A secure, Docker-based remote desktop environment featuring XFCE4, KasmVNC, and Traefik reverse proxy.
- Desktop: Ubuntu 24.04 with XFCE4.
- VNC: KasmVNC for high-performance, browser-based access.
- Security:
  - Traefik Proxy: Handles all incoming traffic via HTTPS (443).
  - Hashed Auth: BasicAuth using hashed credentials (`users.htpasswd`).
  - Dynamic Certs: Self-signed wildcards generated on deployment.
  - Zero-Trust Host: No cleartext passwords stored on the host.
  - Resource Limits: CPU, 2GB RAM, and 500 PID limits for all user containers.
  - Seccomp Sandboxing: Fine-grained syscall filtering for all services.
  - Capability Management: Minimal privileges (ALL caps dropped by default).
  - Isolation: Dedicated containers for each user on isolated tier networks.
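The following Compose fragment is an added example of how the limits listed above translate into a per-user desktop service; it is not the project's own compose file. The network names `remote-dev-net-user` and `remote-dev-net-infra` and the proxy name `remote-dev-box-proxy` are taken from this README; the image tags, the seccomp profile path, the user name `alice`, the exposed port and the CPU figure are assumed (the list above gives no CPU number).

```yaml
# Added example, not the project's compose file.
# Assumed/placeholder values: image tags, seccomp profile path, user "alice",
# the container port, and the CPU figure. Network and proxy names are from the README.
services:
  rdb-proxy:
    image: remote-dev-box/proxy:placeholder   # placeholder tag
    container_name: remote-dev-box-proxy
    networks:
      - remote-dev-net-infra   # where Traefik can reach it
      - remote-dev-net-user    # the only bridge into the desktop containers
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # Nothing is published on the host; Traefik talks to it over the infra network.
    expose:
      - "8080"

  rdb-alice:
    image: remote-dev-box/desktop:placeholder  # placeholder tag
    container_name: rdb-alice
    networks:
      - remote-dev-net-user    # never on the infra network, never host-published
    # Resource limits: one runaway session cannot starve the host or other users.
    cpus: "2.0"                # assumed figure; the README states no CPU number
    mem_limit: 2g
    memswap_limit: 2g          # equal to mem_limit, so no swap headroom beyond the cap
    pids_limit: 500            # fork-bomb ceiling
    # Least privilege: drop every capability. KasmVNC and XFCE run as an
    # unprivileged user and do not need any of them added back.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true                               # stops setuid/setcap escalation
      - seccomp:/opt/remote-dev-box/seccomp/desktop.json     # placeholder path to the custom profile
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=256m
    # Settings this layout deliberately avoids:
    #   privileged: true       # disables the seccomp profile and restores all caps
    #   network_mode: host     # puts the VNC listener directly on the host
    #   ports: ["8080:8080"]   # bypasses Traefik's TLS and BasicAuth entirely
    expose:
      - "8080"                 # assumed port; reached only by rdb-proxy

networks:
  remote-dev-net-user:
    internal: true   # no route to the host interfaces; only rdb-proxy is attached from outside
  remote-dev-net-infra:
    driver: bridge
```

Marking `remote-dev-net-user` as `internal` is what makes "accessible only via the tiered proxy system" enforceable: a desktop container on that network has no default route out, and the only way in is through a container that is also attached to it. A quick check after `docker compose up` is `docker inspect rdb-alice --format '{{.HostConfig.CapDrop}} {{.HostConfig.PidsLimit}} {{.HostConfig.SecurityOpt}}'`, which should show `[ALL]`, `500`, and both the `no-new-privileges` and `seccomp` entries.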

- Tier 1 (Traefik): Host-level proxy (`remote-dev-box-traefik`). Listens on ports 80/443. Routes traffic based on username subdomains (`desktop.<user>.DOMAIN`).
- Tier 2 (rdb-proxy): Container-level proxy (`remote-dev-box-proxy`). Listens on port 8080 inside the container. Routes traffic based on application subdomains or paths. See Remote Dev Box Proxy.
- KasmVNC Containers: Run on the `remote-dev-net-user` private network. Accessible only via the tiered proxy system.
- Infrastructure Tier: Services like `remote-dev-box-dns` and `remote-dev-box-proxy` (host-side) run on `remote-dev-net-infra`.
- Dynamic Config: Traefik watches the `dynamic/` directory for runtime configuration changes.
- Sandboxing: Containers run with custom Seccomp profiles for layered security.