Developer Documentation

Foilz thor

The Tinfoil Bifrost allows traffic to be proxied through a secure tunnel to inside your network or localhost sites. You can view the bifrost settings and credentials on your Tinfoil Site Dashboard on a site's add-on panel.

The bifrost client is downloaded and installed on a machine inside a network that can send traffic to the private webserver. The tunnel will be accessible to the scanner through a URL of the form TUNNEL_ID.bifrost.tinfoilsecurity.com.

Please note that Bifrost is currently available for our enterprise customers. If you would like access, please email us.


Download

The latest version of the Bifrost client can be downloaded for your platform and requires no pre-requisites to run:

Don't see your platform supported? email us

Usage

Setup

The Bifrost tunnel is available via your site's add-on panel. Activate the add-on to provision a TUNNEL_ID and SECRET KEY for the following steps. Once a tunnel connection has been fully activated, your site's URL will automatically change. Be sure to update the authentication information accordingly! In addition, your site must use relative paths or have configuration to set its URL to your specific TUNNEL_ID.bifrost.tinfoilsecurity.com URL.

Activating a single tunnel

$ tinfoil_bifrost \
-tunnel_id="TUNNEL_ID" \
-secret_key="SECRET_KEY" \
HOST:PORT

HOST - Optional. The hostname to establish a secure tunnel to. Leave blank for localhost.

PORT - Required. The port on the host to establish the tunnel to.

Activating multiple tunnels

Multiple tunnels are configured via YAML configuration file

$ tinfoil_bifrost -config="tunnels.yml" start tunnel1 tunnel2

config - Required. Path to configuration file defining the tunnels to establish.

start - Required. Signal the client to establish tunnels defined in the configuration file.

tunnel1 tunnel2 - Required. One or more tunnels defined in the configuration file.

Command Line Arguments

-config="" - Optional. Path to configuration file.

-log="none" - Optional. Write log messages to this file. 'stdout' and 'none' have special meanings.

-tunnel_id="" - Required. The identification string of this tunnel. The environment variable TINFOIL_TUNNEL_ID can also be used instead.

-secret_key="" - Required. The secret key to authenticate this tunnel with. The environment variable TINFOIL_TUNNEL_SECRET_KEY can also be used instead.

-protocol="" - Optional. The protocol of traffic going over the tunnel. One of http or https. Protocol autodetection is attempted if omitted.

YAML Configuration

tunnels:
  default:
    id: TUNNEL_ID
    secret_key: TUNNEL_SECRET_KEY
  tunnel1:
    id: TUNNEL_ID1
    secret_key: TUNNEL_SECRET_KEY1
    destination: 8080
  tunnel2:
    id: TUNNEL_ID2
    secret_key: TUNNEL_SECRET_KEY2
    destination: private.site.intranet:80
    protocol: http

The default tunnel is merged with command line arguments. Other tunnels must be started via the start command

id - Required. The identification string of this tunnel.

secret_key - Required. The secret key to authenticate this tunnel with.

destination - Required. A port or hostname:port pair to establish the tunnel with.

protocol - Optional. The protocol of traffic going over the tunnel. One of http or https. Protocol autodetection is attempted if omitted.