Intranet penetration: using frp to configure public and intranet servers

The unit's public network IP has not yet been applied for, but the project needs to go online for testing. At present the project website and interfaces can only be reached by connecting to the research institute's WiFi; this is called intranet access or LAN access. Developers cannot reach it from home. Therefore, before the public network IP is available, we first use intranet penetration so that external networks can reach our project.

Intranet penetration

Intranet penetration means exposing certain interfaces and services on the intranet so that they can be accessed from the external network.

Scenarios that require intranet penetration are as follows:

  • IPv4 addresses are limited and are now seriously insufficient. Until IPv6 is widely deployed, home broadband and most corporate broadband use dynamic IPs: China Telecom reserves an IP pool and allocates a public IP when your broadband goes online; once the broadband goes offline, the IP is reclaimed. So the IP address of your home broadband is hard to pin down and changes over time. You can see it by searching "IP" on Baidu.
  • Since your home and workplace have multiple devices that all need to go online, the public IP above is mapped onto an intranet, and routers and gateway devices split the network into multiple lines (wired, wireless) to each device that needs Internet access. These devices belong to the same intranet and are managed by the router; their addresses are generally 192.168.x.x and can be called internal IPs. Their traffic is finally aggregated and sent out through the (dynamic) public IP above.

Problems:

  • Devices with intranet IPs can access the external network, that is, they can reach the Internet.
  • These devices can access each other through their intranet IPs (192.168.x.x).
  • These devices cannot be reached from the external network; nobody else can type an IP such as 192.168.x.x into a browser and reach them.
  • When you query the real IP of your devices (for example, by asking Baidu for your own IP), you find that all of them show the same IP. From the public network's point of view, all these requests come from one IP: the public IP assigned to your broadband.
  • As noted above, the public IP changes! So even if you use the router to map a port to the public IP, access is prone to break over time. This is especially true if a domain name is bound: if the IP keeps changing, the DNS record has to keep changing, and if the DNS is cached there is no fix.

Solving this with intranet penetration:

  • You need a public IP that does not change, that is, a static IP.
  • You need penetration software capable of point-to-point communication, consisting of a client and a server.
  • No matter how the client's network environment changes, it must be able to reach the server, so a device with a static IP is set up as the server.
  • Requests are sent to the server (the public IP); the server communicates with the client through the penetration software and hands the request on to the client.
  • The client here refers to the server on our intranet.
  • These intranet servers can then be reached from the external network through the server on the public network.
  • The public network server is effectively a reverse proxy.

Configuring penetration

Let's take frp, a penetration tool, as an example to expose our unit's services to the external network and solve the problem of not being able to reach project services after leaving the unit.

A cloud server

Buy a cloud server with a static public IP, for example an Alibaba Cloud or Tencent Cloud server. The following uses Ubuntu 18.04 as an example.

Download the frp package from here:

https://github.com/fatedier/frp/releases

wget https://github.com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_linux_amd64.tar.gz
# extract the downloaded package (the file name from the wget line above)
tar -xvf frp_0.34.3_linux_amd64.tar.gz

Configure the server by editing frps.ini:

[common]
bind_port = 7000
dashboard_port = 7500
# dashboard's username and password are both optional,if not set, default is admin.
dashboard_user = admin
dashboard_pwd = admin

The first is the port frp uses for communication between the public server and the intranet client.

The second is the dashboard port; you can check frp's running status by visiting this URL.
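The dashboard above is reached with admin/admin and the [common] section sets no token, so once frps listens on a public IP these are the first settings to revisit. The following script is an added example and not code from the original post or from the frp project: it writes the frps.ini above next to a hardened variant and lints both with a small ini reader. The keys token, dashboard_addr and allow_ports are frp's documented ini options; the config files, their placeholder values and the audit rules are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): lint a frps.ini for the
# settings that matter most once frps listens on a public IP.
# Assumption: frp's v0.x ini format with the documented keys token,
# dashboard_addr, dashboard_pwd and allow_ports.

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is absent
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }                      # comment line
    /^[[:space:]]*\[/ {                               # [section] header
      s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
      insec = (s == sec); next
    }
    insec && /=/ {
      k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# audit_frps_ini FILE -> prints one finding per line; exit status = number of findings
audit_frps_ini() {
  f=$1; n=0
  if [ -z "$(ini_get "$f" common token)" ]; then
    echo "no token: any frpc that can reach bind_port can register proxies on this server"
    n=$((n + 1))
  fi
  case "$(ini_get "$f" common dashboard_pwd)" in
    ""|admin) echo "dashboard password is empty or the default 'admin'"; n=$((n + 1)) ;;
  esac
  if [ -n "$(ini_get "$f" common dashboard_port)" ] &&
     [ "$(ini_get "$f" common dashboard_addr)" != "127.0.0.1" ]; then
    echo "dashboard listens on all interfaces: set dashboard_addr = 127.0.0.1 or firewall the port"
    n=$((n + 1))
  fi
  if [ -z "$(ini_get "$f" common allow_ports)" ]; then
    echo "allow_ports unset: a client may claim any remote_port on the public server"
    n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample configs: the post's frps.ini and a hardened variant.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK="$TMP/frps-weak.ini"; HARD="$TMP/frps-hard.ini"
cat >"$WEAK" <<'EOF'
[common]
bind_port = 7000
dashboard_port = 7500
# dashboard's username and password are both optional,if not set, default is admin.
dashboard_user = admin
dashboard_pwd = admin
EOF
cat >"$HARD" <<'EOF'
[common]
bind_port = 7000
# placeholder secret; the same value must go into frpc.ini on the intranet side
token = REPLACE_WITH_A_LONG_RANDOM_SECRET
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = REPLACE_WITH_A_STRONG_PASSWORD
# only these remote_port values may be requested by clients
allow_ports = 8000-8010
EOF

for f in "$WEAK" "$HARD"; do
  echo "== $f"
  n=0; audit_frps_ini "$f" || n=$?
  echo "   $n finding(s)"
done
```

Run it as-is to see the post's config produce four findings and the hardened one none; to lint a real file, call audit_frps_ini with its path. With dashboard_addr bound to loopback, the dashboard is reached over an SSH tunnel to the cloud host rather than from the open Internet.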

Test-start the frp service:

./frps -c ./frps.ini

Note that frps is started here, meaning the frp server; the other program, frpc, is the client and is covered below.

Start frp at boot

Edit frps.service under the systemd directory:

[Unit]
Description=Frp Server Service
After=network.target

[Service]
Restart=on-failure
RestartSec=5s
ExecStart=/root/frp/frps -c /root/frp/frps.ini

[Install]
WantedBy=multi-user.target

Here, since I renamed my frp program directory to frp and placed it in the root user's home directory, you should change ExecStart to wherever your frp is located.

Save and exit, then copy the edited service file into systemd's system directory:

cp ./systemd/frps.service /etc/systemd/system/

Start the service:

# Reload the service list:
systemctl daemon-reload

# Enable start at boot
systemctl enable frps
# Disable start at boot
systemctl disable frps

# Start the service
systemctl start frps
# Stop the service
systemctl stop frps

So far, the server on the public network has been configured and set to start at boot.

Intranet server

Similarly, we need to configure frpc.ini on the intranet server:

The c in frpc stands for client.

[common]
server_addr = 10.220.23.66
server_port = 7000

[ssh http]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 8000

# [ssh http2]
# .....

Here, local_ip is the address of the local service; 127.0.0.1 (localhost) usually needs no change. local_port is the port the service listens on inside the LAN (80 in this example), and remote_port is the port opened on the public server (8000 in this example). This means that a visit to 10.220.23.66:8000 is forwarded to port 80 of the intranet host (192.168.x.x:80). So you need the service running on port 80 of the intranet server, and the external network can then reach it through the tunnel.

The same applies to other ports: you can configure multiple proxy sections like [ssh http] to map several services to the external network.

Configure startup:

Similarly, edit frpc.service under systemd:
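The port mapping described above is easy to lose track of once several proxy sections exist. The following script is an added example and not code from the original post or the frp project: it parses a frpc.ini and prints every proxy as server:remote_port -> local_ip:local_port so the exposed surface can be reviewed before the client is started, and it warns on stderr when [common] carries no token (a token set in frps.ini only authenticates clients that send the same value). The frpc.ini it reads is a constructed copy of the one above plus a second proxy; local_ip defaulting to 127.0.0.1 when omitted follows frp's documented behaviour.

```shell
#!/bin/sh
# Added example (not from the original post): list what a frpc.ini exposes.
# Assumption: frp's v0.x ini format, where [common] holds server_addr/token
# and every other section is one proxy with type/local_ip/local_port/remote_port.

# frpc_exposure FILE -> one line per proxy:
#   server_addr:remote_port -> local_ip:local_port (name, type)
# A missing token in [common] is reported on stderr.
frpc_exposure() {
  awk '
    function flush(   ip, k) {
      if (name == "common") { server = kv["server_addr"]; token = kv["token"] }
      else if (name != "") {
        ip = ("local_ip" in kv) ? kv["local_ip"] : "127.0.0.1"   # frp default
        printf "%s:%s -> %s:%s (%s, %s)\n", server, kv["remote_port"], ip, kv["local_port"], name, kv["type"]
      }
      for (k in kv) delete kv[k]
    }
    /^[[:space:]]*[#;]/ { next }                       # comment line
    /^[[:space:]]*\[/ {                                # new section: emit the previous one
      flush()
      name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
      next
    }
    /=/ {                                              # key = value inside the current section
      k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      kv[k] = v
    }
    END {
      flush()
      if (token == "")
        print "WARNING: [common] has no token; set the same token as in frps.ini so the server can authenticate this client" > "/dev/stderr"
    }' "$1"
}

# Constructed sample: the post's frpc.ini plus a second proxy with local_ip omitted.
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
[common]
server_addr = 10.220.23.66
server_port = 7000

[ssh http]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 8000

# second proxy, constructed for this example
[api]
type = tcp
local_port = 8080
remote_port = 8001
EOF

frpc_exposure "$CFG"
```

Point frpc_exposure at the real frpc.ini before starting the client; every line it prints is a port that becomes reachable on the public server's address, so any proxy you do not recognise is worth removing before the tunnel comes up.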

[Unit]
Description=Frp Client Service
After=network.target
Wants=network.target

[Service]
Restart=on-failure
RestartSec=5s
ExecStart=/home/devil/App/frp/frpc -c /home/devil/App/frp/frpc.ini
ExecReload=/home/devil/App/frp/frpc reload -c /home/devil/App/frp/frpc.ini

[Install]
WantedBy=multi-user.target

Copy it to the system's systemd directory:

cp ./systemd/frpc.service /etc/systemd/system/

Done! This way the service can still be accessed after leaving the LAN.


Source: blog.csdn.net/u014466109/article/details/110867996