/client.go
View File

@ -127,6 +127,7 @@ type ClientCommonConf struct {
// TLSEnable specifies whether or not TLS should be used when communicating // TLSEnable specifies whether or not TLS should be used when communicating
// with the server. If "tls_cert_file" and "tls_key_file" are valid, // with the server. If "tls_cert_file" and "tls_key_file" are valid,
// client will load the supplied tls configuration. // client will load the supplied tls configuration.
// Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
TLSEnable bool `ini:"tls_enable" json:"tls_enable"` TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
// TLSCertPath specifies the path of the cert file that client will // TLSCertPath specifies the path of the cert file that client will
// load. It only works when "tls_enable" is true and "tls_key_file" is valid. // load. It only works when "tls_enable" is true and "tls_key_file" is valid.
@ -142,8 +143,9 @@ type ClientCommonConf struct {
// TLSServerName specifies the custom server name of tls certificate. By // TLSServerName specifies the custom server name of tls certificate. By
// default, server name if same to ServerAddr. // default, server name if same to ServerAddr.
TLSServerName string `ini:"tls_server_name" json:"tls_server_name"` TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
// By default, frpc will connect frps with first custom byte if tls is enabled. // If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
// If DisableCustomTLSFirstByte is true, frpc will not send that custom byte. // first custom byte when tls is enabled.
// Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"` DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"`
// HeartBeatInterval specifies at what interval heartbeats are sent to the // HeartBeatInterval specifies at what interval heartbeats are sent to the
// server, in seconds. It is not recommended to change this value. By // server, in seconds. It is not recommended to change this value. By
@ -168,32 +170,34 @@ type ClientCommonConf struct {
// GetDefaultClientConf returns a client configuration with default values. // GetDefaultClientConf returns a client configuration with default values.
func GetDefaultClientConf() ClientCommonConf { func GetDefaultClientConf() ClientCommonConf {
return ClientCommonConf{ return ClientCommonConf{
ClientConfig: auth.GetDefaultClientConf(), ClientConfig: auth.GetDefaultClientConf(),
ServerAddr: "0.0.0.0", ServerAddr: "0.0.0.0",
ServerPort: 7000, ServerPort: 7000,
NatHoleSTUNServer: "stun.easyvoip.com:3478", NatHoleSTUNServer: "stun.easyvoip.com:3478",
DialServerTimeout: 10, DialServerTimeout: 10,
DialServerKeepAlive: 7200, DialServerKeepAlive: 7200,
HTTPProxy: os.Getenv("http_proxy"), HTTPProxy: os.Getenv("http_proxy"),
LogFile: "console", LogFile: "console",
LogWay: "console", LogWay: "console",
LogLevel: "info", LogLevel: "info",
LogMaxDays: 3, LogMaxDays: 3,
AdminAddr: "127.0.0.1", AdminAddr: "127.0.0.1",
PoolCount: 1, PoolCount: 1,
TCPMux: true, TCPMux: true,
TCPMuxKeepaliveInterval: 60, TCPMuxKeepaliveInterval: 60,
LoginFailExit: true, LoginFailExit: true,
Start: make([]string, 0), Start: make([]string, 0),
Protocol: "tcp", Protocol: "tcp",
QUICKeepalivePeriod: 10, QUICKeepalivePeriod: 10,
QUICMaxIdleTimeout: 30, QUICMaxIdleTimeout: 30,
QUICMaxIncomingStreams: 100000, QUICMaxIncomingStreams: 100000,
HeartbeatInterval: 30, TLSEnable: true,
HeartbeatTimeout: 90, DisableCustomTLSFirstByte: true,
Metas: make(map[string]string), HeartbeatInterval: 30,
UDPPacketSize: 1500, HeartbeatTimeout: 90,
IncludeConfigFiles: make([]string, 0), Metas: make(map[string]string),
UDPPacketSize: 1500,
IncludeConfigFiles: make([]string, 0),
} }
} }

69
pkg/config/client_test.go
View File

@ -258,40 +258,41 @@ func Test_LoadClientCommonConf(t *testing.T) {
OidcTokenEndpointURL: "endpoint_url", OidcTokenEndpointURL: "endpoint_url",
}, },
}, },
ServerAddr: "0.0.0.9", ServerAddr: "0.0.0.9",
ServerPort: 7009, ServerPort: 7009,
NatHoleSTUNServer: "stun.easyvoip.com:3478", NatHoleSTUNServer: "stun.easyvoip.com:3478",
DialServerTimeout: 10, DialServerTimeout: 10,
DialServerKeepAlive: 7200, DialServerKeepAlive: 7200,
HTTPProxy: "http://user:passwd@192.168.1.128:8080", HTTPProxy: "http://user:passwd@192.168.1.128:8080",
LogFile: "./frpc.log9", LogFile: "./frpc.log9",
LogWay: "file", LogWay: "file",
LogLevel: "info9", LogLevel: "info9",
LogMaxDays: 39, LogMaxDays: 39,
DisableLogColor: false, DisableLogColor: false,
AdminAddr: "127.0.0.9", AdminAddr: "127.0.0.9",
AdminPort: 7409, AdminPort: 7409,
AdminUser: "admin9", AdminUser: "admin9",
AdminPwd: "admin9", AdminPwd: "admin9",
AssetsDir: "./static9", AssetsDir: "./static9",
PoolCount: 59, PoolCount: 59,
TCPMux: true, TCPMux: true,
TCPMuxKeepaliveInterval: 60, TCPMuxKeepaliveInterval: 60,
User: "your_name", User: "your_name",
LoginFailExit: true, LoginFailExit: true,
Protocol: "tcp", Protocol: "tcp",
QUICKeepalivePeriod: 10, QUICKeepalivePeriod: 10,
QUICMaxIdleTimeout: 30, QUICMaxIdleTimeout: 30,
QUICMaxIncomingStreams: 100000, QUICMaxIncomingStreams: 100000,
TLSEnable: true, TLSEnable: true,
TLSCertFile: "client.crt", TLSCertFile: "client.crt",
TLSKeyFile: "client.key", TLSKeyFile: "client.key",
TLSTrustedCaFile: "ca.crt", TLSTrustedCaFile: "ca.crt",
TLSServerName: "example.com", TLSServerName: "example.com",
DNSServer: "8.8.8.9", DisableCustomTLSFirstByte: true,
Start: []string{"ssh", "dns"}, DNSServer: "8.8.8.9",
HeartbeatInterval: 39, Start: []string{"ssh", "dns"},
HeartbeatTimeout: 99, HeartbeatInterval: 39,
HeartbeatTimeout: 99,
Metas: map[string]string{ Metas: map[string]string{
"var1": "123", "var1": "123",
"var2": "234", "var2": "234",

