[bot] AutoMerging: merge all upstream's changes:

* https://github.com/fatedier/frp: cmd: use hyphen instead of underscore (fatedier#3898) upgrade go-jose and crypto version (fatedier#3895) fix(client): close workConn when authentication err (fatedier#3885) improve e2e port allocator (fatedier#3882) let e2e concurrency configurable (fatedier#3881) fix login retry interval (fatedier#3879) fix lint (fatedier#3877) fix: duplicate call loginFunc (fatedier#3860) (fatedier#3875) fix(backoff): close of closed out channel (fatedier#3871) remove copilot for pr (fatedier#3857) update doc (fatedier#3844) feat: ssh doc (fatedier#3841)
aiastia-dockerhub · Jan 3, 2024 · 40116ba · 40116ba
2 parents 65e91f3 + d01f4a3
commit 40116ba
Show file tree

Hide file tree

Showing 28 changed files with 319 additions and 93 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,6 +1,3 @@
-### Summary
-
-copilot:summary
-
 ### WHY
+
 <!-- author to complete -->
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -22,7 +22,7 @@ jobs:
         uses: golangci/golangci-lint-action@v3
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.53
+          version: v1.55
 
           # Optional: golangci-lint command line arguments.
           # args: --issues-exit-code=0

diff --git a/.gitignore b/.gitignore
@@ -34,6 +34,8 @@ dist/
 .idea/
 .vscode/
 .autogen_ssh_key
+client.crt
+client.key
 
 # Cache
 *.swp
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,5 +1,5 @@
 service:
-  golangci-lint-version: 1.51.x # use the fixed version to not introduce new linters unexpectedly
+  golangci-lint-version: 1.55.x # use the fixed version to not introduce new linters unexpectedly
 
 run:
   concurrency: 4
@@ -132,6 +132,9 @@ issues:
   - linters:
     - revive
     text: "unused-parameter"
+  - linters:
+    - unparam
+    text: "is always false"
 
   # Independently from option `exclude` we use default exclude patterns,
   # it can be disabled by this option. To list all

diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ frp also offers a P2P connect mode.
     * [Using Environment Variables](#using-environment-variables)
     * [Split Configures Into Different Files](#split-configures-into-different-files)
     * [Server Dashboard](#server-dashboard)
-    * [Admin UI](#admin-ui)
+    * [Client Admin UI](#client-admin-ui)
     * [Monitor](#monitor)
         * [Prometheus](#prometheus)
     * [Authenticating the Client](#authenticating-the-client)
@@ -75,9 +75,10 @@ frp also offers a P2P connect mode.
     * [Custom Subdomain Names](#custom-subdomain-names)
     * [URL Routing](#url-routing)
     * [TCP Port Multiplexing](#tcp-port-multiplexing)
-    * [Connecting to frps via HTTP PROXY](#connecting-to-frps-via-http-proxy)
+    * [Connecting to frps via PROXY](#connecting-to-frps-via-proxy)
     * [Client Plugins](#client-plugins)
     * [Server Manage Plugins](#server-manage-plugins)
+    * [SSH Tunnel Gateway](#ssh-tunnel-gateway)
 * [Contributing](#contributing)
 * [Donation](#donation)
     * [GitHub Sponsors](#github-sponsors)
@@ -509,6 +510,7 @@ includes = ["./confd/*.toml"]
 
 ```toml
 # ./confd/test.toml
+
 [[proxies]]
 name = "ssh"
 type = "tcp"
@@ -620,6 +622,7 @@ The features are off by default. You can turn on encryption and/or compression:
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "ssh"
 type = "tcp"
@@ -775,6 +778,7 @@ We would like to try to allow multiple proxies bind a same remote port with diff
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "ssh"
 type = "tcp"
@@ -880,6 +884,7 @@ This feature is only available for types `tcp`, `http`, `tcpmux` now.
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "test1"
 type = "tcp"
@@ -915,6 +920,7 @@ With health check type **tcp**, the service port will be pinged (TCPing):
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "test1"
 type = "tcp"
@@ -934,6 +940,7 @@ With health check type **http**, an HTTP request will be sent to the service and
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "http"
@@ -958,6 +965,7 @@ However, speaking of web servers and HTTP requests, your web server might rely o
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "http"
@@ -974,6 +982,7 @@ Similar to `Host`, You can override other HTTP request headers with proxy type `
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "http"
@@ -1001,6 +1010,7 @@ Here is an example for https service:
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "https"
@@ -1023,6 +1033,7 @@ It can only be enabled when proxy type is http.
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "http"
@@ -1047,6 +1058,7 @@ Resolve `*.frps.com` to the frps server's IP. This is usually called a Wildcard
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web"
 type = "http"
@@ -1066,6 +1078,7 @@ frp supports forwarding HTTP requests to different backend web services by url r
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "web01"
 type = "http"
@@ -1151,6 +1164,7 @@ Using plugin **http_proxy**:
 
 ```toml
 # frpc.toml
+
 [[proxies]]
 name = "http_proxy"
 type = "tcp"
@@ -1169,6 +1183,44 @@ Read the [document](/doc/server_plugin.md).
 
