Add PHP_SESSION_COOKIE_SECURE #107

Closed
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -251,15 +251,16 @@ PHP\_DISPLAY\_STARTUP\_ERRORS|Even when display\_errors is on, errors that occur
PHP\_ERROR\_REPORTING|Set PHP error reporting level. Must be a number. <a href="https://maximivanov.github.io/php-error-reporting-calculator/">Use this tool for help.</a> (<a href="https://www.php.net/manual/en/errorfunc.configuration.php#ini.error-reporting">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"22527"
PHP\_MAX\_EXECUTION\_TIME|Set the maximum time in seconds a script is allowed to run before it is terminated by the parser. (<a href="https://www.php.net/manual/en/info.configuration.php#ini.max-execution-time">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"99"
PHP\_MEMORY\_LIMIT|Set the maximum amount of memory in bytes that a script is allowed to allocate. (<a href="https://www.php.net/manual/en/ini.core.php#ini.memory-limit">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"256M"
PHP\_OPEN\_BASEDIR|Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.|fpm,<br />fpm-nginx,<br />fpm-apache|$WEBUSER\_HOME:/dev/stdout:/tmp
PHP\_PM\_CONTROL|Choose how the process manager will control the number of child processes. (<a href="https://www.php.net/manual/en/install.fpm.configuration.php">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|**fpm:** dynamic<br />**fpm-apache:** ondemand<br />**fpm-nginx:** ondemand
PHP\_PM\_MAX\_CHILDREN|The number of child processes to be created when pm is set to static and the maximum number of child processes to be created when pm is set to dynamic. (<a href="https://www.php.net/manual/en/install.fpm.configuration.php">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"20"
PHP\_PM\_MAX\_SPARE\_SERVERS|The desired maximum number of idle server processes. Used only when pm is set to dynamic. (<a href="https://www.php.net/manual/en/install.fpm.configuration.php">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"3"
PHP\_SESSION\_COOKIE\_SECURE|Specifies whether cookies should only be sent over secure connections. (<a href="https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-secure">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|1 (true)
PHP\_PM\_MIN\_SPARE\_SERVERS|The desired minimum number of idle server processes. Used only when pm is set to dynamic. (<a href="https://www.php.net/manual/en/install.fpm.configuration.php">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"1"
PHP\_PM\_START\_SERVERS|The number of child processes created on startup. Used only when pm is set to dynamic. (<a href="https://www.php.net/manual/en/install.fpm.configuration.php">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"2"
PHP\_POOL\_NAME|Set the name of your PHP-FPM pool (helpful when running multiple sites on a single server).|fpm,<br />fpm-nginx,<br />fpm-apache|"www"
PHP\_POST\_MAX\_SIZE|Sets max size of post data allowed. (<a href="https://www.php.net/manual/en/ini.core.php#ini.post-max-size">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"100M"
PHP\_UPLOAD\_MAX\_FILE\_SIZE|The maximum size of an uploaded file. (<a href="https://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize">Official docs</a>)|fpm,<br />fpm-nginx,<br />fpm-apache|"100M"
PHP\_OPEN\_BASEDIR|Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.|fpm,<br />fpm-nginx,<br />fpm-apache|$WEBUSER\_HOME:/dev/stdout:/tmp
AUTORUN\_ENABLED|Enable or disable all autoruns. It's advised to set this to `false` in certain CI environments (especially during a composer install)|fpm,<br />fpm-nginx,<br />fpm-apache|"true"
AUTORUN\_LARAVEL\_STORAGE\_LINK|Automatically run "php artisan storage:link" on container start|fpm,<br />fpm-nginx,<br />fpm-apache|"true"
AUTORUN\_LARAVEL\_MIGRATION|Automatically run "php artisan migrate --force" on container start. This is **not** recommended for large or distributed apps. Run your migrations manually instead.|fpm,<br />fpm-nginx,<br />fpm-apache|"false"
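Review bot: The new `PHP_SESSION_COOKIE_SECURE` row sits between `PHP_PM_MAX_SPARE_SERVERS` and `PHP_PM_MIN_SPARE_SERVERS`, which breaks the alphabetical order this same hunk restores by moving `PHP_OPEN_BASEDIR`; move it to after `PHP_POST_MAX_SIZE`. The default is written as 1 (true) without the quotes the other numeric defaults in the table use, and the description does not say which values are accepted or that a false value lets the session cookie be sent over plain HTTP. Please list the accepted values and note that turning this off removes the Secure attribute from the session cookie.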
13 changes: 7 additions & 6 deletions src/fpm/Dockerfile
Expand Up @@ -10,17 +10,18 @@ ENV PHP_DATE_TIMEZONE="UTC" \
PHP_DISPLAY_ERRORS=Off \
PHP_DISPLAY_STARTUP_ERRORS=Off \
PHP_ERROR_REPORTING="22527" \
PHP_MEMORY_LIMIT="256M" \
PHP_MAX_EXECUTION_TIME="99" \
PHP_MEMORY_LIMIT="256M" \
PHP_OPEN_BASEDIR="$WEBUSER_HOME:/dev/stdout:/tmp" \
PHP_POST_MAX_SIZE="100M" \
PHP_UPLOAD_MAX_FILE_SIZE="100M" \
PHP_POOL_NAME="www" \
PHP_PM_CONTROL=dynamic \
PHP_PM_MAX_CHILDREN="20" \
PHP_PM_START_SERVERS="2" \
PHP_PM_MAX_SPARE_SERVERS="3" \
PHP_PM_MIN_SPARE_SERVERS="1" \
PHP_PM_MAX_SPARE_SERVERS="3"
PHP_PM_START_SERVERS="2" \
PHP_POOL_NAME="www" \
PHP_POST_MAX_SIZE="100M" \
PHP_SESSION_COOKIE_SECURE=1 \
PHP_UPLOAD_MAX_FILE_SIZE="100M"

# install `php-fpm` (php server) and `libfcgi-bin` (for healthchecks)
RUN apt-get update \
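Review bot: The only functional change in this ENV block is the added `PHP_SESSION_COOKIE_SECURE=1 \` line; everything else is an alphabetical re-sort that moves the terminating entry from `PHP_PM_MAX_SPARE_SERVERS="3"` to `PHP_UPLOAD_MAX_FILE_SIZE="100M"`, so every line-continuation backslash has to be rechecked by eye. Consider putting the re-sort in its own commit so the security-relevant default stands out in the diff. Since the pool config now substitutes this variable directly, it would also help to settle on one spelling of the value: the previously hard-coded setting was `true`, the default here is `1`.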
2 changes: 1 addition & 1 deletion src/fpm/etc/php/fpm/pool.d/y-override-php-defaults.conf
Expand Up @@ -224,7 +224,7 @@ ping.path = /ping

; Security measures
php_admin_value[open_basedir] = ${PHP_OPEN_BASEDIR}
php_admin_flag[session.cookie_secure] = true
php_flag[session.cookie_secure] = ${PHP_SESSION_COOKIE_SECURE}

; Regional settings
php_value[date.timezone] = ${PHP_DATE_TIMEZONE}
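Review bot: Switching from `php_admin_flag` to `php_flag` on the `session.cookie_secure` line under "; Security measures" does more than make the value configurable: a setting given with `php_flag` can be overridden from application code with ini_set(), while one given with `php_admin_flag` cannot. Keep the admin form and substitute only the value, i.e. `php_admin_flag[session.cookie_secure] = ${PHP_SESSION_COOKIE_SECURE}`, so the operator's environment variable stays the single place where the Secure attribute can be switched off. Please also confirm what the pool does when the variable is set to an empty string, since the value is now taken from the environment rather than hard-coded.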