{"id":18878086,"url":"https://github.com/l4rm4nd/securethejuice","last_synced_at":"2026-02-19T08:30:15.652Z","repository":{"id":194529183,"uuid":"691029148","full_name":"l4rm4nd/SecureTheJuice","owner":"l4rm4nd","description":"OWASP Juice Shop hosted by Traefik SSL Reverse Proxy and Authelia Single-Sign-On (SSO) provider. Comes with Cowrie SSH honeypot.","archived":false,"fork":false,"pushed_at":"2025-02-11T11:04:45.000Z","size":21,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-11T11:35:23.648Z","etag":null,"topics":["authelia","capture-the-flag","ctf","ethical-hacking","hacking","juice-shop","owasp","owasp-top-10","pentesting","traefik","vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/l4rm4nd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-13T11:10:41.000Z","updated_at":"2025-02-11T11:04:48.000Z","dependencies_parsed_at":"2024-11-08T06:37:07.059Z","dependency_job_id":null,"html_url":"https://github.com/l4rm4nd/SecureTheJuice","commit_stats":null,"previous_names":["l4rm4nd/juice-shop-authelia-traefik","l4rm4nd/securethejuice"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FSecureTheJuice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FSecureTheJuice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FSecureThe
Juice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FSecureTheJuice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/l4rm4nd","download_url":"https://codeload.github.com/l4rm4nd/SecureTheJuice/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239841000,"owners_count":19705976,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authelia","capture-the-flag","ctf","ethical-hacking","hacking","juice-shop","owasp","owasp-top-10","pentesting","traefik","vulnerability"],"created_at":"2024-11-08T06:24:07.060Z","updated_at":"2026-02-19T08:30:15.616Z","avatar_url":"https://github.com/l4rm4nd.png","language":null,"funding_links":["https://www.buymeacoffee.com/LRVT"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\" width=\"100%\"\u003e\n    \u003ch1\u003eSecureTheJuice\u003c/h1\u003e\n    \u003cp\u003eOWASP Juice Shop hosted by Traefik SSL Reverse Proxy and Authelia Single-Sign-On (SSO) provider. 
Comes with Cowrie SSH honeypot too.\u003c/p\u003e\u003cp\u003e\n    \u003ca target=\"_blank\" href=\"https://github.com/l4rm4nd\"\u003e\u003cimg src=\"https://img.shields.io/badge/maintainer-LRVT-orange\" /\u003e\u003c/a\u003e\n    \u003ca target=\"_blank\" href=\"https://GitHub.com/l4rm4nd/SecureTheJuice/graphs/contributors/\"\u003e\u003cimg src=\"https://img.shields.io/github/contributors/l4rm4nd/SecureTheJuice.svg\" /\u003e\u003c/a\u003e\u003cbr\u003e\n    \u003ca target=\"_blank\" href=\"https://GitHub.com/l4rm4nd/SecureTheJuice/commits/\"\u003e\u003cimg src=\"https://img.shields.io/github/last-commit/l4rm4nd/SecureTheJuice.svg\" /\u003e\u003c/a\u003e\n    \u003ca target=\"_blank\" href=\"https://GitHub.com/l4rm4nd/SecureTheJuice/issues/\"\u003e\u003cimg src=\"https://img.shields.io/github/issues/l4rm4nd/SecureTheJuice.svg\" /\u003e\u003c/a\u003e\n    \u003ca target=\"_blank\" href=\"https://github.com/l4rm4nd/SecureTheJuice/issues?q=is%3Aissue+is%3Aclosed\"\u003e\u003cimg src=\"https://img.shields.io/github/issues-closed/l4rm4nd/SecureTheJuice.svg\" /\u003e\u003c/a\u003e\u003cbr\u003e\n        \u003ca target=\"_blank\" href=\"https://github.com/l4rm4nd/SecureTheJuice/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/l4rm4nd/SecureTheJuice.svg?style=social\u0026label=Star\" /\u003e\u003c/a\u003e\n    \u003ca target=\"_blank\" href=\"https://github.com/l4rm4nd/SecureTheJuice/network/members\"\u003e\u003cimg src=\"https://img.shields.io/github/forks/l4rm4nd/SecureTheJuice.svg?style=social\u0026label=Fork\" /\u003e\u003c/a\u003e\n    \u003ca target=\"_blank\" href=\"https://github.com/l4rm4nd/SecureTheJuice/watchers\"\u003e\u003cimg src=\"https://img.shields.io/github/watchers/l4rm4nd/SecureTheJuice.svg?style=social\u0026label=Watch\" /\u003e\u003c/a\u003e\u003cp\u003e\n    \u003ca href=\"https://www.buymeacoffee.com/LRVT\" target=\"_blank\"\u003e\u003cimg src=\"https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png\" alt=\"Buy Me 
