luci-app-frpc: add custom tls protocol encryption (#253)

2025-01-07 07:06:41 +08:00 · 2023-10-12 10:30:19 +08:00 · 2023-10-12 10:30:19 +08:00 · 4ea7eb4785
commit 4ea7eb4785
parent 663e299427
4 changed files with 54 additions and 3 deletions
--- a/applications/luci-app-frpc/luasrc/model/cbi/frp/basic.lua
+++ b/applications/luci-app-frpc/luasrc/model/cbi/frp/basic.lua
@ -73,6 +73,30 @@ e.description = translate("if tls_enable is true, frpc will connect frps by tls.
 e.default = "0"
 e.rmempty = false

+e = t:taboption("other", Flag, "enable_custom_certificate", translate("Custom TLS Protocol Encryption"))
+e.description = translate("Frp supports traffic encryption between frpc and frps through the TLS protocol, and supports client or server unidirectional and bidirectional authentication.")
+e.default = "0"
+e.rmempty = false
+e:depends("tls_enable", 1)
+
+e = t:taboption("other", Value, "tls_cert_file", translate("Client Certificate File"))
+e.description = translate("Frps one-way verifies the identity of frpc.")
+e.placeholder = "/var/etc/frp/client.crt"
+e.optional = false
+e:depends("enable_custom_certificate", 1)
+
+e = t:taboption("other", Value, "tls_key_file", translate("Client Key File"))
+e.description = translate("Frps one-way verifies the identity of frpc.")
+e.placeholder = "/var/etc/frp/client.key"
+e.optional = false
+e:depends("enable_custom_certificate", 1)
+
+e = t:taboption("other", Value, "tls_trusted_ca_file", translate("CA Certificate File"))
+e.description = translate("Frpc one-way verifies the identity of frps.")
+e.placeholder = "/var/etc/frp/ca.crt"
+e.optional = false
+e:depends("enable_custom_certificate", 1)
+
 e = t:taboption("other", ListValue, "protocol", translate("Protocol Type"))
 e.description = translate("Frp support kcp protocol since v0.12.0")
 e.default = "tcp"
--- a/applications/luci-app-frpc/luasrc/model/cbi/frp/config.lua
+++ b/applications/luci-app-frpc/luasrc/model/cbi/frp/config.lua
@ -206,7 +206,7 @@ e:depends("type", "http")
 e:depends("type", "https")

 e = t:taboption("base", Flag, "use_encryption", translate("Use Encryption"))
-e.description = translate("Encrypted the communication between frpc and frps, will effectively prevent the traffic intercepted.")
+e.description = translate("Encrypted the communication between frpc and frps, will effectively prevent the traffic intercepted (If Custom TLS Protocol Encryption is enabled, except that the protocol of xtcp is configured as kcp, you can no longer set Use Encryption to repeat encryption).")
 e.default = "1"
 e.rmempty = false

--- a/applications/luci-app-frpc/po/zh-cn/frp.po
+++ b/applications/luci-app-frpc/po/zh-cn/frp.po
@ -67,6 +67,27 @@ msgstr "TLS 连接"
 msgid "if tls_enable is true, frpc will connect frps by tls."
 msgstr "使用 TLS 协议与服务器连接(若连接服务器异常可以尝试开启)"

+msgid "Custom TLS Protocol Encryption"
+msgstr "自定义TLS协议加密"
+
+msgid "Frp supports traffic encryption between frpc and frps through the TLS protocol, and supports client or server unidirectional and bidirectional authentication."
+msgstr "frp 支持 frpc 和 frps 之间的流量通过 TLS 协议加密，并且支持客户端或服务端单向验证，双向验证等功能。"
+
+msgid "Frps one-way verifies the identity of frpc."
+msgstr "frps 单向验证 frpc 身份。"
+
+msgid "Client Certificate File"
+msgstr "TLS 客户端证书文件路径"
+
+msgid "Client Key File"
+msgstr "TLS 客户端密钥文件路径"
+
+msgid "Frpc one-way verifies the identity of frps."
+msgstr "frpc 单向验证 frps 身份。"
+
+msgid "CA Certificate File"
+msgstr "TLS CA 证书路径"
+
 msgid "Protocol Type"
 msgstr "协议类型"

@ -265,8 +286,8 @@ msgstr "Frp可以用修改后的主机头重写http请求。"
 msgid "Proxy-Protocol Version"
 msgstr "Proxy-Protocol 版本"

-msgid "Encrypted the communication between frpc and frps, will effectively prevent the traffic intercepted."
-msgstr "将 frpc 与 frps 之间的通信内容加密传输，将会有效防止流量被拦截。"
+msgid "Encrypted the communication between frpc and frps, will effectively prevent the traffic intercepted (If Custom TLS Protocol Encryption is enabled, except that the protocol of xtcp is configured as kcp, you can no longer set Use Encryption to repeat encryption)."
+msgstr "将 frpc 与 frps 之间的通信内容加密传输，将会有效防止流量被拦截（启用自定义TLS协议加密后除 xtcp 的 protocol 配置为 kcp 外，可不再设置此项重复加密）。"

 msgid "The contents will be compressed to speed up the traffic forwarding speed, but this will consume some additional cpu resources."
 msgstr "对传输内容进行压缩，加快流量转发速度，但是会额外消耗一些 cpu 资源。"
--- a/applications/luci-app-frpc/root/etc/init.d/frp
+++ b/applications/luci-app-frpc/root/etc/init.d/frp
@ -189,6 +189,7 @@ start() {
 	config_load "frp"
 	local enabled server_addr server_port time privilege_token user tcp_mux enable_cpool tls_enable
 	local pool_count log_level log_max_days login_fail_exit http_proxy protocol admin_port admin_user admin_pwd
+	local tls_cert_file tls_key_file tls_trusted_ca_file

 	config_get_bool enabled common enabled 1

@ -208,6 +209,9 @@ start() {
 	config_get admin_port common admin_port
 	config_get admin_user common admin_user
 	config_get admin_pwd common admin_pwd
+	config_get tls_cert_file common tls_cert_file
+	config_get tls_key_file common tls_key_file
+	config_get tls_trusted_ca_file common tls_trusted_ca_file


 	mkdir -p /var/etc/frp
@ -232,6 +236,8 @@ start() {
 	[ -n "$admin_port" ] && echo "admin_addr=0.0.0.0" >>$tmpconf && echo "admin_port=$admin_port" >>$tmpconf
 	[ -n "$admin_user" ] && echo "admin_user=$admin_user" >>$tmpconf
 	[ -n "$admin_pwd" ] && echo "admin_pwd=$admin_pwd" >>$tmpconf
+	[[ -n "$tls_cert_file" && -n "$tls_key_file" ]] && echo "tls_cert_file=$tls_cert_file" >>$tmpconf && echo "tls_key_file=$tls_key_file" >>$tmpconf
+	[ -n "$tls_trusted_ca_file" ] && echo "tls_trusted_ca_file=$tls_trusted_ca_file" >>$tmpconf


 	config_load "frp"