---
myst:
  html_meta:
    "description lang=en": "Serving up web applications in a protected isolated container with Kasm Workspaces."
    "keywords": "Kasm, How to, How-to, Web App Gateway, Zero Trust, Remote Access, Isolated Browser"
    "property=og:locale": "en_US"
---
```{title} Web App Gateway
```

# Web App Gateway

Kasm Workspaces can be used to serve web applications to end users through isolated browser containers. This may be
helpful if the administrator wishes to provided external users access to the web app while utilizing the robust
authentication, security and DLP protections of Workspaces. While most commonly this is used to provide access to internal
web applications, any web app can be accessed in the same manner as long as the Kasm Workspaces deployment has network access to it.

The following steps can be used to serve isolated Web App Workspaces:

1. {ref}`browser-workspace`
2. {ref}`kiosk-mode`
3. {ref}`web-app-filter-policy`

(browser-workspace)=

## Configuring a browser-based workspace.

1. Log into the Kasm UI as an administrator.

2. Select **Workspaces** > **Workspaces**.

3. Select **Clone** next to one of the browser-based Workspaces from the arrow menu (e.g Chrome).

```{figure} /images/isolated_web_apps/clone.webp
:align: center
**Clone the Chrome Workspace**
```

4. Give the workspace a Friendly Name. In this case we will configure the workspace to open Wikipedia, so we will use that as the name.
Changing the icon can also be a nice touch, but is optional. Often the website's favicon is a good choice (e.g `https://www.wikipedia.org/favicon.ico`)

5. In the Docker Run Config, replace the contents with the following entry which will define a `LAUNCH_URL` which will be used to
automatically navigate the browser to the desired page (e.g `https://wikipedia.org`). Click Save.
   
  ```JSON
  {
    "environment": {
      "LAUNCH_URL": "https://wikipedia.org"
    }
  }
  ```

```{figure} /images/isolated_web_apps/docker_run_config.webp
:align: center
**Run Config Normal**
```

6. Back at the launcher, the Workspace will be shown.

```{figure} /images/isolated_web_apps/launcher.png
:align: center
**Launcher in User Dashboard**
```

7. Launch the Workspace. The Chrome browser will launch inside the session and navigate directly to the desired webpage (e.g `https://wikipedia.org`)

```{figure} /images/isolated_web_apps/standard_mode.png
:align: center
**Workspace View Normal**
```

(kiosk-mode)=

## (Optional) Kiosk and App Modes

In the previous example, you will notice the "browser in browser" view, since the user is being presented the full
Chrome browser inside the session container. You may wish to change this user experience and run the Chrome browser
in **kiosk** mode. This feature and **app** mode (discussed later) are supported by all Chromium based browsers
(e.g Chromium, Chrome, Brave, Vivaldi, Edge).

```{warning}
Utilzing kiosk mode should be considered with care, as it may be confiusing for users who don't understand they are
operating in a Kasm session.
```

1. Update the previously created Workspace. Update the `LAUNCH_URL` variable in the Docker Run Config to include
`--kiosk`.

```JSON
{
  "environment": {
    "LAUNCH_URL": "--kiosk https://wikipedia.org"
  }
}
```

```{figure} /images/isolated_web_apps/docker_run_config_kiosk.webp
:align: center
**Run Config Kiosk**
```

2. Launch a new instance of the Workspace from the launcher. Notice the Chrome browser navigation bar is no longer shown.

```{figure} /images/isolated_web_apps/kiosk_mode.png
:align: center
**Workspace View Kiosk**
```

3. Chrome also offers an **app** mode which is similar to kiosk mode, but adds a title bar. Update the `LAUNCH_URL`
 variable with `--app=`.

```JSON
{
  "environment": {
    "LAUNCH_URL": "--app=https://wikipedia.org"
  }
}
```

```{figure} /images/isolated_web_apps/docker_run_config_app.webp
:align: center
**Run Config App Mode**
```


```{figure} /images/isolated_web_apps/app_mode.png
:align: center
**Workspace View App Mode**
```

(web-app-filter-policy)=
## (Optional) Assign a Web Filter Policy

Often, when creating web app based workspaces, its desirable to restrict the user to only access the specific site.
To accomplish this, administrators may wish to create a Web Filter Policy that denies all sites by default, and only 
allows a small subset to be visited.

Please see {doc}`Configuring a Web Filter Policy <../guide/web_filtering>` for more details.

It is important to note, that often websites load resources from additional domains. In the case of Wikipedia, it
loads additional resources from `wikimedia.org`, so this domain will also need to be added to the Web Filter Policy. You 
will want to inspect the behavior of your site to ensure all needed domains are allowed for the site to fully function.


```{figure} /images/isolated_web_apps/web_filter_triage.png
:align: center
**Inspecting a web page for additional domains visited**
```

```{figure} /images/isolated_web_apps/web_filter_policy.webp
:align: center
**Denying all sites by default except for a subset specificly utilized by Wikipedia**
```

Once defined, update the Workspace definition to utilize the Web Filter Policy.

```{figure} /images/isolated_web_apps/workspace_web_filter_policy.webp
:align: center
**Workspace Setting for Web Filter**
```

Trying to access sites not approved by the policy, will result in an **Access Denied** page.


```{figure} /images/isolated_web_apps/access_denied.png
:align: center
**Access Denied Page**
```