Update Docker & Kubernetes/Docker/Docker Compose/Firefox.md
This commit is contained in:
@ -29,6 +29,29 @@ networks:
|
|||||||
N/A
|
N/A
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Local Firewall Hardening
|
||||||
|
It is important, due to how this browser just allows anyone to access it, to lock it down to only allow access to the SSH port and port 5800 to specifically-allowed devices, in this case, the Traefik Reverse Proxy. This ensures that it only allows the proxy to communicate with Firefox's container, keeping it securely protected behind Keycloak's middware in Traefik.
|
||||||
|
|
||||||
|
These rules will drop all traffic by default, allow port 22, and restrict access to port 5800.
|
||||||
|
|
||||||
|
``` sh
|
||||||
|
# Set the default zone to drop
|
||||||
|
sudo firewall-cmd --set-default-zone=drop
|
||||||
|
|
||||||
|
# Create a new zone named custom-trusted
|
||||||
|
sudo firewall-cmd --permanent --new-zone=traefik-proxy
|
||||||
|
|
||||||
|
# Allow traffic to port 5800 only from 192.168.5.29 in the traefik-proxy zone
|
||||||
|
sudo firewall-cmd --permanent --zone=traefik-proxy --add-source=192.168.5.29
|
||||||
|
sudo firewall-cmd --permanent --zone=traefik-proxy --add-port=5800/tcp
|
||||||
|
|
||||||
|
# Allow SSH traffic on port 22 from any IP in the drop zone
|
||||||
|
sudo firewall-cmd --permanent --zone=drop --add-service=ssh
|
||||||
|
|
||||||
|
# Reload FirewallD to apply the changes
|
||||||
|
sudo firewall-cmd --reload
|
||||||
|
```
|
||||||
|
|
||||||
## Traefik Reverse Proxy Configuration
|
## Traefik Reverse Proxy Configuration
|
||||||
If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.
|
If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.
|
||||||
``` yaml
|
``` yaml
|
||||||
|
|||||||
Reference in New Issue
Block a user