Skip to content

Public and Private Locations

Overview

By default, all requests sent by Escape will be routed through one of Public Locations defined in your organization. Here is the list of default Public Locations' IPs used by Escape:

IP Address Region
163.172.177.16 Europe
163.172.182.228 Europe
163.172.182.47 Europe
163.172.178.115 Europe
163.172.174.61 Europe
163.172.168.233 Europe
51.79.24.70 North America
51.79.25.196 North America
51.79.26.185 North America

You can whitelist these IPs in your firewall. You can also deploy Private Locations to route requests through your own IP. Private Locations enable secure detection, fingerprinting, and scanning of internal applications behind your organization's firewall or VPN. This is achieved through the Escape Repeater, a lightweight, open-source tool developed in Golang (GitHub). The Repeater establishes a reverse tunnel between Escape and your internal network, providing a secure channel for performing scans and retrieving results.

Infrastructure Workflow

  1. The locally deployed Repeater connects to the Repeater manager.
  2. When a scan is initiated, Escape sends requests to the Repeater manager rather than directly to your servers.
  3. The Repeater manager forwards the requests to the local Repeater, which relays them to your internal applications.
  4. Scan results are then returned to Escape for reporting and analysis.

Diagram of Private Location Infrastructure:

Escape Private Locations

Getting Started with Private Locations

Escape's Private Locations can be easily deployed using the Repeater, an open-source Docker image, available on GitHub. It can be deployed using Docker CLI, Docker Compose, or other container orchestration tools.

Resource Requirements

The resource requirements depend on expected traffic; a 1 vCPU instance with 2GB RAM is typically sufficient to start, with usage monitored and scaled as necessary. The more integrations you connect through the Private Location, the more resources you need.

Connecting a Private Location

  1. Visit the Private Location Configuration page.
  2. Create a new Private Location or select an existing one.
  3. Follow deployment instructions provided below. The Repeater is available on DockerHub.
  4. Connection status updates every minute in the Last seen column.

Firewall Configuration

To connect your Repeater to Escape, ensure that outgoing connections to repeater.escape.tech on TCP port 443 are allowed. Use the command nslookup repeater.escape.tech to retrieve current IPs if firewall configurations are IP-specific.

Required Outgoing IPs:

Address Protocol Port
52.6.17.196 TCP/GRPC 443
44.210.73.138 TCP/GRPC 443
54.172.108.134 TCP/GRPC 443

Additional IPs for stability:

Address Protocol Port
51.159.205.221 TCP/HTTP 80
51.159.205.221 TCP/HTTPS 443

Deployment Methods

Autoprovisioning in Kubernetes with Helm

You can deploy the Repeater automatically using an API Key and providing it's name. At program start, it will automatically retrieve the location ID from the Escape API or create it if it doesn't exist.

helm repo add escape https://escape-technologies.github.io/repeater/
helm repo update

# Set a unique location name, for example the name of the Kubernetes cluster
export ESCAPE_REPEATER_NAME="k8s-$(kubectl config current-context)"
# Set your API key from https://app.escape.tech/user/profile/
export ESCAPE_API_KEY=...

helm install escape-test-helm escape/escape-repeater --set ESCAPE_REPEATER_NAME="${ESCAPE_REPEATER_NAME}" --set ESCAPE_API_KEY="${ESCAPE_API_KEY}"

Manual Provisioning in Kubernetes with Helm

You can also manually inject the ESCAPE_REPEATER_ID variable by creating a Private Location on Escape Private Location configuration page.

helm repo add escape https://escape-technologies.github.io/repeater/
helm repo update

# Set your API key from https://app.escape.tech/user/profile/
export ESCAPE_API_KEY=...

helm install escape-test-helm escape/escape-repeater --set ESCAPE_REPEATER_ID="${ESCAPE_REPEATER_ID}"

Docker Deployment

To deploy the Repeater, configure it with the following environment variable:

  • ESCAPE_REPEATER_ID: Unique ID for your Private Location.

Example deployment command:

docker run -it --network host --rm --name escape-repeater \
    -e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    escapetech/repeater:latest

More deployment examples are available in the example folder of the GitHub repository. Contributions for additional configurations are welcome.

Docker Compose Deployment

---
version: '3.8'
services:
  repeater:
    image: escapetech/repeater
    restart: always
    environment:
      - ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID>

Podman Deployment

podman run --name escape-repeater --restart=always -e ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID> docker.io/escapetech/repeater:latest

Advanced Configuration Options

Custom CA Certificate

For environments that require a custom CA certificate:

docker run -it --rm --name escape-repeater \
    -v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
    -e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    escapetech/repeater:latest

Allowing SSL Connections

To allow insecure connections, set ESCAPE_REPEATER_INSECURE=true:

docker run -it --rm --name escape-repeater \
    -e ESCAPE_REPEATER_INSECURE=true \
    -e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    escapetech/repeater:latest

Using mTLS

To enable mTLS (mutual TLS), configure the following variables:

  • ESCAPE_REPEATER_mTLS_CRT_FILE: Path to the mTLS certificate.
  • ESCAPE_REPEATER_mTLS_KEY_FILE: Path to the mTLS private key.

Example command:

docker run -it --rm --name escape-repeater \
    -v /path/to/mtls.crt:/usr/local/share/mtls.crt \
    -v /path/to/mtls.key:/usr/local/share/mtls.key \
    -e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
    -e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
    -e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    escapetech/repeater:latest

To declare users with and without mTLS, add the repeater_mtls: true flag:

users:
  # without mTLS
  - name: public

  # with mTLS
  - name: using-mtls
    repeater_mtls: true

Proxy Configuration for Escape Connection

If a proxy is required to connect the Repeater to Escape, configure it using ESCAPE_REPEATER_PROXY_URL. Note: the proxy must support HTTP/2 as gRPC connections are used.

Example:

docker run -it --rm --name escape-repeater \
    -e ESCAPE_REPEATER_PROXY_URL=http://user:pass@my-proxy.server.tld:1234 \
    -e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    escapetech/repeater:latest

This concludes the setup and usage guide for Escape's Private Locations.

Health Checks with Liveness Probes

The Repeater includes a built-in health check endpoint that can be used to monitor its status. To enable health checks, set the HEALTH_CHECK_PORT environment variable to specify the port on which the Repeater should listen for health check requests.

For example:

export HEALTH_CHECK_PORT=8080

Once configured, the Repeater will expose a /health endpoint on the specified port that returns the current health status.

When deploying the Repeater in Kubernetes, you can leverage this health check endpoint by configuring liveness probes in your deployment manifest. Here's an example configuration:

  livenessProbe:
    httpGet:
      path: /health
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10

This configuration:

  • Uses HTTP GET requests to check the /health endpoint
  • Waits 10 seconds before starting health checks (initialDelaySeconds)
  • Performs checks every 10 seconds (periodSeconds)

The health check will help Kubernetes ensure your Repeater is running properly and can automatically restart the pod if issues are detected.