
Private Locations

Enterprise Feature

This feature is only available to Enterprise Customers. Contact us via email or your Private Slack Support Channel for more information.

Overview

Private Locations allow you to scan Internal Apps behind your organization's firewall or VPN.

The Private Location Worker creates a private tunnel between Escape and one of your servers. All requests Escape sends to your application will come from this server.

Here is a schema of the infrastructure:

[Figure: Escape Private Locations]

First, the Private Location Worker you have deployed locally connects to the Private Locations manager (1). When you start a scan on Escape, instead of sending the requests directly to your server, Escape sends them to the Private Locations manager (2). Your worker receives the requests and forwards them to your server (3 & 4). The responses are sent back to Escape so you can see the scan results.

Resources

The Private Location Worker is an open source Docker image available on Github Escape-Technologies/Repeater.

The resources needed to run it depend on the traffic you will have. We recommend starting with an instance with 1 vCPU and 2 GB of RAM and monitoring the usage.

Getting Started with Private Locations

Escape's Private Location Worker is available as a Docker image. You can deploy it on any server that can reach your internal applications. The code can also be found and audited on Github.

As it is a Docker image, you can deploy it using the Docker CLI, Docker Compose or any other container orchestration tool. In this tutorial we use the Docker CLI, but for a production setup we recommend a container orchestration tool such as Docker Compose.

You now need to run the Worker with the following environment variable:

  • ESCAPE_REPEATER_ID: Your Private Location ID.
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest

You can find more deployment examples in the example folder of the repository. Feel free to contribute and add your own.

Custom CA certificate

If your internal applications present certificates issued by a private CA, mount that CA certificate into the container instead of disabling verification:

docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest

Allow any SSL certificate

If you want to allow insecure connections, set the ESCAPE_REPEATER_INSECURE environment variable to true. This disables certificate verification for the worker's connections to your applications, so the worker will also accept a certificate presented by anything able to intercept that traffic on your network. Prefer mounting your CA certificate as shown above and keep this option off outside test environments:

docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_INSECURE=true \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest

Using mTLS

mTLS, or mutual TLS, is a security measure that requires both the client and the server to present a certificate, so that each side authenticates the other. This is a more secure way to authenticate the client and the server than a server-side certificate alone.

To use mTLS, you need to provide the following environment variables:

  • ESCAPE_REPEATER_mTLS_CRT_FILE: The path to the mTLS certificate file.
  • ESCAPE_REPEATER_mTLS_KEY_FILE: The path to the mTLS private key.
docker run -it --rm --name escape-repeater \
-v /path/to/mtls.crt:/usr/local/share/mtls.crt \
-v /path/to/mtls.key:/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
-e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
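The following script is an added example and is not part of the Escape repository or of this page's instructions. It pre-checks the inputs used by the docker run commands above (the ESCAPE_REPEATER_ID value, a mounted CA certificate, and the mTLS certificate/key pair) and then assembles the docker run command from them, so that a typo in the ID or a certificate that does not match its key is caught before the container starts rather than surfacing as a worker that never connects. It assumes bash, the openssl CLI and docker are on PATH; the function names and file paths are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example (not the Escape project's own tooling): validate the inputs a
# Private Location Worker needs, then print the docker run command to review.
# Assumptions: bash, openssl and docker on PATH; all file paths are placeholders.
set -eu

# ESCAPE_REPEATER_ID is shown on the page as a UUID; reject anything else.
valid_repeater_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# A CA file that does not parse as an X.509 certificate is silently useless
# once mounted, so check it before mounting it.
valid_ca_file() {
  [ -r "$1" ] && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# An mTLS certificate whose public key does not match the private key is
# rejected by the target and hard to debug from inside the container. Compare
# the SubjectPublicKeyInfo derived from each file.
mtls_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    return 0
  fi
  return 1
}

# Assemble the docker run command from the page's options. Printed rather than
# executed so it can be reviewed first; pipe the output to sh to run it.
build_run_command() {
  id=$1; ca=${2:-}; crt=${3:-}; key=${4:-}
  cmd="docker run -it --rm --name escape-repeater"
  if [ -n "$ca" ]; then
    cmd="$cmd -v $ca:/usr/local/share/ca-certificates/ca.crt"
  fi
  if [ -n "$crt" ]; then
    cmd="$cmd -v $crt:/usr/local/share/mtls.crt -v $key:/usr/local/share/mtls.key"
    cmd="$cmd -e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt"
    cmd="$cmd -e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key"
  fi
  cmd="$cmd -e ESCAPE_REPEATER_ID=$id escapetech/repeater:latest"
  printf '%s\n' "$cmd"
}

# Run every check that applies to the given inputs, then print the command.
# Arguments: repeater id, optional CA file, optional mTLS cert, optional mTLS key.
preflight() {
  id=$1; ca=${2:-}; crt=${3:-}; key=${4:-}
  valid_repeater_id "$id" || { echo "bad ESCAPE_REPEATER_ID: $id" >&2; return 1; }
  if [ -n "$ca" ]; then
    valid_ca_file "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
  fi
  if [ -n "$crt" ] || [ -n "$key" ]; then
    mtls_pair_matches "$crt" "$key" || { echo "mTLS cert/key do not match" >&2; return 1; }
  fi
  build_run_command "$id" "$ca" "$crt" "$key"
}

# Usage (placeholder paths):
# preflight "$ESCAPE_REPEATER_ID" /path/to/ca.crt /path/to/mtls.crt /path/to/mtls.key | sh
```

The key/certificate comparison is deliberately done on the host with openssl rather than inside the container, so a mismatch is reported before anything is mounted; the same check is worth repeating whenever the mTLS certificate is rotated.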

After that, you can have Escape authenticate to your application through the Private Location Worker's certificate by adding the repeater_mtls: true flag to a user. For example, the following configuration declares two users, one unauthenticated and one with mTLS:

users:
  # without mTLS
  - name: public

  # with mTLS
  - name: using-mtls
    repeater_mtls: true

Configure your firewall

To allow the Private Location Worker to connect to Escape, your firewall must let this service reach Escape's endpoints. Make sure the following outgoing connections are allowed by your network configuration.

The Private Location Worker connects to repeater.escape.tech, which must be reachable over TCP on port 443. The service is deployed on AWS with high availability, so its IP addresses can change. If your firewall only supports IP-based rules, run the nslookup repeater.escape.tech command to retrieve the current addresses, and if the Private Location Worker loses its connection, check again that the addresses are still the same.

The last updated IPs (2024/09/09) are:

Address          Protocol   Port
52.6.17.196      TCP/GRPC   443
44.210.73.138    TCP/GRPC   443
54.172.108.134   TCP/GRPC   443

The following IPs are also used by the Private Location Worker to ensure a stable connection:

Address          Protocol   Port
51.159.205.221   TCP/HTTP   80
51.159.205.221   TCP/HTTPS  443
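The following script is an added example, not Escape's own tooling, of the check described above: it resolves repeater.escape.tech, compares the result with the allowlist from the table dated 2024/09/09, and prints any address your firewall rules do not yet permit (the usual cause when a worker that used to connect suddenly loses its connection). It assumes dig or getent is available on the host; the iptables output at the end is an assumption about the host firewall and only a starting point for whatever rule format you actually use.

```shell
#!/usr/bin/env bash
# Added example (not Escape's own tooling): detect when repeater.escape.tech
# resolves to addresses that are missing from the egress allowlist.
# Assumptions: dig or getent on PATH; iptables syntax for the generated rules.
set -eu

ESCAPE_HOST=repeater.escape.tech

# Allowlist copied from the page's table dated 2024/09/09 (TCP/GRPC 443).
# Update it whenever the published list changes.
ALLOWLIST="52.6.17.196
44.210.73.138
54.172.108.134"

# Resolve the host's current IPv4 addresses, one per line (needs network).
resolve_ipv4() {
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# Print every address in the resolved list ($2) that is absent from the
# allowlist ($1). Returns 1 when at least one such address exists.
drift() {
  allow=$1; resolved=$2; rc=0
  for ip in $resolved; do
    if ! printf '%s\n' "$allow" | grep -Fxq -- "$ip"; then
      printf '%s\n' "$ip"; rc=1
    fi
  done
  return $rc
}

# Print allowlist entries ($1) that no longer appear in the resolved list ($2).
# Informational only: a stale rule is harmless but worth pruning.
stale() {
  allow=$1; resolved=$2
  for ip in $allow; do
    if ! printf '%s\n' "$resolved" | grep -Fxq -- "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
  return 0
}

# Emit one egress rule per address (newline-separated list in $1) for port $2.
# iptables is an assumption of this example; adapt to your firewall.
egress_rules() {
  port=${2:-443}
  for ip in $1; do
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$ip" "$port"
  done
}

# Live check: resolve the host, report drift, and print rules for new addresses.
check_egress() {
  resolved=$(resolve_ipv4 "$ESCAPE_HOST")
  if new=$(drift "$ALLOWLIST" "$resolved"); then
    echo "no drift: all resolved addresses are allowlisted"
  else
    echo "resolved addresses missing from the allowlist:"
    printf '%s\n' "$new"
    egress_rules "$new" 443
  fi
  old=$(stale "$ALLOWLIST" "$resolved")
  [ -z "$old" ] || { echo "allowlist entries no longer resolved:"; printf '%s\n' "$old"; }
}

# Usage: check_egress
```

Running check_egress from cron on the worker host gives an early warning that the published addresses have rotated, so the allowlist can be updated before the next scan instead of after the worker drops offline.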

Connect a Private Location

  1. Go to the Network Configuration page.
  2. Create a new Private Location or use an existing one.
  3. Follow the deployment instructions directly in the Network page. The Private Location Worker is available as a Docker image on DockerHub.
  4. The connection status is refreshed every minute in the Last seen column.

Use a Private Location on a new application

While adding a new app to Escape, the list of Private Locations is proposed when Escape tries to reach your API. Select the Private Location you want to use.

Use a Private Location on an existing application

Go to the Advanced Settings of the application and add the following configuration:

client:
  proxy:
    type: repeater
    target: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Put here your repeater id