Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Production readiness / secure by default #692

Closed
jaylinski opened this issue Jul 20, 2018 · 3 comments
Closed

Production readiness / secure by default #692

jaylinski opened this issue Jul 20, 2018 · 3 comments
Labels
Issue

Comments

@jaylinski
Copy link
Contributor

Describe the problem

I recently noticed that the PHP image php:7.2-fpm-alpine comes with the setting display_errors = On by default.

This was a bit problematic for me, because this setting exposed the mysqli connection credentials from my Wordpress site by displaying an error with all connection details. (yes, I should have disabled the wordpress debug mode)

What is the desired behaviour?

I expect the official PHP docker images to ship the php.ini-production config in order to be secure by default and production ready.

The official production config sets display_errors to Off: https://github.com/php/php-src/blob/php-7.2.8/php.ini-production#L477

Possible solutions

  • Ship the php.ini-production by default
  • Leave as is: we want to be developer-friendly and avoid "white-screens-of-death"
    Make it clear in docs to disable display_errors if the image is used in production.
  • Recommend upstream (php-src) to set display_errors to Off if no php.ini is found (I think that's the case for these docker images, I couldn't find a php.ini file)

Related issues

Relates to docker-library/wordpress#148.
@tianon
Copy link
Member

tianon commented Jul 20, 2018

We don't currently do anything special with php.ini beyond what PHP's own configure/build/install process provides, so our current situation is upstream's own default. 😞

php/7.2/stretch/cli/Dockerfile

Lines 125 to 172 in d6b950c

docker-php-source extract; \
cd /usr/src/php; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
# https://bugs.php.net/bug.php?id=74125
if [ ! -d /usr/include/curl ]; then \
ln -sT "/usr/include/$debMultiarch/curl" /usr/local/include/curl; \
fi; \
./configure \
--build="$gnuArch" \
--with-config-file-path="$PHP_INI_DIR" \
--with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \
\
# make sure invalid --configure-flags are fatal errors intead of just warnings
--enable-option-checking=fatal \
\
# https://github.com/docker-library/php/issues/439
--with-mhash \
\
# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236)
--enable-ftp \
# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195)
--enable-mbstring \
# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
--enable-mysqlnd \
# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
--with-password-argon2 \
# https://wiki.php.net/rfc/libsodium
--with-sodium=shared \
\
--with-curl \
--with-libedit \
--with-openssl \
--with-zlib \
\
# bundled pcre does not support JIT on s390x
# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT
$(test "$gnuArch" = 's390x-linux-gnu' && echo '--without-pcre-jit') \
--with-libdir="lib/$debMultiarch" \
\
${PHP_EXTRA_CONFIGURE_ARGS:-} \
; \
make -j "$(nproc)"; \
make install; \
find /usr/local/bin /usr/local/sbin -type f -executable -exec strip --strip-all '{}' + || true; \
make clean; \
cd /; \
docker-php-source delete; \

Perhaps there's more we could do to make it easier to switch to upstream's recommended "production" configuration?

@jaylinski
Copy link
Contributor Author

@tianon Thanks for your quick feedback! (Your open source contributions are impressive!)

I thought about this for a bit. I think it is unrealistic that upstream (php-src) will change anything about their defaults. Shipping the php.ini-production by default is a breaking change and would break a lot of existing applications, so this is also a no-go.

I thought about your suggestion on how to make it easier to switch to upstream's production config.
Maybe the two configs (development and production) could be copied into the PHP_INI_DIR, so you could do this:

FROM php:7.2
# Production container
RUN mv $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini
# Development container
RUN mv $PHP_INI_DIR/php.ini-development $PHP_INI_DIR/php.ini

And of course this should be also documented in the readme.

@tianon tianon mentioned this issue Aug 27, 2018
Merged
@tianon
Copy link
Member

tianon commented Aug 27, 2018

That's a great idea. 👍 (#711)

@jaylinski jaylinski mentioned this issue Aug 28, 2018
Merged
@jaylinski jaylinski mentioned this issue Sep 13, 2018
Closed
@Lctrs Lctrs mentioned this issue Oct 9, 2018
Merged
@wglambert wglambert mentioned this issue Oct 18, 2018
Closed
@cvmiert cvmiert mentioned this issue Apr 4, 2019
Closed
@mstenta mstenta mentioned this issue Oct 16, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tianon @jaylinski @wglambert