Laravel environment variables leaking between applications when they call each other through GuzzleHttp


Problem description

I have two Laravel 5.2 applications (let's call them A and B) on my local machine, both configured on two different virtualhosts on my local Apache 2.4 development server.

Both applications sometimes are calling each other through GuzzleHttp.

At one point I wanted to use encryption and I started getting "mac is invalid" exceptions from Laravel's Encrypter.

While investigating the issue, I found that when app A calls app B, app B suddenly gets encryption key (app.key) from app A! This causes encryption to break because the values on app B were encrypted using app B's encryption key.

While debugging, I found the Dotenv library has some logic to keep existing variables if they are set. I found that both $_ENV and $_SERVER do not have leaked variables, but getenv() has them!

I'm a bit confused because PHP putenv says:

The environment variable will only exist for the duration of the current request.

It seems, if during current request I launch another request through GuzzleHttp, the variables set by Dotenv in A using putenv() suddenly become available in app B which is being requested by GuzzleHttp!

I understand that this will not be an issue on production servers where config cache will be used instead of Dotenv and most probably both apps will run on different Apache servers, but this behavior is breaking my development process.

How do I configure Laravel or GuzzleHttp or Apache or PHP to prevent this putenv() leakage from app A into app B?

Recommended answer

The problem is that you are using a shared instance of PHP, so when one of the apps sets an environment variable, that is shared with the other app. I believe phpdotenv treats them as immutable, so once they are set, the other application cannot override them.

mod_php (which I presume you are using since you mentioned Apache) basically provides a PHP interpreter inside each Apache process. An Apache process will be shared between all your vhosts, hence why you are having this issue. You would also get the same issue if you were running nginx and php-fpm; however, it's easier to solve if you were running the latter software stack.

Unfortunately one port can only be bound to one process. So the only way to stick with mod_php and Apache is to place your vhosts on separate port numbers, which means you'll have to place the port number of at least one of them in the URL when accessing it. I don't really use Apache anymore so I can't give you specific details on doing this; it might be a case of just setting different ports in your vhost config and Apache will just do it, but I'll have to defer you to Google.

If you were running nginx/php-fpm it would probably just be a case of creating a second php-fpm process config running on a different port or socket and pointing the second vhost at that php instance and away you go.

So in summary you have a few solutions:

  1. Stay with Apache and mod_php, and spend the rest of the week googling how to do what I said.
  2. Look into running PHP as a CGI module on Apache, which will then give you the flexibility you need (this is akin to using nginx/php-fpm but without changing your webserver software).
  3. Stop using phpdotenv and find an alternative approach (such as loading your config in htaccess or inside the vhost so it's available as $_ENV or $_SERVER keys).
  4. Install a dev stack that includes nginx/php-fpm and it should be easily solvable by creating two PHP processes.
  5. Use virtual machines (possibly look at Vagrant or Docker).

Sorry I don't have better news, but unfortunately your WAMP stack is just a little too restrictive out of the box.
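
The behaviour described in the question and answer above, as an added example that is not part of the original post and is not phpdotenv's code: simulated in a single PHP CLI process, a keep-if-already-set loader picks up app A's key through getenv() while $_ENV and $_SERVER stay clean, and a loader that never consults getenv() does not. All function names and key values are constructed for illustration.

```php
<?php
// Added illustration; function names and values are constructed,
// not phpdotenv's real API. Run with the PHP CLI.

// Lookup order from the question: per-request superglobals, then getenv().
function find_existing(string $name): ?string
{
    if (isset($_ENV[$name])) return (string) $_ENV[$name];
    if (isset($_SERVER[$name])) return (string) $_SERVER[$name];
    $value = getenv($name);            // reads the process-wide environment
    return $value === false ? null : $value;
}

// "Immutable" loader: a value that already exists anywhere is kept.
function load_immutable(array $dotenv): array
{
    $effective = [];
    foreach ($dotenv as $name => $value) {
        $existing = find_existing($name);
        if ($existing === null) {
            putenv("$name=$value");
            $_ENV[$name] = $existing = $value;
        }
        $effective[$name] = $existing;
    }
    return $effective;
}

// Request-scoped loader: trusts only superglobals, never getenv()/putenv().
function load_request_scoped(array $dotenv): array
{
    $effective = [];
    foreach ($dotenv as $name => $value) {
        $effective[$name] = $_SERVER[$name] ?? $_ENV[$name] ?? $value;
    }
    return $effective;
}

$appA = ['APP_KEY' => 'constructed-key-of-app-A'];
$appB = ['APP_KEY' => 'constructed-key-of-app-B'];

putenv('APP_KEY=' . $appA['APP_KEY']);        // request A, still in flight
unset($_ENV['APP_KEY'], $_SERVER['APP_KEY']); // request B: fresh superglobals

$leaked = getenv('APP_KEY') !== false && !isset($_ENV['APP_KEY']);
echo 'APP_KEY leaked into B: ', $leaked ? 'yes' : 'no', PHP_EOL;
echo 'immutable loader gives B: ', load_immutable($appB)['APP_KEY'], PHP_EOL;
echo 'request-scoped loader gives B: ', load_request_scoped($appB)['APP_KEY'], PHP_EOL;
```

The first two lines of output reproduce the "mac is invalid" precondition: B ends up holding A's key. The third shows B keeping its own key once the process environment is left out of the lookup.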
