NOTE: This is now outdated. See the Doppler PHP examples repository instead.
Created: 26 October 2020
Author: Ryan Blunden
OS: Ubuntu 20.04
PHP: 7.4
NOTE: You can find other approaches to providing environment variables for PHP applications in our dedicated PHP examples repository that save you from having to mess with process managers such as Systemd.
This document demonstrates how to configure a PHP application with environment variables from Doppler running under NGINX. It presumes only one PHP application and one Doppler configuration will be used for the machine.
NOTE: All commands in this document require root access and so are run as the root user.
apt update
apt install -y nginx php-fpm
add-apt-repository universe
(curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh
systemctl start nginx php7.4-fpm.service
Configure Doppler using a service token:
mkdir /var/doppler # acts as home when doppler is executed by systemd
HOME=/var/doppler doppler configure set token dp.st.XXX --scope=/
HOME=/var/doppler doppler configs # validate service token
- Create a new NGINX configuration such as below, which is the most basic site configuration required to test everything works. It should be created at /etc/nginx/sites-available/doppler-test:
server {
    listen 80;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name my-app-hostname;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
- Disable the current default site:
unlink /etc/nginx/sites-enabled/default
- Enable the new site:
ln -s /etc/nginx/sites-available/doppler-test /etc/nginx/sites-enabled/doppler-test
- Run nginx -t to confirm there are no configuration issues
- Create a PHP file at /var/www/html/env.php with the contents <pre><?php print_r($_SERVER); ?></pre>
- Restart NGINX for the changes to take effect:
systemctl restart nginx
- Open a browser and attempt to view the output of the env.php page, e.g. http://aws-server/env.php
Now that NGINX is working with PHP, let's alter the php-fpm service to use Doppler:
- Edit /etc/php/7.4/fpm/pool.d/www.conf, removing the leading semicolon from ;clear_env=no
- Run systemctl edit php7.4-fpm.service --full:
  - Change ExecStart to start with /usr/bin/doppler run --:
    ExecStart=/usr/bin/doppler run -- /usr/sbin/php-fpm7.4 ...
  - Under [Service] add Environment=HOME=/var/doppler
- Apply change with systemctl daemon-reload && systemctl restart nginx php7.4-fpm.service
You may experience the process hanging; in this case, just send a SIGINT using CTRL+C to detach. This is a known issue and we are working on a fix, but it is not a blocker for getting this working.
Now go back to your browser to refresh the env.php page and you should now see new environment variables from Doppler. If you get a 500 error, try running systemctl daemon-reload && systemctl restart nginx php7.4-fpm.service again and retry.
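One way to confirm that the three edits above (clear_env, the ExecStart prefix, and Environment=HOME) are actually in place, for example when chasing a 500 error. This is an added example, not part of the original guide or of Doppler's tooling; the function names, the sample files and PLACEHOLDER_ARGS are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the three edits from this guide are in place.
# Usage: check_doppler_fpm POOL_CONF UNIT_FILE  (returns 0 when all pass)
check_doppler_fpm() {
    pool=$1; unit=$2; rc=0
    # php-fpm only passes the inherited environment to PHP workers when
    # clear_env is uncommented and set to "no".
    if grep -Eq '^[[:space:]]*clear_env[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$pool"; then
        echo "ok:   clear_env = no"
    else
        echo "FAIL: clear_env = no is missing or still commented out"; rc=1
    fi
    # Keep only lines inside [Service]; the same text elsewhere has no effect.
    svc=$(awk '/^\[/ { keep = ($0 == "[Service]"); next } keep' "$unit")
    if printf '%s\n' "$svc" | grep -Eq '^ExecStart=/usr/bin/doppler run -- [^[:space:]]'; then
        echo "ok:   ExecStart is wrapped by doppler run"
    else
        echo "FAIL: ExecStart does not start with /usr/bin/doppler run --"; rc=1
    fi
    if printf '%s\n' "$svc" | grep -Eq '^Environment="?HOME=/var/doppler"?[[:space:]]*$'; then
        echo "ok:   Environment=HOME=/var/doppler"
    else
        echo "FAIL: Environment=HOME=/var/doppler is not set under [Service]"; rc=1
    fi
    return "$rc"
}

# Constructed sample files, not copied from a real host. PLACEHOLDER_ARGS
# stands in for the php-fpm arguments the guide elides.
write_samples() {
    dir=$1
    printf '%s\n' '[www]' ';clear_env = no' > "$dir/pool-before.conf"
    printf '%s\n' '[www]' 'clear_env = no' > "$dir/pool-after.conf"
    printf '%s\n' '[Unit]' 'Description=constructed sample' '[Service]' \
        'ExecStart=/usr/sbin/php-fpm7.4 PLACEHOLDER_ARGS' > "$dir/before.service"
    printf '%s\n' '[Unit]' 'Description=constructed sample' '[Service]' \
        'Environment=HOME=/var/doppler' \
        'ExecStart=/usr/bin/doppler run -- /usr/sbin/php-fpm7.4 PLACEHOLDER_ARGS' \
        > "$dir/after.service"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== before the edits =="
check_doppler_fpm "$tmp/pool-before.conf" "$tmp/before.service" || echo "(edits not applied yet)"
echo "== after the edits =="
check_doppler_fpm "$tmp/pool-after.conf" "$tmp/after.service"
rm -rf "$tmp"
```

On the server, pass /etc/php/7.4/fpm/pool.d/www.conf and the unit copy that systemctl edit --full writes under /etc/systemd/system/. Once env.php shows the Doppler variables, delete it, because it prints every injected secret to anyone who can load the page.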
NOTE: Currently, the PHP service will need to be manually restarted in order to fetch the latest secrets from Doppler and update the environment variables. You could work around this by specifying that the PHP service should restart every n seconds, editing the service by again running /etc/php/7.4/fpm/pool.d/www.conf, and adding the following under [Service]:
Restart=always
RuntimeMaxSec=3600
To check NGINX is configured correctly: run nginx -t
If the php service fails to start: Run systemctl status php7.4-fpm.service to view the error logs. If the service is unable to start and the service config is correct, it’s most likely caused by an incorrect Doppler service token. You can test the validity of the token by running: HOME=/var/doppler doppler configs
This is great! Small request: can we add here what the result should be?
Change ExecStart to start with /usr/bin/doppler run --
-> Change ExecStart to start with /usr/bin/doppler run --: /usr/bin/doppler run -- ExecStart