Network security
Network Ports
The following network ports are used by Browsolate:
- Port 443 (TCP): The primary port used for session isolation. Isolated session links served on this port are protected by the URL encryption mechanism described in Creating an Isolated Link.
- Port 5443 (TCP): Hosts the optional URL creation API and the test/example UI pages for session management and key management. Traffic on this port is protected by HTTPS and HTTP Basic authentication, using the password set in MGMTPasswd during installation. If external access to the API or UI is not required, restrict access to this port.
- Port 80 (TCP): Used periodically when Browsolate automatically obtains or renews its HTTPS certificate.
- Port 3478 (TCP/UDP): Used for STUN/TURN services, facilitating WebRTC connections.
- Ports 49160–49200 (TCP/UDP): Additional ports for WebRTC traffic.
The security configuration, as shown in the CloudFormation template, controls which of these ports are exposed to external access.
Restricting Access to Port 5443
For enhanced security, restrict access to Port 5443 using AWS Security Groups. This port serves the API and UI; if public API access is not required, limit the security group's ingress rule for 5443 to internal address ranges only, while leaving the session ports (443, 3478 and the WebRTC range) reachable by end users.
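As an added example (not Browsolate's own code or CloudFormation template), the following Python check audits a CloudFormation template for security-group ingress rules that expose the management port 5443 to non-internal sources. The template embedded below is constructed for illustration, as are its resource names (BrowsolateSG, BrowsolateSGHardened, AdminSG); "internal" is assumed to mean RFC 1918 or IPv6 ULA space, so a deliberately allow-listed public office address would still be reported and should be reviewed by hand.

```python
"""Audit CloudFormation security-group ingress rules for a management port.

Hypothetical helper for the Browsolate port-restriction advice; not part of
the Browsolate project.  Runs offline against a constructed sample template.
"""
import ipaddress
import json

MANAGEMENT_PORT = 5443  # URL creation API and test/example UI (Basic auth over HTTPS)

# Assumption: only RFC 1918 and IPv6 ULA ranges count as "internal".
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample template: the first group leaves 5443 open to the world,
# the second restricts it to an internal range and a referenced admin group.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "BrowsolateSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Browsolate host (weak: management port public)",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443,   "ToPort": 443,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 80,    "ToPort": 80,    "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 3478,  "ToPort": 3478,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "udp", "FromPort": 3478,  "ToPort": 3478,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 49160, "ToPort": 49200, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "udp", "FromPort": 49160, "ToPort": 49200, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 5443,  "ToPort": 5443,  "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "BrowsolateSGHardened": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Browsolate host (management port internal only)",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443,   "ToPort": 443,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 80,    "ToPort": 80,    "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 3478,  "ToPort": 3478,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "udp", "FromPort": 3478,  "ToPort": 3478,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 49160, "ToPort": 49200, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "udp", "FromPort": 49160, "ToPort": 49200, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 5443,  "ToPort": 5443,  "CidrIp": "10.0.0.0/8"},
          {"IpProtocol": "tcp", "FromPort": 5443,  "ToPort": 5443,
           "SourceSecurityGroupId": {"Ref": "AdminSG"}}
        ]
      }
    }
  }
}
""")


def is_internal_source(cidr):
    """True if the CIDR lies entirely inside one of INTERNAL_RANGES.

    0.0.0.0/0 and ::/0 are never internal; the explicit version check is
    needed because subnet_of() raises on mixed IPv4/IPv6 comparisons.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def rule_covers_port(rule, port):
    """True if an ingress rule admits traffic to `port`.

    IpProtocol "-1" means all protocols and ports; FromPort/ToPort of -1
    means all ports for the given protocol.
    """
    if str(rule.get("IpProtocol")) == "-1":
        return True
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def find_exposed_management_rules(template, port=MANAGEMENT_PORT):
    """Return (resource name, source CIDR) pairs where `port` is reachable
    from a source that is not an internal range.  Rules whose source is
    another security group (SourceSecurityGroupId) are intra-VPC and skipped.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if not rule_covers_port(rule, port):
                continue
            source = rule.get("CidrIp") or rule.get("CidrIpv6")
            if source is None:
                continue
            if not is_internal_source(source):
                findings.append((name, source))
    return findings


if __name__ == "__main__":
    for resource, source in find_exposed_management_rules(SAMPLE_TEMPLATE):
        print(f"{resource}: port {MANAGEMENT_PORT} reachable from {source}")
```

Run against a real template by replacing SAMPLE_TEMPLATE with `json.load(open("template.json"))`; only BrowsolateSG is reported for the constructed input, while the hardened group passes because its 5443 rules point at 10.0.0.0/8 and a referenced security group.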
API and UI Security
Browsolate offers API endpoints for URL encryption and several user interface pages for creating sessions and managing keys. These are available on Port 5443.
Disabling API and UI Access
To disable the API or UI pages:
- Set the PublicAPIAccess parameter to false to disable public access to the API.
- Disable the optional UI pages in the configuration if they are not needed.
For the highest level of security, protect session links with a shared secret stored in AWS Secrets Manager and disable external access to the API entirely by setting PublicAPIAccess to false.
See Creating an Isolated Link to learn more about using Browsolate with AWS Secrets Manager.