Merge pull request #1696 from fatedier/dev

bump version to v0.32.0

Author: fatedier

Diff for: .gitignore

@@ -27,6 +27,7 @@ _testmain.go
 bin/
 packages/
 test/bin/
+vendor/
 
 # Cache
 *.swp

Diff for: .travis.yml

@@ -3,6 +3,7 @@ language: go
 
 go:
     - 1.12.x
+    - 1.13.x
 
 install:
     - make

Diff for: Makefile

@@ -1,4 +1,5 @@
 export PATH := $(GOPATH)/bin:$(PATH)
+export GO111MODULE=on
 
 all: fmt build
 

Diff for: README.md

@@ -30,7 +30,11 @@ frp also has a P2P connect mode.
     * [Using Environment Variables](#using-environment-variables)
     * [Dashboard](#dashboard)
     * [Admin UI](#admin-ui)
+    * [Monitor](#monitor)
+        * [Prometheus](#prometheus)
     * [Authenticating the Client](#authenticating-the-client)
+        * [Token Authentication](#token-authentication)
+        * [OIDC Authentication](#oidc-authentication)
     * [Encryption and Compression](#encryption-and-compression)
         * [TLS](#tls)
     * [Hot-Reloading frpc configuration](#hot-reloading-frpc-configuration)
@@ -49,9 +53,10 @@ frp also has a P2P connect mode.
     * [Get Real IP](#get-real-ip)
         * [HTTP X-Forwarded-For](#http-x-forwarded-for)
         * [Proxy Protocol](#proxy-protocol)
-    * [Require HTTP Basic auth (password) for web services](#require-http-basic-auth-password-for-web-services)
-    * [Custom subdomain names](#custom-subdomain-names)
-    * [URL routing](#url-routing)
+    * [Require HTTP Basic Auth (Password) for Web Services](#require-http-basic-auth-password-for-web-services)
+    * [Custom Subdomain Names](#custom-subdomain-names)
+    * [URL Routing](#url-routing)
+    * [TCP Port Multiplexing](#tcp-port-multiplexing)
     * [Connecting to frps via HTTP PROXY](#connecting-to-frps-via-http-proxy)
     * [Range ports mapping](#range-ports-mapping)
     * [Client Plugins](#client-plugins)
@@ -435,9 +440,59 @@ admin_pwd = admin
 
 Then visit `http://127.0.0.1:7400` to see admin UI, with username and password both being `admin` by default.
 
+### Monitor
+
+When dashboard is enabled, frps will save monitor data in cache. It will be cleared after process restart.
+
+Prometheus is also supported.
+
+#### Prometheus
+
+Enable dashboard first, then configure `enable_prometheus = true` in `frps.ini`.
+
+`http://{dashboard_addr}/metrics` will provide prometheus monitor data.
+
 ### Authenticating the Client
 
-Always use the same `token` in the `[common]` section in `frps.ini` and `frpc.ini`.
+There are 2 authentication methods to authenticate frpc with frps. 
+
+You can decide which one to use by configuring `authentication_method` under `[common]` in `frpc.ini` and `frps.ini`.
+
+Configuring `authenticate_heartbeats = true` under `[common]` will use the configured authentication method to add and validate authentication on every heartbeat between frpc and frps.
+
+Configuring `authenticate_new_work_conns = true` under `[common]` will do the same for every new work connection between frpc and frps.
+
+#### Token Authentication
+
+When specifying `authentication_method = token` under `[common]` in `frpc.ini` and `frps.ini` - token based authentication will be used.
+
+Make sure to specify the same `token` in the `[common]` section in `frps.ini` and `frpc.ini` for frpc to pass frps validation
+
+#### OIDC Authentication
+
+When specifying `authentication_method = oidc` under `[common]` in `frpc.ini` and `frps.ini` - OIDC based authentication will be used.
+
+OIDC stands for OpenID Connect, and the flow used is called [Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4).
+
+To use this authentication type - configure `frpc.ini` and `frps.ini` as follows:
+
+```ini
+# frps.ini
+[common]
+authentication_method = oidc
+oidc_issuer = https://example-oidc-issuer.com/
+oidc_audience = https://oidc-audience.com/.default
+```
+
+```ini
+# frpc.ini
+[common]
+authentication_method = oidc
+oidc_client_id = 98692467-37de-409a-9fac-bb2585826f18 # Replace with OIDC client ID
+oidc_client_secret = oidc_secret
+oidc_audience = https://oidc-audience.com/.default
+oidc_token_endpoint_url = https://example-oidc-endpoint.com/oauth2/v2.0/token
+```
 
 ### Encryption and Compression
 
@@ -461,6 +516,8 @@ Config `tls_enable = true` in the `[common]` section to `frpc.ini` to enable thi
 
 For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection.
 
