Remote Browser (no VPN?)
Abstract
If you don't want to set up a VPN, or want client-less access to your LAN resources, then this might be for you...
Kasmweb is a rather funky system that manages the creation of temporary Docker images, which you can use as a "sandpit" to play with, and dispose of when finished with. Why not have a look?
As part of their project, they provide a Chrome browser image which runs Chrome under VNC (remote desktop), which you can run 'standalone' - so you can "browse" into another browser - which provides a handy use case...
If you:
don't want to expose all your Docker containers to the internet (even with Traefik!)
and/or need "local" access to web accessible resources on your LAN
and/or don't want to run a VPN
and/or are a bit miffed that Guacamole doesn't provide access to web apps
...then you can create a web accessible browser which is on your LAN, and access that securely (via Traefik) - from anywhere you have an HTML-5 compliant browser :)
Prerequisites
This article assumes you've at least set up Docker, Portainer, Traefik, piHole, oAuth and LetsEncrypt per our article!
Step 1 : Set up Kasmweb Chrome
Login to Portainer
Create a new Container
Name it something like chrome
Use kasmweb/chrome:develop-edge as the image
For the Volumes mount
/etc/timezone as /etc/timezone
/etc/localtime as /etc/localtime
/dev/shm as /dev/shm
For the Network
Use bridge network
Set the hostname to whatever you specified in 2.1 (i.e. chrome)
Add your domain name and DNS IP address
For the Restart-Policy use unless-stopped
For the Labels, use
traefik.enable true
traefik.http.routers.chrome.entryPoints websecure
traefik.http.routers.chrome.middlewares chain-oauth@file, chromeauth
traefik.http.routers.chrome.rule HostHeader(`chrome.yoursubdomain.yourdomain.com`)
traefik.http.routers.chrome.service chrome
traefik.http.routers.chrome.tls true
traefik.http.routers.chrome.tls.certresolver mythicbeasts
traefik.http.routers.chrome.tls.domains[0].sans *.yoursubdomain.yourdomain.com
traefik.http.services.chrome.loadbalancer.server.port 6901
traefik.http.services.chrome.loadbalancer.server.scheme https
Additionally, there is one traefik label which is too long to fit in the table above, which is:
traefik.http.middlewares.chromeauth.headers.customrequestheaders.Authorization
and it should be given the value
Basic a2FzbV91c2VyOnZuY3Bhc3N3b3JkCg
Click Deploy the container
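The Authorization value set on the chromeauth middleware above is ordinary HTTP Basic auth, so it can be decoded to see exactly which credentials Traefik injects, and regenerated cleanly when they change. The Python below is an added example, not part of the original article; the function names decode_basic and build_basic are made up for illustration.

```python
import base64
import binascii

# Value of the chromeauth middleware label given in the article.
ARTICLE_HEADER = "Basic a2FzbV91c2VyOnZuY3Bhc3N3b3JkCg"


def decode_basic(header):
    """Return (user, password, findings) for a Basic Authorization value."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization value")
    findings = []
    if len(token) % 4:  # RFC 4648 base64 is padded to a multiple of 4
        findings.append("base64 padding missing")
        token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable token: {exc}") from exc
    if raw != raw.rstrip("\r\n"):  # typical of `echo user:pass | base64`
        findings.append("trailing newline encoded into the credentials")
        raw = raw.rstrip("\r\n")
    user, sep, password = raw.partition(":")  # password may contain ':'
    if not sep:
        raise ValueError("no ':' between user and password")
    return user, password, findings


def build_basic(user, password):
    """Build the label value: no trailing newline, full padding."""
    if ":" in user:
        raise ValueError("user must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    user, password, findings = decode_basic(ARTICLE_HEADER)
    print(user, password, findings)
    # Constructed sample password, only to show the regenerated value.
    print(build_basic(user, "constructed-example-password"))
```

If the password the container expects is ever changed from the one encoded here, the label value has to be regenerated to match.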
Step 2 : Update Traefik config
To enable Traefik to handle the https connection from the WebVNC part of the chrome image, you need to update its static configuration. Assuming you followed our guide, your Traefik configuration is in TOML and your entrypoint is called websecure, you should update it to look like the following (insecure=true makes Traefik trust the X-Forwarded-* headers of every request arriving on this entrypoint, whichever address it comes from):
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.forwardedHeaders]
insecure=true
You will then need to restart Traefik, via:
docker restart traefik
Step 3 : Set up External DNS
Login to your DNS provider
Add an external CNAME record for chrome.yoursubdomain.yourdomain.com pointing to your public Internet IP address
Step 4 : Test It!
When prompted, use your Google account credentials
Test the browser!
Recap
With the above configuration, you have:
Created a kasmweb/chrome container
Proxied it via Traefik
Told Traefik how to connect to the WebVNC port that the container provides on port 6901
Told Traefik that the WebVNC connection only speaks HTTPS
Told Traefik to provide a basic username/password that is required by WebVNC, so you (as a user) don't see it
Created a "browser on your LAN, in a browser" - which doesn't need a VPN
You won't get audio, but you should be able to browse and view video etc.
Other Things
If you don't want the container accessible externally, all you need do is:
Remove (or don't set up) the external DNS - and just set up an internal CNAME on piHole to your internal Traefik IP
Replace the chain-oauth@file with blockexternal@file
If you're running WireGuard or a VPN, then as long as you can resolve the internal DNS name, this will still work.
Happy browsing! :)