Improve -S (built-in webserver) to support optional ca/crt/key arguments

[paigeadelethompson]

Description

This would be nice just because for somebody who just wants to run a simple PHP application in a Docker container and set it up behind Cloudflare; they little more than suggest that you establish end-to-end encryption and even provide you with a certificate bundle to use with your application. In general I prefer less complexity for anything that I actually have to maintain, so if at most all I have to run is 1 container (which serves the PHP application with php -S) then it's a much better deal for me than having to mess around with nginx, or apache.

[iluuu1994]

Hi @paigeadelethompson. The built-in server is there for convenience. Implementing encryption is not something we want to do, it is complex and not necessary for local development. Furthermore, adding more features to the built-in server increases the risk of people believing it's something they may use in production. We don't want to reinvent the wheel, there are other fantastic options out there.

[iluuu1994]

@paigeadelethompson You may want to look into FrankenPHP though. It comes bundled with Caddy. https://frankenphp.dev/

[paigeadelethompson]

Check this out:

 --server addr:port
       -S addr:port   Start built-in web server on the given local address and
                      port

that's from the man page.... when you run it:

[Wed Dec  4 09:45:07 2024] PHP 8.3.14 Development Server (http://0.0.0.0:8080) started

The message it gives you is a little more indicative of it being a "development" web server, the information about what purpose it should have isn't even really consistent. I mean you look at anything else right... (NodeJS, Python, ruby, go, rust, even perl has a few options. TCL even has one that has no particular purpose (whatever you'd like to use it for, it's pretty nice) you'd think PHP would want that for PHP. I haven't worked with PHP professionally since probably 2012 I was just asking for the benefit of somebody else. For what this is worth, I feel like the fact that this being a "development server" was in the back of my mind for a long time but apparently I forgot; probably should just get rid of it completely.

[iluuu1994]

As mentioned, it's not that such a feature wouldn't be useful or make sense. The main difference to NodeJS and likely other project is that PHP is relatively understaffed. If we can use somebody else's code, that's generally what we prefer. In this case, FrankenPHP might be a great option, as it is a singular binary that comes with all of the extensions statically bundled, it comes with Caddy, and it has an official Docker container. You're right that "built-in server" is not very telling, and "development server" might have been a better term. That said, the docs are very clear about its purpose.

https://www.php.net/manual/en/features.commandline.webserver.php

Warning This web server is designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.

[paigeadelethompson]

As mentioned, it's not that such a feature wouldn't be useful or make sense. The main difference to NodeJS and likely other project is that PHP is relatively understaffed. If we can use somebody else's code, that's generally what we prefer. In this case, FrankenPHP might be a great option, as it is a singular binary that comes with all of the extensions statically bundled, it comes with Caddy, and it has an official Docker container. You're right that "built-in server" is not very telling, and "development server" might have been a better term. That said, the docs are very clear about its purpose.

https://www.php.net/manual/en/features.commandline.webserver.php

Warning This web server is designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.

So why not just get rid of it? I know I can't be the first person to arrive at the conclusion that it is useful even though it's apparently not. Even for what little use you say it has it might as well be a half-assed solution to the problem. All I'm trying to say is, you should just drop the feature entirely before it pisses somebody else off.

[iluuu1994]

I never said it wasn't useful. It is very useful, and heavily used. It is just not intended to be a production tool. If you do need HTTPS, then there are other options.