/SecureTheJuice

OWASP Juice Shop hosted by Traefik SSL Reverse Proxy and Authelia Single-Sign-On (SSO) provider.

SecureTheJuice

OWASP Juice Shop hosted by Traefik SSL Reverse Proxy and Authelia Single-Sign-On (SSO) provider.



Buy Me A Coffee

✨ Requirements

  • Docker for Linux
  • Docker Compose for Linux
  • Valid domain or proper /etc/hosts setup for fictive domain

🎓 Configuration

  1. Adjust the docker-compose.yml file to your needs. Especially adjust the traefik labels and example domain fictive.local to your valid domain, if available.
  2. Adjust the traefik/fileConfig.yml to your needs.
  3. Adjust the authelia/config/configuration.yml to your needs. Especially adjust the Authelia example domain fictive.local to your valid domain, if available and all default secrets.
  4. Adjust the authelia/config/user_database.yml to your needs. Especially adjust the default users and secrets.

If you do not have an own domain and registrar for DNS setup, you may keep using the fictive.local domain as is. If so, please ensure to properly setup your Linux's /etc/hosts file. I recommend the following entries:

127.0.0.1       fictive.local auth.fictive.local juice.fictive.local traefik.fictive.local

💎 SSL Certificates

Traefik is configured to use HTTP challenge. You will obtain valid Let's Encrypt SSL certificates if:

  • You use your own domain with proper DNS entries setup
  • You run this project on your server, which has the IP address that your domain is publicly resolved to
  • You expose TCP/80 of the Traefik reverse proxy to the public Internet

As an alternative, you may adjust the Traefik configuration to use DNS challenge. This setup is not part of this GitHub repo though.

If the HTTP challenge fails, Traefik will issue self-signed SSL certificates.

🏃 Running

docker network create proxy
docker compose up -d

The OWASP Juice Shop web application is run behind Traefik + Authelia. Only TCP/80 (HTTP) and TCP/443 (HTTPS) of the Traefik container are mapped onto the Docker host.

If you haven't changed the project files and ensured proper /etc/hosts entries, you will be able to access:

🔑 Authentication via Authelia

In order to access the Juice Shop, you will have to authenticate against Authelia first.

The default Authelia users are:

Username Password
SecureTheJuice SecureTheJuice

You can freely adjust users and groups at authelia/config/users_database.yml.

🔏 Authorization via Authelia

In order to access the Juice Shop, you will have to authenticate against Authelia first.

The access controls are defined in Authelia's configuration file authelia/config/configuration.yml.

The default user group fruitlovers is allowed to gain access. The user SecureTheJuice is member of this group.