frp on AWS User Guide
Overview
This image runs frp (Fast Reverse Proxy), the open source high performance reverse proxy that exposes a local service sitting behind NAT or a firewall to the public internet. An frps server runs on a host with a public IP, and frpc clients running next to your private services connect out to it and register named tunnels, so traffic that reaches the public server is forwarded back to the private service over a single persistent connection. No inbound firewall ports need to be opened on the private network.
The frps server binary is installed under /opt/frp and runs as a dedicated unprivileged frp system account under a systemd service that starts it on boot and restarts it on failure. The frpc client binary is installed alongside it so you can test a tunnel from the same host. The server configuration lives in /etc/frp/frps.toml and the server runtime state lives at /var/lib/frp, which is a dedicated, independently resizable EBS data volume.
frps listens on the control port 7000 for frpc clients and exposes a built in web dashboard. The dashboard binds to the loopback interface only and is never exposed directly. An nginx reverse proxy publishes the dashboard on port 80, and frps performs its own HTTP Basic authentication on it. The dashboard password and the server authentication token are both generated on the first boot of every deployed instance, so two instances launched from the same Amazon Machine Image never share credentials. They are written to /root/frp-aws-credentials.txt with mode 0600 so that only the root user can read them.
Prerequisites
Before you deploy this image you need:
- An Amazon Web Services account where you can launch EC2 instances
- IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
- An EC2 key pair in the target Region for SSH access to the instance
- A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network, port 80 for the web dashboard, and port 7000 for frpc clients to register
- The AWS CLI (version 2) installed locally if you plan to deploy from the command line
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for frp. Select the cloudimg listing and choose Select, then Continue on the subscription summary.
Pick an instance type of t3.small or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that opens port 22 from your management network, port 80 for the dashboard, and port 7000 for frpc clients. Leave the root volume at the default size or larger.
Select Launch instance. First boot initialisation takes a few seconds after the instance state becomes Running and the status checks pass.
Step 2: Launch the Instance from the AWS CLI
The following block launches an instance from the cloudimg frp Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens ports 22, 80 and 7000 as described above.
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type t3.small \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=frp}]'
When the instance reaches the Running state and its status checks pass, note its public IP address or DNS name from the EC2 console or with aws ec2 describe-instances.
Step 3: Connect to Your Instance
Connect over SSH using your key pair and the login user for your operating system variant.
| OS variant | SSH login user |
|---|---|
| Ubuntu 24.04 | ubuntu |
ssh -i <key-name>.pem ubuntu@<public-ip>
Step 4: Retrieve the Dashboard Password and Server Token
The dashboard password and the server authentication token are unique to your instance and were generated on first boot. Read them as root:
sudo cat /root/frp-aws-credentials.txt
The file lists the dashboard URL, the dashboard user (admin) and the generated password, plus the server address, the control port (7000) and the generated server token that frpc clients use to authenticate. Keep this file somewhere safe.
Step 5: Sign In to the frps Web Dashboard
The frps web dashboard is served on port 80 by nginx, and frps applies its own HTTP Basic authentication. In a browser, go to:
http://<instance-public-ip>/
You are prompted for credentials. Sign in as admin with the password from the credentials file. The dashboard opens on the Overview page, which shows the number of connected clients, active proxies, current connections and total traffic, along with the server configuration including the frp version and the bind port.

The Proxies page lists every registered proxy with its type, remote port, owning client and live traffic counters. Each proxy shows whether it is currently online.

The Clients page lists every connected frpc client with its run id, source IP, frp version and online status, so you can see at a glance which clients are registered with the server.

