Repeater Proxy
This feature is only available to Enterprise Customers. Contact us via email or your Private Slack Support Channel for more information.
Overview
Escape's Repeater Proxy allows you to scan scan Internal Apps behind your organization's firewall or VPN.
This repeater creates a private tunnel between Escape and one of your servers. All the Ecape requests will comes from this server.
Here is a schema of the infrastructure :
First, the repeater client you have deployed locally will connect to the Repeater manager (1). When you start a scan on Escape, instead of sending the requests directly to your server, Escape will send them to the Repeater manager (2). Your client will receive the requests and send them to your server (3 & 4). The results are sent back to Escape to allow you to see scans results.
Setup a repeater
Escape's Repeater Proxy is available as a Docker image. You can deploy it on any server that can reach your internal applications. The agent's code can also be found on Github.
As it is a Docker image, you can deploy it using docker cli, docker compose or any other container orchestration tool. In this tutorial, we will use docker cli but for production setup, we recommend you to use a container orchestration tool like docker compose.
You now need to run the repeater with the following environment variables:
ESCAPE_REPEATER_ID: Your repeater id.
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
You can find in the example folder more deployment examples. Feel free to contribute and add your own.
Custom CA certificate
If you need to add a custom ca certificate, you can mount it in the container:
docker run -it --rm --name escape-repeater \
-v /path/to/ca.crt:/usr/local/share/ca-certificates/ca.crt \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Allow any SSL certificate
If you want to allow insecure connections, you can set the ESCAPE_REPEATER_INSECURE environment variable to true:
docker run -it --rm --name escape-repeater \
-e ESCAPE_REPEATER_INSECURE=true \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
Using mTLS
mTLS or mutual TLS is a security measure that requires both the client and the server to present a certificate to authenticate each other. This is a more secure way to authenticate the client and the server.
To use mTLS, you need to provide the following environment variables:
ESCAPE_REPEATER_mTLS_CRT_FILE: The path to the mTLS certificate file.ESCAPE_REPEATER_mTLS_KEY_FILE: The path to the mTLS private key.
docker run -it --rm --name escape-repeater \
-v /path/to/mtls.crt:/usr/local/share/mtls.crt \
-v /path/to/mtls.key:/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_mTLS_CRT_FILE=/usr/local/share/mtls.crt \
-e ESCAPE_REPEATER_mTLS_KEY_FILE=/usr/local/share/mtls.key \
-e ESCAPE_REPEATER_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
escapetech/repeater:latest
After that, you can authenticate your application using the repeater by adding the repeater_mtls: true flag.
For example, the following configuration declare two users, one unauthenticated and one with mTLS:
users:
# without mTLS
- name: public
# with mTLS
- name: using-mtls
repeater_mtls: true
Configure your firewall
Make sure the following outgoing connections are allowed by your network configuration:
| Address | Protocol | Port |
|---|---|---|
repeater.escape.tech | TCP/RPC | 443 |
51.159.205.221 | TCP/HTTP | 80 |
51.159.205.221 | TCP/HTTPS | 443 |
Connect a repeater
- Go to the Network Configuration page.
- Create a Repeater or use an existing one.
- Follow the deployment intrusctions directly in the Network page. The Repeater is available via a Docker image accessible on DockerHub.
- The connection status is refreshed every minute in the Last seen column.
Use a repeater on a new application
While additing a new app to Escape, the Repeater list will be proposed when try to reach your API. Select the Repeater you want to use.
Use a repeater on an existing application.
Go to the Advanced Settings of the applications and add the following configuration:
client:
proxy:
type: repeater
target: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Put here your repeater id