 Find more plugins in [gofrp/plugin](https://github.com/gofrp/plugin).
 
+### SSH Tunnel Gateway
+
+*added in v0.53.0*
+
+frp supports listening to an SSH port on the frps side and achieves TCP protocol proxying through the SSH -R protocol, without relying on frpc.
+
+```toml
+# frps.toml
+sshTunnelGateway.bindPort = 2200
+```
+
+When running `./frps -c frps.toml`, a private key file named `.autogen_ssh_key` will be automatically created in the current working directory. This generated private key file will be used by the SSH server in frps.
+
+Executing the command
+
+```bash
+ssh -R :80:127.0.0.1:8080 v0@{frp address} -p 2200 tcp --proxy_name "test-tcp" --remote_port 9090
+```
+
+sets up a proxy on frps that forwards the local 8080 service to the port 9090.
+
+```bash
+frp (via SSH) (Ctrl+C to quit)
+
+User:
+ProxyName: test-tcp
+Type: tcp
+RemoteAddress: :9090
+```
+
+This is equivalent to:
+
+```bash
+frpc tcp --proxy_name "test-tcp" --local_ip 127.0.0.1 --local_port 8080 --remote_port 9090
+```
+
+Please refer to this [document](/doc/ssh_tunnel_gateway.md) for more information.
+
 ## Contributing
 
 Interested in getting involved? We would like to help you!

diff --git a/Release.md b/Release.md
@@ -1,11 +1,3 @@
-### Features
+### Deprecation Notices
 
-* The new command line parameter `--strict_config` has been added to enable strict configuration validation mode. It will throw an error for unknown fields instead of ignoring them. In future versions, we will set the default value of this parameter to true to avoid misconfigurations.
-* Support `SSH reverse tunneling`. With this feature, you can expose your local service without running frpc, only using SSH. The SSH reverse tunnel agent has many functional limitations compared to the frpc agent. The currently supported proxy types are tcp, http, https, tcpmux, and stcp.
-* The frpc tcpmux command line parameters have been updated to support configuring `http_user` and `http_pwd`.
-* The frpc stcp/sudp/xtcp command line parameters have been updated to support configuring `allow_users`.
-
-### Fixes
-
-* frpc: Return code 1 when the first login attempt fails and exits.
-* When auth.method is `oidc` and auth.additionalScopes contains `HeartBeats`, if obtaining AccessToken fails, the application will be unresponsive.
+* Using an underscore in a flag name is deprecated and has been replaced by a hyphen. The underscore format will remain compatible for some time, until it is completely removed in a future version. For example, `--remote_port` is replaced with `--remote-port`.
diff --git a/client/connector.go b/client/connector.go
@@ -35,7 +35,7 @@ import (
 	"github.com/fatedier/frp/pkg/util/xlog"
 )
 
-// Connector is a interface for establishing connections to the server.
+// Connector is an interface for establishing connections to the server.
 type Connector interface {
 	Open() error
 	Connect() (net.Conn, error)
@@ -59,7 +59,7 @@ func NewConnector(ctx context.Context, cfg *v1.ClientCommonConfig) Connector {
 	}
 }
 
-// Open opens a underlying connection to the server.
+// Open opens an underlying connection to the server.
 // The underlying connection is either a TCP connection or a QUIC connection.
 // After the underlying connection is established, you can call Connect() to get a stream.
 // If TCPMux isn't enabled, the underlying connection is nil, you will get a new real TCP connection every time you call Connect().

diff --git a/client/control.go b/client/control.go
@@ -133,6 +133,7 @@ func (ctl *Control) handleReqWorkConn(_ msg.Message) {
 	}
 	if err = ctl.sessionCtx.AuthSetter.SetNewWorkConn(m); err != nil {
 		xl.Warn("error during NewWorkConn authentication: %v", err)
+		workConn.Close()
 		return
 	}
 	if err = msg.WriteMsg(workConn, m); err != nil {
@@ -239,15 +240,15 @@ func (ctl *Control) heartbeatWorker() {
 	// Users can still enable heartbeat feature by setting HeartbeatInterval to a positive value.
 	if ctl.sessionCtx.Common.Transport.HeartbeatInterval > 0 {
 		// send heartbeat to server
-		sendHeartBeat := func() error {
+		sendHeartBeat := func() (bool, error) {
 			xl.Debug("send heartbeat to server")
 			pingMsg := &msg.Ping{}
 			if err := ctl.sessionCtx.AuthSetter.SetPing(pingMsg); err != nil {
 				xl.Warn("error during ping authentication: %v, skip sending ping message", err)
-				return err
+				return false, err
 			}
 			_ = ctl.msgDispatcher.Send(pingMsg)
-			return nil
+			return false, nil
 		}
 
