Secure Intranet Web Access with HTTPS Using Nginx and FRP
This guide shows how to add HTTPS to an internal web service by either routing traffic through Nginx as a reverse proxy or configuring FRP itself with SSL certificates, including detailed server (frps) and client (frpc) settings, firewall tips, and verification steps.
Using Nginx as a Reverse Proxy for HTTPS
One approach is to let Nginx listen on ports 80 and 443, terminate the TLS connection with a certificate, and proxy the request to the FRP server ( frps) that is running on a custom port (for example 7000). Nginx then forwards the traffic to frps, which forwards it to the FRP client ( frpc) that serves the internal HTTP service.
FRP Native HTTPS Support
FRP can also handle TLS termination directly, eliminating the need for Nginx. By configuring frps to occupy the standard HTTP/HTTPS virtual‑host ports and by supplying a certificate on the client side, FRP will serve the public domain over HTTPS.
Server‑side frps Configuration
Edit frps.ini so that frps binds to the custom port and also claims ports 80 and 443 for virtual‑host forwarding:
[common]
bind_port = 7000
token = 12310086
vhost_http_port = 80
vhost_https_port = 443Start the server with the modified configuration: ./frps -c frps.ini Ensure that the host firewall (or any control panel) allows inbound traffic on ports 80, 443 and the custom bind port ( 7000).
Client‑side frpc Configuration
Create frpc.ini on the machine that runs the internal service. Replace SERVER_IP and yourdomain.com with your actual server address and domain name.
[common]
server_addr = SERVER_IP
bind_port = 7000
token = 12310086
[test_https2http]
type = https
custom_domains = yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:8000
# TLS certificate used by FRP (the same files that Nginx would use)
plugin_crt_path = ./ssl/server.crt
plugin_key_path = ./ssl/server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frpRun the client: ./frpc -c frpc.ini Key parameters:
server_addr : public IP of the FRP server.
bind_port : the port on which the FRP server listens for client connections (must match bind_port in frps.ini).
type = https : tells FRP to expose the service over HTTPS.
custom_domains : the domain name that will be resolved to the FRP server.
plugin = https2http : enables the built‑in HTTPS‑to‑HTTP plugin.
plugin_local_addr : address of the internal HTTP service (e.g., 127.0.0.1:8000).
plugin_crt_path / plugin_key_path : paths to the TLS certificate and private key.
Verification
Point the DNS A record of yourdomain.com to the public IP of the FRP server. After the FRP client is running, accessing https://yourdomain.com in a browser should display the internal web page served on 127.0.0.1:8000 over a valid HTTPS connection. The FRP server console will show a new connection entry for the HTTPS tunnel.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.