Developer Documentation

Website Scanner

The Tinfoil Bifrost proxies traffic through a secure tunnel to sites inside your network or on localhost. You can view the Bifrost settings and credentials on a site's add-on panel in your Tinfoil Web Scanner Site Dashboard.

The Bifrost client is downloaded and installed on a machine inside your network that can send traffic to the private web server. The scanner reaches the tunnel through a URL of the form TUNNEL_ID.bifrost.tinfoilsecurity.com.

Please note that Bifrost is currently available for our enterprise customers. If you would like access, please email us.


Download

The latest version of the Bifrost client can be downloaded for your platform and has no prerequisites to run:

Don't see your platform supported? Email us.

Usage

Setup

The Bifrost tunnel is available via your site's add-on panel. Activate the add-on to provision a TUNNEL_ID and SECRET_KEY for the following steps. Once a tunnel connection has been fully activated, your site's URL will automatically change. Be sure to update the authentication information accordingly! In addition, your site must either use relative paths or be configured to use your specific TUNNEL_ID.bifrost.tinfoilsecurity.com URL as its own URL. The website you are forwarding to must be accessible from the machine running Bifrost, and you must keep Bifrost running for the duration of your scan.

Activating a single tunnel

$ tinfoil_bifrost \
-tunnel_id="TUNNEL_ID" \
-secret_key="SECRET_KEY" \
HOST:PORT

HOST - Optional. The hostname to establish a secure tunnel to. Leave blank for localhost.

PORT - Required. The port on the host to establish the tunnel to.

Example

If your company intranet exposes a website at "http://staging.mycompany.local:5000" you would use "staging.mycompany.local" as the HOST and "5000" as the PORT.

Activating multiple tunnels

Multiple tunnels are configured via a YAML configuration file:

$ tinfoil_bifrost -config="tunnels.yml" start tunnel1 tunnel2

config - Required. Path to configuration file defining the tunnels to establish.

start - Required. Signal the client to establish tunnels defined in the configuration file.

tunnel1 tunnel2 - Required. One or more tunnels defined in the configuration file.

Command Line Arguments

-config="" - Optional. Path to configuration file.

-log="none" - Optional. Write log messages to this file. 'stdout' and 'none' have special meanings.

-tunnel_id="" - Required. The identification string of this tunnel. The environment variable TINFOIL_TUNNEL_ID can be used instead.

-secret_key="" - Required. The secret key to authenticate this tunnel with. The environment variable TINFOIL_TUNNEL_SECRET_KEY can be used instead.

-protocol="" - Optional. The protocol of traffic going over the tunnel. One of http or https. Protocol autodetection is attempted if omitted.

YAML Configuration

tunnels:
  default:
    id: TUNNEL_ID
    secret_key: TUNNEL_SECRET_KEY
  tunnel1:
    id: TUNNEL_ID1
    secret_key: TUNNEL_SECRET_KEY1
    destination: 8080
  tunnel2:
    id: TUNNEL_ID2
    secret_key: TUNNEL_SECRET_KEY2
    destination: private.site.intranet:80
    protocol: http

The default tunnel is merged with command line arguments. Other tunnels must be started via the start command.

id - Required. The identification string of this tunnel.

secret_key - Required. The secret key to authenticate this tunnel with.

destination - Required. A port or hostname:port pair to establish the tunnel with.

protocol - Optional. The protocol of traffic going over the tunnel. One of http or https. Protocol autodetection is attempted if omitted.
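
Because tunnels.yml stores each tunnel's secret_key in plain text, a pre-flight check before starting the client is worthwhile. The functions below are an added example, not part of the Bifrost client or of Tinfoil's documentation. The function names are hypothetical, and treating a bare port in destination as localhost is an assumption carried over from the HOST:PORT argument.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Bifrost tunnels.yml (not Tinfoil code).

# Succeeds only if the file has no group/other permission bits set,
# because tunnels.yml holds every tunnel's secret_key in plain text.
config_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints "HOST PORT" for a destination value ("8080" or "host:8080").
# Assumption: a missing host means localhost, as for the HOST:PORT argument.
parse_destination() {
    case "$1" in
        *:*) host=${1%:*}; port=${1##*:} ;;
        *)   host=; port=$1 ;;
    esac
    [ -n "$host" ] || host=localhost
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# The documentation allows only http or https; empty means autodetection.
valid_protocol() {
    case "$1" in ''|http|https) return 0 ;; *) return 1 ;; esac
}

# Runs every check over a config file, prints one line per problem and
# returns non-zero if any check failed.
preflight() {
    rc=0
    config_is_private "$1" || { echo "$1: readable by group or others"; rc=1; }
    for d in $(sed -n 's/^[[:space:]]*destination:[[:space:]]*//p' "$1"); do
        parse_destination "$d" >/dev/null || { echo "bad destination: $d"; rc=1; }
    done
    for p in $(sed -n 's/^[[:space:]]*protocol:[[:space:]]*//p' "$1"); do
        valid_protocol "$p" || { echo "bad protocol: $p"; rc=1; }
    done
    return $rc
}
```

Run preflight tunnels.yml and start the tunnels only when it returns zero. For a single tunnel, the TINFOIL_TUNNEL_ID and TINFOIL_TUNNEL_SECRET_KEY environment variables keep the key out of the process argument list.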