Closed
Description
Problem
PR #2350 (#1962) changed the websockify bind in `docker-compose.playwright-vnc.yml` from `0.0.0.0:5901` to `localhost:5901` for security hardening. However, Docker containers using this compose file may need `0.0.0.0` for inter-container networking — `localhost` inside a container only binds to the container's loopback, making the port unreachable from other containers or the Docker host.
The same PR also changed x11vnc from `-listen 0.0.0.0` to `-listen localhost` in the Docker compose file.
Location
- `autobot-infrastructure/shared/docker/compose/docker-compose.playwright-vnc.yml` line 52
Proposed Fix
- Keep websockify on `0.0.0.0` inside Docker (security is handled by Docker network isolation + `--ssl-only`)
- Keep x11vnc on `0.0.0.0` inside Docker for the same reason
- Only use `localhost` bind on bare-metal/VM deployments where nginx proxies
Discovered During
Reviewing PR #2350 during devops batch session (2026-03-25).
Impact
Medium — Docker-based VNC may be unreachable until fixed. Currently only used in dev, not production fleet.
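
The proposed fix leans on Docker network isolation once the services listen on `0.0.0.0` inside the container. As an added example (not code from this repository), the Python check below reports which host address each short-form `ports:` entry publishes on, so an in-container `0.0.0.0` bind can be confirmed not to be paired with a port published on every host interface. The compose fragment, service names and function names are constructed for illustration.

```python
import re

# Constructed compose fragment: service names, commands and port mappings are
# assumptions for illustration, not the contents of the project's file.
SAMPLE_COMPOSE = """\
services:
  vnc-published-everywhere:
    command: websockify --ssl-only 0.0.0.0:5901 localhost:5900
    ports:
      - "5901:5901"
  vnc-published-loopback:
    command: websockify --ssl-only 0.0.0.0:5901 localhost:5900
    ports:
      - "127.0.0.1:5901:5901"
"""

# Short-form mapping: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d+\.\d+\.\d+\.\d+):)?"
    r"(?:[\d-]*:)?[\d-]+(?:/\w+)?$"
)

def host_exposure(spec):
    """Return the host address a short-form port mapping publishes on."""
    m = PORT_RE.match(spec.strip().strip("\"'"))
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    # With no host IP, Docker publishes on all host interfaces by default.
    return m.group("ip") or "0.0.0.0"

def audit(compose_text):
    """Return (service, mapping, host_ip, loopback_only) per ports entry."""
    # Line-oriented scan: assumes two-space indentation and short-form
    # port strings; it is not a full YAML parser.
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False
        elif stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            spec = stripped[2:].strip().strip("\"'")
            ip = host_exposure(spec)
            findings.append((service, spec, ip, ip.startswith(("127.", "[::1]"))))
        elif stripped:
            in_ports = False
    return findings
```

A service with no `ports:` entry at all produces no finding, which is the case where the listener is reachable only over the compose network.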