Public and Private Locations¶
Warning
The private locations are now available through the Escape CLI. If you are using the old repeater
image, please refer to the migration guide below.
Overview¶
By default, all requests sent by Escape will be routed through one of Public Locations defined in your organization. Here is the list of default Public Locations' IPs used by Escape:
IP Address | Region |
---|---|
163.172.177.16 | Europe |
163.172.182.228 | Europe |
163.172.182.47 | Europe |
163.172.178.115 | Europe |
163.172.174.61 | Europe |
163.172.168.233 | Europe |
51.79.24.70 | North America |
51.79.25.196 | North America |
51.79.26.185 | North America |
You can whitelist these IPs in your firewall. Alternatively, you can deploy Private Locations to route requests through your own network. Private Locations enable secure detection, fingerprinting, and scanning of internal applications behind your organization's firewall or VPN.
Infrastructure Workflow¶
- The locally deployed Private Location connects to the Escape platform.
- When a scan is initiated, Escape sends requests to the Private Location service rather than directly to your servers.
- The Private Location forwards the requests to your internal applications.
- Scan results are then returned to Escape for reporting and analysis.
Diagram of Private Location Infrastructure:
Resource Requirements¶
The resource requirements depend on expected traffic; a 1 vCPU instance with 2GB RAM is typically sufficient to start, with usage monitored and scaled as necessary. The more integrations you connect through the Private Location, the more resources you need.
Deploying a Private Location¶
To deploy a private location, you only need to retrieve your API key from the platform. With the API key, you will be able to create locations, list them, and delete them.
To get your API key, go to your profile page. Now save it in your environment variables as ESCAPE_API_KEY=...
.
Using the Escape CLI¶
If you have installed the Escape CLI, you can manage your private locations with the following commands:
This will start a new private location on your computer and will automatically connect it to your Escape account. If the location does not exist, it will be created, and you will be able to see its status in the Escape platform on the Private Locations page.
Using Helm¶
helm repo add escape-cli https://escape-technologies.github.io/cli/
helm repo update
# Get your API key from https://app.escape.tech/user/profile/
helm install escape-private-location escape-cli/private-location --set ESCAPE_API_KEY="${ESCAPE_API_KEY}"
Using Docker¶
You can start a private location with Docker by running:
docker run -e ESCAPE_API_KEY="${ESCAPE_API_KEY}" -it --rm escapetech/cli:latest locations start location-name
Using Podman¶
If you prefer Podman, you can use:
podman run -e ESCAPE_API_KEY="${ESCAPE_API_KEY}" -it --rm escapetech/cli:latest locations start location-name
Docker Compose Deployment¶
---
services:
private-location:
image: escapetech/cli:latest
restart: always
command: locations start -v location-name
environment:
- ESCAPE_API_KEY=<ESCAPE_API_KEY>
Firewall Configuration¶
To connect your private location to Escape, ensure that outgoing connections to private-location.escape.tech
on TCP
port 2222
are allowed. Use the command nslookup private-location.escape.tech
to retrieve current IPs if firewall configurations are IP-specific.
Required Outgoing IPs:
Address | Protocol | Port |
---|---|---|
34.198.143.22 | TCP /SSH | 2222 |
52.6.14.96 | TCP /SSH | 2222 |
44.195.135.65 | TCP /SSH | 2222 |
Additional IPs for stability:
Address | Protocol | Port |
---|---|---|
51.159.205.221 | TCP /HTTP | 80 |
51.159.205.221 | TCP /HTTPS | 443 |
Migration from Legacy Repeater¶
The main difference between the old escapetech/repeater
image and the new escapetech/cli
image is that you don't need to manually create the repeater on the Escape platform and copy-paste it's ID.
If you're using the legacy escapetech/repeater
image, follow these steps to migrate to the new CLI-based approach:
- Retrieve your API key from your profile page
- Update your configuration:
- Remove the
ESCAPE_REPEATER_ID
environment variable - Add the
ESCAPE_API_KEY
environment variable - Update the startup command to
locations start -v location-name
wherelocation-name
is your desired location name
- Remove the
- Switch from the
escapetech/repeater
image to theescapetech/cli:latest
image
Old Repeater setup (deprecated)
Old Repeater setup (deprecated)¶
Escape's Private Locations can be easily deployed using the Repeater, an open-source Docker image, available on GitHub. It can be deployed using Docker CLI, Docker Compose, or other container orchestration tools.
Connecting a Private Location¶
- Visit the Private Location Configuration page.
- Create a new Private Location or select an existing one.
- Follow deployment instructions provided below. The Repeater is available on DockerHub.
