docs/Docker & Kubernetes/Docker/Docker Compose/Firefox.md

Purpose: Sometimes you just want an instance of Firefox running in an Alpine Linux container, with persistence (extensions, bookmarks, history, etc.) kept outside of the container in bind-mounted folders. This is useful for a number of reasons, but the web UI is insecure by default (anyone who can reach port 5800 gets the browser session), so you have to protect it behind something like a Keycloak server so it is not misused.

Docker Configuration

version: '3'
services:
  firefox:
    image: jlesage/firefox # Docker image for Firefox
    environment:
      - TZ=America/Denver # Timezone setting
      - DARK_MODE=1 # Enable dark mode
      - WEB_AUDIO=1 # Enable web audio
      - KEEP_APP_RUNNING=1 # Keep the application running
    volumes:
      - /srv/containers/firefox:/config:rw # Persistent storage for configuration
    restart: always # Always restart the container in case of failure
    # Use the host network: the web UI binds directly to host port 5800.
    # No "ports:" mapping is listed because port publishing is not allowed together with host network mode.
    network_mode: host

Local Firewall Hardening

Because the browser's web UI has no authentication of its own, the host must be locked down so that only the SSH port and port 5800 are reachable, and port 5800 only from specifically allowed devices, in this case the Traefik reverse proxy. This ensures that only the proxy can communicate with Firefox's container, keeping it protected behind the Keycloak middleware in Traefik. Since the container uses host networking, Firefox binds directly to the host's ports, so these host firewall rules actually govern access to it (ports published through Docker's bridge network would be opened by Docker's own iptables rules instead); the image's raw VNC listener on port 5900 is bound on the host as well and stays blocked by the default drop zone.

These rules drop all inbound traffic by default, allow SSH (port 22) from anywhere, and allow port 5800 only from the Traefik host (192.168.5.29).

# Set the default zone to drop
sudo firewall-cmd --set-default-zone=drop

# Create a new zone named traefik-proxy for the reverse proxy host
sudo firewall-cmd --permanent --new-zone=traefik-proxy

# Allow traffic to port 5800 only from 192.168.5.29 in the traefik-proxy zone
sudo firewall-cmd --permanent --zone=traefik-proxy --add-source=192.168.5.29
sudo firewall-cmd --permanent --zone=traefik-proxy --add-port=5800/tcp

# Allow SSH traffic on port 22 from any IP in the drop zone
sudo firewall-cmd --permanent --zone=drop --add-service=ssh

# Reload FirewallD to apply the changes
sudo firewall-cmd --reload
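As an added check (not part of the original page), the following POSIX shell helper audits the text that `sudo firewall-cmd --zone=<zone> --list-all` prints against the policy above: the traefik-proxy zone may hold only the proxy IP as a source and only 5800/tcp, and the drop zone may expose only ssh. The proxy IP and port are the page's; the zone dumps inside the block are constructed samples and the function names are my own.

```shell
# Audit firewalld "--list-all" zone dumps against the intended policy.
# Assumed from the page: proxy IP 192.168.5.29, web UI port 5800/tcp.
PROXY_IP="192.168.5.29"; UI_PORT="5800/tcp"
# zone_field TEXT FIELD: value of one "  field: value" line in --list-all output
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}
# audit_proxy_zone TEXT: 0 only if the traefik-proxy zone admits the proxy alone, to 5800/tcp alone
audit_proxy_zone() {
    rc=0
    [ "$(zone_field "$1" sources)" = "$PROXY_IP" ] || { echo "FAIL: sources must be exactly $PROXY_IP"; rc=1; }
    [ "$(zone_field "$1" ports)" = "$UI_PORT" ] || { echo "FAIL: ports must be exactly $UI_PORT"; rc=1; }
    [ -z "$(zone_field "$1" services)" ] || { echo "FAIL: no services may be opened to the proxy"; rc=1; }
    # an interface bound to the zone admits every host on that link, bypassing the source filter
    [ -z "$(zone_field "$1" interfaces)" ] || { echo "FAIL: zone must be source-based, not interface-based"; rc=1; }
    return $rc
}
# audit_drop_zone TEXT: 0 only if the default zone drops everything except ssh
audit_drop_zone() {
    rc=0
    [ "$(zone_field "$1" target)" = "DROP" ] || { echo "FAIL: default zone target is not DROP"; rc=1; }
    [ "$(zone_field "$1" services)" = "ssh" ] || { echo "FAIL: drop zone services must be exactly ssh"; rc=1; }
    [ -z "$(zone_field "$1" ports)" ] || { echo "FAIL: drop zone must not open extra ports"; rc=1; }
    return $rc
}
# Constructed samples in --list-all format (on the real host, feed in the output of
# "sudo firewall-cmd --zone=traefik-proxy --list-all" and "sudo firewall-cmd --zone=drop --list-all")
GOOD_PROXY='traefik-proxy
  target: default
  interfaces:
  sources: 192.168.5.29
  services:
  ports: 5800/tcp'
BAD_PROXY='traefik-proxy
  target: default
  interfaces:
  sources: 192.168.5.29 192.168.5.0/24
  services:
  ports: 5800/tcp 5900/tcp'
GOOD_DROP='drop (active)
  target: DROP
  interfaces: eth0
  sources:
  services: ssh
  ports:'

audit_proxy_zone "$GOOD_PROXY" && echo "traefik-proxy zone: OK"
audit_proxy_zone "$BAD_PROXY" || echo "traefik-proxy zone: drifted from policy"
audit_drop_zone "$GOOD_DROP" && echo "drop zone: OK"
```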

Traefik Reverse Proxy Configuration

If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.

http:
  routers:
    work-environment:
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: work-environment
      rule: Host(`work-environment.bunny-lab.io`)
      middlewares:
        - work-environment  # Referencing the Keycloak Server (this middleware is defined elsewhere in the dynamic config, not shown here)

  services:
    work-environment:
      loadBalancer:
        servers:
          - url: http://192.168.5.4:5800
        passHostHeader: true
        serversTransport: work-environment  # Use the transport below for the 1 hour timeouts

  # forwardingTimeouts belong to a serversTransport, not to the loadBalancer itself
  serversTransports:
    work-environment:
      # Set the dial and response-header timeouts to 1 hour (3600 seconds) so the long-lived web UI session is not cut off
      forwardingTimeouts:
        dialTimeout: "3600s"
        responseHeaderTimeout: "3600s"