Docker container running Brave browser in a secure, isolated environment accessible via RDP, VNC, or web browser.

```
Client (RDP/VNC/Web)
│
├── RDP :3389 ──→ xrdp ──→ libvnc ──→ x11vnc ──→ Xvfb
├── VNC :5910 ──→ x11vnc ──→ Xvfb (virtual framebuffer)
└── Web :8080 ──→ websockify ──→ x11vnc ──→ Xvfb
                                              ↑
                                        openbox + Brave
```

- Xvfb — virtual X11 framebuffer (no physical display required)
- x11vnc — exports the framebuffer over VNC protocol
- xrdp — translates RDP to VNC (allows native RDP clients like macOS Windows App)
- noVNC + websockify — browser-based VNC client with WebSocket transport
- openbox — minimal window manager (maximized, no decorations)
- Brave — privacy-focused Chromium browser with optional Tor integration

```bash
docker compose up -d
```

| Method | Address | Credentials |
|---|---|---|
| RDP | localhost:3389 | kiosk / kiosk |
| VNC | localhost:5910 | password: kiosk |
| Web | http://localhost:8080 | password: kiosk |

All settings are controlled via environment variables in docker-compose.yml:

| Variable | Default | Description |
|---|---|---|
| `KIOSK_URL` | `about:blank` | URL to open on startup |
| `RESOLUTION` | `1920x1080` | Virtual display resolution |
| `VNC_PASSWORD` | `kiosk` | Password for VNC/web/RDP access |
| `USE_TOR` | `false` | Enable Brave's built-in Tor mode |

```yaml
environment:
  - KIOSK_URL=https://search.brave.com
  - USE_TOR=true
```

```yaml
environment:
  - KIOSK_URL=https://example.com
  - USE_TOR=false
```

| Port | Protocol | Service |
|---|---|---|
| 3389 | TCP | RDP (Microsoft Remote Desktop, Windows App) |
| 5910 | TCP | VNC (any VNC client) |
| 8080 | TCP | HTTP/WebSocket (noVNC web client) |

- Browser runs as non-root user (`kiosk`, UID 1000)
- No `seccomp:unconfined` required
- Window manager hides all decorations (no minimize/maximize/close buttons)
- VNC password-protected on all access methods
- TLS certificates auto-generated for RDP
- Container restarts automatically if browser process exits (`restart: unless-stopped`)
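
An added example, not part of the project's own code: a small Python check that flags a compose file which still uses the default `kiosk` password or publishes the RDP/VNC/web ports beyond loopback. The service name `kiosk`, both sample files and the `${VNC_PASSWORD}` substitution are constructed assumptions, and the parser only handles list-style `ports:` and `environment:` entries.

```python
import re

DEFAULT_PASSWORD = "kiosk"               # default listed in the README's variable table
REMOTE_PORTS = {"3389", "5910", "8080"}  # RDP, VNC and noVNC ports from the README
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def audit_compose(text):
    """Return findings for a compose file that uses list-style ports/environment."""
    findings, section, password = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()   # drop YAML comments
        if not line.strip():
            continue
        header = re.match(r"\s*([\w-]+):\s*$", line)
        item = re.match(r"\s*-\s*[\"']?(.+?)[\"']?\s*$", line)
        if header:
            section = header.group(1)
        elif not item:
            section = None               # a "key: value" line ends the current list
        elif section == "ports":
            spec = item.group(1).split("/")[0]   # drop a "/tcp" suffix
            parts = spec.rsplit(":", 2)          # [ip,] [host_port,] container_port
            host_ip = parts[0] if len(parts) == 3 else ""
            if REMOTE_PORTS & set(parts[-2:]) and host_ip not in LOOPBACK:
                findings.append(f"port {spec} is reachable beyond loopback")
        elif section == "environment" and item.group(1).startswith("VNC_PASSWORD="):
            password = item.group(1).split("=", 1)[1]
    if password in (None, "", DEFAULT_PASSWORD):
        findings.append("VNC_PASSWORD is unset or still the default")
    return findings

# Constructed sample: ports published without a host IP, password left at default.
SAMPLE_DEFAULT = """services:
  kiosk:
    ports: # hypothetical service name
      - "3389:3389"
      - "5910:5910"
      - "8080:8080"
    restart: unless-stopped
"""
# Constructed sample: web client bound to loopback, password supplied from the host env.
SAMPLE_HARDENED = """services:
  kiosk:
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      - VNC_PASSWORD=${VNC_PASSWORD}
"""
```
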
- English locale forced (UI + Accept-Language header)
- Brave onboarding/welcome pages suppressed
- Brave Rewards, News, Wallet disabled
- Privacy Sandbox prompts suppressed
- System titlebar mode (decorations hidden by openbox)
- No sandbox mode (required for containerized Chromium)

```
.
├── Dockerfile           # Multi-layer build: Debian bookworm-slim + Brave + services
├── docker-compose.yml   # Container orchestration and environment config
├── entrypoint.sh        # Service startup and Brave configuration
├── openbox-rc.xml       # Window manager: fullscreen, no decorations
└── noVNC-index.html     # Custom web client with auth and auto-scaling
```

```bash
docker compose build
```

Wait a few seconds — Brave takes time to initialize on first launch, especially with Tor enabled.

The xrdp service needs x11vnc to be ready first. A 2-second delay is configured; increase `delay_ms` in `xrdp.ini` if needed.

Brave downloads Tor binaries on first use. Ensure the container has internet access. First Tor connection may take 10-30 seconds.

MIT