- Connection status updates every minute in the Last seen column.
Firewall Configuration¶
To connect your Repeater to Escape, ensure that outgoing connections to repeater.escape.tech
on TCP
port 443
are allowed. Use the command nslookup repeater.escape.tech
to retrieve current IPs if firewall configurations are IP-specific.
Required Outgoing IPs:
Address | Protocol | Port |
---|---|---|
52.6.17.196 | TCP /GRPC | 443 |
44.210.73.138 | TCP /GRPC | 443 |
54.172.108.134 | TCP /GRPC | 443 |
Additional IPs for stability:
Address | Protocol | Port |
---|---|---|
51.159.205.221 | TCP /HTTP | 80 |
51.159.205.221 | TCP /HTTPS | 443 |
Deployment Methods¶
Autoprovisioning in Kubernetes with Helm¶
You can deploy the Repeater automatically using an API Key and providing it's name. At program start, it will automatically retrieve the location ID from the Escape API or create it if it doesn't exist.
helm repo add escape https://escape-technologies.github.io/repeater/
helm repo update
# Set a unique location name, for example the name of the Kubernetes cluster
export ESCAPE_REPEATER_NAME="k8s-$(kubectl config current-context)"
# Set your API key from https://app.escape.tech/user/profile/
export ESCAPE_API_KEY=...
helm install escape-test-helm escape/escape-repeater --set ESCAPE_REPEATER_NAME="${ESCAPE_REPEATER_NAME}" --set ESCAPE_API_KEY="${ESCAPE_API_KEY}"
Manual Provisioning in Kubernetes with Helm¶
You can also manually inject the ESCAPE_REPEATER_ID
variable by creating a Private Location on Escape Private Location configuration page.
helm repo add escape https://escape-technologies.github.io/repeater/
helm repo update
# Set your API key from https://app.escape.tech/user/profile/
export ESCAPE_API_KEY=...
helm install escape-test-helm escape/escape-repeater --set ESCAPE_REPEATER_ID="${ESCAPE_REPEATER_ID}"
Docker Deployment¶
To deploy the Repeater, configure it with the following environment variable:
ESCAPE_REPEATER_ID
: Unique ID for your Private Location.
Example deployment command:
docker run -it --network host --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
More deployment examples are available in the example folder of the GitHub repository. Contributions for additional configurations are welcome.
Docker Compose Deployment¶
---
version: '3.8'
services:
repeater:
image: escapetech/repeater
restart: always
environment:
- ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID>
Podman Deployment¶
podman run --name escape-repeater --restart=always -e ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID> docker.io/escapetech/repeater:latest
Advanced Configuration Options¶
Custom CA Certificate¶
For environments that require a custom CA certificate:
docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Allowing SSL Connections¶
To allow insecure connections, set ESCAPE_REPEATER_INSECURE=true
:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_INSECURE=true \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Using mTLS¶
To enable mTLS (mutual TLS), configure the following variables:
ESCAPE_REPEATER_mTLS_CRT_FILE
: Path to the mTLS certificate.ESCAPE_REPEATER_mTLS_KEY_FILE
: Path to the mTLS private key.
Example command:
docker run -it --rm --name escape-repeater \
-v /path/to/mtls.crt:/usr/local/share/mtls.crt \
-v /path/to/mtls.key:/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
-e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
To declare users with and without mTLS, add the repeater_mtls: true
flag:
Proxy Configuration for Escape Connection¶
If a proxy is required to connect the Repeater to Escape, configure it using ESCAPE_REPEATER_PROXY_URL
. Note: the proxy must support HTTP/2 as gRPC connections are used.
Example:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_PROXY_URL=http://user:pass@my-proxy.server.tld:1234 \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
This concludes the setup and usage guide for Escape's Private Locations.
Health Checks with Liveness Probes¶
The Repeater includes a built-in health check endpoint that can be used to monitor its status. To enable health checks, set the HEALTH_CHECK_PORT
environment variable to specify the port on which the Repeater should listen for health check requests.
For example:
Once configured, the Repeater will expose a /health
endpoint on the specified port that returns the current health status.
When deploying the Repeater in Kubernetes, you can leverage this health check endpoint by configuring liveness probes in your deployment manifest. Here's an example configuration:
This configuration:
- Uses HTTP GET requests to check the
/health
endpoint - Waits 10 seconds before starting health checks (
initialDelaySeconds
) - Performs checks every 10 seconds (
periodSeconds
)
The health check will help Kubernetes ensure your Repeater is running properly and can automatically restart the pod if issues are detected.