 		go wait.BackoffUntil(sendHeartBeat,

diff --git a/client/service.go b/client/service.go
@@ -192,16 +192,16 @@ func (svr *Service) keepControllerWorking() {
 	// the control immediately exits. It is necessary to limit the frequency of reconnection in this case.
 	// The interval for the first three retries in 1 minute will be very short, and then it will increase exponentially.
 	// The maximum interval is 20 seconds.
-	wait.BackoffUntil(func() error {
+	wait.BackoffUntil(func() (bool, error) {
 		// loopLoginUntilSuccess is another layer of loop that will continuously attempt to
 		// login to the server until successful.
 		svr.loopLoginUntilSuccess(20*time.Second, false)
 		if svr.ctl != nil {
 			<-svr.ctl.Done()
-			return errors.New("control is closed and try another loop")
+			return false, errors.New("control is closed and try another loop")
 		}
 		// If the control is nil, it means that the login failed and the service is also closed.
-		return nil
+		return false, nil
 	}, wait.NewFastBackoffManager(
 		wait.FastBackoffOptions{
 			Duration:        time.Second,
@@ -282,17 +282,16 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 
 func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginExit bool) {
 	xl := xlog.FromContextSafe(svr.ctx)
-	successCh := make(chan struct{})
 
-	loginFunc := func() error {
+	loginFunc := func() (bool, error) {
 		xl.Info("try to connect to server...")
 		conn, connector, err := svr.login()
 		if err != nil {
 			xl.Warn("connect to server error: %v", err)
 			if firstLoginExit {
 				svr.cancel(cancelErr{Err: err})
 			}
-			return err
+			return false, err
 		}
 
 		svr.cfgMu.RLock()
@@ -315,7 +314,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 		if err != nil {
 			conn.Close()
 			xl.Error("NewControl error: %v", err)
-			return err
+			return false, err
 		}
 		ctl.SetInWorkConnCallback(svr.handleWorkConnCb)
 
@@ -327,9 +326,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 		}
 		svr.ctl = ctl
 		svr.ctlMu.Unlock()
-
-		close(successCh)
-		return nil
+		return true, nil
 	}
 
 	// try to reconnect to server until success
@@ -339,9 +336,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 			Factor:      2,
 			Jitter:      0.1,
 			MaxDuration: maxInterval,
-		}),
-		true,
-		wait.MergeAndCloseOnAnyStopChannel(svr.ctx.Done(), successCh))
+		}), true, svr.ctx.Done())
 }
 
 func (svr *Service) UpdateAllConfigurer(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error {

diff --git a/cmd/frpc/sub/root.go b/cmd/frpc/sub/root.go
@@ -97,6 +97,7 @@ func runMultipleClients(cfgDir string) error {
 }
 
 func Execute() {
+	rootCmd.SetGlobalNormalizationFunc(config.WordSepNormalizeFunc)
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)
 	}

diff --git a/cmd/frps/root.go b/cmd/frps/root.go
@@ -92,6 +92,7 @@ var rootCmd = &cobra.Command{
 }
 
 func Execute() {
+	rootCmd.SetGlobalNormalizationFunc(config.WordSepNormalizeFunc)
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)
 	}

diff --git a/conf/frps_full_example.toml b/conf/frps_full_example.toml
@@ -143,6 +143,14 @@ udpPacketSize = 1500
 # Retention time for NAT hole punching strategy data.
 natholeAnalysisDataReserveHours = 168
 
+# ssh tunnel gateway
+# If you want to enable this feature, the bindPort parameter is required, while others are optional.
+# By default, this feature is disabled. It will be enabled if bindPort is greater than 0.
+# sshTunnelGateway.bindPort = 2200
+# sshTunnelGateway.privateKeyFile = "/home/frp-user/.ssh/id_rsa"
+# sshTunnelGateway.autoGenPrivateKeyPath = ""
+# sshTunnelGateway.authorizedKeysFile = "/home/frp-user/.ssh/authorized_keys"
+
 [[httpPlugins]]
 name = "user-manager"
 addr = "127.0.0.1:9000"