How Browsolate works

This section outlines the technical components of Browsolate.

Overview

Browsolate takes a URL and launches it in a remote isolated session running in a container in AWS.

sequenceDiagram
  participant User
  participant API as Browsolate API
  participant SecretsManager
  participant Viewer as Browsolate Viewer
  participant ECS as ECS (Browsolate container)

  User->>User: Select site to visit
  User->>API: Generate encrypted URL
  API->>SecretsManager: Retrieve encryption key
  SecretsManager-->>API: Encryption key
  API->>User: Encrypted URL
  User->>Viewer: Navigate to encrypted URL
  Viewer->>SecretsManager: Retrieve decryption key
  SecretsManager-->>Viewer: Decryption key
  Viewer->>ECS: Launch isolated browser session
  ECS-->>Viewer: Browser session launched

  loop Continuous interaction
    Viewer->>User: Stream video of session
    User-->>Viewer: Send keyboard and mouse input
  end

  ECS-->>Viewer: Terminate session
  Viewer-->>User: End video stream
  User->>User: Session terminated

Key Technical Components:

1. Isolated Browser Sessions

  • Containerized Environment: Each Browsolate session runs inside an Amazon ECS (Elastic Container Service) container, with processes isolated to ensure security.
  • Session Control: You have full control over the size and count of EC2 instances on which Browsolate runs, giving you the ability to scale based on demand.
  • Maximum Session Lifetime: The session lifetime is configurable both at deployment and runtime, allowing you to manage resource consumption and costs effectively.

2. URL Encryption and AWS Secrets Manager

  • URL Encryption: Browsolate encrypts session configuration data (such as clipboard permissions and time limits) with AES-256-CBC and passes the encrypted data in the URL.
  • Short-Lived Links: URL links can be configured to expire after a set period, adding a layer of security for temporary or sensitive sessions.
  • AWS Secrets Manager Integration:
    • Key Storage: Encryption keys are securely stored in AWS Secrets Manager, allowing you to manage multiple keys for different environments or use cases.
    • Key Rotation: Supports key rotation to enhance security. Keys can be rotated without disrupting ongoing sessions.

See Creating an Isolated link to learn more.
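
The following is an added example, not Browsolate's own code, showing how an AES-256-CBC link token with an expiry and a key id can be sealed by an API and opened by a viewer so that links issued under a previous key keep working after rotation. The token layout (`kid.base64url(iv + ciphertext)`), the field names and the in-process keyring are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed keyring: key id -> 32-byte AES-256 key. In a deployment these
// values would be fetched from AWS Secrets Manager, not generated in-process.
const keyring = new Map([
  ["v1", crypto.randomBytes(32)], // previous key, kept until its links expire
  ["v2", crypto.randomBytes(32)], // current key used for new links
]);

// API side: encrypt the session configuration plus an expiry into a URL-safe token.
function sealConfig(config, ttlSeconds, kid, keys, nowMs = Date.now()) {
  const key = keys.get(kid);
  if (!key) throw new Error("unknown key id");
  const exp = Math.floor(nowMs / 1000) + ttlSeconds;
  const iv = crypto.randomBytes(16); // fresh random IV for every link
  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  const body = Buffer.concat([
    iv,
    cipher.update(JSON.stringify({ ...config, exp }), "utf8"),
    cipher.final(),
  ]);
  return `${kid}.${body.toString("base64url")}`;
}

// Viewer side: pick the key by id, decrypt, then enforce the expiry.
function openConfig(token, keys, nowMs = Date.now()) {
  const [kid, encoded = ""] = token.split(".", 2);
  const key = keys.get(kid);
  if (!key) throw new Error("unknown key id");
  const raw = Buffer.from(encoded, "base64url");
  if (raw.length < 32 || raw.length % 16 !== 0) throw new Error("invalid token");
  let config;
  try {
    const d = crypto.createDecipheriv("aes-256-cbc", key, raw.subarray(0, 16));
    const plain = Buffer.concat([d.update(raw.subarray(16)), d.final()]);
    config = JSON.parse(plain.toString("utf8"));
  } catch {
    throw new Error("invalid token"); // one message for padding and parse failures
  }
  if (!Number.isInteger(config?.exp) || nowMs / 1000 >= config.exp) {
    throw new Error("link expired");
  }
  return config;
}

// Constructed usage: a 5-minute link with clipboard access disabled (hypothetical fields).
const token = sealConfig({ url: "https://example.com", clipboard: false }, 300, "v2", keyring);
console.log(openConfig(token, keyring));
```

CBC provides confidentiality only, so a production token format would also carry a MAC over the key id, IV and ciphertext and verify it before decrypting; that step is left out here to stay with what the page describes.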

3. SSL Certificates and Domain Name Configuration

  • Custom SSL Certificates via AWS Secrets Manager: If you choose to use your own SSL certificates, they can be securely stored in AWS Secrets Manager. These certificates are retrieved and used to establish secure HTTPS connections for your domain.
  • Domain Options: You can either use your own domain or opt for the default Browsolate domain (browsolate.com). SSL certificates are managed via AWS Secrets Manager.

See Bring your own Certificate to learn more.

4. Window Scaling and Resolution Management

  • Window Scaling: Browsolate supports native window scaling, dynamically adjusting the remote browser session to match the resolution and aspect ratio of the client device for a seamless experience.
  • Fixed Window Size: For performance optimization, you can configure fixed window sizes to ensure the remote browser session runs at a consistent resolution, reducing potential overhead from dynamic resizing.

See Screen Settings to learn more.

5. Clipboard Air-Gap

  • Clipboard Transfer: Browsolate ensures clipboard security by maintaining an air-gap between the local machine and the remote browser environment. Clipboard data is only transferred when explicitly requested by the user, ensuring that no background transfers occur.

See Clipboard Access to learn more.

6. Themes and Customization

  • Custom Themes and UI Styling: Browsolate allows you to customize the look and feel of the browser interface by applying your own CSS themes hosted in Amazon S3, giving you flexibility to manage your UI styling for a branded experience.

See Custom Themes to learn more.

7. Proxy Support for Network Traffic

  • Proxy Configuration: Browsolate allows traffic to be routed through a proxy, configured at deployment time. You can provide authentication credentials within the proxy URL, such as https://user:password@proxy.example.com, enabling secure or anonymized routing.
  • Custom Headers: On a per-request basis, you can add custom headers to outgoing requests. These headers can be used by upstream proxies for purposes such as accounting, routing, or logging, giving you further control over network traffic.

See Configuring a Proxy to learn more.

8. Logging and Monitoring through AWS CloudWatch

  • Centralized Logging: Browsolate integrates with AWS CloudWatch to log session activity, including lifecycle events, navigation actions, and resource usage.
  • Alerts and Monitoring: CloudWatch can be configured to alert you about anomalies, such as session failures or resource overuse, enabling proactive management.

See Logging to learn more.

9. STUN/TURN Servers for WebRTC Reliability

  • Browsolate includes STUN/TURN server support for WebRTC-based applications to ensure reliable communication, even through firewalls or NAT devices.
  • The STUN/TURN infrastructure is hosted alongside the browser sessions on AWS, providing low-latency, high-performance connectivity for media streaming, video conferencing, and other WebRTC applications.
  • Browsolate can also be configured with alternate STUN/TURN servers.

See STUN & TURN Services to learn more.

10. EC2 Instance Control and Resource Management

  • Instance Control: You have full control over the type, size, and number of EC2 instances used for Browsolate. This flexibility allows you to tailor the infrastructure to your specific needs, whether you require compute-optimized or memory-optimized instances.
  • Auto-Scaling: EC2 instances can be configured to auto-scale based on demand, dynamically adjusting available resources in response to traffic spikes or increased workload.
  • Process and Container Resilience: ECS automatically manages process and container recovery, ensuring that browser sessions are restarted to maintain availability in the event of a failure.

Infrastructure diagram

AWS Infrastructure diagram

Network diagram

AWS Network diagram

Security diagram

AWS Security diagram