bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2a4980cc6f8c9652a278e16a904779a4ebb82fc8
docs/Docker & Kubernetes/Docker/Docker Compose/Firefox.md

2.8 KiB
Raw Blame History

Purpose: Sometimes you just want an instance of Firefox running on an Alpine Linux container, that has persistence (Extensions, bookmarks, history, etc) outside of the container (with bind-mapped folders). This is useful for a number of reasons, but insecure by default, so you have to protect it behind something like a Keycloak Server so it is not misused.

Docker Configuration

version: '3'
services:
  firefox:
    environment:
      - TZ=America/Denver
    image: jlesage/firefox
    ports:
      - "5800:5800" # VNC WebUI
    volumes:
      - /srv/containers/firefox:/config:rw
    restart: always
    networks:
        docker_network:
          ipv4_address: 192.168.5.4

networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true

N/A

Local Firewall Hardening

It is important, due to how this browser just allows anyone to access it, to lock it down to only allow access to the SSH port and port 5800 to specifically-allowed devices, in this case, the Traefik Reverse Proxy. This ensures that it only allows the proxy to communicate with Firefox's container, keeping it securely protected behind Keycloak's middware in Traefik.

These rules will drop all traffic by default, allow port 22, and restrict access to port 5800.

# Set the default zone to drop
sudo firewall-cmd --set-default-zone=drop

# Create a new zone named custom-trusted
sudo firewall-cmd --permanent --new-zone=traefik-proxy

# Allow traffic to port 5800 only from 192.168.5.29 in the traefik-proxy zone
sudo firewall-cmd --permanent --zone=traefik-proxy --add-source=192.168.5.29
sudo firewall-cmd --permanent --zone=traefik-proxy --add-port=5800/tcp

# Allow SSH traffic on port 22 from any IP in the drop zone
sudo firewall-cmd --permanent --zone=drop --add-service=ssh

# Reload FirewallD to apply the changes
sudo firewall-cmd --reload

Traefik Reverse Proxy Configuration

If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.

http:
  routers:
    work-environment:
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: work-environment
      rule: Host(`work-environment.bunny-lab.io`)
      middlewares:
        - work-environment  # Referencing the Keycloak Server

  services:
    work-environment:
      loadBalancer:
        servers:
          - url: http://192.168.5.4:5800
        passHostHeader: true
        # Adding forwardingTimeouts to set the send and read timeouts to 1 hour (3600 seconds)
        forwardingTimeouts:
          dialTimeout: "3600s"
          responseHeaderTimeout: "3600s"