RedFox Bastion Features

Complete list of modules and capabilities.

Browser-based access

SSH terminal

Full terminal emulator (xterm.js) over WebSocket. Copy/paste, resize, UTF-8, colour support. No client software or VPN required.

RDP access

Remote Desktop via a Rust proxy built on IronRDP. Clipboard, file transfer, multi-monitor. Rendered in the browser with no ActiveX or plugin.

Application Access (ZTNA) Enterprise

Secure reverse proxy for internal web applications (Grafana, Kibana, admin panels). Identity-aware routing with per-app policy enforcement, no VPN required.

Database proxy Enterprise

Proxied access to PostgreSQL, MySQL, MSSQL. Query logging, role-based restrictions, no direct database exposure.

Identity & access control

Entra ID authentication (OIDC)

Native OpenID Connect with Microsoft Entra ID. SSO, MFA enforcement inherited from Conditional Access policies. No local passwords.

SAML & LDAP Enterprise

Federate with any SAML 2.0 IdP or LDAP directory. Attribute mapping, group sync, multi-IdP support.

RBAC

Role-based access control: define roles, assign targets per role, restrict by time window or IP range.

JIT access Enterprise

Just-in-time privilege elevation with configurable TTL. Approval workflows, automatic revocation, audit trail.
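Role-based access with time windows, source-address restrictions and just-in-time grants that expire on their own, as an added example in Go. This is illustration code written for this page, not RedFox's own authoriser: the Role, Grant and Policy shapes, the sample roles, and the user, targets and addresses in demoPolicy are all constructed. It goes slightly beyond the two paragraphs above by showing how a JIT grant and a permanent role membership are evaluated by the same code path.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Role grants a set of targets, optionally only during a daily UTC hour
// window [StartHour, EndHour) and only from the listed source prefixes.
type Role struct {
	Targets   map[string]bool
	StartHour int // 0 with EndHour 24 means any time of day
	EndHour   int
	Sources   []netip.Prefix // empty means no source restriction
}

// Grant is a JIT elevation: the role is held only until ExpiresAt.
type Grant struct {
	User, Role string
	ExpiresAt  time.Time
}

// Policy holds roles, permanent membership and live JIT grants.
type Policy struct {
	Roles   map[string]Role
	Members map[string][]string // user -> permanent roles
	Grants  []Grant
}

// ApproveJIT records an approved elevation with a TTL. The approval
// workflow that precedes it is out of scope here.
func (p *Policy) ApproveJIT(user, role string, ttl time.Duration, now time.Time) {
	p.Grants = append(p.Grants, Grant{User: user, Role: role, ExpiresAt: now.Add(ttl)})
}

// rolesFor returns the roles a user holds at time now. Expired grants are
// dropped on the way through, so revocation is automatic.
func (p *Policy) rolesFor(user string, now time.Time) []string {
	roles := append([]string(nil), p.Members[user]...)
	kept := p.Grants[:0]
	for _, g := range p.Grants {
		if !now.Before(g.ExpiresAt) {
			continue // TTL elapsed: revoked
		}
		kept = append(kept, g)
		if g.User == user {
			roles = append(roles, g.Role)
		}
	}
	p.Grants = kept
	return roles
}

// Authorize decides whether user may open a session to target from src and
// names the role that allowed it. A role must pass every check; the first
// role that does wins.
func (p *Policy) Authorize(user, target string, src netip.Addr, now time.Time) (bool, string) {
	hour := now.UTC().Hour()
	for _, name := range p.rolesFor(user, now) {
		r, ok := p.Roles[name]
		if !ok || !r.Targets[target] || hour < r.StartHour || hour >= r.EndHour {
			continue
		}
		allowed := len(r.Sources) == 0
		for _, pfx := range r.Sources {
			allowed = allowed || pfx.Contains(src)
		}
		if allowed {
			return true, name
		}
	}
	return false, ""
}

// demoPolicy is constructed sample data, not a RedFox configuration.
func demoPolicy() *Policy {
	return &Policy{
		Roles: map[string]Role{
			"db-readonly": {Targets: map[string]bool{"pg-prod": true}, StartHour: 8, EndHour: 18,
				Sources: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}},
			"db-admin": {Targets: map[string]bool{"pg-prod": true, "pg-prod-root": true}, StartHour: 0, EndHour: 24},
		},
		Members: map[string][]string{"alice": {"db-readonly"}},
	}
}

func main() {
	p, now := demoPolicy(), time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	src := netip.MustParseAddr("10.1.2.3")
	fmt.Println(p.Authorize("alice", "pg-prod", src, now))      // true db-readonly
	fmt.Println(p.Authorize("alice", "pg-prod-root", src, now)) // false: no held role allows it
	p.ApproveJIT("alice", "db-admin", 30*time.Minute, now)
	fmt.Println(p.Authorize("alice", "pg-prod-root", src, now.Add(5*time.Minute)))  // true db-admin
	fmt.Println(p.Authorize("alice", "pg-prod-root", src, now.Add(31*time.Minute))) // false: grant expired
}
```

Two design points worth copying: expiry is enforced at evaluation time from the grant's own timestamp, so there is no window in which a stale grant survives a crashed reaper, and every restriction on a role must hold at once rather than any one of them.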

Security & audit

WORM audit logs

Immutable, append-only log for every connection, command and session event. Entries cannot be edited or deleted once written, so the record is tamper-evident by design. Supports the audit-trail requirements of SOC 2, ISO 27001 and NIS2.
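What "append-only" has to mean for a log to be tamper-evident, as an added example in Go. This is illustration code for this page, not RedFox's implementation, and the Entry fields and the sample session events are constructed. Each entry carries the hash of the entry before it, so modifying, deleting or reordering any record breaks every hash after it; a verifier can then say where the chain broke rather than merely that the file changed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Entry is one audit record. PrevHash binds it to the record before it, so
// altering or removing any earlier record invalidates every later hash.
type Entry struct {
	Seq      uint64
	At       time.Time
	User     string
	Target   string
	Event    string // "connect", "command", "disconnect"
	Detail   string
	PrevHash string
	Hash     string
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// digest covers every field except Hash. Fields are length-prefixed so that
// "ab"+"c" and "a"+"bc" cannot produce the same digest.
func digest(e Entry) string {
	h := sha256.New()
	fields := []string{fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano),
		e.User, e.Target, e.Event, e.Detail, e.PrevHash}
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Log is an append-only chain: it deliberately has no update or delete.
type Log struct{ entries []Entry }

func (l *Log) Append(at time.Time, user, target, event, detail string) Entry {
	e := Entry{Seq: uint64(len(l.entries)), At: at, User: user, Target: target,
		Event: event, Detail: detail, PrevHash: l.Head()}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Head is the latest hash. Publish it somewhere the log's own storage cannot
// reach (SIEM, signed timestamp) so rewriting the whole chain is detectable too.
func (l *Log) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify recomputes every digest and checks every link. It returns the
// index of the first bad entry, or -1 when the chain is intact.
func Verify(entries []Entry) (int, error) {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return i, errors.New("sequence gap: an entry was removed or reordered")
		}
		if e.PrevHash != prev || digest(e) != e.Hash {
			return i, errors.New("hash mismatch: entry modified or chain broken")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var l Log
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC) // constructed sample session
	l.Append(t0, "alice", "web-01", "connect", "ssh session 42")
	l.Append(t0.Add(time.Minute), "alice", "web-01", "command", "sudo systemctl restart nginx")
	l.Append(t0.Add(2*time.Minute), "alice", "web-01", "disconnect", "session 42 closed")
	fmt.Println(Verify(l.entries)) // -1 <nil>

	// Someone with write access to the store edits the command record.
	tampered := append([]Entry(nil), l.entries...)
	tampered[1].Detail = "ls"
	fmt.Println(Verify(tampered)) // 1 hash mismatch: entry modified or chain broken
	tampered[1].Hash = digest(tampered[1]) // re-hashing it only moves the break to entry 2
	fmt.Println(Verify(tampered)) // 2 hash mismatch: entry modified or chain broken
}
```

The chain makes edits detectable; it does not by itself stop someone with storage access from rewriting the whole log from genesis. That is why the head hash should leave the system (to a SIEM or a signed timestamp) and why the storage underneath should be genuinely write-once (object lock or an append-only volume) rather than relying on the application alone.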

Session recording

Full SSH session replay (asciinema-compatible). Searchable by user, target, date. Exportable for forensic review.

Credential vault Enterprise

AES-256 encrypted storage for SSH keys and service accounts. Users never see secrets — RedFox injects credentials at connection time.

Secrets & HSM

Envelope encryption

All connection credentials are encrypted with AES-256-GCM. The data keys are in turn wrapped by a key-encryption key (KEK) that Argon2id derives from a master passphrase. The proxy never persists plaintext secrets: a credential is decrypted for the connection, used, and scrubbed from memory.

PKCS#11 HSM provider Enterprise

Pluggable CryptoProvider interface. The optional PKCS#11 implementation performs AES-GCM encrypt/decrypt entirely inside an HSM — the key never leaves the token. Compatible with SoftHSM2, Thales nShield, YubiHSM 2, AWS CloudHSM. Build with -tags pkcs11.
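The two sections above, envelope encryption and a pluggable provider, as one added example in Go. This is illustration code for this page, not RedFox's code: the CryptoProvider interface shape, the Envelope record and the sample credential are assumptions. Argon2id lives outside the Go standard library (golang.org/x/crypto/argon2), so a small PBKDF2-HMAC-SHA256 stands in for it here purely so the block runs offline; the envelope structure is the point. A PKCS#11 provider would implement the same two methods by calling C_EncryptInit/C_Encrypt and C_DecryptInit/C_Decrypt with a key handle, which is what keeps the KEK inside the token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CryptoProvider is the seam a PKCS#11 backend plugs into: wrapping and
// unwrapping data keys is the only operation that needs the KEK. (Shape assumed.)
type CryptoProvider interface {
	WrapDEK(dek []byte) ([]byte, error)
	UnwrapDEK(wrapped []byte) ([]byte, error)
}

// softwareProvider keeps the KEK in process memory. The page names Argon2id
// (golang.org/x/crypto/argon2); PBKDF2-HMAC-SHA256 stands in so this runs on
// the standard library alone.
type softwareProvider struct{ kek []byte }

func NewSoftwareProvider(passphrase, salt []byte) *softwareProvider {
	return &softwareProvider{kek: pbkdf2SHA256(passphrase, salt, 100_000)}
}
// pbkdf2SHA256 derives a single 32-byte block (RFC 8018, block index 1).
func pbkdf2SHA256(pw, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pw)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}

// seal and open are AES-256-GCM; a fresh random nonce is prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
func (s *softwareProvider) WrapDEK(dek []byte) ([]byte, error) { return seal(s.kek, dek, []byte("dek")) }
func (s *softwareProvider) UnwrapDEK(w []byte) ([]byte, error) { return open(s.kek, w, []byte("dek")) }

// Envelope is the persisted form: credential under its own DEK, DEK under the KEK.
type Envelope struct {
	ID                     string
	WrappedDEK, Ciphertext []byte
}

func Encrypt(p CryptoProvider, id string, secret []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Envelope{}, err }
	defer zero(dek)                          // scrub after use (best effort under a GC)
	ct, err := seal(dek, secret, []byte(id)) // record ID as AAD binds the blob to its row
	if err != nil { return Envelope{}, err }
	wrapped, err := p.WrapDEK(dek)
	if err != nil { return Envelope{}, err }
	return Envelope{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}
func Decrypt(p CryptoProvider, e Envelope) ([]byte, error) {
	dek, err := p.UnwrapDEK(e.WrappedDEK)
	if err != nil { return nil, err }
	defer zero(dek)
	return open(dek, e.Ciphertext, []byte(e.ID))
}

// Rewrap re-keys an envelope (passphrase rotation, HSM migration) without decrypting the credential.
func Rewrap(from, to CryptoProvider, e Envelope) (Envelope, error) {
	dek, err := from.UnwrapDEK(e.WrappedDEK)
	if err != nil { return Envelope{}, err }
	defer zero(dek)
	e.WrappedDEK, err = to.WrapDEK(dek)
	return e, err
}
func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	old, rotated := NewSoftwareProvider([]byte("old passphrase"), []byte("salt")), NewSoftwareProvider([]byte("new passphrase"), []byte("salt"))
	env, _ := Encrypt(old, "svc-postgres", []byte("s3cret-db-password")) // constructed sample credential
	env, _ = Rewrap(old, rotated, env)                                    // rotate the KEK; ciphertext untouched
	secret, err := Decrypt(rotated, env)
	fmt.Println(string(secret), err) // s3cret-db-password <nil>
}
```

Rewrap is the reason envelope encryption is worth the extra layer: rotating the passphrase, or moving the KEK into an HSM, re-wraps a 32-byte DEK per record and never touches the credential ciphertext. The record ID as AAD means a blob copied from one row to another fails authentication rather than silently decrypting under the wrong identity.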

Operations

Docker Compose deployment

All services are built and run via a single docker-compose.yml. Non-root containers, CI vulnerability scanning (Trivy, cargo-deny, gosec).

HA deployment Enterprise

High-availability via docker-compose-ha.yml: PostgreSQL streaming replication, Redis Sentinel, 2x API instances, Loki + Promtail + Grafana monitoring.

Offline licence verification

RedFox verifies the Coderaft RSA-SHA256 licence signature locally against an embedded public key, so the primary path needs no internet access. If the embedded public key is unavailable it falls back to online validation. Suitable for air-gapped and restricted environments.

Licence hot-swap

Replace the licence key on a live deployment without restarting. POST /v1/setup/license/update validates and applies the new key immediately — feature gates update in memory with no service interruption.
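Offline signature verification and a lock-free hot-swap of the feature gates, as one added example in Go covering the two sections above. This is illustration code for this page, not RedFox's licence code: the Licence fields, the "payload.signature" key layout, RSA PKCS#1 v1.5 over SHA-256 as the reading of "RSA-SHA256", and the throwaway vendor key generated at run time are all assumptions. The security point it makes is that Update verifies the new key completely before anything is swapped, so a bad key can never leave the service half-licensed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"sync/atomic"
	"time"
)

// Licence is the signed payload. The field set is assumed for this example;
// the page does not describe the Coderaft licence format.
type Licence struct {
	Customer string    `json:"customer"`
	Features []string  `json:"features"`
	Expires  time.Time `json:"expires"`
}

// Verify checks a key of the form "<base64url payload>.<base64url signature>"
// against the embedded vendor public key, with no network access.
func Verify(pub *rsa.PublicKey, key string, now time.Time) (*Licence, error) {
	parts := strings.Split(key, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed licence key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("licence signature invalid")
	}
	var lic Licence
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, err
	}
	if !now.Before(lic.Expires) {
		return nil, errors.New("licence expired")
	}
	return &lic, nil
}

// Gates is the live feature set. Request handlers Load the pointer; a
// hot-swap is one atomic pointer replacement, with no lock and no restart.
type Gates struct {
	pub     *rsa.PublicKey
	current atomic.Pointer[Licence]
}

func (g *Gates) Enabled(feature string) bool {
	lic := g.current.Load()
	return lic != nil && slices.Contains(lic.Features, feature)
}

// Update is what the handler behind POST /v1/setup/license/update would
// call: the new key is verified in full before it replaces the old one, so a
// rejected key leaves the running licence exactly as it was.
func (g *Gates) Update(key string, now time.Time) error {
	lic, err := Verify(g.pub, key, now)
	if err != nil {
		return err
	}
	g.current.Store(lic)
	return nil
}

// sign issues a key. Only the vendor holds the private key; it is here so
// the example is self-contained.
func sign(priv *rsa.PrivateKey, lic Licence) (string, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway vendor key for the demo
	g, now := &Gates{pub: &priv.PublicKey}, time.Now()
	key, _ := sign(priv, Licence{Customer: "acme", Features: []string{"rbac", "jit"}, Expires: now.Add(24 * time.Hour)})
	fmt.Println(g.Update(key, now), g.Enabled("jit")) // <nil> true
	expired, _ := sign(priv, Licence{Customer: "acme", Features: []string{"hsm"}, Expires: now.Add(-time.Hour)})
	fmt.Println(g.Update(expired, now), g.Enabled("hsm"), g.Enabled("jit")) // licence expired false true
}
```

In a real deployment the public key is compiled into the binary, which is what makes the air-gapped path possible; any online fallback should be treated as a second verifier, not as a way to accept a key the embedded one rejected.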

Platform Dashboard integration

Dashboard mode (REDFOX_DASHBOARD_MODE=true) accepts unified Coderaft platform JWTs alongside native RedFox JWTs, enabling the Global Dashboard to access RedFox without requiring a separate Entra ID app-role.