Repeater Proxy
This feature is only available to Enterprise Customers. Contact us via email or your Private Slack Support Channel for more information.
Overview
Escape's Repeater Proxy allows you to scan scan Internal Apps behind your organization's firewall or VPN.
This repeater creates a private tunnel between Escape and one of your servers. All the Ecape requests will comes from this server.
Here is a schema of the infrastructure :
First, the repeater client you have deployed locally will connect to the Repeater manager (1). When you start a scan on Escape, instead of sending the requests directly to your server, Escape will send them to the Repeater manager (2). Your client will receive the requests and send them to your server (3 & 4). The results are sent back to Escape to allow you to see scans results.
Resources
The Repeater Proxy is an open source docker image available on Github Escape-Technologies/Repeater.
The resources needed to run it depends on the trafic you will have. We recommend to start with an instance with 1 vCPU and 2GB of RAM and monitor the usage.
Setup a repeater
Escape's Repeater Proxy is available as a Docker image. You can deploy it on any server that can reach your internal applications. The agent's code can also be found on Github.
As it is a Docker image, you can deploy it using docker cli, docker compose or any other container orchestration tool. In this tutorial, we will use docker cli but for production setup, we recommend you to use a container orchestration tool like docker compose.
You now need to run the repeater with the following environment variables:
ESCAPE_REPEATER_ID
: Your repeater id.
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
You can find in the example folder more deployment examples. Feel free to contribute and add your own.
Custom CA certificate
If you need to add a custom ca certificate, you can mount it in the container:
docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Allow any SSL certificate
If you want to allow insecure connections, you can set the ESCAPE_REPEATER_INSECURE
environment variable to true
:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_INSECURE=true \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Using mTLS
mTLS or mutual TLS is a security measure that requires both the client and the server to present a certificate to authenticate each other. This is a more secure way to authenticate the client and the server.
To use mTLS, you need to provide the following environment variables:
ESCAPE_REPEATER_mTLS_CRT_FILE
: The path to the mTLS certificate file.ESCAPE_REPEATER_mTLS_KEY_FILE
: The path to the mTLS private key.
docker run -it --rm --name escape-repeater \
-v /path/to/mtls.crt:/usr/local/share/mtls.crt \
-v /path/to/mtls.key:/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
-e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
After that, you can authenticate your application using the repeater by adding the repeater_mtls: true
flag.
For example, the following configuration declare two users, one unauthenticated and one with mTLS:
users:
# without mTLS
- name: public
# with mTLS
- name: using-mtls
repeater_mtls: true
Use a custom proxy to connect to escape
As this software use two types of connections : connection for the repeater to escape and connection from the repeater to your internal APIs, we ignore the HTTP_PROXY
and HTTPS_PROXY
environment variables.
If you want to connect to the escape tenant (repeater.escape.tech
) via a proxy, you can use the ESCAPE_REPEATER_PROXY_URL
environment variable.
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_PROXY_URL=http://user:pass@my-proxy.server.tld:1234 \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Note that as we use gRPC, the proxy must support it. You so need an HTTP/2 proxy.
Configure your firewall
To allow the Repeater to connect to Escape, you need to allow in your firewall this service to connect to escape services. Make sure the following outgoing connections are allowed by your network configuration:
The repeater endpoint repeater.escape.tech
should be reachable via TCP
on port 443
.
It is deployed on AWS with high availability, so the IPs can change,
if your firewall only supports IPs, you can run the nslookup repeater.escape.tech
command to retrieve the current IPs,
if the repeater lose connection, check again that the IPs are still the same.
The last updated IPs (2024/09/09
) are :
Address | Protocol | Port |
---|---|---|
52.6.17.196 | TCP /GRPC | 443 |
44.210.73.138 | TCP /GRPC | 443 |
54.172.108.134 | TCP /GRPC | 443 |
The following IPs are also used by the repeater to ensure a stable connection:
Address | Protocol | Port |
---|---|---|
51.159.205.221 | TCP /HTTP | 80 |
51.159.205.221 | TCP /HTTPS | 443 |
Connect a repeater
- Go to the Network Configuration page.
- Create a Repeater or use an existing one.
- Follow the deployment intrusctions directly in the Network page. The Repeater is available via a Docker image accessible on DockerHub.
- The connection status is refreshed every minute in the Last seen column.
Use a repeater on a new application
While additing a new app to Escape, the Repeater list will be proposed when try to reach your API. Select the Repeater you want to use.
Use a repeater on an existing application.
Go to the Advanced Settings of the applications and add the following configuration:
client:
proxy:
type: repeater
target: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Put here your repeater id