Can not access to client of frp 0.61.1

[Leo2442926161]

Bug Description

after setup the frps(c), I can access to http://qaure.com:7500, but I can access to the http client, I put my log and steps of reproduction below, could anyone help me take a look? thanks.

frpc Version

frp 0.61.1

frps Version

frp 0.61.1

System Architecture

frp_0.61.1_linux_amd64

Configurations

for Frps:

bindAddr = "0.0.0.0"
bindPort = 7000

# If you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bindPort
vhostHTTPPort = 8089
vhostHTTPSPort = 4450

# If subDomainHost is not empty, you can set subdomain when type is http or https in frpc's configure file
# When subdomain is test, the host used by routing is test.frps.com
subDomainHost = "qaure.com"

# trace, debug, info, warn, error
log.level = "trace"

# The default value is 127.0.0.1. Change it to 0.0.0.0 when you want to access it from a public network.
webServer.addr = "0.0.0.0"
webServer.port = 7500
# dashboard's username and password are both optional
webServer.user = "admin"
webServer.password = "admin"

for frpc:

serverAddr = "www.qaure.com"
serverPort = 7000


# Set admin address for control frpc's action by http api such as reload
webServer.addr = "0.0.0.0"
webServer.port = 7400
webServer.user = "admin"
webServer.password = "admin"

[[proxies]]
name = "client2"
type = "http"
localIP = "127.0.0.1"
localPort = 80
subdomain = "client2"
locations = ["/"]
# customDomains = ["client2.qaure-sub.com"]

Logs

frps log:

ubuntu@VM-8-8-ubuntu:~/frpc$ ./frps -c frps.toml 
2025-01-07 15:40:55.150 [I] [frps/root.go:105] frps uses config file: frps.toml
2025-01-07 15:40:55.340 [I] [server/service.go:237] frps tcp listen on 0.0.0.0:7000
2025-01-07 15:40:55.340 [I] [server/service.go:305] http service listen on 0.0.0.0:8089
2025-01-07 15:40:55.340 [I] [server/service.go:319] https service listen on 0.0.0.0:4450
2025-01-07 15:40:55.340 [I] [frps/root.go:114] frps started successfully
2025-01-07 15:40:55.340 [I] [server/service.go:351] dashboard listen on 0.0.0.0:7500
2025-01-07 15:41:16.377 [T] [server/service.go:495] start check TLS connection...
2025-01-07 15:41:16.377 [T] [server/service.go:505] check TLS connection success, isTLS: true custom: false internal: false
2025-01-07 15:41:16.388 [I] [server/service.go:576] [a33a0828fd909801] client login info: ip [113.90.245.14:13104] version [0.61.1] hostname [] os [linux] arch [amd64]
2025-01-07 15:41:16.398 [D] [server/control.go:243] [a33a0828fd909801] new work connection registered
2025-01-07 15:41:16.399 [I] [proxy/http.go:144] [a33a0828fd909801] [client2] http proxy listen for host [client2.qaure.com] location [] group [], routeByHTTPUser []
2025-01-07 15:41:16.399 [I] [server/control.go:399] [a33a0828fd909801] new proxy [client2] type [http] success
2025-01-07 15:42:53.762 [D] [server/service.go:525] Accept new mux stream error: EOF
2025-01-07 15:42:53.762 [I] [proxy/proxy.go:115] [a33a0828fd909801] [client2] proxy closing
2025-01-07 15:42:53.762 [I] [server/control.go:357] [a33a0828fd909801] client exit success
2025-01-07 15:42:54.581 [T] [server/service.go:495] start check TLS connection...
2025-01-07 15:42:54.581 [T] [server/service.go:505] check TLS connection success, isTLS: true custom: false internal: false
2025-01-07 15:42:54.593 [I] [server/service.go:576] [83a0b9ecfdb771e8] client login info: ip [113.90.245.14:27903] version [0.61.1] hostname [] os [linux] arch [amd64]
2025-01-07 15:42:54.603 [I] [proxy/http.go:144] [83a0b9ecfdb771e8] [client2] http proxy listen for host [client2.qaure.com] location [/] group [], routeByHTTPUser []
2025-01-07 15:42:54.603 [I] [server/control.go:399] [83a0b9ecfdb771e8] new proxy [client2] type [http] success
2025-01-07 15:42:54.603 [D] [server/control.go:243] [83a0b9ecfdb771e8] new work connection registered

frpc log:

leo@leo:~/leoWork/software/frp/frp_0.61.1_linux_amd64$ ./frpc -c frpc2.toml 
2025-01-07 15:42:54.519 [I] [sub/root.go:142] start frpc service for config file [frpc2.toml]
2025-01-07 15:42:54.519 [I] [client/service.go:295] try to connect to server...
2025-01-07 15:42:54.519 [I] [client/service.go:174] admin server listen on 0.0.0.0:7400
2025-01-07 15:42:54.624 [I] [client/service.go:287] [83a0b9ecfdb771e8] login to server success, get run id [83a0b9ecfdb771e8]
2025-01-07 15:42:54.624 [I] [proxy/proxy_manager.go:173] [83a0b9ecfdb771e8] proxy added: [client2]
2025-01-07 15:42:54.634 [I] [client/control.go:168] [83a0b9ecfdb771e8] [client2] start proxy success

