Outbound Internet Traffic
Rigor's private location test agent will need outbound access to the following resources via HTTPS:
- qapi.rigor.com -- Rigor's agent API for orchestration and status reporting
- AWS S3 in us-east-1 -- Used for test result payloads, which are uploaded directly to S3 storage, and for Docker image binary data
- AWS SQS in us-east-1 -- Runners obtain units of work via SQS
- docker.rigor.com -- Rigor's private Docker registry to pull the Docker image
- api.rollbar.com -- We use the Rollbar API for error logging and reporting
Discovering IP address ranges for AWS services
AWS services have dynamic IP addresses, but the IP ranges for each service are published, and retrieving them can be automated. For more information, see AWS IP Ranges in the AWS documentation.
The relevant services in the list of IP ranges are "AMAZON" and "S3" in the us-east-1 region.
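One way to automate this, as an added example that is not Rigor's own code: filter the document AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json down to the "AMAZON" and "S3" entries for us-east-1 and collapse overlapping prefixes into a compact egress allowlist. The function names are hypothetical, and the embedded sample is constructed from documentation address ranges, not real AWS prefixes.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# Prefixes are RFC 5737 / RFC 3849 documentation addresses, not real AWS ranges.
SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24",  "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25",  "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "192.0.2.0/24",     "region": "eu-west-1", "service": "S3"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "S3"},
    {"ipv6_prefix": "2001:db8:2::/48", "region": "us-west-2", "service": "AMAZON"}
  ]
}
""")


def egress_allowlist(doc, region="us-east-1", services=("AMAZON", "S3")):
    """Return (ipv4, ipv6) lists of collapsed networks for region/services."""
    def pick(section, key):
        nets = [ipaddress.ip_network(p[key]) for p in doc.get(section, [])
                if p["region"] == region and p["service"] in services]
        # Overlapping and adjacent prefixes merge, keeping the rule count low.
        return list(ipaddress.collapse_addresses(nets))
    return pick("prefixes", "ip_prefix"), pick("ipv6_prefixes", "ipv6_prefix")


def is_allowed(address, allowlist):
    """True if address falls inside any network of the matching IP version."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowlist[0] + allowlist[1]
               if net.version == ip.version)


if __name__ == "__main__":
    v4, v6 = egress_allowlist(SAMPLE_IP_RANGES)
    for net in v4 + v6:
        print(net)
```

Against the live file, load the downloaded JSON in place of SAMPLE_IP_RANGES and regenerate the firewall rules whenever the file's syncToken changes.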
Inbound Internet Traffic
Rigor's test agent does not require any inbound connections, nor does it require any ports to be exposed.
Docker's NET_ADMIN Capability
To enable network traffic shaping, our private location Docker container must have elevated access to the host system's network stack. This is set by adding the NET_ADMIN capability. Typically, this grants the container process the CAP_NET_ADMIN Linux capability.
The Linux capabilities man page provides this information:
CAP_NET_ADMIN
Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting;
- modify routing tables;
- bind to any address for transparent proxying;
- set type-of-service (TOS)
- clear driver statistics;
- set promiscuous mode;
- enabling multicasting;
- use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
It is possible to run our private location agent without the NET_ADMIN capability, but this will result in loss of network shaping functionality and all checks will run unthrottled regardless of the configuration settings in the Rigor UI.
Data Sent to Rigor
As of this time, ALL web content the test agent sees for Real Browser checks is bundled up and sent back to Rigor, including screenshots, full HTML documents, CSS, and images. It is transferred via HTTPS and encrypted in S3 using the AES256 specification.
While Rigor takes significant steps to secure all of our customers' content, please consider carefully the kind of information visible to the test agents.