Closed ThomasOrlita closed 9 months ago
Also, it would be helpful if httpmode could be set via an environment variable:
- define('httpmode', false);
+ define(filter_var(getenv('httpmode'), FILTER_VALIDATE_BOOLEAN), false);
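Review bot: the arguments to define() on the `+` line are in the wrong order. The filter_var() result is passed as the constant name and `false` as the value, so a constant named httpmode is never defined and the environment value has no effect on it. Suggest `define('httpmode', filter_var(getenv('httpmode'), FILTER_VALIDATE_BOOLEAN));` instead. getenv() returns false when the variable is unset and FILTER_VALIDATE_BOOLEAN maps that to false, so the existing default is preserved.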
Can you elaborate on why the use of an .env file is not a good security practice?
The .env file is accessible through the mounted docker volume, a pretty common way of doing things. Any changes to this file in the ezXSS directory are reflected instantly without the need to rebuild.
Regarding the httpmode variable, I'd suggest creating a separate issue for that as it's unrelated to docker.
I meant that building the image with the production env file (as recommended in the instructions) is not a good security practice as it means the secrets will be leaked if the build is shared publicly.
You're right about mounting! I completely forgot about the possibility of just mounting the env file as a volume (as I was used to just passing the environment variables through Docker). I think this should be the recommended approach in the docs instead. However, also updating the app to make it work with the env passed from Docker would make it more versatile and easier to use with tools such as Portainer.
Hi @ThomasOrlita,
The httpmode inside the env file might be a possibility, I will think about this.
The other issue, what would be the correct way to implement this? @GlitchWitch what do you think about this?
As shown in the example env, you can now set debug, httpmode and signupenabled settings in the .env file.
Regarding your other issue, it seems to me that this approach is not the recommended way (anymore) to pass the variables.
Also, while trying to debug with passing the variables through docker, for example with --env-file, it works fine for the docker compose, but it doesn't get passed to PHP correctly. To correctly get these variables, I either need a file to read from (as how it works now), or pass it to Apache so I can read it.
If you believe I'm looking at this wrong and there is another (better) way to do this, please elaborate. For now I will close this.
I've also made some changes to the Docker installation process and made the settings like httpmode editable via the env, as requested.
Currently, using ezXSS with Docker requires building the image, including the .env file, which is not a good security practice and makes it harder to automate the build process. If the .env file isn't built, ezXSS should attempt to load the environment variables from the process, instead of failing because the .env file doesn't exist.
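
The fallback requested in this issue, sketched as an added example that is not ezXSS code and not part of the thread: settings are resolved from the process environment first, then from an optional .env file, then from a default, so a missing file is not an error and no secrets need to be baked into the image. The function names `readEnvFile()` and `loadSettings()` and the demo path are hypothetical; it assumes the variables are visible to the PHP process through `getenv()`, which the thread notes is not automatic under Apache.

```php
<?php
// Added example, not ezXSS code. Function names and the demo path are hypothetical.

// Parse KEY=VALUE lines from a .env file; a missing file yields an empty array.
function readEnvFile(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        return [];
    }
    $values = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue; // skip blanks, comments and malformed lines
        }
        [$key, $value] = explode('=', $line, 2);
        $values[trim($key)] = trim(trim($value), "\"'");
    }
    return $values;
}

// Resolve each boolean setting: process environment, then file, then default.
function loadSettings(string $envPath, array $defaults): array
{
    $file = readEnvFile($envPath);
    $settings = [];
    foreach ($defaults as $key => $default) {
        $fromProcess = getenv($key); // false when the variable is unset
        if ($fromProcess !== false) {
            $raw = $fromProcess;
        } elseif (array_key_exists($key, $file)) {
            $raw = $file[$key];
        } else {
            $settings[$key] = $default;
            continue;
        }
        // Values that are not clearly true/false fall back to the default.
        $parsed = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        $settings[$key] = $parsed ?? $default;
    }
    return $settings;
}

// Constructed demo: the file does not exist, httpmode comes from the process.
putenv('httpmode=true');
$missing = sys_get_temp_dir() . '/no-such-dir/.env';
$defaults = ['debug' => false, 'httpmode' => false, 'signupenabled' => false];
var_dump(loadSettings($missing, $defaults));
```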