frp 内网穿透

多节点穿透方案

  • 方案一(按 URI 路径区分节点):每个节点注册 /v1 或 /node1 这样的路径,未注册的 URI 留给管理后台。链路可以打通,但后续使用会有问题,例如出现 /v1/v1 这种重复路径
  • 方案二(按子域名区分节点):管理后台和每个节点各用一个独立子域名,可行,只是 nginx 配置会麻烦一点

客户端 - 程序 frpc - ubuntu

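# Install frpc. The archive is unpacked as the normal user and only the frpc
# binary is copied into place as root, so nothing from the tarball is extracted
# with root privileges. (/usr/local/frp was never used, so it is not created.)
wget -P ~/tmp https://github.com/fatedier/frp/releases/download/v0.68.0/frp_0.68.0_linux_amd64.tar.gz -e "https_proxy=http://192.168.1.120:7890"
# The download passes through a proxy: compare this digest with the SHA-256
# published for the v0.68.0 release before installing the binary.
sha256sum ~/tmp/frp_0.68.0_linux_amd64.tar.gz
tar -zxvf ~/tmp/frp_0.68.0_linux_amd64.tar.gz -C ~/tmp
sudo install -m 0755 ~/tmp/frp_0.68.0_linux_amd64/frpc /usr/local/bin/frpc
# Config file. Edit it as the user that runs frpc (sudo would leave a
# root-owned file in the home directory), and keep it private because it
# holds auth.token.
vi ~/gguf/frpc8080.toml
chmod 600 ~/gguf/frpc8080.toml
# Run in the foreground
frpc -c ~/gguf/frpc8080.toml
# Run in the background
nohup frpc -c ~/gguf/frpc8080.toml > ~/gguf/frpc8080.log 2>&1 &
# List frpc processes with their command lines (no stray "grep frpc" match)
pgrep -af frpc
# Resource usage; -d, joins several PIDs into the comma list top expects
top -p "$(pgrep -d, -x frpc)"
# Stop this instance only; the pattern names the frpc command line so an
# editor that has frpc8080.toml open is not killed as well
pkill -f 'frpc -c .*frpc8080\.toml'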

客户端 - 程序 frpc - 配置frpc8080.toml

# frpc client config for the node served at v1008080.atibm.com.
# serverAddr: public IP or domain name of the VPS that runs frps.
serverAddr = "openai.atibm.com" 
# Host port published by the frps container (3300 -> bindPort 7000 in docker-compose.yml).
serverPort = 3300 
# Shared secret; must equal auth.token in frps.toml. Anyone who reads this file
# can register proxies on the server, so keep the file readable by its owner only.
auth.token = "你在frps里设置的强密码"

[[proxies]]
name = "v1008080"
type = "http"
# NOTE(review): whatever listens on 127.0.0.1:8080 becomes reachable from the
# internet under the domain below; confirm that service enforces its own API key.
localIP = "127.0.0.1"
localPort = 8080
# Must match a server_name in the nginx vhost (openai.conf) so frps can route by Host header.
customDomains = ["v1008080.atibm.com"]
# locations = ["/node1"] # claim the /node1 path; not needed when nodes are told apart by subdomain

客户端 - 程序 frpc - win

-----------------安装------------------
C:\windows\system32>scoop install main/frp
Installing 'frp' (0.68.0) [64bit] from 'main' bucket
frp_0.68.0_windows_amd64.zip (13.4 MB) [====================] 100%
Checking hash of frp_0.68.0_windows_amd64.zip ... ok.
Extracting frp_0.68.0_windows_amd64.zip ... done.
Linking ~\scoop\apps\frp\current => ~\scoop\apps\frp\0.68.0
Creating shim for 'frpc'.
Creating shim for 'frps'.
Persisting frpc.toml
Persisting frps.toml
'frp' (0.68.0) was installed successfully!
-----------------配置穿透------------------
notepad %USERPROFILE%\scoop\persist\frp\frpc.toml
-----------------手动启动------------------
frpc -c %USERPROFILE%\scoop\persist\frp\frpc.toml
-----------------安装为系统服务------------------
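# Install the service wrapper
scoop install nssm
# Create the service.
# The config is read from scoop's persist directory: "current" is a link to the
# versioned install directory (see the install output above), and only frpc.toml
# and frps.toml are persisted, so a frpc4060.toml kept under "current" would be
# left behind in the old version directory after an update. Place frpc4060.toml
# in C:\Users\cat\scoop\persist\frp before starting the service.
nssm install frpc4060 "C:\Users\cat\scoop\apps\frp\current\frpc.exe" "-c C:\Users\cat\scoop\persist\frp\frpc4060.toml"
# NOTE(review): nssm services run as LocalSystem unless ObjectName is set, while
# frpc.exe lives in a directory the user "cat" can write to. Consider running the
# service under a dedicated low-privilege account (nssm parameter ObjectName).
# Display name
nssm set frpc4060 DisplayName "FRP内网穿透-4060"
# Description
nssm set frpc4060 Description "FRP内网穿透,开机自启,配置frpc4060.toml"
# Log file for stdout and stderr
nssm set frpc4060 AppStdout "C:\Users\cat\scoop\apps\frp\current\frpc_nssm.log"
nssm set frpc4060 AppStderr "C:\Users\cat\scoop\apps\frp\current\frpc_nssm.log"
# Start at boot
nssm set frpc4060 Start SERVICE_AUTO_START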
-----------------nssm服务管理------------------
# Service status
nssm status frpc4060
# Logs: print the configured stdout log path, then follow the file.
# tail is not a cmd.exe builtin; presumably this is run from Git Bash or a
# similar shell. In PowerShell, Get-Content -Wait follows a file the same way.
nssm get frpc4060 AppStdout
tail -f "C:/Users/cat/scoop/apps/frp/current/frpc_nssm.log"
# Start / restart
nssm start frpc4060 /v
nssm restart frpc4060
# Uninstall the service (the frp files and config stay on disk)
nssm remove frpc4060

客户端 - 配置 frpc.toml

# frpc client config for the Windows node served at 4060.atibm.com.
# serverAddr: public IP or domain name of the VPS that runs frps.
serverAddr = "openai.atibm.com" 
# Host port published by the frps container (3300 -> bindPort 7000 in docker-compose.yml).
serverPort = 3300 
# Shared secret; must equal auth.token in frps.toml. Restrict read access to
# this file: the token is all a client needs to register proxies on the server.
auth.token = "你在frps里设置的强密码"

[[proxies]]
name = "4060"
type = "http"
# NOTE(review): the service on 127.0.0.1:1234 is published to the internet
# under the domain below; confirm it requires an API key of its own.
localIP = "127.0.0.1"
localPort = 1234
# Must match a server_name in the nginx vhost (openai.conf).
customDomains = ["4060.atibm.com"]
# locations = ["/node1"] # claim the /node1 path; not needed when nodes are told apart by subdomain

服务端 - 容器 docker-compose.yml

# frps server container. Only the frpc control port is published on the host;
# the vhost HTTP port (8080) and the dashboard (7500) from frps.toml are not in
# the ports list, so they are reachable only from containers on ghost_net.
services:
  frps:
    # NOTE(review): third-party image, and the tag names the Alpine release, not
    # the frp version. Confirm which frps version it ships and consider pinning
    # the image by digest so a re-pushed tag cannot change what runs here.
    image: snowdreamtech/frps:alpine3.23
    container_name: frps
    restart: unless-stopped
    # Externally visible ports: the control channel (container port 7000), plus
    # a TCP proxy range if something other than 80/443 has to be tunnelled.
    ports:
      - "0.0.0.0:3300:7000"     # frpc control connection: host 3300 -> bindPort 7000
      # - "0.0.0.0:7001-7010:7001-7010" # reserved range of 10 TCP proxy ports
      # While the range above stays commented out, TCP proxies that frps.toml
      # allows on 7001-7010 are bound inside the container but not reachable
      # from outside the host.
    volumes:
      # Config is mounted read-only; it contains auth.token and the dashboard
      # password, so keep ./data/frps.toml out of version control.
      - ./data/frps.toml:/etc/frp/frps.toml:ro
    networks:
      - ghost_net
    # Resource limit: keeps a surge of AI traffic from exhausting the VPS
    deploy:
      resources:
        limits:
          memory: 512M

# Pre-existing network; presumably shared with the nginx container that
# proxies to http://frps:8080 and http://frps:7500 — verify.
networks:
  ghost_net:
    external: true

服务端 - 配置 frps.toml

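# [Base communication]
# Control port frpc connects to (published as host port 3300 in docker-compose.yml).
bindPort = 7000
# Shared secret for every frpc client; use 24 or more random characters and
# replace this placeholder before deploying.
auth.token = "YOUR_SUPER_STRONG_TOKEN_HERE"
# The control port is open to the internet, so accept TLS connections only.
# The frpc configs on this page do not disable TLS, which current frpc
# versions enable by default; a client that turns it off will be refused.
transport.tls.force = true

# [HTTP vhost port]
# nginx forwards to this port; frps picks the proxy from the Host header.
vhostHTTPPort = 8080

# [Admission control]
# allowPorts limits the remote ports clients may request for TCP/UDP proxies.
# HTTP proxies are routed through vhostHTTPPort and request no remote port, so
# 8080 (already bound by frps itself) is not listed here.
allowPorts = [
  { start = 7001, end = 7010 }
]

# [Dashboard]
# Listens on all interfaces inside the container so nginx can reach it over the
# Docker network. It must never be published on the host: docker-compose.yml
# does not map 7500, keep it that way. Replace the placeholder password.
[webServer]
addr = "0.0.0.0"
port = 7500
user = "admin_atibm"
password = "DASHBOARD_STRONG_PASSWORD"

# [Logging]
# NOTE(review): maxDays looks like it only applies to file logging; with
# to = "console" retention is whatever the Docker log driver is set to — confirm.
[log]
to = "console"
level = "info"
maxDays = 7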

服务端 - 后台代理 frps.conf

# Reverse proxy for the frps dashboard (frps.atibm.com).
# NOTE(review): this publishes the dashboard to the whole internet, protected
# only by webServer.user / webServer.password from frps.toml. Consider limiting
# the 443 server to known admin addresses, e.g. `allow <ADMIN_IP>; deny all;`.
server {
    listen 80;
    server_name frps.atibm.com;

    # Force HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name frps.atibm.com;
    # ==================== TLS certificate ====================
    # The certificate lives under the ghost.atibm.com lineage; it must also
    # cover frps.atibm.com (SAN or wildcard) or clients get a name mismatch — verify.
    ssl_certificate     /etc/letsencrypt/live/ghost.atibm.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ghost.atibm.com/privkey.pem;
    # TLS hardening (standard settings)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    
    location / {
        # "frps" is the container name; presumably nginx is attached to the
        # same Docker network (ghost_net) so the name resolves — verify.
        proxy_pass http://frps:7500; # matches webServer.port in frps.toml
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

服务端穿透代理 openai.conf

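# Public vhost for the tunnelled model nodes (4060 and v100808N subdomains).
server {
    listen 80;

    server_name 4060.atibm.com ~^v100808\d\.atibm\.com$;
    # Force HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name 4060.atibm.com ~^v100808\d\.atibm\.com$;
    # ==================== TLS certificate ====================
    # The certificate lives under the ghost.atibm.com lineage; it must also
    # cover these node hostnames (SAN or wildcard) — verify.
    ssl_certificate     /etc/letsencrypt/live/ghost.atibm.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ghost.atibm.com/privkey.pem;
    # TLS hardening (standard settings)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # NOTE(review): nothing in this file authenticates the caller. Anyone who
    # learns a node hostname can use the model unless the backend itself
    # demands an API key; confirm that it does, or check the Authorization
    # header here before proxying.

    # ==============================================
    # 1. Allowlist: only the OpenAI-style API under /v1/ is forwarded.
    # The previous version forwarded every path from `location /` and relied on
    # a blacklist of unanchored patterns (/my, /user, /bot, /message, ...),
    # which also matched legitimate API paths such as /v1/messages.
    # ^~ makes this prefix win without consulting any regex location.
    # Add further prefix locations here if a node needs other endpoints.
    # ==============================================
    location ^~ /v1/ {
        proxy_pass http://frps:8080;

        # Keep the Host header unchanged so frps can select the proxy
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Streaming responses require buffering to be off
        proxy_buffering off;
        proxy_cache off;

        # Inference timeouts (300 seconds = 5 minutes)
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;

        # Keep upstream connections alive
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    # ==============================================
    # 2. Default deny: every other path is dropped without a response.
    # Access logging stays on for these requests so scanning remains visible
    # and can feed rate limiting or ban tooling.
    # ==============================================
    location / {
        return 444;
    }
}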