BestPractices doc recommends using env vars for 'sensitive options', points to example URL, but does not provide any info for Nginx

The Symfony "Best Practices" docs at

http://symfony.com/doc/current/best_practices/configuration.html

recommend

Moving Sensitive Options Outside of Symfony Entirely

    When dealing with sensitive options, like database credentials, we also recommend that you store them outside the Symfony project and make them available through environment variables.

And point to

Learn how to do it in the following article: How to Set external Parameters in the Service Container

Following/Reading at

How to Set external Parameters in the Service Container 
http://symfony.com/doc/current/cookbook/configuration/external_parameters.html 

the docs provide an example for setting EnvVars for use when using Apache

"For example, if you're using Apache, environment variables can be set using the following VirtualHost configuration: ..."

but avoid any example sufficient and correct for nginx, stating only

"The example above is for an Apache configuration, using the SetEnv directive. However, this will work for any web server which supports the setting of environment variables."

The nginx/env pieces are here

https://docs.apitools.com/blog/2014/07/02/using-environment-variables-in-nginx-conf.html
http://nginx.org/en/docs/http/ngx_http_perl_module.html#perl_set
http://nginx.org/en/docs/ngx_core_module.html#env

But there needs to be a good nginx example -- that works -- to properly provide ENV vars so that

"Symfony will grab any environment variable prefixed with SYMFONY__ and set it as a parameter in the service container"

Noting what appears to be the right approach, but seems to be broken atm; BUG report at

Symfony2+nginx external ENV vars aren't recognized by doctrine DB actions. fails with 'connection refused'.
symfony/symfony#14426

I wonder if we should consider recommending https://github.com/vlucas/phpdotenv for this like laravel does.

[wouterj]

👍

[wouterj]

ping @javiereguiluz @weaverryan what are your thoughts on recommending (and maybe even implementing into the SE) the phpdotenv library?

[javiereguiluz]

@wouterj I'm afraid I haven't used the phpdotenv library yet, so I can't say anything about it.

In any case, I think this is still some weak spot in Symfony (or at least in the Symfony documentation). I'd like to know "the solution" to safely store the most sensitive configuration options (e.g. database credentials) and use them in the application.

environment variables are used by many other frameworks for this include Laravel. They have supplemented phpdotenv by adding some coercion methods so you can force 0 and 1 to be booleans and also handling null values correctly.

Environment variables are also recommended for 12 factor apps. Environment variables also integrate nicely with travis and heroku (and likely other PaaS).

@beberlei is the one who pointed out this particular library to me in this post http://www.whitewashing.de/2014/10/26/symfony_all_the_things_web.html

I had personally used this gem in my rails apps https://github.com/laserlemon/figaro to handle this, but both the travis and heroku gems allow you to set them for their respective services

[weaverryan]

Quickly - I've also been thinking about dotenv lately, so personally, I'm certainly for exploring it. I don't believe using environmental variables over parameters.yml has any technical or security advantage, but they are more standard and familiar (and much easier to work with iirc when using something like Heroku). What's interesting about dotenv is that it gives an idiot-proof way of setting the environment variables if you don't understand setting them some other way.

@wouterj @jrobeson how would to envision dotenv being recommended? And alternative to putting things in parameters.yml? A full replacement that's officially recommended?

Thanks!

[weaverryan]

@jrobeson you replied as I posted :) - very very good points, I'm even more in favor of dotenv as a recommendation, if not a full proposal for a parameters.yml replacement.

Thanks!

@weaverryan: I do recommend using environment variables by default, although i'm not sure about this particular library. I haven't actually looked around all that much for alternatives.

I'm also using this particular program , but i'm not sure how well it would work for everyone (especially on windows) , but it's a nice supplement: http://direnv.net/ I't td be nice for them to be able to act on the same file.

@weaverryan : note that phpdotenv 2.x supports json and yaml loaders as well.

[wouterj]

@weaverryan I've used dotenv while playing around with Laravel. It uses it as a full replacement for the Symfony parameters.yml: https://github.com/laravel/laravel/blob/master/.env.example

Laravel, being known to use the convention over configuration rule, uses env(...) directly in its code. That's of course not possible to do within Symfony. Symfony currently supports the SYMFONY__ prefix thing for env variables, but if dotenv is made a recommendation (or is used in SE), I believe we have to come up with a better way to support environment variables in configuration files.

i rely on the SYMFONY__ variables currently and the tiny fix suggested in this bug symfony/symfony#7555 . The only real problem i have is the lack of parameter coercion

[javiereguiluz]

I'm closing this as "won't fix" because we no longer recommend using the SYMFONY__ env vars. Starting from Symfony 3.2 Symfony has support for runtime env vars and in #7224 I propose to update the "Best Practices" book to mention them. Thank you all for the discussion.