Update .env

deployment/swag-new/.env

@@ -6,10 +6,17 @@ APPSEC_CONFIG=./appsec-config
 APPSEC_DATA=./appsec-data
 APPSEC_LOGS=./appsec-logs
 APPSEC_LOCALCONFIG=./appsec-localconfig
+
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+## open-appsec configuration via open-appsec Web UI.
+## You can optionally set it to true when using local, declarative management for open-appsec,
+## declarative configuration will then get applied automatically when changed.
 APPSEC_AUTO_POLICY_LOAD=false
+
 ## Example for configuring HTTPS Proxy:
 ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
 APPSEC_HTTPS_PROXY=
+
 APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
 APPSEC_USER_EMAIL=user@email.com
 APPSEC_DB_PASSWORD=pass
@@ -19,8 +26,13 @@ APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
 
 ## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file 
 SWAG_CONFIG=./swag-config
+## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder
 SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs
+## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder
 SWAG_PROXY_CONFS=./swag-proxy-confs
+## For deployment of a simple lab testing environment, you can deploy the example configuration provided
+## for the vulnerable juice-shop container, see instructions further below.
+
 SWAG_TZ=Etc/UTC
 SWAG_VALIDATION=http # configure "http" or "dns" as validation modes 
 SWAG_DNSPLUGIN="" # configure e.g. "route53" or some other DNS Plugin supported by SWAG if you set "dns" above
@@ -31,7 +43,7 @@ SWAG_AWS_ACCESS_KEY_ID=""
 SWAG_AWS_SECRET_ACCESS_KEY=""
 ##
 
-SWAG_STAGING=true
+SWAG_STAGING=true ## switch to 'false' after successful testing
 SWAG_URL=yourdomain.url
 SWAG_SUBDOMAINS=""
 SWAG_ONLY_SUBDOMAINS=""
@@ -39,11 +51,26 @@ SWAG_ONLY_SUBDOMAINS=""
 ## make sure your domain's public IP resolves to
 ## the docker host for Let's Encrypt cert generation to succeed
 
-## To connect your deployment to central WebUI you can uncomment following line
-## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io
+## To connect your deployment to central open-appsec WebUI provide the token for a profile
+## which you created in open-appsec WebUI at https://my.openappsec.io
 ## Example: APPSEC_AGENT_TOKEN=111-22222-111
 APPSEC_AGENT_TOKEN=
 
-## When not providing token for connection to central WebUI please uncomment following line
-## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI
-# COMPOSE_PROFILES=standalone
+## Important: When not providing token for connection to central WebUI:
+## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
+## sharing of learning between processes and allow you to perform tuning locally on CLI
+COMPOSE_PROFILES=
+
+## JUICE SHOP DEMO CONTAINER:
+## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
+## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
+
+## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder
+## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder
+## you can use the example files available here:
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf
+## note that juiceshop container listens on HTTP port 3000 by default
+
+## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
+## COMPOSE_PROFILES=standalone,juiceshop