SoloLVL Posted January 10 Share Posted January 10 Problem: php-fpm unable to access env vars via getenv() func, meanwhile php-cli can Circumstances: -- php version 8.1.10 -- clear_env is set to no in /etc/php/8.1/fpm/pool.d/www.conf -- vars are set, thus is it possible to see them via shell env command or via php-cli with getenv() -- using ubuntu22 -- php-fpm runs under user which has access to those env vars Open to any thought, ready to provide more details Quote Link to comment Share on other sites More sharing options...
kicken Posted January 10 Share Posted January 10 (edited) The FPM workers run in a clean environment via systemd. Setting clear_env in the pool configuration doesn't change that. You will need to either set the variables as part of the service definition in systemd or through the web server so they get passed to the fpm process. For example, if using apache add SetEnv YOUR_VAR the_value to your site configuration. Or set them in your pool configuration explicity with env[YOUR_VAR]=the_value Edited January 10 by kicken Quote Link to comment Share on other sites More sharing options...
SoloLVL Posted January 10 Author Share Posted January 10 Thanks! The env vars I need are sensitive, so I just cannot set them in plaintext within config files of the server Quote Link to comment Share on other sites More sharing options...
kicken Posted January 10 Share Posted January 10 They need to go somewhere, unless you want to be manually entering them every time the system boots. The config files can have their permissions set so only root is able read them. If you're worried about someone else with root access reading the files, then your problem isn't "how to secure the environment variables?", it's "why does someone you don't trust have root access?". The other common solution is to not make them true environment variables at all and put them in a .env file in your application directory. Make that file readable only by the application's user and use something like symfony/dotenv to load it and access the variables using $_ENV. I do a mix of both in my applications which are based on the Symfony framework. I have SYMFONY_ENV=prod set as an environment variable in the server configuration to ensure it's running in production mode, then a .env.local file in the application directory that has all the secrets for the application. Quote Link to comment Share on other sites More sharing options...
SoloLVL Posted January 11 Author Share Posted January 11 I like your idea about putting them into config file during deployment, thanks! Regarding .env file -- I use Laravel and obviously use that .env file for vars & secrets, but I use aws-php-sdk, which uses getenv() function to get aws creds from env vars of the pod. I also cache configs, so .env file no more readable after caching, that's why I am so worried about the fact I cannot access system level env vars. But the most weird point is that other Laravel & Symfony apps of the friend of mine with the same configs have access to system lvl env vars. Appreciate your time and help! Quote Link to comment Share on other sites More sharing options...
SoloLVL Posted January 11 Author Share Posted January 11 UPD: php is started via supervisor. If I stop that via supervisor and start in the same way, but manually via shell -- then I am able to get env vars. Quote Link to comment Share on other sites More sharing options...
Solution SoloLVL Posted January 12 Author Solution Share Posted January 12 Proven solution: do not start supervisor like Quote service supervisor start but as Quote supervisord -n -c <path to supervisor.conf> Reference Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.