wip: feat: private location #153

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion docs/01-inventory/01-introduction/03-how.mdx
Expand Up @@ -18,7 +18,7 @@ The setup process is virtually instantaneous:

As a SaaS platform, there are no specific setup requirements to begin using Escape's Inventory. However, for organizations looking to extend inventory capabilities to internal APIs and secrets:

- **Repeater Proxy**: Optionally, you can install the Repeater Proxy within your network to detect and catalog internal APIs and secrets. This lightweight agent can be set up in just a few minutes and works across all standard networks.
- **Private Location Worker**: Optionally, you can install the Private Location Worker within your network to detect and catalog internal APIs and secrets. This lightweight agent can be set up in just a few minutes and works across all standard networks.

### User Access and Permissions

2 changes: 1 addition & 1 deletion docs/01-inventory/02-where/04-intranet.mdx
Expand Up @@ -13,6 +13,6 @@ To securely integrate your internal networks and services into Escape's Inventor
- **Docker Deployment**: The reverse proxy is packaged as a Docker image, making it easy to deploy in any environment that supports Docker.
- **Secure Configuration**: It is designed with security in mind, ensuring that all communications between your internal services and Escape's Inventory are encrypted and authenticated.

For detailed installation instructions, configuration options, and best practices, please refer to the [Escape Reverse Proxy Documentation](/platform/enterprise/repeater).
For detailed installation instructions, configuration options, and best practices, please refer to the [Escape Reverse Proxy Documentation](/platform/enterprise/private-location).

By utilizing the Escape reverse proxy, organizations can seamlessly include internal APIs and services within their overall inventory scope, enhancing visibility into hidden or isolated parts of the network and ensuring that all elements are secured and managed effectively.
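Review bot: the link target on the changed line now points at `/platform/enterprise/private-location`, but the link text still reads "Escape Reverse Proxy Documentation" and the surrounding context ("The reverse proxy is packaged as a Docker image", "By utilizing the Escape reverse proxy") keeps the old name; rename these in the same pass so the page uses one term, e.g. `[Private Location documentation](/platform/enterprise/private-location)`.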
Expand Up @@ -87,11 +87,11 @@ Make sure to provide an up-to-date schema that respects the most recent standard
If you provide escape an old schema, we might try to access endpoints that do not exist anymore.
They will count in the `[Total Number of Endpoints]` part of the coverage formula and so reducing the coverage.

### Fix Redirection Errors Using the Escape Repeater
### Fix Redirection Errors Using Private Locations

If you see a lot of redirection errors, it can be a sign that your endpoint or your schema is not perfectly configured.

For security reasons, Escape only follows redirection using the Repeater.
For security reasons, Escape only follows redirection using Private Locations.

For example if you see a redirection for the `/user` route to `/user/`, you may want to update your schema to reflect this change.

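Review bot: renaming the heading changes its anchor (`#fix-redirection-errors-using-the-escape-repeater` no longer exists), and the client redirects added in docusaurus.config.js cover page paths only, not fragments; grep the docs for links to the old anchor. While the line "Escape only follows redirection using Private Locations" is being edited, the two context lines above it ("provide escape an old schema", "and so reducing the coverage") could be fixed in the same commit.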
4 changes: 2 additions & 2 deletions docs/02-testing/07-advanced-usage/06-internal-apis.mdx
Expand Up @@ -69,6 +69,6 @@ client:

Check the [Client](https://docs.escape.tech/advanced-usage/parameters-reference#client) for more details.

## Using the Escape Repeater
## Using Private Locations

Enterprise Customers also have the ability to scan their Internal VPN through [Escape's Agent](/platform/enterprise/repeater).
Enterprise Customers also have the ability to scan their Internal VPN through [Escape's Agent](/platform/enterprise/private-location).
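Review bot: the heading is renamed but the link text on the changed line still says "Escape's Agent"; use "Private Location Worker" so readers recognise the term introduced on the target page. The Client link two lines up is an absolute docs.escape.tech URL while the new link is site-relative; harmless, but worth normalising while the line is touched.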
@@ -1,5 +1,5 @@
---
title: Repeater Proxy
title: Private Locations
---

:::warning Enterprise Feature
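Review bot: this hunk and the next are shown without a file header in the rendered diff, so it is not visible whether the page was moved from the old `repeater` path to a `private-location` path; the new redirects in docusaurus.config.js target `/platform/enterprise/private-location`, so confirm the file was renamed (or a `slug` set in this front matter) so that target resolves. The `:::warning Enterprise Feature` context line is unchanged, which is fine.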
Expand All @@ -10,34 +10,34 @@ This feature is only available to Enterprise Customers. Contact us via email or

## Overview

Escape's Repeater Proxy allows you to scan scan Internal Apps behind your organization's firewall or VPN.
Private Locations allow you to scan scan Internal Apps behind your organization's firewall or VPN.

This repeater creates a private tunnel between Escape and one of your servers. All the Ecape requests will comes from this server.
The Private Location Worker creates a private tunnel between Escape and one of your servers. All the Ecape requests will comes from this server.

Here is a schema of the infrastructure :

![Escape repeater](./img/repeater.drawio.svg)
![Escape Private Locations](./img/repeater.drawio.svg)

First, the repeater client you have deployed locally will connect to the Repeater manager (1).
First, the Private Location Worker you have deployed locally will connect to the Private Locations manager (1).
When you start a scan on Escape, instead of sending the requests directly to your server, Escape will send them to the Repeater manager (2).
Your client will receive the requests and send them to your server (3 & 4).
The results are sent back to Escape to allow you to see scans results.

## Resources

The Repeater Proxy is an open source docker image available on Github [Escape-Technologies/Repeater](https://github.com/Escape-Technologies/Repeater/).
The Private Location Worker is an open source Docker image available on Github [Escape-Technologies/Repeater](https://github.com/Escape-Technologies/Repeater/).

The resources needed to run it depends on the trafic you will have. We recommend to start with an instance with 1 vCPU and 2GB of RAM and monitor the usage.

## Setup a repeater
## Getting Started with Private Locations

Escape's Repeater Proxy is available as a Docker image. You can deploy it on any server that can reach your internal applications. The agent's code can also be found on [Github](https://github.com/Escape-Technologies/repeater).
Escape's Private Location Worker is available as a Docker image. You can deploy it on any server that can reach your internal applications. The code can also be found and audited on [Github](https://github.com/Escape-Technologies/repeater).

As it is a Docker image, you can deploy it using docker cli, docker compose or any other container orchestration tool. In this tutorial, we will use docker cli but for production setup, we recommend you to use a container orchestration tool like docker compose.

You now need to run the repeater with the following environment variables:
You now need to run the Worker with the following environment variables:

- `ESCAPE_REPEATER_ID`: Your repeater id.
- `ESCAPE_REPEATER_ID`: Your Private Location ID.

```bash
docker run -it --rm --name escape-repeater \
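Review bot: the walkthrough line for step (2) still says "Escape will send them to the Repeater manager (2)" while the line above it was changed to "Private Locations manager (1)"; rename both. The two rewritten overview lines also carry over the old typos, "scan scan Internal Apps" and "All the Ecape requests will comes"; suggested: "Private Locations allow you to scan internal apps behind your organization's firewall or VPN." and "All Escape requests will come from this server." The env var keeps its old name `ESCAPE_REPEATER_ID`, which is right for compatibility, but the bullet should say so explicitly so readers do not look for a renamed variable; the container name `escape-repeater` and the image `escapetech/repeater` are in the same situation.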
Expand Down Expand Up @@ -89,7 +89,7 @@ docker run -it --rm --name escape-repeater \
escapetech/repeater:latest
```

After that, you can authenticate your application using the repeater by adding the `repeater_mtls: true` flag.
After that, you can authenticate your application using the Private Location Worker by adding the `repeater_mtls: true` flag.
For example, the following configuration declare two users, one unauthenticated and one with mTLS:

```yaml
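Review bot: the configuration key on the changed line keeps its old name, `repeater_mtls: true`, while the prose now says Private Location Worker; state explicitly that the key is unchanged (and, if an alias is planned, which one), otherwise readers will expect a `private_location_*` key. Grammar on the following context line: "the following configuration declares two users".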
Expand All @@ -104,13 +104,13 @@ users:

### Configure your firewall

To allow the Repeater to connect to Escape, you need to allow in your firewall this service to connect to escape services.
To allow the Private Location Worker to connect to Escape, you need to allow in your firewall this service to connect to escape services.
Make sure the following **outgoing** connections are allowed by your network configuration:

The repeater endpoint `repeater.escape.tech` should be reachable via `TCP` on port `443`.
The Private Location Worker endpoint `repeater.escape.tech` should be reachable via `TCP` on port `443`.
It is deployed on AWS with high availability, so the IPs can change,
if your firewall only supports IPs, you can run the `nslookup repeater.escape.tech` command to retrieve the current IPs,
if the repeater lose connection, check again that the IPs are still the same.
if the Private Location Worker lose connection, check again that the IPs are still the same.

The last updated IPs (`2024/09/09`) are :

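Review bot: "The Private Location Worker endpoint `repeater.escape.tech`" is misleading: that hostname is the manager the worker dials out to, not the worker itself; say "The worker connects out to `repeater.escape.tech`". The firewall guidance also undercuts itself: it says the IPs can change, then offers a dated IP table; recommend FQDN-based egress rules where the firewall supports them and present the IP table as a fallback that must be re-checked. Grammar on the changed line: "if the Private Location Worker loses connection".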
Expand All @@ -120,26 +120,26 @@ The last updated IPs (`2024/09/09`) are :
| `44.210.73.138` | `TCP`/`GRPC` | `443` |
| `54.172.108.134` | `TCP`/`GRPC` | `443` |

The following IPs are also used by the repeater to ensure a stable connection:
The following IPs are also used by the Private Location Worker to ensure a stable connection:

| Address | Protocol | Port |
| ---------------- | ------------- | ----- |
| `51.159.205.221` | `TCP`/`HTTP` | `80` |
| `51.159.205.221` | `TCP`/`HTTPS` | `443` |

### Connect a repeater
### Connect a Private Location

1. Go to the [Network Configuration](https://app.staging.escape.tech/organization/network/) page.
2. Create a Repeater or use an existing one.
3. Follow the deployment intrusctions directly in the Network page. The Repeater is available via a Docker image accessible on [DockerHub](https://hub.docker.com/r/escapetech/repeater).
2. Create a new Private Location or use an existing one.
3. Follow the deployment intrusctions directly in the Network page. The Private Location Worker is available via a Docker image accessible on [DockerHub](https://hub.docker.com/r/escapetech/repeater).
4. The connection status is refreshed every minute in the **Last seen** column.

### Use a repeater on a new application
### Use a Private Location on a new application

While additing a new app to Escape, the Repeater list will be proposed when try to reach your API.
Select the Repeater you want to use.
While additing a new app to Escape, the Private Locations list will be proposed when try to reach your API.
Select the Private Location you want to use.

### Use a repeater on an existing application.
### Use a Private Location on an existing application.

Go to the Advanced Settings of the applications and add the following configuration:

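Review bot: the second table lists `51.159.205.221` over `TCP`/`HTTP` on port `80`; the page should say what that plaintext channel is used for (the text only says "to ensure a stable connection") so operators can decide whether to open it, since everything else in this section is TLS on 443. Two changed lines keep typos, "deployment intrusctions" and "While additing a new app", and the step-1 link points at `app.staging.escape.tech` in customer-facing docs. The last heading also carries a trailing period unlike the others.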
3 changes: 2 additions & 1 deletion docusaurus.config.js
Expand Up @@ -141,7 +141,8 @@ const config = {
from: "/authentication/presets/curlsequence",
to: "/testing/authentication/presets/curlsequence",
},
{ from: "/enterprise/repeater", to: "/platform/enterprise/repeater" },
{ from: "/enterprise/repeater", to: "/platform/enterprise/private-location" },
{ from: "/platform/enterprise/repeater", to: "/platform/enterprise/private-location" },
{
from: "/enterprise/deployment-options",
to: "/platform/enterprise/deployment-options",
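Review bot: pointing `/enterprise/repeater` straight at `/platform/enterprise/private-location` rather than chaining through the old `/platform/enterprise/repeater` redirect is the right call. Since both new entries share a `to`, the client-redirects plugin accepts an array for `from`, so they can be one entry: `{ from: ["/enterprise/repeater", "/platform/enterprise/repeater"], to: "/platform/enterprise/private-location" }`.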