4
pkg/nathole/controller.go
View File

@ -194,7 +194,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error())) _ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
return return
} }
log.Trace("handle visitor message, sid [%s]", sid) log.Trace("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)
defer func() { defer func() {
c.mu.Lock() c.mu.Lock()
@ -256,7 +256,7 @@ func (c *Controller) HandleClient(m *msg.NatHoleClient, transporter transport.Me
if !ok { if !ok {
return return
} }
log.Trace("handle client message, sid [%s]", session.sid) log.Trace("handle client message, sid [%s], server name: %s", session.sid, m.ProxyName)
session.clientMsg = m session.clientMsg = m
session.clientTransporter = transporter session.clientTransporter = transporter
select { select {

6
test/e2e/basic/basic.go
View File

@ -409,9 +409,13 @@ var _ = ginkgo.Describe("[Feature: Basic]", func() {
f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf}) f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf})
for _, test := range tests { for _, test := range tests {
timeout := time.Second
if t == "xtcp" {
timeout = 4 * time.Second
}
framework.NewRequestExpect(f). framework.NewRequestExpect(f).
RequestModify(func(r *request.Request) { RequestModify(func(r *request.Request) {
r.Timeout(3 * time.Second) r.Timeout(timeout)
}). }).
Protocol(protocol). Protocol(protocol).
PortName(test.bindPortName). PortName(test.bindPortName).

19
test/e2e/basic/client_server.go
View File

@ -101,11 +101,13 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"} supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
for _, protocol := range supportProtocols { for _, protocol := range supportProtocols {
tmp := protocol tmp := protocol
defineClientServerTest("TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{ // Since v0.50.0, the default value of tls_enable has been changed to true.
// Therefore, here it needs to be set as false to test the scenario of turning it off.
defineClientServerTest("Disable TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
server: fmt.Sprintf(` server: fmt.Sprintf(`
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(`tls_enable = true client: fmt.Sprintf(`tls_enable = false
protocol = %s protocol = %s
`, protocol), `, protocol),
}) })
@ -113,10 +115,10 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{ defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{
server: "tls_only = true", server: "tls_only = true",
client: "tls_enable = true",
}) })
defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{ defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{
server: "tls_only = true", server: "tls_only = true",
client: "tls_enable = false",
expectError: true, expectError: true,
}) })
}) })
@ -155,7 +157,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
`, renderBindPortConfig(tmp), caCrtPath), `, renderBindPortConfig(tmp), caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
protocol = %s protocol = %s
tls_enable = true
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
`, tmp, clientCrtPath, clientKeyPath), `, tmp, clientCrtPath, clientKeyPath),
@ -172,7 +173,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
`, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath), `, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
protocol = %s protocol = %s
tls_enable = true
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
@ -211,7 +211,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
`, serverCrtPath, serverKeyPath, caCrtPath), `, serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
tls_server_name = example.com tls_server_name = example.com
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
@ -228,7 +227,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
tls_trusted_ca_file = %s tls_trusted_ca_file = %s
`, serverCrtPath, serverKeyPath, caCrtPath), `, serverCrtPath, serverKeyPath, caCrtPath),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
tls_server_name = invalid.com tls_server_name = invalid.com
tls_cert_file = %s tls_cert_file = %s
tls_key_file = %s tls_key_file = %s
@ -239,7 +237,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
}) })
}) })
ginkgo.Describe("TLS with disable_custom_tls_first_byte", func() { ginkgo.Describe("TLS with disable_custom_tls_first_byte set to false", func() {
supportProtocols := []string{"tcp", "kcp", "quic", "websocket"} supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
for _, protocol := range supportProtocols { for _, protocol := range supportProtocols {
tmp := protocol tmp := protocol
@ -248,9 +246,8 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
protocol = %s protocol = %s
disable_custom_tls_first_byte = true disable_custom_tls_first_byte = false
`, protocol), `, protocol),
}) })
} }
@ -266,9 +263,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
%s %s
`, renderBindPortConfig(protocol)), `, renderBindPortConfig(protocol)),
client: fmt.Sprintf(` client: fmt.Sprintf(`
tls_enable = true
protocol = %s protocol = %s
disable_custom_tls_first_byte = true
`, protocol), `, protocol),
}) })
} }