Hi @reaperofpower thanks for the question!

This is a great question. Easiest way is to use a reverse proxy right now but that does not seem ideal, so I'd like to expand a bit on the reasoning and maybe speculate as to other ways we could do this.

An alternate "fix" for now is you can "hide" the port by embedding the actual resource (in the example below, https://example.com:8002/login?token=example-token) in an iframe, like so:

https://example.com/index.html:

<!DOCTYPE html>
<meta name=viewport content="initial-scale=1,width=device-width">
<title>Browser</title>
<style>
  :root, body {
    margin: 0;
    padding: 0;
    height: 100%;
    overflow: hidden;
  }
</style>
<iframe 
  src="https://example.com:8002/login?token=example-token"
  style="width: 100%; height: 100%; margin: 0; border: 0; padding: 0"
  allowfullscreen
  allow="
    accelerometer;
    camera;
    encrypted-media;
    display-capture;
    geolocation;
    gyroscope;
    microphone;
    midi;
    clipboard-read;
    clipboard-write;
    web-share;
    fullscreen;
  "
  sandbox="
    allow-same-origin
    allow-forms 
    allow-scripts
    allow-top-navigation-by-user-activation
    allow-storage-access-by-user-activation
    allow-popups
    allow-popups-to-escape-sandbox
    allow-downloads
    allow-modals 
    allow-pointer-lock
  " 
></iframe>

In that case, it should just work. If it doesn't, you might need to update ALLOWED_3RD_PARTY_EMBEDDERS in ./src/common.js to add your domain pattern.

To brainstorm about possible alternatives or better ways, it's helpful to recap the reasons for the current design. These are:

• BB typically runs multiple instances per server, under non-privileged users, so binding system ports (<1024) is normally off limits without sudo. While you can have some superuser run sudo setcap 'cap_net_bind_service=+ep $(which node) to bind 443 and other ports less than 1024 without root privileges, this is still not possible for BB with the current config, for reasons that hopefully become clear below.
• BB actually is a collection of 5 services running on 5 ports: the back-end browser (PORT-3000), the audio service (PORT-2), the document viewer service (PORT-1), the main application (PORT), the DevTools service (PORT+1).
• BB runs the browser on a port that is 3000 less than the main application port. This means that, by default, running the app on 443, would attempt to run that browser on port -2557 which wouldn't work. For that reason, the minimum port is 4024, so neither browser nor app need privileges nor setcap, and both run on valid ports.
• The reason for the 3000 port difference is, when setting firewall rules on cloud providers (our typical deployment environment), it's easy to set a block of ports. In addition, it's helpful to have simple rules for firewall ports in general, cloud provider or not, to make it easy to verify correctness and limit maintenance difficulties. The result is we can open up ports 8000 - 10999, and applications running in that range will run their browsers on ports in the range 5000 - 7999. In this way browser ports will not overlap with app ports, and we can put browser ports in a range that we do not open in the firewall. Even tho the browsers only bind to the local interface (and not 0.0.0.0), it's good practice to keep the port blocks isolated from each other, with clear firewall rules to lock down access.

So, given the above considerations for the present design, what alternatives might permit an easy utilization of the conventional port for HTTPS, 443?

• We could modify the code in places where 3000 is hardcoded to replace it with a reference to the browser port. Which could become, say, 10000 above, rather than 3000 below, giving all the benefits of easy firewall maintenance and secure local binding, while not limiting the minimum app port.
• We could update deploy-scripts/_setup_bbpro.sh to permit a minimum port lower than the currently allowed 4024.
• If the port is within the system port privilege range of 0 - 1023, we could show a message saying that running setcap on the node binary is required.

It seems the above modifications would permit something like the conventional binding to 443 that you seem to desire.

Hope this helps! :)