Step 6: Confirm frp Is Running
Over SSH, confirm the server and the nginx proxy are active and that the ports are listening:
sudo systemctl is-active frps nginx
sudo ss -tlnp | grep -E ':(80|7000|7500) '
You should see both services reported as active, frps listening on the control port 7000 for frpc clients, the dashboard listening on 127.0.0.1:7500 (loopback only), and nginx listening on port 80.
You can also query the dashboard server-info API over loopback on the instance. Read the generated dashboard password and call the API:
DASH_PASS=$(sudo grep '^frp.dashboard.pass=' /root/frp-aws-credentials.txt | cut -d= -f2-)
curl -s -u "admin:${DASH_PASS}" http://127.0.0.1/api/serverinfo
The response is JSON reporting the frp version, the bind port and the current client and proxy counts.
Step 7: Register Your First Tunnel with frpc
frpc clients run next to the private service you want to expose and connect out to the frps server on the control port. The frpc client binary is bundled on this instance at /opt/frp/frpc (and on your PATH as frpc) so you can test a tunnel immediately, but in production you run frpc on the machine that hosts the private service.
Create an frpc configuration file. Replace <public-ip> with the instance public IP and <server-token> with the frp.server.token value from the credentials file. This example exposes a local web server (listening on 127.0.0.1:8080 on the frpc host) on the public port 6080 of the frps server:
serverAddr = "<public-ip>"
serverPort = 7000
auth.method = "token"
auth.token = "<server-token>"
[[proxies]]
name = "my-web"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8080
remotePort = 6080
Save it as frpc.toml and start the client:
frpc -c frpc.toml
Once the client registers, the proxy appears on the dashboard Proxies page, and traffic to <public-ip>:6080 is forwarded to the private service on the frpc host. Make sure the public port you choose (here 6080) is open in the instance security group for the clients that should reach the tunnel.
Step 8: Proxy Types
frp supports several proxy types beyond plain TCP. Set the type field of each proxy in your frpc configuration:
- tcp and udp — forward a raw TCP or UDP port, useful for SSH, databases, game servers and similar.
- http and https — virtual host routing by domain name through frp's HTTP and HTTPS vhost listeners.
- stcp, sudp and xtcp — secret and peer to peer tunnels that require a matching visitor configuration and are not published on a public port.
See the frp documentation for the full set of options for each type. The bundled server accepts token authenticated clients on the control port 7000 for every type.
Step 9: The Data Volume
The frps server runtime state lives on a dedicated EBS volume mounted at /var/lib/frp. This keeps the server working directory off the operating system disk and lets you resize or snapshot it independently. Confirm the mount with:
df -h /var/lib/frp
To grow the volume, expand the EBS volume in the AWS console, then grow the filesystem on the instance with sudo resize2fs on the underlying device. frps and nginx start automatically on boot.
Step 10: Rotate the Dashboard Password and Server Token
Both secrets are stored in /etc/frp/frps.toml. To rotate them, edit the webServer.password and auth.token values in that file as root, then restart frps:
sudo systemctl restart frps
After you change auth.token, update the auth.token in every frpc client configuration so clients can continue to register. Update your saved copy of /root/frp-aws-credentials.txt to match.
Step 11: Enable HTTPS
The dashboard is served over plain HTTP on port 80 by nginx. For production use, place it behind TLS. Obtain a certificate for your domain (for example with a managed certificate on an Application Load Balancer in front of the instance, or with Certbot installed on the instance for your-domain), then configure nginx to listen on 443 with your certificate and proxy to 127.0.0.1:7500 exactly as the bundled site does for port 80. Restrict the security group so the dashboard is reachable only from the networks that administer the server.
Step 12: Backup and Maintenance
Back up the server configuration by copying /etc/frp/frps.toml, and snapshot the /var/lib/frp EBS volume to capture the server runtime state. Apply operating system security updates with sudo apt-get update && sudo apt-get upgrade and reboot when a new kernel is installed; frps and nginx start automatically on boot.
Support
This image is published and supported by cloudimg. Support covers deployment, frpc client configuration, proxy type selection, the dashboard, token and dashboard credential rotation, TLS and tuning. Contact cloudimg through the support channel listed on the AWS Marketplace listing.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.