+To enforce `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`.
+
 ### Hot-Reloading frpc configuration
 
 The `admin_addr` and `admin_port` fields are required for enabling HTTP API:
@@ -712,7 +769,7 @@ proxy_protocol_version = v2
 
 You can enable Proxy Protocol support in nginx to expose user's real IP in HTTP header `X-Real-IP`, and then read `X-Real-IP` header in your web service for the real IP.
 
-### Require HTTP Basic auth (password) for web services
+### Require HTTP Basic Auth (Password) for Web Services
 
 Anyone who can guess your tunnel URL can access your local web server unless you protect it with a password.
 
@@ -732,7 +789,7 @@ http_pwd = abc
 
 Visit `http://test.example.com` in the browser and now you are prompted to enter the username and password.
 
-### Custom subdomain names
+### Custom Subdomain Names
 
 It is convenient to use `subdomain` configure for http and https types when many people share one frps server.
 
@@ -755,7 +812,7 @@ Now you can visit your web service on `test.frps.com`.
 
 Note that if `subdomain_host` is not empty, `custom_domains` should not be the subdomain of `subdomain_host`.
 
-### URL routing
+### URL Routing
 
 frp supports forwarding HTTP requests to different backend web services by url routing.
 
@@ -778,6 +835,49 @@ locations = /news,/about
 
 HTTP requests with URL prefix `/news` or `/about` will be forwarded to **web02** and other requests to **web01**.
 
+### TCP Port Multiplexing
+
+frp supports receiving TCP sockets directed to different proxies on a single port on frps, similar to `vhost_http_port` and `vhost_https_port`.
+
+The only supported TCP port multiplexing method available at the moment is `httpconnect` - HTTP CONNECT tunnel.
+
+When setting `tcpmux_httpconnect_port` to anything other than 0 in frps under `[common]`, frps will listen on this port for HTTP CONNECT requests.
+
+The host of the HTTP CONNECT request will be used to match the proxy in frps. Proxy hosts can be configured in frpc by configuring `custom_domain` and / or `subdomain` under `type = tcpmux` proxies, when `multiplexer = httpconnect`.
+
+For example:
+
+```ini
+# frps.ini
+[common]
+bind_port = 7000
+tcpmux_httpconnect_port = 1337
+```
+
+```ini
+# frpc.ini
+[common]
+server_addr = x.x.x.x
+server_port = 7000
+
+[proxy1]
+type = tcpmux
+multiplexer = httpconnect
+custom_domains = test1
+
+[proxy2]
+type = tcpmux
+multiplexer = httpconnect
+custom_domains = test2
+```
+
+In the above configuration - frps can be contacted on port 1337 with a HTTP CONNECT header such as:
+
+```
+CONNECT test1 HTTP/1.1\r\n\r\n
+```
+and the connection will be routed to `proxy1`.
+
 ### Connecting to frps via HTTP PROXY
 
 frpc can connect to frps using HTTP proxy if you set OS environment variable `HTTP_PROXY`, or if `http_proxy` is set in frpc.ini file.

Diff for: README_zh.md

@@ -26,7 +26,11 @@ frp 是一个可用于内网穿透的高性能的反向代理应用，支持 tcp
     * [配置文件模版渲染](#配置文件模版渲染)
     * [Dashboard](#dashboard)
     * [Admin UI](#admin-ui)
-    * [身份验证](#身份验证)
+    * [监控](#监控)
+        * [Prometheus](#prometheus)
+    * [客户端身份验证](#客户端身份验证)
+        * [Token](#token)
+        * [OIDC](#oidc)
     * [加密与压缩](#加密与压缩)
         * [TLS](#tls)
     * [客户端热加载配置文件](#客户端热加载配置文件)
@@ -48,6 +52,7 @@ frp 是一个可用于内网穿透的高性能的反向代理应用，支持 tcp
     * [通过密码保护你的 web 服务](#通过密码保护你的-web-服务)
     * [自定义二级域名](#自定义二级域名)
     * [URL 路由](#url-路由)
+    * [TCP 端口复用类型](#tcp-端口复用类型)
     * [通过代理连接 frps](#通过代理连接-frps)
     * [范围端口映射](#范围端口映射)
     * [客户端插件](#客户端插件)
@@ -459,9 +464,56 @@ admin_pwd = admin
 
