Private Locations
Overview
Private Locations enable secure detection, fingerprinting, and scanning of internal applications behind your organization’s firewall or VPN. This is achieved through the Escape Repeater, a lightweight, open-source tool developed in Golang (GitHub). The Repeater establishes a reverse tunnel between Escape and your internal network, providing a secure channel for performing scans and retrieving results.
Infrastructure Workflow
- The locally deployed Repeater connects to the Repeater manager.
- When a scan is initiated, Escape sends requests to the Repeater manager rather than directly to your servers.
- The Repeater manager forwards the requests to the local Repeater, which relays them to your internal applications.
- Scan results are then returned to Escape for reporting and analysis.
Diagram of Private Location Infrastructure:
Getting Started with Private Locations
Escape's Private Locations can be easily deployed using the Repeater, an open-source Docker image, available on GitHub. It can be deployed using Docker CLI, Docker Compose, or other container orchestration tools.
Resource Requirements
The resource requirements depend on expected traffic; a 1 vCPU instance with 2GB RAM is typically sufficient to start, with usage monitored and scaled as necessary.
Connecting a Private Location
- Visit the Private Location Configuration page.
- Create a new Private Location or select an existing one.
- Follow deployment instructions provided below. The Repeater is available on DockerHub.
- Connection status updates every minute in the Last seen column.
Firewall Configuration
To connect your Repeater to Escape, ensure that outgoing connections to repeater.escape.tech on TCP port 443 are allowed. Use the command nslookup repeater.escape.tech to retrieve current IPs if firewall configurations are IP-specific.
Required Outgoing IPs (as of 2024/09/09):
| Address | Protocol | Port |
|---|---|---|
52.6.17.196 | TCP/GRPC | 443 |
44.210.73.138 | TCP/GRPC | 443 |
54.172.108.134 | TCP/GRPC | 443 |
Additional IPs for stability:
| Address | Protocol | Port |
|---|---|---|
51.159.205.221 | TCP/HTTP | 80 |
51.159.205.221 | TCP/HTTPS | 443 |
Deployment Methods
Docker Deployment
To deploy the Repeater, configure it with the following environment variable:
ESCAPE_REPEATER_ID: Unique ID for your Private Location.
Example deployment command:
docker run -it --network host --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
More deployment examples are available in the example folder of the GitHub repository. Contributions for additional configurations are welcome.
Docker Compose Deployment
---
version: '3.8'
services:
repeater:
image: escapetech/repeater
restart: always
environment:
- ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID>
Kubernetes Deployment
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: repeater
labels:
app: repeater
spec:
replicas: 1
selector:
matchLabels:
app: repeater
template:
metadata:
labels:
app: repeater
spec:
containers:
- name: repeater
image: escapetech/repeater:latest
imagePullPolicy: Always
env:
- name: ESCAPE_REPEATER_ID
value: <ESCAPE_REPEATER_ID>
resources:
limits:
cpu: 500m
memory: 500Mi
requests:
cpu: 500m
memory: 500Mi
Podman Deployment
podman run --name escape-repeater --restart=always -e ESCAPE_REPEATER_ID=<ESCAPE_REPEATER_ID> docker.io/escapetech/repeater:latest
Advanced Configuration Options
Custom CA Certificate
For environments that require a custom CA certificate:
docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Allowing SSL Connections
To allow insecure connections, set ESCAPE_REPEATER_INSECURE=true:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_INSECURE=true \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Using mTLS
To enable mTLS (mutual TLS), configure the following variables:
ESCAPE_REPEATER_mTLS_CRT_FILE: Path to the mTLS certificate.ESCAPE_REPEATER_mTLS_KEY_FILE: Path to the mTLS private key.
Example command:
docker run -it --rm --name escape-repeater \
-v /path/to/mtls.crt:/usr/local/share/mtls.crt \
-v /path/to/mtls.key:/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
-e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
To declare users with and without mTLS, add the repeater_mtls: true flag:
users:
# without mTLS
- name: public
# with mTLS
- name: using-mtls
repeater_mtls: true
Proxy Configuration for Escape Connection
If a proxy is required to connect the Repeater to Escape, configure it using ESCAPE_REPEATER_PROXY_URL. Note: the proxy must support HTTP/2 as gRPC connections are used.
Example:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_PROXY_URL=http://user:pass@my-proxy.server.tld:1234 \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
This concludes the setup and usage guide for Escape’s Private Locations.
Using a Private Location with DAST
Adding to a New Application
When setting up a new application in Escape, choose a Private Location to enable scanning for internal applications.
Configuring for an Existing Application
In the application’s Advanced Settings, add the following configuration to specify the Repeater:
client:
proxy:
type: repeater
target: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Replace with your Repeater ID