A Coffee\" style=\"height: 41px !important;width: 174px !important;box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;-webkit-box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;\" \u003e\u003c/a\u003e\n\u003c/div\u003e\n\n## ✨ Requirements\n- Docker for Linux\n- Docker Compose for Linux\n- Valid domain or proper `/etc/hosts` setup for a fictive domain\n\n## 🎓 Configuration\n\n1. Adjust the `docker-compose.yml` file to your needs. In particular, adjust the Traefik labels and the example domain `fictive.local` to your valid domain, if available.\n2. Adjust the `traefik/fileConfig.yml` to your needs.\n3. Adjust the `authelia/config/configuration.yml` to your needs. In particular, adjust the Authelia example domain `fictive.local` to your valid domain, if available, and change all default secrets.\n4. Adjust the `authelia/config/user_database.yml` to your needs. In particular, adjust the default users and secrets.\n5. Adjust the `cowrie/users.txt` to your needs. These are the honeypot user accounts allowed to log into the fake SSH service on TCP/2222.\n\nIf you do not have your own domain and registrar for DNS setup, you may keep using the `fictive.local` domain as is. If so, make sure to properly set up your Linux system's `/etc/hosts` file. I recommend the following entries:\n\n````\n127.0.0.1       fictive.local auth.fictive.local juice.fictive.local traefik.fictive.local\n````\n\n## 💎 SSL Certificates\n\nTraefik is configured to use the HTTP challenge. You will obtain valid Let's Encrypt SSL certificates if:\n\n- You use your own domain with proper DNS entries set up\n- You run this project on your server, which has the IP address that your domain is publicly resolved to\n- You expose TCP/80 of the Traefik reverse proxy to the public Internet\n\nAs an alternative, you may adjust the Traefik configuration to use the DNS challenge. 
This setup is not part of this GitHub repo though.\n\nIf the HTTP challenge fails, Traefik will issue self-signed SSL certificates.\n\n## 🏃 Running\n\n````\n# clone this repo\ngit clone https://github.com/l4rm4nd/SecureTheJuice \u0026\u0026 cd SecureTheJuice\n\n# create docker network\ndocker network create proxy\n\n# spawn the container stack\ndocker compose up -d\n````\n\nThe OWASP Juice Shop web application is run behind Traefik + Authelia. Only TCP/80 (HTTP) and TCP/443 (HTTPS) of the Traefik container are mapped onto the Docker host. Additionally, a Cowrie SSH honeypot is exposed on TCP/2222.\n\nIf you haven't changed the project files and ensured proper `/etc/hosts` entries, you will be able to access:\n\n- Authelia Login page at https://auth.fictive.local\n- Juice Shop at https://juice.fictive.local\n    - after Authelia login with default creds `SecureTheJuice:SecureTheJuice` \n- Traefik API dashboard at https://traefik.fictive.local\n    - from private class A networks only\n- Cowrie SSH Honeypot at TCP/2222\n    - allows logins with pre-defined credentials based on Juice Shop users\n\n## 🔑 Authentication via Authelia\n\nIn order to access the Juice Shop, you will have to authenticate against Authelia first.\n\nThe default Authelia users are:\n\n| Username | Password |\n| :---------- | :--------- |\n| SecureTheJuice  | SecureTheJuice  |\n\nYou can freely adjust users and groups at `authelia/config/users_database.yml`.\n\n## 🔏 Authorization via Authelia\n\nIn order to access the Juice Shop, you will have to authenticate against Authelia first.\n\nThe access controls are defined in Authelia's configuration file `authelia/config/configuration.yml`.\n\nThe default user group `fruitlovers` is allowed to gain access. 
The user `SecureTheJuice` is a member of this group.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl4rm4nd%2Fsecurethejuice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fl4rm4nd%2Fsecurethejuice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl4rm4nd%2Fsecurethejuice/lists"}