 如果想要在外网环境访问 Admin UI，将 7400 端口映射出去即可，但需要重视安全风险。
 
-### 身份验证
+### 监控
 
-服务端和客户端的 common 配置中的 `token` 参数一致则身份验证通过。
+frps 当启用 Dashboard 后，会默认开启内部的监控，数据存放在内存中，每次重启进程后会清空，监控数据可以通过 dashboard 的地址发送 HTTP 请求获取。
+
+目前还支持 Prometheus 作为可选的监控系统。
+
+#### Prometheus
+
+在 `frps.ini` 中启用 Dashboard，并且设置 `enable_prometheus = true`，则通过 `http://{dashboard_addr}/metrics` 可以获取到 Prometheus 的监控数据。
+
+### 客户端身份验证
+
+目前 frpc 和 frps 之间支持两种身份验证方式，`token` 和 `oidc`。
+
+通过 `frpc.ini` 和 `frps.ini` 中 `[common]` section 的 `authentication_method` 参数配置需要使用的验证方法。
+
+`authenticate_heartbeats = true` 将会在每一个心跳包中附加上鉴权信息。
+
+`authenticate_new_work_conns = true` 将会在每次建立新的工作连接时附加上鉴权信息。
+
+#### Token
+
+当 `authentication_method = token`，将会启用基于 token 的验证方式。
+
+需要在 `frpc.ini` 和 `frps.ini` 的 `[common]` section 中设置相同的 `token`。
+
+#### OIDC
+
+当 `authentication_method = oidc`，将会启用基于 OIDC 的身份验证。
+
+验证流程参考 [Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4)
+
+启用这一验证方式，配置 `frpc.ini` 和 `frps.ini` 如下：
+
+```ini
+# frps.ini
+[common]
+authentication_method = oidc
+oidc_issuer = https://example-oidc-issuer.com/
+oidc_audience = https://oidc-audience.com/.default
+```
+
+```ini
+[common]
+authentication_method = oidc
+oidc_client_id = 98692467-37de-409a-9fac-bb2585826f18 # Replace with OIDC client ID
+oidc_client_secret = oidc_secret
+oidc_audience = https://oidc-audience.com/.default
+oidc_token_endpoint_url = https://example-oidc-endpoint.com/oauth2/v2.0/token
+```
 
 ### 加密与压缩
 
@@ -487,6 +539,8 @@ use_compression = true
 
 为了端口复用，frp 建立 TLS 连接的第一个字节为 0x17。
 
+通过将 frps.ini 的 `[common]` 中 `tls_only` 设置为 true，可以强制 frps 只接受 TLS 连接。
+
 **注意: 启用此功能后除 xtcp 外，不需要再设置 use_encryption。**
 
 ### 客户端热加载配置文件
@@ -824,6 +878,50 @@ locations = /news,/about
 
 按照上述的示例配置后，`web.yourdomain.com` 这个域名下所有以 `/news` 以及 `/about` 作为前缀的 URL 请求都会被转发到 web02，其余的请求会被转发到 web01。
 
+### TCP 端口复用类型
+
+frp 支持将单个端口收到的连接路由到不同的代理，类似 `vhost_http_port` 和 `vhost_https_port`。
+
+目前支持的复用器只有 `httpconnect`。
+
+当在 `frps.ini` 的 `[common]` 中设置 `tcpmux_httpconnect_port`，frps 将会监听在这个端口，接收 HTTP CONNECT 请求。
+
+frps 会根据 HTTP CONNECT 请求中的 host 路由到不同的后端代理。
+
+示例配置如下：
+
+```ini
+# frps.ini
+[common]
+bind_port = 7000
+tcpmux_httpconnect_port = 1337
+```
+
+```ini
+# frpc.ini
+[common]
+server_addr = x.x.x.x
+server_port = 7000
+
+[proxy1]
+type = tcpmux
+multiplexer = httpconnect
+custom_domains = test1
+
+[proxy2]
+type = tcpmux
+multiplexer = httpconnect
+custom_domains = test2
+```
+
+通过上面的配置，frps 如果接收到 HTTP CONNECT 请求内容:
+
+```
+CONNECT test1 HTTP/1.1\r\n\r\n
+```
+
+该连接将会被路由到 proxy1 。
+
 ### 通过代理连接 frps
 
 在只能通过代理访问外网的环境内，frpc 支持通过 HTTP PROXY 和 frps 进行通信。