Steps to reproduce

1. run ./frps -c frps.toml on the internet server
2. run ./frpc -c frpc2.toml on device
3. I can access to http://qaure.com:7500 but I can not access to the http client (http://client2.qaure.com/)

Affected area

• Docs
• Installation
• Performance and Scalability
• Security
• User Experience
• Test and Release
• Developer Infrastructure
• Client Plugin
• Server Plugin
• Extensions
• Others

[fatedier]

Summary of Possible Causes and Solutions:

1. DNS Configuration

   • Make sure client2.qaure.com (or *.qaure.com if using a wildcard) has a valid A record that points to the same public IP as qaure.com.
   • Verify via ping or nslookup that client2.qaure.com resolves to the correct IP.

2. HTTP Port vs. 80 Port

   • You set vhostHTTPPort = 8089 in frps.toml. By default, visiting http://client2.qaure.com tries to connect on port 80, but FRP is listening on 8089.
   • Either add a port forwarding (e.g., using Nginx) from 80 to 8089, or change vhostHTTPPort to 80 in the FRP config, and ensure port 80 is open.

3. Firewall / Security Group

   • Confirm that ports 7000 (FRP TCP), 8089 (FRP HTTP), and/or 80 are open on both the server’s firewall and in any cloud security group settings.

4. Other Factors

   • Ensure the local service on 127.0.0.1:80 is actually running where frpc is installed.
   • Keep FRP versions consistent (both frpc and frps at version 0.61.1).

Most likely, the main issue is either a missing/incorrect DNS record for client2.qaure.com or the fact that the external HTTP port is set to 8089 but not forwarded from port 80.

[Leo2442926161]

Hi Fatediler,
Thank you very much for your quick response and help.

I guess so, the main issue probably is port 8089, how to remove the port 8089?

if I remove the port 8089, it shows an error below:
[client2] start error: type [http] not supported when vhost http port is not set

if I change the Vhost port to 80, it can not create the listerner:
create vhost http listener error, listen tcp 0.0.0.0:80: bind: permission denied

that's why I add vhostHTTPPort = 8089 and vhostHTTPSPort = 4450 to the script, what exactly the vhost is thoough?

[fatedier]

What is vhost in FRP?

• In FRP, “vhost” stands for “virtual host.” When you set type = "http" (or https), FRP uses HTTP host headers (e.g., Host: client2.qaure.com) to decide which proxy to route the request to. In other words, multiple subdomains (like client1.qaure.com, client2.qaure.com, etc.) can share the same IP address and port, and FRP will internally direct each one to the appropriate local service.

Why do I need vhostHTTPPort or vhostHTTPSPort?

• FRP needs a dedicated port to listen for incoming HTTP (or HTTPS) requests that match your subdomains. By default, typical HTTP traffic would arrive on port 80, but on most systems binding to port 80 requires root privileges.
• If FRP can’t bind to port 80, it will throw the “bind: permission denied” error. That’s why changing vhostHTTPPort to 80 fails unless you run FRP with root privileges or configure special permissions (e.g., using setcap on Linux).

Why do I see “type [http] not supported when vhost http port is not set”?

• Because FRP’s HTTP-based proxies require a dedicated port (the “virtual host” port) to listen on. If you remove the vhostHTTPPort completely, FRP doesn’t know which port to use for HTTP routing.

---

How can I use port 80 (without getting “permission denied”)?

1. Run FRP as root (not always recommended for security, but straightforward).
2. Use setcap on Linux to allow a non-root binary to bind to privileged ports (e.g., sudo setcap 'cap_net_bind_service=+ep' ./frps). This lets FRPS bind to port 80 without requiring root permissions to run.

# Example (assuming your FRPS binary is named "frps")
sudo setcap 'cap_net_bind_service=+ep' /path/to/frps
./frps -c frps.toml

3. Use a reverse proxy (e.g., Nginx) in front of FRP. Nginx can listen on port 80 and forward traffic to FRP’s 8089 port. That way, you don’t have to modify FRP’s permissions.

---

If I keep vhostHTTPPort = 8089, how do I access my site?

• You must either:
  1. Include the port in your URL (e.g., http://client2.qaure.com:8089).
  2. Or have a layer that redirects/forwards traffic from port 80 to port 8089.

Otherwise, when users go to http://client2.qaure.com, it tries port 80 by default, which FRP isn’t listening on.

---

Summary

• vhostHTTPPort is how FRP sets up a virtual host for HTTP subdomain routing.
• You either use a non-privileged port (like 8089) and include it in your URL (or forward from port 80), or grant FRP permission to bind to port 80 directly.

[Leo2442926161]

Hi Fatediler,
Thank you for the detailed explanation, that seems very helpful, I am trying it and will let you know the result.

[fatedier]

The above content is all generated by chatgpt o1 model. You can also prioritize seeking solutions through an LLM.