OWASP Juice Shop hosted by Traefik SSL Reverse Proxy and Authelia Single-Sign-On (SSO) provider.
- Docker for Linux
- Docker Compose for Linux
- Valid domain or proper `/etc/hosts` setup for fictive domain
- Adjust the `docker-compose.yml` file to your needs. Especially adjust the traefik labels and example domain `fictive.local` to your valid domain, if available.
- Adjust the `traefik/fileConfig.yml` to your needs.
- Adjust the `authelia/config/configuration.yml` to your needs. Especially adjust the Authelia example domain `fictive.local` to your valid domain, if available and all default secrets.
- Adjust the `authelia/config/user_database.yml` to your needs. Especially adjust the default users and secrets.
If you do not have your own domain and registrar for DNS setup, you may keep using the `fictive.local` domain as is. If so, please make sure to properly set up your Linux host's `/etc/hosts` file. I recommend the following entries:

```
127.0.0.1 fictive.local auth.fictive.local juice.fictive.local traefik.fictive.local
```
Traefik is configured to use HTTP challenge. You will obtain valid Let's Encrypt SSL certificates if:
- You use your own domain with proper DNS entries setup
- You run this project on your server, which has the IP address that your domain is publicly resolved to
- You expose TCP/80 of the Traefik reverse proxy to the public Internet
As an alternative, you may adjust the Traefik configuration to use DNS challenge. This setup is not part of this GitHub repo though.
If the HTTP challenge fails, Traefik will issue self-signed SSL certificates.
```
docker network create proxy
docker compose up -d
```
The OWASP Juice Shop web application is run behind Traefik + Authelia. Only TCP/80 (HTTP) and TCP/443 (HTTPS) of the Traefik container are mapped onto the Docker host.
If you haven't changed the project files and ensured proper `/etc/hosts` entries, you will be able to access:
- Authelia Login page at https://auth.fictive.local
- Juice Shop at https://juice.fictive.local
  - after Authelia login with default creds `SecureTheJuice:SecureTheJuice`
- Traefik API dashboard at https://traefik.fictive.local
  - from private class A networks only
In order to access the Juice Shop, you will have to authenticate against Authelia first.
The default Authelia users are:
Username | Password |
---|---|
SecureTheJuice | SecureTheJuice |
You can freely adjust users and groups at `authelia/config/users_database.yml`.
The access controls are defined in Authelia's configuration file `authelia/config/configuration.yml`.
The default user group `fruitlovers` is allowed to gain access. The user `SecureTheJuice` is a member of this group.
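
A sketch of how a group-based rule of this kind is expressed in Authelia, added here as an illustration and not copied from this repository's files. The `default_policy: deny` setting, the `one_factor` policy, the second user `auditor` with group `staff`, the display names, e-mail addresses and hash placeholders are assumptions.

```yaml
# --- Excerpt in the style of authelia/config/configuration.yml (assumed content) ---
access_control:
  # Anything that matches no rule below is rejected.
  default_policy: deny
  rules:
    # Only members of the fruitlovers group may reach the Juice Shop.
    - domain: "juice.fictive.local"
      policy: one_factor          # assumption: password-only login
      subject:
        - "group:fruitlovers"

# --- Excerpt in the style of the Authelia user database file (assumed content) ---
users:
  SecureTheJuice:
    displayname: "Juice Shop User"            # constructed value
    # Replace with a freshly generated argon2id hash of a NEW password;
    # do not keep the default SecureTheJuice password.
    password: "<ARGON2ID_HASH_PLACEHOLDER>"
    email: "juice@fictive.local"              # constructed value
    groups:
      - fruitlovers                           # matched by the rule above

  auditor:                                    # hypothetical second user
    displayname: "Read-only Auditor"          # constructed value
    password: "<ARGON2ID_HASH_PLACEHOLDER>"
    email: "auditor@fictive.local"            # constructed value
    groups:
      - staff                                 # not in fruitlovers: can log in to
                                              # Authelia but is denied the Juice Shop
```

With a deny-by-default policy, adding a user to the database does not grant access to the Juice Shop; access follows only from membership in a group named in a rule's `subject` list.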